Public Service Announcement

This is seriously true. I encourage everyone to follow it. After all, if XKCD says it, it must be true.

Seriously though, this is what I do now (No, our server passwords are not “correct horse battery staple”, and no you shouldn’t build a hack tool that assumes that).

  1. #1 by JasonMK on 2011.08.17 - 10:43 am

    Ok, so I have a confession for 2,947 days (including the hiatus) my password remained the same. Even worse than that, 2,947 days ago the password I chose was my avatar’s name. I’m on day 1 of my new password and looking forward to breaking it in (and then changing it every 3,000 miles). Thanks for the PSA.

    • #2 by Nessa on 2011.08.17 - 2:24 pm

      i need help making a password and its saying When registering a legacy avatar, you must provide the matching legacy password.some help me please

      • #3 by JasonMK on 2011.08.17 - 5:59 pm

        You don’t want my help, otherwise you’d go 8+ years with your avatar and password being the same 5 letters (easy to remember though).

      • #4 by Nessa on 2011.08.17 - 9:04 pm

        so how am i supose to do this im confused i and i really need help cause i really wanna play there but dont know how to this whole thing

  2. #5 by Lela on 2011.08.16 - 1:50 am

    My office has already gone to fifteen characters with the same upper, lower, special and numeric requirement. If your password is random and you randomly select a special character from the standard USA keyboard you have about 10^30 possibilities. If you use 25 random lower case letters you have about 10^35 possibilities but if I have four common English words I am choosing from then the complexity of my password is really (number of words in my common English vocabulary)^4. If you use 20,000 words in your common vocabulary which is really quite a lot for a man’s typical vocabulary then you really only have 20,000^4 or only about 10^17 possibilities.

  3. #6 by Nessa on 2011.08.15 - 4:01 pm

    is there any way you can give me a password to join please help me im confused please replay AS SOON AS POSSIBLE

  4. #7 by Nessa on 2011.08.15 - 2:31 pm

    im so so so confused

  5. #8 by Tomo (@tomosaigon) on 2011.08.15 - 9:06 am

    Three words separated by a . is not secure.

    Using a pattern using family relations plus the name of the website is not secure once someone sees your password on one site and can start guessing your other passwords.

    Using a single capital letter predictably isn’t secure, same with punctuation.

    The only way is to be random. Here’s a site that will help you remember a 4-word passphrase that’s secure:

    • #9 by Michael Wilson on 2011.08.15 - 9:35 am

      “Three words separated by a . is not secure.” IF indeed it’s using Family Relations or names of sites as two of the components.

      The point behind “Horse Battery Staple” is that most relations don’t include Horses and I don’t think there are many online Battery stores. Of course, there IS a Staples. Hmm.

  6. #10 by Nessa on 2011.08.11 - 11:18 pm

    i swar this stupid how do we get in i need help with password i dont get this helpppppppppppp me

    • #11 by Michael Wilson on 2011.08.12 - 6:40 am

      Are you 18?

      • #12 by Nessa on 2011.08.14 - 5:33 pm

        yeah im 18

    • #13 by MissisElle on 2011.08.24 - 4:08 am

      lol.. ‘rolleyes

  7. #14 by shanghei on 2011.08.11 - 10:17 am

    << changes password quickly as it is now posted here…. thought it was totally random… someone must be reading my mind… (puts foil hat back on) =))

  8. #15 by IMAKOS on 2011.08.10 - 7:54 pm

    for crying out loud stop it, This gave me a dang Brain cramp.

  9. #16 by Pilot_51 on 2011.08.10 - 4:24 pm

    I feel like this is putting the spotlight on that comment I made a month or two ago about passwords. I’m kind of embarrassed now and I’m going to make a sad attempt to justify and/or revise what I said.

    I’m obviously no security expert, but I know “X|<cdW1n5!" is far stronger than "password1" in every situation and potentially stronger than "correct horse battery staple" when you have someone spying over your shoulder (harder to follow random-looking keystrokes with shift presses). I would suggest something more like "Correct?Horse?Battery?Staple!" to multiply the time required to brute force and make it a little harder for the spy-over-shoulder to follow while still very easy to remember. The number of keystrokes kind of turns me off to the strong and easy to remember password, which is why I developed a method to my shorter complex password which I don't have a problem remembering. In many ways, password security can be rated as a combination of time (keystrokes) and difficulty (types of characters), and in nearly all cases the security is very sufficient before time * difficulty = annoying. Memorability doesn't really factor into security unless you want someone to forget it after they learn it (e.g. you tell them). Also different people remember things in different ways (photographic, imaginative, relation, etc.), so there's no universally specific solution to making a strong password easy to remember.

    For 12 years until recently, I've used about 3 stupidly short passwords similar to "btp42" or "nrjfbi" across 30 or so websites/services, some of those sites were hacked, and I still had no problem with any of my accounts becoming compromised. It gives me the impression that everyone I hear getting hacked on an individual basis are entirely a result of easy to guess passwords, phishing, keylogger viruses, or poor password storage (plain text), rather than brute force attacks. The only defenses for the latter three is to simply not fall for phishing (mainly look at the URL), don't download from unpopular or unfamiliar websites/emails, use a good anti-virus, be aware what you give administrator access, and don't write down passwords in non-encrypted storage. I don't think brute force attacks are worth worrying about on most sites that don't have highly sensitive info. On the other hand, maybe I'm just very lucky (didn't have Gawker or Sony accounts for example) and brute force attacks are a bigger problem than I think.

    So, to revise and generalize my password creation steps a bit…
    1. Don't use simple (dictionary word with few other characters) or short (<8 character) passwords.
    2. Use a different password for each website/service, such as by including a name or word used on it.
    3. Form your passwords with some kind of randomization but still in a way you're sure you can remember them.
    4. Increase the length and/or complexity even more for important accounts like banks or email accounts associated with such important accounts.

    Also don't forget to use password recovery features wisely. Use secret questions when available, but not with easy to guess answers.

    If you're REALLY concerned about security, do some real research and don't just go by what a few people say in a blog.

    • #17 by Michael Wilson on 2011.08.10 - 5:43 pm

      Personally, I would agree, but I have done the research, and agree with their conclusions. People looking over your shoulder is a form of “human engineering”, which, while it may be “harder” to guess /!qzrblah, the number of characters in the lower right hand side of the keyboard are limited, so it may not be as secure as you’d wish for a determined hacker.

      The best single thing you can do is use a different password on every site. That alone will increase most people’s security exponentially.

      • #18 by Pilot_51 on 2011.08.11 - 2:07 am

        Yeah, I definitely agree with different passwords being the most secure… well, just short of not using common passwords. Regardless of how a password is discovered on one account, it will prevent the hacker from getting a free pass to your other accounts.

        Basically my whole point is that while the method you support may indeed be more secure, I believe the security of both methods is already plenty for most people and preference begins to take priority. Going above and beyond is probably only necessary for people who would be a likely target for hackers, such as those with reasonable fame or wealth. As I mentioned, the worst security problem is likely social engineering or trojan attacks which strong passwords have no defense against and large numbers of people can easily be targeted, and there are an awful lot.of people on the web who don’t know any better. Fortunately, the one password-based defense that would still be very helpful in that situation is having a different password for everything.

  10. #19 by Seg_Vio on 2011.08.10 - 2:09 pm

    I gotta say…Those images are full of win! I had to read them all carefully before I read what you said above and below to see if I could make sense of them…I felt like I was taking the Mensa exam!

    It would be a VERY good idea for everyone here to re-examine their password strength (including myself). Even with the failsafe (3-4 passwords wrong and you wait for 20 min before you try again)
    a hacker very well could (if talented) download the password file from the server and spend countless hours with a brute force.

    To those that say “just email your strong password to yourself…Not the best idea. Don’t get me wrong, it does seem like a good idea, but if a hacker can get the password frolder, then they can get your email address.

    I will post an encrypted password container ( my laptop came with one) if I can find a free/cheap one. That really is the best method of storage (well, besides from memory).

  11. #21 by dakotaman on 2011.08.10 - 1:15 pm

    Thanks MW! I just read an article a month ago about this very thing. They said that three random words, separated by periods = a strong password. And MUCH easier to remember!! I have been switching all my passwords to these combinations.


    • #22 by Camel on 2011.08.10 - 2:09 pm

      See my post above; (20 000^3) / (600 000 000 / sec) = 3.7037037 hours

      Not as secure as you think, if an attacker knows your mnemonic.

  12. #23 by VM on 2011.08.10 - 12:10 pm

    I lol’d

  13. #24 by Kickin686 on 2011.08.10 - 11:42 am

    I just watched Steve Gibson on Security Now talking about this.

  14. #25 by Camel on 2011.08.10 - 10:29 am

    Entropy is about quantifying the “uniqueness” of a phrase, and is irrelevant when discussing the domain of a brute force attack. He’s definitely correct that the long, simple password is stronger vs a brute force attack (wost case is 26^25 attempts) than the short, complex password (wost case is 72^11 attempts), but this has absolutely zero to do with entropy. Simply put, entropy isn’t simply a function of the length and alphabet a particular phrase uses, and has very little to do with security. When entropy does come to to question at the security table, it is almost always a question of the entropy of a particular hashing function’s output; a good hashing algorithm should produce well distributed, high entropy hashes — but the purpose there is to make it difficult to intentionally construct a collision.

    Aside from this one niche area of security where entropy is important, entropy is almost only ever discussed when referring to compression algorithms. If a phrase has low entropy (it’s not very unique), it can be compressed more easily. For example, the phrase:
    has almost no entropy because it is easily described as a single run of consecutive characters, despite having an alphabet of size 94 and length 94 (brute force could take 94^94 attempts – read: never going to happen).

    • #26 by phasedenergy on 2011.08.10 - 10:47 am

      the second letter and ages of all your family members is a good one…..(ex:letter age letter age)……if you add the acronym of the site you use the password for, you will always have a different password for each login.

      • #27 by Camel on 2011.08.10 - 2:01 pm

        The point of the OP is that it’s better to have an extremely long password, even if it uses a simple alphabet and common words, than an short complex password. Although, no matter how you remember your password, its security is pretty well defeated when you post your mnemonic publicly on the internet. If an attacker knows even the pattern you use, their attack becomes much easier.

        Just to give you an example, one single Radeon 6990 can do about 600 million SHA-1 hashes per second. Let’s say you have 4 family members, and they are all between the ages of 1 and 60. That means you’ve got 60 possibilities for each person’s age, and 26 possibilities for the second letter of their name. ((26*60)^4 hashes)/(600 Mhashes/sec) = ~ 2 hrs 45 minutes. Not very secure.

        But if you increase that to 5 family members, the time increases to 178 days. 6 family members gets you 761 years.

        By comparison, there are approximately 20,000 English words in the average American’s vocabulary at 18 years old (I’m not going to include references here; substitute your own numbers if you wish). If your password has 4 of these words, you’ve got about 8.5 years before the 6990 guesses it (assuming, again, the attacker knows your mnemonic). But, if you go to 5 words: 169,000 years.

        I hope this helps to illustrate that length is paramount.

      • #28 by Michael Wilson on 2011.08.10 - 2:19 pm

        So, essentially, you’re saying the using birth control leads to insecure passwords.

        Damn, I always knew the Father Murphy was right about that, no matter what the other nerds in the computer club said.


      • #29 by phasedenergy on 2011.08.11 - 7:59 am

        length is important…but so is girth…THERE I said it lol

        I would sincerely like to meet any hacker who could even guess My patterns….most times I have a hard time remembering them they get so convoluted lol,the example was just to illustrate what could be a password selection process that would make it easier to remember the password…….it really only comes down to imagination, the more devious(read imagination plus intellect) you are, the harder it will be for someone to crack it.

  15. #30 by moondustmadness on 2011.08.10 - 10:19 am


  16. #31 by GaryBob on 2011.08.10 - 9:45 am

    Unfortunately the bad type of password is institutionalized in many workplaces (including my own).

    You are required to create a password that’s: 10 characters long with at least two uppercase letters, two lowercase letters, two numerals, two special characters, and no repeating characters, no pairing of types of characters… which roughly translates to “ridiculous combination you’ll never ever remember without writing it down on a sticky note attached to your monitor and creating an actual security risk.”

    • #32 by Michael Wilson on 2011.08.10 - 9:48 am

      “” is my password! Drat!

      • #33 by phasedenergy on 2011.08.10 - 10:57 am


      • #34 by CalDude on 2011.08.10 - 11:36 am

        LMAO! I spit out my coffee! Seriously, MW, thanks for being so informative AND damn funny.

  17. #35 by Jonathan on 2011.08.10 - 9:38 am

    If this is true, why do all ‘password-strength-checking-machines’ say that a strong password should have a mixture of all upper case, lower case, symbols etc?

  18. #36 by Brandyn Rlp There on 2011.08.10 - 9:26 am

    After reading that a couple of times I finally realized what that was about rofl
    I’m not a tech guy as much as I wish I was. ‘tu

  19. #37 by DrChisel on 2011.08.10 - 9:24 am

    Neat. Thanks changing passwords now ๐Ÿ™‚

  20. #38 by robloxias on 2011.08.10 - 9:22 am

    Very cool!!Thats the true.

  21. #39 by Cellophane Thereian on 2011.08.10 - 9:20 am

    And between this, the tailshot and The Places You Roam… I’m just thinkin’…

  22. #40 by Cellophane Thereian on 2011.08.10 - 9:19 am

    The above is one of my favorites of all time. I have it bookmarked because, well, it has applied. ๐Ÿ˜€

    • #41 by Seg_Vio on 2011.08.10 - 2:13 pm

      Added to favorites! thanks!

  23. #42 by knighthawk101 on 2011.08.10 - 9:18 am

    With the difficulty I had remembering my own password and the trouble I brought on to myself by trying them way to fast, I feel like a bit of a horse’s “battery” LOL. and almost as smart as one.

  24. #43 by _Taz on 2011.08.10 - 9:10 am

    Lol. Just email all your passwords to yourself!

    • #44 by phasedenergy on 2011.08.10 - 10:43 am

      lol..just don`t misspell the email addy

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: