The Usability of Passwords
April 24, 2011 6:32 AM

"Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones."

Not sure if your password is secure? How Secure Is My Password will tell you exactly how many years it will take for your password to be cracked. And, if you need help coming up with a more secure password (old school complex style), this video can help. Once you've made your secure password, keep it secure. Use Punchcast, developed by MeFi's own Lanark to create a unique password for each website you log into.
posted by Deathalicious (14 comments total)

This post was deleted for the following reason: poster's request -- jessamyn
I'll add that I actually use my own technique that I learned a few years ago: use a "wrapper" password with the name of the website inside of a commonly shared string. So, for example, say my wrapper were p1L* %f, my password on MetaFilter might be p1L*meta%f. According to How Secure is My Password, my current email password would take around 75 days assuming 10,000,000 password attempts per second. That's good enough for me.
posted by Deathalicious at 6:38 AM on April 24, 2011
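As an added illustration of the two things in the comment above (the "wrapper" splice and the brute-force time estimate at 10,000,000 guesses per second), here is a small offline estimator. It is example code written for this page, not code from the thread or from the How Secure Is My Password site; the character-class sizes (26 lower, 26 upper, 10 digits, 32 ASCII punctuation) and the exhaustive-search model are assumptions, and the model covers blind brute force only, not dictionary or leaked-password attacks, which is exactly the gap ryanrs raises later in the thread.

```python
import string

# Assumed character classes; the keyspace is (sum of the classes present) ** length.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 ASCII punctuation characters
}

# Seconds per unit, used only for pretty-printing (Julian year of 365.25 days).
UNITS = [
    ("years", 365.25 * 24 * 3600),
    ("days", 86400.0),
    ("hours", 3600.0),
    ("minutes", 60.0),
    ("seconds", 1.0),
]


def wrapper_password(wrapper: str, site: str) -> str:
    """Splice the site name into the wrapper at its single space, as in the comment:
    wrapper 'p1L* %f' plus site 'meta' gives 'p1L*meta%f'."""
    if wrapper.count(" ") != 1:
        raise ValueError("wrapper must contain exactly one space as the splice point")
    head, tail = wrapper.split(" ")
    return head + site + tail


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search if they only know which classes appear.
    Characters outside the four classes (spaces, non-ASCII) each add one to the alphabet."""
    size = 0
    covered = set()
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    size += len({c for c in password if c not in covered})
    return size


def keyspace(password: str) -> int:
    """Number of candidates in an exhaustive search over the inferred alphabet."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: int = 10_000_000) -> float:
    """Worst-case time to try every candidate at the given rate.
    The expected time to hit the real password is about half of this.
    Blind brute-force model only: dictionary and breach-list attacks are not modelled."""
    return keyspace(password) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Constructed sample values taken from the comment above.
    pw = wrapper_password("p1L* %f", "meta")
    print(pw, charset_size(pw), human_time(seconds_to_exhaust(pw)))
    print("password", charset_size("password"), human_time(seconds_to_exhaust("password")))
```

Running it shows why the blind model is optimistic: "password" scores as a 26-character alphabet searched over 8 positions, a few hours at the assumed rate, while any attacker with a wordlist finds it in the first handful of guesses.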


http://howsecureismypassword.net/ has been hacked!
posted by BYiro at 6:39 AM on April 24, 2011


Try http://www.passwordmeter.com/ instead?
posted by BYiro at 6:40 AM on April 24, 2011


Ummm... did you just post a phishing site?
posted by anotherpanacea at 6:41 AM on April 24, 2011


oops. The howsecureismypassword.net domain expired yesterday & got picked up by a domain squatter.
posted by pharm at 6:41 AM on April 24, 2011


Also, yeah: typing your password into a website form is a really bad idea...
posted by pharm at 6:42 AM on April 24, 2011 [1 favorite]


I have a very secure password, but goddamn if my university doesn't force me to change it every three months.
posted by anotherpanacea at 6:44 AM on April 24, 2011


The analysis in the linked article has little to do with how passwords are actually compromised these days. I recommend you disregard any advice given.
posted by ryanrs at 6:47 AM on April 24, 2011


My solution to the secure password problem has been to use pwgen to generate reasonable passwords, which I then write down somewhere secure just in case I forget them. Then I type the passwords in by hand whenever I need them, using the offline copy to jog my memory if necessary: After a few repetitions I usually find that the password has embedded itself into my subconscious & I don't need to think about it any more.
posted by pharm at 6:50 AM on April 24, 2011


That's weird -- I'm seeing a normal page for howsecureismypassword...and the website works with the Internet turned off, so feel free to turn it off while testing your password...as I understand, it doesn't send anything back to the server.

The analysis in the linked article has little to do with how passwords are actually compromised these days. I recommend you disregard any advice given.

He's posted a more recent article defending his earlier position; not sure if it addresses that point.
posted by Deathalicious at 6:52 AM on April 24, 2011


hey if you guys tell me your checking account routing number i'll check to make sure nobody's stolen any money from there seriously okay now i'm checking it omigod you guys somebody just stole a bunch of money from your account!
posted by (Arsenio) Hall and (Warren) Oates at 6:54 AM on April 24, 2011


Just to be very clear—this article is a joke. The author is basically clueless.

Between the bad info in the article and the suggestion to send your passwords to random web sites, this is a dangerously bad FPP. Deathalicious, I suggest you ask the mods to delete it.
posted by ryanrs at 6:56 AM on April 24, 2011 [2 favorites]


Okay, fair enough. As I've noted, the "How Secure is My Password" website doesn't send passwords anywhere, but if you feel like that establishes bad practices then I can see why it's a bad idea.
posted by Deathalicious at 6:57 AM on April 24, 2011


How do you know where it sends passwords? If I were trying to collect passwords, I'd only serve up malicious code to 1% of visitors, and then only after seeing a particular referrer more than 1000 times that day (i.e. only after it hits some popular blogs).
posted by ryanrs at 7:01 AM on April 24, 2011

