
I'm in ur address book, callin ur peeps
June 13, 2007 6:45 AM


 
Chillmost's password was not very good. Mwhahahaha!
posted by chillmost at 6:49 AM on June 13, 2007


So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage.
posted by sourwookie at 6:55 AM on June 13, 2007


So the combination is one, two, three, four, five?

What a coincidence! That's the same combination on my luggage.
posted by Bryan Behrenshausen at 6:58 AM on June 13, 2007


One of my favorite Ask Tog columns is on passwords and security.
posted by TedW at 6:58 AM on June 13, 2007


I need to go change the combo on my luggage!
posted by snwod at 6:59 AM on June 13, 2007


login/login
posted by matteo at 6:59 AM on June 13, 2007


something easy to remember, like passw0rd and the 0 makes it super secure
posted by caddis at 7:06 AM on June 13, 2007


I really should just use Matt's convenient little buttons from now on.
posted by caddis at 7:06 AM on June 13, 2007


I create passwords by combining two or more phonetically misspelled words and a number or three. Easy to remember. Works for me. Maybe government agencies have algorithms to crack that in ten seconds or less but I doubt anyone stupid enough to waste their time hacking into m. mouse's pseudonymous yahoo mail account has the wherewithal.
posted by fleetmouse at 7:12 AM on June 13, 2007


SECURE? I SUPERGLUED THAT FUCKER TO THE FRONT OF MY MONITOR. IT'S *NEVER* COMING OFF.
posted by quonsar at 7:12 AM on June 13, 2007 [13 favorites]


Isn't it like impossible to change a metafilter password?
posted by delmoi at 7:12 AM on June 13, 2007


By the way. Bruce Shiner actually recommends that people start writing down passwords now.

Why? Because these days you end up with dozens of them. If you always use the same one, one shady operator will get access to all your stuff. If you use different ones, you forget 'em.

So actually writing them down on a piece of paper that does not then leave your home can be a good idea.
posted by delmoi at 7:14 AM on June 13, 2007


LBHE SNIBEVGR PBHAGREZRNFHER FHKKBEF
posted by Smart Dalek at 7:25 AM on June 13, 2007 [2 favorites]


I use a randomly generated password for every site I use. Yes, hundreds of them. There's no way I memorize them, I keep a plain text file listing all of them.

My logic is that this is no less secure than using one (or a small number) of passwords for all sites, even if it's a good password, since there's no guarantee that every site operator is honest. (And they shouldn't even be storing my password anyway, only its hash, but that's a whole other rant.) This way, there's still one large secret that accesses everything -- my large text file -- but at least this one secret is under my sole control and not trusted to every site I use. Even if a password is completely compromised it only affects that one site and no other.
posted by Rhomboid at 7:27 AM on June 13, 2007


That crack! you just heard was Bruce Schneier breaking delmoi's neck for misspelling his name. Using only a sharp look.
posted by bitmage at 7:30 AM on June 13, 2007


Do you mean Bruce SCHNEIER?
posted by chuckdarwin at 7:30 AM on June 13, 2007


Your password is like your toothbrush. Use it everyday. Change it frequently. Don't share it with your friends. And if you use it to clean out the gunk in the toilet, don't put it back on the shelf.
posted by ubiquity at 7:32 AM on June 13, 2007


It's so odd that this was happening from inside Sandia, the stalker had Q-level security and everything. But it was really just a coincidence. Still:
Dimitrelos says there should be consequences for Sandia as well. "The US attorney wanted to get me on a gag order," he says. "I told him to suck it." Dimitrelos believes that Sandia's ignorance of Townsend's activity speaks poorly of the lab's security. Fauver concurs, saying, "It causes me great concern that there would be people inside Sandia able to use a network that was not being closely monitored."
That doesn't really make any sense. Townsend wasn't "hacking" in the traditional sense, she was just doing normal things a customer might do to recover their passwords. Any kind of "security" thing would never be able to discriminate between legitimate and illegitimate use.

The real problem here is the laughable "security" put in place. And Chester should own up to the fact that he used a pretty weak password, and if your personal email is compromised that means everything you ever signed up for with that email can be as well.

Another problem is companies trying to use ridiculously easy "questions" to get people back into their accounts. Zip Code? DOB? last four digits of your SSN? Those things are not hard to find out.
posted by delmoi at 7:34 AM on June 13, 2007




"Any formal name or nickname, including spouse's, children's, and pet's"

Rules should not have egregious grammar mistakes and expect to be taken seriously.
posted by notsnot at 7:47 AM on June 13, 2007


The best is when you call your bank and they ask you to verify your identity. My favorite is the "What County is $OLD_ADDRESS in?" Bloody hell woman, I didn't know that when I lived there six years ago, but I can google it now and get you off my back. I feel real secure now.
posted by Skorgu at 7:55 AM on June 13, 2007 [1 favorite]


I always use z0mgWTF1!1! as my password and there's no way anybody's guessing that randomly.
posted by Horace Rumpole at 7:57 AM on June 13, 2007


Dammit.
posted by Horace Rumpole at 7:57 AM on June 13, 2007 [4 favorites]


I keep all my assorted passwords in my PDA - that way I have access to them all the time (not just at home as with a sticky), and yet they are still relatively secure, since they are in an encrypted database. With one password memorized, I have all my passwords available at all times. The program I use (YAPS - freeware for the Palm OS) automatically re-encrypts after a few minutes of non-use, so I don't need to worry about un-encrypting and then losing (or getting stolen) my PDA. My favourite algorithm for creating passwords is the pass-phrase. For example: Boy, my need for security requires a lot of these passwords. This translates to: Bmn4sralotpw. (No, I don't actually use that PW).
posted by birdsquared at 7:58 AM on June 13, 2007


What bothers me is all the sites that want to use my mother's maiden name as the backup question in case I forget my password. That name is probably more valuable than the password itself.

Of course, I've simply made up a fake name, but I'm sure others tell the truth, therefore leaving themselves exposed.
posted by desjardins at 7:59 AM on June 13, 2007


My password contains characters from 18 different languages, six of which I invented and only I speak.
posted by The Straightener at 8:00 AM on June 13, 2007 [1 favorite]


As opposed to randomly generated passwords or huge lists of passwords, I've taken the advice of someone (I can't remember who) here at MeFi who suggested using an algorithm to generate passwords. That way I just remember a formula and input variable information from whatever account I'm trying to access. What I've chosen as the variables, and the exact formula I use, is the secret.
posted by carsonb at 8:09 AM on June 13, 2007


That Wired story is scary as hell.

Ever since some post a couple of years ago, all of my passwords are acronyms made of the first letter of each word from certain song lyrics, a la:

Two can be as bad as one It's the loneliest number since the number one = 2cbaba1itlnstn1

Once I had to have my sister retrieve something from my email for me, and when I gave her the password she thought it was the most deranged, impenetrable thing she'd ever seen.
posted by hermitosis at 8:13 AM on June 13, 2007


I use a similar approach to the one Rhomboid uses, but I keep my "large text file" in a small AES256 encrypted disk image that is backed up on a thumb drive. So, um, yeah.

On preview: Great idea, hermitosis!
posted by turing_test at 8:24 AM on June 13, 2007


Does anybody seriously change their passwords on a regular basis (unless required to by the system)? I'll admit that I don't.

I also only use a handful of passwords, all of which I contain in my head. If I ever get hit on the head, it'll be a problem.
posted by adamrice at 8:28 AM on June 13, 2007


I keep all of mine (and all of my clients) passwords translated into Edo period Japanese and then encrypted, and stored at the bottom of the enclosure of my pet Taipan, Squeegee.

It's a bastard when someone forgets a password and I need to look it up - but I can't be accused of lax security!

[And that Wired story was unnerving - but a good lesson]
posted by gomichild at 8:30 AM on June 13, 2007 [1 favorite]


It is surprisingly hard to emphasize the importance of having a proper password policy in a work environment. I've tried dozens of times to establish such a policy, trying a number of different methods to balance "ease of use" with "actual security." No luck. I've been constantly rebuffed. It's insane how some companies treat this stuff - from everyone sharing the same NT login to having the passwords, of course, be identical to the usernames.

I personally like FIPS-181 passwords, which are somewhat random but mostly pronounceable, and therefore easier to remember.
posted by odinsdream at 8:33 AM on June 13, 2007


You want to know what it is? It's Bosco.

You know, the chocolate syrup. I love that stuff. I pour it in milk. It's my favorite drink.
posted by raztaj at 8:35 AM on June 13, 2007


Rhomboid: I use a randomly generated password for every site I use. Yes, hundreds of them. There's no way I memorize them, I keep a plain text file listing all of them.
I also keep a text file with many different passwords in it, but I keep it inside a TrueCrypt volume. That way I only really have to remember the one TrueCrypt password, and the list isn't available to a hacker or a computer thief.

These days, web browsers like FireFox, Mozilla and Opera can do something similar and more convenient -- they remember your web passwords for you and keep them all encrypted with a master password. There are even some browser-agnostic JavaScript systems to do pretty much the same thing.
posted by Western Infidels at 8:48 AM on June 13, 2007


I wonder how far you'd get with a site that said "Is your password secure? Type it here and we'll tell you!"

Oh wait, Microsoft beat me to it. Wonder how many passwords they've gathered, and how well they correlate that to the user data they gather from Windows boxes.
posted by darksasami at 8:50 AM on June 13, 2007


odinsdream, I have the same problem here. At least I've gotten everyone to use a more secure password, but it's not good enough, in my opinion.
posted by chuckdarwin at 8:51 AM on June 13, 2007


I use really offensive words in my passwords, so people will be too offended to type them in.
posted by inigo2 at 8:54 AM on June 13, 2007


I change my password every ten minutes using a one-time pad after which I eat the page. Unfortunately that leaves me little time for home or work life, so I still live in my parent's basement.
posted by DU at 9:06 AM on June 13, 2007 [3 favorites]


I thought that Wayne State U. page was from The Onion.

How could people be that paranoid?
It's ridiculous.
posted by wfc123 at 9:10 AM on June 13, 2007


I've always had very secure and easy to remember passwords. Then IT came down with some prescriptions for Best Practices in creating passwords so I had to change. They now require caps and lowercase, punctuation and a number (the only thing I didn't use in my old formula was uppercase letters).

This was my first password: ThisIsMy1stPassword!

Can you guess what my second password will be? I'm told it should be very secure.
posted by effwerd at 9:19 AM on June 13, 2007


Because these days you end up with dozens of them. If you always use the same one, one shady operator will get access to all your stuff. If you use different ones, you forget 'em.

Bah. I've got over two dozen non-formula passwords in my head and I have no problems remembering them. Then again, I'm the type of guy that can recite my Drivers' License number, my checking account number (including routing number), and even my savings account number. The only cost has been that I no longer remember the name of my childhood dog, the face of my father, or whether or not I've ever had Chicken Pox.

No big deal, right?

/mostly kidding
posted by effwerd at 9:31 AM on June 13, 2007 [3 favorites]


If anybody wants to be me, go ahead. You can't say I didn't warn you.
posted by StickyCarpet at 9:38 AM on June 13, 2007


i hacked into bruce's account just to tell you that "josecuervo4me" is a weak password.
posted by bruce at 10:25 AM on June 13, 2007


I actually have a different point of view in regards to this whole computer security mess, one that comes from an analogy to the physical security of houses, cars, and bicycles. Just about any form of physical security you can afford to buy on a reasonable budget can be cracked by a knowledgeable crook in a short period of time. The purpose of deadbolts, safes, etc., is to encourage a crook to look down the street for easier targets.

Which is why I stopped worrying so much about differences in bit entropy, DES3 vs. AES, long passphrases vs. random passwords, or OTP. No one is going to waste time brute-forcing my 20-character passphrase when the same amount of time with dictionary attacks or social hacking can get a dozen other suckers.
posted by KirkJobSluder at 10:37 AM on June 13, 2007




These days, web browsers like FireFox, Mozilla and Opera can do something similar and more convenient -- they remember your web passwords for you and keep them all encrypted with a master password. There are even some browser-agnostic JavaScript systems to do pretty much the same thing.


Unless you forget to turn master password on...

"Passwords will appear in plain text in Mozilla unless Master Password is turned on."

Which means, if someone can get access to your computer (out to lunch at work) they can click "Show passwords" and they'll appear in plain text. Most people surf the same sites at work as they do at home (banking, etc.) so this person will now have your password. Disgruntled coworker anyone?
posted by Debaser626 at 10:43 AM on June 13, 2007


With the methods outlined above, I've found it easiest to use KeePass, open source, cross platform and secure. Remember a single very long, totally unique password. Generate random passwords for everything else.
posted by iamabot at 10:50 AM on June 13, 2007


Unless you forget to turn master password on...

Or didn't even know there was such a thing until just now! You'd think they'd have that on by default; I would've looked in the Security preference pane before now.
posted by jack_mo at 11:01 AM on June 13, 2007


You know I think we could all be missing the point here. It is only through mediocrity and lack of fame that ultimately we can protect ourselves from harassment and identity theft.
posted by gomichild at 11:05 AM on June 13, 2007 [2 favorites]


That's why my password is the price of a cheese pizza and a large soda at Panucci's Pizza: 1077
posted by subaruwrx at 11:57 AM on June 13, 2007 [1 favorite]


For a while, I kept my passwords in an encrypted text file (using vi -X); now I keep references to variants in it, like so: [standard admin password, but two numbers in the middle] (where I know what numbers I use when I use two numbers, and I know what my standard admin password is.) Works quite well for me, actually.
posted by davejay at 11:57 AM on June 13, 2007


Kirk,

Physical security is not computer security. You can totally drive a car through a wall to gain illicit access. This, however, leaves a car shaped hole.

Computer security breaks don't leave a hole. That's the problem.
posted by effugas at 12:34 PM on June 13, 2007


I'm guessing quonsar's passwords are all CAPS.
posted by eyeballkid at 1:16 PM on June 13, 2007 [1 favorite]


effugas: Physical security is not computer security. You can totally drive a car through a wall to gain illicit access. This, however, leaves a car shaped hole.

Computer security breaks don't leave a hole. That's the problem.


Certainly all metaphors break down at some point. On the other hand, one can also circumvent many of the security features mentioned here just by getting access to the computer in question or the hard drive.

But the basic principle remains: you need to scale your paranoia to the realistic level of risk you face, and the overall security of the system. And when you start looking at the big picture, including how easy it would be for a guy with a crowbar to just grab your workstation and any disks lying around your office, debates about password/phrase length, password vaults vs. paper-in-wallet, etc., etc. become trivial.

For me, that middle ground of paranoia is five-word diceware passphrases and single-key GPG encryption of sensitive data stored on systems I don't control. Which is a bit more paranoid in practice than any of my peers and co-workers, but not of the same level of paranoia as two-factor authentication and One-Time Passwords.
posted by KirkJobSluder at 1:27 PM on June 13, 2007


For most of my internet passwords, I have a pretty simple algorithm. Any shady admin who stores unhashed passwords could probably figure it out and OMG TAKE OVER MY FLICKR ACCOUNT.

But online banking is serious business, so I have very strong, randomized passwords for those. It's not too hard to memorize a few strings of numbers and letters, especially when muscle memory takes over.
posted by muddgirl at 1:46 PM on June 13, 2007


i *heart* passwordsafe

stores them in a cryptographically secure fashion. ideal for dropping onto a removable drive. also helps generate random[1] passwords when you need them.

well, pseudo-random. probably more random than a human would tend to generate.
posted by rmd1023 at 3:25 PM on June 13, 2007


The best secured systems are the ones that don't allow access to the usernames. The login name and the public display should be two separate fields. That way, you can set your public name to whatever you want and hopefully (if everything was designed properly) there are two pieces of data that a potential attacker would have to figure out.

Damn near impossible. Forcing password resets is also becoming obsolete for some of the reasons mentioned above. People are simply changing a single character or two in the password in order to get around the forced change. Also, even if you have a short expiry window, if that password is cracked within that window, it still gives the attacker ample time to do whatever they want with that account.

Allow users to customize their login/display name. Enforce a strong password policy and encourage users to change it somewhat frequently. Last, but definitely not least, have a good monitoring program in place that will detect brute force attempts on passwords (account lockout, notifications etc.). I've caught a number of individuals trying to crack accounts when I received a notice of 10 failed password attempts within a short time frame.
posted by purephase at 3:44 PM on June 13, 2007
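The monitoring purephase recommends, as an added illustration that is not code from any commenter or product: a threshold detector run over a constructed authentication log (ten failures against one account inside a short window raise one alert and mark the account locked; scattered failures do not). The log format, the threshold of 10 and the five-minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a web application's authentication log (not from any
# real system): ten failures against "chester" inside two minutes, plus
# scattered failures for "alice" that should not trigger anything.
SAMPLE_LOG = """\
2007-06-13T15:40:01Z LOGIN_FAIL user=chester src=192.0.2.10
2007-06-13T15:40:13Z LOGIN_FAIL user=chester src=192.0.2.10
2007-06-13T15:40:25Z LOGIN_FAIL user=chester src=192.0.2.10
2007-06-13T15:40:37Z LOGIN_FAIL user=chester src=192.0.2.10
2007-06-13T15:40:49Z LOGIN_FAIL user=chester src=192.0.2.11
2007-06-13T15:41:01Z LOGIN_FAIL user=chester src=192.0.2.11
2007-06-13T15:41:13Z LOGIN_FAIL user=chester src=192.0.2.11
2007-06-13T15:41:25Z LOGIN_FAIL user=chester src=192.0.2.11
2007-06-13T15:41:37Z LOGIN_FAIL user=chester src=192.0.2.11
2007-06-13T15:41:49Z LOGIN_FAIL user=chester src=192.0.2.11
2007-06-13T15:42:00Z LOGIN_FAIL user=alice src=198.51.100.7
2007-06-13T15:42:30Z LOGIN_OK user=alice src=198.51.100.7
2007-06-13T16:30:00Z LOGIN_FAIL user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_bursts(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag any account that accumulates `threshold` failed logins within
    `window`.  Returns (alerts, locked_accounts); one alert per account per
    burst, and the account stays locked afterwards (the lockout stand-in)."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, source) failures
    alerts, locked = [], set()
    for rec in filter(None, map(parse_line, lines)):
        user, now = rec["user"], rec["ts"]
        if rec["event"] == "LOGIN_OK":
            recent[user].clear()      # a successful login ends the streak
            continue
        q = recent[user]
        q.append((now, rec["src"]))
        while now - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in locked:
            locked.add(user)
            alerts.append({"user": user, "count": len(q),
                           "sources": sorted({src for _, src in q}),
                           "first": q[0][0], "last": now})
    return alerts, locked


if __name__ == "__main__":
    found, locked_accounts = detect_bursts(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"ALERT {a['user']}: {a['count']} failures from {a['sources']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```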


I don't get it. All the websites I use only let me use asterisks for passwords. No way am I telling anyone how many I use, though.
posted by Citizen Premier at 6:01 PM on June 13, 2007 [2 favorites]


I haven't read all the links yet, but might comment that easily guessable passwords are probably about the simplest way of "hacking" into a system.

Admins are often the laziest. Try sa, admin or sysadmin with either blank, the exact same term, a full-stop, or the perennial favourite, "god".

For regular users, knowing their pet's name, their partner's name, or their favourite sporting team is a good start.
posted by UbuRoivas at 6:52 PM on June 13, 2007


Citizen Premier: you reminded me of a Dilbert strip:

Pointy-haired-boss calls the helpdesk:

PHB: "The system is asking me to create a password, but when I type, it changes the password into six asterisks!"

HD: "Well, just make six asterisks your password."

PHB (thinks): "How ever am I going to remember that?"
posted by UbuRoivas at 6:54 PM on June 13, 2007


Only 30, Bennington had survived a tough past of drugs.

"I want to go back." Back to Charlie.


Tragic.
posted by UbuRoivas at 7:10 PM on June 13, 2007


WSOP Main Event winner Greg Raymer's account password was guessed earlier this year, but was picked up pretty quickly by observers when the hacker started playing like a donkey.
posted by cwhitfcd at 8:56 PM on June 13, 2007


Thanks for linking to my password generator, Western Infidels, but you mischaracterized what it does. It doesn't encrypt and store your site passwords behind a master password. It generates a different password for each site, using your master password and the URL as inputs to an MD5 hash algorithm.

This means that there's nothing stored, nothing that can be lost or hacked. The algorithm is simple, public, and portable, so you can always recreate your passwords, even without my page. But there's no way for any site's administrators to figure out from the password you use there either your master password or your password at any other site.
posted by nicwolff at 12:20 AM on June 14, 2007 [2 favorites]
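The scheme nicwolff describes, written out as an added illustration (not his generator's code): a per-site password derived from the master password and the site URL through MD5, alongside the same interface built on PBKDF2-HMAC-SHA256 so that a site which sees its own derived password faces a far slower search for the master. The concatenation order, the separator, the output lengths and the alphabet are assumptions, since the comment does not specify them.

```python
import hashlib
import string

# Exactly 64 symbols, so each six-bit chunk of derived key maps to one
# character with no modulo bias (the symbol set is an assumption).
ALPHABET = string.ascii_letters + string.digits + "!@"
assert len(ALPHABET) == 64


def site_password_md5(master: str, url: str, length: int = 12) -> str:
    """Per-site password as the comment describes it: MD5 over the master
    password and the site URL.  The ':' separator, the ordering and the
    truncation to `length` hex characters are assumptions."""
    digest = hashlib.md5(f"{master}:{url}".encode("utf-8")).hexdigest()
    return digest[:length]


def site_password_pbkdf2(master: str, url: str, length: int = 16,
                         iterations: int = 200_000) -> str:
    """Same interface on a deliberately slow derivation: PBKDF2-HMAC-SHA256
    keyed by the master password and salted with the URL.  Recovering the
    master from one site's password now costs `iterations` hashes per guess
    instead of a single MD5."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              url.encode("utf-8"), iterations, dklen=length)
    bits = int.from_bytes(key, "big")     # 8*length bits; we consume 6*length
    out = []
    for _ in range(length):
        bits, idx = divmod(bits, 64)
        out.append(ALPHABET[idx])
    return "".join(out)


def derive_all(master: str, urls) -> dict:
    """One PBKDF2-derived password per URL; nothing is stored, the master
    plus the URL list is enough to regenerate every entry."""
    return {u: site_password_pbkdf2(master, u) for u in urls}


if __name__ == "__main__":
    # constructed sample inputs, not real credentials
    master = "correct horse battery"
    sites = ["https://example.com", "https://example.org"]
    for url, pw in derive_all(master, sites).items():
        print(url, site_password_md5(master, url), pw)
```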


That's a pretty cool app, nicwolff.
posted by chuckdarwin at 1:35 AM on June 14, 2007


I have been using the same password at every single website, except for my bank and PayPal and at my university (where I am still using the password that they first gave me), for about a decade. That password is a single word that my first-grade teacher used to describe me on a report card. While it is not a common word, it is in the dictionary, and I really don't care at all... At worst, someone would read all the junk-mail in my gmail account and archive it for me. (Thanks in advance, if that happens!)
posted by Silly Ashles at 8:58 AM on June 14, 2007


Whoops. Sorry for the typos... My brain is protesting my sleeping habits.

*cowers*

posted by Silly Ashles at 9:08 AM on June 14, 2007


Silly Ashles; perhaps you don't realize how important control of e-mail is. It may indeed not be important to you, but have you thought about all of the places where you've registered or set up an account that offer an "I forgot my password" page? All of these generally e-mail password reset instructions to your e-mail address. It's assumed you control and read your own e-mail. However, if someone breaks into your gmail, they don't just get access to your junk mail and daily correspondence, but all of these password reset messages, and thus, any account attached to you via your e-mail address, including PayPal.
posted by odinsdream at 8:15 PM on June 29, 2007

