The password of 1,112 MeFiers is "123456"
March 30, 2010 9:08 PM   Subscribe

How I'd hack your password is a good introduction to how easy it is to compromise a weak password. What's a weak password? Anything among the top 20 passwords revealed among the thirty million users of RockYou is a good start ("123456" is #1). Or you can look at the 500 worst passwords as drawn by Kate Bingaman-Burt based on a list by security expert Mark Burnett. An analysis of password cracking software tells you what to avoid when trying to generate a strong password, but you can follow these techniques, or give up all together.
posted by blahblahblah (130 comments total) 55 users marked this as a favorite
 
123456? That's the same combination I have on my luggage!
posted by crapmatic at 9:17 PM on March 30, 2010 [18 favorites]


I've never had anyone hack my password, but then again, I'm not Joe either.
posted by fuq at 9:26 PM on March 30, 2010


I know it's a bad attitude to have, but I really just don't care or can't care anymore. There are so many things I have to log into, and I have such a poor memory that password moments turn into disasters almost every single time. My boss has had to reset my password into the timeclock so many times that the last time she gave me one of those "poor" ones and told me not to change it again. Frankly, I think most things that require passwords don't need the kind of detail they demand.
posted by Partario at 9:26 PM on March 30, 2010 [6 favorites]


"How I would hack your password" needs to be a nerdy version of a slow sultry R-Kelly song. It would go into long provocative detail describing in a low and silky smooth voice exactly how you would break into someone's computer and all the naughty things that would be done once the computer was broken in to.

I noticed that the "top 20 passwords" link had the best password choosing advice I have ever seen, which I will repeat here: pick phrase that you know you will never forget that someone would not guess you have memorized, and use the first letters of the words in that phrase: for example "ever since that day I have always hated lobster porridge" becomes "estdIhahlp" - throw a number or special symbol in there if you really think you have to, but it is not an easy thing to guess.
posted by idiopath at 9:27 PM on March 30, 2010 [5 favorites]


I have a foolproof system. 15 years ago or so, a couple of people let me use their accounts, back before I had my own internet account. They gave me their passwords and because I didn't want to have to remember another password, I just used their passwords when I got new accounts. Now there are variations on these passwords on different sites (caps, numbers, special characters etc.), so I don't use identical passwords everywhere, but I have a few standards. They're not words, so a dictionary attack shouldn't work and they're in no way associated with anything about me or my life or even anyone I still know (I don't even know what they mean), so having personal information about me wouldn't help.

(Yeah, I read the article. I know standard passwords are bad. I don't use the standards in important places).
posted by If only I had a penguin... at 9:29 PM on March 30, 2010 [1 favorite]


There's some good points, but I think the author made a big mistake in his estimate of how long it would take to test out the various password combinations. He calculated an attacker with a "reasonably fast connection" could try all 3 character combinations in under a second assuming the server had no lock-out rule.

Assume there are 100 valid characters in a password, that's 1000000 permutations. That's only 3 megabyte of passwords, which probably could be sent over a high speed connection in a second. But you can't just stream bytes at an authentication server and hope it lets you in, you have send the entire authentication string including username and related protocol overhead. That's going to be many times the size of the actual password.
posted by justkevin at 9:30 PM on March 30, 2010


I know it's a bad attitude to have, but I really just don't care or can't care anymore.

I'm with you. Frankly, I'd like to see an analysis of security risks prevented by passwords so strong that people JUST CANT REMEMBER THEM, so they have to physically write them down.

Here's what I do now: I have one or two basic words I use for passwords. I use one of those words, and whatever combo of numbers/length that particular site wants. Then I save a plain text file with stuff like "b*123." I know what the rest of the word that starts with "b" is, because I use it all the time.

If someone can get physical access to my computer, find that text file, and guess that rather obscure word, well then I guess they can commit some minor credit card fraud before I realize it, report it, and am liable for nothing anyway.
posted by drjimmy11 at 9:31 PM on March 30, 2010 [2 favorites]


YAY 1PASSWORD
posted by The Devil Tesla at 9:31 PM on March 30, 2010 [8 favorites]


I once had a site compromised because I was stupid -- it wasn't anything production-oriented, I'd just been tinkering with some code on my localhost, and pushed it up to a neglected, never-linked-to domain I owned to test it on another server. Lo, I left the insecure 'fast-to-type' password I'd used when working on my localhost. I got pulled onto other projects, and a couple months later came back to discover that someone had found the domain, guessed the admin login, and posted reams of gay porn.

No real harm done, and I scrubbed the hell out of the server after that, but it really drove home the point: weak passwords really DO get cracked, and strong ones DON'T.
posted by verb at 9:31 PM on March 30, 2010


500 worst passwords as drawn by Kate Bingaman-Burt
My new desktop wallpaper. Sweet.
posted by Fiasco da Gama at 9:33 PM on March 30, 2010


On another note, do you think "Beavis" is still in the top 500 today? I hope so.
posted by drjimmy11 at 9:34 PM on March 30, 2010 [1 favorite]


Th15 i5 5ur3 t0 w0rk!
posted by Artw at 9:34 PM on March 30, 2010


reams of gay porn.

Is that the official unit of measurement now?
posted by drjimmy11 at 9:36 PM on March 30, 2010 [26 favorites]


One of the better easy-to-do security tips I've read is to write down your password, then store it in your wallet. The rationale being that you almost always have that with you, are already taking precautions to guard it, and it's better than having it taped to your monitor.

One more recommendation to make it less likely to be used in the event of wallet loss: Write it in such a way as to make it look useless; e.g. if the password is SpecialSnowflake-768, write it as:
Special on
Snowflake designs
-768 Main
Getting people to use stronger passwords is not the main battle in computer security; user education can only go so far. More pressure should be put on companies to engineer better security and make it more usable; more demands should be put on governments to make better laws and enforce them more completely to make system compromise and identity theft a far more dangerous lifestyle.
posted by Hardcore Poser at 9:36 PM on March 30, 2010 [4 favorites]


I never guessed people would use (their? their spouse's? children's?) names as passwords. From now on I'm going to name my websites and use those as passwords. MeFi is now Lewis Beans Blankenship VI. Don't hack me, okay?

Like I'd trust you.
posted by sallybrown at 9:41 PM on March 30, 2010


There's a lot of crap talked about passwords: most passwords are cracked through social means, not brute force. Moreover, most people have a LOT of passwords. One approach I like is to have a hierarchy of passwords:

-- a throwaway dictionary word you use for stuff you don't care about, like one-time registrations and anytime you have to give a password where no secure information is involved. Example: GoldFish

-- a slightly harder but still easilly memorable password for sites that don't store any financial info (eg visa #s) but may store personal info like tel #s you'd rather keep private. Example: GoldFish42

-- a full on hard password (or several, preferably) for banks and any site which stores financial info (eg paypal, ebay, amazon etc). Example: +GFoilsdh42+

One tip for creating hard-but-memorable passwords is to interleave memorable words of the same length and use punctuation/numbers to space them out. For example, if your kids are called Mark and Anne, you interleave them as MAanrnke then add punctuation and a memorable number, so for example . Then if you want to write down a clue, you can write 'kids + rpm' or something.
posted by unSane at 9:45 PM on March 30, 2010 [1 favorite]


Even the smartest man on earth picked 'RAMESES II' so what do you expect.
posted by shakespeherian at 9:46 PM on March 30, 2010 [29 favorites]


*so for example !MAanrnke33!
posted by unSane at 9:47 PM on March 30, 2010


English names of Chinese medicines, a rich source of strong passwords.
posted by hortense at 9:48 PM on March 30, 2010


The Devil Tesla: “YAY 1PASSWORD”

1PASSWORD IS AN OVERPRICED WASTE OF TIME,
YAY KEEPASS!

posted by koeselitz at 9:50 PM on March 30, 2010 [11 favorites]


Incidentally it is astounding how many banking sites TD CANADA TRUST LOOKING AT YOU do not allow you to exceed 8 characters, and do not allow non-alphanumerics. I took this up with them and their response was essentially 'talk to the hand'.

Whereas Interactive Brokers actually send you a physical card with numbers and letters on it, and every time you log in EVERY GODAMMNED TIME you are given a challenge and have to refer to the physical card (or *cough* the scan you made of it on you desktop) to be able to get in, even if you gave the right password.
posted by unSane at 9:50 PM on March 30, 2010


Came for the luggage joke, left happy.
posted by mr_crash_davis mark II: Jazz Odyssey at 9:52 PM on March 30, 2010 [6 favorites]


I once worked on a site where, due to several overlapping restrictions from various peics of software involved (SAP was one of them) You had to have EXACTLY 8 characters, and no special characters. That drove me nuts.
posted by Artw at 9:54 PM on March 30, 2010 [1 favorite]


Some years ago I was talking to a cousin who's a generation or so older than I, and mentioned a nickname my mother told me the cousin had as a kid. "Omigod! No one remembers that! That's what I always use as my password!"

I'd never try to hack into my cousin's accounts, but her reaction made her password unforgettable. Now I use it as one of my six (or five? or seven?) standard passwords.
posted by goofyfoot at 9:55 PM on March 30, 2010


"How I would hack your password" needs to be a nerdy version of a slow sultry R-Kelly song. It would go into long provocative detail describing in a low and silky smooth voice exactly how you would break into someone's computer and all the naughty things that would be done once the computer was broken in to.

Replace "R. Kelly slow jam" with "chirpy indie electro-pop", and that song already exists.
posted by arto at 9:59 PM on March 30, 2010 [8 favorites]


This is a significant post for me. After 10 years here at metafilter with a password so easy to guess (it bore a remarkable similarity to my username) that the system should have rejected me for even trying to use it, I have just changed my metafilter password. For the first time.

It's crazy strong now.

Obviously I never did anything annoying enough for anyone to try hacking my account. Go me!
posted by Hildegarde at 10:03 PM on March 30, 2010


I used to have a password used for a very few, reasonably trusted, high value sites like banks, and another password for sites that were important to me but not terrible if compromised, and one last password for sites I didn't give much of a shit about.

Then I discovered this password generator and this userscript version of it.

I chose one password to memorize which I have never transmitted over any network connection, ever. I use that password and the above javascripts (or a tiny ruby script I wrote which does the same thing) to generate a unique password for every damn domain on the planet. My mail password is different from my google password is different from my facebook password, my twitter password, my myspace password, yadda yadda. If I'm on my own machine I can type "pass yahoo.com" and my ruby script generates the password for yahoo.com and copies it into my clipboard for pasting. Or I can just use the greasemonkey script to do the same thing on the page itself. IT IS AWESOME.

Tiny simple tools helped me go from "3 passwords I have to remember, giving some tiny protection against compromise, but not much" to "one password I have to remember, which generates unique passwords for every goddamn site out there".

Did it years ago and never went back.

IRONICALLY at the time I did this, there was no simple-to-use password change mechanism for metafilter (I don't know if that's changed since then) so metafilter is one of the only sites left that I still use my shitty old passwords for.
posted by edheil at 10:08 PM on March 30, 2010 [14 favorites]


I might have told this one before, it happened to a coworker:

GUY FROM NOC: Matt, one of your test machines is misbehaving, can you give us your login so we can reboot it?
MATT: Uh, I'm ten minutes from the office. I'll take care of it.
NOC: We'd really like to get this done now, can you give us your password?
MATT: Really? 10 minutes?
NOC: Really. This is a big problem.
MATT: Well, can you take me off speaker phone?
NOC: Okay.
MATT: My password is, um, "big_black_donkey_dick".
NOC: Um, you're still on speaker phone Matt, sorry about that.
posted by peeedro at 10:11 PM on March 30, 2010 [33 favorites]


I've never seen a better solution to the password problem than SuperGenPass.
posted by Combustible Edison Lighthouse at 10:12 PM on March 30, 2010 [1 favorite]


Mac Users - 1password
Windows Users - Roboform

The above have browser integration and some other nice features.

There is also KeePass, a cross platform solution that has less features and is a little less easy to work with in my experience.
posted by iamabot at 10:13 PM on March 30, 2010


How did that hacker know my wife's name is 123456?!?
posted by mazola at 10:14 PM on March 30, 2010 [3 favorites]


My important passwords are generally a alphanumeric sequence (a word spelled in g33k) based on the site type (gaming, app, whatever) with a letter or number based on the sitename in question added in the middle - so I can remember the individual passwords for different sites quite easily, they are all unique, and it's not immediately obvious from one password what other passwords would be.

This isn't my entire actual process (because discussing that semi-publically seems unwise) but you can get the idea. Start with a basic form or two and add variety based on the site itself according to pre-decided rules.

It's worked so far...
posted by Sparx at 10:16 PM on March 30, 2010


props for the Barcelona reference. "I tried your cat's name..."
posted by gac at 10:17 PM on March 30, 2010


i found it easier to memorize a poem, using the first letters of each word in a line, converting certain letters to numbers. plus it doesn't hurt to know a poem.
posted by fallacy of the beard at 10:17 PM on March 30, 2010 [1 favorite]


500 worst passwords as drawn by Kate Bingaman-Burt
Not to be too cranky, but writing a bunch of words on a piece of nice paper is not "drawing."

I've got a couple of solid standby passwords inspired by my university's email system nearly 20 years ago. Works like a charm.
posted by me3dia at 10:20 PM on March 30, 2010 [2 favorites]


My password is literally unhackable because I type it from the inside of the keyboard.
posted by turgid dahlia at 10:22 PM on March 30, 2010 [2 favorites]


koeselitz: "1PASSWORD IS AN OVERPRICED WASTE OF TIME,
YAY KEEPASS!
"

I know that KeePass has been getting attention lately thanks to the Joel Spoolsky crowd, but having tried the 2.x branch, let me simply say that it's got all the warning flags of bad security software:

* It's written by one guy
* He decided to write his own encryption scheme for 2.x
* it doesn't support SFTP / HTTPS, because it's 'unnecessary' in the author's estimation
* the donations page is filled with spam referrals

Its a time bomb, is what I'm saying.
posted by pwnguin at 10:24 PM on March 30, 2010 [6 favorites]


A friend of mine recently got a company laptop. He was concerned about the WPA password on his home router: "shitfacedcockmaster". He wondered if it might be possible for the IT folks at work to recover it. I told him Windows only stores the hex key generated by that password. I hope I told him right. ;)
posted by wierdo at 10:24 PM on March 30, 2010


I failed to mention that all my passwords were generated in 1994 or 1995 by the program Terminate.
posted by wierdo at 10:25 PM on March 30, 2010


Nthing keypass/keypassx. Free, cross-platform, very handy. I don't think I've ever seen most of my passwords in plaintext.

I'd be suspicious of any bookmarklet/browser-based password solution. Browsers have holes, period. I wouldn't trust your password store/generator to one.
posted by phooky at 10:27 PM on March 30, 2010


wierdo: he could just change the WPA password to "shit#faced@cock(master^&", which I am sure would earn more respect, being a much stronger password.
posted by idiopath at 10:28 PM on March 30, 2010


I tend to agree with Cormac Herley at Microsoft: Most security advice is not cost-effective to users.

Two choice quotes:
consider an exploit that a ffects 1% of users annually, and they waste 10 hours clearing up when they become victims. Any security advice should place a daily burden of no more than 10/(365 * 100) hours or 0.98 seconds per user in order to reduce rather than increase the amount of user time consumed.
There are about 180 million online adults in the US. At twice the US minimum wage one hour of user time is then worth $7.25*2*180e6 = $2.6 billion. A minute of user time per day is a $7.25 * 2 * 180e6 * 365/60 = $15:9 billion per year proposition. This places things in an entirely new light. We suggest that the main reason security advice is ignored is that it makes an enormous miscalculation: it treats as free a resource that is actually worth $2.6 billion an hour.

posted by anthill at 10:30 PM on March 30, 2010 [5 favorites]


As a heads-up, it appears that SuperGenPass has some security issues with its implementation.

For keeping passwords handy I'm a fan of PasswordSafe; open source and originally designed by Bruce Schneier. There's a free version and a paid U3 (bootable flash drive) version.
posted by Hardcore Poser at 10:32 PM on March 30, 2010 [2 favorites]


The one that kills me is our voicemail system. It has to be at least 8 digits and changed every 60 days. I can't remember 8 digits. I used to make patterns with the numeric keypad but I've already used up all the good ones. All so I can get to the one voicemail that someone leaves a month, because everyone else uses email like normal people.
posted by smackfu at 10:35 PM on March 30, 2010 [2 favorites]


One good piece of advice re: remembering passwords for many different sites, I think i was from Slate, was to come up with a formula that uses each site's URL.

Like: mmTTffIIttRR and then some number only you know.

Voila: a different, easily memorable password for any site.
posted by gottabefunky at 10:37 PM on March 30, 2010 [2 favorites]


The street addresses of my childhood friends. Uber obscure and satisfies the number+uppercase+lowercase that so many sysadmins are so hot for these days.
posted by squalor at 10:42 PM on March 30, 2010


Okay, so, what about password recovery questions?

I answer them in ways that are deliberately wrong, lest someone who loves me and knows how much I love candy canes tries to hack my account.

Favorite Author: Candy canes
Hometown: Candyland
First pet: A candy cane
posted by internet fraud detective squad, station number 9 at 10:44 PM on March 30, 2010 [9 favorites]


Hometown: Candyland

But what if this is true :/
posted by sallybrown at 10:53 PM on March 30, 2010


I've got a couple of solid standby passwords inspired by my university's email system nearly 20 years ago.

Ha! So do I.
posted by fshgrl at 11:01 PM on March 30, 2010


IT IS TRUE! Iam from a world of magic, sparkles, and most of all candy!

Candyland is a boring game that is really appropriative of my homeland, but it is OK

because I am from a CLOUD THAT IS EDIBLE
posted by internet fraud detective squad, station number 9 at 11:03 PM on March 30, 2010 [5 favorites]


YAY 1PASSWORD

Yay indeed. I love how it generates passwords like moab5him4yen5zod6i and I never have to remember it.
posted by special-k at 11:14 PM on March 30, 2010


This is scary stuff. I've been using my dog's name for my bank password for year.

*sigh* and tZn345loiuQR8 is such a good dog.
posted by Bonzai at 11:19 PM on March 30, 2010 [21 favorites]


> All so I can get to the one voicemail that someone leaves a month, because everyone else uses email like normal people.

squalor, have you considered turning the voicemail function off? I personally hate voicemail and always disable it on any telephone service I'm using. That then leaves only the normal people options of texting or emailing me.
posted by Pranksome Quaine at 11:27 PM on March 30, 2010


1PASSWORD IS AN OVERPRICED WASTE OF TIME

Maybe? I got it for 20 bucks through some promotion, and it's implementation is extremely polished (more so than KeePass) so I happen to love it. 40 bucks seems like a good price to me.

I don't know how secure it is. I don't really care, I doubt that anyone is going to hack into my computer at any moment, though I like that there is any encryption of my passwords at all.

Far more important to me is the fact that I can put a wide variety of different kinds of data into a secured enough location that is easy to access. 1password is that.
posted by The Devil Tesla at 11:31 PM on March 30, 2010 [3 favorites]


How to have the most secure passwords possible for free:

Install TrueCrypt. Create a small encrypted container. Create a blank text file within the container. The text file becomes your password list. The password for the encrypted container becomes the only password you need to remember. For all other (secure) passwords, figure out the the maximum number and types of characters allowed. Then go here and select an/ appropriate string/s of text. For added security, do the same thing for the username, if possible. Make different combinations for every website and store them in your passwords text file. Keep at least two copies of the encrypted container. Done.
posted by ferdinand.bardamu at 11:42 PM on March 30, 2010


1 Password does a couple of things that are GOOD in terms of the applications security model. They go in to it in great detail on the website, but their practices around the implementation are sound this far.

For purely windows users there is also PasswordSafe, which is both free and excellent from a cryptographic implementation point of view.

The hard part of good password databases isn't in the cryptography, it's in implementing the cryptography in such a manner that you do not compromise it unintentionally.
posted by iamabot at 11:49 PM on March 30, 2010


SuperGenPass is a version of my password generator (and credits mine as the original), which edheil linked to (an old version of) above. Since mine runs in a bookmarklet rather than in the DOM of the page, it doesn't have the vulnerability that Hardcore Poser mentions.

It really is a very simple solution to the problem of using the same password at many sites. Your master password does still have to be hard to guess and hard to brute force, but you only need one, and if someone pwns one of the sites you use it for, they don't get the passwords for any others.

Since all it's doing is base64(SHA1("masterpassword:domainname")) there's nothing proprietary about it, nothing to buy, nothing to carry around, and nothing to lose. Give it a try!
posted by nicwolff at 12:07 AM on March 31, 2010 [5 favorites]


No variation of "opensesame" in the 500 worst passwords list?
posted by telstar at 12:26 AM on March 31, 2010 [1 favorite]


No one's mentioned patterned passwords yet, AFAIK. They're fairly unpredictable, and can easily incorporate mixed-case, numeric, and symbol keys, yet remain easy to remember.

Examples:

zaq1@WSX
(up the first QWERTY column, press Shift, and down the next)

cft6&UJM
(chevron pattern, again holding Shift for the 2nd half)

Want something longer? How about:
zse4XDR%cft6VFR$

Crack that, bitches!

(Try to retype these on your keyboard, if my descriptions aren't clear.)
posted by IAmBroom at 12:32 AM on March 31, 2010 [3 favorites]


BTW, I use a simple system to change my password from site to site. I change a small portion based on the site name. Thus, my Metafilter password is Mpassword, but my AcmeExplosives.com account password is Apassword.

The recent bank collapse wave forced me to update several passwords, just based on the changes in site names...
posted by IAmBroom at 12:38 AM on March 31, 2010


Having a good strong password is a great idea, but it's a pointless waste of time if the site you have just joined thinks it's okay to email you your username and password in the clear to remind you that you have joined.

I just entered that fucking password on your site. You made me do it twice. I know what it is. Now, so does everyone my email has passed through...

It's normally forum software that does it, but yesterday I had the same bullshit from an online retailer...
posted by sodium lights the horizon at 2:14 AM on March 31, 2010 [2 favorites]


IAmBroom: These are, in fact, in any decent brute force suite. They are common...not quite as common as 12345654321, but close.
posted by jaduncan at 2:19 AM on March 31, 2010


Yeah but don't forget God. System operators love to use God. It's that whole male ego thing.
posted by _Lasar at 2:27 AM on March 31, 2010 [2 favorites]


Like Sparx and IAmBroom I have a system that creates a unique password for each site: in my case it's derived from the name of the website (though not the website's actual name, obviously), a passphrase and an alphanumeric sequence derived from an algorithm I can work out in my head in under five seconds. Some of my passwords end up quite long.

For sites with fixed password requirements, I have another password. It is very rude.

Back when I was working for other people, my work password was always "Ohfuckoff". Because I knew that roughly every six months someone from IT was going to ask for it.
posted by Hogshead at 3:46 AM on March 31, 2010 [1 favorite]


I'm working for the gummint right now, and omigod they want a tough password. Worst of all, we're forced to change our password every 45 days.

My strategy is to use the names of two of the pets I've had in the past (that gives me over a dozen names to choose from), but that breaks the rule against using words that can be dictionary-cracked. So then I displace the whole thing by one key, up, down or to the side, whatever works best for that pair of names.Then I toss in the requisite number of special characters and numbers to make the password filter happy.

Back when I was sysoping, I'd email the username and the password in different messages, with nary a mention of the term ""password" or "username" in them...usually it was "Here's that thing you wanted." Then I told people to never write their user name and their password o the same piece of paper, to prevent dumpster diving. I don't know if they listened, but we were never compromised, not that anyone would want to compromise a POS server.
posted by Jimmy Havok at 3:59 AM on March 31, 2010


Fourfourfourfourthats4fours&

I answered the challenge question for my cell provider to something like LAKSDJFOIUWERHOEROIUERH, and I regret it. Every time I call for support, they ask me what my password is, and I don't know, and then they ask me what my favorite hobby is, and I say rock climbing, and then they say no, it's LAKSDJFOIUWERHOEROIUERH, and I say "oh, let's change that to rock climbing then," but they never do.
posted by spikeleemajortomdickandharryconnickjrmints at 4:51 AM on March 31, 2010 [3 favorites]


When I get asked for the password, I always seem to be too drunk to remember that it is "Milwaukee."
posted by digsrus at 5:08 AM on March 31, 2010 [1 favorite]


I really wonder why so many people pick 123456 as their password. Well, I know, people suck at picking passwords, but why would 123456 be used so much more than 12345? Is it because of the "stigma" associated with 12345 (Spaceballs, etc), or is it something about 6 characters being "nicer" than 5 characters?
posted by ymgve at 6:09 AM on March 31, 2010


I just use crap that's on my desk. And cat macros. (I have no idea how my dad comes up with some of the passwords he does, which appear to be just keysmashes.)
posted by sperose at 6:12 AM on March 31, 2010


I, on the other hand, think that I will preserve the security of my passwords by not telling strangers on the internet the exact procedure I use to select my passwords.

Actually, for additional security, it'd probably be even more effective to lie to everybody about how I picked my passwords.

So, uh, this is what I do -- I count the number of characters in the web site's address. For example, metafilter has ten letters. This corresponds to Neon on the periodic table of elements. The atomic weight of Neon, of course, is 20.1797, which I spell out using the phonetic alphabet, but, and this is important, not using the commonplace NATO phonetic alphabet, but the US Phonetic alphabet from 1941-1956.

Hence, my metafilter password is TareWilliamOboeZebraEasyRogerOboe etc.

For important things like banking, of course, I transpose some numbers so that if anybody ever cracks the code they will be like "Wait, this guy thinks the atomic weight of Neon is 20.71?! He can't be a very good chemist, I bet he's poor, why should I even bother."
posted by Comrade_robot at 6:13 AM on March 31, 2010 [26 favorites]


Bosco! Bosco!
posted by briank at 6:14 AM on March 31, 2010 [1 favorite]


_Lasar: "63Yeah but don't forget God. System operators love to use God. It's that whole male ego thing."

Yeah. And that donkey_cock thing isn't at all.

A friend recommended an open source tool to be the other day. I went to the website and looked at the description. In addition to the specific tool, the site offered a password encryption and "cloud storage" utility. Only $12 a year or something. You enter all your passwords into this thing and they "keep them safe from prying eyes" and always available. I didn't feel so comfortable with this solution for some reason... did I mention that the website was from Russia?
posted by Drasher at 6:22 AM on March 31, 2010 [1 favorite]


I really wonder why so many people pick 123456 as their password. Well, I know, people suck at picking passwords, but why would 123456 be used so much more than 12345? Is it because of the "stigma" associated with 12345 (Spaceballs, etc), or is it something about 6 characters being "nicer" than 5 characters?

Perhaps password input fields require a minimum of six or more characters, so people just keep putting in numbers until the machine spits out a food pellet.
posted by Blazecock Pileon at 6:23 AM on March 31, 2010


p2ssw0rdFTW!

No variation of 'opensesame' in the 500 worst passwords list?

I use "opensaddlesoap" or "opensaskatchewan."
posted by kirkaracha at 6:25 AM on March 31, 2010 [1 favorite]




The easiest way to deal with forgetting passwords is to create a metapassword for security questions.

People may or may not guess your password is "ELzN3a3", but they sure as hell won't guess that Your Childhood Best Friend, Mother's Maiden Name, Family Pet, and Street You Lived On are all "Boo History and The Jerk Parishioners"
posted by Uther Bentrazor at 6:31 AM on March 31, 2010


nicwolff: thanks for the awesome script. :) I still use the old version cause I've got a lot of passwords out in the world that I generated with it.
posted by edheil at 6:31 AM on March 31, 2010


Oh, and that... When the ask for the security question thing...
I either flat out lie: What city were you born in? Jacksonville (HA!)
Or I answer a question with the truthful answer of a different question: What is your favorite color? Ralph.
Or just make something up: What was your first teacher's name? Fido.
posted by Drasher at 6:31 AM on March 31, 2010


Ha. 8675309! You can sing it! That almost makes me want to change my password to "11235!" after the Fibonaci reciting parrot on MathNet. (11235! Eureka!)

Also: I use other people's pet's names, and not my own. That's how tricksy I am!

(Though honestly, that guy who could hack passwords? Probably in about five minutes he'd have access to my internet identity and after being done feeling smug, would die of boredom.)
posted by grapefruitmoon at 6:39 AM on March 31, 2010 [1 favorite]


Also: the internet's not nerdy enough to have 314159 crack the top 500? I'm totally disappointed.
posted by grapefruitmoon at 6:41 AM on March 31, 2010


I think we ought to reconsider this whole "users" thing we keep asking computers to figure out for us.
posted by wobh at 6:46 AM on March 31, 2010


People may or may not guess your password is "ELzN3a3", but they sure as hell won't guess that Your Childhood Best Friend, Mother's Maiden Name, Family Pet, and Street You Lived On are all "Boo History and The Jerk Parishioners"

I actually use a system for making up the answers to those security questions, and I've ran into two problems. The first one is that a lot of them won't let you use the same answer for multiple security questions. The other problem, which I think is much worse, is that at least one banking site I know of actually makes the security questions multiple choice, and ask them every time you try to log into the site from an unrecognized PC (even before you enter your password). So if I type your user name in there, it's going to ask

Who was your childhood best friend?"
[ ] Ricky
[ ] Suzy
[ ] Boo History and The Jerk Parishoners
[ ] Ed

Even for people who use normal-looking security answers, it still gives the malicious user a four item list that they can use on other sites to try to answer security questions for that user name correctly.
posted by burnmp3s at 6:49 AM on March 31, 2010


(Though honestly, that guy who could hack passwords? Probably in about five minutes he'd have access to my internet identity and after being done feeling smug, would die of boredom.)

My main concern would be that by hacking my email account, someone would then be able to access others by simply searching my email for "password", or by reading my old mail.

Looking at my email archive on gmail, I have a lot of "password successfully changed" mails from various websites. So, armed with the knowledge that I have an account at say, the Private Cabal Bank of Metafilter*, they could then go to that institution's website, request a new password via email and then gain access.

If you get a newsletter from a company or other organization, then you may have a login on their site. One email account might even yield access to others you own. Someone with patience and access to your email account(s) could pick your entire life apart.

Now if you'll all excuse me, I'm off to clean out my inbox, deleted and sent mail folders. :P

There is no Private Cabal Bank of Metafilter. Please forget I mentioned it.
posted by zarq at 6:53 AM on March 31, 2010 [1 favorite]


It would go into long provocative detail describing in a low and silky smooth voice exactly how you would break into someone's computer and all the naughty things that would be done once the computer was broken in to.

And then corn would be served.
posted by octobersurprise at 6:56 AM on March 31, 2010 [2 favorites]


Let me tell you from personal experience -- the most diligent efforts to protect your information security won't protect you if you sleep with Tron's wife.
posted by brain_drain at 6:57 AM on March 31, 2010


I have great passwords, and I think I got the idea from Metafilter. I pick an album or a book, use the first letter of each word, and throw in some punctuation or a number somewhere. For example, Hawksley Workman's "Last Night We Were the Delicious Wolves" could be:
HWLnwwtdw! Or it could be LnwwtDw!hw. Or even Lnwwtd3liciousw!. Pretty unguessable.
posted by arcticwoman at 7:12 AM on March 31, 2010


Is there any good password already made for people who don't want to make their own?HAMBURGER
posted by mccarty.tim at 7:17 AM on March 31, 2010


I'd make a comment about my own password-generation scheme, but if I say too much what use will it be in keeping people from guessing my passwords?
posted by The Lurkers Support Me in Email at 7:43 AM on March 31, 2010 [1 favorite]


I hate pre-set security questions that are have stupid limitations for the character length and/or apply to only people who grew up in middle America. E.g. the city of birth needs 6 characters, high-school mascot, ...
posted by zeikka at 8:05 AM on March 31, 2010


the 'analysis of password cracking software' link is chilling. I don't personally have much to lose in getting hacked, but having robust security seems to involve a lot more than a strong password.
posted by Shit Parade at 8:08 AM on March 31, 2010


I think that study is inaccurate, because in my experience most people use the same password, "fudge," for everything. It's because fudge is so delicious.
posted by Nedroid at 8:15 AM on March 31, 2010


Just make one long series of random numbers and letters. Memorize it. It's not that hard if you only have to do it twice (one main, one backup for non important things).
posted by Malice at 8:25 AM on March 31, 2010


I used to work a job where twice a year, we'd run John the Ripper on the password file, and ask anyone who got caught in the first two (non brute force) sweeps to update their password to something more secure.

I was always amazed at how trivially easy some people's were; the guy with the giant Packers flag above his desk? "Packers", when we asked him to change it, the next time it was "GoPack".

And really, strong passwords aren't that hard; just make sure you have a reasonable length, it's not something easily guessed, but something you can remember, and it uses some shift characters; "2+2=Four" or "P@cker$!" and you have something that will stop the vast majority of people.
posted by quin at 8:47 AM on March 31, 2010 [1 favorite]


Okay, so, what about password recovery questions?

I know right? Give me a fucking RSA dongle if my password isn't enough. I hate, hate, hate security questions. No I don't remember my first car, no I don't remember my favorite teacher and I didn't stop reading after high school so I don't have a favorite book.

The only thing worse than the recovery question are sites that don't allow "special characters" in the password field but still require a "strong" password.

I'm convinced that most authentication systems are done by people with a poor understanding of what they're doing.

N.B. Bible verses work well for passwords, e.g., Genesis25:30 ... you have your caps, you have your special character and you have your number.
posted by geoff. at 8:51 AM on March 31, 2010


Almost everyone here is giving horrible advice. You deserve to have your accounts compromised.
posted by ferdinand.bardamu at 9:21 AM on March 31, 2010 [1 favorite]


I missed the Rock You security breach back when it first happened, but having heard about it now, I can't really say I'm surprised. Their information technology (IT) environment is pure chaos, as they prefer to hire "console cowboy" types. Their IT manager said that he doesn't really want to create or enforce policies, and that his team members are free to do whatever they feel like doing. The Director of IT is happy if there are x butts in y seats, and doesn't care about anything beyond that. They have no coherent trouble ticket system, and along with zero QA or other production quality controls, nobody there has any idea what anyone else is doing. A major security breach like this is the natural consequence of trying to drive an IT group like it's a clown car.

Good times, good times.
posted by nathanlindstrom at 9:30 AM on March 31, 2010


nicwolff: Since mine runs in a bookmarklet rather than in the DOM of the page, it doesn't have the vulnerability that Hardcore Poser mentions.

So is SuperGenPass also safe if you pop up its window to enter your master password?
posted by Combustible Edison Lighthouse at 9:32 AM on March 31, 2010


I just trust everybody.
posted by philip-random at 9:33 AM on March 31, 2010


There's a lot of crap talked about passwords: most passwords are cracked through social means, not brute force.

I doubt that that's true. I work for an ISP, and the passwords that get hacked are always the easy ones, though our site doesn't allow for brute force. I have yet to get a call from someone who was compromised because they gave their password to someone else, though to be fair they may not have known to mention it. But anecdotally, I believe far more passwords are guessed at random than obtained through social engineering (which works but takes a long time compared to other methods).
posted by krinklyfig at 9:44 AM on March 31, 2010


Nathanlindstrom... It was a SQL INJECTION ATTACK

You shouldn't need policies to avoid those. Just the tiniest bit of common sense. Clearly they were hiring the wrong kind of cowboy.

I'm pretty sure it was the kind that thought they were supposed to ride the cows to where they needed to be.
posted by flaterik at 10:20 AM on March 31, 2010 [1 favorite]


So is SuperGenPass also safe if you pop up its window to enter your master password?

I don't see that option in SuperGenPass, but if it will let you open its dialog in a separate window I guess that would be safer — but I don't know if it will then be able to populate the password fields in the other form's window.
posted by nicwolff at 10:23 AM on March 31, 2010


As far as the people giving up on creating strong passwords, you're not alone. Even some security experts have discussed as much in certain settings. It was pretty well discussed in episode 229 of Security Now (Transcripts are available here.)
They discuss Cormac Herley's paper mentioned above. This is where I first heard about it, and it's a great podcast about Security.
posted by MrBobaFett at 10:46 AM on March 31, 2010


I don't see that option in SuperGenPass, but if it will let you open its dialog in a separate window I guess that would be safer — but I don't know if it will then be able to populate the password fields in the other form's window.

It does. In fact, I was totally unaware of the option where you type your master password into the site's password field directly. If you click on the bookmarklet in an empty password field, it shows the popup, and then populates the field after you enter your master password in the popup.
posted by Combustible Edison Lighthouse at 10:56 AM on March 31, 2010


For web passwords, Passwordmaker for Firefox rocks. It's the same strategy as SuperGenPass, but can track your login name, too, making logging in just a keyboard command away, once you've entered the master password once (well, depending on exactly how you've configured it.)
posted by Zed at 11:21 AM on March 31, 2010


I wish we lived in a world where password requirements were (more) consistent. My default password is invalid on some sites because it ends in a number. So I've had to reset my password almost every time I've logged into the site because I can't recall what the crazy variation I used previously was, and then I can't change it to one that makes sense because all the ones that make sense are one of my previous 6 passwords. Some other sites don't like my passwords because they are too long, or don't contain enough special characters, or contain any/too many.

At work my password was denied because it contained a dictionary word. The password was )(go99_$temple. I tried many variations and different ones before I finally gave up. I didn't test if all passwords with the letters "I" or "A" (also dictionary words) were invalid as well.

Is there an ISO standard for password requirements? If not, there should be.

The script that generates a password based on URL sounds great, but I can't decide it changing my password on every single site is worth the trouble.
posted by Four Flavors at 11:52 AM on March 31, 2010


I would hack u if u would only lower ur shitwall.
posted by everichon at 12:28 PM on March 31, 2010


Have hotmail changed that thing where you could register expired email adresses? And then go request new passwords from half the sites on the net? Lot of people got their ICQ numbers stolen that way back in the day *sheds a tear*
posted by Iteki at 12:49 PM on March 31, 2010


I'd love to have strong passwords for everything. However, I've found that most banking sites don't allow the use of special characters. And in one display of spectacular incompetence, Capital One doesn't even allow case-sensitivity.
posted by lholladay at 12:52 PM on March 31, 2010




And there is lastpas.com, a browser extension for IE, Firefox, Chrome and Safari or a stand-lone program for Windows, Mac, Linux, Blackberry and Iphone (well those are premium), which can generate strong passwords of any size and complexity, uses auto-complete to automatically fill in forms with those hard-to-crack passwords so keyboard sniffers will not work, provides an export function for backup in your truecrypt folder, syncs passwords between browsers or multiple operating systems and can be downloaded from here
posted by marcelm at 1:26 PM on March 31, 2010 [1 favorite]


When the ask for the security question thing...
I either flat out lie


Back in the pre-internet-banking days, banks routinely used "mother's maiden name" (MMN) as a security question for phone transactions and the like. One time, since I realized it wouldn't be that hard to find out someone's MMN (public records, etc.) I gave my paternal grandmother's maiden name (PGMN) when asked for an MMN when opening a new account.

Flash-forward a few years. To that point, I've only done ordinary transactions with my account, nothing like a phone transaction requiring me to answer the security question. So I've completely forgotten I did this. Until one day I needed to do a phone transaction:

Banker: OK, to confirm your identity, would you tell me your MMN?
Me (confidently): [MMN].
Banker: I'm sorry, that's not what we have here.
Me: Huh? I can't think what else it might be...
Banker: We have [PGMN] down as your MMN.
Me: *facepalm*

I wasn't even trying to social engineer my own security answer, and still managed to do so.
posted by DevilsAdvocate at 1:50 PM on March 31, 2010 [2 favorites]


So according to these websites, my password is really freaking awesome. Yay!
posted by biochemist at 1:57 PM on March 31, 2010


Just make one long series of random numbers and letters. Memorize it. It's not that hard if you only have to do it twice (one main, one backup for non important things).

Unfortunately, that's not possible. As someone else observes upthread:

I wish we lived in a world where password requirements were (more) consistent. My default password is invalid on some sites because it ends in a number.

Seriously. I've got an OK set of passwords, but one of my more important accounts is at a place with an idiotic IT department. Who force you to change your password every 3 months, require that the password be between 6 and 8 characters (!), include one of a handful of non-alphabet characters (but not others!), fulfill various rules about consecutive letters, reserved strings, strings or letters present in previous passwords, etc.

Which means most of my password patterns produce things that are too long, include non-alphabet characters that are OK elsewhere but not valid here, or fall afoul of the string & letter rules. I feel so much safer now that I have to write my password down for the first month of every 3-month password period.
posted by ubersturm at 2:09 PM on March 31, 2010 [1 favorite]


I read a great tip once where you can create a really strong password which is still easy to remember by making an acronym out of a phrase you won't forget. For example, A penny saved is a penny earned = ApSiApE (plus a number, or whatever variations you want to strengthen it)
posted by hypersloth at 3:14 PM on March 31, 2010


hypersloth: "I read a great tip once where you can create a really strong password which is still easy to remember by making an acronym out of a phrase you won't forget."

Yeah, that is the method Bruce Schnier recommends, you are the third or fourth one to recommend it in this thread.
posted by idiopath at 3:29 PM on March 31, 2010


IAmBroom: "No one's mentioned patterned passwords yet, AFAIK. They're fairly unpredictable, and can easily incorporate mixed-case, numeric, and symbol keys, yet remain easy to remember."

My best friend in high school would ask me to look away when he was typing his password for anything. Sometimes he would tilt the keyboard almost 90º so I couldn't see. It was always odd but I never asked him about it. And then one day I cheated and looked at what he was typing and all the characters were from the number row. Well, I figured it out instantly: we were dorks in high school and memorized pi to 100 digits. I remember he changed his password to square roots (2141421356, because sqrt(2)=1.41421356) and I figured it out again before he learned his lesson.

(Sometimes we'd run into a site with his old pi-password and he could never remember how many characters it was. That always made for a comical couple of minutes as he tried entering 21 digits, 22 digits, 23 digits, etc.)
posted by yaymukund at 4:03 PM on March 31, 2010


As krinklyfig says above:

I work for an ISP, and the passwords that get hacked are always the easy ones, though our site doesn't allow for brute force

Exactly. Most of these scare stories assume websites are vulnerable to brute force. So why not institute a, say, five second pause between password attempts?
posted by mono blanco at 4:39 PM on March 31, 2010


mono blanco: "why not institute a, say, five second pause between password attempts?"

trying one password on 10000 usernames will likely get you in as reliably as 10000 passwords on one username - unless you suggest everyone should have to wait five seconds after the last person who logged in...
posted by idiopath at 4:51 PM on March 31, 2010


Obligatory xkcd.
posted by nathanlindstrom at 11:25 PM on March 31, 2010


Yeah, that is the method Bruce Schnier recommends, you are the third or fourth one to recommend it in this thread.

Sorry for missing it; I did Ctrl+F looking for "acronym" when I got tired of reading. IANAthreadreader.
posted by hypersloth at 3:03 AM on April 1, 2010


The one I use as a master password, and for sites I want reasonably high security on, is my Dad's old ham call sign. He had a hand-held ham radio and used it constantly, and every use had to start and end with the call sign. I mentioned this to my mother, who has been divorced from him for 15 years, and she was able to reel it off without even thinking. It was pounded into my head so often, I will never forget it. It's a non-dictionary mix of letters and numbers, and I've added a symbol to the end (because you always sign off with "NS4gkr 'clear'"). Yes, I changed the letters and number from the actual sign.

No, I'm not worried about my mother hacking any of my accounts. Heck, I told her the pattern I use for most, and given 10-20 minutes, she could probably guess all of them. If I die suddenly everything will be clean-up-able.
posted by timepiece at 9:34 AM on April 1, 2010


I just changed my Metafilter password!

That's right, it was "monkey". A little ashamed to admit it, but that's what I used when I signed up (never realizing I wouldn't be able to change it!). And it remained so until today - one day shy of 5 years after I first opened an account. As far as I know, nobody else ever tried logging in as me, which is a matter of luck more than anything else. But now it is SOMETHING DIFFERENT, and not something I am liable to forget - however, it's probably going to take me several tries to figure it out next time I need it, because I won't remember which password I used here. Good thing I never log out, right?

In my mind, there are only a few good ways to make a strong password:
1. Length is really the only thing that makes a password hard to crack. Seriously. Limiting your character set makes this simpler for a potential password cracker, but a 20 character password in all lowercase is harder to crack than an 8 character password using caps, numbers, and non-alphanumeric characters.
2. Spaces are characters too. Type an actual sentence. Crackers can't guess it one word at a time - a sentence is easy to remember, easy to type, but hard to guess because it is long. Especially if you punctuate correctly. For example, consider the following: "You're going to need a bigger boat." 37 characters, including punctuation (and yes I include the quotation marks as part of the punctuation). See #1.
2.a As an advantage of this approach, to a key logger "RyMt9UmM!" looks like an obvious password, doesn't it? But "Remind your mother to pick up more milk", the base sentence from which the password was supposedly securely derived, would NOT likely be picked up by a key logger, because it doesn't look like a password. The only way it would be noticed as a password rather than as noise would be if the logger was also able to watch where this phrase was typed, or if the person analyzing the log noticed that the phrase was typed exactly as above, much more often than would be expected. Amazon knows this - they're pushing passphrases rather than passwords for one-click sales now.
3. If you are forced to change it regularly, pick a paradigm that allows you to change it in ways you can predict. Such as a number appended, that increments with each change, or add a date code somewhere for the last day/month/etc you changed it, that sort of thing. The best thing is that this sort of approach also makes your base password longer. See #1.
4. If you are limited in some way - the program won't allow spaces or other characters, or the password must conform to some idiotic combination of specific patterns (and really, including such patterning rules just makes the password easier to predict, right?) or even worse if the length is arbitrarily limited - and all of these restrictions tend to come together, don't they? - well, you're screwed anyway, and you might as well just use AbCd1@3$ and be done with it.

Finally, the point of a password is to have a secret that you remember but other people can't guess. So, making great passwords that you can't remember (and then protecting them all in one place using one master password) seems like a rather silly thing to do. I don't have to guess your passwords - all I have to guess is ONE of your passwords, your One Ring if you will, and then I have them all. This is secure how?
posted by caution live frogs at 9:39 AM on April 1, 2010


(If it wasn't clear - the point to 3 is not to add predictability to your password, but to allow you to satisfy change requirements without also having to resort to writing down or storing your password.)
posted by caution live frogs at 9:42 AM on April 1, 2010


How many people, when forced to use numbers and letters, just substitute numbers for letters? "S1ng4p0re" isn't really that secure.
posted by smackfu at 9:57 AM on April 1, 2010 [1 favorite]


This is secure how?

Because if you have just one password to remember, you can make it long and secure. If you have dozens or hundreds, you have to either reuse them or write them down, neither of which is secure.

however, it's probably going to take me several tries to figure it out next time I need it, because I won't remember which password I used here

See?
posted by nicwolff at 12:50 PM on April 1, 2010


Security can seem like a chore sometimes, but the Punchcast password generator generates a bunch of passwords in a single pass. (yes it's yet another solution based on Nic Wolffs script)
posted by Lanark at 4:18 PM on April 1, 2010


If you have one password to remember, you're relying on the integrity of every site you use. All you need is for one of them to do something stupid like store it in cleartext and to be compromised (which may or may not require them having done something stupid), and then someone has your password to everything and could post it on the net alongside your other account info just for giggles.

(This isn't a crazy hypothetical; it happened just last year at Perlmonks.)
posted by Zed at 4:45 PM on April 1, 2010


Naturally, it's after I hit "post" that I actually notice the context was using a master password to generate passwords on a per site basis. I'll go crawl under a rock now.
posted by Zed at 4:48 PM on April 1, 2010


caution live frogs: "As an advantage of this approach, to a key logger "RyMt9UmM!" looks like an obvious password, doesn't it?"

HAH. I play nethack, so on some days that is what 99% of my keystrokes look like.
posted by idiopath at 12:32 AM on April 2, 2010 [2 favorites]


Hmm... none of these worked for "eideteker" on twitter. (And yes, I tried e-mailing the owner of the abandoned account, to no avail.)
posted by Eideteker at 12:44 PM on April 2, 2010


« Older Stay Classy, Arizona   |   Renminbi Appreciation and US Policy Newer »


This thread has been archived and is closed to new comments