

I’m sorry, but were you actually trying to remember your comical passwords? - troyhunt
http://www.troyhunt.com/2011/08/im-sorry-but-were-you-actually-trying.html

======
yaakov34
I agree with him - it's impossible to remember a unique high-entropy password
for every account. I disagree that password managers are the solution. They
are a huge single point of failure both for getting locked out of accounts and
for security breaches.

I think passwords are fundamentally broken as a security mechanism, once you
take human psychology into consideration. We've spent decades trying to teach
people to pick better passwords. That didn't work; people still pick stuff
that gets cracked in minutes. And now, as Randall Munroe said, it turns out
that the "better" passwords we taught people to use are actually very bad.
Great, let's spend the next 3 decades teaching people to use long passphrases,
and watch that fail too. Then we can start teaching them to stop sharing and
reusing passwords (good luck).

A security token (<http://en.wikipedia.org/wiki/Security_token>) is a
fundamentally better solution to authentication. It's not perfect and it's not
a panacea, as the RSA security leak/breach shows. But it's better than a
completely broken paradigm. Once these tokens acquire enough compute power to
perform challenge-response calculations internally, they will be very safe
even at untrusted terminals. They've already become ubiquitous in places that
really care about authentication on a large scale (like the military), and
they should become ubiquitous everywhere. You can have several of them (one
for banking sites, one for social...), to avoid single points of failure. They
are reliable, and you know when you've lost one. A leaked password manager
password, on the other hand, could have the attacker using your logins for
months.

A technical solution is preferable to a solution which involves changing human
behavior on a massive scale; that is just not going to happen.

~~~
blahedo
So now we're carrying around 130 security tokens? Unless you're talking about
this in conjunction with a password manager, all the OP's arguments apply to
this too.

~~~
yaakov34
The token would either have to work with a single-sign-on authority that would
authenticate you to other parties (like OpenID, but hopefully easier to use),
or it would contain multiple "authentication slots" for the parties that issue
credentials. Both things already exist today, although I don't think they are
very widely deployed. But certainly companies that deploy something like the
RSA tokens have a company-wide single sign in working with them, and there is
no reason for that to stay within one company. Both solutions are technically
very different from a password manager.

------
cubicle67
related: wondering if anyone can offer feedback on an idea I've just
implemented:

We're in the process of building a new app and I was giving serious thought to
the whole password thing, account creation and lowering barriers to entry.
What we've come up with is a means of enabling users to go pretty much
password free if they so desire.

What we've done is taken the usual email verification/password reset link
(something like /keys/65a8c7bc16e759f28d37950664a397d231c552f9) and instead of
directing the user to an account setup or password reset page, we use this to
authenticate the user and log them into the app. Currently the links expire
but I'm toying with extending the length out to a month or more. Users are
free to create and use passwords if they prefer.

Internally keys are treated like passwords (we use bcrypt) with the exception
that a user can have multiple valid keys and keys expire.

Weaknesses I can see are: someone who has access to email (physical machine)
can log in, and will it be a pain to launch an app from an email link (for me,
yes, but I've seen users do some very Rube Goldberg-esque things to get to
websites). Aside from the physical/email access I think it's probably more
secure than the usual users' choice of password.

~~~
troyhunt
Security by obscurity and a perfect example of failure to restrict URL access:
[http://www.troyhunt.com/2011/08/owasp-top-10-for-net-develop...](http://www.troyhunt.com/2011/08/owasp-top-10-for-net-developers-part-8.html)

These URLs are exposed in all sorts of places; browser history, proxy servers,
web server logs and ISP gateways to name just a few. Never put secrets in URLs
and expect them to remain secret.

Here's an objective suggestion - put the proposal over on stackoverflow.com
and see what response you get.
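The login-by-link scheme cubicle67 describes, with the mitigations troyhunt's objection calls for (a key that is useful only briefly and only once, stored hashed so a leaked table yields nothing). This is an added illustration, not code from either poster's app; the in-memory store, the 15-minute default lifetime and the use of SHA-256 in place of bcrypt (a 160-bit random key cannot be guessed, so the slow hash bcrypt provides for low-entropy passwords buys nothing here) are assumptions of the example.

```python
import hashlib
import secrets
import time


class LoginLinkStore:
    """Issue and redeem email login keys of the /keys/<hex> kind.

    Constructed example: a dict stands in for the app's database.
    Each key is 160 random bits (the same shape as the hex key in the
    post), is kept only as its SHA-256 digest, expires after `ttl`
    seconds and can be redeemed exactly once. Even if the link is
    copied from a mail server log, browser history or proxy log, it is
    worthless after first use or after the TTL has passed.
    """

    def __init__(self, ttl_seconds=15 * 60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can move time
        self._keys = {}             # sha256 digest -> (user, expires_at)

    @staticmethod
    def _digest(key):
        # Assumption: SHA-256 instead of bcrypt; the key is random and
        # high-entropy, so a work-factor hash is not needed to resist
        # guessing. Hashing still keeps raw keys out of the database.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, user):
        """Return the secret key to embed in the emailed link."""
        key = secrets.token_hex(20)  # 40 hex chars, 160 bits
        self._keys[self._digest(key)] = (user, self.clock() + self.ttl)
        return key

    def redeem(self, key):
        """Return the user for a valid key, or None. Consumes the key."""
        entry = self._keys.pop(self._digest(key), None)  # single use
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() > expires_at:
            return None  # expired; already removed above
        return user
```

A password reset on the same account should also purge any keys still outstanding for it, which with this layout is a scan of the dict values.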

~~~
cubicle67
First, it's ssl only. Second, the alternative (which I'm trying to avoid and
where this idea came from) is a user being prompted for a password and
responding something like "er, um... Password123" or just using the same
password they use for everything else.

The idea was that this may give users a bit more time to think about
passwords, and possibly be more secure than the usual passwords. Stating the
idea here is giving me some good things to consider.

~~~
mattgreenrocks
Why not use OAuth or something similar so you deal with auth tokens, rather
than passwords?

~~~
cubicle67
Because I'm dealing with exactly the type of users who think 1234 is a great
password.

------
RexRollman
I've been looking at this for a while and there really isn't a good solution,
in my opinion. So, inspired by a Bruce Schneier post about writing down
passwords, my solution is to keep site passwords in a bcrypt encrypted text
file, which I print from time to time.

(I chose bcrypt because it works in the command line, which I favor, and it
runs in Linux, BSD, or Windows. I would have chosen scrypt but there isn't a
Windows binary for it yet.)

~~~
Revisor
You are poorly duplicating a password manager, which is an encrypted DB of
passwords plus some UX goodness (autotype, file storage, notes, URLs, folders
etc)

~~~
dchest
Simplicity is good. He knows how his system works, and can extract passwords
even if the password manager company goes out of business and the program no
longer works after an OS/hardware update. Using a very simple (~1000 lines of
code) open source cross-platform tool and plain text is future-proof.

------
blackRust
TL;DR Get a password manager

The first part is interesting; if you had been less verbose on ALL the
different accounts you had, it would have been a more interesting read.

There are still undeniable issues of using a password manager if you lose the
data (or your master password is compromised, but let's not get into that).

~~~
shabble
The problem with password managers (or any scheme that creates unique,
non-memorable passwords) is that should you need to access a particular service
when you don't have your manager available, you're SOL. Being able to pull
things out of dropbox and whatever on your phone are nice, but it's another
thing to have to rely on.

I've thought a bit about this in the past, mostly relating to setting remote
sshd to disable passwords entirely, and only accept PKI logins - what if you
need to get in, and don't have your key?

The google 2-factor with optional 'emergency 1-time use codes' that you can
print and carry in your wallet is a nice solution to half of the problem (the
other half being, if you're not using a computer you control, how do you
securely access your password manager?)

I don't really have a solution, other than "remember to take your phone with
you", and possibly "ensure that at least your primary email is accessible via
1-time codes or a memorable (and strong) password."

~~~
injekt
I agree this is an issue, and one I've come across a couple of times. I use
1Password for OS X and iOS. I have the database synced with my Dropbox and
backed up locally too. I have two strong passwords that I remember. One is to
open up 1Password, and the other is for my personal email address. Now's the
time people start yelling at me telling me I should use 1Password for my
personal email login too, but that proved, many times, extremely inconvenient.

I use the Chrome and Safari 1Password extensions for 1-click logins, and it's
a setup I'm extremely happy with. On the few occasions I've needed to access
an account without access to my 1Password, I've reset my password via my
personal email address and changed the password when I next have access to
1Password. I'm not going to pretend password managers solve all problems, but
they certainly help.

------
tripzilch
This guy's problem seems to be mostly that he can't help himself smearing his
sensitive PI all over the Internet, everywhere he goes.

And he's right, if that's your handicap, a password manager is probably the
right crutch.

Not saying a password manager isn't a very useful, convenient and most
definitely secure tool otherwise, but _wow_. Doesn't he realize you don't need
to give every website every little tidbit of information they ask you? Or that
if they do require it, you're allowed to lie your tits off? And that you
really don't need to re-use the same account over and over again if you buy at
the same place?

And finally, that if some business does require all this information about
you, as well as requires it to be true and unique, you probably shouldn't just
suck it and bend over, unless, possibly, it's your bank and you really don't
have a choice?

This is just bad personal information hygiene, yuck.

~~~
troyhunt
Unfortunately having your PI spread over the internet is now an inevitability,
if not through your banking then through your shopping or through your social
interactions. We all have our PI smeared out over the web to varying degrees,
just look at how many sources of information can be used to start profiling
someone with a unique username they reuse:
[http://www.google.com.au/search?sourceid=chrome&ie=UTF-8...](http://www.google.com.au/search?sourceid=chrome&ie=UTF-8&q=tripzilch)

So we protect our online interests as best we can because we have accounts on
Hacker News / Twitter / Stack Overflow / You Tube etc. and even if not
exposing PI via the registration process, we expose it via our activities and
we want to retain control over that important aspect of our lives. But really,
how much information you divulge about yourself is a parallel discussion; I
want to protect ANY accounts I create online, regardless of how little
information I provide.

------
pilif
The main issue I have with password managers aside of being inconvenient and
missing when you most need them: They are a bad single point of failure.

Using a local password manager, the file could get corrupted or it's not there
when I need it in an emergency. Using a remote one, like LastPass, I risk my
passwords getting compromised all at once (though maybe not in LastPass' case
due to how their architecture works) or, again, not having access to them when
I need them.

I have too many machines I'm using for various kinds of work where I need
different types of passwords. Too many to sync over my passwords and some not
even my own, so I don't even _want_ to sync anything there.

Now I have 4 strong passwords I use. One for banking/financial stuff only, one
for work, one for "valuable" private accounts bound to my identity (this
account here for example) and one for crappy sites I have to give a password
to and I don't care if they lose it.

This way I'm not dependent on that password manager being available at a bad
time.

The thought of not being able to log into some server people need me to fix
just because there's no 3g access in the data center or because an update to
the password app on the phone didn't re-import the old data correctly is
absolutely daunting to me.

Especially because these kinds of failures feel more likely to me than one of
my more secure passwords leaking out.

~~~
Revisor
You are afraid that you won't have access to a strong password in case of
emergency and therefore you choose to use a weak password? That doesn't make
sense to me.

Wouldn't a better solution be to use a password manager and always have a
current and working copy on you when you go out? I'm pretty sure it's doable
and can be automated. Keepass + Dropbox being one possibility but you can make
it more robust if you feel the need to.

Reuse of passwords is a much worse alternative than not being able to fix
someone's server on the spot.

------
ordinary
What's wrong with good old pen and paper?

------
con5ole
When has an online service been compromised by brute forcing a password? Are
there any records of this ever taking place?

I don't mean when someone guesses that the password is "123456" or "passw0rd",
or when the password was revealed to a crook by mistake.

I mean situations where say, "gr8shoes" was not secure enough but
"h43&22981gTddB%&$!" would have been.

~~~
dspillett
I've seen bots try thousands of passwords for a single account on services
that I've had access to the logs for. I can't name any instance when a
password has been found by brute force rather than human engineering (or by
bypassing authentication completely due to exploiting a software bug), and
I've not seen it often, but there is code out there actively trying.

Tools like fail2ban help a little here, but can't do much against a large
botnet. Adding artificial delays into the authentication process can slow down
a brute-force attempt without inconveniencing real users at all, but that
botnet has a lot of time on its hands. It might not happen often, but attempts
are made often enough (i.e. more than never) for keeping strong passwords to
be worthwhile.
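The "artificial delays" dspillett mentions, worked through as an added example (not code from any poster or service). Because a botnet spreads its guesses across many source addresses, a per-IP tool like fail2ban sees few failures from each one; this throttle is therefore keyed on the account under attack instead, doubling the delay after every failure up to a cap, while a user who gets the password right first time never waits. The 1 s base delay, 300 s cap and one-hour reset window are assumed values.

```python
import time


class LoginThrottle:
    """Per-account exponential back-off for failed logins (constructed)."""

    def __init__(self, base_delay=1.0, max_delay=300.0,
                 reset_after=3600.0, clock=time.time):
        self.base = base_delay          # delay after the first failure
        self.cap = max_delay            # longest delay ever imposed
        self.reset_after = reset_after  # quiet period that clears the count
        self.clock = clock              # injectable so tests can move time
        self._state = {}                # account -> (failures, not_before, last)

    def wait_time(self, account):
        """Seconds the caller must still wait before `account` may try."""
        state = self._state.get(account)
        if state is None:
            return 0.0
        failures, not_before, last = state
        now = self.clock()
        if now - last > self.reset_after:
            del self._state[account]    # old failures no longer count
            return 0.0
        return max(0.0, not_before - now)

    def record_failure(self, account):
        """Count a failed attempt; return the delay now imposed."""
        now = self.clock()
        failures = 0
        state = self._state.get(account)
        if state is not None and now - state[2] <= self.reset_after:
            failures = state[0]
        failures += 1
        delay = min(self.cap, self.base * 2 ** (failures - 1))
        self._state[account] = (failures, now + delay, now)
        return delay

    def record_success(self, account):
        self._state.pop(account, None)


def attempt_login(throttle, account, password, check_password):
    """Gate check_password behind the throttle. Returns (ok, delay).

    While a delay is pending the password is not evaluated at all, so
    each guess costs the attacker the full wait regardless of source IP.
    """
    remaining = throttle.wait_time(account)
    if remaining > 0:
        return False, remaining
    if check_password(account, password):
        throttle.record_success(account)
        return True, 0.0
    return False, throttle.record_failure(account)
```

The delay is returned rather than slept so the web layer can decide whether to sleep, answer 429, or queue the request; what matters is that no password check runs before `not_before`.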

~~~
con5ole
Thanks, that is interesting and kind of matches my reasoning.

I have a feeling the debate is a bit colored by leftover paranoia from the
times when several users shared one computer and the password database was
easy to get hold of.

Unless the attacker somehow manages to grab your password database (and not
your content, which would be an interesting setup in itself) he won't be able
to brute force you. He will only be able to lucky-guess you. And you don't
need 24 random characters to block a lucky guess scheme. :)

~~~
Hyena
This was my thought as well, I've never heard of a brute force attempt working
in the real world.

------
alinajaf
My strategy for passwords (that's been working well so far) has been to have
an easily mentally applicable password function that I use to generate/remember
passwords and change that every year.

For example, if it's my google account, the site's name is 'google'. I take the
first two characters 'g' and 'o' and think of the first animals that come to
mind (for me it's giraffe and ostrich), then replace all obviously changeable
vowels with numbers (so they become g1r4ff3 and 0str1ch). I then concatenate
them with a % symbol, prefix with a _ and suffix with a #, giving me a
password of:

_g1r4ff3%0str1ch#

Which I think is a fairly strong password. It also means I have a unique
password for every site I have an account with. Of course if you figure out my
function then you know all my passwords, which is the reason I change it every
year or so.

~~~
Revisor
No, it's not a strong password just because it looks like it (which is the
point of the latest articles). You choose from a small group of words
(animals) and do a naive character substitution that specialized programs can
(and do) anticipate.

~~~
kmm
I'm having difficulties believing that specialized programs can include all
these strategies.

------
jdelsman
1Password on the Mac is great. I actually also have the iPhone application,
and I can't imagine what I'd do without it now. Well, especially since now all
of my passwords are random for the most part. I'd definitely recommend it.

The only downside is that they don't have a version for Linux. Oh well.

~~~
falava
1PasswordAnywhere + DropBox:
<http://help.agile.ws/1Password3/1passwordanywhere.html>

~~~
jdelsman
Unfortunately, DropBox doesn't work in China. I have resorted to using a USB
thumbdrive, but that's not as elegant. Can't use VPN at work, either, which
sucks.

------
pragmatic
<http://www.joelonsoftware.com/items/2008/09/11b.html>

Dropbox + Keepass portable works well for me. I use the password plus a key
file which is never in dropbox also, just in case dropbox gets compromised.

[http://www.schneier.com/blog/archives/2005/06/write_down_you...](http://www.schneier.com/blog/archives/2005/06/write_down_your.html)

> Microsoft's Jesper Johansson urged people to write down their passwords.

> This is good advice, and I've been saying it for years.

Keepass has an android version also. I have my passwords everywhere I go.

------
leif
This is far and away _not_ the best solution, but it works for me, and I can
use it with only mild annoyance from a computer where I haven't "installed"
it, by using an online sha256 generator. On a mac, replace "sha256sum" with
"shasum -a 256".

I hope this is useful for somebody: <https://gist.github.com/1013465>

I also suggest that if you have multiple accounts on a single site, you run
"mypass user@domain.com" instead of just domain. It works fine either way,
just be sure you are consistent across all sites, lest you forget your scheme.

------
jeffool
My biggest problem with passwords? That so many sites aren't up front with
what's allowed in their passwords. Sites should tell you how long your
password can be, and what characters you can use in it.

I just know that since I started using a password manager, I don't even know
most of my passwords, they're about twenty characters long, a jumble of
characters (letters, numbers, and symbols), and I'm happy with that.

I don't even think Google's password length is known, is it? I get that this
means others don't know how long it could be either, but, that doesn't seem
vitally worthwhile. Maybe I'm wrong.

~~~
r00fus
> That so many sites aren't up front with what's allowed in their passwords.

This makes complete sense... they feel that obscurity will aid in defending
attacks (esp. if they have some ridiculously small password-space like 6
digits).

Considering it's a small inconvenience when you first create your user
password, then from a cost/benefit point of view, I can see why they wouldn't
advertise this info.

------
afairchild
Password grids are a good low-tech alternative to password managers. Here is a
good explanation:

<http://www.vvsss.com/grid/>

And here is a javascript (client-only) program that I wrote that can generate
printable grids:

<http://purevirtual.com/~anthony/password-grids.html>

------
TorKlingberg
The problem with password managers is that you need to have it with you. With
a phone app that becomes more likely, but smartphones run out of battery all
the time. What about when I'm visiting someone, the phone is out of battery
and I want to check my email on their computer? Or when I'm on a trip, the
phone is dead again because I haven't found a socket for a while, and I want
to book a ticket somewhere?

~~~
Revisor
Use Dropbox, sync the DB to a flash drive aka use a more robust solution than
a smartphone, or get used to it that encrypted passwords may mean there will
be situations where you won't have access to them.

------
jarek
So does this guy have different Facebook and Twitter passwords? HN and Reddit
passwords? Why?

------
MostAwesomeDude
The takeaway from this article is actually, to me, quite amusing: Have fewer
accounts. From online banking (he does online banking! laughing-girls.jpg) to
shopping to _eighteen_ social media accounts -- this is too much!

Admittedly, I don't do Netflix, or iTunes; I use passwords like "I bet
shittyforums.example.com uses plaintext" for shitty one-off forums; when I
don't care about a site, but want to see its content, I participate in
BugMeNot. I actively work to reduce the number of things I'm signed up for.

~~~
Meai
That's like saying "I can't carry that much food, the solution is to buy less
food."

~~~
MostAwesomeDude
The alternatives are a local password manager (a refrigerator) or a remote
password manager (a guy with a truck who will cart your food around for you.)
You can't take the former with you, and you can't trust the latter.

------
xpaulbettsx
Follow Randall's advice, but take the first letter of each word in your
sentence. You don't even have to come up with a particularly random phrase,
take a song lyric. Doesn't match any common password pattern (i.e.
'someRealWord[digits]'), and it's still very easy to remember.

~~~
epistasis
Your method is vastly different from Randall's method; each word there gets 11
bits of entropy because it's randomly chosen.

In properly formed English sentences, each character only has about 1 to 1.5
bits of entropy, and I'm not certain that taking the first letters of words in
a sentence would have much higher per-character entropy than that, as the
first letters of words are not very randomly distributed.

