
How I Collect Passwords - wglb
http://xato.net/passwords/how-i-collect-passwords
======
chris_wot
I have to say that I loved his other post on the TSA's ridiculous password
policy...

<http://xato.net/passwords/worst-password-policy-ever>

Their policy is:

1. Minimum password length is eight characters.

2. Passwords must contain at least one of each of the following: one
alphabetic uppercase, one alphabetic lowercase, one numeric, and one special
character.

3. Passwords shall not contain any two identical consecutive characters
(example: 22apples, 14588904).

4. Passwords may contain no more than two identical consecutive characters in
any position from the previous password.

5. Passwords shall not contain any dictionary word.

6. Passwords shall not contain any proper noun or the name of any person,
pet, child, or fictional character.

7. Passwords shall not contain any employee serial number, Social Security
number, birth date, phone number, or any information that could be readily
guessed about the creator of the password.

8. Passwords shall not contain any simple pattern of letters or numbers, such
as "qwerty" or "xyz123".

9. Passwords shall not be any word, noun, or name spelled backwards or
appended with a single digit or with a two-digit "year" string, such as
98xyz123.

10. Pass phrases, if used in addition to or instead of passwords, should
follow these same guidelines.

11. Passwords shall not be the same as the User

12. Password length will be selected to provide a level of protection
commensurate to the value or sensitivity of the resources or data it protects,
but not less than eight characters.

You just can't make this stuff up!

~~~
billybob
My favorite bit: "Passwords may contain no more than two identical consecutive
characters in any position _from the previous password_ ".

How would they know that unless they have your previous password in plaintext?

 _Security Fail_

~~~
jsight
That requirement actually isn't as rigorous (or as difficult to implement) as
it sounds. The keyword there is "password" instead of passwords. Based upon
similar systems, I feel comfortable that this is not a typo.

Whenever the user changes a password, the user has to provide a (single)
previous password. This password is hash-checked against the current user
password. Then the password duplication rules are applied.

(Note, none of the above should be construed as an indication that I agree
with this approach to password policy :) )
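
As an added example (not code from the thread, the TSA, or the linked blog), here is a Python checker for rules 1 to 5 of the policy quoted above, with rule 4 applied the way jsight describes: the user supplies one previous password, it is hash-checked against the stored credential, and only then is the new password compared against it position by position. The PBKDF2 storage format, the iteration count, the small constructed dictionary, and the reading of rule 4 as "no run of more than two positions equal to the previous password" are all assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for rule 5's dictionary; a real list would be far larger.
DICTIONARY = {"apple", "password", "horse", "battery", "staple"}
ITERATIONS = 100_000  # assumed PBKDF2 work factor; the thread names no hash scheme

def hash_password(password, salt=b""):
    """Return (salt, digest) using PBKDF2-SHA256 as a stand-in for the real store."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against the stored digest."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)

def longest_positional_overlap(new, old):
    """Longest run of consecutive positions i where new[i] == old[i] (rule 4)."""
    best = run = 0
    for a, b in zip(new, old):
        run = run + 1 if a == b else 0
        best = max(best, run)
    return best

def policy_violations(new, previous=None):
    """Rules 1-5 of the quoted policy; returns the numbers of the rules violated."""
    v = []
    if len(new) < 8:
        v.append(1)
    if not all(re.search(p, new) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")):
        v.append(2)
    if re.search(r"(.)\1", new):           # e.g. the "22" in 22apples
        v.append(3)
    if previous is not None and longest_positional_overlap(new, previous) > 2:
        v.append(4)
    if any(w in new.lower() for w in DICTIONARY):
        v.append(5)
    return v

def change_password(stored, claimed_previous, new):
    """jsight's reading of rule 4: hash-check the single previous password the user
    supplies, and only then compare the new one against it position by position."""
    salt, digest = stored
    if not verify_password(claimed_previous, salt, digest):
        return None                        # rule 4 cannot be applied without a verified previous
    return policy_violations(new, previous=claimed_previous)
```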

~~~
Androsynth
_Whenever the user changes a password, the user has to provide a (single)
previous password._

What about if you forgot your password? (which I feel is the scenario I
usually change a password in) Do they just ignore that rule in that case? If
so, what's the point of having the rule?

~~~
Ideka
The fact that you know your password is what identifies you as the legitimate
owner of your account. If you forget your password, you can't identify
yourself as the legitimate owner of your account and thus, to the eyes of the
system, you aren't. And about the only person who should be able to change the
password of an account is its legitimate owner.

So, to answer your question:

 _Do they just ignore that rule in that case?_

That case should not even happen in the first place.

~~~
chris_wot
That's ridiculous. It is extremely easy to forget your password, that
situation _does_ happen and resetting passwords should be catered for in the
system.

Your premise is basically false. A system administrator should be able to
reset a password.

------
mgkimsal
IMAGE: [http://michaelkimsal.com/blog/wp-content/uploads/2011/06/Scr...](http://michaelkimsal.com/blog/wp-content/uploads/2011/06/Screen-shot-2011-04-06-at-6.34.33-PM.png)

"Passwords should not have more than 9 characters".

This from a financial institution.

~~~
lytfyre
My bank requires 8 to 10 characters, [a-z]|[A-Z]|[0-9] only. They also require
you to know something easily researched from facebook (elementary school,
mother's maiden name, etc.) when you use a new machine.

That they refer to this as two factor authentication makes me question their
ability to do simple addition, something I consider a fairly important skill
for a bank.

~~~
edoloughlin
> They also require you to know something easily researched from facebook
> (elementary school, mother's maiden name, etc.)

I'll never understand why someone would provide this information to Facebook.
My friends already know the details of my life relevant to our relationship.

~~~
shabble
maybe because they're part of a "$foo High School class of '99"
group/page/whatever with some friends, or perhaps both parents and
grandparents are linked as friends, making it pretty easy to figure out
mother's pre-marriage surname?

It's not just the explicit facts you provide, a significant part of the deeper
value is from the linkages between them.

------
thereallurch
Surprised no one has mentioned OpLop for passwords. I keep a list of sites
(containing a site nickname and a password hint). I then wrote a simple
md5base64 perl script which combines the nickname and password (similar to
OpLop... basically md5(nickname+pass)). Script throws the result on to my
clipboard, and I hit paste. Thus, no two sites use the same password. If one
site is compromised (ex: zappos.com), I just need to change that one password.
Script is on my phone, desktop, and cloud drive.

I use multiple passwords, a different one based off the importance of the
site. I was amazed at how many sites impose a 12 character limit
(Fidelity...really?).

~~~
Groxx
My personal favorites are the ones that silently truncate your password. A few
have done this to me, and it used to take a while to realize wtf was wrong
when I couldn't sign in right after creating an account. Now I just start
shortening the password until it works, which 'fixes' a good 99% of just-
signed-up login failures.

------
HorizonXP
<http://xkcd.com/936/>

I personally believe that a great startup idea is a website or app that
operates like KeePass or 1Password or Revelation, and allows you to enter your
passphrase like xkcd suggests, and manages all of your other passwords and
logins for you. I'm guilty of using the same password for a lot of sites, and
I really need to get that in order. Making it easy for regular users to adopt
would be key. It's an idea, I have no idea how you'd execute it.

That said, I'm developing a web-based management interface for my contract
work that is only going to be used by a few key users/stakeholders. I'm trying
to come up with a way to incorporate xkcd passphrases into it, forcing my users
to adopt it. I don't know how well it would go over though. Guess I just have
to try it and see.

~~~
wingspan
Isn't this what <http://lastpass.com> does?

------
dredmorbius
Compiling/sharing a list like this, so that it can be used in password
strength checkers, would be a strong plus.

The best password is one that's never been used before. Rainbow tables and
other methods mean that _any_ known password (and in a list of exhaustively
compiled passwords, finding only 1.3 million distinct values is "small") can
be found very quickly given access to hashes, or tried relatively quickly via
brute-force. Even a series of login attempts to known / common account names
with top-50 (or some n) passwords will generate many hits.

I'd love to see online sites check against known lists. I've suggested it to
several. One problem is coming up with a good "known list".

It would be even more useful for this to be added to standard OS/system
security features.

------
jwallaceparker
I've been using 1Password for the past few months.

It's been incredibly useful. All my passwords are exponentially more secure
and synced across my devices.

Can't recommend it enough.

~~~
SCdF
Additionally, if you want linux support and don't care so much about the web
support that 1Password gives you (your password file is also a website that
uses JS to decrypt your passwords) or the prettiness and would like to save
US$60 KeePassX works perfectly well.

------
rch
> "None of the passwords contain a colon, because that is the delimiter used
> to separate usernames and passwords in the combo lists my scripts generate."

tldr; Put colons in your passwords...

~~~
VikingCoder
> "My scripts only grab usernames and passwords between 3 and 30 characters
> long, all others are thrown out."

tldr; Put colons in your passwords, and make sure your password is 31
characters long.

I bet it would also make sense to include "username:" in your password.

For instance:

username: VikingCoder

password: username:CorrectHorseBatteryStaple

Or how about like this:

username: VikingCoder

password: '); DROP TABLE Passwords;

~~~
chimeracoder
The problem is that you may also erase the entire database of the server
you're trying to log into: <http://xkcd.com/327/>

I guess that's one way of protecting your accounts from being hacked,
though... you can't hack an account that no longer exists!

~~~
VikingCoder
Think about it -

do you really want to use a site... that's vulnerable to SQL injection
attacks?

If my password erases their DB, then I didn't want my password on their DB in
the first place!

~~~
chris_wot
That's assuming they have a database table called "Password". I'd use:

'); DROP DATABASE;

------
normalfaults
It is fascinating how many passwords are available ... I wonder why websites
don't stop one from using these common passwords during account setup?

~~~
patio11
_cough_ $250 in sales from folks who chose "password" in 2011. I suppose I
could tell them "Wait wait, put your credit card back for a second and listen
to a complicated instruction designed to solve a problem you don't have.".
Doesn't seem to be a huge upside, though.

~~~
trin_
and you know that because:

a) you store cleartext passwords
b) you use a static salt and have memorized the hash of the password+your salt
... or c) ???

~~~
patio11
Because even bcrypt doesn't make testing one candidate password against 1,500
users all that hard.

------
JoshMock
+1 for using KeePass, 1Password, etc.

~~~
HorizonXP
I use Revelation on Ubuntu. It hasn't been maintained in quite some time
though, I should pick up the code base and update it.

------
stephengillie
Does anyone else get the "Access Restricted: you're botnet infected" page?

Running virus scan... _sigh_

~~~
m8urn
That is due to the cloudflare service. You can actually leave a note, I do
follow up on those.

Edit: It's a good thing I'm using that too, 108K hits from this in the last
four hours. CloudFlare saved my site from 800k requests and 6GB in bandwidth.

------
zupreme
With our TeddyPass app we are pretty loose on what users can use as their
login password, but we employ pretty robust techniques to prevent brute-force
attacks and other common methods. With our system key user data (like stored
usernames, passwords, and the description of the account entry) is fully
encrypted based on the user's password and other factors. As a result we can't
retrieve their data even if we wanted to, so it's in our best interests to
allow people to use just about any password they can comfortably remember
(within reason).

------
learc83
What if China is using their well known hacker resources to secretly build a
giant list of username password combos like this guy, but on a massive scale.

They could use botnets to log in to hundreds of thousands of bank accounts and
transfer money. There wouldn't be an easy way to detect them because they'd
look like legitimate transactions, and the only option would be to temporarily
shut down online banking transactions.

I wonder how much of a disruption they could cause?

~~~
3pt14159
Targeted strikes, yeah, it can work. Massive downloading of gmail account
passwords, NOPE. It will set off internal alarms. But yeah, to target one
individual, it is indeed possible and they did a string of those when they
cracked the rotating RSA key.

~~~
mkjones
Do you have a reference for people doing an online brute force attack in the
RSA attack? IIRC the only brute forcing they did was offline (i.e. cracking
hashes that they had locally).

Or maybe that's what you were saying, and I'm just misunderstanding you :).

------
K2h
Thank you for sharing the various methods you use to collect the passwords.
That is extremely detailed.

I was curious if you ever considered putting a date stamp on the log for when
you found a particular password. Because you have been collecting for such a
long time, you may see some interesting trending.

~~~
m8urn
I have actually kept most of the original data since I started so I could go
back and do that if I wanted. There is about 4gb of raw data there.

------
pbhjpbhj
Anyone else worried that Athena (<http://www.project2025.com/athena.php>, link
in article is messed up) is actually going to start by installing a keylogger
or uploading password files from ones own computer ...

Paranoid? F'sure!

~~~
m8urn
How do you know I don't already have your password anyway?

~~~
pbhjpbhj
Was that you I saw crouching in my fridge earlier?

------
eli
_occasionally I will spend half a day leeching from these forums_

Man, I'm glad that's not my job

~~~
pavel_lishin
Seems like it would be easily automatable with Greasemonkey, or dotjs.

------
is74
I thought openID would solve the password problem, because it would allow for
each person to remember one password only (which is still better than
password1234). What reasons prevented the widespread adoption of openID? For
example, if I were a startup, I'd want to have openID on my site to make it
easier for users to register, and help them to not forget their passwords. Yet
for some reason there are few sites that support it. Any thoughts?

------
billybob
A sensible password-selection policy really only has two principles:

1. It shouldn't be in a dictionary, so that the only option is brute force
2. It should be very hard to brute force

#1 means "don't use anything in this guy's list."

For #2, the concept of "password haystacks" is useful:

<https://www.grc.com/haystack.htm>

~~~
DanBC
Steve Gibson is not considered an expert:

(<http://radsoft.net/rants/20010714,00.shtml>)

(<http://www.groklaw.net/article.php?story=20060113111825193>)

(<http://attrition.org/errata/charlatan/steve_gibson/>)

etc etc.

~~~
billybob
Is there something specifically wrong with the concept of password haystacks?
I understand it as "force the attacker to search an extremely large potential
keyspace." The tool I linked to simply calculates the keyspace that a given
candidate password is in.

------
mkopinsky
My goto IRC password is hunter2.

------
mjwalshe
So you admit to a number of rather dubious practices both on an openly available
blog and on a forum that has at least one EX NSA employee as a poster.

Anyone else think this is ill advised to say the least - it's just asking for
your phones to work really well "nudge nudge wink" ;-)

~~~
zevyoura
What's dubious? I don't think there are many (any?) people who understand what
he's talking about and would be able to implement it, but wouldn't be able to
figure it out on their own. Of that set, the set of people who are malicious
is even smaller, if not non-existent.

~~~
mjwalshe
"I visit a number of public and private hacking-related forums to get
wordlists and hacked passwords. I often pay for VIP memberships (usually the
lifetime ones) so that I can access premium content areas. "

and when the men with no sense of humor invite you for an interview without
tea and biscuits what would you say to that.

OK, there are grey areas and I have on behalf of a FST100 organization broken
into a system with explicit permission and clearance from a v senior manager and I
also had far better contacts at BT's board level to lobby in case our security
dept threw a hissy fit than most people.

~~~
drucken
There is nothing dubious about collecting information if you do it legally.

Further, it is what you do with it not the potential that would get you into
legal trouble, otherwise Google, Facebook and every other company would be
under legal uncertainty.

Indeed, your hacking actions were far more risky without prior consent from
_all_ parties involved.

~~~
mkopinsky
Just ask Google what the consequences are of collecting payload data traveling
over the open air via their Street View cars.

Collecting data is not always legal, even if you don't do anything with it.

~~~
m8urn
The difference is that all of these passwords are public knowledge and already
published in some form. My compiling these passwords into a single list is
different from gathering them directly from the source!

