

The Usability of Passwords - csomar
http://www.baekdal.com/articles/Usability/password-security-usability/

======
russell
Well written and accessible; your mother would understand it. The best
passwords, for usability and safety, are three-word phrases. Easy to remember and
easy to type. To accommodate the rules at my clients, I use
<Capitalized-word><punctuation><word>.

I worked with a password fanatic who used a generator to create 8-12 random
character passwords, which he stored in his PDA, because he couldn't remember
them. I don't think his method was more secure than mine. I didn't have to
write mine down.

~~~
patio11
I read an article from Microsoft advocating passphrases in 2004, and was taken
with his rationale. I've been using them since then on everything except low-
security accounts.

I now have much more diversity in the hundred or so passwords I actually use
than I used to, and worry much less about forgetting them.

(P.S. Without loss of generality, pretend that for whatever reason I was
reminded of Gummy Bears when signing up for my Gmail account. (An American TV
show from back in the day.) I take a snippet of one line from their theme song,
"dashinganddaring", which works fine as a password, optionally substituting a
& for the "and" and with arbitrary capitalization. I'm highly unlikely to
forget the password because, well, I've had perfect recall of that theme song
for twenty years now.)

I don't actually use cartoon theme songs, but everybody should have some
source of highly entropic data that is evocative and meaningful to them.
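
The thread above weighs three-word phrases against 8-12 random characters without putting numbers on either. The following is an added worked comparison (not part of the original article or any comment): it computes the entropy of a secret chosen uniformly at random from each scheme and the worst-case exhaustive-search time at an assumed guess rate. The pool sizes (95 printable ASCII characters, a 7776-word diceware list, a 100,000-word dictionary) and the 1e10 guesses-per-second rate are assumptions chosen for illustration.

```python
import math

# Constructed schemes for comparison: (pool size, number of independent picks).
# Pool sizes are assumptions, not figures from the article.
SCHEMES = {
    "8 random printable ASCII characters": (95, 8),
    "3 words from a 7776-word diceware list": (7776, 3),
    "4 words from a 7776-word diceware list": (7776, 4),
    "3 words from a 100,000-word dictionary": (100_000, 3),
}


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random choices from `pool_size` symbols."""
    return picks * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every value of a `bits`-bit secret at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Entropy and exhaustive-search time for each scheme.

    1e10 guesses/s is an assumed offline rate against a fast, unsalted hash;
    an online login form with rate limiting is many orders of magnitude slower.
    """
    return {
        name: (round(entropy_bits(pool, n), 1),
               years_to_exhaust(entropy_bits(pool, n), guesses_per_second))
        for name, (pool, n) in SCHEMES.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:42s} {bits:5.1f} bits  {years:10.3g} years at 1e10 guesses/s")
```

The numbers only hold when every word or character is picked uniformly at random. A phrase lifted from a source the attacker can enumerate (a song lyric, a book title) has roughly the entropy of "how many such snippets exist", not 16 times log2(26), so the memorability trick in the comment above trades entropy for recall unless the source is genuinely private.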

------
makecheck
Very well done article. One of the best sum-up points: "A usable and secure
password is then not a complex one. It is one that you can remember - a simple
password using 3+ words." I've used that sometimes, and it works well; though
I also happen to be someone who can memorize random strings of punctuation and
gibberish, which I prefer. :)

------
DanielStraight
I have an encrypted file of my passwords, encrypted with a password of over a
dozen characters, containing uppercase and lowercase letters, as well as
numbers. It has no meaning whatsoever, and I have no trouble remembering it.
The author thinks no one can remember SIX random characters?? How many phone
numbers do you know? Zip codes? Addresses? URLs? Email addresses? Really, I
think ANYONE can remember 6 random characters, especially if they type them
all the time.

------
asb
Does anyone have a good algorithm for using a password template/seed for
different sites? Choosing a template, say 5_h_7_s_9_j, and replacing the _
with characters from the site's name works (and you could increment the
characters or whatever), but if anyone gets two of your passwords it's pretty
obvious there's a pattern and it's not particularly hard to work out the
relationship between the site name and the password.

~~~
niyazpk
Still, this is better than having the same password for every website, where
the pattern is infinitely obvious!
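
asb's template scheme and niyazpk's reply describe a weakness and a fallback but do not show either. The block below is an added example (not code from either commenter): it fills asb's template 5_h_7_s_9_j from the site name, shows what an attacker holding two such passwords recovers by simply aligning them, and then shows the usual fix, deriving each site's password with a keyed hash of the site name under a master secret. The HMAC-SHA256 construction, the counter, and the 16-character truncation are assumptions for illustration, not the algorithm of any named tool.

```python
import base64
import hashlib
import hmac
import itertools

# asb's example template: each '_' is filled from the site name.
TEMPLATE = "5_h_7_s_9_j"


def template_password(site: str) -> str:
    """The naive scheme: fill the template's blanks with successive site-name
    characters, cycling if the name is shorter than the number of blanks."""
    fill = itertools.cycle(site.lower())
    return "".join(next(fill) if c == "_" else c for c in TEMPLATE)


def shared_structure(pw1: str, pw2: str) -> str:
    """What an attacker holding two template passwords sees: positions that agree
    are the fixed template, positions that differ ('_') carry the per-site part."""
    return "".join(a if a == b else "_" for a, b in zip(pw1, pw2))


def derived_password(master: bytes, site: str, counter: int = 0, length: int = 16) -> str:
    """Keyed alternative (an assumed construction, not any particular tool's):
    HMAC-SHA256 over the normalized site name and a rotation counter, base64-encoded
    and truncated. Two outputs share no alignable structure, and neither the master
    secret nor the site name can be recovered from an output."""
    message = f"{site.lower()}:{counter}".encode()
    digest = hmac.new(master, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    a, g = template_password("amazon"), template_password("github")
    print("template passwords:", a, g)
    print("attacker recovers: ", shared_structure(a, g))   # the template itself
    master = b"three or more random words as the master secret"
    print("derived:", derived_password(master, "amazon.com"),
          derived_password(master, "github.com"))
```

Two caveats a practitioner should keep in mind. The master secret is now the single point of failure, so it needs the strength the article argues for (several random words) and must never be typed into a site. And because the derivation is deterministic, changing one site's password after a breach means bumping that site's counter, which you must then remember or record; the base64 output may also fail a site's "must contain a symbol" rule, which is the usual reason such tools post-process their output.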

------
asmosoinio
Seems to me the current "standard" password scheme of about 6-10 random
characters comes from the old Unix limit of 8 characters. But this should
pretty much be history today, right?

And yet I am still doing this myself all the time... Next time I need a good
password I'm gonna go with a three-word phrase instead.

------
DenisM
Thanks for posting this. My project is a password manager and my users will
certainly appreciate this article.

------
mariana
just use <http://supergenpass.com/>

------
TweedHeads
Here is an idea:

- 256-random-character passwords stored in a Bluetooth keyring.

How it works:

pre-session:

- every user registers two passwords, short and long.

session:

- app asks for password

- user does nothing, computer recognizes keyring

- computer sends 256pw to app

- app accepts two kinds of pw, short and long

- if pw.length > 200 treat as keyring pass

post-session:

- if user loses keyring, he can deactivate his 256pw

- user can change 256pw at will, just buy a new keyring, update password on
app.

That's how I see it, and that's how I would like to do it.

Keyrings can be anything, just a chip and bluetooth, can be carried or placed
on a desk, can have buttons to press to send the signals, can be locked, can
have many shapes and colors, etc.

The secret is not the keyring, I know there are plenty out there, the secret
is in allowing apps to accept two kinds of password: short, user generated, or
long, device generated, so convenience is on the user's side.

And when machines fail, there is always old-password at hand.
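
The post above sketches the app-side rule (accept two credentials, dispatch on length, allow the long one to be deactivated or replaced) without showing how an app would store and check them. The block below is an added example of that verifier, not code from the commenter: it generates a 256-character device secret, stores salted scrypt hashes of both credentials, and dispatches on the post's length-200 threshold. The scrypt parameters, the alphabet, and the class layout are assumptions; the Bluetooth transport is not modelled.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

KEYRING_THRESHOLD = 200   # the post's rule: longer than this means "keyring password"
KEYRING_LENGTH = 256
SCRYPT = dict(n=2**14, r=8, p=1)   # assumed work factor; tune for your server


def make_keyring_secret(length: int = KEYRING_LENGTH) -> str:
    """Device side: a random password from a printable alphabet (alphabet is an
    assumption; anything the app's password field accepts would do)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _hash(password: str) -> tuple[bytes, bytes]:
    """Fresh random salt plus scrypt digest; the pair is what gets stored."""
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def _check(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, digest = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class Account:
    """App side: holds hashes of both credentials and dispatches on length."""

    def __init__(self, short_password: str, keyring_password: str):
        # Enforce the threshold at registration so a credential is never
        # checked against the wrong record later.
        if len(short_password) > KEYRING_THRESHOLD:
            raise ValueError("short password would be mistaken for a keyring password")
        if len(keyring_password) <= KEYRING_THRESHOLD:
            raise ValueError("keyring password too short to be dispatched as one")
        self._short = _hash(short_password)
        self._keyring: Optional[tuple[bytes, bytes]] = _hash(keyring_password)

    def verify(self, candidate: str) -> bool:
        if len(candidate) > KEYRING_THRESHOLD:
            # No fallback to the short record: a long guess is only ever compared
            # with the keyring credential, and a deactivated keyring fails closed.
            return self._keyring is not None and _check(candidate, self._keyring)
        return _check(candidate, self._short)

    def deactivate_keyring(self) -> None:
        """Lost keyring: the long credential stops working; the short one still does."""
        self._keyring = None

    def replace_keyring(self, new_keyring_password: str) -> None:
        """New keyring bought: store its password, which invalidates the old one."""
        if len(new_keyring_password) <= KEYRING_THRESHOLD:
            raise ValueError("keyring password too short to be dispatched as one")
        self._keyring = _hash(new_keyring_password)


if __name__ == "__main__":
    device_secret = make_keyring_secret()
    acct = Account("correct horse battery", device_secret)
    print("keyring login:", acct.verify(device_secret))
    acct.deactivate_keyring()
    print("after deactivation:", acct.verify(device_secret), "short still works:",
          acct.verify("correct horse battery"))
```

One consequence of the design that the post itself states ("there is always old-password at hand") is worth making explicit: because the short password stays valid, the account is exactly as strong as that short password. The keyring buys convenience, not extra security, so the short path still needs rate limiting and the same hashing care as any password-only login.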

