Password 'Science'

Should we also ask if and how this is important?
Looking over one’s shoulder used to be important. It still is if there are cameras around.

Is there any reliable data on how most users are compromised, and separately examples where the gains have justified more sophisticated strategies for gaining access? I suspect human nature factors heavily in some examples. Others may be down to the ever present vulnerabilities (unintended or deliberate) in so many of the systems we use.

I think there are two main forms of compromise:

Phishing

  1. "Hi George, I’m your bank manager, Jehosophat. There is a problem with your account, it appears that you have transferred a significant amount of money overseas. I need you to confirm your account details please before I can discuss the details."
  2. "Hi bank person. My name is George, and I have lost my online password. If I confirm my account details can you please reset my password?"

Data leaks

Bad person gets access to bank website, downloads a copy of the user names and passwords database.

  1. Hopefully the user details and passwords are adequately hashed and encrypted.
  2. If not hashed, bad person can easily identify users of common passwords as they will all result in the same encryption string (e.g. 123456 might be encrypted to 5Fb70n23l599qR every time it is used). This makes a dictionary attack easy.
  3. A lot of these files are eventually published online, effectively crowd-sourcing the hacking.

Phishing is the more common of these, but data leaks affect more people. Subscribe to haveibeenpwned.com if you want to know when your email address shows up in a published database.
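Added example, not part of any post in this thread: a short Python sketch of the point made above about a leaked table in which every user of a common password ends up with the same stored string. It stores three constructed accounts once as a bare SHA-256 digest and once with a random per-user salt and PBKDF2; the account names, passwords and iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts: two users picked the same common password.
USERS = {"alice": "123456", "bob": "123456", "carol": "plum-Tractor-91"}
ITERATIONS = 200_000  # assumed work factor for this demo; tune for your hardware


def unsalted_record(password: str) -> str:
    """Weak storage: a bare, fast hash. Same password -> same stored string."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str) -> str:
    """Stronger storage: random per-user salt plus a slow KDF (PBKDF2)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_groups(table: dict) -> list:
    """What a leaked table reveals: users whose stored values are identical."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


unsalted = {u: unsalted_record(p) for u, p in USERS.items()}
salted = {u: salted_record(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("unsalted duplicates:", shared_password_groups(unsalted))
    print("salted duplicates:  ", shared_password_groups(salted))
    print("alice verifies:     ", verify("123456", salted["alice"]))
```

With the salt in place the two identical passwords no longer share a stored value, yet each still verifies against its own record.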

It is good to see some advice understandable to an older everyday user with limited computer knowledge. The average computer user just needs simple advice on choosing effective PWs that can be remembered. Presumably, including a couple of words from a couple of different languages might be effective too, or misspelling one or two words. Mark’s P.S. also makes sense.

The best advice is to not use the same password or phrase for all your logins.
If one site gets compromised, and the password exposed, then hackers could have a field day, especially if you had accounts with sites that stupidly used your email address as the userid.
Like Choice.

1 Like

That makes sense, although it would seem to double the number of things to remember if using different userids.

Fair enough. So lots of sites may use a common userid, like your email address.

It is very easy to have individual passwords and remember them.
Consider a password to be two parts concatenated.

The first part is your stem password that meets the usual rules of at least one uppercase, at least one numeric, at least one special character, blah blah.

The second part is something specific to the login environment, that is clearly displayed.
In this world of Internet and WWW, that would be the unique URL.

So you could have your own scheme of taking some part of the leftmost level of the URL, say first and last characters, and append that to your stem password.

Many thanks for your advice. It is all very helpful.

1 Like

This.

If a person must use a phrase made up of dictionary words then at least one of the words should be made up, foreign, misspelled or otherwise not occurring in the attacker’s choice of dictionary.

I would also say that if a person must use such a passphrase then it should be left to a program to choose the passphrase because humans are rather poor at choosing genuinely random anything.

L33t speak is too common a substitution. Yes, it will increase the search space, but it lacks subtlety. It is covered by off-the-shelf password breakage software.

They don’t - any more than they know with certainty the length of a password. However the average user is lazy. The password or passphrase is usually not much longer than the site’s minimum requirement. It may be a little bit longer when using a passphrase since you want to finish the word.

I would just like to comment on the claim that

Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

We are not supposed to be remembering passwords. They are supposed to be random and meaningless and unique and unable to be remembered - and stored in a password manager.

OK, you wouldn’t do that for your login password to the computer or the password for the password manager (that would be chicken and egg) but you can do that for all the various different web sites etc. that you need to log in to.

To add to that …

using the Linux defaults of SHA512 and 5000 rounds for password hashing, a second hand GPU that was expensive, new, at launch 10 years ago but today could be picked up for under $100, you would manage about 10,000 passwords per second.

You can apply Moore’s Law to update that for today. Maybe 20x to 40x.

That’s one person with one GPU.

It is important to look at the cost of purchasing and running GPUs because, if the motivation is outright crime, there has to be a financial payoff. No point buying $10,000 worth of high end GPUs to break into an account with just $150 in it.

If the party who is targeting your password is a government, you can assume that they can afford thousands of GPUs - and the payoff is not measured solely in dollars.

Another consideration is that a password that has not been changed for a long time or that is on an embedded device that is of some vintage may not even be using the best general hash function.

For example, older Cisco equipment used MD5 for password hashing and MD5 is an order of magnitude faster to brute force.

Likewise, even just changing your password to the same string again (if that is allowed by your system) can have the effect of strengthening it. While 5000 rounds is the Linux default, the man page notes that this value is too low to defend against modern hardware, so you can assume that over time the default will increase, and then setting your password again will pick up the new default number of rounds i.e. more rounds.

Certainly a fair question … I guess to avoid a DoS attack on the account. I would find it hard to think that anyone would use option 2 these days as the trade-offs don’t work very well.

Which is still a DoS - just not as bad. It may be a minor inconvenience. It may be seriously annoying. It may be dire e.g. you left paying an important bill until the last moment.

Quite right. Seems that almost every high end GPU that foundries can churn out these days is going into cars for fancy AI safety features of dubious value, or into electricity guzzling computer farms trying to solve for hash values to earn Bitcoins.

2 Likes
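Added example, not part of any post in this thread: the post above notes that a long-unchanged password may still sit under an older hash (MD5 on older equipment) or under the Linux SHA-512 default of 5000 rounds. This Python sketch reads the scheme and round count from crypt-style hash prefixes in shadow-format lines and flags such entries; the sample lines, placeholder hash bodies and the `MIN_ROUNDS` policy value are constructed assumptions.

```python
import re

DEFAULT_SHA_ROUNDS = 5000  # sha256crypt/sha512crypt value when no rounds= field
MIN_ROUNDS = 100_000       # assumed local policy threshold, not a standard
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
PREFIX = re.compile(r"^\$([0-9a-z]+)\$(?:rounds=(\d+)\$)?")

# Constructed shadow-style lines; salts and hash bodies are placeholders.
SAMPLE = """\
router:$1$SALTSALT$PLACEHOLDERHASH:19000:0:99999:7:::
olduser:$6$SALTSALT$PLACEHOLDERHASH:15000:0:99999:7:::
newuser:$6$rounds=656000$SALTSALT$PLACEHOLDERHASH:19800:0:99999:7:::
svc:!:19000:0:99999:7:::
"""


def audit_entry(line):
    """Return (user, scheme, rounds, finding) for one shadow-style line."""
    user, field = line.split(":")[:2]
    m = PREFIX.match(field)
    if not m:
        return user, None, None, "no password hash (locked or empty)"
    scheme = SCHEMES.get(m.group(1), "unknown")
    if scheme == "md5crypt":
        return user, scheme, None, "MD5-based: set a new password under a modern scheme"
    if scheme in ("sha256crypt", "sha512crypt"):
        # No rounds= field means the hash was made with the 5000-round default.
        rounds = int(m.group(2)) if m.group(2) else DEFAULT_SHA_ROUNDS
        if rounds < MIN_ROUNDS:
            # Rehashing only helps once the system's configured rounds are higher.
            return user, scheme, rounds, "low rounds: set the password again to rehash"
        return user, scheme, rounds, "ok"
    return user, scheme, None, "not assessed by this sketch"


def audit(text):
    """Audit every non-empty line of a shadow-format text."""
    return [audit_entry(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```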

A valid issue to raise but …

  • The software that this forum uses (Discourse) most definitely allows you to identify your forum users with a username rather than an email address.
  • Even when logging in to this forum, you will notice that the user interface invites you to use your username rather than your email address.

To be honest, I am not familiar enough with administration of Discourse to know what’s going on there but it has been bugging me for a while - mostly because my email address is rather longer than a typical username would be but also because of the obvious security issue.

So perhaps someone should be badgering Choice about this. Is it a choice by Choice? Is it a choice by the forum user?

1 Like

Well when I login to the Choice website, as distinct from the Choice Community, it clearly wants my email as the login id.

Ditto.

Science research 101.
I do have a Choice Username in my records, but note that at some point in time it seemed not to work. However my email does! It may date from when ‘Voice your Choice’ first evolved?

Yes, I am only talking about this forum.

I hear way too much d measuring and creative chest pounding

Reality bytes

User : your family
Busy busy lives
Has an email account
A mobile phone
hundreds of websites

Accounts can be stolen from you (password manager or imitate your logical selection to guess)

The business password manager (the database hack)

Or the transfer from you to the business (man in middle or spoofing)

Whether the password access the business gives is in 4 digits or a million it will potentially be breached.

Multifactor has been common for decades in businesses for critical decisions. Multiple financial signatories, multi-person simultaneous key safes, time delayed locks. And for good reason: it works and does not apply excessive overload on the users.

This is all forgetting the fact we still need to operate our lives every day.
I don’t want to and simply cannot remember 100s of passwords and still change them all,
historically same password with what can be called a salt that I can quickly identify as unique to the location.
Coles
Password : myColPasswordles
Woolworths
Password : yWolPasswordths

These days, yes, I use a password manager with more complex passwords, but we must remember brute force decryption and reverse engineering of keys is a pathetic excuse to dump increasingly stupendous password expectations

Guessing your password on your logical behavior is still the most common breach: birthdays, family names, places, and simply fill at the end @1#2 or l33t.

In the end despite all the discussion of password leaks down by I been pwned.
In cases where complexity matters, it takes time from the theft to access your account; as such you should have already changed it to something equally memorable anyway.
In cases where hands on your password is had, multifactor is the key.

Be proactive and change the password periodically.

I found this to be an interesting overview of many issues in dealing with passwords and the current thinking. You can drill down into the detail.
https://www.auditboard.com/blog/nist-password-guidelines/#:~:text=NIST%20has%20a%20few%20recommendations,require%20users%20to%20select%20special

1 Like

I see that NIST recommends allowing Unicode characters. This is a bit of a problem, given that there are over 144,000 Unicode characters and the number keeps growing.

The reason Unicode is a problem is that many characters are indistinguishable to the person reading them. Unicode is used in Internet URLs, so it is possible to click on a link to facething where the letter i is replaced by a character that appears the same but is actually different and takes you to a different (possibly phishing) website. Unicode is also used in programming, so it is possible for a skilled programmer to read a computer program and think it says one thing while the clever original programmer has actually used a homoglyph to make it mean something entirely different (and presumably nefarious).

In the context of passwords, it is possible for a user to read a Unicode password from their password manager on one device and attempt to physically enter it on another device only to fail because one or more characters is a homoglyph.

NIST advice about length vs. complexity is fine in the absence of a password manager. If you have a password manager, then you get additional entropy through length and randomness - and NIST recommends using a password manager.

I do not understand why NIST recommends a maximum password length of 64 characters. If your back end can take it, website owners should not set a maximum password length. In the real world, of course, most databases cannot handle ridiculously long passwords and so maybe set a limit of - say - 1,024 characters. Either is better than some websites I have encountered that have a maximum length of 8 characters and don’t like special characters.

1 Like

The Apple 2E OS would allow unprintable un-displayable characters, eg Ctrl-q, in file names. Very amusing.

Also a problem in ASCII. Or is that ASCll?

In lower case the first is ascii. The second is ascll.

If you don’t allow Unicode, then you either lock many languages out of systems, or you have to deal with possibly hundreds of codepage variations in ASCII. Which I have had to deal with in data communications between various operating systems, and regional settings with computers around the world.

As for maximum of 64 characters for a password or passphrase. Anything more is just going to be ignored. The characters form a string of bits and the maximum key length used today or proposed is 512 bits for symmetric encryption algorithms.