Networking

Steven J. Vaughan-Nichols

Cartoon makes better password point than many security experts

By Steven J. Vaughan-Nichols | August 12, 2011, 3:27pm PDT

Summary: Sick of passwords you can’t remember? Not sure you trust password managers? A cartoon has some good advice for you.

I’ve been using cryptic passwords since I cut my computing teeth on an IBM 370. I never liked using passwords like xkcd1234EMC2 though. They may have been more “secure,” but they were hellish to remember. I still use them today, but the brilliant Internet cartoon xkcd by Randall Munroe has just shown me that I, and many security experts, have been idiots for years. Read the cartoon below and you’ll see what I mean.

[Image: Password Strength cartoon by Randall Munroe (xkcd)]

ARGH!

Munroe’s perfectly correct. If you use a random nonsense phrase as a ‘password’, you will be able to recall it without fear and trembling, and you will be safer from casual crackers. Of course, if you write your password phrases down on sticky notes stuck to your monitor, you’re still beyond help. But, hey, so long as you avoid phrases such as “This is my password,” you should be fine.

Of course, even with this method, you still have the problem of having dozens of Web sites that require passwords. You could use a single password phrase for all of them, but considering how quickly sites are being cracked for their passwords these days, having one password or pass phrase for all your sites is just asking to be cracked.

No, while using a pass phrase makes excellent sense, and I feel like an idiot for never realizing it on my own, you’re probably still going to need a password manager.

If you feel better keeping your passwords safe and sound on your own PCs, I recommend RoboForm or IronKey Personal. If you want a password manager as part of a security suite, I recommend Norton Internet Security 2011 or Kaspersky Password Manager.

If you don’t mind having your passwords out on the Web, I like LastPass. I can, and do, use this program on any and all platforms. And, since I use pretty much every operating system and platform out there, that’s a good thing.

As you may recall, LastPass had some trouble recently, but the problem wasn’t with them losing passwords; it was with them being too paranoid about a possible attack. The end result was that the LastPass service was knocked off the Web for a short time.

For what it’s worth, I trust LastPass. In the end, though, which password manager you trust is a call only you can make. All I know now is that you’ll be a lot smarter if you use a four-word password phrase than a dozen letters of gibberish for your password. Thanks, Munroe.
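To make the cartoon's comparison concrete, here is an added example (my own code, not from the article or from xkcd) that models the entropy of a four-word passphrase against a "word plus substitutions" password and a string of gibberish. The 2048-word list size, the 1000 guesses per second rate and the bit budget for the substituted word are modelling assumptions, not figures stated on this page.

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed stand-in for a real word list (a Diceware list has 7776 words,
# the cartoon assumes about 2048); only used by generate_passphrase().
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "river", "lamp", "quiet", "orbit"]


def uniform_choice_bits(alphabet_size, length):
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(num_words, wordlist_size=2048):
    """Four words from a 2048-word list: 4 * 11 = 44 bits."""
    return uniform_choice_bits(wordlist_size, num_words)


def substituted_word_bits(base_word=16, caps=1, substitutions=3,
                          digit=3, symbol=4, order=1):
    """Model for a 'Tr0ub4dor&3'-style password (assumed component budget).

    Most characters are dictated by the base word, so the attacker's choices
    are the word, its capitalisation, which leet substitutions were made, the
    appended digit and symbol and their order, not 11 free characters.
    """
    return base_word + caps + substitutions + digit + symbol + order


def crack_time_years(bits, guesses_per_second=1000.0):
    """Time to exhaust the whole keyspace at an (assumed) online guessing rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(num_words=4, words=SAMPLE_WORDS, sep=" "):
    """Pick words with the CSPRNG; strength depends on len(words), not on the words."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def compare(guesses_per_second=1000.0):
    """Return {label: (bits, years)} for the password styles discussed above."""
    styles = {
        "four random words (2048-word list)": passphrase_bits(4),
        "word + substitutions (Tr0ub4dor&3 style)": substituted_word_bits(),
        "12 random lowercase letters": uniform_choice_bits(26, 12),
        "12 random printable ASCII chars": uniform_choice_bits(95, 12),
    }
    return {label: (bits, crack_time_years(bits, guesses_per_second))
            for label, bits in styles.items()}


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:42s} {bits:5.1f} bits  ~{years:,.2f} years at 1000 guesses/s")
    # SAMPLE_WORDS has only 8 entries, so this phrase carries just 4 * 3 = 12 bits.
    print("example phrase:", generate_passphrase())
```

The four-word phrase comes out at roughly 550 years of guessing, the substituted word at about three days, which is the cartoon's point; twelve truly random printable characters beat both, but nobody remembers them.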


Disclosure

Steven J. Vaughan-Nichols

Steven J. Vaughan-Nichols is a freelance writer. He does not own stocks or other investments in any technology company.

Biography

Steven J. Vaughan-Nichols

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting edge, PC operating system; 300bps was a fast Internet connection; WordStar was the state of the art word processor; and we liked it.

His work has been published in everything from highly technical publications (IEEE Computer, ACM NetWorker, Byte) to business publications (eWEEK, InformationWeek, ZDNet) to popular technology (Computer Shopper, PC Magazine, PC World) to the mainstream press (Washington Post, San Francisco Chronicle, BusinessWeek).

44 Comments

There is a better way
Password King 22nd Mar
"The 5th Dimension Password Keeper" solves this problem.
1. You don't have to remember the password itself.
2. You use a complex password.
3. You use a different password for each account.
4. The password is NOT in your computer where it is subject to hacking.
5. It is easy. Even an engineer can do it. (um, that's a joke)
6. It is just as secure offline as it is online. Even if the book is lost or stolen, the passwords are safe.
Look for it on Amazon or at Barnes & Noble. Or below is a link:
http://www.amazon.com/5th-Dimension-Password-Keeper/dp/146991882X
The cartoon mimics a very long post on exactly the same subject by Baekdal: http://www.baekdal.com/tips/the-usability-of-passwords-faq. What's missing is that you'd better put white space or hyphens, etc. between the words...
@runbei Agreed, although I heard it from Steve Gibson's Security Now podcast a few months back.

As you say, putting a few non-standard symbols between the words (or appending a bunch of the same symbol at the end) will increase the entropy greatly.

AsD12Sw2311skddeeds232S (@1000/sec = 54.26 thousand trillion trillion centuries)

is less secure than

Dog1.................. (@1000/sec = 10.40 million trillion trillion centuries)

If the password is being dictionary attacked.

I've been using random words concatenated with various symbols for about 15 years now. They are easier to remember, usually with a few digits thrown in for good measure.
@wright_is

I was about to post the same thing. I also listened to that podcast and I use his online haystack calculator to show customers how insecure their passwords are.
@runbei
I have been using the mnemonic system for years. My school friend and I had a sentence which we used often; it contains seven words, from which I extracted one letter each. I use a numeral where it fits, and start the password with a capital as good English demands. I say the sentence to myself as I type the appropriate letters. It is very solid. Something like "The journey of a thousand miles begins with 1 step." could become "TjoaMmbw1s." (ignore the quotes; the capital M = 1000). For my Android phone as a hot spot I use the whole sentence entirely. No one will be able to crack it while you are waiting for the plane.

I now work in customer service for a large Australian Telco, and I advise the password-challenged (a majority) to follow my example. Their sense of relief is palpable.

The advantage of a motto is that one can have it framed on their office wall and no-one would pick it as a memory aid.
Better Yet...
Confident Technologies 12th Aug
The reason that the person is able to remember the phrase better than an arbitrary string of letters, numbers and symbols is because they created a mental image to go with the phrase. The root of the problem is that our human brains are evolved to better remember IMAGES than words, letters and numbers.

So, instead of trying to come up with a mental image to help you remember a series of words... let's ditch the use of text altogether. A better solution is to simply use images instead of passwords. This picture-based approach uses people's ability to recognize images that fit their secret categories, and it generates its own one-time password for each login: http://www.confidenttechnologies.com/products/confident-imageshield
@sneeds

While you may find that great in theory, I found it irritating when my bank changed to an image-based system. Instead of a simple string, I now had to recognize images in the correct order. Sure, I may be able to remember the images, but the correct order? In practice, I found it much harder, as did a lot of other clients. They don't use it anymore.

The real solution to passwords is to have the computer recognize you rather than you having to remember meaningless passwords.
@sneeds I'm not certain that's necessarily true. Some people find images easier, some people find sounds easier. I don't think it's a scientific fact that one is easier than the other, and it seems very much subjective - I do believe that the human brain is not always the same from person to person.

I'm a very visual person, but I know people who aren't. So IMO this does in fact vary, and I'd be wary of a technology that claims one over the other.

Indeed, what if the person is blind?
@CobraA1
Braille monitor?
@CobraA1 You have correctly identified some fundamental flaws in the idea, flaws that Nichols just didn't even notice.

The first I noticed is that not ALL of us have memories that work in exactly the same way. I have NEVER found it easy to memorize random phrases/lists/what-have-you by constructing such mental images. For some lists, it is hard to come up with the image in the first place; with others, it is hard to remember what the things in the image really stood for and in what order.

Why, even in the xkcd cartoon example, if I didn't know already that that was supposed to be a "battery staple", I would have no idea that is what is in the image.

As for the problem of multiple passwords on multiple sites/applications, the trick I learned is to use the pseudo-random passphrase to remember a prefix or infix, and then come up with your own simple rule for adding on suffix or circumfix. One suggestion was to use the month and year the password is being changed/set.

Of course, the weakness with this scheme is that once a cracker cracks one system, he can then guess what to try on your others. But you can defeat this by not always using the three-letter abbreviation for the month, but sometimes the number, either in Hindu-Arabic or Roman numerals. Or by sometimes using it as a suffix, sometimes as a prefix. Or by having a small number of prefixes to choose from.

But with any of these schemes, you who set the password need make only a few guesses, while an attacker would have to make many more, and that without the help of using a program to generate the options.
That's a really good idea. But if we must have passwords we enter, please consider...

...if you use some kind of broken keyboard pattern, the pattern is far easier to remember than four words and much more difficult to crack. And it depends on your keyboard. Have a split keyboard? You have different patterns than on a standard keyboard. So feel free to type in *mju7bgt5MJU&BGT%l. Try cracking it. I bet you can't. Try typing it. I bet you can type and remember it. Dag, I just provided a superior way to create a password.
This is a great article. Security isn't my field but the article and comic make a great point. I have a list of substituted-character passwords for some of the admin accounts and it's worthless to try to remember them. Using random words might just be easier. The only drawback I see is that the more characters you have, the greater the chance of a typo, which will lead to an account lockout. But still, I might try it on an account just to try it. I'm curious now as to how many people are going to change their password to "correcthorsebatterystaple".
"but considering how quickly sites are being cracked for their passwords these days, having one password or pass phrase for all your sites is just asking to be cracked."

A good website will NOT store your passwords. Instead, they'll be using a cryptographic hash of them. Properly "salted," and the hash would be worthless to try to use at other websites.

That being said, there's no enforcement of such a policy.

I use LastPass and KeePass for password management. LastPass is okay for websites, but KeePass works better for offline use.
@CobraA1 You make a good point, but I think you miss his. He never SAID the website would STORE your password. But once an attacker cracks one, even though he doesn't get your other passwords, he now knows at least that one password, and can use it to guess your others. So if he also knows where else you use passwords, you are vulnerable.
@mejohnsn
CobraA1's point is that when one site that you do business with gets cracked, if they follow good security practices (a big if), then passwords are one thing they shouldn't be able to obtain because they are stored encrypted. Of course some well known break-ins reveal that some sites at least don't encrypt passwords as they should.
@CobraA1 As you observe, there is no enforcement of such a policy. This is a major problem. What we really need is an independent agency auditing these companies to make sure they follow good security practices.

But who would do such an audit? The best agency I can think of to do this is still not a very good match: NIST. I would prefer an independent industry consortium, but I don't see one about to spring up.
It depends on the implementation. As far as I'm aware, most versions of Windows do not properly "salt" the password hash functions used to encrypt them. This leads to an attack method called a "rainbow table." On most Linuxes the password hashes are properly salted, so this type of attack is not feasible. I'm unsure if Windows 7 salts its hashes or not. Now, try to explain that to someone who knows little about computers..

http://en.wikipedia.org/wiki/Rainbow_table
@BP314 Windows Vista and Windows 7 disable the weak security methods by default, and use Kerberos.
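The thread above turns on why a leaked password store is only useful to an attacker when the site skipped salting. This added example (my own code, not from any commenter) shows the difference on constructed data: a precomputed hash-to-password table, of which a rainbow table is the space-efficient form, recovers an unsalted SHA-256 hash immediately, while a per-user random salt plus a slow KDF (PBKDF2 here; the iteration count is an assumed value) makes that table worthless. The word list and the "toor" password are constructed samples.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for an attacker's precomputed table. It is built once
# and reused against every site that stores a plain, unsalted hash.
COMMON_WORDS = ["password", "toor", "letmein", "correcthorsebatterystaple"]
ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune to your hardware


def unsalted_hash(password: str) -> str:
    """What a careless site stores: the same password always yields the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> password once; every unsalted leak can be checked against it."""
    return {unsalted_hash(w): w for w in words}


def lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the password behind a leaked unsalted hash, or None if it is not tabled."""
    return table.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt + slow KDF: the precomputed table no longer applies,
    and two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    leaked = unsalted_hash("toor")
    print("unsalted leak recovers:", lookup(leaked, table))    # toor
    salt, digest = store_salted("toor")
    print("salted digest in table:", digest.hex() in table)   # False
    print("login check:", verify_salted("toor", salt, digest))  # True
```

The salted store still falls to a per-user guessing run if the password itself is weak; the salt only removes the attacker's ability to precompute, and the iteration count is what makes each guess expensive.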
goo goo ga joob
Robert Hahn Updated - 14th Aug
I was forced by my bank to change my password recently, and I thought of one that Compuserve issued me when I first signed up with them in 1980. I used that password for 15 years, so it is burned into my brain. Curiously, it is much like the cartoon's ideal password: random ordinary words separated by punctuation. And here I thought I was being smart by using things like "pPft7s9xtrk".
Easy way to remember passwords.
linux for me 15th Aug
Use a phrase, quotation, or other line that you know, such as this: Four score and seven years ago, our fathers.......

(And don't use this one now that it is posted!!!)

It will become this: 4s&7yaof

Now, if you know the phrase behind it, you will remember it very easily. I would challenge anyone to figure that one out without a lot of real brain work if you saw it for the first time.

Using the first character of each word, substituting numbers for words that are numbers or sound like a number (for) and characters like the ampersand for words (& = and), makes a very complex looking password that is easy to remember. You can capitalize any character if needed.

Looks very complex, easy to remember. Fails any brute force attempts to crack, especially those methods that use a dictionary for word lookups. The method in the article can fail with a crack using a dictionary lookup.
@linux for me Eight characters, even with some punctuation and digits, is no longer strong enough.
I never mentioned a length......
linux for me 17th Aug
@mejohnsn
Password length was never mentioned, this was just an example....Having a bad day?...Can't find something else to complain about?
is that they take some time to type in. Sure, it makes sense when you're only typing the password one time, but if you follow the security practices that every rational person here says are a good idea (limited user accounts, UAC for Windows), you're typing that password in several times per day. How long does it take to type "correcthorsebatterystaple" vs the 4s&7yaof password listed above, and to do so accurately, all the times it's requested of the user during the course of a day?

Joey
Unless a user is a very good touch typist, they're not going to be mentally able to get past the 40 or so asterisks that they're going to be seeing on their screen. And, as has been previously mentioned, many password policies require numbers and special characters, so they aren't going to fly. I personally love the passphrase technique, I use it whenever I can get away with it, but sadly the places where I can are few and far between.
@cerving What do you mean? The Passphrase technique DOES substitute numbers and special characters for words in the passphrase.
I love doing things like this, but it's frustrating to see the number of websites that have maximum password sizes. It's not something I run into all the time, but enough that I find it frustrating. Is there even any reason for it?
@Caggles Storage space. But given how inexpensive storage is these days, that's a lame excuse.
@jscott69

Saving storage space is not likely to be the reason sites limit the length of a password. If it is, that would mean the sites are storing the actual password rather than storing a hash or a salted hash of the password. A few sites might be storing passwords in the clear, but I hope not very many are.

I hesitate to speculate on the actual reason many sites limit the password length, making it difficult to use password phrases or related forms of password. It might just be a bit of laziness -- they might find it easier to make some interface they build have a fixed-length field for passing the password than making it a variable-length field. Does anyone reading this have relevant experience to share?
then you have more than just password problems. 5 tries then 20-30 minute lock out. You could even go further and say a max number of tries per day/week/month. Log all access information for invalid tries. Check the logs for spikes in tries and address situations as they come.
oh how I miss the days when the "root" password was simply "toor" or "password"

happy
Regarding the passphrase method, I once had a user who had a "Bible Quote a Day" calendar, and would save ones she liked to put on her cubicle wall. I showed her how to create a password from a day's quote, then put that day's quote up on her cubicle wall with all the others. She was able to always have her "key" for reference, but no one else would know which quote held the key. Hiding in plain sight!
Most sites require that you put numbers, capitals etc in a password and also limit it to 12 characters so you can't use a random phrase.
I don't use random phrases. I use phrases that I will never forget along with numeric strings that are easy for me to remember and then I break those into smaller representations of themselves and mix them together with variations in case and special characters. I end up with a password that is complex but very easy for me to remember.
The human brain is very bad at memorization. But it is very good at pattern recognition. As such, why bother to memorize a password at all? Instead look at your keyboard... notice any interesting patterns? Patterns begin to pop up even more readily if you have one of those natural keyboards.
Imagine this password:
6tgbnhy7^TGBNHY&
You have a 16 character password of seemingly random characters. But if you look at a natural keyboard, you'll notice that this is just the two rows of keys down one side of the split and back up the other side..
How about: 1qazxsw2!QAZXSW@ You should surely recognize this pattern of keys...
And who says you need to stay within the first 128 ASCII characters. Use all 255...

That's a fun one...How did I do that? Hold down the "ALT" key and hit three numbers on the number pad. Any 3 numbers above 200 and below 255 will give you an upper ASCII character that *NO ONE* can guess...Not even brute force crackers!
edit: looks like this board doesn't allow upper ASCII characters... just open Notepad and play around with them on your own and try them out... you'll be surprised!
If only most websites even allowed passwords that long. Too many still suggest 6 to 8 characters, while only allowing a maximum of up to perhaps 16.

And don't get me started on the pathetic "your favourite colour" password reminder methods.

As for a "central authority"? Please... NO! That just screams "let's make laws and create more agencies" to politicians. Want to enable your government (any government) to control the internet and have easier access to personal/corporate information? That's one quick way to do it.
More user education=OK.
Voluntary website standards=OK.
A self-test service for website owners=OK.
A third party that "rates" website password security for users or lets them test it themselves=OK.
Not all passwords are the same
inmarket 15th Aug
The reality is that not everything that asks for a password requires the same level of security.
There are numerous websites that require a sign-up but where I couldn't care less if someone tried to impersonate me.
On the other hand I want to protect my bank accounts as best possible.

One of the easiest ways to do this is to have "rings" of security...
1 password for unimportant stuff
1 password for middle strength stuff, and
1 password for secure stuff eg banking.
If a password at one level gets broken (most likely the unimportant stuff level) your bank accounts are still safe.
Now there are only 3 passwords to remember, providing appropriate protection across hundreds of web-sites or other logins.
The key of course is using the correct password level in the correct spot.
As I see it, the problem with any new way of selecting passwords is that users cannot implement them because software, website hosts, financial and other institutions are configured to only allow their own criteria to be used:
e.g. most banks only allow 4-5 number PINs, accounts with 6-8 numbers, and phone security usually must be an anglicised word;
email hosts and websites usually require a mixed-case group of 6-8 letters with 1-2 numbers;
there is rarely an allowance for long passwords with foreign characters, spaces, extended punctuation marks, and even when you have the option of using it in one place, different rules will block you on other sites or different devices / operating systems, so you are forced to use the lowest common denominator if you want consistent security and memorable passwords.

It's all well and good to have a suite of 50-100 passwords for all the sites you visit, but it's frustrating to forget the different permutations, and ultimately a hacker only needs access to your email account to enable them to retrieve passwords to all other websites you use, for example.

There should be an open-source standard approach to passwords, to create a best-in-class rule for all applications -- this could then be used across all security systems, under the continued scrutiny of the traditional security software and identity verification companies -- on much the same principle as HTTPS sites.
The nice thing about random phrases is that you can construct them from things that are printed around you. E.g. Diplomas, Certificates, postcards.

For passwords that expire, I would add that using "themes" helps remember them.

I have a document here and if I read the first word in each line I can construct about 10 - 20 passwords

"Our a Book1"
"AnnualAnnualHope2"

This means that I can have the reminder of my password right there, but either the "guessers" do not have access to my desk, or if they do, they don't know the "theme" and it cannot be automated. Oh, in case you are wondering: I am messy, so I have books, calendars, maps, product labels, etc. to choose my theme from.
@rarsa
Since these are based on words, these will be easily cracked. Secure passwords should not be in a dictionary, and use other non-alphabetic characters to make passwords a lot more difficult for brute force and dictionary crackers to solve.
Doesn't work
SeanBlader 17th Aug
IT departments and websites have for so long been imposing "secure" passwords on their users that numbers and capital letters and sometimes symbols are required elements, ruining the idea of a 4 word password. I put in a request to our IT manager that we allow any password if the length of it is over 10 characters, no reply yet.
...Make a password longer than, say 10 characters. Which blows because you're perfectly right that a longer random or even not so random but personal phrase is more secure.
I've always known
Hobyx 19th Aug
I've always known generally suggested password practices make life worse for the owners than anyone trying to guess them. Passwords didn't work well in war and they work worse for personal use. On every password protected site I've managed, the Forgot Password page gets more hits than the content pages.
...though his point is valid and, as usual, punchy.

http://en.wikipedia.org/wiki/Entropy