Cartoon makes better password point than many security experts

Summary: Sick of passwords you can't remember? Not sure you trust password managers? A cartoon has some good advice for you.

TOPICS: Security

I've been using cryptic passwords since I cut my computing teeth on an IBM 370. I never liked passwords like xkcd1234EMC2, though. They may have been more "secure," but they were hellish to remember. I still use them today, but the brilliant Internet cartoon xkcd by Randall Munroe has just shown me that I, and many security experts, have been idiots for years. Read the cartoon below and you'll see what I mean.

Password Strength cartoon by Randall Munroe

ARGH!

Munroe's perfectly correct. A 'password' made of four common words picked at random is easy to recall without fear and trembling, and it is stronger than the usual word-with-substitutions password that password policies push you toward: the cartoon puts it at roughly 44 bits against 28, and those extra 16 bits mean about 65,000 times more work for an attacker guessing it. Two caveats. The words must be chosen randomly, not assembled into a sentence you would naturally write, so a phrase such as "This is my password." gains you nothing. And if you write your pass phrases on sticky notes on your monitor, you're still beyond help.
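The arithmetic behind the cartoon's claim, as an added example that is not part of the original column: a generator that picks words with the operating system's random source, and a comparison of the bit counts and exhaustive-search times for the schemes discussed on this page. The word list is a constructed stand-in (only its size enters the maths), and the two guess rates are assumptions: 1,000 guesses per second is the throttled web-login rate the cartoon uses, 10 billion per second is a plausible offline rate against a leaked fast hash.

```python
"""Passphrase entropy versus random-character passwords (added example)."""
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 86_400

# Constructed sample list. Only len(wordlist) enters the entropy maths; a real
# generator should draw from a published list (the cartoon assumes roughly
# 2,048 common words; the Diceware and EFF long lists have 7,776).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "bishop", "candle",
    "dragon", "engine", "falcon", "garden", "hammer", "island", "jungle",
    "kettle", "ladder", "magnet", "needle", "orange", "pillow", "quartz",
    "rocket", "saddle", "tunnel", "umpire", "velvet", "walnut", "yellow",
    "zipper", "bridge", "copper", "desert",
]


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of `length` symbols, each drawn uniformly from `symbols` choices.
    This only holds when the draw is genuinely random: a sentence you would
    naturally write has far fewer bits than its word count suggests."""
    return length * math.log2(symbols)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space (the figure the cartoon uses)."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(wordlist, words: int = 4, sep: str = " ") -> str:
    """Pick `words` entries uniformly using the OS CSPRNG (never random.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_schemes() -> dict:
    """Bits and exhaustion time for the schemes mentioned on this page.
    Guess rates are assumptions: 1e3/s throttled online, 1e10/s offline
    against a leaked fast hash such as unsalted SHA-1."""
    schemes = {
        "four words, 2048-word list": entropy_bits(2048, 4),   # the cartoon's 44 bits
        "four words, 7776-word list": entropy_bits(7776, 4),
        "six words, 7776-word list": entropy_bits(7776, 6),
        "8 random printable ASCII chars": entropy_bits(95, 8),
        "12 random printable ASCII chars": entropy_bits(95, 12),
    }
    report = {}
    for name, bits in schemes.items():
        report[name] = {
            "bits": round(bits, 1),
            "years_at_1k_per_s": seconds_to_exhaust(bits, 1e3) / SECONDS_PER_YEAR,
            "years_at_1e10_per_s": seconds_to_exhaust(bits, 1e10) / SECONDS_PER_YEAR,
        }
    return report


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    for name, r in compare_schemes().items():
        print(f"{name:34s} {r['bits']:5.1f} bits  "
              f"{r['years_at_1k_per_s']:10.3g} y @1e3/s  "
              f"{r['years_at_1e10_per_s']:10.3g} y @1e10/s")
```

Two things the table makes visible that the cartoon does not: the 550-year figure assumes a throttled login, and the same 44-bit phrase falls to an offline attack against a badly stored hash in about half an hour, which is why a longer list or a fifth and sixth word is cheap insurance; and a dozen truly random characters is stronger than four words on paper, the catch being that nobody remembers them.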

Of course, even with this method, you still have the problem of having dozens of Web sites that require passwords. You could use a single pass phrase for all of them, but considering how often sites are having their password databases stolen these days, a pass phrase that unlocks every account you own is just asking to be cracked: once it is recovered from one breach, it will be tried against all the others.

No, while using a pass phrase makes excellent sense, and I feel like an idiot for never realizing it on my own, you're probably still going to need a password manager.

If you feel better keeping your passwords safe and sound on your own PCs, I recommend RoboForm or IronKey Personal. If you want a password manager as part of a security suite, I recommend Norton Internet Security 2011 or Kaspersky Password Manager.

If you don't mind having your encrypted password vault stored on someone else's servers, I like LastPass. I can, and do, use this program on any and all platforms. And, since I use pretty much every operating system and platform out there, that's a good thing.

As you may recall, LastPass had some trouble recently, but the problem wasn't that they lost passwords; it was that they were paranoid enough about a possible attack on their servers to ask every user to change their master password, and the resulting rush of resets knocked the LastPass service off the Web for a short time.

For what it's worth, I trust LastPass. In the end, though, which password manager you trust is a call only you can make. All I know now is that you'll be a lot smarter using a four-word pass phrase than a dozen characters of gibberish. (A dozen truly random characters is stronger still on paper; the catch is that nobody remembers them, and a password you can't remember is one you write down or reuse.) Thanks, Munroe.

Related Stories:

Death of the Password? Markus Jakobsson and Jason Perlow discuss with the CBC

AntiSec posts passwords from Apple survey server

Sony hacked again, another 1m passwords exposed

Opera beefs up password security

We interview LastPass CEO: the human price and the real truth


Talkback

44 comments
  • RE: Cartoon makes better password point than many security experts

    The cartoon mimics a very long post on exactly the same subject by Baekdal: http://www.baekdal.com/tips/the-usability-of-passwords-faq. What's missing is that you'd better put white space or hyphens, etc. between the words...
    runbei
    • RE: Cartoon makes better password point than many security experts

      @runbei Agreed, although I heard it from Steve Gibson's Security Now podcast a few months back.

      As you say, putting a few non-standard symbols between the words (or appending a bunch of the same symbol at the end) will increase the entropy greatly.

      AsD12Sw2311skddeeds232S (@1000/sec = 54.26 thousand trillion trillion centuries)

      is less secure than

      Dog1.................. (@1000/sec = 10.40 million trillion trillion centuries)

      if the password is being dictionary attacked.

      I've been using random words concatenated with various symbols for about 15 years now. They are easier to remember, usually with a few digits thrown in for good measure.
      wright_is
      • RE: Cartoon makes better password point than many security experts

        @wright_is

        I was about to post the same thing. I also listened to that podcast and I use his online haystack calculator to show customers how insecure their passwords are.
        hjagla
    • RE: Cartoon makes better password point than many security experts

      @runbei

      I have been using the mnemonic system for years. My school friend and I had a sentence which we used often; it contains seven words, from which I extracted one letter each. I use a numeral where it fits, and start the password with a capital as good English demands. I say the sentence to myself as I type the appropriate letters. It is very solid. Something like "The journey of a thousand miles begins with 1 step." could become "TjoaMmbw1s." (ignore the quotes; the capital M = 1000). For my Android phone as a hot spot I use the whole sentence entirely. No one will be able to crack it while you are waiting for the plane.

      I now work in customer service for a large Australian Telco, and I advise the password challenged (a majority) to follow my example. Their sense of relief is palpable.

      The advantage of a motto is that one can have it framed on their office wall and no one would pick it as a memory aid.
      algreig@...
  • Better Yet...

    The reason that the person is able to remember the phrase better than an arbitrary string of letters, numbers and symbols is because they created a mental image to go with the phrase. The root of the problem is that our human brains are evolved to better remember IMAGES than words, letters and numbers.

    So, instead of trying to come up with a mental image to help you remember a series of words... let's ditch the use of text altogether. A better solution is to simply use images instead of passwords. This picture-based approach uses people's ability to recognize images that fit their secret categories, and it generates its own one-time password for each login: http://www.confidenttechnologies.com/products/confident-imageshield
    Confident Technologies
    • RE: Cartoon makes better password point than many security experts

      @sneeds

      While you may find that great in theory, I found it irritating when my bank changed to an image based system. Instead of a simple string, I now had to recognize images in the correct order. Sure I may be able to remember the images, but the correct order? In practice, I found it much harder as did a lot of other clients - they don't use it anymore ;-)

      The real solution to passwords is to have the computer recognize you rather than you having to remember meaningless passwords.
      tonymcs@...
    • RE: Cartoon makes better password point than many security experts

      @sneeds I'm not certain that's necessarily true. Some people find images easier, some people find sounds easier. I don't think it's a scientific fact that one is easier than the other, and it seems very much subjective - I do believe that the human brain is not always the same from person to person.

      I'm a very visual person, but I know people who aren't. So IMO this does in fact vary, and I'd be wary of a technology that claims one over the other.

      Indeed, what if the person is blind?
      CobraA1
      • RE: Cartoon makes better password point than many security experts

        @CobraA1
        Braille monitor?
        lehnerus2000
      • RE: Cartoon makes better password point than many security experts

        @CobraA1 You have correctly identified some fundamental flaws in the idea, flaws that Nichols just didn't even notice.

        The first I noticed is that not ALL of us have memories that work in exactly the same way. I have NEVER found it easy to memorize random phrases/lists/what-have-you by constructing such mental images. For some lists, it is hard to come up with the image in the first place; with others, it is hard to remember what the things in the image really stood for and in what order.

        Why, even in the xkcd cartoon example, if I didn't know already that that was supposed to be a "battery staple", I would have no idea that is what is in the image.

        As for the problem of multiple passwords on multiple sites/applications, the trick I learned is to use the pseudo-random passphrase to remember a prefix or infix, and then come up with your own simple rule for adding on suffix or circumfix. One suggestion was to use the month and year the password is being changed/set.

        Of course, the weakness with this scheme is that once a cracker cracks one system, he can then guess what to try on your others. But you can defeat this by not always using the three letter abbreviation for the month, but sometimes the number either in hindu-arabic or roman numerals. Or by sometimes using as suffix, sometimes as prefix. Or by having a small number of prefixes to choose from.

        But with any of these schemes, you who set the password need make only a few guesses, while an attacker would have to make many more, and that without the help of using a program to generate the options.
        mejohnsn
    • RE: Cartoon makes better password point than many security experts

      That's a really good idea. But if we must have passwords we enter, please consider...

      ...if you use some kind of broken keyboard pattern, the pattern is far easier to remember than four words and much more difficult to crack. And it depends on your keyboard. Have a split keyboard? You have different patterns than on a standard keyboard. So feel free to type in *mju7bgt5MJU&BGT%l. Try cracking it. I bet you can't. Try typing it. I bet you can type and remember it. Dag, I just provided a superior way to create a password.
      melekali
  • RE: Cartoon makes better password point than many security experts

    This is a great article. Security isn't my field but the article and comic make a great point. I have a list of substituted-character passwords for some of the admin accounts and it's worthless to try to remember them. Using random words might just be easier. The only drawback I see is the more characters you have, the greater the chance of a typo, which will lead to an account lockout. But still, I might try it on an account just to try it. I'm curious now as to how many people are now going to change their password to "correcthorsebatterystaple".
    LoverockDavidson
  • RE: Cartoon makes better password point than many security experts

    "but considering how quickly sites are being cracked for their passwords these days, having one password or pass phrase for all your sites is just asking to be cracked."

    A good website will NOT store your passwords. Instead, they'll be using a cryptographic hash of them. Properly "salted," and the hash would be worthless to try to use at other websites.

    That being said, there's no enforcement of such a policy :(.

    I use LastPass and KeePass for password management. LastPass is okay for websites, but KeePass works better for offline use.
    CobraA1
    • RE: Cartoon makes better password point than many security experts

      @CobraA1 You make a good point, but I think you miss his. He never SAID the website would STORE your password. But once an attacker cracks one, even though he doesn't get your other passwords, he now knows at least that one password, and can use it to guess your others. So if he also knows where else you use passwords, you are vulnerable.
      mejohnsn
      • Cracker Shouldn't Even Get the One

        @mejohnsn
        CobraA1's point is that when one site that you do business with gets cracked, if they follow good security practices (a big if), then passwords are one thing they shouldn't be able to obtain because they are stored encrypted. Of course some well known break-ins reveal that some sites at least don't encrypt passwords as they should.
        CFWhitman
    • RE: Cartoon makes better password point than many security experts

      @CobraA1 As you observe, there is no enforcement of such a policy. This is a major problem. What we really need is an independent agency auditing these companies to make sure they follow good security practices.

      But who would do such an audit? The best agency I can think of to do this is still not a very good match: NIST. I would prefer an independent industry consortium, but I don't see one about to spring up.
      mejohnsn
  • RE: Cartoon makes better password point than many security experts

    It depends on the implementation. As far as I'm aware, most versions of Windows do not properly "salt" the password hash functions used to encrypt them. This leads to an attack method called a "rainbow table." On most Linuxes the password hashes are properly salted, so this type of attack is not feasible. I'm unsure if Windows 7 salts its hashes or not. Now, try to explain that to someone who knows little about computers.. ;)

    http://en.wikipedia.org/wiki/Rainbow_table
    BP314
    • RE: Cartoon makes better password point than many security experts

      @BP314 Windows Vista and Windows 7 disable the weak security methods by default, and use Kerberos.
      CobraA1
  • goo goo ga joob

    I was forced by my bank to change my password recently, and I thought of one that Compuserve issued me when I first signed up with them in 1980. I used that password for 15 years, so it is burned into my brain. Curiously, it is much like the cartoonist's ideal password: random ordinary words separated by punctuation. And here I thought I was being smart by using things like "pPft7s9xtrk".
    Robert Hahn
  • Easy way to remember passwords.

    Use a phrase, quotation, or other line that you know, such as this: Four score and seven years ago, our fathers.......

    (And don't use this one now that it is posted!!!)

    It will become this: 4s&7yaof

    Now, if you know the phrase behind it, you will remember it very easily. I would challenge anyone to figure that one out without a lot of real brain work if you saw it for the first time.

    Using the first character of each word, substituting numbers for words that are numbers or sound like a number (for) and characters like the ampersand for words (& = and), makes a very complex looking password that is easy to remember. You can capitalize any character if needed.

    Looks very complex, easy to remember. Fails any brute force attempts to crack, especially those methods that use a dictionary for word lookups. The method in the article can fail with a crack using a dictionary lookup.
    linux for me
    • RE: Cartoon makes better password point than many security experts

      @linux for me Eight characters, even with some punctuation and digits, is no longer strong enough.
      mejohnsn