TechEcho
Fuck passwords

655 points, by vetler, over 13 years ago

60 comments

peterwwillis, over 13 years ago
I love this post, but must point out something about banks and passwords:

Malware trojans don't care about your password.

I don't know why people care about 'password cracking' when it comes to their bank accounts. Please watch "Modern CrimeWare Tools and Techniques: An Analysis of Underground Resources" (http://www.youtube.com/watch?v=zj4VkCB6obI) and your jaw may drop. TL;DW: Bank account sessions are automatically detected and wire transfers happen immediately to shell accounts. Login accounts are detected and sent to databases at C&C servers. People who know nothing about computers can generate a custom trojan to drive-by infect most computers.

Probably 95% of the time, if your bank account gets owned, it's not because someone cracked your magical password. It's because trojans are incredibly sophisticated and will take your money at the moment you log in, all undetected, with no fancy MITM or phishing or SSL cert faking.

Yeah yeah, they got your password and because it's unique now they won't get into some other account of yours. But carders don't care about your other accounts. You're one in a million people owned by their trojan. They'll get the other accounts once you log into them.
patio11, over 13 years ago
There is a (mildly) compelling reason for every bank to have a stupid password rule which is mutually incompatible with every site in existence: it means that compromising that other site's identity:password dictionary and then running it against your bank results in zero successes. Regular users reuse passwords given the opportunity to do so, and most of them will happily cough up their bank password to, quite literally, any site on the Internet.

There's got to be some weird game-theory solution for "Maximize for security while simultaneously minimizing the sum of all accounts on the Internet which have a password that could possibly collide with a valid password on this site."
VonLipwig, over 13 years ago
I don't understand this whole never reuse passwords nonsense.

I have unique passwords for my email accounts, github, facebook, twitter and bank accounts. I only need to remember about 8 passwords. They are all pretty memorable. I usually write them down (gasp). I then manually type them in until I remember them. I then rip the paper in two, putting half in recycling and half in the trash.

For every other site I use 1 of 3 passwords. Why? Why not? I mean seriously, if a site contains no personal information apart from your email why do you need a separate password for it?

I only use unique 10+ character long passwords to guard things that are worth protecting. If a forum account, stack overflow account etc gets hacked.. oh well. I will make another. It really doesn't matter.

I would use 1 password for all non-critical sites but password restrictions mean I need 3.
dexen, over 13 years ago
How's passwords an unsolved problem for any power-user? There's a ton of password management software out there that does /not/ require you to copy-paste passwords around†.

For me, kwallet & ssh public keys all the way. Kwallet makes passwords available to all programs I authorize. Authorize either on a case-by-case basis, or once forever. If you really don't want to bother with KDE and/or want to be easily portable across everything POSIX, go for http://en.wikipedia.org/wiki/Factotum_(software) -- it has a simple protocol.

I remember literally 5 passwords: home computer, work computer, home wallet, work wallet, auxiliary bank account (just in case something happened to all of my computers at once).

Actually, scratch that, I can /type/ those passwords, but I don't really know their content.

† using ^C^V on passwords is a bad idea anyway; (depending on browser) websites can read the contents of your clipboard. And check your recent browsing history. 2+2=...?
mike-cardwell, over 13 years ago
My passwords are all generated by mashing the keyboard, and are stored in a PGP encrypted file in my Dropbox. When I want to add a password to that file, I just edit it using Vim. Vim automatically handles decryption/encryption because I have the "vim.gnupg" plugin installed. When I want to know a password, I type "password foo", where foo is a substring of some identifier I've used, eg the domain name of the site. It searches my encrypted text file for a line containing that identifier, and selects the last string of non-space characters on that line as the password. It then displays the password, and also copies it into the clipboard. It waits for 10 seconds, and then overwrites the clipboard with its previous value. My "password manager" is this tiny script: https://grepular.com/password.pl_txt

I'd much rather rely on the security of GnuPG for my password store, than KeePass or LastPass etc. Dropbox provides me with backup and syncing capability for my password store.
Ixiaus, over 13 years ago
FOAF+SSL!!!!!!!!!!

There exists a rather elegant alternative to passwords for authenticating a user's identity - it's been around for a while but the user barrier is too high: FOAF+SSL.

The idea is you generate an X.509 cert and install it in your browser(s). You then stick the pubkey in a section of your own publicly hosted FOAF file (hosted by yourself or by a FOAF hosting service) - then when you "visit" a site that requires you to authenticate all you have to do is give it the location of your FOAF file, the browser will prompt you to select which cert you have installed that you want to use. (there are cool things you can do with remembering a user too)

This solution is elegant in two ways - no password entry, it uses a cryptographically secure certificate for authorization (much more secure than a password hash), the application in question can also pull/cache YOUR FOAF DATA (name, address, alias, whatever you have in there) so you NEVER HAVE TO FILL OUT A PROFILE FORM AGAIN.

That's effing cool, man. Why don't we see it? Because it's easier to use Facebook Connect and get the same stuff nowadays than it is to try and educate internet users on A) what is a FOAF file? and B) where/how do you generate it and host it when Facebook basically has all of that already (I know, one is personally owned, the other is owned by Facebook but we can't always control the ebb and flow of internet mass consciousness even if something is "more elegant" or "stupidly better").
earthboundkid, over 13 years ago
Dear browser makers,

Creating a password is not a job that users are good at.

Remembering passwords is not a job that users are good at.

Solve this problem for your users.

It's not super tricky. Make up a couple of new kinds of input types. Say, input type=trade-keys. When you see that on a page, create a private-public key pair and swap it with the server. Take the private key you made and the public key you got and encrypt them using the user's passphrase---the only password a user should have. Store that locally and make a back up to your cloud service in case the user wants to log in with another computer or the user loses their hard drive somehow.

Done.
resnamen, over 13 years ago
I had to register my Apple ID. Apple's site disallows copying and pasting in the password field. I really REALLY hope this isn't a trend, because I use strong passwords for everything, and these 128-bit monsters will make your hands explode if you try to type them in manually.

It blew my mind because a coder had to burn some calories to code the site specifically to disable copy/paste. What kind of UX is that?
chimeracoder, over 13 years ago
I absolutely despise security questions.

I have a few bank accounts for my company (checking/investments/etc.) which each require different logins. That's fine.

However, the security questions for a business account are inextricably tied to an individual. Favorite animal? High school mascot? Where were you born?

These are all questions that are pretty easy to crack for an individual account, so they provide next to no added security. Furthermore, for a business account, they're just an added layer of frustration. When I took over the accounts, I had no idea how the previous president answered the questions, since they're all personal to him, not our company. Furthermore, when someone else at our company needs to access our accounts, they need to know the answer to my security questions... which are the same ones I have to use on my personal bank accounts!

In the end, it's so much of a pain to remember the answer to these questions that when I'm randomly asked to verify, I'm just as likely to call customer support and ask them to reset them. So what does this mean? I call customer support and give them

1. My name
2. My company's name
3. Our username
4. Our bank account name
5. Our tax ID number or the last 4 digits of the social-security number on the account.

...most of which would be pretty simple for a would-be attacker to obtain. And let's face it, corporate accounts at banks are much more likely to be the targets of individualized attacks, rather than random attacks over an array of accounts.

tl;dr: For business accounts, security questions actually decrease security.
dprice1, over 13 years ago
Awesome rant.

In my mind, someone (browser vendors? security community?) should create a standard for handling interactions to do with passwords. Covering password length, characters allowed, characters required, case sensitivity, et cetera. Or perhaps a grading mechanism. Give it a catchy name and get some noted security researchers and clueful businesses to endorse it. You could even have a browser extension which points out to users which sites are handling passwords poorly or in an inconvenient way.

With respect to the issues with banking institutions: why not take it up with your congressperson, or write to the FTC and/or SEC? The FTC is charged with consumer protection, and this seems directly in line with that. Again, if there was a grading tool, the regulators could apply that.
apmee, over 13 years ago
I've often wondered to what extent my own password mnemonic "system" is either sufficiently secure or woefully misguided.

Each of my passwords is made up of the same eight-character non-dictionary word, plus the alphabet-position numbers of the first three characters of the name of the site I've made the password for (A -> 1, B -> 2, that old trick).

So for example, say the common word I was using in my passwords was "pizzadog", then my Hacker News password would be "pizzadog813" (H -> 8, A -> 1, C -> 3)

I admit my goal is convenience, as it's clearly only one step up from using the same password for everything, but with the added numbers making me feel a little better in the event of one of them being compromised. But is there any reason why this approach might be considered a bad idea?
g3orge, over 13 years ago
1Password is a great tool for that kind of stuff. I use it every day, and it's very secure.
BadassFractal, over 13 years ago
I completely agree with the sentiment of the post, I have to continuously go back to my KeePass database to look up the more complicated passwords.

What's the simplest thing that could work to fix this problem once and for all? I get the impression that there simply isn't one.
DanBC, over 13 years ago
> You know those SSL certificate warnings? You know how you always ignore them? Yeah, you shouldn't do that. They're the only warning you get that someone might have hijacked the connection to your bank or whatever. It's a shame that browsers have trained most of us to ignore the warnings, because they're the only thing making SSL useful.

It's not just browsers - here's an example of a budget web / email host telling users to ignore the warning:

(http://www.purplecloud.com/webmail/)

> When logging in your browser may warn about an invalid or untrusted SSL certificate. This is normal and can safely be ignored - the communication is fully encrypted despite this warning.

People only using one computer (that no-one else uses) have nice browser based password managers. Software like KeePass or Password Safe is handy, but not great if you use more than one computer (especially if you use more than one OS.) Keeping databases both synchronised and backed-up becomes tricky. And some companies / public computers won't allow you to use such software.

Trusting my passwords to the cloud just feels weird and unsafe.
jrabone, over 13 years ago
Lots of fail here, but I'm surprised no-one has mentioned www.ironkey.com yet (I just did). I've been using one for a couple of years (admittedly mostly on Windowses) and was so impressed I bought a couple more for my partner, family members etc. The identity manager does a reasonably good job, and the two-factor authentication works well for Ebay / PayPal. I use the on-board browser, which I keep as my "secure" / trusted-sites-only browser (where trusted mostly means "can cause money to change hands") or the integration with IE for some banks. The only thing that doesn't work automatically is banks asking for random digits (from a 16+ character random string, yeah, thanks). For that I use the ability to store notes alongside account credentials in the identity manager. IronKey also provide a degree of device management on their website, which is maybe the obvious weak spot - the credentials and checks needed to log on to their site WITHOUT having the device. That sort of thing is maybe best written down and stored with a will in a lawyer's safe - it's a worst-case scenario if you need it.
jiri, over 13 years ago
Ok, SSH agent is fantastic, but why is it not used to log in to websites? Is it so complicated to paste my public key into some textarea during account creation at any website? What is the reason that no site is using this?
mncolinlee, over 13 years ago
Personally, I use KeePass over Dropbox. I have my latest passwords available on any device I use. So if my phone and my computer burn up in a fire, I can still access my passwords from anywhere I can securely log in to Dropbox and my safe. If anyone hacks Dropbox, they will still need my safe key. If I lose Internet access, I can still access all but the most recent password changes.
calloc, over 13 years ago
I wish banks in the United States started offering two factor authentication. If I want to log into my bank (Swiss bank) I input my card number, I then get a one time code from my bank, I insert my pin card into my card reader (not connected to the computer), I type in my pin number, I then type in the code I got from my bank. What I get back is another number that I then type into the browser field.

I am now logged into my bank. Now each time I try to do anything with my money (move it from checking to savings, or from checking to my dad, or savings to checking, or to investing) I have to insert my card, enter my pin, enter the number and give my bank the number that is generated.

That is secure. WAY more secure than what I currently have with BoA, ING, WF, First bank, Chase, and Capital One.
pwman, over 13 years ago
I love how LastPass isn't the solution because ... "it's a computer program".

What kind of Luddite computer programmer is against using computer programs to solve their problems? Yet is fine with using SSH keys?

The argument of bloat is garbage -- you can utilize LastPass bookmarklets at the cost of exactly 1 bookmark in your browser. That adds a 1K bookmark and a very small amount of JavaScript to the page if and only if you utilize it.

Passwords certainly are painful, and our whole goal at LastPass is to make it easier. We'd be happy to help make other scenarios people are experiencing better, we've looked at handling ssh a number of times (putty in LastPass for Applications for example) -- anyone have a preference for how we tackle that next?
Egregore, over 13 years ago
It would be better to use public keys for authentication instead of passwords, but it will require too many things to change for this to happen.
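Several comments above (earthboundkid's trade-keys input, jiri's "paste my public key into a textarea", Egregore's "use public keys instead") describe the same protocol: the site stores a public key at signup, and each login is a signature over a fresh server challenge. The following is an added example of that exchange, written for this edit and not code from the original post or any of the commenters; it uses Ed25519 from Go's standard library in place of X.509 or SSH keys, and the origins `https://bank.example` / `https://bank-login.example`, the user `alice` and all function names are invented for the illustration. The two details worth copying are that the nonce is consumed before the signature is checked (no second try with the same challenge) and that the signed message includes the origin, so a signature harvested by a phishing page does not verify at the real site.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// loginMessage is what the client signs. Binding the origin into it means a
// signature produced for a phishing origin is useless at the real site, and the
// nonce makes every login distinct.
func loginMessage(origin string, nonce []byte) []byte {
	return []byte("web-login-v1\x00" + origin + "\x00" + hex.EncodeToString(nonce))
}

// authServer is the relying party: one registered public key per user and at
// most one outstanding challenge per user.
type authServer struct {
	origin     string
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func newAuthServer(origin string) *authServer {
	return &authServer{origin: origin, users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// register stores the key the user pasted at account creation.
func (s *authServer) register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// challenge issues a fresh random nonce that is valid for exactly one verify call.
func (s *authServer) challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// verify consumes the nonce first, so neither a failed attempt nor a replay can
// reuse it, then checks the signature over the server's own origin.
func (s *authServer) verify(user string, nonce, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	expected, ok := s.challenges[user]
	if !ok || !bytes.Equal(expected, nonce) {
		return errors.New("no outstanding challenge for this nonce")
	}
	delete(s.challenges, user)
	if !ed25519.Verify(pub, loginMessage(s.origin, nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// clientSign is the agent side: the private key never leaves it, it only signs
// the message for the origin the browser is actually connected to.
func clientSign(priv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, loginMessage(origin, nonce))
}

// runDemo performs a good login, a replay of the same signature, and a login with a
// signature obtained by a phishing origin, and reports whether each behaved as intended.
func runDemo() (loginOK, replayRejected, phishRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	srv := newAuthServer("https://bank.example")
	srv.register("alice", pub)

	nonce, _ := srv.challenge("alice")
	sig := clientSign(priv, "https://bank.example", nonce)
	loginOK = srv.verify("alice", nonce, sig) == nil

	// The same nonce and signature presented a second time: the nonce is gone.
	replayRejected = srv.verify("alice", nonce, sig) != nil

	// A phishing page relays the bank's nonce, but the agent signs for the phisher's origin.
	nonce2, _ := srv.challenge("alice")
	phishSig := clientSign(priv, "https://bank-login.example", nonce2)
	phishRejected = srv.verify("alice", nonce2, phishSig) != nil
	return loginOK, replayRejected, phishRejected, nil
}

func main() {
	ok, replay, phish, err := runDemo()
	fmt.Println("login ok:", ok, "replay rejected:", replay, "phishing rejected:", phish, "err:", err)
}
```

What a real deployment adds on top of this skeleton is a timeout on outstanding challenges and a user-facing way to enrol a second key and revoke a lost one; the verification logic itself does not change.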
al_james, over 13 years ago
The approach I use is to combine a master password (so only one password to remember) with a site specific name (e.g. the domain name or site title) using some difficult to reverse combining / hashing algorithm.

This way, even if one password is leaked, it should be impossible (or at least very hard) to calculate the master password.

I just uploaded a simple demo of this: http://onewheeledbicycle.com/junk/passwords/index.html
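apmee's "pizzadog813" scheme and al_james's keyed-hash scheme above are the two ends of the same idea, and the difference is whether one leaked password gives away the rest. The block below is an added example for this edit, not code from either commenter or from al_james's linked demo: it reproduces the alphabet-position suffix, shows the attacker's one-line recovery of the shared word, and then derives per-site passwords with HMAC-SHA256 keyed by the master secret instead. The master phrase, the site names and all function names are invented for the illustration. HMAC is used rather than a slow KDF such as scrypt only to stay within the standard library, so the master has to be long enough that offline guessing against a leaked output is hopeless.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// alphabetPositionPassword reproduces the scheme from the thread: one fixed word
// followed by the alphabet positions of the first three letters of the site name
// (H=8, A=1, C=3 gives "pizzadog813" for Hacker News).
func alphabetPositionPassword(word, site string) string {
	var b strings.Builder
	b.WriteString(word)
	for _, r := range strings.ToLower(site)[:3] { // assumes at least three ASCII letters
		fmt.Fprint(&b, int(r-'a')+1)
	}
	return b.String()
}

// recoverWord is the attacker's side of that scheme: the suffix is public once the
// site is known, so a single leaked password yields the word, and the word yields
// every other password.
func recoverWord(leaked, site string) string {
	return strings.TrimSuffix(leaked, alphabetPositionPassword("", site))
}

// derivedPassword is the keyed-hash version: HMAC-SHA256 keyed with the master
// secret over the normalised site name, mapped onto alphanumerics so picky sites
// accept it. The last three characters are forced to be a lowercase letter, an
// uppercase letter and a digit so the result clears the usual "must contain"
// rules while staying deterministic. Length is capped at 35 (32 body bytes + 3).
func derivedPassword(master, site string, length int) string {
	const lower = "abcdefghijklmnopqrstuvwxyz"
	const upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	const digits = "0123456789"
	const alnum = lower + upper + digits
	if length < 4 {
		length = 4
	}
	if length > sha256.Size+3 {
		length = sha256.Size + 3
	}
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(site))))
	sum := mac.Sum(nil)
	var b strings.Builder
	for _, x := range sum[:length-3] {
		b.WriteByte(alnum[int(x)%len(alnum)]) // small modulo bias, acceptable here
	}
	b.WriteByte(lower[int(sum[29])%len(lower)])
	b.WriteByte(upper[int(sum[30])%len(upper)])
	b.WriteByte(digits[int(sum[31])%len(digits)])
	return b.String()
}

func main() {
	leaked := alphabetPositionPassword("pizzadog", "hackernews")
	word := recoverWord(leaked, "hackernews")
	fmt.Println("leaked:", leaked, "-> word:", word, "-> facebook:", alphabetPositionPassword(word, "facebook"))
	fmt.Println("hmac-derived:", derivedPassword("a long master secret nobody will guess", "news.ycombinator.com", 16))
}
```

The remaining weakness of any deterministic scheme is the one nakkiel raises further down: a leaked output plus a known site name is an offline guessing target for the master, so the master's strength is the whole story, and rotating one site's password means changing the site label, not the master.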
aprescott, over 13 years ago
I completely and utterly loathe the security question-answer system. Has there been any study into how effective they are at improving security compared to, say, being forgotten and causing a complete annoyance? I've been unable to get access to fairly important accounts because I couldn't remember which answer I gave to a generic security question 4 years ago; I know full well that I gave a perfectly correct answer at the time, I just have no idea what it was.
lisper, over 13 years ago
If you hate passwords, check out http://dswi.net/
matthiasb, over 13 years ago
Using passwords as a single factor of authentication is complicated, inefficient, insecure; and for corporations, they are also expensive because of all the calls to the helpdesk they generate.

A solution for you is using an OTP (one-time password) as a 2nd factor of authentication. Since your authentication is a lot more secure with an OTP, you probably don't need to use such complex passwords anymore.

For example, you can enable the 2-factor authentication with OTP with Google and Bank Of America. With Google, you can either request an OTP by SMS when you are authenticating and/or provision the Google Authenticator mobile application which will generate OTPs for you. For Bank Of America, you can also get OTPs by SMS. They also provide an OTP card called the SafePass card (http://www.bankofamerica.com/privacy/cf/safepass_card_popup.cfm) to generate the OTPs.

"Speaking of usernames, I've run into more than one bank that requires a digit in your username. A digit. In. Your. Username." --> It cost me so much trouble with my BOA online account! I found out I could actually change my username and it made things a lot easier!
CHsurfer, over 13 years ago
I started e-banking with UBS in Switzerland around 10 years ago (it's where I live) and they provided me with a card, and a little card reader with a key pad. To log in, I have to enter an 8 digit account code (not my account number though - something random but consistent). It then gives me a random code. I type my secret pin number into the card reader and enter the given code. It gives me back a response with number and letter characters (all capital letters) that I enter into the web page to complete the log-in.

This seems quite secure as someone would have to have my card and pin number to access my account, which is the same level of security I have when I access my ATM machine. This was my first experience with e-banking. Imagine my disappointment when I tried to open other bank or trading accounts and found out they just used normal passwords.

Now, I only use e-banking with UBS, even though their fees are somewhat higher - I consider the security well worth it. I guess the cost of the device and administration must be less than 35USD per year, which they easily make up for in fees. My question is, why aren't the other banks doing this as well. I would totally pay for it.
tlrobinson, over 13 years ago
One of my banks limits passwords to 12 characters. I asked a customer service representative why, her response was "because it's hard enough to remember 12".

/facepalm
runjake, over 13 years ago
He would have gotten his point across better if it wasn't presented as an expletive-filled "yeah? fuck you!" rant, which seems like the cool thing to do, these days.

Never mind the fact that this subject ("Use different passwords!") has been beaten into the ground at this point and if people haven't clued in by now, they likely won't until they're compromised.
ward, over 13 years ago
As to the bank issue, I think they "fixed" that in Belgium. Logging in is still an annoyance, but I at least feel pretty safe with it.

To log in on the site, you need to do the following steps:

* Load site and type in card number (this is mostly a pain, but if needed you can make your browser remember the number)
* The site provides you with a "challenge code", in the case of my bank an 8 digit number
* You take a little machine provided by your bank, it looks basically like a calculator of sorts
* Slide your card in the machine
* Enter challenge code and your pin in the machine when asked for
* Machine returns a number which you then input on the site
* Click login

This challenge code is different every time, the only (big) downside is always needing the machine when doing online banking. However, I feel that's a small price to pay given that once logged in you can make transactions, something I wouldn't trust much if there was only a password with silly restrictions.

Also note, you have to repeat the challenge->machine->reply action when signing transactions you enter online.
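matthiasb's Google Authenticator codes and the Swiss and Belgian card readers described by calloc, CHsurfer and ward above are built from the same primitive: an HMAC truncated to a few decimal digits. The block below is an added example written for this edit, not code from any bank, reader vendor or commenter. The first half is RFC 4226 HOTP and RFC 6238 TOTP as Google Authenticator computes them (checked against the RFC test secret). The second half is a simplified card-reader flow in which the response covers the challenge and the transaction details, which is what makes the "sign every transaction" step ward mentions useful against the session-hijacking trojans peterwwillis describes at the top of the thread: malware that rewrites the destination after the user has signed gets a response that no longer verifies. Assumptions made for the illustration: card and bank share one symmetric key per account (real EMV-CAP readers derive per-session keys from the card), the PIN is checked inside the reader, and account names, PINs and function names are invented.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// dynamicTruncate is the RFC 4226 step that folds a 20-byte HMAC into a short
// decimal code: the low nibble of the last byte selects a 4-byte window.
func dynamicTruncate(mac []byte, digits int) string {
	off := mac[len(mac)-1] & 0x0f
	code := binary.BigEndian.Uint32(mac[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// hotp is RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter.
func hotp(secret []byte, counter uint64, digits int) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	m := hmac.New(sha1.New, secret)
	m.Write(buf[:])
	return dynamicTruncate(m.Sum(nil), digits)
}

// totp is RFC 6238 with the 30-second step that Google Authenticator uses.
func totp(secret []byte, at time.Time, digits int) string {
	return hotp(secret, uint64(at.Unix()/30), digits)
}

// verifyTOTP allows one step of clock drift either way and compares in constant time.
func verifyTOTP(secret []byte, code string, at time.Time) bool {
	step := at.Unix() / 30
	for d := int64(-1); d <= 1; d++ {
		if hmac.Equal([]byte(code), []byte(hotp(secret, uint64(step+d), len(code)))) {
			return true
		}
	}
	return false
}

// cardReader is the calculator-like device: it holds the card key and checks the
// PIN locally, so neither the key nor the PIN is ever typed into the browser.
type cardReader struct {
	cardKey []byte
	pin     string
}

func txMessage(challenge, amount, dest string) []byte {
	return []byte(challenge + "\x00" + amount + "\x00" + dest)
}

// respond signs the bank's challenge together with the amount and destination.
func (r *cardReader) respond(pin, challenge, amount, dest string) (string, error) {
	if pin != r.pin {
		return "", errors.New("wrong PIN")
	}
	m := hmac.New(sha1.New, r.cardKey)
	m.Write(txMessage(challenge, amount, dest))
	return dynamicTruncate(m.Sum(nil), 8), nil
}

type bank struct {
	cardKeys map[string][]byte // per-account shared key (simplification)
	pending  map[string]bool   // challenges issued but not yet consumed
}

// newChallenge issues a random 8-digit challenge valid for one use.
func (b *bank) newChallenge() string {
	n, err := rand.Int(rand.Reader, big.NewInt(100000000))
	if err != nil {
		panic(err)
	}
	c := fmt.Sprintf("%08d", n.Int64())
	b.pending[c] = true
	return c
}

// verifyTransaction recomputes the response over exactly what the bank is about
// to execute; a tampered destination or a replayed challenge both fail.
func (b *bank) verifyTransaction(account, challenge, amount, dest, response string) bool {
	if !b.pending[challenge] {
		return false
	}
	delete(b.pending, challenge)
	key, ok := b.cardKeys[account]
	if !ok {
		return false
	}
	m := hmac.New(sha1.New, key)
	m.Write(txMessage(challenge, amount, dest))
	return hmac.Equal([]byte(response), []byte(dynamicTruncate(m.Sum(nil), 8)))
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret
	fmt.Println("HOTP(0):", hotp(secret, 0, 6), "TOTP now:", totp(secret, time.Now(), 6))
}
```

The login-only use of the reader (calloc's and CHsurfer's descriptions) is the same `respond` call with empty amount and destination; it proves possession of the card but says nothing about what the session then does, which is why the per-transaction signature is the part that matters.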
Spearchucker, over 13 years ago
This has been a problem for a long time - which is why companies like Microsoft and IBM have been spending time on technologies like CardSpace, ADFS, the identity metasystem from Kim Cameron, IDEMIX and U-Prove, and other stuff that tries but fails like Microsoft Live (erstwhile Passport), OpenID, and OAuth.

The upshot is that the technology to move away from usernames and passwords exists. What we (the IT world) haven't been able to pull off is the ecosystem, to borrow an over-used cliche.

What we need are identity providers - some kind of body that can verify who we are. A good candidate is the passport office (FCO in the UK), the drivers license people (DVLA, in the UK) or the people who issue birth certificates.

Others, like banks, credit check agencies or supermarkets might also fulfill this role, but the scope for abuse and potential lack of accountability might make these bad choices.

Typically, the technology is not the problem. People are the problem.
omouse, over 13 years ago
If you're using SSH, you should check out Monkeysphere: http://web.monkeysphere.info/

It allows for the use of OpenPGP keys.

There's also a web component so your website can use it! However it only has a Firefox/IceWeasel plugin for now. It's two parts; the server side validation stuff, and the browser plugin.
juanfatas, over 13 years ago
Hi there, I think passwords are working perfectly. And we just need to figure out a way to remember all passwords in our brain in an unforgettable way. Here is what I do:

Password for xxx: First GF's birthday (yymmdd) + favorite city (2 letters, first letter CAP) + high school student no. + last 3 letters of my all-time favorite movie. This would result in: 760925Lu201228can

And you can store the statement in your Gmail. Only you will know the answer. Then you don't forget!

Also I have 3 levels of passwords: High, Medium, Whatever.
High: I will think of a password as I demonstrated above (at least 4 questions).
Medium: I will think of a password for just 2 questions.
Whatever: would be a stupid password but for accounts I don't care if it's hacked (stack overflow, github.. etc).

Among all tools, maybe it's better to write your password down and put it in your pillow, and forget all the technical stuff.
imperialWicket, over 13 years ago
I totally agree. I recently had the password requirements experience with quickbooks and their silly requirements (http://imperialwicket.com/quickbooks-online-password-fails).

Like many have said, I have a 6-10 password bank of relatively complex passwords that I use for services I may need to easily use on alternate computers. For everything else, I use randomly generated values (usually 24 char, including alphanum, special, hyphen, underscore, and white space) which I store in a KeePass db. I keep the KeePass db on a flash drive which I keep with me virtually all the time.

This technique is frustrating at times, but I like knowing that if a password is compromised, it's either something that can quickly and easily be addressed, or it's something that I really don't need to address.
luser001, over 13 years ago
I use the PwdHash extension. It works great. You type the same password into every box; it encrypts it using the domain name of the current web page as the key.

Also I'm using SSL client certs for a recent project, and I LOOOVE them. I wonder what sorts of problems render them "unusable" for him.
nakkiel, over 13 years ago
I'm by no means an expert in passwords/crypto and the like but it sounds to me that his idea of generating passwords from the service name and a master password is a good bad idea.

Basically, his passwords are made of two variable strings: one is the service (easy to guess if you're targeting a specific account, which in his case you must anyway) and a master password that likely doesn't vary much from one identity to another.

Doing this is basically opening the door to anybody who could gain access to his generation algorithm. I have no maths to back me up but I made a quick proof of concept that I ran against /usr/share/dict/words and managed to find one collision in ~100000 tests (I was generating passphrases though).

I'm going to keep on investigating and try to generate passwords instead of passphrases.
gitah, over 13 years ago
I'm not sure it's worth all the trouble to go out of the way and adopt a complicated password generation scheme. As long as your password isn't qwerty, an attacker brute forcing it seems very unlikely for any competently implemented web app: most block you after n incorrect tries and sending HTTPS POST requests seems really slow. Dictionary attacks on the password hash are another problem, but salting the password should handle this problem.

I agree reusing passwords for multiple services is risky, but shouldn't having different tiers of passwords handle this? Use a really weak password for stuff you don't care about or sites you don't trust and then use a stronger password for your bank, email, etc.
zokier, over 13 years ago
It's a shame that browser-based authentication mechanisms such as HTTP Digest/Basic Auth and Client certificates are so broken and underdeveloped. HTML5 has everything and a kitchen sink, but neglects to address this major shortcoming.
chmike, over 13 years ago
While the author has a point when users reuse their password for many accounts, he ignores the time required to test a password when using brute force attacks. The rant on banking passwords with strongly limiting constraints may be (is?) balanced by the time to test each password. The password could be reduced to a few numbers if it is assigned randomly by the bank and can't be changed by the user, and if something like a paying phone call is required to reset the password after three failed attempts. Make the password a series of logos to click in a specific order and displayed randomly, and keyloggers become history.
tete, over 13 years ago
WebID to the rescue:

Technology that is implemented in every browser right now (certificates) + compatibility with stuff like USB dongles, smart cards, that have also been available for some time now. Oh and no, you don't need a CA. Problem solved?

http://www.w3.org/2005/Incubator/webid/

The only thing left is using it and making browsers more friendly towards that approach. This mainly involves getting rid of scary technical warnings.

Until then I will use password maker, which isn't a store but creates the correct password when needed:

http://passwordmaker.org/
ghostwords, over 13 years ago
> ... password managers like LastPass ..., but let's think about this for a moment. I have the choice of either making my passwords so memorable and reused that i'm at a grave security risk, or of making them so secure that i need a computer program to store them for me. This is fucked up. This is fucking broken. This should not be allowed to go on.

Uh, how are SSH keys not using a computer program to store your secrets? Just use a password manager. You discovered the hard way why your special scheme doesn't work. Use a password manager (like KeePass). Use it with Dropbox, use it with a Flash drive.
iand, over 13 years ago
Take a look at WebID which uses client certificates to give you that SSH-like convenience for identifying with sites

http://www.w3.org/2005/Incubator/webid/spec/
chadillac, over 13 years ago
I remember reading an article about complex passwords vs what was basically called "offensive gibberish", I've actually taken a liking to this approach more recently than relying on a password manager. The whole goal is to make your password memorable while also making it long and complex enough to avoid cracking/brute forcing.

e.g. For gmail rather than "password3" one might use "give me my god damn email you stupid machine!" It's great because it's easy to remember, and complex enough to keep you relatively safe.

e.g. 2.0 : http://xkcd.com/936/
yariang, over 13 years ago
I was very pleasantly surprised by the security question system used by Ally Bank recently. They let you enter your own security question.

Why haven't they thought of this before!? I can come up with very good security questions that incorporate inside jokes with knowledge only I know and things I know I wouldn't share with anyone publicly.

These are things I will remember all my life and that nobody else will know (unlike say, my father's middle name). Unfortunately, Ally asked me for answers to three pre-determined security questions right after.

But there is hope!
dzhiurgis, over 13 years ago
Oh shit. Just yesterday I ran into precisely the same problem: I tried to change all my passwords online into something like service_password_date. I decided to do this after googling my four favorite password md5 hashes (abc123, cba321, etc). It was there :) So yea, only several services would allow you to have a password longer than 15 characters, and several even wouldn't allow you to use anything other than numbers and letters. I was shocked. Skype won't even let you use their name in a password, how's that fucked up...
gospelwut over 13 years ago
As I posted on Proggit.

NO. NO. NO.

Password length is by far the most important factor in brute force attacks. Which, I presume, is most people's concern, because if we're talking about weak hashes or plain-text storage, you're kind of fucked anyways. You can have your cake and eat it too.

Take, for example, some convoluted piece of shit password like `1Liek2Progr4m35423\!#@`. First off, most people won't remember that without using a password manager or copying it from your super-secret text file in your encrypted folder.

Sure, there will be a few people that chime in saying, "Hey, I can remember complicated, crazy passwords". Okay. Can you do it when the service forces you to rotate passwords, e.g. AD? Most users can't. Trust me. They can't.

So, what now?

Just make really long passwords. Instead of `fC29ap5w78r3IJ`, make it something you will remember. For example: `$omeb4s1ePr3fix I like to cheat on my wife with the secretary I hate her so much`. The entropy of the second password, due to its length, is much better than the former.

Now, if we're talking about services that don't let you have an obscenely long password, that's... a service problem. While the implications are real, we're talking about "how to make really good passwords". I feel like this has been answered, but people are insistent on some arcane notion of using some complex string of characters -- as if the computer gives a fuck. Not everything is a straight dictionary attack, and the computer doesn't give a fuck if your password has words in it or not, insofar as it's not just one or two words. It's not going to break a 42-character-long sentence that much faster because it has WORDS in it.

And there's no way somebody should be able to be trying to guess your password that many times without getting locked out. Unless we're talking about somebody hacking into the server itself, dumping out the hashes, and trying to break it that way. Even in that worst-case scenario, assuming they have done their due diligence with salts/bcrypt/etc, a 42-character password should take them somewhere in the vicinity of for fucking ever.

EDIT: The benefit comes from the prefix and the sentences. It pretty much deters both kinds of common algorithms even if you reuse the prefix.
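As an added worked example (not from the thread or any commenter): a small estimator that scores a password under the per-character brute-force model and under a word-guessing model, then takes whichever is cheaper for the attacker. The guess rates, the 20,000-word vocabulary and the prefix+sentence passphrase are constructed assumptions; two of the inputs are the passwords quoted in the comment above.

```python
import math
import string

# Constructed attack-model assumptions, not figures from the thread: a GPU rig
# against a fast unsalted hash, versus a properly tuned bcrypt.
GUESS_RATES = {"fast hash": 1e10, "bcrypt": 1e4}
DICT_WORDS = 20000  # vocabulary size assumed for the word-guessing attacker

def charset_bits(pw: str) -> float:
    """Search space if every character is brute-forced from the character
    classes actually present (the 'complexity' model most policies assume)."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0

def wordlist_bits(pw: str, dict_words: int = DICT_WORDS) -> float:
    """Search space if the attacker knows the password is space-separated
    dictionary words and only has to guess which ones (the dictionary attack
    the comment mentions). Non-word tokens such as a leet prefix are still
    brute-forced character by character. Words are scored as independent
    picks, which is generous for a real English sentence."""
    bits = 0.0
    for tok in pw.split(" "):
        bits += math.log2(dict_words) if tok.isalpha() else charset_bits(tok)
    return bits

def strength_bits(pw: str) -> float:
    """Score under whichever model gives the attacker the cheaper search."""
    return min(charset_bits(pw), wordlist_bits(pw))

def years_to_crack(bits: float, rate: float) -> float:
    """Years to exhaust the whole space at `rate` guesses per second."""
    return 2 ** bits / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    # Two passwords quoted in the comment, a short two-word password, and a
    # constructed prefix+sentence passphrase in the style the comment suggests.
    for pw in ["fC29ap5w78r3IJ", r"1Liek2Progr4m35423\!#@", "correct horse",
               "$omeb4s1ePr3fix I like long passwords that I can actually remember"]:
        b = strength_bits(pw)
        print(f"{b:6.1f} bits, {years_to_crack(b, GUESS_RATES['bcrypt']):9.3g} years at bcrypt rate: {pw!r}")
```

The two-word password collapses to under 30 bits once the attacker guesses words instead of characters, while the long sentence stays well above the 22-character "complex" string under either model.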
rvavruch over 13 years ago
I've been using PassPack for a few years. It allows you to generate random passwords with your choice of # of characters and type. My default setting is 14 chars of a-z, A-Z, 0-9 and punctuation. Then if the site complains I scale back: no punctuation, fewer chars, etc.

This does mean that 90% of the time I need to go to PassPack before I can login anywhere. Recently I've also wondered if a public key solution could work in a browser. That would be fantastic.
NHQ over 13 years ago
I like the idea of websites using public key encryption. Would the browsers have to implement it on the client side? Could a plugin handle that?
16s over 13 years ago
I've posted about SHA1_Pass here on HN before, but thought it relevant to this thread, so here it is again: http://16s.us/sha1_pass/

It's an open-source, portable password generator. No ads, no gimmicks, no password storage. The basic premise is "Don't store passwords, generate them locally on your computer when needed."
brendoncrawford over 13 years ago
For secure passwords, I strongly recommend the Password Hasher extension ( https://addons.mozilla.org/en-US/firefox/addon/password-hasher/ ), which allows you to use a different hash-based password for every site. It also allows different password lengths.
cr4zy over 13 years ago
I generate different, easy to remember passwords for every site by using a random looking base string and slapping in a few characters derived from the domain. For example you could take the first and last letter of 'ycombinator' and use 'ut' as your changing characters (the letters to the right of 'yr' on the keyboard).
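The "generate, don't store" idea behind SHA1_Pass, Password Hasher and the domain-derived suffix in the three comments above, as an added example that is none of those tools' code: a keyed derivation (PBKDF2-HMAC over the master secret and the site's domain) mapped into whatever length and character set the site allows, which also covers the 15-character and letters-and-digits-only limits complained about upthread. Unlike a fixed transformation of the domain's letters, one leaked site password does not reveal the rule or the master. The master secret and domains are constructed demo values.

```python
import hashlib
import itertools
import string

# Default alphabet: letters, digits and a symbol set most sites accept.
DEFAULT_CHARSET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"

def _stream(key: bytes):
    """Expand the derived key into an endless byte stream (SHA-256 in counter mode)."""
    for i in itertools.count():
        yield from hashlib.sha256(key + i.to_bytes(4, "big")).digest()

def site_password(master: str, domain: str, length: int = 20,
                  charset: str = DEFAULT_CHARSET, counter: int = 0) -> str:
    """Derive a site-specific password from a master secret and the site's
    registrable domain. Different domains give unrelated outputs, and a leaked
    site password does not reveal the master or other sites' passwords.
    `counter` rotates one site's password without changing the master;
    `length` and `charset` are trimmed to whatever policy the site enforces."""
    if length < 1 or len(charset) < 2 or len(set(charset)) != len(charset):
        raise ValueError("need length >= 1 and a charset of >= 2 distinct symbols")
    salt = f"{domain.strip().lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)
    n = len(charset)
    limit = 256 - (256 % n)  # rejection sampling keeps every symbol equally likely
    out = []
    for b in _stream(key):
        if b < limit:
            out.append(charset[b % n])
            if len(out) == length:
                break
    return "".join(out)

if __name__ == "__main__":
    master = "constructed demo secret, not a real one"
    print(site_password(master, "news.ycombinator.com"))
    # A site that caps passwords at 15 alphanumerics (the complaint upthread):
    print(site_password(master, "example.com", length=15,
                        charset=string.ascii_letters + string.digits))
```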
markkum over 13 years ago
Passwords are painful for the users, and not good for service providers either; https://www.mepin.com/2011/09/26/7-problems-with-usernames-and-passwords-for-service-providers/

Support OpenID!
motters over 13 years ago
Passwords are not ideal, but they seem to be the best compromise available. An alternative might be for everyone to carry around a USB dongle containing a private key, along with physical keys. There's always some tradeoff between security and convenience.
andrewflnr over 13 years ago
We've GOT to get public key cryptography in the hands of the masses. My current favorite strategy is to get them all using some distributed social network that uses PK and also integrates with everything, but I don't know how feasible it is.

Any other ideas?
zobzu over 13 years ago
Been preaching the same since... 1997? When SRP came along, we thought that, tied to proper keychains, we'd see the light at the end of the tunnel. But nope.

Too many "pros" are too tied to die-hard password auth ;-)
denzil_correa over 13 years ago
There's some nice little study going around on the very same topic. In fact, they seem to agree with you. Check out "FastWords".

http://fastword.me/
diziet over 13 years ago
When I am able to, I make my important passwords a very long phrase that I then memorize like a poem.

whenIamabletoImakemyimportantpasswordsaverylongphrasethatIthenmemorizelikeapoem
mukyu over 13 years ago
Firesheep is about session hijacking, not watching actual logins (which would normally be over ssl even if it is non-https served/https form target).
IgorPartola over 13 years ago
Fuck passwords is right! After having one of my re-usable passwords compromised through Mt. Gox's breach and (a small amount of) my bitcoins stolen from a different site, I have learned my lesson (BTW, the correct term for this type of event I think should be "I got Mt. Goxed.")

Here are a few things I learned:

* Banks don't need complicated passwords. Though they force you to use something that you'd normally consider ridiculous, like ^([a-zA-z0-9]){6,8}$, they also are much quicker about locking the login. On top of that you typically don't have to worry about SQLi with your bank and they do all use SSL. Phishing attacks are much more likely.

* I use LastPass and my typical password is a random 32-character alpha + numeric + all sorts of special chars string, different for every site. Some exceptions still apply: I want my main Google password to be something I remember, and I feel all right about that since there I can use two-factor auth.

* LastPass knows your passwords. Or at least they could. Consider that when you log in to share your password with someone (see below for why), you can expose your password to yourself on their site. Now all they need is some JavaScript (potentially inserted by a malicious person from a third-party domain) to grab it out of the DOM.

* LastPass has the ability to share passwords with others. This works well in my situation where my wife has all of our banking and utilities passwords, and either one of us can pay the bills. Once again, the fact that every site gets a unique password means that I can share these without sharing the passwords to my employer's servers, etc. On the flip side, explaining how LastPass works to a non-geek was a challenge. Their plugin for Chrome is just sort of ugly and clunky (Chrome's fault).

* SSH agent is fantastic. I set up all my personal servers and workstations to only allow pubkey-based logins, which means no more script kiddies trying random passwords. I also set up a PAM module to authenticate sudo using pubkeys and SSH agent, so I never enter a password into a remote machine.

* SSH agent forwarding may be set up in a very insecure way. The biggest problem is that if your local machine doesn't ask for permission to answer a pubkey challenge explicitly, you could have the following situation: an attacker compromised your remote machine. They have replaced /bin/bash with a clever script that executes bash, but also scans your ~/.bash_history for other hosts that you SSH'ed to. Now as soon as you log in, /bin/bash starts trying those hosts one by one, logging into those hosts and doing whatever the attacker wants since they also have access to sudo.

* Other things to be paranoid about: evil browsers, compromised operating systems, malicious browser plugins, key loggers, people with physical access to your machines, other people's dumb passwords on the same servers that you log into, MITM attacks and not checking the key signatures of SSH servers, monsoons, terrorist organizations, drug cartels, brain washing, swine flu and Soviet era doomsday devices.

Basically, LastPass and SSH agent are way better than using the same password, but just be careful about how you set it all up.
anty over 13 years ago
Reminds me that I have locked myself out from my Google account by using umlauts (specifically an "Ä").
droithomme over 13 years ago
I like this guy's article and it makes good points. But dropping the capitalization of the pronoun "I" halfway through a formal article that one publishes for a general readership looks really bad.
Sami_Lehtinen over 13 years ago
Here's one solution for true geeks. https://www.grc.com/offthegrid.htm