Forgot your password?
typodupeerror
News

The Psychology of Passwords 492

Posted by CmdrTaco
from the thats-pretty-wacky dept.
afabbro writes "According to this study, people's password choices put them into four groups: "Family", "Fan", "Self-Obsessed", or "Cryptic". I'm sure we're all good Cryptics here...now if only my users would stop being "Family"." And then there's the category "Stupid" for the zillions who use "Trustno1", "Swordfish", and "Password",
This discussion has been archived. No new comments can be posted.

The Psychology of Passwords

Comments Filter:
  • by Anonymous Coward on Friday June 29, 2001 @11:11AM (#119133)
    I beat end users with random flailings of my arms and watch for 'letter-like' shapes which rise as welt on thier bodies. Grab a new user, repeat.
  • by Anonymous Coward on Friday June 29, 2001 @11:22AM (#119134)
    The problem with this is that you then need a (secure) password management scheme. Unless you are a Rain Man type who can easily remember a large number of random passwords...

    I develop schemes now and again. I start with something easily recognizable, like 'So Long And Thanks For All The Fish'. Then I turn it into a 'random' password by a bunch of operations. For an example, I might take the second letter of each word (yielding oonholhi), then make characters 1 and 5 upper case, turn 2 and 6 into numbers (alphabetic value mod 10), then turn 3 and 7 into non-alphanumerics based on the keyboard layout. The pass would then be O5$hO2*i.

    That is sufficiently random for 90 day use or so. It would be weakened if somebody somehow guessed my scheme, but I pick a new arbitrary scheme every 90 days when I change all my passwords. Then I just have to remember one scheme and a bunch of key phrases for all of them.

  • We got our high-school computer labs admin password the old fashioned way too. By rifling through his desk. Sure enough, we found the words 'lunch' and 'dinner' written on the inside cover of one of the manuals for no apparent reason. Admin password? breakfast. From then on we played a lot of networked doom.

    --
  • If you have trouble remembering secure passwords, here's a great trick:

    Take a made-up nonsense sound, like "kersplat" or "squish" or "blart" or "shazam" or something.

    Capitalize the first letter, easy to remember because words are often capitalized in English (Kersplat, Squish, Blart, Shazam).

    Pretend you're a l33t h4x0r and start replacing letters with numbers (K3rspl@t, Squ1sh, Bl4rt, Sh@z@m).

    Add some punctuation, either in front or behind (K3rspl@t!, Squ1sh?!?, !Bl4rt, ??Sh@z@m).

    Congratulations, you now have a reasonably secure password.

    One of these is very similar to a password that I used to use. Can you guess A) which password is similar, B) what the real password was instead, and C) which systems that password was used on?

    --

  • by mce (509)
    I'm currently tracking 25 passwords (two of which are not computer related, actually). Some of them change too often to be sure that I'll remember them when in high need.

    So I've had to write them down "somewhere" bloody safe. As it happens, I ended up encrypting the piece of paper, such that the only thing that I definitely have to remember is the non-trivial decryption scheme. Of course, I also remember the passwords that I need most often, but for the others my encrypted paper has occasionally worked miracles.

    --

  • Where do you work? :P

  • that was popular when I was in school. Every time I came across someone who did that I just did a control-C and then rm -rf (opps, I mean whatever the dos equivelent was. deltree of some such) I always hoped the student has some assignment due the next day that was almost done...

    I always said that when the program catches me like that, I don't trust it not to have logged someone else's password, and so my good dead for the day was to make sure no passwords were stolen.

  • Wouldn't work these days. If you said "So where's the lead?" and were overhead these days, they'd think you were talking about bullets and expel you.

  • At my old HS they were runnint Novel Netware with one of those butt ugly login screens. All of the student accounts were locked down to a rediculesly low 500K of storage. I "needed" more ( to install wolfenstein ) so I wrote a pascal app that looked "just" like the novel login screen that logged usernames and passwords. Then would give a cookie.."wrong password" message and show the real loing screen.

    After a week of going in just after class and starting it on every pc in the lab I had all of the privlidged account passwords.

  • If you just write it on a slip of paper and stick it in your pocket, you're probably really safe. It's rather unlikely that someone will mug you for it, and you can make it really hard to guess while not leaving it around the computer. Given the number of people who pick good passwords and then leave them where it's easy for an attacker to get at and obvious what it's for, you'd think people would think to carry them.

    I mean, they tell you not to carry your ATM PIN with you, but that's because you'd have the card and the PIN in the same place. You're probably not carrying your work computer with you...

    Also, you'll probably have memorized your password after using it a bunch of times by looking at the slip of paper, at which point, you can destroy it.
  • That's why we have npasswd configured to not allow password reuse within a one year period. I have already had people tell me that they had picked out five passwords that they intended to rotate as the last used expire away. Those users can rotate if they like, but after a year I imagine they'll be more likely to pick a genuinely new one, especially since npasswd is such a hard ass about approving password choices.

    Ultimately, we hold the users responsible for maintaining reasonable security practices. My job in implementing npasswd was not to force everyone to do the right thing, it was to make it a lot harder to do something stupid. In the end, it comes down to the user.

    We do master a lot of systems from our master account database, so the user's single password gets them email, dialup, UNIX, Windows NT, AppleShare, etc. If our users needed to remember a dozen very difficult passwords, we couldn't do this, but with only one password needed for most of our network services, we hope it is not too unreasonable to require them to use decent passwords.


    - jon
  • I tried setting my password to 'mypassword1', and it told me 'Password not acceptable, may be derived from word 'mypassword'.

    npasswd may not be able to catch all variants of past passwords, but it is very very picky about what passwords are allowed, and if you choose a password that passes through npasswd, it is going to be a high quality password.

    No, a piece of software can't do anything about a user writing their password down on their forehead. But we have managers, and they can discipline or fire users for putting the lab's security at risk, if they do something truly stupid/negligent.

    Security is a process, and software's just a tool.


    - jon
  • The npasswd password history files are kept as a dbm of crypted password choices, so an intruder would have to find and crack that file, and by definition all of the passwords in that file would be hard to crack, as such things go.

    The one thing I'm not sure of right now is whether or not npasswd can support the use of md5 passwords or not. If it can, that would add a significant boost to the difficulty of cracking its files.


    - jon
  • by jonabbey (2498) <jonabbey@ganymeta.org> on Friday June 29, 2001 @12:09PM (#119153) Homepage

    We recently implemented Clyde Hoover's npasswd [utexas.edu] password validation program, which does all kinds of password quality checks and a password history function, to prevent users from re-using their old passwords. We have incorporated npasswd into Ganymede here, along with a password aging function, and boy, what a change for our users. Users really can't have easy passwords any more, they have to change them regularly, and they can't re-use old passwords. The sysadmins in charge of network security here love it, because the odds that our users are using the same password for our network that they are using for Amazon and Slashdot is now dramatically reduced.

    Npasswd is very good at what it does. Npasswd supports checks against account information and a wide variety of dictionary files, with character transpositions, reverals, etc. No more 'us3rname' passwords for our users. Here's a partial list of the dictionaries that Ganymede with npasswd checks against in our environment:

    • Antworth -- Big dictionary, includes many inflected forms
    • CIS -- Words and names from Current Index to Statistics (partial)
    • CRL-Words -- Dictionary from Center for Research in Lexicography
    • Congress -- Names and nicknames of U. S. Congressmen
    • Domains -- Internet domains
    • Ethnologue -- Words from the "Ethnologue Database"
    • Family-Names -- Common family surnames
    • Given-Names -- Common first names
    • Jargon -- Words from the Jargon File
    • Movies -- Characters, actors, and titles from thousands of movies
    • Python -- Words and names from M. P. scripts
    • Roget-Words -- Words from 1911 R's Thesaurus
    • Trek -- Words and names from Star Trek plot summaries
    • Zipcodes -- Town and city names for all U. S. post offices

    If anyone here wants to make sure your users are using strong passwords, run don't walk and get npasswd, I say.


    - jon
  • I tend to configure /etc/issue so that it prints the root password just above the "login:" prompt.

    Nice way to tease crackers. Too bad telnet doesn't allow root to login, but requires su'ing from a user account.
  • by VAXGeek (3443) on Friday June 29, 2001 @11:04AM (#119156) Homepage
    On some enterprise systems, the administrator has the option to have passwords checked against a dictionary for common words, palindromes or other easily guessed passwords. If you are interested in such "smart" password software, check out npasswd at: http://www.utexas.edu/cc/unix/software/npasswd/
    - -----------
    a funny comment: 1 karma
    an insightful comment: 1 karma
    a good old-fashioned flame: priceless
  • Is there a category for the idiots that write their passwords on post-its and stick them to the bottom of their keyboards?

    Oh, so THAT's how my wife found all that pr0n on my private share...

  • #!/bin/sh
    head -c 6 /dev/random | mmencode

    Much easier & faster, and certainly just as random as your cup of tea (of course, you have to be on a system with a reasonable /dev/random).

    -"Zow"
  • I prefer to take stupid phrases that no one else would think of (something like making a phrase to remember quiz items) and take the first letters and sound out a word for it.

    pretty easy to make up, easy to change, and easy to remember.
  • My winner under the Stupid category is the "admin" when I was in high school. He choose the great password of "none" for his personal account, which was easily cracked with a simple dictionary. Of course, he was really one of the biggest fools I have known in my life, so I am not really all that surprised...
  • Ack! I forgot the best part. For users who are really paranoid, you can, in the next-to-last step, convert the number into triplets instead of pairs:

    633 436

    And then you convert both triplets to their Unicode decimal equivalents. Thus, the high-security password in this case is:



    This may not display properly on non-Unicode browsers/platforms. But those of you who can display them will see that they have the added advantage of not actually appearing on any keyboard, thus exponentially increasing the difficulty for anyone wishing to guess your password.



    BTW, for those who can't display them, decimal 633 is an upside-down lower-case "r", and decimal 436 is described as "Latin small letter 'y' with hook".
  • by general_re (8883) on Friday June 29, 2001 @12:13PM (#119171) Homepage
    That is not nearly random enough. You need an algorithmic process that'll give you something really random.

    Here's what I do. First, you take a phrase, famous or obscure. For this example, I'll use a little Shakespeare - "He hath a daily beauty in his life that maketh mine ugly."

    Then, you take the second letter of each word, ignoring any single-letter words, thus producing "eaaeniihaig" in this case.

    Then, you convert each letter to its decimal ASCII equivalent, giving us:

    101 97 97 101 110 105 105 104 97 105 103

    Then squash that all into a single number in that order, producing:

    101979710111010510510497105103

    Then, you take the 5'th root of that number, and drop any decimal places:

    101979710111010510510497105103^(1/5) = 633436.01848182821643020050352705 --> 633436

    Then, you take THAT number, and break it into pairs thusly:

    63 34 36

    Finally, you take the first pair and convert it back to its ASCII decimal equivalent, and that's your password. In this case ASCII 63 is "?", so your password is "?" (without the quotes, naturally).

    And that, my friend, is pretty damn random.
  • The answer to this is quite easy by using a (simple) password algorithm:

    1) Take that random number, say 5934
    2) Now for everyplace where you need a password, append/prepend the name of the site/computer to that string. So if you decided something like first and last letters, plus the random number, you'd get:
    yahoo.com = y5934a
    slashdot = s5934t
    etc.
    If that's too short (like for hotmail) use a full-name variant for those like ho59tm34ail.

    For better security, always use caps for one of the ends, and/or tack on some (consistent) non-alpha at beginning or end, whatever rules you want to always use.

    Benefits:
    1) You never need to "remember" a password. Just the numeric bit, which you get to reuse everywhere, and the rule for picking the letters.
    2) Unique password nearly everywhere. Getting one of them doesn't give access to the other sites, and pattern isn't obvious with just one.
    3) If you ever are required to change a password (or just want to be safer anyway), ditch the first random number and select a new one, using the same basic scheme with it for all new passwords. Worst case scenario is you'll have to make 2, maybe 3 guesses, at a site you haven't been to for a while....

    I've been doing this for about 4 years now and it works like a champ. I've lost track of how many times I've suggested this to users when they're griping about having to remember passwords, but they still give me a blank look and use something like their dog's name anyway. Lamers... ;)
  • I mean, if I wanted to be really secure, I'd come up with a whole bunch of hyper-obscure passwords, memorize them for weeks on end and use those - secure in the knowledge that nobody can read my mind.

    Of course, that would be silly.

    I have used my PDA for password storage, but it proved somewhat tedious to go back and forth between computer and PDA to input them (whereas FPM can copy straight to X11's cut buffer with the hit of a button). It's not impossible for someone to break into my box, steal FPM's password file and somehow steal the password to decrypt it, but I consider that a possibility remote enough to fall within my level of tolerance.

    I figure so long as the value of the passwords are less than the effort it would take someone to steal them, I'm protected from the most likely attacks.

  • by tuffy (10202) on Friday June 29, 2001 @11:18AM (#119176) Homepage Journal
    With a password manager, I wind up with lots of passwords like "pXSvs2gQ", "3zRrtjBc" and "UA4urfVx" (to make up some examples). Sure, I have to remember one cryptic password to get into the manager, but then I can forget the rest (which, by my personal count, is 41 different user/password combos to remember - which I don't have time for).

    I recommend a decent password manager for everybody, since there's just too damn many sites that require them.

  • Hey, a bunch of people in my HS did that too.

    You wouldn't happen to be in Surrey, UK would you? ;)

    Stuart.
  • Yeah, and because folks with root can bypass this, every single time I survey a new system I find at least one account with "Senior" in the GECOS field and the password set to the userid...

    -
  • The advice "never write down a password" dates from back when a secure-enough password could be remembered reliably.

    This simply isn't true anymore. Any password that is easily remembered is likely to be easily crackable, because computer power is so cheap these days.

    Even Bruce Schneier has reversed himself and now recommends that you write your passwords down on a piece of paper, and then treat that paper like it was a significant amount of cash or a credit card; keep it in your wallet, or locked in a safe, and be aware of it's location at all times.

    Of course, people who write down their password on a sticky note and place it on their monitor are still idiots.

    -
  • by Garion911 (10618) on Friday June 29, 2001 @11:22AM (#119180) Homepage
    A friend of mine came up with a pretty nifty password creation scheme.. He lived on a rather busy street near a stop light.. So he would look out the window and pick out someone's licence plate number who was waiting at the light.....
  • The thing that cracks me up, is that they obviously had researchers go ask people for their passwords, and they gave them to them!

    I used to have an app on my PalmPilot that would generate random passwords and store them using IDEA. I was responsible for changing the root passwords at the ISP I worked at, and everyone hated it when I made them change.
  • Wasn't it Sierra's Hero Quest where you had to utter a password to enter a house, or cave, or something? The password, if I'm not mistaken, was "schwertfische"; If you said, "swordfish", it responded with something akin to "Wrong game!" before kicking you back to from whence you came.

    Well, it was amusing... back in those EGA days...

  • I grab two random license plates, concatenate them, and screw with capitalization. I've been using this method since 6th grade and it's always been secure enough.

    And in what situations, exactly, would this prove to be more secure than, say, taking one licence plate and not screwing with the capitalization?

    There's no need for horribly complex password schemes. Really, you can have passwords that are "secure enough" for whatever environment you're in without having to resort to major convolutions or a radioactive decay random number generator. Pick something not in the dictionary that couldn't be guessed even by someone who knows you. If you can work in capitalization or punctuation, that's great.

    Just make sure you eliminate everything that could reasonably be guessed or derived. (Don't use your mother's maiden name, not even backwards.) Once the cracker has to resort to a brute-force attack, any password is as good as any other.


    Chelloveck
  • by Compuser (14899) on Friday June 29, 2001 @12:42PM (#119190)
    When I worked as an intern in a rather big
    corp which shall remain nameless all
    passwords for all computer were "welcome".
    The sysadmins claimed it made their jobs
    easier because they didn't have to remember
    passwords for all the machines.
  • by sammy baby (14909) on Friday June 29, 2001 @12:03PM (#119191) Journal

    I once read an interview with Clifford Stoll, who was speaking about another interview he did on camera in his apartment. Apparently, the camera crew set him up seated in front of his computer. By the time the interview was aired, he realized his monitor - and the Post-It (tm) note with his root password on it - was clearly visible in the shot.

    The obvious retort is, "But anyone can read it!"
    No, the obvious retort is, "But anyone who can get inside the room can read it." At my place of bidnez, our administrative passwords all get written down, then placed in a fireproof safe, which is in our locked operations center. If you're confident that nobody is interested enough to read your passwords, that's fine. Just don't give any TV interviews.
  • But honestly I feel for these people. I have a ton of passwords too. Some are hard some are easy some I don't know thanks to cookies. The point being ther ARE far too many passwords.

    IMHO, this is a very serious problem, and almost everyone has it. It isn't realistic to expect anyone to memorize 20 different randomized passwords for 20 computers, 20 web sites, etc.

    I think the Right Thing to do would be to memorize a single passphrase (that you never use as a real password for anything) and use it as a key, to encrypt the name whatever computer/site you're logging into, then hash the ciphertext down into some password-like form. Thus, the user would only have to memorize one secret, but his local login, Slashdot, and Amazon passwords would all be different.

    Naturally, no person could do this kind of thing in their head, so maybe that's the final excuse for carrying around a PDA or something. (The PDA wouldn't store passwords, it would just be for converting combining the passphrase+identity into passwords. So all you'de have to worry about would be someone compromising the PDA to store/forward your passphrase.)


    ---
  • by crow (16139) on Friday June 29, 2001 @11:18AM (#119194) Homepage Journal
    This Slashdot Poll [slashdot.org] shows that 3% of slashdot users use "password" as their password.
  • Yeah, if they have physical access to your home and box anyway, passwords aren't really going to stop anyone.
  • by sharkey (16670) on Friday June 29, 2001 @12:23PM (#119196)
    He built redundant Cisco router configs for Slashdot until June 23, 2001.

    --
  • by sharkey (16670) on Friday June 29, 2001 @01:39PM (#119197)
    Ah, yes. @Home. I get service through Comcast Cable in Indianapolis. In trying to get them to actually provide service, rather than just leaving the modem, I ended up talking to a senior level tech. I had to tell her where I was, so I did:

    @Home: Where are you located?
    Me: 73rd & Hoover.
    @Home: What is that near?
    Me: About 1/2 west of Meridian St.
    @Home: No, what's close to there on the map?
    Me: It's Meridian, US 31, runs down the center of town.
    @Home: I don't know where that is.
    Me: The middle of Indianapolis!!
    @Home: But what is that near?
    Me: Plainfield, Carmel, Avon, it's a big city in the middle of the state!
    @Home: What state is that?
    Me: Huh?
    @Home: What state is that?
    Me: INDIANA!
    @Home: What is that near?
    Me: What the hell are you talking about?
    @Home: We don't have any facilities there. What is that near?
    Me: What? Do you mean what States are nearby? OH, IL, MI...
    @Home: OK. We have service in Illinois. I put in a request for them to finish turning on your account.

    Bear in mind that I called my LOCAL cable company for this support, and ended up, on the same call, talking to this wizard, who apparently flunked 1st grade geography, and was stuck on that asinine question, "What is that near?"

    --
  • No, writing down your passwords is only stupid if all of your enemies will be able to find your written down password.

    Like, if you post their location to a very public place...
    --
  • The thing that amazes me is when users boast about their passwords just out of the blue. One time I was helping a user who couldn't log in, and it took me about three seconds to spot the caps lock key that had been accidentally engaged.

    "Thanks so much for fixing that," the user told me gratefully. "I couldn't understand why it wouldn't work. I typed in password just like I always do. You know, my niece's name -- 'brittani', spelled with an 'I'..."

    I'm amazed on a daily basis at how differently some people's minds work.

    - HH (proudly using 'lovesexgod' as a password since 1993).

  • by RandomFactor (22447) on Friday June 29, 2001 @11:17AM (#119203)
    the most common type of password attack comes in the form of "social engineering"

    *cough*

    Like giving your password to someone doing a study on passwords?

  • I agree.

    When I used to teach beginning internet classes and manage the student lab at a community college, I made the same suggestion.

    If I picked up that the students/users were savvy or interested, I also suggested adding other modifications to the acronymized sentence.

    Substitute punctuation or numerals for words, suffixes, prefixes, etc.

    @ = at
    contempl8 = contempl(ate)
    4nick8 = (for)nic(ate)
    (Way too obvious, I know)

    Alternate case in the acronymized sentence.

    Now is the time for all good men to = NiTt4AgM2

    If they insisted on using the 'family' category, I had them '1eet 5pe@k' the family name.

    Where I work now, passwords must be changed monthly so I suggest all of the above with alternatingly prefixing or suffixing the two digit month offset by some number they can remember.

  • How many idiots actually gave their real passwords to this study. I hope to god the "cryptics" just gave them an example. Hmm how big was this study? Can I get the "results" hint hint, nudge nudge.
  • Passwords aren't always the limiting defense in security.

    Back in the day, we had all the machines in the research lab have the root password of "Mr.Root" (or "Mr.System" for the VMS machines).

    It was all pretty secure.

    We were not connected to the outside world on a network, and you had to pass through two safe doors to get to the lab. The combination on those safe doors was swiping your badge in the reader and waving your ID to the guys with the guns.

    Never had a single compromised system, either.
    bukra fil mish mish
    -
    Monitor the Web, or Track your site!
  • I suppose "western" books only (not asian, russian, etc..)

    Why not? Just stick to a standard (or even better - slightly nonstandard) way of transliterating, and you shouldn't have any problem.

    Of course, the downside of this approach is that if someone discovers your system, all the passwords you ever had are then known to them.

  • This is the advantage of iris recognition. It's reliant on there being blood flowing through the eye when it's checked.
  • by Garin (26873) on Friday June 29, 2001 @11:54AM (#119216)
    Dude, who cracks passwords any more? These days, it's far more likely the bad guys will get a root shell on a particular box before they'll crack passwords. Then it doesn't really matter any more, does it?

    IMNSHO, picking ridiculous passwords is a major waste of effort. All that is necessary is to "beat" all password guessers by a reasonable margin -- ie, stay well out of their dictionaries. As long as you'll make it so that dictionary attacks are no good, you'll have pushed the weakest link in your security on to something else.

    This means that pseudo-random passwords are easily good enough. No, "s00P3rS3kr1t" isn't a good choice for a password, but "SdN4N.Stm" will probably foil any dictionary.

    Heck, these days if someone manages to get a shadow file, then they're almost to the point where they don't need it any more.
  • Haha. I can't believe someone else does this too.

    I grab two random license plates, concatenate them, and screw with capitalization. I've been using this method since 6th grade and it's always been secure enough.

    ---

  • Okay, I'm particularly proud of this one.

    In high school, someone managed to get a copy of /etc/passwd when it was accidentally unshadowed for a day [NIS went down and it was a quick fix and no one realized it broke shadow until too late].

    So we ran john (I think that's what it was called) on the password file to see what it could decrypt. All the important accounts had secure passwords, but lots of users had really stupid passwords. The most common ones were "password" and "hello123".

    So what we did was hash each of those, and then hash the hashes. We then ran the program to brute-force the double hash, and lo and behold, it said the password was "password" or "hello123". But neither password nor hello123 would be valid.

    I just really liked that method, because it's a sneaky way of creating a pseudo-random password, and if you use it correctly, you can screw with people's minds. Of course, as soon as someone realizes that this is what you've done, it's very easy to get around. But that's not the point =]

    P.S. if you can't figre out what I'm talking about, I'm sorry for the incoherent babbling, I barely got any sleep.

    ---

  • by GoNINzo (32266) <GoNINzo&yahoo,com> on Friday June 29, 2001 @11:22AM (#119222) Homepage Journal
    One of my favorite password stories is my recent subscription to @Home from AT&T. I called to complain about my cable modem dying (I apparently was querying the DHCP server every second, for an hour or to every week. Stupid crontab...). I am used to 'security questions' like 'can you verify your address' and things like that. but after the usual, the conversation went like this:

    The Guy: 'What is your @home password?
    Me: 'excuse me?
    TG: 'Oh, we have to make sure it's you.
    Me: 'But I havn't set a password.
    TG: 'Yes, you have.
    Me: 'Um, I don't remember TELLING anyone my password.
    TG: 'Oh wait, you do have the default. Do you want to set a password?
    Me: 'What?!
    TG: 'You tell me the password, i'll put it in for you.
    Me: 'I don't really feel comfortable with that.
    TG: 'Just give me any old password.
    Me: 'Okay. F. &. 9..
    TG: No, do you have a regular word you could use?
    Me: What, like 'bob'?
    TG: Okay i've set it to 'bob', how can I help you?

    I was about ready to kill him at that point. Slight alterations in the passwords, but that's pretty much how it went. I was not happy.

    --
    Gonzo Granzeau

  • Ha. When I was sysadmining, I added Hindi, Mandarin, and Cantonese dictionaries to my regular Crack run. I caught quite a few.
  • And now, for a little bit of gratuitous link karma whoring, http://www.earthstation1.com/Horse_Feathers.html [earthstation1.com] is a page with lots of clips from the Marx Brothers' "Horse Feathers", including the famous (or is that infamous?) swordfish joke.

    Too bad most people have never heard of the Marx Brothers, or at least they don't *think* that they have ever heard of them. (Think Bugs Bunny for a moment...)

    ---

  • by gorilla (36491) on Friday June 29, 2001 @11:09AM (#119232)
    You can make the case mixing in the mnemonic device too. For example, if you were to think the Too Many was loud, it could be mshTMp2d.
  • Here's what I use: [snip] ...3. Use a person's last name (like Rucker) and 4 digits (say 3120). In your DayTimer or PDA, record it as a name and phone (Bill Rucker 275-3120)...

    Hm. This method is quite common, but perhaps not so secure. Banks in my country have issued warnings about using this method for storing PIN codes for ATM cards, since "all" pickpockets seems to know this scheme, and therefore scans all dayplanners for "fishy" name and number entries. Apparantly quite a few bank accounts have been emptied this way.
    Another problem with this scheme is, that it is "easy" to verify what is real names and telephone numbers.
  • by Talisman (39902) on Friday June 29, 2001 @11:34AM (#119237) Homepage
    "The Internet domain name registry CentralNic who commissioned the study, claims that the most common type of password attack comes in the form of "social engineering", when a cracker poses as technical support, and contacts someone in a different department within a big corporation claiming that there is a network problem, and asks for the user's password."

    Brrrnnnggg!!!
    Brrrnnnggg!!!

    "Good morning and thank you for calling the sales department at ACME Widget Corporation. My name is Janet. How can I help you today?"

    "Good morning, ma'am. This is the tech support department. We're currently installing quizzards for the loopstep stabilizers on your PC and we need your password."

    "Oh, OK. My password is J-A-N-E-T."

    (tapping sounds)
    "Ummm... No, ma'am. That's your login name. We need your password. The thing that you type in after your login name."

    "You mean that box underneath my name?"

    "Yes, ma'am. The box that says "Password" next to it..."

    "Oh it's B-U-S-T-E-R. That's my puppy's name."

    (tapping sounds)
    "No ma'am, that isn't it either."

    "Yes it is. When the 'Password' box comes up I type that in or else I can't get my e-mail."

    "That's the password to your e-mail account, Janet. When you FIRST turn the computer on, a box comes up that has a text entry field... err... I mean a little white rectangular box that you can type in, underneath your login name. What do you type in that box?"

    "Nothing."

    (silence)

    "What do you mean 'nothing'?"

    "I kept forgetting my password so one of the boys from the IT department set it to Auto Save so I wouldn't have to type it in."

    (silence)

    "Janet, can you please transfer me to the accounting department?"

    "Don't you want to place an orde..."

    "SILENCE, DUNCE! TRANSFER ME NOW!!!"
  • by Monthenor (42511) <.monthenor. .at. .gogeek.org.> on Friday June 29, 2001 @11:04AM (#119241) Homepage
    Back in high school, when SNES was big-time, my favorite password was "PotassiumIodide". See, Killer Instinct was one of my favorite games, and abbreviates to KI (all the chemists out there are shaking their heads at me)...
    ------------------------
  • We got our computer lab's admin password the old-fashioned way: we watched over our teacher's shoulder. Turned out to be a "cryptic", so he didn't suspect anything for a looooong time. This was on a bunch of PowerPCs with Mac OS8, and normally the account menu in the menu bar would say "Student"...and if it said "Administrator" when he walked by, we were busted. The solution? With our newfound administrator access, we created an account called "Student " and gave it privileges :) He didn't catch on until after I graduated; he even tried changing passwords once, to another "cryptic", but by then we had keystroke-loggers and our own accounts...

    So many people neglect the meatspace security.
    ------------------------

  • by tosderg (44011) on Friday June 29, 2001 @11:47AM (#119248) Homepage
    if you ask me.

    It's amazing to me that people in such an intellectually demanding field as programming computers have for YEARS relied upon what could possibly be the most inefficient form of personal security available: a secret word. I mean really.

    Complaints aside of "stupid users!" and "idiots deserved to have their account cracked with a foolish password like that!", what do you expect? It's the same thing as the whole "Well duh, to use Linux well you need to LEARN it, it's not my fault if you're too STUPID to learn something NEW!" argument; it just doesn't hold water when applied to the general populace.

    You or I may be capable of mastering every arcane command our operating system affords us, memorizing every minor inconsistancy between BSD flavor or Linux distribution, programming in fixes when we need them, etc, but JOE USER NEVER, EVER WILL. It's the same with passwords. You or I may realize the importance of a unique alpha-numeric password for each of our important sites, and have a nice table of "xreF249sfj2r43's" and "248sT358ugtds's" memorized in our head, but JOE USER NEVER EVER WILL.

    So when confronted with that box that says "Choose a password, and CHOOSE ONE YOU WILL REMEMBER, PASSWORD RETRIEVAL IS VERY DIFFICULT, please enter in your password hint in case you forget it", Joe User is not only inclined, but DIRECTED to select an easily-rememberable password.

    Someone please tell me how the fsck you have a "hint" to remind you the password you selected is "24885sfjsfsjf82's"?

    So Joe User sees that box, thinks "oh cool" and types in for the hint "Mom's maiden name" and his password ends up being "johnson", and that's that. It works for him, he remembers it, and even if he does forget it, it's right there for him to retrieve via his hint. Joe User doesn't realize that someone with half a brain will probably guess his mother's maiden name as his password within the first ten attempts to break into his account/machine/whatever.

    Also notice Microsoft and countless third parties developing programs to auto-remember and auto-insert passwords on sites you've visited before. One wonders why they don't just tie access to a unique browser hash if it's going to be that straightforward.

    An example of the type of thing I'm referring to: One time I had a few friends over spending the night with me, and when we got up the next morning we all had logged onto our messengers of choice to talk to friends and see what the plans were for that day. One friend had logged off of his AOL IM account to go to the bathroom (for he knew that if he left it up, we all would've lunged at his machine to enter the standard requisite "Sup, slut?" messages to his girlfriend and mother and etc etc ;), well, just to be a nuisance I told another friend of mine to try a password to see if we could log in when he was away.

    To my astonishment, it worked. My FIRST GUESS. It just goes to show that most "regular people" pick a password that is so easily rememberable (a word? is now.) by them and so related to who they are that those who know them well can probably pick it out just as easily. Another one of my friend's passwords, discovered via the same method, is simply his girlfriend's name with an "i" replaced with a "1".

    (btw, the password for the aformentioned friend was "bigblack", he'd been a fan of that character on the Howard Stern show)

    So please, someone more intelligent than I, come along and invent a better personal identification system that doesn't rely on the good practices or intelligence of the end user.

    -Chris
  • In fifteen years you will be 30. And you will remember the day when you had forgotten a password for the first time.

    Amen to that. I remember a time when I was phoned up by a former employer nine months after I had left their employ, what the root password for a particular machine was (because the person I had handed over to had also left and was unreachable).

    You need a systematic way of generating passwords, where the key knowledge is the system, not the individual password. Then, if you forget a past password, you can work progressively back through the system until you recover it.

    As an example, you might choose a particular book, ideally in a foreign language, and use the longest word in the fifth line of each successive right hand page as successive passwords (that isn't my system, but it's analogous to my system). If you forget your current password, just look in the book. If you forget an earlier password, work progressively backwards though the book.

    You can, if you want, substitute some letters with some numbers in a systematic fashion known to yourself, but IMHO that trick is now so well known as to add little extra value. I know some good geeks who always systematically replace all vowels with numbers... so if you were trying to crack their passwords, you would do the same.

    And yes, I was able to tell my former employer their password, there and then on the phone, although I had changed all my passwords several times since then. Systems are good provided only you know the logic of the system.

  • by Tackhead (54550) on Friday June 29, 2001 @12:38PM (#119259)
    > We got our high-school computer labs admin password the old fashioned way too. By rifling through his desk. Sure enough, we found the words 'lunch' and 'dinner' written on the inside cover of one of the manuals for no apparent reason. Admin password? breakfast. From then on we played a lot of networked doom.

    Setting the Wayback machine for 15 years ago...

    We shoulder-surfed our teacher's r00t password. It didn't change for the next two years.

    We had access to 40 megabytes of space for our use (some legit projects, but mostly warez), of which we only used about 5-10, so nobody notice.

    On graduation day, we changed the "Mail Waiting" prompt to "Whale Mating", brought in portable tape players, each with an identical copy of a tape cued up to the same point, left the headphones hanging around our necks and volume cranked, and hit "Play" at a predetermined time according to the classroom clock.

    The classroom was then filled with the faint strains of "Batman", seemingly coming from every direction.

    Teach was confused for a minute about where the music was coming from, but then he put two and two together and started laughing harder than we were.

    Confused the hell out of the non-geek students, that's for sure.

  • by glitch! (57276) on Friday June 29, 2001 @11:04AM (#119262)
    For all my passwords (and I have a lot of them), the only acceptable way is to pick them randomly.
    And I don't mean pseudo-random, like a computer generated password, or "sounds random", from just
    making up letters and digits out of my head.

    I have a cup full of small squares, each one with a letter or digit on them. Pull one out, put it
    back in, shake, and repeat 7 or 8 times.
  • by Bilestoad (60385) on Friday June 29, 2001 @11:34AM (#119265)
    Are there also categories for systems administrators?

    Like...

    Life's Lance Corporal: Makes sure that nobody uses any software or operating system other than that used approved by the CTO. Zealously enforces the use of anti-virus software on every boot. In marketing, his tread is greeted with trembling... in engineering, with stifled laughter.

    Just a Sad Bastard: Has such a pathetic life that he needs to reaffirm his own cleverness by making lists categorizing those sheep-like lusers. Not quite competent, but it's too difficult to fire him because he won't tell anyone else the root passwords of the systems he controls.

    :-)

    Any more?
  • by vbrtrmn (62760) on Friday June 29, 2001 @11:52AM (#119270) Homepage
    I'll trump that one...

    I used to work for an ISP in Virginia, called Erols Internet.

    We had to answer the phone with:
    "Erols technical support, may I have your userid?"

    Half the People who called answered with:
    "Is that my password?"

    Soon after I started working there, I changed my username to IsThatMyPassword, basically as a geeky joke.

    It has been about 3 years since I quit, I called up support, because I didn't pay my bill.

    A nice man answered and asked me for my userid, and I said, "IsThatMyPassword".

    After I explained it to him, he laughed for a few minutes and said that I had been his best caller ever :)

    --
    microsoft, it's what's for dinner

    bq--3b7y4vyll6xi5x2rnrj7q.com
  • by The-Pheon (65392) on Friday June 29, 2001 @11:04AM (#119276) Homepage
    ...the idiots that write their passwords on post-its and stick them to the bottom of their keyboards?


    Bottom of their keyboards?


    My users stick them on their monitors!

  • by pubudu (67714) on Friday June 29, 2001 @11:42AM (#119284)
    The most annoying thing about most people's casualness with passwords is that they not only do not know even the most basic rules of etiquette, but they actually get offended when you try to enforce them. When I'm at a friend's computer and I need him to type in his password, I get up and move away. When someone is at an ATM in front of me, I stand back and stare at the wall.

    But when I ask people to back off when entering my password/PIN, they stare at me as if I'm a madman! Then they grumble something about 'paranoia' as they finally back away.

    It would appear that their own lax security affects how they think everyone else should act. I don't much mind their own obliviousness, which is what this article is about, so much as the creation of social norms around it.

  • by AugstWest (79042) on Friday June 29, 2001 @11:40AM (#119294)
    ...comes from a marx brothers movie. it's the password to get into the speakeasy. how it became a completely unrelated travolta title, I'll never know...
  • by Eil (82413) on Friday June 29, 2001 @03:23PM (#119301) Homepage Journal

    That's what I do at work for all those stupid mandatory 90-day password changes. Of course, being a network run by morons, it keeps a list of ALL YOUR PREVIOUS PASSWORDS to enforce the fact that you your new password must be unique relative to the old ones. In other words, if someone ever cracks the password database, they get not only the current passwords, but the old ones so they can see patterns in the way the user chooses his passwords.

    Dumb dumb dumb. I'm a security-conscious fellow alright, but I do the above scheme of password changing simply so that if their systems ever get cracked, they might immediately see how stupid their enforced-password plan really was.
  • by blogan (84463) on Friday June 29, 2001 @11:05AM (#119308)
    Back in high school (6 years ago) we got the password file for a BBS we were on. Took a cracker program and gave it a list of common first names, sports teams, cheezy stuff (opensesame, secret), and all the previous with '1' appended (because you always here people say to put a number, so people think they're sneaky and put a 1 at the end. Never a 2 or 48). Doing that, I'd say we got about 60% of the passwords. Also, "catLight" was one of them because when you sign up, it said to use a combination of words, such as catLight.
  • by Che Guevarra (85906) on Friday June 29, 2001 @11:24AM (#119310)


    I have a cup full of small squares, each one with a letter or digit on them. Pull one out, put it back in, shake, and repeat 7 or 8 times.

    I have a bottle full of small pills, each one with a small letter on it. When ever I get that obsessive-compulsive I pull one out, swallow, and repeat 7 or 8 times.

  • by sg3000 (87992) <.moc.cam. .ta. .cilbup_gs.> on Friday June 29, 2001 @12:01PM (#119317)

    For a while I learned how to type using a Dvorak keyboard layout. So what I'd do is use a common phrase for me, but type the letters in the Dvorak sequence on a Qwerty keyboard. Or the reverse. Bingo, a relatively simple passphrase became jibberish.

    Unfortunately, it was too hard to switch back and forth between Dvorak and Qwerty, and my regular typing became jibberish as well. So I quit doing that, and went back to the slow ol' Qwerty way.

    It was a cool system while it lasted.


  • by friedo (112163) on Friday June 29, 2001 @11:29AM (#119355) Homepage
    Heheheh. When one of my grade school buddies would sneak one of his dad's Playboys into school, we'd ask him, "So where's the lead?"

    (Lead = Pb = Playboy)


  • About a year ago there was some sort of discussion here about methods of password generation. Someone had the best system I have seen, and I have been using it ever since. It's based on the use of simple math formulas, such as 8+7=fifteen or 24/8=three . It has many advantages. It's relatively long, uses shifted characters, and isn't hard to remember. Another advantage I discovered after we started using it regularly is that you can verbally relay the password to another admin who might have forgotten it and that admin (who knows that the answer to the equation is spelled out) can then use it but others within earshot who heard it will not understand how to use it.
    A tip of the hat to whomever it was here that originally posted that method a year or so ago.

    maru
  • by AMuse (121806) <slashdot-amuse AT foofus DOT com> on Friday June 29, 2001 @11:04AM (#119370) Homepage
    Users, generally, have too many passwords to remember. And no one wants to subscribe to MS Passport. Writing down the password, as well, is equally foolish.

    However, to be a good SysAdmin, you really need to try to find SOME way for your users to have both a secure password, and one the can remember. (OR you'll be resetting it constantly).

    I advise my users to think of a sentence to use as a mnemonic device, and make their password off that. ie, "My Sysadmin Has Too Many Piercings Today" - their PW would be mshtmp2d. I know, it's not as good as, say, "54kaSgHJ3", but most crack programs will take a hell of a long time on a NICE computer to break it, and the users feel more comfortable with it.

    Really, the point is to make the password not easily guessable, not write it down, but easy for the user to remember.
    --------------------------------------- -----------
  • by susano_otter (123650) on Friday June 29, 2001 @01:24PM (#119376) Homepage

    The Internet domain name registry CentralNic who commissioned the study, claims that the most common type of password attack comes in the form of "social engineering", when a cracker poses as technical support, and contacts someone in a different department within a big corporation claiming that there is a network problem, and asks for the user's password.

    Another option is to pretend to be doing a study of such things, and ask thousands of companies for their user's passwords.

  • by YIAAL (129110) on Friday June 29, 2001 @06:59PM (#119382) Homepage
    I have post-its with fake passwords scattered all over my office. I figure anyone who tries to hack my machine will waste a lot of time trying them, and will be so absolutely sure that one of them must work that in the end he will be too emotionally exhausted from frustration to try a more intelligent approach.
  • by rgmoore (133276) <glandauer@charter.net> on Friday June 29, 2001 @11:48AM (#119387) Homepage

    Of course on a modern system that uses MD5 passwords, it would be fine to use the whole sentence as the password (passphrase) instead of abbreviating it. Typing out something that long could get really annoying after a while, but if you're really interested in security it would be worth it. If the goal is to increase the keyspace, the simplest way to do it is to allow longer but still memorable passphrases, not to force people to remember gibberish.

  • ...the idiots that write their passwords on post-its and stick them to the bottom of their keyboards?

  • --As a Sys Admin I have a sort of love/hate relationship with passwords. My users are required to remember no less than 3. (NW, Notes, Sabre.) Some of the savvier have managed to use the same password everywhere. Recently an edict was passed down from the PHBs to make everyone's password the same. Mostly so the PHBs could access anything. I showed them the error of this thought process.

    --"Then they can get eachother's stuff and yours!"

    --"But, they're not me, how could they get in?"

    --"If I have the keys to your house I could get in to it."

    --"Oh. But they'd have to sit at my desk!"

    --"Not really." (Of course I could restrict where users can log in from but they don't need to know that!)

    --But honestly I feel for these people. I have a ton of passwords too. Some are hard some are easy some I don't know thanks to cookies. The point being ther ARE far too many passwords.

    --I have been trying to envision a swipe card system wherein all a user's passwords are stored yadda yadda. Clearly theft of this would be bad, but so is losing your work ID swipe card. Perhaps this is coupled to a typed password for the card. (Which my users would write onto the card with a Sharpie.)

    --Of course the promise of fingerprint recognition (lop off the finger trick?) and retinal scans would make this idea obsolete in several years but something has to be attempted to lessen the password load.
    ---
  • by _xeno_ (155264) on Friday June 29, 2001 @11:55AM (#119406) Homepage Journal
    Google "translation Fithos Lusec Wecos Vinosec" [google.com] and feel lucky about it [ezboard.com], and you'll be rewarded with:
    [W]hat Uematsu did was rearrange the letters in "Succession of Witches" and "Love" to make something that sounded truly Latin. Try it for yourself. All of the same letters are in there!

    Fithos Lusec Wecos Vinosec
    Succession of Witches Love

    I think it's cool that he did that because that also portrays the prevalent theme of Final Fantasy VIII.

    More information (like the words) can be found elsewhere [rpghosts.com].

    My mod points, please :)

    --

  • by dbolger (161340) on Friday June 29, 2001 @11:07AM (#119414) Homepage
    "Computer passwords reveal workers' secrets

    login: dbolger
    pw: StalkingNataliePortman

    ;)

  • by PopeAlien (164869) on Friday June 29, 2001 @11:16AM (#119418) Homepage Journal
    Uh.. yeah.. there *have* been some problems at OSDN lately, but don't worry we're working on the problem. Everybody just needs to email their slashdot username/password to me and I'll check to make sure it hasn't been 'compromised'.. Have a nice day!

  • by Psmylie (169236) on Friday June 29, 2001 @11:02AM (#119424) Homepage
    1... 2... 3... 4... 5...
    I specifically chose it because that's what I have on my luggage.
  • by neema (170845) on Friday June 29, 2001 @01:23PM (#119429) Homepage
    And then there's the category "Stupid" for the zillions who use "Trustno1", "Swordfish", and "Password".

    Yeah, those stupid people. Haha, they're so dumb.

    *Quickly loads preferences page to change password*
  • by Ian Wolf (171633) on Friday June 29, 2001 @11:11AM (#119436) Homepage
    Or I was I should say. One of my previous employers had fourteen NT/Win2K and 4 Solaris boxes all with the combos of administrator/password and root/password. Nice eh? Their web server, ftp servers, domain controllers, everything. I tried twice to get them changed. I even started to put better passwords on new machines, but the CTO kept changing them.

    "I don't want to have to remember 18 different passwords." You don't Genuis, give the same password if you must, but make them tough.

    To this day, if I want to call an old co-worker, but can't remember their number, I look it up on their intranet.

  • by Alien54 (180860) on Friday June 29, 2001 @11:14AM (#119448) Journal
    Of course, there is the possibility that the user may be deficient in other areas as well

    As seen on Computer Stupidities [rinkworks.com]:

    Student: "Hey, how do I lodge in to Hotmail?"
    Me: "You've got to type in your username and password in those fields that say 'username' and 'password'."
    Student: "I don't have one of those."
    Me: "You need one to log in to Hotmail."
    Student: "It's 'LODGE' in."
    Me: "The term is 'log in,' and you can't log in without a username and password. I can help you create one if you'd like."
    Student: "Um, excuse me, but I THINK I know what I'm talking about. It's LODGE in, and I don't want a username and password, I just want to get some email!"

    I just went back to working after that, and he left complaining about how "crappy" the computers in the lab were, after trying to "lodge in" for ten more minutes.

    Of course, there are hundreds of stories out there just like that one.

    Check out the Vinny the Vampire [eplugz.com] comic strip

  • As an example, you might choose a particular book, ideally in a foreign language, and use the longest word...

    So a dictionary attack will destroy every password you've ever used. Nice.

    Systems are a very good way to generate and manage passwords and passphrases but they must generate good passwords.

    Here's another system, one that generates great passwords on demand but requires that you carry a piece of paper with you:

    Create a 6x6 grid full of random letters. Pick 8-10 letters at random from the grid, and then memorize the pattern of your selections. It takes a little effort to memorize the pattern, but not as much as you might think.

    Then, you can create new random grids as often as you like, giving you all the high-quality passwords you need without requiring you to memorize them. Of course, if you lose or forget your current grid you're sunk, but it's even fairly safe to keep lots of copies of grids lying around, as long as you use a large enough grid and a long enough password. Even if someone got hold of your grid, brute forcing a 6x6 grid with a 10-character password means testing 9x10^14 passwords; the same effort as brute-forcing a nearly 50-bit key. Feasible but expensive to attack. For really strong security, use a 10x10 grid and a 12-character password. This gives an attacker an 80-bit work factor, which is probably infeasible even to government agencies.

    For the truly paranoid, this method also offers a way of permanently destroying a password. If a judge were to threaten you with contempt if you refused to divulge your password, you could simply explain your system and that you had destroyed that grid (non-toxic ink on rice paper would be an obvious way...).

  • by guinsu (198732) on Friday June 29, 2001 @12:55PM (#119465)
    I think everyone in a hs pascal class wrote the fake novell login screen.
  • by agentZ (210674) on Friday June 29, 2001 @11:36AM (#119475)
    If you really want to read all of the rules on how to choose a good password, check out this guide from MIT's SIPB [mit.edu].

    Do the karma whore dance!

  • by brlewis (214632) on Friday June 29, 2001 @11:58AM (#119479) Homepage

    I'm sure we're all good cryptics here

    Do we really know that /. passwords are more secure than average. Everybody e-mail me your /. password. I'll summarize the results.

    Bruce Perens: Don't bother; I have yours already.

  • by kenthorvath (225950) on Friday June 29, 2001 @11:10AM (#119494)
    I did that, and checked my log files. Apparently people DO check for things like post-its under the keyboard. My login: gullable, password: penii.Sure enough I saw a login attempt for user "gullable". I wonder if they got it...
  • by kenthorvath (225950) on Friday June 29, 2001 @11:16AM (#119495)
    King Roland: Alright, alright I'll tell you the password to the air shields, just don't harm her!

    Dark Helmet: You have my word...

    Roland: 1
    Helmet 1

    Roland: 2
    Helmet: 2

    Roland:3
    Helmet: 3

    Roland: 4
    Helmet: 4

    Roland: 5
    Helmet: 5...
    Opening air shields with combination 12345 - That's the stupidest combination I ever heard!

    President Spaceball: That's the combination on my luggage.
    Commence operation MegaMaid - And somebody change the combination on my luggage!

  • by ManDude (231569) on Friday June 29, 2001 @12:00PM (#119506)
    Part of the problem is stupid admins. They want strong passwords changed every 3 days for internal joe average accounts. What else can they do but post it to their keyboard?

  • by corvi42 (235814) on Friday June 29, 2001 @12:48PM (#119511) Homepage Journal
    A few little tricks I've picked up for finding good passwords:

    If you've ever played the "guess that vanity licence plate" game, this is an automatic way to come up with good passwords. You take a phrase or expression you know you can remember and obfuscate it as you might if you wanted that same phrase on a vanity licence plate but need to squash out characters so it will fit. For example, you might take the phrase "rose garden" - you could write it out as "rOzgRdN" ( where password is case sensitive of course ) so that when you read it you pronounce the upper case letters as the name of the letter and the lower case as the sound the letter makes. Of course 1337-ifying your passwords has a similar effect.

    Of course the nice thing about this is you can keep all your goofy old passwords - family names, celebrities and ego-boosting cliches, just make them difficult for a password cracker to grab out of lists of plain-text.

    Another trick that I've always liked is to use chess notation. Think of any move in a game of chess, one that you can remember easily and write it out using one of the conventional chess notations. For example the move "white queen captures kings rook 3" would be "wQxKr3".

  • by whjwhj (243426) on Friday June 29, 2001 @11:24AM (#119519)
    Everybody keeps suggesting that writing down passwords is 'stupid' and something an 'idiot' would do. This is not always the case.

    Here, in my home office, I have every single password I need (about 20 of them) written down in pencil on a single sheet of notebook paper. It's tucked in a relatively obscure location in my files.

    Is this a security threat? Not really. Somebody would have to bust into my house and ruffle through my paper files in order to find them. Unlikely, at best.

    What would be considerably more insecure than writing them down is to keep them in a text file on my machine. Somebody hacks my machine across the internet and I'm toast.

    So next time you folks start throwing out terms like 'stupid' and 'idiot', think it through a little bit, OK? Saves you from the embarrasment of being the stupid one.
  • by jmcneill (256391) on Friday June 29, 2001 @11:01AM (#119529) Homepage
    I think someone discovered the password to my other account, 'Anonymous Coward'. People keep using it to post annoying messages under every article.
  • by suwain_2 (260792) on Friday June 29, 2001 @04:30PM (#119535) Journal
    The ultimate way to get everyones' passwords: Post an article to Slashdot, getting hundreds of people to post comments describing exactly how they got their password.

    Talk about "social engineering"... ;)
    ________________________________________________

  • by markmoss (301064) on Friday June 29, 2001 @12:15PM (#119549)
    use the whole sentence as the password That's fine if you can type a whole sentence blind without any errors. Most people can't.
  • by Unknown Bovine Group (462144) on Friday June 29, 2001 @11:06AM (#119608) Homepage
    Yeah I called Microsoft tech support because my password was showing up when I typed it into the login box!

    They couldn't figure it out for quite a while until they asked what my password was....

    Of course, it was ******(star-star-star-star-star-star).

  • by Unknown Bovine Group (462144) on Friday June 29, 2001 @11:39AM (#119609) Homepage
    Of course there's another password category "people who make up passwords in hopes that someone WILL find them out".

    Like my pw I hope one day to have the FBI demand from me:

    password: guessityourselfyoudumbcunt.

"Consistency requires you to be as ignorant today as you were a year ago." -- Bernard Berenson

Working...