Bad Grammar Make Bestest Password, Research Say 193
An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"
Certainly (Score:3, Insightful)
Corollary (Score:4, Insightful)
Re:My question is this: (Score:5, Insightful)
Re:Randomized passwords are the best (Score:5, Insightful)
Re:Certainly (Score:4, Insightful)
Unless those dictionaries contain common misspellings, which they probably already do.
Re:My question is this: (Score:5, Insightful)
A paranoid colleague of mine composed passwords with a sprinkling of extended chars. He entered the whole thing on the numeric keypad with ALT held down.
I've no idea what his password(s) were, but they caused quite a few badly written apps to explode in a spectacular shower of exceptions and unhandled input errors.
Re:Corollary (Score:5, Insightful)
Entering wrong infromation for password reminders / security questions.
My opinion is that password hints and security questions are really just a bad idea which websites should possibly stop to use completely. They can easily ruin the whole security even if your password itself is robust.
Re:Randomized passwords are the best (Score:5, Insightful)
I don't have a different phone number for every person I call. People I call do not make up rules like my phone number must be at least x characters long, must have a special character in it, can not have a special character in it, must not begin with an upper case letter, must begin with a character, must begin with an emoticon ;-)
and I don't know what other crap they are about to come up with...
Re:My question is this: (Score:4, Insightful)
Because not all systems can handle Unicode, and Unicode itself has multiple internal representations (UTF-8, UTF-16.) Furthermore, there are multiple valid Unicode encodings for the same character stream. In other words, that would be a very bad idea unless you are in an environment where only company approved systems, set up by competent system administrators, are allowed to log in, in which case it would just be a bad idea sans the "very". Even then it is of little value, since a well chosen password still has plenty of entropy, and there is no need to add complexity to the auth system (complexity is the enemy of security.)
Re:Certainly (Score:2, Insightful)
Well, if we didn't say it, they'd all make their passwords "password", their own first name, or some other amazingly simple word. [cbsnews.com]
They always glaze over when you try to explain strong passwords. No matter what you tell them, you can always sit down at their desk and say "what's your password?", just to find out it's "Password1" or "1234567A"
For everything outside of my place of work, I use a password safe program and (if I can) at least a 42 character password using the largest possibly set, generated randomly.
At work, where I'm not allowed to use a password safe and am required to memorize no fewer than 30 passwords, most of which have to be updated at least monthly, and cannot use any password I've used in the last 6 months.... my password is my first name and last initial, followed by a number which is how many times I've had to reset it. Yes, it's weak. No, I really don't give a shit. They drove me to this point with their dumbass fucking password policies and I've got better things to do with my time.
The reason why my eyes glaze over is because I'm having visions of murdering your stupid fucking ass in the parking lot after work. If you were worth even half a shit at your job you'd never need to ask my password in the first place.