Strong passwords are simpler than you may think.

[MikeJohns]

A friend at his first day of induction at a government facility was given a briefing on passwords. This cartoon was in handout material. They are trying to get people to adopt random word sequences as being much more secure and memorable.

IT departments worldwide are still apparently promote relatively short passwords with hard to guess and confusing letter substitutions as a strong password. Consequently a lot of time is spent sorting out forgotten passwords.
A relatively random word string is more secure and much more easily remembered.

[Leo Lazauskas]

Quote:

Originally Posted by MikeJohns

A friend at his first day of induction at a government facility was given a briefing on passwords. This cartoon was in handout material. They are trying to get people to adopt random word sequences as being much more secure and memorable.

IT departments worldwide are still apparently largely in the dark ages with their understanding of what constitutes a strong password.

The following site gives a good idea of how long the sequence of characters must be:

http://howsecureismypassword.net/

[latestarter]

Speaking of passwords:-

"I needed a password with eight characters –

so I picked Snow White and the Seven Dwarves." Nick Helm

This was the winning joke at this year's Edinburgh Festival.

The rest you can see at http://www.huffingtonpost.co.uk/2011..._n_935977.html and several other sites.

[Autodafe]

Must have been a pretty recent induction - the cartoon was first published this month.

Original source:
http://www.xkcd.com/936/

[Submarine Tom]

So, that would make "one,two,three,four" the new first guess for hackers?

-Tom

[hoytedow]

"So, that would make "one,two,three,four" the new first guess for hackers?

-Tom"

Think random.

[lewisboats]

four, two,three,one

[Dave Gudeman]

They don't say how they calculated the entropy, but I think it's wrong. there are about 67 easy-to-type characters on a standard American keyboard. There are 67 to the 8th power different 8-character combination, a bit more than 4e14. There are about 5,000 simple English words (there are a lot more words than that, but this plan calls for simple, easy-to-remember words) so there are 5,000 to the 4th power phrases consisting of these words, or 6.25e14. That's only about 50% more guesses you would have to make to guess the password.

I think that the person who came up with this is either counting the letters when he should be counting words for the word method, or he is counting the total number of English words (100,000 to 250,000).

[Leo Lazauskas]

Quote:

Originally Posted by MikeJohns

A friend at his first day of induction at a government facility was given a briefing on passwords. This cartoon was in handout material. They are trying to get people to adopt random word sequences as being much more secure and memorable.

IT departments worldwide are still apparently largely in the dark ages with their understanding of what constitutes a strong password.

Using English spelling (not US) increases the security because there are more letters in words such as honour, colour, ...

[jehardiman]

Quote:

Originally Posted by Dave Gudeman

They don't say how they calculated the entropy, ...snip..., or he is counting the total number of English words (100,000 to 250,000).

That was my thought. Let us say 5,000 easy to remember 5 letter words...5^3*5^3*5^3*5^3 = 6.25E10^13 so at 1E10^3guesses per second = 6.25E10^10 seconds+=1980 years...still fairly secure.

[Dave Gudeman]

Quote:

Originally Posted by jehardiman

That was my thought. Let us say 5,000 easy to remember 5 letter words...5^3*5^3*5^3*5^3 = 6.25E10^13 so at 1E10^3guesses per second = 6.25E10^10 seconds+=1980 years...still fairly secure.

But not much more secure than using an 8-character string taken from the whole keyboard. Don't get me wrong --I think using words instead of characters for passwords is a good idea, but it's mostly because words are easier to remember, not because it's a lot more secure.

Also, multi-word passwords are only secure if the words are unrelated. If you use a phrase like "do you feel lucky" or "take my wife please" or "mimsy were the borogroves" then a dictionary attack can work a lot faster than a random search.

[GTS225]

I just use an alpha-numeric sequence as a matter of normal protocol, and keep nothing on my computer that I would not mind being seen on the internet.
I also do not, for any reason, pass my charge card or any financial account numbers through the internet.

Roger

[hoytedow]

If you use multiple languages for word selection it becomes even more difficult to crack:
chupacabra doughnut bouton schwarz

[Submarine Tom]

Quote:

Originally Posted by hoytedow

If you use multiple languages for word selection it becomes even more difficult to crack:
chupacabra doughnut bouton schwarz

Now insert some numerals and you're away!

-Tom

[hoytedow]

chupacabra doughnut bouton schwarz numerals or MCMLXVIII?