Strong passwords are simpler than you may think.

Discussion in 'General Computing' started by MikeJohns, Aug 26, 2011.

  1. MikeJohns
    Joined: Aug 2004
    Posts: 3,192
    Likes: 208, Points: 63, Legacy Rep: 2054
    Location: Australia

    MikeJohns Senior Member

    A friend on his first day of induction at a government facility was given a briefing on passwords. This cartoon was in the handout material. They are trying to get people to adopt random word sequences as being much more secure and memorable.

    IT departments worldwide are apparently still promoting relatively short passwords with hard-to-guess and confusing letter substitutions as a strong password. Consequently a lot of time is spent sorting out forgotten passwords.
    A relatively random word string is more secure and much more easily remembered.
     

    Last edited: Aug 28, 2011
    1 person likes this.
  2. Leo Lazauskas
    Joined: Jan 2002
    Posts: 2,696
    Likes: 155, Points: 63, Legacy Rep: 2229
    Location: Adelaide, South Australia

    Leo Lazauskas Senior Member

    The following site gives a good idea of how long the sequence of characters must be:

    http://howsecureismypassword.net/
     
  3. latestarter
    Joined: Jul 2010
    Posts: 402
    Likes: 51, Points: 28, Legacy Rep: 233
    Location: N.W. England

    latestarter Senior Member

  4. Autodafe
    Joined: Jun 2008
    Posts: 137
    Likes: 6, Points: 0, Legacy Rep: 112
    Location: Australia

    Autodafe Senior Member

    Must have been a pretty recent induction - the cartoon was first published this month.

    Original source:
    http://www.xkcd.com/936/
     
  5. Submarine Tom

    Submarine Tom Previous Member

    So, that would make "one,two,three,four" the new first guess for hackers?

    -Tom
     
  6. hoytedow
    Joined: Sep 2009
    Posts: 5,857
    Likes: 400, Points: 93, Legacy Rep: 2489
    Location: Control Group

    hoytedow Carbon Based Life Form

    "So, that would make "one,two,three,four" the new first guess for hackers?

    -Tom"

    Think random.
     
  7. lewisboats
    Joined: Oct 2002
    Posts: 2,329
    Likes: 129, Points: 0, Legacy Rep: 1603
    Location: Iowa

    lewisboats Obsessed Member

    four, two,three,one
     
  8. Dave Gudeman
    Joined: Nov 2009
    Posts: 135
    Likes: 27, Points: 0, Legacy Rep: 359
    Location: San Francisco, CA, USA

    Dave Gudeman Senior Member

    They don't say how they calculated the entropy, but I think it's wrong. There are about 67 easy-to-type characters on a standard American keyboard. There are 67 to the 8th power different 8-character combinations, a bit more than 4e14. There are about 5,000 simple English words (there are a lot more words than that, but this plan calls for simple, easy-to-remember words), so there are 5,000 to the 4th power phrases consisting of these words, or 6.25e14. That's only about 50% more guesses you would have to make to guess the password.

    I think that the person who came up with this is either counting the letters when he should be counting words for the word method, or he is counting the total number of English words (100,000 to 250,000).
     
  9. Leo Lazauskas
    Joined: Jan 2002
    Posts: 2,696
    Likes: 155, Points: 63, Legacy Rep: 2229
    Location: Adelaide, South Australia

    Leo Lazauskas Senior Member

    Using English spelling (not US) increases the security because there are more letters in words such as honour, colour, ... :)
     
  10. jehardiman
    Joined: Aug 2004
    Posts: 3,773
    Likes: 1,167, Points: 113, Legacy Rep: 2040
    Location: Port Orchard, Washington, USA

    jehardiman Senior Member

    That was my thought. Let us say 5,000 easy-to-remember 5-letter words... 5^3*5^3*5^3*5^3 = 6.25E10^13, so at 1E10^3 guesses per second = 6.25E10^10 seconds = 1980 years... still fairly secure.
     
  11. Dave Gudeman
    Joined: Nov 2009
    Posts: 135
    Likes: 27, Points: 0, Legacy Rep: 359
    Location: San Francisco, CA, USA

    Dave Gudeman Senior Member

    But not much more secure than using an 8-character string taken from the whole keyboard. Don't get me wrong -- I think using words instead of characters for passwords is a good idea, but it's mostly because words are easier to remember, not because it's a lot more secure.

    Also, multi-word passwords are only secure if the words are unrelated. If you use a phrase like "do you feel lucky" or "take my wife please" or "mimsy were the borogroves" then a dictionary attack can work a lot faster than a random search.
     
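The entropy comparison in posts 8 and 10 (67 keyboard characters to the 8th power versus 5,000 words to the 4th power, tried at 1E3 guesses per second) and post 11's point that the words must be unrelated can be checked with a short calculator. The following is an added example written for this thread, not code from any of the posters; the eight-entry word list is constructed for illustration (a real list has thousands of entries), and the words are drawn with the `secrets` module so that each word is an independent uniform pick rather than part of a familiar phrase.

```python
import math
import secrets

# Constructed sample word list for the demo only; a real passphrase list
# (diceware-style) has several thousand entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "chupacabra", "doughnut", "bouton", "schwarz"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret built from `length` symbols, each chosen uniformly
    from `alphabet_size` possibilities. A symbol may be a character or a word."""
    return length * math.log2(alphabet_size)


def guesses(alphabet_size: int, length: int) -> int:
    """Size of the search space an attacker must exhaust in the worst case."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every candidate at a fixed guessing rate."""
    return guesses(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of uniformly chosen words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: list, count: int) -> str:
    """Pick `count` words independently and uniformly with a CSPRNG.
    Independent picks are what make the entropy estimate above valid; a
    remembered phrase such as a film quote is not a uniform sample."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_schemes(chars: int = 67, char_len: int = 8,
                    words: int = 5000, word_len: int = 4,
                    rate: float = 1e3) -> dict:
    """Side-by-side figures for the two schemes discussed in the thread."""
    return {
        "char_bits": entropy_bits(chars, char_len),
        "word_bits": entropy_bits(words, word_len),
        "guess_ratio": guesses(words, word_len) / guesses(chars, char_len),
        "char_years": years_to_exhaust(chars, char_len, rate),
        "word_years": years_to_exhaust(words, word_len, rate),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key:>12}: {value:,.2f}")
    print("words for 64 bits from a 5,000-word list:", words_needed(5000, 64))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The `guess_ratio` line reproduces post 8's observation that four words from a 5,000-word list give only about 1.5 times the search space of eight keyboard characters; `words_needed` shows how many uniformly chosen words a given target (64 bits here) actually requires from a list of a given size.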
  12. GTS225
    Joined: Jun 2011
    Posts: 42
    Likes: 2, Points: 0, Legacy Rep: 23
    Location: Waterloo, Iowa

    GTS225 Junior Member

    I just use an alpha-numeric sequence as a matter of normal protocol, and keep nothing on my computer that I would not mind being seen on the internet.
    I also do not, for any reason, pass my charge card or any financial account numbers through the internet.

    Roger
     
  13. hoytedow
    Joined: Sep 2009
    Posts: 5,857
    Likes: 400, Points: 93, Legacy Rep: 2489
    Location: Control Group

    hoytedow Carbon Based Life Form

    If you use multiple languages for word selection it becomes even more difficult to crack:
    chupacabra doughnut bouton schwarz
     
  14. Submarine Tom

    Submarine Tom Previous Member

    Now insert some numerals and you're away!

    -Tom
     

  15. hoytedow
    Joined: Sep 2009
    Posts: 5,857
    Likes: 400, Points: 93, Legacy Rep: 2489
    Location: Control Group

    hoytedow Carbon Based Life Form

    chupacabra doughnut bouton schwarz numerals or MCMLXVIII?
     
    1 person likes this.