[clug] [OT] all text passwords == secure?

Alex Satrapa grail at goldweb.com.au
Sun Aug 26 18:22:06 MDT 2012


On 27/08/2012, at 08:53 , Scott Ferguson <scott.ferguson.clug at gmail.com> wrote:

> Now if the education system taught basic mnemonics (and
> education) it might reduce the difficulty some people have.
> I favour my password formulae[*1] - but a lot of people get vision
> problems, hypertension, and blinding headaches, when attempting it. :-/
> 
> [*1]https://lists.samba.org/archive/linux/2012-August/031365.html
> 
> I've seen lots of presentations for biometric and presence based
> authentication systems... which are much hyped. But every one I've
> looked at had gaping holes - and significantly higher costs.

Here is my "formula" for passwords: write a story about the site that I'm generating the password for. No character substitution, no forgetting whether it's F0rmu!a or fORmul4. My password for one particular recipe site is, "I visited this site in order to find more recipes that use red lentils and mango."

If the site has stupid policies in place like, "MUST contain a digit and punctuation", I'll turn to 1Password and generate a password with as many characters as the site allows (remembering that shorter passwords are less secure), and keep hacking away until my password fits inside the insecure password policy of the site (must have punctuation, but spaces are not allowed, neither are brackets or braces or square brackets or percent signs, yadda yadda, because the company's illiterate suit-wearing programmers don't know the difference between URL escaping, HTML entities, SQL and Unicode).

The pertinent message of the xkcd episode about password entropy was that "formula" passwords are difficult to remember while long sentence passwords tend to be easier, and the extra entropy from simply having more characters is a bonus. And the pertinent message from the discussion on this list has been that people can't do statistics & probability, and confuse permutations with entropy (with a side order of narcissism from people who view themselves as “superior” due to being able to remember arcane passwords, lamenting the mental capacity of the rest of the population who will not partake in algebraic onanism for the sake of password security).

Of course storing my passwords in 1Password means that I'm vulnerable to attacks against the equipment storing those passwords: one airport security agent plugging my smartphone into a memory dumping device for a few seconds will spell the end of life of all my passwords. I have taken to changing my collection of a few hundred passwords after every trip that involves checked baggage. Thankfully I've not yet had security staff demand that I hand over my carry-on devices to be inspected, but I can never be sure that checked baggage hasn't been tampered with (https://www.youtube.com/watch?v=G5mvvZl6pLI).

TL;DR: If you don't make it hard for people to remember passwords, they won't write them down on Post-It Notes. Your “simple” formulas are actually arcane.

Alex
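The entropy argument above (a structured "formula" password versus a long sentence, and the difference between counting permutations and counting the choices a generator actually makes) worked through in code. This is an added example, not part of the original post or of 1Password: the slot counts for the formula recipe, the 2048-word and 4096-word vocabularies, the one-bit-per-character figure for English text and the guess rates are all assumptions chosen for illustration.

```python
"""Password entropy under explicit attacker models (added example).

Entropy is log2 of the number of equally likely choices the *generator*
could have made, assuming the attacker knows the recipe.  It is not
log2 of the number of strings of that length the attacker could in
principle enumerate; that is the "permutations" figure the post warns
about.  All slot counts and rates below are assumptions for illustration.
"""
import math
from typing import Dict, List, Sequence, Tuple

Slot = Tuple[str, int]  # (what is chosen, number of equally likely choices)

# Assumed recipe for a "formula" password in the style of xkcd's Tr0ub4dor&3.
# The slots are chosen so the total lands near the comic's ~28-bit estimate.
FORMULA_SLOTS: List[Slot] = [
    ("base word from a 65,536-word list", 2 ** 16),
    ("capitalise the first letter or not", 2),
    ("one of eight common substitution patterns (o->0, a->4, ...)", 8),
    ("appended digit", 10),
    ("appended punctuation mark from 16 candidates", 16),
    ("digit before or after the punctuation mark", 2),
]
FORMULA_EXAMPLE = "Tr0ub4dor&3"          # 11 characters, xkcd's example
PRINTABLE_ASCII = 95                      # alphabet the naive count assumes

# The post's own sentence password (quoted from the message above).
SENTENCE = ("I visited this site in order to find more recipes "
            "that use red lentils and mango.")


def generator_bits(slots: Sequence[Slot]) -> float:
    """Entropy of a password built by filling independent slots."""
    return sum(math.log2(n) for _, n in slots)


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Naive keyspace: every string of this length over the alphabet.

    Only correct when every character is chosen uniformly; for a
    formula password it badly overstates the attacker's work.
    """
    return length * math.log2(alphabet_size)


def passphrase_slots(word_count: int, vocabulary: int) -> List[Slot]:
    """Slots for a passphrase whose words are picked uniformly from a list."""
    return [(f"word {i + 1} from a {vocabulary}-word list", vocabulary)
            for i in range(word_count)]


def sentence_word_bits(sentence: str, vocabulary: int) -> float:
    """Optimistic model: every word an independent uniform pick.

    Grammar and meaning constrain real sentences, so this is an upper bound.
    """
    return generator_bits(passphrase_slots(len(sentence.split()), vocabulary))


def english_text_bits(sentence: str, bits_per_char: float = 1.0) -> float:
    """Pessimistic model for a meaningful sentence.

    Shannon estimated roughly one bit per letter of English prose; applying
    that rate to every character (spaces included) is an assumption used
    here as a conservative lower-bound style estimate.
    """
    return len(sentence) * bits_per_char


def seconds_to_search(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace of 2**bits at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


def compare() -> Dict[str, float]:
    """Bits under each model, so the reader can put them side by side."""
    return {
        "formula_generator": generator_bits(FORMULA_SLOTS),
        "formula_naive_permutations": brute_force_bits(len(FORMULA_EXAMPLE),
                                                       PRINTABLE_ASCII),
        "four_random_words_2048_list": generator_bits(passphrase_slots(4, 2048)),
        "sentence_word_model_4096_vocab": sentence_word_bits(SENTENCE, 4096),
        "sentence_char_model_1_bit": english_text_bits(SENTENCE),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        # 1e3/s: throttled online guessing; 1e10/s: offline against a fast hash
        online = seconds_to_search(bits, 1e3) / 86400
        offline = seconds_to_search(bits, 1e10) / 86400
        print(f"{name:32s} {bits:7.2f} bits  "
              f"online {online:12.3g} days  offline {offline:12.3g} days")
```

The naive permutation count for `Tr0ub4dor&3` comes out above 70 bits, but an attacker who knows the recipe only has to search the generator's choices, about 28 bits. The post's sentence scores far higher under either model, even the pessimistic one-bit-per-character rate, which is the xkcd point: length bought with words you can remember beats structure you cannot.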
