DailyDirt: How Many Passwords Do You Know?

from the urls-we-dig-up dept

If you’ve been online for more than a few years, you’ve probably collected a fairly sizable number of logins for various things. When the next cool social network you discover asks you to register with an email and password, a surprisingly large number of people choose “123456”, “p@ssw0rd” or something easy to remember (and reuse that same password across multiple services). That’s not a good idea, especially as more services are being broken into due to bad (or no!) password hashing. Password attackers aren’t usually guessing your password by trial and error; they’re scraping password databases and doing the brute-force cracking offline, aided by all the hints that can be gleaned from a huge pool of passwords that likely contains duplicates or passwords susceptible to dictionary attacks. If you have some time, turn on two-factor authentication and peruse the following links.
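As an added illustration of the offline-cracking point above (example code written for this page, not from the post or any product): a constructed six-account leak is stored two ways, once with fast unsalted SHA-1 and once with per-user salts and PBKDF2, showing that unsalted storage exposes duplicate-password groups before any guessing and lets one digest per wordlist entry cover every account, while salted slow hashing forces one derivation per account and word. The account list, the common-password list and the 100,000-iteration work factor are constructed assumptions.

```python
import hashlib
import os
from collections import Counter
# Constructed sample of a leaked credential table (username, password);
# as the post notes, several users chose the same weak password.
LEAKED_ACCOUNTS = [
    ("alice", "123456"), ("bob", "p@ssw0rd"), ("carol", "123456"),
    ("dave", "correct horse"), ("erin", "123456"), ("frank", "p@ssw0rd"),
]
# Constructed stand-in for the common-password list a defender audits against.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "p@ssw0rd", "letmein"]
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the hardened variant


def unsalted_table(accounts):
    """'Bad hashing': one fast, unsalted SHA-1 digest per account."""
    return {user: hashlib.sha1(pw.encode()).hexdigest() for user, pw in accounts}


def salted_table(accounts, iterations=PBKDF2_ITERATIONS):
    """Hardened storage: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    table = {}
    for user, pw in accounts:
        salt = os.urandom(16)
        table[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return table


def shared_digest_groups(table):
    """Stored values shared by more than one account: unsalted storage exposes every
    duplicate-password group before a single guess; with salts the count is 0."""
    stored = [v if isinstance(v, str) else v[1] for v in table.values()]
    return sum(1 for n in Counter(stored).values() if n > 1)


def audit_unsalted(table, common):
    """Accounts whose digest equals that of a common password. One digest per list
    entry covers every account, so cost is independent of how many accounts leaked."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in common}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def audit_salted(table, common, iterations=PBKDF2_ITERATIONS):
    """Same audit against salted PBKDF2 storage: every (account, word) pair needs its
    own slow derivation. Returns the hits and the number of derivations performed."""
    hits, derivations = {}, 0
    for user, (salt, digest) in table.items():
        for word in common:
            derivations += 1
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations) == digest:
                hits[user] = word
                break
    return hits, derivations
```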

If you’d like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Comments on “DailyDirt: How Many Passwords Do You Know?”

36 Comments
Lawrence D’Oliveiro says:

Longer Is Better Than More Characters

8 random characters, uppercase only → 37.6 bits of entropy
8 random characters, uppercase + lowercase + digits → 47.6 bits
10 random characters, uppercase only → 47.0 bits
12 random characters, uppercase only → 56.4 bits

In other words, don’t sweat the special characters, go for password length.

Chronno S. Trigger (profile) says:

Re: Longer Is Better Than More Characters

I don’t understand this rainbow tables and entropy. If I can have a password that’s 8-character mixed-case alphanumeric with specials, how is having an 8-character all-lowercase password faster to crack?

I really only understand brute force. The only reason lower case is faster to brute force is because lower case is usually tried first.

Chronno S. Trigger (profile) says:

Re: Re: Re: Longer Is Better Than More Characters

So this rainbow tables and entropy stuff doesn’t mean crap? We just have to social engineer our passwords.

If “sex” is checked first because it’s a real word then “s3x” because it’s a real word with a number replacing a letter, then “kmk” would be more secure because it will be checked last since it’s just random lettering.

Anonymous Coward says:

Re: Re: Re:2 Longer Is Better Than More Characters

“kmk” … [is] just random lettering.

But “kmk” is a keyboard walk, at least on a QWERTY keyboard. The “k” key is diagonally adjacent to the “m” key. Not good.

On the plus side, you did include a repeated character. I notice that people attempting to create random sequences tend to include fewer repeats than expected from a uniform distribution. That is, they pick some random character, and then feel biased against it. Indeed, I’m always slightly surprised at the number of repeated characters I find in sequences drawn from a flat distribution.

Christopher (profile) says:

Bits of entropy

but only if your “Entropic” character string isn’t in a dictionary. Twelve characters in a dictionary is not the same as twelve non-word characters — in any language. Dump a dictionary in English and then next four most used languages into your rainbow tables and you’re still more successful than not.

-C

Spaceman Spiff (profile) says:

Secret decoder ring

Myself, I like passwords from 2000-year-dead languages that are only relevant to myself, unguessable, and seeded with non-alphabetic characters. The chances of them being broken in a period shorter than that via a brute-force attack are low. However, they are easy for me to remember, and the only way that they can be captured is if my system has had a key-logger installed that I don’t know about. Given that all of my systems are not Windows-based, and have serious major anti-malware software and LAN hardware firewalls installed, the chances of that are pretty low…

Anonymous Coward says:

Re: No need to remember anything

http://www.passwordcard.org/

Did you notice that the card can be “regenerated” from a 16-hexadecimal digit identifier?

Number

This is the number of your card. Store it somewhere safe! If you want to regenerate a card you lost, type the number here and press Enter:

f2c4a95cb6809779

Further, the sample card has 8 rows and 29 columns. Then there are four cardinal and four intercardinal directions from any starting position.

Anonymous Coward says:

Re: Re: No need to remember anything

Good lord, that thing seems like the worst of all worlds.

Well, on the surface, the (16*2^4) identifier space indicates that the sequences on the card are generated by some rule.

How would you backdoor the card-generation rule so that the 8 row * 29 column starting position loses some of its surprisal?

art guerrilla (profile) says:

Re: Re:

with your social security number and signature, too ? ? ?
hee hee hee

i’ll mention again my ‘system’ for NON-CRITICAL passwords:
make a prefix (say, 3f) make a suffix (say, u9), then take the website ‘name’ (or organization, or whatever) and append those…
so, if this were for techdirt “3ftechdirtu9”…
works for me…
(AGAIN, NON-CRITICAL sites, for ‘real’ important sites, i use the random type stuff that is written down in my little black book…)

Gracey (profile) says:

I have an index card for each site I have a password for (a real paper one, not digital). I store them in a most unlikely place. Where they’re stored is written in a letter and kept with my will. That’s for my 2 girls (hopefully, long into the future).

Unfortunately, it does mean I have to remember them but then, I don’t have passwords for hundreds of sites either. I have only a dozen sites I use regularly where I need a password.

I don’t sign up for membership and a lot of random sites. If you can’t read or visit a site without signing up, I’ll find somewhere else to get the information I need.

When it gets to the point that I can’t remember a dozen or so passwords, I’ll turn in my computer.

Ninja (profile) says:

Re: Re:

My bank recently introduced fingerprints for physical use (i.e. ATMs) and it has a Google Auth-style authentication method for online banking. I can use an independent code generator, my phone, or receive an SMS with the code. I’m not quite comfortable with fingerprints though; the palm scanner another bank introduced seems much more secure for physical interactions.

Anonymous Coward says:

Too many sites where security is not necessary

Bank, Professional society, the place I post my original writing: Strong password required.
The huge number of websites where I need a password login to read articles or download a technical manual: Nope.

We talk so frequently about password strength and a requirement for uniqueness. We never seem to address the proliferation of useless security. I really don’t care if someone guesses my password and uses it to download extra copies of a technical manual. Most of those login systems are only in place to ensure the vendor has an email address for solicitation purposes anyway.

John85851 (profile) says:

Re: Too many sites where security is not necessary

You’re correct that tech manual sites shouldn’t need a name and password, but this is exactly where security fails. Too many people will simply use their usual password so they don’t have to remember yet another password for yet another site.
Then hackers get into the tech manual site because it’s not very secure. Come on, who would want to break into a tech manual site? They don’t even store people’s credit card information.

Yet once the hackers have the password, they can try it against the larger sites like Facebook, Amazon, or iTunes. And if any of the passwords match, the hackers have complete control of the account.

Rikuo (profile) says:

I admit, I do have my passwords in a text document. The document is itself protected by a password and is not stored on my computer. It is instead stored on an old smartphone that is permanently disconnected from Wifi and is charged by a USB cable that plugs only into a charge socket, not into a computing device. The phone itself is encrypted.

MondoGordo (profile) says:

Re: Re:

that’s pretty damn secure … and not a little paranoid!

Check out Steve Gibson’s article on generating passwords that are memorable and hard to guess: https://www.grc.com/haystack.htm

my password manager password shows the following results for “crackability” using his tool and it’s easy to remember, a pain in the ass to type, but easy to remember.

Couple your approach to storing passwords with his approach to generating memorable passwords and you’re almost unhackable.

MondoGordo (profile) says:

Re: Re: Re:

Brute Force Search Space Analysis:
Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 26 characters
Exact Search Space Size (Count): (count of all possible passwords with this alphabet size and up to this password’s length) 2,663,234,997,260,162,196,476,097,223,547,872,948,519,727,017,017,120
Search Space Size (as a power of 10): 2.66 x 10^51
Time Required to Exhaustively Search this Password’s Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 8.47 hundred trillion trillion trillion centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 8.47 million trillion trillion centuries
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 8.47 thousand trillion trillion centuries
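The entropy figures in the “Longer Is Better Than More Characters” comment and the Haystack output pasted above come from the same two formulas; the following added example (written for this page, not taken from the post, GRC or any commenter) reproduces both and adds a length_needed helper showing how many extra uppercase letters match a richer alphabet. The 365.25-day year is an assumption; the 95-character alphabet and the three guess rates are the ones quoted above.

```python
import math

# Alphabet sizes compared in the thread above.
UPPER_ONLY = 26
UPPER_LOWER_DIGITS = 26 + 26 + 10
ALL_PRINTABLE = 26 + 26 + 10 + 33          # 95, the Haystack "Search Space Depth"

# Guess rates of the three Haystack scenarios quoted above (guesses per second).
SCENARIOS = {"online": 1e3, "offline fast": 1e11, "massive array": 1e14}
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600  # assumed calendar convention


def entropy_bits(alphabet_size, length):
    """Entropy of a password drawn uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def search_space(alphabet_size, max_length):
    """Haystack's 'exact search space': all passwords of length 1..max_length."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def centuries_to_exhaust(space, guesses_per_second):
    """Wall-clock centuries to try every candidate in the space at a given rate."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def haystack_report(alphabet_size, length):
    """Reproduce the quoted Haystack figures for one alphabet and length."""
    space = search_space(alphabet_size, length)
    return {
        "bits": entropy_bits(alphabet_size, length),
        "space": space,
        "centuries": {name: centuries_to_exhaust(space, rate) for name, rate in SCENARIOS.items()},
    }


def length_needed(alphabet_size, target_bits):
    """Shortest length at which this alphabet reaches target_bits of entropy;
    shows how many extra plain characters stand in for a richer alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def thread_table():
    """The four rows from the 'Longer Is Better' comment, rounded to one decimal."""
    rows = [(UPPER_ONLY, 8), (UPPER_LOWER_DIGITS, 8), (UPPER_ONLY, 10), (UPPER_ONLY, 12)]
    return [(n, L, round(entropy_bits(n, L), 1)) for n, L in rows]
```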
