A brief history of bad passwords
Password policies don't work because they don't consider how people use passcodes in real life—but attackers do.

IT-mandated password policies seem like a good idea. After all, what are the chances that an attacker will guess your exact passcode out of the trillions of possible eight-character strings that contain at least one upper-case letter, one lower-case letter, two numerals, and one symbol?
Those odds are not in your favor, because most IT password policies don't account for how people actually select and use passwords, says Kyle Rankin, chief security officer at Purism and author of Linux Hardening in Hostile Networks. Password policies don't work because attackers do consider how people think: rather than searching the whole keyspace, a cracker tries dictionary words, common letter substitutions, predictable digit and symbol suffixes, and previously leaked passwords first, and the "compliant" passwords people actually choose almost all fall inside that small set.
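The arithmetic behind that rhetorical question, as an added example (not code from the talk or the article): it counts the policy-compliant eight-character strings exactly, then runs a small wordlist-plus-rules guesser of the kind password crackers use. The 94-character alphabet, the word list and the mangling rules are assumptions chosen for illustration.

```python
import math
import string

# Assumed policy alphabet: 94 printable ASCII characters split into the
# four classes a typical "complexity" rule names.
UPPER, LOWER, DIGIT, SYMBOL = 26, 26, 10, 32


def complies(pw):
    """The policy from the article: upper, lower, two digits, a symbol.
    The article's count is for exactly 8 characters; longer is accepted here."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and sum(c.isdigit() for c in pw) >= 2
            and any(c in string.punctuation for c in pw))


def policy_keyspace(length=8):
    """Exact number of `length`-character strings over the 94-character
    alphabet that satisfy the policy. Enumerate how many characters fall in
    each class, count the arrangements with a multinomial coefficient, and
    multiply by the number of choices within each class."""
    total = 0
    for n_up in range(1, length + 1):
        for n_lo in range(1, length - n_up + 1):
            for n_dg in range(2, length - n_up - n_lo + 1):
                n_sy = length - n_up - n_lo - n_dg
                if n_sy < 1:
                    continue
                arrangements = math.factorial(length) // (
                    math.factorial(n_up) * math.factorial(n_lo)
                    * math.factorial(n_dg) * math.factorial(n_sy))
                total += (arrangements * UPPER ** n_up * LOWER ** n_lo
                          * DIGIT ** n_dg * SYMBOL ** n_sy)
    return total


# Constructed attacker word list and mangling rules, in the spirit of the
# rule files crackers ship with (not copied from any tool).
BASE_WORDS = ["password", "welcome", "summer", "monkey", "dragon", "letmein"]
SUFFIXES = ["12", "123", "18", "2018", "01"]
SYMBOLS = ["!", "@", "#"]
LEET = str.maketrans("aeios", "43105")


def rule_candidates():
    """Yield policy-compliant guesses in a plausible attacker order:
    capitalised word + digits + symbol first, then leetspeak variants."""
    mangles = (str.capitalize, lambda w: w.capitalize().translate(LEET))
    for mangle in mangles:
        for word in BASE_WORDS:
            for suffix in SUFFIXES:
                for symbol in SYMBOLS:
                    guess = mangle(word) + suffix + symbol
                    if complies(guess):
                        yield guess


def guesses_until(target):
    """Number of rule-based guesses made before `target` is hit, or None."""
    for n, guess in enumerate(rule_candidates(), 1):
        if guess == target:
            return n
    return None


if __name__ == "__main__":
    space = policy_keyspace()
    print(f"policy-compliant 8-char strings: {space:,} (~2^{math.log2(space):.1f})")
    print("total rule-based guesses:", sum(1 for _ in rule_candidates()))
    for target in ("Password12!", "Summer2018!", "P455w0rd18#"):
        print(f"{target!r} found after {guesses_until(target)} guesses")
```

The keyspace is close to 2^50, yet every one of the 180 rule-generated guesses passes the policy, and a human-chosen favourite like "Summer2018!" falls within the first few dozen. The policy constrains the attacker's keyspace only if the password is chosen uniformly from it, which people do not do.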
Watch Kyle's Lightning Talk, "Sex, Secret, and God: A Brief History of Bad Passwords," from the 16th annual Southern California Linux Expo (SCALE) to learn the history of bad passcode policies and what we must do instead to secure our data.
During the UpSCALE Lightning Talks hosted by Opensource.com at the 16th annual Southern California Linux Expo (SCALE) in March 2018, eight presenters shared quick takes on interesting open source topics, projects, and ideas. Watch all of the UpSCALE Lightning Talks on the Opensource.com YouTube channel.
9 Comments
The first thing I consider when generating passwords is that not every account you have needs high security. Consider the damage or lack thereof that someone might cause for a particular sign-in.
For things that are important, I use a little shell script to generate random passwords that I found somewhere and then slightly modified. Here it is, then afterward its output. And I may not necessarily use something verbatim; I may make a slight modification just to remember more easily, or insert a symbol where one doesn't exist.
#!/usr/bin/env bash
# The C-style for loop below is a bash feature, so this needs bash rather than plain sh.
echo 'Generating 12-character passwords'
for ((n=0;n<12;n++))
do
  # 512 random bytes -> base64 (uuencode -m); line 2 is the first data line;
  # keep its first 12 characters (9 bytes, 72 bits of entropy).
  dd if=/dev/urandom count=1 2> /dev/null | uuencode -m - | sed -ne 2p | cut -c-12
done
Generating 12-character passwords
dYrEhmmN1e1/
7uMoO0bn1hBs
UWSyrryMNzB7
289jyQzR0NPz
GX6V0QvZUM5r
HRCUHoSD8TBT
5VLRgCbt8Lqu
GKLqXGnbekak
BC/2e9UnC7zy
pzD+Y7jnLMNl
qmm6AdMTs0V/
9L65jrVxOYRf
I use pwgen (https://sourceforge.net/projects/pwgen/ - which I just found out is a project of none other than Theodore Ts'o!) to generate 15-character passwords, but I also do as you and remove a char or two, add a symbol here and there.
Although I don't do that to make them easier to remember, as I also use a password manager :)
Great talk. Thank you for sharing.
Greg Pittman wrote "generate random passwords"
You forgot the all important prefix "pseudo-" before random.
Sure. But certainly more random than anything you'd devise in your head.
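A generator in the same spirit as the /dev/urandom script above, added here as an example rather than taken from that comment or from pwgen. It draws from the OS CSPRNG through Python's secrets module, reports how many bits a given length buys, and illustrates the two points behind the "pseudo-" remark: a general-purpose PRNG fed a known seed reproduces its "random" password exactly, and mapping raw bytes onto an alphabet with a modulo biases the result (the base64 approach in the script avoids this, since 6 bits map exactly onto 64 symbols). The alphabets and the seed are assumptions.

```python
import math
import random
import secrets
import string
from fractions import Fraction

# 94 printable ASCII characters; the base64 alphabet the uuencode -m
# script emits has 64.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
BASE64 = string.ascii_letters + string.digits + "+/"


def gen_password(length=12, alphabet=ALPHABET):
    """Uniform password from the OS CSPRNG. secrets.choice reads os.urandom
    and rejects out-of-range draws, so every symbol is equally likely
    whatever the alphabet size."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly chosen password of `length` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Shortest uniform password over `alphabet_size` symbols with at least
    `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def modulo_bias(alphabet_size, byte_range=256):
    """Probability of the most and least likely symbol when each random byte
    is mapped with `byte % alphabet_size`. Unless alphabet_size divides the
    byte range, the low symbols are over-represented. Computed exactly, not
    sampled."""
    full, rem = divmod(byte_range, alphabet_size)
    high = Fraction(full + (1 if rem else 0), byte_range)
    low = Fraction(full, byte_range)
    return high, low


def seeded_prng_password(seed, length=12, alphabet=ALPHABET):
    """Same interface as gen_password, but fed by Mersenne Twister with a
    known seed: the output is a pure function of the seed, so anyone who
    knows or can guess the seed (a timestamp, a PID) gets the password."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("12 base64 chars (the script above):", entropy_bits(12, len(BASE64)), "bits")
    print("12 chars over 94:", round(entropy_bits(12, len(ALPHABET)), 1), "bits")
    print("length for 128 bits over 94:", length_for_bits(128, len(ALPHABET)))
    print("byte % 94 bias (max, min):", modulo_bias(len(ALPHABET)))
    print("seeded twice with 1234:", seeded_prng_password(1234), seeded_prng_password(1234))
    print("secrets:", gen_password(), gen_password())
```

Twelve base64 characters give 72 bits, which is plenty against online guessing and respectable against offline cracking; the script's approach is sound because base64 wastes no bits and adds no bias. Trimming or hand-editing the output afterwards, as both commenters describe, lowers the entropy by roughly the bits removed, which is harmless only if the result is still long.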
I agree with Greg Pittman - not every account needs a super-strong password. For forums, Twitter and Facebook I use a really simple and guessable password; if somebody wants to tweet on my behalf, me declaring I was in some country, I wouldn't lose any sleep.
Something I figured out a long time ago is that chemical formulas are pretty good passwords. In my testing John the Ripper can't find them and they are easy to remember. I work in a college and I remarked to a chemistry teacher that my password was an organic compound. He said there are only about 4.5 million of them, so it shouldn't take too long to crack it!
That said, if you're using a password manager, what's the harm in using a strong password?
I'd also caution folks about devaluing the need for strong passwords on social media sites (especially Facebook and Twitter). It's not just about someone tweeting for you. With OAuth and the ability to authenticate accounts using login credentials from social media sites, those passwords have a much higher importance than you might think.
My answer to that is to not have anything to do with social media apps, sites, whatever.
I think we all value our bank's and email's passwords the most, but you're right that we should all give our passwords more importance than seems warranted at first sight.
Here's a couple of posts from Brian Krebs as examples of the uses of a hacked account:
https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revis...