A brief history of bad passwords

Password policies don't work because they don't consider how people use passcodes in real life—but attackers do.
352 readers like this
352 readers like this
Data Privacy Day 2017: Solutions for everyday privacy

g4ll4is on Flickr. CC BY-SA 2.0

IT-mandated password policies seem like a good idea—after all, what are the chances that an attacker will guess your exact passcode out of the 782 million potential combinations in an eight-character string with at least one upper-case letter, one lower-case letter, two numerals, and one symbol? 

Those odds are not in your favor because most IT password policies don't consider how people select and use passwords in the real world, says Kyle Rankin, chief security officer at Purism and author of Linux Hardening in Hostile Networks. Password polices don't work because hackers do consider how people think.

Watch Kyle's Lightning Talk, "Sex, Secret, and God: A Brief History of Bad Passwords," from the 16th annual Southern California Linux Expo (SCALE) to learn the history of bad passcode policies and what we must do instead to secure our data.

During the UpSCALE Lightning Talks hosted by Opensource.com at the 16th annual Southern California Linux Expo (SCALE) in March 2018, eight presenters shared quick takes on interesting open source topics, projects, and ideas. Watch all of the UpSCALE Lightning Talks on the Opensource.com YouTube channel.

Opensource.com publishes stories about creating, adopting, and sharing open source solutions. Follow us on Twitter @opensourceway.

9 Comments

The first thing I consider when generating passwords is that not every account you have needs high security. Consider the damage or lack thereof that someone might cause for a particular signin.
For things that are important, I use a little shell script to generate random passwords that I found somewhere and then slightly modified. Here it is, then afterward its output. And I may not necessarily use something verbatim; I may make a slight modification just to remember more easily, or insert a symbol where one doesn't exist.

#!/usr/bin/env sh
echo 'Generating 12-character passwords'
for ((n=0;n<12;n++))
do dd if=/dev/urandom count=1 2> /dev/null | uuencode -m - | sed -ne 2p | cut -c-12
done

Generating 12-character passwords
dYrEhmmN1e1/
7uMoO0bn1hBs
UWSyrryMNzB7
289jyQzR0NPz
GX6V0QvZUM5r
HRCUHoSD8TBT
5VLRgCbt8Lqu
GKLqXGnbekak
BC/2e9UnC7zy
pzD+Y7jnLMNl
qmm6AdMTs0V/
9L65jrVxOYRf

Great talk. Thank you for sharing.

Greg Pittman wrote "generate random passwords"

You forgot the all important prefix "pseudo-" before random.

I agree with Greg Pittman - not every account needs a super strong passwords. For forums, twitter and facebook I use a really simple and guessable password; if somebody wants to tweet on my behalf, me declaring was on some country, I wouldn't lose any sleep.

Something I figured out a long time ago is that chemical formulas are pretty good passwords. In my testing John the Ripper can't find them and they are easy to remember. I work in a college and I remarked to a chemistry teacher that my password was an organic compound. He said there are only about 4.5 million of them, so it shouldn't take too long to crack it!

That said, if you're using a password manager, what's the harm in using a strong password?

I'd also caution folks about devaluing the need for strong passwords on social media sites (especially Facebook and Twitter). It's not just about someone tweeting for you. With OAuth and the ability to authenticate accounts using login credentials from social media sites, those passwords have a much higher importance than you might think.

In reply to by MartyMonroe

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.