A brief history of bad passwords

A brief history of bad passwords

Password policies don't work because they don't consider how people use passcodes in real life—but attackers do.

03 May 2018 Opensource.com (Red Hat) Feed 9 comments
A keyboard with privacy written on it.
Image credits : 
g4ll4is on Flickr. CC BY-SA 2.0
x

Subscribe now

Get the highlights in your inbox every week.

IT-mandated password policies seem like a good idea—after all, what are the chances that an attacker will guess your exact passcode out of the 782 million potential combinations in an eight-character string with at least one upper-case letter, one lower-case letter, two numerals, and one symbol? 

Those odds are not in your favor because most IT password policies don't consider how people select and use passwords in the real world, says Kyle Rankin, chief security officer at Purism and author of Linux Hardening in Hostile Networks. Password polices don't work because hackers do consider how people think.

Watch Kyle's Lightning Talk, "Sex, Secret, and God: A Brief History of Bad Passwords," from the 16th annual Southern California Linux Expo (SCALE) to learn the history of bad passcode policies and what we must do instead to secure our data.

During the UpSCALE Lightning Talks hosted by Opensource.com at the 16th annual Southern California Linux Expo (SCALE) in March 2018, eight presenters shared quick takes on interesting open source topics, projects, and ideas. Watch all of the UpSCALE Lightning Talks on the Opensource.com YouTube channel.

Topics

SCaLE
Security and privacy

About the author

Opensource.com - Opensource.com publishes stories about creating, adopting, and sharing open source solutions. Follow us on Twitter @opensourceway.
More about me

Recommended reading

Chat via email
Software Privacy Day: Use Delta Chat, an open source chat tool
Chat via email
Why choose Rocket.Chat for your open source chat tool
Person using a laptop
What you need to know about fuzz testing and Go
Linux keys on the keyboard for a desktop computer
Manage your passwords in the Linux terminal
Security monster
Protect your PHP website from bots with this open source tool
A secure lock.
5 open source security resources from 2021

9 Comments, Register or Log in to post a comment.

Greg P
Greg Pittman on 03 May 2018

The first thing I consider when generating passwords is that not every account you have needs high security. Consider the damage or lack thereof that someone might cause for a particular signin.
For things that are important, I use a little shell script to generate random passwords that I found somewhere and then slightly modified. Here it is, then afterward its output. And I may not necessarily use something verbatim; I may make a slight modification just to remember more easily, or insert a symbol where one doesn't exist.

#!/usr/bin/env sh
echo 'Generating 12-character passwords'
for ((n=0;n<12;n++))
do dd if=/dev/urandom count=1 2> /dev/null | uuencode -m - | sed -ne 2p | cut -c-12
done

Generating 12-character passwords
dYrEhmmN1e1/
7uMoO0bn1hBs
UWSyrryMNzB7
289jyQzR0NPz
GX6V0QvZUM5r
HRCUHoSD8TBT
5VLRgCbt8Lqu
GKLqXGnbekak
BC/2e9UnC7zy
pzD+Y7jnLMNl
qmm6AdMTs0V/
9L65jrVxOYRf

Ricardo J. Barberis
Ricardo J. Barberis on 09 May 2018

I use pwgen (https://sourceforge.net/projects/pwgen/ - which I just found out is a project of none other than Theodore Ts'o!) to generate 15 char passwords, but I also do as you and remove a char or two, add a symbol here and there.

Although I don't do that to make them easier to remember, as I also use a password manager :)

Don Watkins
Don Watkins on 03 May 2018

Great talk. Thank you for sharing.

Mr Awkward
Mr Awkward on 03 May 2018

Greg Pittman wrote "generate random passwords"

You forgot the all important prefix "pseudo-" before random.

Greg P
Greg Pittman on 04 May 2018

Sure. But certainly more random than anything you'd devise in your head.

MartyMonroe
MartyMonroe on 04 May 2018

I agree with Greg Pittman - not every account needs a super strong passwords. For forums, twitter and facebook I use a really simple and guessable password; if somebody wants to tweet on my behalf, me declaring was on some country, I wouldn't lose any sleep.

Something I figured out a long time ago is that chemical formulas are pretty good passwords. In my testing John the Ripper can't find them and they are easy to remember. I work in a college and I remarked to a chemistry teacher that my password was an organic compound. He said there are only about 4.5 million of them, so it shouldn't take too long to crack it!

Jason van Gumster
Jason van Gumster on 04 May 2018

That said, if you're using a password manager, what's the harm in using a strong password?

I'd also caution folks about devaluing the need for strong passwords on social media sites (especially Facebook and Twitter). It's not just about someone tweeting for you. With OAuth and the ability to authenticate accounts using login credentials from social media sites, those passwords have a much higher importance than you might think.

Greg P
Greg Pittman on 04 May 2018

My answer to that is to not have anything to do with social media apps, sites, whatever.

Ricardo J. Barberis
Ricardo J. Barberis on 09 May 2018

I think we all value our bank's and email's passwords the most, but you're right that that we should all give of our passwords more importance than seems at first sight.

Here's a couple of posts from Brian Krebs as examples of the uses of a hacked account:

https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revis...

Creative Commons License