A brief history of bad passwords

A brief history of bad passwords

Password policies don't work because they don't consider how people use passcodes in real life—but attackers do.

03 May 2018 Opensource.com (Red Hat) Feed 9 comments
A brief history of bad passwords
Image credits : 

g4ll4is on Flickr. CC BY-SA 2.0

x

Get the newsletter

Join the 85,000 open source advocates who receive our giveaway alerts and article roundups.

IT-mandated password policies seem like a good idea—after all, what are the chances that an attacker will guess your exact passcode out of the 782 million potential combinations in an eight-character string with at least one upper-case letter, one lower-case letter, two numerals, and one symbol? 

Those odds are not in your favor because most IT password policies don't consider how people select and use passwords in the real world, says Kyle Rankin, chief security officer at Purism and author of Linux Hardening in Hostile Networks. Password polices don't work because hackers do consider how people think.

Watch Kyle's Lightning Talk, "Sex, Secret, and God: A Brief History of Bad Passwords," from the 16th annual Southern California Linux Expo (SCALE) to learn the history of bad passcode policies and what we must do instead to secure our data.

During the UpSCALE Lightning Talks hosted by Opensource.com at the 16th annual Southern California Linux Expo (SCALE) in March 2018, eight presenters shared quick takes on interesting open source topics, projects, and ideas. Watch all of the UpSCALE Lightning Talks on the Opensource.com YouTube channel.

Topics

SCALE
Security and privacy

About the author

Opensource.com - Opensource.com publishes stories about creating, adopting, and sharing open source solutions. Follow us on Twitter @opensourceway.
More about me

Recommended reading

Lock
A sysadmin's guide to SELinux: 42 answers to the big questions
brick wall construction
5 Firefox extensions to protect your privacy
Where in the DevOps cycle do you do security?
Where in the DevOps cycle do you do security?
Purple testing and chaos engineering in security experimentation
Purple testing and chaos engineering in security experimentation
secure your systems
The state of encryption: How the debate has shifted
Locks
How insecure is your router?

9 Comments

Greg P
Greg Pittman on 03 May 2018

The first thing I consider when generating passwords is that not every account you have needs high security. Consider the damage or lack thereof that someone might cause for a particular signin.
For things that are important, I use a little shell script to generate random passwords that I found somewhere and then slightly modified. Here it is, then afterward its output. And I may not necessarily use something verbatim; I may make a slight modification just to remember more easily, or insert a symbol where one doesn't exist.

#!/usr/bin/env sh
echo 'Generating 12-character passwords'
for ((n=0;n<12;n++))
do dd if=/dev/urandom count=1 2> /dev/null | uuencode -m - | sed -ne 2p | cut -c-12
done

Generating 12-character passwords
dYrEhmmN1e1/
7uMoO0bn1hBs
UWSyrryMNzB7
289jyQzR0NPz
GX6V0QvZUM5r
HRCUHoSD8TBT
5VLRgCbt8Lqu
GKLqXGnbekak
BC/2e9UnC7zy
pzD+Y7jnLMNl
qmm6AdMTs0V/
9L65jrVxOYRf

Vote up!
1
Ricardo J. Barberis
Ricardo J. Barberis on 09 May 2018

I use pwgen (https://sourceforge.net/projects/pwgen/ - which I just found out is a project of none other than Theodore Ts'o!) to generate 15 char passwords, but I also do as you and remove a char or two, add a symbol here and there.

Although I don't do that to make them easier to remember, as I also use a password manager :)

Vote up!
1
Don Watkins
Don Watkins on 03 May 2018

Great talk. Thank you for sharing.

Vote up!
1
Mr Awkward
Mr Awkward on 03 May 2018

Greg Pittman wrote "generate random passwords"

You forgot the all important prefix "pseudo-" before random.

Vote up!
1
Greg P
Greg Pittman on 04 May 2018

Sure. But certainly more random than anything you'd devise in your head.

Vote up!
1
MartyMonroe
MartyMonroe on 04 May 2018

I agree with Greg Pittman - not every account needs a super strong passwords. For forums, twitter and facebook I use a really simple and guessable password; if somebody wants to tweet on my behalf, me declaring was on some country, I wouldn't lose any sleep.

Something I figured out a long time ago is that chemical formulas are pretty good passwords. In my testing John the Ripper can't find them and they are easy to remember. I work in a college and I remarked to a chemistry teacher that my password was an organic compound. He said there are only about 4.5 million of them, so it shouldn't take too long to crack it!

Vote up!
1
Jason van Gumster
Jason van Gumster on 04 May 2018

That said, if you're using a password manager, what's the harm in using a strong password?

I'd also caution folks about devaluing the need for strong passwords on social media sites (especially Facebook and Twitter). It's not just about someone tweeting for you. With OAuth and the ability to authenticate accounts using login credentials from social media sites, those passwords have a much higher importance than you might think.

Vote up!
1
Greg P
Greg Pittman on 04 May 2018

My answer to that is to not have anything to do with social media apps, sites, whatever.

Vote up!
1
Ricardo J. Barberis
Ricardo J. Barberis on 09 May 2018

I think we all value our bank's and email's passwords the most, but you're right that that we should all give of our passwords more importance than seems at first sight.

Here's a couple of posts from Brian Krebs as examples of the uses of a hacked account:

https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revis...

Vote up!
1

Comment now

Creative Commons License