[Mark Holtz]

From Venturebeat:

Largest-ever password study: We are all idiots

The largest-ever study on user-selected password security shows that no matter how old you are or what language you speak, your password probably sucks.

The study, conducted by Joseph Bonneau at the University of Cambridge, analyzed the password strength of about 70 million Yahoo users. While the data was protected with hashing and Bonneau was unable to see individual account info, he was still able to measure relative strength of passwords across various demographics like age, gender, and nationality.

FULL ARTICLE HERE

Sigh.... use a password manager like KeePass or Lastpass. Check out www.howsecureismypassword.net ....

 

[RasputinAXP]

I'm not. Sure, my stupid-low-security stuff sucks but for legitimate passwords? Minimum 10 digits, numbers, mixed case and special characters. Then again it may be that I'm one of Those Guys.

edit: Wait a minute, 70 million Yahoo users??! That's not even fair. That's like saying 70 million elementary school students.

 

[hdtvfan0001]

For those of us who have over 50+ passwords to manage between work and home...passwords are a major pain in the butt period. Unfortunately, they are a necessary evil for security.

To the point of the article...in the real world...I have actually seen people use password as their password.

 

[Davenlr]

. He also says that businesses that make people create passwords should make users pick tougher passcodes. "A stricter password selection policy might produce distributions with significantly higher resistance to guessing," Bonneau wrote.

I find myself not creating accounts I would otherwise create for sites that do this. It totally pisses me off when I enter 5 passwords and the site tells me they arent good enough. I end up clicking off the page.

Ive always wondered why bank pins are only 4 numbers, but an internet site requires 9 characters and MUST contain at least 1 number, one upper case, one lower case, and the thumb print of your first born.

 

[Marlin Guy]

Check out www.howsecureismypassword.net ....

"It would take a desktop PC About 600 years to hack your password"

Thanks.

 

[AntAltMike]

Now that I've given them my passwords to evaluate, how long will it take them to find out who I am and clean out my bank account?

 

[Laxguy]

For those of us who have over 50+ passwords to manage between work and home...passwords are a major pain in the butt period. Unfortunately, they are a necessary evil for security.

To the point of the article...in the real world...I have actually seen people use password as their password.

I prefer "secret"... heh, heh. Or maybe "user".... :sure:

I make a real distinction between PWs that if someone had it, it wouldn't bother me. Such as for a .yahoo or gmail account. And those where I could lose something of value. If someone logged in as me on, say DIRECTV®'s site and made changes or ordered movies, it'd be inconvenient but not a real hit.

 

[kevinturcotte]

My WPA2 password: "It would take a desktop PC about 44 novemvigintillion years to hack your password" Whatever that means lol

 

[Laxguy]

I find myself not creating accounts I would otherwise create for sites that do this. It totally pisses me off when I enter 5 passwords and the site tells me they arent good enough. I end up clicking off the page.

Ive always wondered why bank pins are only 4 numbers, but an internet site requires 9 characters and MUST contain at least 1 number, one upper case, one lower case, and the thumb print of your first born.

Yeah, even the Nigerian "bankers" don't require that level!:hurah:

And, yeah, you really do need high security for a site you'll visit once or twice....:nono2:

 

[Mark Holtz]

For those of us who have over 50+ passwords to manage between work and home...passwords are a major pain in the butt period. Unfortunately, they are a necessary evil for security.

Wimp. I count 280 unique passwords in my collection.

 

[Laxguy]

My WPA2 password: "It would take a desktop PC about 44 novemvigintillion years to hack your password" Whatever that means lol

Hah! I guess that's beyond our lifetimes!

I did a bad thing. I entered a naughty word, that begins with "mother". Here's what it showed:

Common Password: In The Top 9,800 Most Used Passwords
Your password is very commonly used. It would be cracked almost instantly.
Possibly A Word
Your password looks like it could be a dictionary word or a name. If it's a name with personal significance it might be easy to guess. If it's a dictionary word it could be cracked very quickly.

I then entered another word one doesn't use in polite company, but it's in the Latin tongue so to speak. It would take 169 days to crack.

This one, that they generated, Pre|>|>ed Lander, would take 52 Trillion years, but all the times seem way too long.

 

[Laxguy]

Wimp. I count 280 unique passwords in my collection.

How do you keep track, and what's the security on that?

 

[billsharpe]

For those of us who have over 50+ passwords to manage between work and home...passwords are a major pain in the butt period. Unfortunately, they are a necessary evil for security.

To the point of the article...in the real world...I have actually seen people use password as their password.

How about eight asterisks in a row? Then you can see your password as you type it in...

 

[dpeters11]

I do highly recommend LastPass, but at least padding a password is a good start. Even if you take the base password of "Password", making it something like {{{<<<Password!>>>}}} helps.

What irritates me is when various sites have varying requirements. Can't use that password, too long. Thy don't allow that character etc.

Myself, I use LastPass and have it set to require my Yubikey if it's not a previously known system. One of my strongest passwords is for my primary email, since that's where "I forgot my password" emails go to.

 

[spartanstew]

"It would take a desktop PC About 600 years to hack your password"

Thanks.

I use the same password when ever I can (currently use it for about 50 sites) and a secondary that I use when I can't (another 20 sites or so).

Not the smartest thing, but it only takes me a couple of attempts on any site to figure out what my password is.

For the record, it's mixture of letters and numbers, including some capitalization and the link above states it would take a PC 106 years to crack it, so that's good enough for me.

 

[Shades228]

There are some good methods out there for making different passwords for each site you can't forget.

Most of them tell you to pick a date and then pick something from the name of the site you're on. Then you mix it up in a manner that you use consistantly for every site. This way you never have a repeat password but cannot forget them.

Those calculators are usually based on brute force methods which are rarely used due to most systems having detection and prevention methods for that. Hash cracking is the most common and effective.

 

[dennisj00]

I find myself not creating accounts I would otherwise create for sites that do this. It totally pisses me off when I enter 5 passwords and the site tells me they arent good enough. I end up clicking off the page.

Ive always wondered why bank pins are only 4 numbers, but an internet site requires 9 characters and MUST contain at least 1 number, one upper case, one lower case, and the thumb print of your first born.

Possibly because there's a video camera involved?!!

 

[BubblePuppy]

From Hacker News:

Post Mortem: Today's Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself.
This morning a hacker was able to access a customer's account on CloudFlare and change that customer's DNS records. The attack was the result a compromise of Google's account security procedures that allowed the hacker to eventually access to my CloudFlare.com email addresses, which runs on Google Apps. While we are still working with Google to investigate the details, we wanted to highlight it here to make people aware that they too may be vulnerable to similar attacks and provide a full accounting of what happened.

http://blog.cloudflare.com/post-mortem-todays-attack-apparent-google-app

 

[dpeters11]

Supposedly the inventor was going to go with a 6 digit number, but his wife said she would only be able to remember 4. I wish it had been at least 5, 4 is too easy to just use a birthdate.

 

[James Long]

A work password: About 32 billion years.
My work password: About 8 seconds.
My oldest living password: About 8 seconds.
My favorite password: About 3 days.

I don't trust the estimate completely. For example, my name comes up as "About 6 Hours" but with a space it shows as "About 4 Years". Capitalizing the last name makes it "About 128 Days" and both the capitalizing and the space makes it "About 412 years". My birthday as 8 digits is 0.4 seconds. Spelled out "About 25 million years". The estimate would be completely different if the cracker knew anything about the person they were attacking.