Ryan's guide to determining whether your password is secure:

1) Did you pick it yourself? If yes, it is not secure.

2) Is it unique? If no, it is not secure.

3) Is it part of a "password system"? If yes, it is not secure.

4) Is it created using a deterministic password generator? If yes, it's part of a "password system" and therefore not secure.

5) Did your password manager randomly generate it for you? If yes, it's probably fine.

6) Did you generate it with dice? If yes, it's probably fine.

7) Did you create your password in some other way? It's probably fucked.

If you have to ask in response to this post, your method is bad, sorry. 🤷

@ryanc

Please rate my method of creating passwords:
I have a paperback book and use the first 12 characters of the first line at the top of the page including punctuation followed by the page number. I just use the next page every time I need a new password.

@djg fucked

@ryanc

I ran l0phtcrack against my SAM file a while back and these passwords were the last to be brute forced…nearly a string of random letters with only one or two common words embedded. Do you use a similar tool for testing?

@djg I have written password crackers and cracked this kind of password with them.

@djg @ryanc
Let's remove some extraneous details and see if we can make this a little clearer:

"I use one or two dictionary words, in the exact order they would naturally come in a sentence, followed by a two or three digit number. Sometimes there will be a comma or period after one of the words."

It's not quite the combination to President Skroob's luggage but I think that rules one, four, seven and eight all apply here.

@deeseearr @ryanc

Thanks for everyone’s comments!

Here’s an old one for reference:
“Aren’tmeand23

@djg @deeseearr @ryanc Wait, did you just give us a way to find the exact book you're using?

@tomasaschan @deeseearr @ryanc

Absolutely, the book I used to use anyway, I will have to ask Google AI to see if it can find this based on that information…

@djg I would say, not reliably secure. (And now that you've shared it, even less so)
Basically, it's a couple of random words, probably common words, plus some random letters and numbers.
That's possibly good enough for online password guessing, depending on how many random letters and numbers.
It might or might not withstand offline attack. I'd guess not. 12 characters isn't a lot these days, even if completely random, although it depends on the way passwords are being stored, and most of all, it also depends on who you are and why you are being attacked.
@ryanc
@ryanc pwqgen counts as dice. 😎
@ryanc Thank you! Every time a security awareness training class talks about how to choose a secure and memorable password, I die a little. It's missing the point. Humans can't remember more than like 3-4 passwords, so we shouldn't. Teach users how to use a password manager!!
@iagox86 @ryanc And one time you’re at someone else’s computer without your phone and you’re fucked.
@oscherler @iagox86 you put your password in someone else's computer without protection!? Eeeww
@ryanc @iagox86 Yes, and I’m ashamed, so I do it incognito.
@oscherler @ryanc You go places without your phone?? :⁠-⁠)
@iagox86 @ryanc Not on purpose, but what can you do?
@ryanc i use 6), and my password is ⚄⚄⚂⚅⚁⚀, very secure.
@ryanc 8) can the system understand or deal with the encoding your password uses? (yes, there are passwords that happen to consist entirely of unicode replacement characters because of issues like that)

@yetzt I built a CTF challenge involving a password generator that had unicode replacement character problems.

Something like: generate N random bytes, base64-encode them... oops, they were treated as UTF-8 before the base64 happened.
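The bug class Ryan describes, reconstructed as an added example (this is not the CTF's code, and the sample bytes are constructed): random bytes get decoded as UTF-8 with replacement, which collapses every invalid sequence into U+FFFD, and only then base64-encoded. The exhaustive count over all 2-byte inputs shows how much entropy the lossy step throws away.

```python
import base64
import math
import secrets

REPLACEMENT = "\ufffd"


def correct_password(raw: bytes) -> str:
    """Base64 the random bytes directly: output is a bijection of the input."""
    return base64.b64encode(raw).decode("ascii")


def buggy_password(raw: bytes) -> str:
    """Reconstruction of the bug: the bytes are first turned into text (as happens
    implicitly in languages whose string type is Unicode), every invalid UTF-8
    sequence becomes U+FFFD, and the re-encoded text is what gets base64'd."""
    text = raw.decode("utf-8", errors="replace")
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def replacement_count(raw: bytes) -> int:
    """How many U+FFFD characters the lossy decode step produced."""
    return raw.decode("utf-8", errors="replace").count(REPLACEMENT)


def recovers_input(fn, raw: bytes) -> bool:
    """Does base64-decoding fn's output give back the original bytes?"""
    return base64.b64decode(fn(raw)) == raw


def distinct_outputs(nbytes: int, fn) -> int:
    """Count distinct outputs of fn over every nbytes-byte input
    (exhaustive, so only sensible for nbytes <= 2)."""
    seen = set()
    for v in range(256 ** nbytes):
        seen.add(fn(v.to_bytes(nbytes, "big")))
    return len(seen)


def lost_bits(nbytes: int) -> float:
    """Entropy the buggy pipeline loses for nbytes uniformly random bytes."""
    return 8 * nbytes - math.log2(distinct_outputs(nbytes, buggy_password))


if __name__ == "__main__":
    sample = bytes.fromhex("fffe418042")  # constructed input, not from the CTF
    print("correct:", correct_password(sample))
    print("buggy:  ", buggy_password(sample), "replacements:", replacement_count(sample))
    print(f"{lost_bits(2):.2f} of 16 bits lost over all 2-byte inputs")
    print("a 16-byte token through the buggy path:", buggy_password(secrets.token_bytes(16)))
```

Any non-ASCII byte that is not part of a valid multi-byte sequence becomes the same three-byte U+FFFD encoding, so roughly half the input bytes stop carrying information; the generator's "N random bytes" of claimed entropy is not what ends up in the password.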

@ryanc neat! i used the passwords from the "collection leaks" to (amongst other things) build an autocomplete: https://passwords.yetzt.me/

it's quite an interesting dataset, i discovered many interesting encoding issues and some brave people even used emoji containing zero width joiners in their password.

Password

@ryanc

What if your password is:
They said I had to use a passphrase now?

@ryanc Password Management system idea:

1. Purchase a brick of playing cards.

2. Shuffle each deck at least 7 times.

3. Use the complete card order as your password (or as far as the shitty website will let you get into it)

4. Subtly mark each deck's box to indicate which site it is for.

5. Never lose or use your playing cards

@dade password manager with extra steps
@ryanc but fun steps. You can play solitaire with your password manager. I mean, you'll lose your password forever. But you can.
@dade @ryanc The punch card version of password management.

@ryanc Does that apply equally to all passwords for all systems?

Do all passwords need to be "secure"?

@saraislet Great point. This post was somewhat prompted by someone describing passwords as "kayfabe".

Many passwords are vestigial, existing within systems that assume (rightly) that they are not secure. They're there because they're expected, the actual security lies elsewhere.

The nuance seems difficult to explain to people, though.

@saraislet My general opinion is that systems need to be designed to account for the fact that they're used by humans. We have very predictable failure modes that must be accounted for - trying to get us to change our behaviour to be "more secure" is like nailing jelly to a tree.
@ryanc This is a good list. Humans are bad at random:
https://infosec.exchange/@adamhotep/112440540150220075
Adam Katz (@adamhotep@infosec.exchange): Do not conflate these terms! Random: completely up to chance. Arbitrary: unexpected; seemingly random. Obscure: generally unknown; topically arbitrary. Humans can't come up with things at random; we accidentally create patterns. Use a password manager to generate your passwords and passphrases.
@ryanc "Did your password manager randomly generate it for you?" Oh yeah good amount of entropy is a must! I have some arrangements for that, which I'd definitely like to keep a secret :)

@ryanc This reminds me of the thought process I used to convince myself that "systems" were generally a bad idea, about 10 years ago:

1. hypothetical system: memorize 12 or so random characters and stuff the name of the app/website into the middle
2. hypothetical example: "BwwCB-GMAIL-wwnhlS?"
3. this at least appeared difficult to crack with the tools of the time (early 2010s)
4. but once the hacked password file for SomeTech with "BwwCB-SOMETECH-wwnhlS?" becomes public, suddenly all your logins everywhere are totally insecure and need to be completely re-credentialed *immediately*
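Why rules 3 and 4 come down to reuse, shown with an added example that is not anyone's real tool: the "site name in the middle" system above falls to a string replace, and even a hypothetical deterministic generator that uses HMAC-SHA256 over a memorised master secret fares no better, because one leaked plaintext password for a known site lets an attacker test master guesses offline at full speed, regardless of how that site hashed it. The master secret, site names and guess list below are all constructed.

```python
import base64
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def derive(master: str, site: str, length: int = 16) -> str:
    """Hypothetical deterministic generator: HMAC-SHA256(master, site), base64'd
    and cut to `length` characters. Same master + same site = same password."""
    tag = hmac.new(master.encode(), site.encode(), hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii")[:length]


def recover_master(site: str, leaked: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline attack: check master guesses against one leaked password.
    The site's bcrypt/argon2/whatever is irrelevant; the leak is plaintext."""
    for guess in candidates:
        if hmac.compare_digest(derive(guess, site), leaked):
            return guess
    return None


def derive_all(master: str, sites: Iterable[str]) -> Dict[str, str]:
    """Once the master is known, every other site's password follows."""
    return {site: derive(master, site) for site in sites}


def pattern_attack(leaked: str, known_site: str, target_site: str) -> str:
    """The 'stuff the site name in the middle' system needs no cracking at all."""
    return leaked.replace(known_site.upper(), target_site.upper())


if __name__ == "__main__":
    # Constructed scenario: weak-ish master phrase, a leak from "sometech".
    master = "purple monkey dishwasher"
    leaked = derive(master, "sometech")
    guesses = ["password", "hunter2", "correct horse", "purple monkey dishwasher"]
    found = recover_master("sometech", leaked, guesses)
    print("recovered master:", found)
    print(derive_all(found, ["gmail", "bank", "github"]))
    print(pattern_attack("BwwCB-SOMETECH-wwnhlS?", "sometech", "gmail"))
```

Two properties make this reuse rather than independence: a single leak exposes every account (either instantly, or after an offline search whose cost is set by the master's strength, not by any site's hashing), and there is no way to rotate one site's password without changing the master and therefore every password at once.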

@ryanc @dangoodin As a sysadmin, I used to generate them by hitting the keyboard with a rolled-up newspaper. And yes, I did switch hands. But this was a very long time ago, as evidenced by “keyboard” and “newspaper.”
@ryanc #6 means I'm doing well! Every one of my passwords is a number between 2 and 12 (mostly 5, 6, 7 or 8).

@ryanc

Part 2 of my 3-part password making system.

(Part 1 *is* deterministic, but it's useful to me so it stays. Part three isn't deterministic, but I'm also not revealing it.)

@jgamble I have a bunch of those dice!

@ryanc

I only wish The Dice Lab had made a version that were black with CRT-green hex digits.

@ryanc can you elaborate on 1 and 3?
I pick my own passwords, but each is unique and no less than 16 characters long.
I also have a system to compartmentalize passwords depending on services, while still keeping them accessible to me from anywhere.
@ryanc I just throw a cat on the keyboard. Can use up to four cats, to increase randomness.

@ryanc

  • Can you memorize it with relative ease? If yes, it's most probably not secure.
  • Do you have it saved or written down somewhere? If yes, it's not secure either.
@ryanc @stevenodb Good enough for AOL, good enough for me…
@ryanc Why is 5 different to 3 and 4?
@sashin 3 and 4 are password reuse with extra steps
@ryanc
Where does "pseudo-random pick of N words from EFF's password word list" fall on this list?
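An added example (not from any poster) covering both the EFF word-list question just above and the earlier "12 characters isn't a lot these days" remark: dice rolls mapped to a word list the diceware way, plus the entropy arithmetic for a few of the methods in the thread. The 36-word list here is constructed for two dice; the real EFF long list has 7776 words keyed by five dice, and the guess rates in the main block are illustrative assumptions, not measurements.

```python
import math
import secrets

# Constructed demo list: 6*6 = 36 words, one per two-dice outcome. Not the EFF list.
DEMO_WORDS = [
    "ant", "bat", "cat", "dog", "eel", "elk", "emu", "fox", "gnu", "hen", "ibis", "jay",
    "kiwi", "koi", "lark", "lion", "lynx", "mole", "moth", "newt", "orca", "owl", "pike", "puma",
    "quail", "ram", "rat", "seal", "swan", "toad", "tuna", "vole", "wasp", "wolf", "wren", "yak",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5: five dice per word


def roll_dice(n: int, rng=secrets) -> list:
    """n fair dice from a CSPRNG (secrets.randbelow avoids modulo bias)."""
    return [rng.randbelow(6) + 1 for _ in range(n)]


def word_index_from_dice(rolls) -> int:
    """Read dice (1..6) as a base-6 number: [1,1] -> 0, [6,6] -> 35 for two dice."""
    idx = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("dice show 1..6")
        idx = idx * 6 + (r - 1)
    return idx


def passphrase(wordlist, n_words: int, dice_per_word: int, rng=secrets) -> str:
    """Diceware-style passphrase: each word chosen uniformly by dice_per_word dice."""
    if len(wordlist) != 6 ** dice_per_word:
        raise ValueError("word list size must be 6**dice_per_word")
    words = [wordlist[word_index_from_dice(roll_dice(dice_per_word, rng))] for _ in range(n_words)]
    return " ".join(words)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` uniformly random symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given guess rate (worst case for the attacker)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print("demo passphrase:", passphrase(DEMO_WORDS, 6, 2))
    cases = {
        "6 words, 36-word demo list": entropy_bits(len(DEMO_WORDS), 6),
        "6 words, EFF long list":     entropy_bits(EFF_LONG_LIST_SIZE, 6),
        "12 random printable ASCII":  entropy_bits(95, 12),
        "20 random printable ASCII":  entropy_bits(95, 20),
    }
    # Assumed rates for illustration only: a throttled login form vs. an offline
    # attack on a fast unsalted hash.
    for label, bits in cases.items():
        online = seconds_to_exhaust(bits, 10) / 86400 / 365
        offline = seconds_to_exhaust(bits, 1e10) / 86400 / 365
        print(f"{label:28s} {bits:6.1f} bits  online {online:.3g} yrs  offline {offline:.3g} yrs")
```

The point the numbers make: six EFF words and twelve fully random printable characters are both around 78 bits, which is fine against a rate-limited login and workable against an offline attack on a fast hash, but a hand-made 12-character password is nowhere near that because its characters are not uniform. The dice-to-index mapping is the whole "dice" method; a CSPRNG drawing the same indices is equivalent, which is why rule 5 and rule 6 land in the same place.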