Password Strength

Came across this little cartoon comparing the relative security of a long (yet fairly easy to remember) password comprised of common words and a shorter (yet more difficult to remember) password comprised of a mixture of upper and lower case letters, numbers and punctuation.

I thought it made an interesting point. What do you think?

xkcd: Password Strength

your faith in technology is touching


Too many posts in this thread for me to read all of them so my apologies if this discussion on calculating password strength has already been posted.

And if you were properly using your DB with prepared/parameterized queries, you would never have this sql injection vector.

Also, in 2011, most sites really don’t need to hold passwords at all – OpenID is here. Why would you want to take on the onus of owning the credentials?

It pisses me off everytime I have to sign up for a site and found out my long password which can be between 32 and 64 (by default) is too long, or some of the characters are invalid. That is bad, very bad!

If one is handling passwords correctly, length and characters contained with the password should be a non-issue. Example, a password should be able ot have an SQL injection attack within, but handled right it won’t do a darn thing.


$username = some_db_escape( $_POST['username'] );
$password = hash( $_POST['password'] ); # Secured!

$sql = some_db_query( 'SELECT WHERE username=$username AND password=$password' );

After hashing, the password will be a fixed length and the default encoding hexadecimal contains a fixed set of characters. The value is no longer a security threat to your application.

Replacing some letters with numbers is used by very young users, dinosaurs may use other type of methods to secure their passwords :stuck_out_tongue:

The cartoon points out that replacing letters with numbers isn’t very secure - it’s easy to try variations on dictionary words in this manner that it isn’t really suitable IMO. I use totally randomly generated passwords with letters, numbers and special characters.

The most important factor in password security is length. The second most important is using different types of character - eg symbols, number, lower and uppercase letters. After that I guess its making sure it isn’t based on a dictionary words.

Fair point, but why is it bad? It is a pretty solid feature when implemented properly. And actually makes quite a bit of sense in modern distributed architectures – authentication becomes a service, users get single sign on and I get out of the business of storing other people’s secrets.

The cartoon makes a good point (as backed up by security gurus, like Mikko Hypponen).

I use totally random characters for mine, 20 characters or so when the website allows. I don’t actually know what any of them are… I use a password manager to generate and then store them.

me too, i don’t memorize every passwords i use and i dont have too coz of password managers like roboform or lastpass.

And what about passwords that are used to unlock password manager? :wink:

Ever since my password manager screwed up on me I have resorted to a series of passwords that are a logical sequence to me and my wife, but irrational to anybody else.

I don’t think I am that important that anybody will waste 3 days of valuable computer time to crack my passwords.

Aleksejs: How many of those would we have? I have just one master password, not counting the password to my computer (so yes, this means I’m one password away from losing my life).

Though, I do remember my passwords as well as use encrypted storage… that’s for JustInCaseIForget.

One of my banks uses this horrible setup with random combinations of images (what do I do if I can’t see?), words, passwords, and “security questions” which are made up of publicly-available information. Only way those are “secure” is if I totally make crap up instead of using real answers (like if I say my mother’s maiden name, which was the name she went by anyway, was Tr0ub4dor&3 :slight_smile:

Another of my banks uses a password and then a little device that needs my bank card to send and receive randomly-generated numbers. The site and the device have to match. Transaction authentication rather than user authentication (userAuth is only used once, to initiate). Nice, tho I have no idea what those little Readers cost.

They won’t bother with yours, but they’ll go after… oh… Gawker’s servers (or, some server you have an account on), grab your pw from there and then hope you’re dumb enough to have used it everywhere else. Since enough people are, attackers get something useful.

By the way, any sysadmin who lets anyone attempt 1000 guesses a second deserves horrible things.

I’m at Riga Congress Center M-W next week… I WILL see those Cat House cats!![/ot]

Good topic. My office recently switched from a 8 character pw length to a 12 character length, and they expire monthly. As a result, you can find most people’s passwords written down on a post-it note hidden under their keyboards (or sometimes even stuck to their desks or monitors).

I think you get to a point of diminishing returns on pw length, since something like ^0Ley$j2 is likely stronger than something like Aaaaaaaaaa1!

Given any decent system should lock out the account after 3 guesses, yeah.

I’ve found it frustrating that some banking websites limit the number of characters of passwords to 6-8 characters. I find it very frustrating since, well, shorter passwords tend not to be as secure. Especially when there is no lockout mechanism in place for incorrectly guessed passwords.

My car insurance company used to not allow any special characters at all in passwords. They also had a list of “security” questions, but had a minimum number of characters that the answer could be. One of the questions was “name of your first pet” and it had to be at least 6 characters. But what if your first dog’s name was Rex?

Enter it twice? :stuck_out_tongue:

Also check out Password Haystacks: How Well Hidden is Your Needle and the [URL=“”]Security Now episode on it.