from Hacker News

Researchers discovered the perfect password that’s easy to remember

by bigsassy on 10/23/15, 3:42 PM with 74 comments

  • by ph0rque on 10/23/15, 4:45 PM

    The biggest drawback is that many sites these days limit the number of characters that you can use in your passwords, so these poems are probably too long for many of your accounts. But perhaps that will change someday soon. More and more sites are considering dropping the character limit, since shorter passwords are a lot less secure.

    This is my biggest pet peeve. Actually, my second-biggest. My biggest is when registration silently fails because the password was too long.

  • by aclissold on 10/23/15, 4:22 PM

    But surely you can't remember a different poem for every service that requires a password?

    Relegating you to use a password manager anyway, at which point you might as well just generate random passwords that don't rely on dictionaries?

  • by 100k on 10/23/15, 4:09 PM

    "Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."

    http://www.schneierfacts.com/fact/27

  • by thinkmoore on 10/23/15, 4:15 PM

    "If you want your own little poem password, you can enter your e-mail here, and their program will send you a secure one, which will then be deleted from their server."

    Uh...

    They went through all the trouble of making a website. Maybe use https and just show me the password on the website?

  • by ChuckMcM on 10/23/15, 3:50 PM

    And if we could only get password taking software to not require special characters and numbers if the password was longer than 15 characters, life would be peachy. (that is 19 characters if you're wondering, and no I don't use it as a password)

  • by ColinDabritz on 10/23/15, 3:55 PM

    Using rhyme and meter to remember things has a rich history, back to the epic poems.

    The phrasing of the title made me think of an Onion article along the lines of: They found the perfect password, it's '42Lemons?' and everyone should use it!

    What they found is an excellent password scheme for humans.

  • by dogma1138 on 10/23/15, 4:52 PM

    That only works against basic bruteforce attacks, if you are using hybrid attacks those passwords become easier to crack.

    What people don't realize that professionals who crack passwords for a living use quite sophisticated techniques using known information about the target, common masks, and patterns makes cracking specific passwords easier than just bruteforcing them.

    If you use a 300K words dictionary and know or can assume that the paraphrase will be constructed out of 3-5 words the password entropy isn't as large as just thinking this is a single case or mixed case alpha with say 12-16 characters.

    When dealing with generic password your basic unit is a character so a 16 char password is made out of 16 units each of those has a specific search space single case alpha it's 26, mixed alpha it's 52, single alpha numeric it's 36 and so on.

    Here you have 3-4 units each has a fixed search space and that's the dictionary you use, the search space can be even more restricted if we can assume certain things about the algorithm that generated the passphrase.

    If we take the poem example we can assume that words will not appear more than once in the passphrase and that they might need to rhyme this alone can reduce the password entropy considerably.

    If we take other examples like story based passphrases e.g. "the quick brown fox jumps over the lazy dog" then we can base our assumptions based on what we know of the English language for example that words like "the" will appear at least once in such sentences as well as take some estimates about how many verbs, nouns, and pronouns will appear on average in each sentence based on their common distribution which allows you again to reduce the search space considerably.

    Passphreases are still great when you need to ensure that your passwords won't be broken in bulk when a breach happens because unless your account is admin@ijustgothacked.com you most likely won't be a target and those types of datadumps are still usually broken through basic dictionary, masked and cheap bruteforce attacks.

    If you might be targeted directly or phished than passphrases might not offer any sufficient level of protection and could actually be weaker than an annoying mixed-alpha-num-special password.

    That of-course will change if everyone will start using passphrases if you expect that 50% of your hashed passwords dump is passphrases you will adapt your password cracking techniques accordingly.

  • by jobu on 10/23/15, 4:19 PM

    Edward Snowden mentioned using a pseudo-random phrase like MargaretThatcherIs110%SEXY in his interview with John Oliver: https://www.youtube.com/watch?v=yzGzB-yYKcc

  • by LoSboccacc on 10/23/15, 4:10 PM

    LoL at 'discover' http://security.stackexchange.com/questions/22717/how-secure...

    I think we should held a competition to find out how old this tibit of knowledge really is and also the oldest article about security experts demonstrating passphrases are wide open to dictionary attacks.

    1982 reference on passphrases http://www.sciencedirect.com/science/article/pii/01674048829...

  • by codemac on 10/23/15, 4:08 PM

    All passwords should not be memorable.

    Once you see them as tokens that 3rd parties will probably lose, then you know our efforts should be in secure token management software (keepass, lastpass, 1password, etc).

  • by kisstheblade on 10/23/15, 4:28 PM

    I was wondering what the real "entropy" (?) for these kinds of passwords is? If you take the vocabulary of common words (ie. not generated from a list of eg. 300k words like in the article), aren't the permutations rather small? If some person just makes these four words up from words they know (and probably use quite regularly)

    Eg 10000^4 or even 1000^4 (for those types who would use "password" otherwise)? Isn't that quite bad or am I understandig something incorrectly?

  • by kristopolous on 10/23/15, 4:27 PM

    Everyone who is serious about passwords should run a cracker for a week or so on some large set of passwords. You end up getting a pretty good sense on what falls quickly.

  • by zeveb on 10/23/15, 4:48 PM

    It's a bit disappointing that they're focusing on 60-bit passwords; a 128- or 256-bit security level is best for securing important data.

  • by samstave on 10/23/15, 4:38 PM

    In 1997 I inherited a network which had a password I needed to recover... It was some Cisco Device -- I cant recall model number or how we recovered the password; but Ill never forget that password:

    FeetFourMonkey

  • by syoc on 10/23/15, 4:43 PM

    The problem with passphrases are wordlists and combinator attacks. This is been known for a long time. This headline is very misleading and I hope no one use passphrase-based passwords for extremely sensitive data.