how long is your password?

Jeanne Boyarsky

E-mail forward from a colleague:

During a recent password audit at a large company, it was found that one receptionist was using the following password:

"MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"

When asked why she had such a long password, she said she was told that it had to be at least eight characters long and include at least one capital.


Aside from a laugh, this got me thinking - how long is your longest password? Mine is 15 characters.


Bear Bibeault

17


Henry Wong

Nine. Only because the system rejected my more widely used one that has a length of five.


Jeanne Boyarsky

Henry:
And you like odd numbers? Is the requirement 8 or 9 for the system that didn't like 5?

Bear:

How do you remember it!
Pat Farrell

Good systems do not use a pass "word" but rather a pass phrase. The pass phrase to my GPG key is many words.

Passwords are poor security. Made worse by requiring users to change them frequently. The definition of "frequently" varies.

If you make people use strong passwords for things that they do not use daily, they will write them down, or use the same password on every site.
Bear Bibeault

Jeanne Boyarsky wrote:Bear:

How do you remember it!

It's a phrase that can be spoken and is easy to remember, but would be impossible to guess.
Ankit Garg

19


Deepak Bala

So which password are you guys talking about? Hopefully you folks are revealing the number for a password that cannot be brute forced from a public network.

Anywho, most of my passwords are complicated. The longest one is more than 25 characters.





Jesper de Jong

I use a different password for each website or thing that needs a password. Almost all of my passwords are strings of random letters, numbers and other characters, between 8 and 15 characters. Of course I can't remember all those passwords (I have more than 200 of them); I use a tool to manage all those passwords.


Vikas Kapoor

Would you mind sharing the tool name?
Jan Cumps

lots of 20 char passwords.
managed by keypass.


Hussein Baghdadi

11 but I'm jealous and thinking to change it.
Jeanne Boyarsky

Deepak Bala wrote:So which password are you guys talking about? Hopefully you folks are revealing the number for a password that cannot be brute forced from a public network.

Hint: It's not my JavaRanch or e-mail password. Even if you knew a public website for which I had a 15 character password, that would be a lot of work to brute force it.
Ryan McGuire

Bear Bibeault wrote:
Jeanne Boyarsky wrote:Bear:

How do you remember it!

It's a phrase that can be spoken and is easy to remember, but would be impossible to guess.


You HOPE it's impossible. If I had to guess, it might have something to do with motorcycles, your dog and/or blowing up tanks for the military. :-)


Anyhow, my "root" (not in the Unix sense of the word) password is 10 letters long. I then tack on between 2 and 8 additional characters or mangle it in some other way for each system. I match the amount of mangling to the required security level. e.g. My bank password is longer and harder to type than the one I use here.

One guy I took some classes with doesn't even know his exact password. It involves typing one word, then hitting HOME and sprinkling in a handful of other letters with various combinations of arrow keys, letters, numbers, Caps Lock, END, etc.

BTW, my wife does not know my password.


During a recent password audit at a large company, it was found that one receptionist was using the following password:
"MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"


I'm sure this is just a joke, but...
I am severely disappointed that a system makes anyone's passwords retrievable. I'm also disappointed that anyone doing a security audit would reveal any of the passwords that people are using.

Pat Farrell

Ryan McGuire wrote:You HOPE it's impossible. If I had to guess, it might have something to do with motorcycles, your dog and/or blowing up tanks for the military.


Perhaps a bit too meaningful for MD, but one never talks about "impossible" when dealing with crypto. All you can do is talk about how impractical it would be to guess that Bear's passphrase starts out "I used to love Harleys but they break down too often" or any other passphrase.

What you can do is an engineering estimate, figure out time to brute force one attempt, put a large number of multi-core systems on it in parallel and come up with a number.

Although when you get to needing the same number of processors as there are atoms in the universe, and more time than has elapsed since the Big Bang, one does start to think it's impossible.
Vikas Kapoor

Ryan McGuire wrote:
Bear Bibeault wrote:It's a phrase that can be spoken and is easy to remember, but would be impossible to guess.


You HOPE it's impossible. If I had to guess, it might have something to do with motorcycles, your dog and/or blowing up tanks for the military. :-)


You forgot to mention the general guess, girlfriend name. ;-) Other than what you have listed, I would guess something related to Mac (Apple) and cooking.
Vikas Kapoor

Pat Farrell wrote:What you can do is an engineering estimate, figure out time to brute force one attempt, put a large number of multi-core systems on it in parallel and come up with a number.


This will cover the source to generate different phrases, but did you consider the capacity of the server (which ACTUALLY authenticates whether the password is right/wrong)?
Pat Farrell

Vikas Kapoor wrote:This will cover the source to generate different phrases, but did you consider the capacity of the server (which ACTUALLY authenticates whether the password is right/wrong)?

For most estimates, one works with worst case, so you assume that there is no server delay loop, no refusal to talk to you after N failures. And while these could add time to each test for say web access, they have no impact in others, say you physically have Bear's hard disk and you are trying to gain access to the files.

Also, most of these calculations are essentially Big-O, so all the constants fall out. Things like assuming that you have as many computers as there are atoms in the universe gives a strong hint that we won't be sweating the small stuff.
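
The engineering estimate discussed in the posts above, worked through as an added example that is not part of the original thread: it compares the worst case (offline guessing, no server delay) with a throttled login for three secret sizes. The guess rates, the 94-character printable alphabet, the 7776-word list and the assumption that every character or word is picked uniformly at random are all assumptions of this example.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10   # approximate, for scale only

def entropy_bits(choices: int, units: int) -> float:
    """Bits of entropy when each of `units` symbols or words is picked
    uniformly at random from `choices` options (assumption: human-chosen
    phrases carry less entropy than this)."""
    return units * math.log2(choices)

def expected_years(bits: float, guesses_per_sec: float, machines: int = 1) -> float:
    """Average time to find the secret: half the keyspace must be tried."""
    expected_guesses = 2.0 ** (bits - 1)
    return expected_guesses / (guesses_per_sec * machines) / SECONDS_PER_YEAR

def machines_to_finish(bits: float, guesses_per_sec: float, years: float) -> int:
    """Parallel machines needed for the expected search to fit in `years`."""
    return math.ceil(expected_years(bits, guesses_per_sec) / years)

# Constructed rates, not measurements: a fast offline check against a stolen
# disk or hash versus a login form the server limits to a few tries a second.
OFFLINE_RATE = 1e9
ONLINE_RATE = 10.0

SECRETS = {
    "8 random printable chars": entropy_bits(94, 8),
    "15 random printable chars": entropy_bits(94, 15),
    "6 random words (7776-word list)": entropy_bits(7776, 6),
}

def report():
    """One row per secret: (name, bits, years offline, years online)."""
    rows = []
    for name, bits in SECRETS.items():
        rows.append((name, round(bits, 1),
                     expected_years(bits, OFFLINE_RATE),
                     expected_years(bits, ONLINE_RATE)))
    return rows

if __name__ == "__main__":
    for name, bits, offline, online in report():
        print(f"{name:34s} {bits:5.1f} bits  "
              f"offline {offline:9.2e} y  online {online:9.2e} y")
```

Under these assumed rates the 8-character secret falls offline in well under a year on one machine, while the same secret behind a throttled login takes millions of years, which is why the worst-case estimate ignores the server.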
Jason Newman

Ha, I was just talking to my friend the other day about this, and he told me to make an overly complex password, because my current one was 'too weak'.

So, it went from eight to twenty one. o.o




Jesper de Jong

Vikas Kapoor wrote:Would you mind sharing the tool name?

OpenOffice Calc (spreadsheet)....
Jesper de Jong

Cracking 14 Character Complex Passwords in 5 Seconds
 