
how long is your password?

 
Jeanne Boyarsky
E-mail forward from a colleague:

During a recent password audit at a large company, it was found that one receptionist was using the following password:

"MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"

When asked why she had such a long password, she said she was told that it had to be at least eight characters long and include at least one capital.


Aside from a laugh, this got me thinking - how long is your longest password? Mine is 15 characters.
 
Bear Bibeault
17
 
Henry Wong
Nine. Only because the system rejected my more widely used one that has a length of five.
 
Jeanne Boyarsky
Henry:
And you like odd numbers? Is the requirement 8 or 9 for the system that didn't like 5?

Bear:

How do you remember it!
 
Pat Farrell
Good systems do not use a pass "word" but rather a pass phrase. The pass phrase to my GPG key is many words.

Passwords are poor security. Made worse by requiring users to change them frequently. The definition of "frequently" varies.

If you make people use strong passwords for things that they do not use daily, they will write them down, or use the same password on every site.
 
Bear Bibeault
Jeanne Boyarsky wrote: Bear:

How do you remember it!

It's a phrase that can be spoken and is easy to remember, but would be impossible to guess.
 
Ankit Garg
19
 
Deepak Bala
So which password are you guys talking about? Hopefully you folks are revealing the number for a password that cannot be brute forced from a public network.

Anywho, most of my passwords are complicated. The longest one is more than 25 characters.



 
Jesper de Jong
I use a different password for each website or thing that needs a password. Almost all of my passwords are strings of random letters, numbers and other characters, between 8 and 15 characters. Of course I can't remember all those passwords (I have more than 200 of them); I use a tool to manage all those passwords.
 
Vikas Kapoor
Would you mind sharing the tool name?
 
Jan Cumps
lots of 20 char passwords.
managed by keypass.
 
Hussein Baghdadi
11 but I'm jealous and thinking to change it.
 
Jeanne Boyarsky
Deepak Bala wrote: So which password are you guys talking about? Hopefully you folks are revealing the number for a password that cannot be brute forced from a public network.

Hint: It's not my JavaRanch or e-mail password. Even if you knew a public website for which I had a 15 character password, that would be a lot of work to brute force it.
 
Ryan McGuire
Bear Bibeault wrote:
Jeanne Boyarsky wrote: Bear:

How do you remember it!

It's a phrase that can be spoken and is easy to remember, but would be impossible to guess.


You HOPE it's impossible. If I had to guess, it might have something to do with motorcycles, your dog and/or blowing up tanks for the military. :-)


Anyhow, my "root" (not in the Unix sense of the word) password is 10 letters long. I then tack on between 2 and 8 additional characters or mangle it in some other way for each system. I match the amount of mangling to the required security level. e.g. My bank password is longer and harder to type than the one I use here.

One guy I took some classes with doesn't even know his exact password. It involves typing one word, then hitting HOME and sprinkling in a handful of other letters with various combinations of arrow keys, letters, numbers, Caps Lock, END, etc.

BTW, my wife does not know my password.


During a recent password audit at a large company, it was found that one receptionist was using the following password:
"MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"


I'm sure this is just a joke, but...
I am severely disappointed that a system makes anyone's passwords retrievable. I'm also disappointed that anyone doing a security audit would reveal any of the passwords that people are using.

 
Pat Farrell
Ryan McGuire wrote: You HOPE it's impossible. If I had to guess, it might have something to do with motorcycles, your dog and/or blowing up tanks for the military.


Perhaps a bit too meaningful for MD, but one never talks about "impossible" when dealing with crypto. All you can do is talk about how impractical it would be to guess that Bear's passphrase starts out "I used to love Harleys but they break down too often" or any other passphrase.

What you can do is an engineering estimate, figure out time to brute force one attempt, put a large number of multi-core systems on it in parallel and come up with a number.

Although when you get to needing the same number of processors as there are atoms in the universe, and more time than has elapsed since the Big Bang, one does start to think it's impossible.
 
Vikas Kapoor
Ryan McGuire wrote:
Bear Bibeault wrote: It's a phrase that can be spoken and is easy to remember, but would be impossible to guess.


You HOPE it's impossible. If I had to guess, it might have something to do with motorcycles, your dog and/or blowing up tanks for the military. :-)


You forgot to mention general guess, Girlfriend name. ;-). Other than what you have listed, I would guess something related to MAC (Apple) and cooking.
 
Vikas Kapoor
Pat Farrell wrote: What you can do is an engineering estimate, figure out time to brute force one attempt, put a large number of multi-core systems on it in parallel and come up with a number.


This will cover the source to generate different phrases, but did you consider the capacity of the server (which ACTUALLY authenticates whether the password is right/wrong)?
 
Pat Farrell
Vikas Kapoor wrote: This will cover the source to generate different phrases, but did you consider the capacity of the server (which ACTUALLY authenticates whether the password is right/wrong)?

For most estimates, one works with worst case, so you assume that there is no server delay loop, no refusal to talk to you after N failures. And while these could add time to each test for, say, web access, they have no impact in others, say you physically have Bear's hard disk and you are trying to gain access to the files.

Also, most of these calculations are essentially Big-O, so all the constants fall out. Things like assuming that you have as many computers as there are atoms in the universe gives a strong hint that we won't be sweating the small stuff.
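
Added example, not part of any post in this thread: the engineering estimate discussed above, worked for the password lengths people mention, in both the worst case (offline, no server throttling) and a throttled online case. The guess rates, machine count and all function names are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
LOG10_AGE_OF_UNIVERSE_YEARS = math.log10(1.38e10)  # approximate age in years

def keyspace_bits(symbols, length):
    """Bits of entropy for `length` symbols picked uniformly at random."""
    return length * math.log2(symbols)

def log10_years_to_exhaust(bits, guesses_per_sec, machines=1):
    """log10(years) to try every candidate; logs keep huge keyspaces manageable."""
    log10_candidates = bits * math.log10(2)
    log10_rate = math.log10(guesses_per_sec) + math.log10(machines)
    return log10_candidates - log10_rate - math.log10(SECONDS_PER_YEAR)

# Constructed candidates. The figures hold only for secrets chosen uniformly at
# random; a phrase a person picks from their own life has far less entropy.
CANDIDATES = {
    "8 random printable ASCII": keyspace_bits(95, 8),
    "15 random printable ASCII": keyspace_bits(95, 15),
    "25 random printable ASCII": keyspace_bits(95, 25),
    "6 random words (7776-word list)": keyspace_bits(7776, 6),
}

# Assumed rates, not measurements.
OFFLINE = {"guesses_per_sec": 1e10, "machines": 1e6}  # stolen disk, no throttling
ONLINE = {"guesses_per_sec": 10, "machines": 1}       # server answers 10 tries/s

def estimate(scenario):
    """Map each candidate to log10(years) to exhaust under `scenario`."""
    return {name: log10_years_to_exhaust(bits, **scenario)
            for name, bits in CANDIDATES.items()}

def outlasts_universe(log10_years):
    """True when the estimate exceeds the approximate age of the universe."""
    return log10_years > LOG10_AGE_OF_UNIVERSE_YEARS

if __name__ == "__main__":
    for label, scenario in (("offline", OFFLINE), ("online", ONLINE)):
        for name, ly in estimate(scenario).items():
            flag = " (longer than the age of the universe)" if outlasts_universe(ly) else ""
            print(f"{label:8} {name:32} ~10^{ly:.1f} years{flag}")
```

Under these assumed rates the server's throttle decides the online case, while in the offline case only length and randomness matter.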
 
Jason Newman
Ha, I was just talking to my friend the other day about this, and he told me to make an overly complex password, because my current one was 'too weak'.

So, it went from eight to twenty-one. o.o




 
Jesper de Jong
Vikas Kapoor wrote: Would you mind sharing the tool name?

OpenOffice Calc (spreadsheet)....
 