how long is your password?

E-mail forward from a collegue:

During a recent password audit at a large company, it was found that one receptionist was using the following password:

"MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"

When asked why she had such a long password, she said she was told that it had to be at least eight characters long and include at least one capital.

Aside from a laugh, this got me thinking - how long is your longest password? Mine is 15 characters.

17

Nine. Only because the system rejected my more widely used one that has a length of five.

Henry:
And you like odd numbers? Is the requirement 8 or 9 for the system that didn't like 5.

Bear:

How do you remember it!

Good systems do not use a pass "word" but rather a pass phrase. The pass phrase to my GPG key is many words.

Passwords are poor security. Made worse by requiring users to change them frequently. The definition of "frequently" varies.

If you make people use strong passwords for things that they do not use daily, they will write them down, or use the same password on every site.

Jeanne Boyarsky wrote:Bear:

How do you remember it!

It's a phrase that can be spoken and is easy to remember, but would be impossible to guess.

19

So which password are you guys talking about ? Hopefully you folks are revealing the number for a password that cannot be brute forced from a public network.

Anywho, most of my passwords are complicated. The longest one is more than 25 characters.

bruteForceDictionary.add("MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento")

I use a different password for each website or thing that needs a password. Almost all of my passwords are strings of random letters, numbers and other characters, between 8 and 15 characters. Ofcourse I can't remember all those passwords (I have more than 200 of them); I use a tool to manage all those passwords.

Would you mind sharing the tool name?

lots of 20 char passwords.
managed by keypass.

11 but I'm jealous and thinking to change it.

Deepak Bala wrote:So which password are you guys talking about ? Hopefully you folks are revealing the number for a password that cannot be brute forced from a public network.

Hint: It's not my JavaRanch or e-mail password. Even if you knew a public website for which I had a 15 character password, that would be a lot of work to brute force it.

Bear Bibeault wrote:

Jeanne Boyarsky wrote:Bear:

How do you remember it!

It's a phrase that can be spoken and is easy to remember, but would be impossible to guess.

You HOPE it's impossible. If I had to guess, it might have something to do with motorcycles, your dog and/or blowing up tanks for the military. :-)


Anyhow, my "root" (not in the Unix sense of the word) password is 10 letters long. I then tack on between 2 and 8 additional characters or mangle it in some other way for each system. I match the amount of mangling to the required security level. e.g. My bank password is longer and harder to type than the one I use here.

One guy I took some classes with doesn't even know his exact password. It involves typing one word, then hitting HOME and sprinkling in a handful of other letters with various combinations of arrow keys, letters, numbers, Caps Lock, END, etc.

BTW, my wife does not know my password.

During a recent password audit at a large company, it was found that one receptionist was using the following password:
"MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"

I'm sure this is just a joke, but...
I am severely disappointed that a system makes anyone's passwords retrievable. I'm also disappointed that anyone doing a security audit would reveal any of the passwords that people are using.

Ryan McGuire wrote:You HOPE it's impossible. If I had to guess, it might have something to do with motorcycles, your dog and/or blowing up tanks for the military.

Perhaps a bit too meaningful for MD, but one never talks about "impossible" when dealing with crypto. All you can do is talk about how impractical it would be to guess that Bear's passphrase starts out "I used to love Harleys but they break down too often" or any other passphrase.

What you can do is an engineering estimate, figure out time to brute force one attempt, put a large number of multi-core systems on it in parallel and come up with a number.

Altho when you get to needing the same number of processors as there are atoms in the universe, and more time than has elapsed since the Big Bang, one does start to think its impossible.

Ryan McGuire wrote:

Bear Bibeault wrote:It's a phrase that can be spoken and is easy to remember, but would be impossible to guess.

You HOPE it's impossible. If I had to guess, it might have something to do with motorcycles, your dog and/or blowing up tanks for the military. :-)

You forgot to mention general guess , Girlfriend name. ;-). Other than what you have listed, I would guess something related to MAC (Apple) and cooking.

Pat Farrell wrote:What you can do is an engineering estimate, figure out time to brute force one attempt, put a large number of multi-core systems on it in parallel and come up with a number.

This will cover the source to generate different phrases but did you consider the capacity of server (which ACTUALLY authenticate whether password is right/wrong)?

Vikas Kapoor wrote:This will cover the source to generate different phrases but did you consider the capacity of server (which ACTUALLY authenticate whether password is right/wrong)?

For most estimates, one works with worst case, so you assume that there is no server delay loop, no refusal to talk to you after N failures. And while these could add time to each test for say web access, they have do impact in others, say you physically have Bear's hard disk and you are trying to gain access to the files.

Also, most of these calculations are essentially Big-O, so all the constants fall out. Things like assuming that you have as many computers are there are atoms in the universe gives a strong hint that we won't be sweating the small stuff.

Ha, I was just talking to my friend the other day about this, and he told me to make an overly complex password, because my current one was 'too weak'.

So, it went from eight to twenty one. o.o

Vikas Kapoor wrote:Would you mind sharing the tool name?

OpenOffice Calc (spreadsheet)....