I get that companies still insist on not using far superior pass phrases for security. What I find bizarre is using an example which tells you to do the opposite as a reason for a policy change. Sure, requiring 8 characters instead of four adds more entropy, but it is easily subject to brute force.
+ Have characters from at least two of the following categories: upper case, lower case, digits, and everything else (symbols, punctuation, spaces, etc.). Note that spaces are now allowed.
+ Not contain your character name. (Same as before.)
The point of the cartoon is that these types of rules are bad math. It gives the illusion of protection and, if not required, could provide some actual protection. However, when required, it makes passwords substantially more predictable and less secure. Why? Because far too many people will use the password they wanted in the first place and slap your 'additions' on the end of their password.
http://xkcd.com/936/
Comments
"New password announce missed the point?" The point is: make your passwords more secure. End of story.
The writer is conveying why you should not implement passwords the way it was done here and is normally done. Anyone who has ever looked over a list of leaked passwords knows how useless it is to require categories.
Moving from 4 to 8 is insufficient and can be brute forced. If the point is only to make it harder, then you don't need the other rules.
The other rules far too often result in common substitutions which add negligible complexity and even worse penalize those who use natural pass phrases.
As written it doesn't seem like an anecdote, but like an example. Or to draw from the announce and comic combined, you don't need to require "I love Lusternia more than Angry Birds" when "ilovelusterniamorethanangrybirds" is far more than sufficient.
So what's the harm? It turns out that the more you require, the less secure passwords generally become. That is the point of the comic.
Requiring more minimum letters does not make passwords less secure.
If my password was lerad1111111111 instead of lerad1, it would be more secure. Maybe it would be more secure "by a negligible amount", but it would be more secure.
It would be more secure.
It would be more secure.
End of story.
Sure, requiring 8 characters instead of four adds more entropy, but it is easily subject to brute force.
I get this isn't intuitive.
So what am I babbling about? The comic makes the case that pass phrases are better than standard passwords. That's really the main point of the comic. Yet the actual implementation makes it so that you cannot use a pass phrase of the form the comic uses. So even though correcthorsebatterystaple would take 550 years to brute force solve, it isn't a good enough password for the new schema Lusternia uses.
Is it worth a discussion about?
The new system does not even require a number, you can use capitalization instead.
Your example passes panel 5, 'Difficulty to Guess', but it fails 'Difficulty to Remember', as any non-standard implementation automatically fails this test. The problem is not that this schema doesn't allow difficult passwords; it clearly does. The problem is that, being a non-standard implementation, it adds Difficulty to Remember.
The great thing about pass phrases is their simplicity. Once additional rules are lumped on, that simplicity goes largely out the window. The problem with a complex schema is two-fold. Firstly, it makes passwords harder for humans to remember; the result of that is often anything from dumbing down the password to writing it down for others to see. Dumbing down your password or writing it down arguably equals less secure. Secondly, a complex unique schema has the effect of people not using it. If someone has to remember the special rules for a site, they're less likely to opt for using the stronger schema and default back to the less secure and more familiar one.
I get that you're trying to say that any additional requirements make the passphrase difficult to remember, and thus force users to write it down or dumb it down. And if you mean that this compromises security because hackers use social hacking (detective style hacking where they don't brute force the passwords, but gather clues from other sources like social networking or public information to deduce passphrases), then yes, you're absolutely correct. However, this is very simply countered by making the passphrase common, unrelated and random words, something that you yourself acknowledge is the best choice in the first place. Adding a single digit, capitalising one of the letters, or adding a single space will make your passphrase acceptable with these requirements. And if you're going to claim that you will have to write it down just because you added one of those above options, then I have to say that there is no possibility of such a person being able to remember a passphrase in the first place.
Please don't insult everyone in general by claiming that such requirements will "lower the security" of the passphrases used. It doesn't, plain and simple, unless the user is so stupid as to be unable to remember a single digit or space in their passphrase.
This is a non-issue, plain and simple.
Edit: That's not meant to be some curt answer. People have to manage all their passwords. That's the objection to non-standard schema, that they add a burden to the user to track what is required.
There is an average length to passwords used by the general public. If your schema dictates certain patterns, there are already algorithms out there to exploit this weakness.
You keep going on about it being a non-issue. I never said it was an issue. All I have said is it appears that a major point of the comic seems to have been overlooked or failing that possibly dismissed.
It isn't just that I'm "trying to say that any additional requirements make the passphrase difficult to remember, and thus force users to write it down or dumb it down." It is also that they're far more likely to stick with their old crappy password than to adopt another password scheme they have to remember. Wait, that site, I can put a symbol at the beginning, but on this other site it can't be the first character. This one requires a number, that one doesn't.
When something is made non-standard it runs the real risk people won't use it. If they don't use it, its potential security is meaningless. True, passphrases are new enough that most people don't yet care much about usability, and I am sure people will jump in and embrace the ability to do so here and benefit from the added security of doing so.
Pass phrases simply don't need the extra rules. I don't think you disagree with this last bit?
Just use mixed case for your passphrases and you are set. It will work for Lusternia, no tweaking needed. Unfortunately some other sites require more hoops (and for those sites, yes, you are right, you are making it needlessly more complex), but I don't see anything wrong with encouraging people to use mixed case as a standard for their passphrases. It is not an extra burden on memory at all. Capitalize the first letter of each word as you are typing it.
Edit: You basically seem to be arguing against bad password policies on other sites, but what you are arguing isn't applicable here since it does not have rules as strenuous. I fully agree with the gist of what you are saying, on sites where they have really weird requirements which are basically designed to make you need something much harder to remember, but that's just not the case with the change implemented on Lusternia.
I'm mind bogglingly confused by this argument. The passphrase schema that you're arguing for is allowed under the new rules, as whitespace is now accepted. And if the issue is the requirements then frankly Celina's jab is a perfect example of an easy to remember passphrase.
NARF!
The new IRE schema doesn't dictate any "certain pattern". It dictates a certain requirement, but it dictates absolutely nothing of what you have to do with it. If the schema said "you must have at least 8 characters, of which every third character must be of a different type, i.e. "ab1cd@ef3"", then that's a pattern that's being dictated. This is not the case here. Yes, when your schema dictates extra requirements, there are different algorithms for it, and (did you actually read my previous post?) these are less resource efficient than one that doesn't need to take into account those additional requirements. They add security, period. This is not arguable on a technical level. Algorithms that assume "this guy likes cakes, so he might have the brand name of cake shops in his neighbourhood used in his passwords, we can narrow our algorithm down based on that" are not brute-forcing; that's social hacking. Again, read my post.
If it is not an issue, then there's nothing to be said. If the "major point of the comic" is "overlooked or failing that possibly dismissed", then it is an issue. Make up your mind. Which is it?
Assuming the latter, I would also like to point out that the major point of the comic is neither overlooked nor dismissed. They could have changed up the requirements and said nothing about the concept behind "passphrases > gibberish symbols". If they did that, the vast majority of players who are not familiar with that concept will continue to use tr0ub4dour&3 as their passwords. The fact that they mentioned the concept is a nudge that players should consider the merits of a passphrase over the gibberish symbols they are used to, and make adjustments based on the new requirements: which allow for very secure passphrases.
If they wanted to "overlook" or "dismiss" the point in the comic, they wouldn't link it in the first place. That's not very difficult to understand, unless you're trying to imply that the admin are too stupid to have the reading comprehension needed to decode that comic.
No, I don't disagree with that. Here's an extra bit of information for you: the extra rules of the new IRE passwords? They don't disallow pass phrases. "Wow, what a shocker! You mean I can use pass phrases with the new rules?" Yes, you can. "Extra rules" and "pass phrases" are not mutually exclusive. You might want to spend some time to think about that.
In the mean time, let me tell you what I disagree with: you telling me what I should do with my password.
I might be wrong, of course (I've been wrong about how pointless this thread is for every one of my previous posts: every time you reply to clarify your position, I feel it is even more pointless), but I think you're just pissed off about the fact that it is possible to still use difficult to remember, easy to hack passwords. You want the schema to require "at least 8 characters, with no special characters or spaces allowed, only lower-case alphabets" so that people will be forced to switch to passphrases. Maybe, as icing on the cake, you also want to have an additional line saying "your passphrases must be made up of common, random, irrelevant words, as that is the new standard that is more secure". Any schema that still allows someone to enter tr0ub4dour&3 as a password is a schema that should not exist.
Well, my reply to that is, I'm very happy with l3r4d as my password, thank you. Please don't dictate to me what I must or must not use. You're neither my parent nor my security adviser. The day I want to employ you to replace my adviser (which is myself, obviously), I'll let you know and send a contract your way. Until then, please kindly take your so-called "disagreements" elsewhere.
Next time I get in I am going to change it to d4r3l. Nobody will ever guess that one!
Nowhere have I said or even suggested what you should do with your password.
A: Yes. Yes, it is.
Q: Is "CorrectHorseBatteryStaple" a "passphrase" as "illustrated in the comic" for the purposes of being easy to remember and hard to hack?
A: Yes. Yes, it is.
Q: Does the new password policy as per the announce specifically disallow this passphrase?
A: No. No, it does not.
Bonus Q: Does the passphrase in the comic use spaces?
A: Debatable - you could argue that it does, because it actually looks like there's a space between each word!
Bonus Q 2: Is that why people are expressing confusion?
A: No, they're expressing confusion at the utter lack of significance of this discussion.
NARF!
Two, two, two things in one.
GoofyHueyLouieDeweyDaisyDonaldMickeyMinniePhoenix
When he was asked why he had such a long password, he said, "The boss said that my password had to be at least eight characters long and have at least one capital."
I can see why someone might see it that way. The brackets are there for readability and, more importantly, to indicate the dictionary elements. The form of the math is dictionary attacks, or put another way, 'word lists'. 11 bits is per word, not per character; per character would be even harder to crack, something along the lines of 117 bits. 11 bits x 4 for the 44 bits of entropy. As an aside, did you also see the first password as having a space?
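As an added illustration of the arithmetic in the post above (this is example code written for this page, not code from the thread, from Lusternia or from the comic's author), the script below reproduces the numbers the thread keeps citing: 11 bits per word from a 2048-word list (four words giving 44 bits), the roughly 117 bits an attacker would face if forced to guess the same 25 letters one character at a time, and the crack time at the comic's stated rate of 1000 guesses per second. The 2048-word list, the 1000 guesses/sec rate and the 28-bit estimate for a Tr0ub4dor&3-style password are assumptions taken from the comic's model, not measurements; the suffix function models the earlier point that a policy-mandated trailing digit adds only a few bits when the attacker knows the habit.

```python
import math

# Constructed parameters following the xkcd 936 model discussed in the thread.
WORDLIST_SIZE = 2048          # 2^11 common words -> 11 bits per word
GUESSES_PER_SECOND = 1000     # the comic's assumed attacker rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600
TROUBADOR_BITS = 28           # the comic's estimate for a "Tr0ub4dor&3"-style password


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each of `length` positions is chosen uniformly
    from `alphabet_size` options (length * log2(alphabet_size))."""
    return length * math.log2(alphabet_size)


def crack_years(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to exhaust a space of 2**bits guesses at `rate` guesses/sec."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


def passphrase_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Dictionary-attack view: the attacker guesses whole words, so entropy
    is counted per word, not per character."""
    return entropy_bits(wordlist_size, words)


def character_bits(text: str) -> float:
    """Per-character view: the attacker guesses lowercase letters one at a
    time. Only meaningful if the attacker does not know the text is made of
    dictionary words; it is the '117 bits' figure for a 25-letter phrase."""
    return entropy_bits(26, len(text))


def suffix_pattern_bits(base_bits: float, suffix_alphabet_size: int, suffix_len: int) -> float:
    """Entropy of 'base password + mandated suffix' when the attacker models
    the habit of appending a suffix: only log2(alphabet) * len bits are added."""
    return base_bits + entropy_bits(suffix_alphabet_size, suffix_len)


def compare() -> dict:
    """Collect the figures the thread argues about in one place."""
    phrase = "correcthorsebatterystaple"   # constructed sample, the comic's phrase
    return {
        "passphrase_word_bits": passphrase_bits(4),
        "passphrase_char_bits": character_bits(phrase),
        "passphrase_years_wordlist": crack_years(passphrase_bits(4)),
        "troubador_style_days": crack_years(TROUBADOR_BITS) * 365.25,
        "one_digit_suffix_extra_bits": suffix_pattern_bits(0.0, 10, 1),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>30}: {value:,.2f}")
```

The word-list figure (44 bits, about 557 years at 1000 guesses/sec) is the one that matters for the defender, because it already assumes the attacker knows the phrase is four common words; the per-character figure only shows how much harder things get for an attacker who does not. A single mandated digit appended to an existing password adds just over 3 bits against an attacker who models that habit.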