[FFML] [ADMIN] Password related stuff

Dennis Carr dennisthetiger at chez-vrolet.net
Sun Dec 12 11:36:41 PST 2010


I've let Aleh back on - all is well. I'm not going to blame him, as
it's not really his fault that somebody did this. For those that
expressed concern, I appreciate it - but know that, behind the scenes,
machinations were already at work on my side. =)

This said, I think it's prudent to post this particular blurb for the
list, after having worked these past few months for speakeasy.net, and
seeing many people in my immediate circle of friends deal with this.

I've noticed two things insofar as password security, and this
particularly focuses on basic circumvention methods to basically hold
to a provider's standards, yet still allow the password to be committed
to memory owing to its simplicity: not only are 60% or more of all
passwords of the structure of 'Password1!' (that is, a capitalized
dictionary word followed by a number 1 and an exclamation mark), but
also, where there is a secret question and answer, the easiest answer
to give to a question is provided - in this case, the favorite color of
60% or more of all people is "blue".  Not a shade of it (e.g., Dodger
Blue), but the primary color's canonical name.

In three words, this is bad.  This means that, purely based on this
statistic, there's a good chance that 600ish of everybody who subscribes
to this list has an excellent chance of being broken into. 

This said, I don't even want to know your password.

For the password, the concern is simple: while it is certainly a hold
to the requirements that a provider gives on the most basic level, it
is just as insecure of a password as a straight dictionary word.  I
think the secret Q/A thing is foregone, as such. =)

So here's a few tips that I've posted about on my LJ and Facebook, as
well as spread to my friends, supported users at Speakeasy, and members
of the Woodinville UU church, which I attend pretty regularly.

0) It pays to be password paranoid.  We just saw why.

1) AVOID ALL DICTIONARY WORDS LIKE THE PLAGUE.  This includes all
languages, be they live, constructed, or dead. Even a password in
Japanese Romaji, Na'vi, Elven, or whatever language Leeloo from The
Fifth Element speaks is an open possibility.  If 'grep' can find it,
it's a bad idea to use it.

2) Never build a password that looks anything like 'Something1!'.  The
use of the exclamation mark and number 1, in no particular order, makes
it only slightly harder to crack a dictionary word password. 

3) Any password you construct should exceed the minimum standards of an
account provider by many orders of magnitude.  If a provider lets you
use punctuation, do it - even if they don't require it.  If they don't
let you, on the other hand, it's time to pick up your marbles and go
away.

4) Never underestimate the power of true randomization, the "pipe"
character, a text editor and printer, and/or a pen.  For this, you want
a password that is truly random - it should follow no evident order.
Intersperse with any punctuation that can be had on your keyboard
without relying on the Alt-NumberPad combinations; if a system lets
you, then do that, as well.  And a few tips:

4a) Create the password in such a way that you can see it BEFORE using
it on a provider.

4b) WRITE THAT PASSWORD DOWN. For best results, involve your favorite
text editor and a printer. Once it's on paper, if you involved the text
editor and printer, delete that file.  Yes, I AM foregoing the age-old
wisdom of never writing a password down - but the truth is, the
password cracker in Prague doesn't need to fly to your house if your
password is easy to guess.  (And this said, if you're concerned about
people breaking in and getting your Facebook passwords, then if there
IS a break-in...well, I hope your insurance is paid up!)

4c) Commit this password to memory: for three weeks, do not rely on
your browser's ability to remember your password; rather, type it from
that piece of paper. Every time.  After you can do it without looking
at that piece of paper, keep going for another couple weeks before you
destroy it (yes, DESTROY it) and commit to your browser's memory.

5) If you have ever told anybody your password and they have used it,
even once, and even a loved one, it is now insecure. Change it. See step
1.
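Steps 1, 2 and 4 above, turned into a small generator and checker. This is an added example, not part of Dennis's post; it assumes Python 3, draws only from keyboard-typeable printable ASCII (pipe included, no Alt-NumPad characters), and uses a constructed six-word list where a real dictionary file would go.

```python
import re
import secrets
import string

# Keyboard-typeable characters only (assumption: printable ASCII minus space).
# string.punctuation includes the "pipe" character the post recommends.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini-dictionary standing in for /usr/share/dict/words.
DICTIONARY = {"password", "something", "blue", "ferret", "owl", "dodger"}

# The 'Something1!' anti-pattern: capitalized word, then '1' and '!' in either order.
WORD1_BANG = re.compile(r"^[A-Z][a-z]+(1!|!1)$")


def looks_like_word1_bang(pw: str) -> bool:
    """True for passwords shaped like 'Password1!' or 'Password!1'."""
    return WORD1_BANG.fullmatch(pw) is not None


def contains_dictionary_word(pw: str, words=DICTIONARY, min_len: int = 4) -> bool:
    """The 'if grep can find it' test: any word of min_len+ letters inside pw."""
    lower = pw.lower()
    return any(len(w) >= min_len and w in lower for w in words)


def has_every_class(pw: str) -> bool:
    """Lower, upper, digit and punctuation all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def is_acceptable(pw: str, min_len: int = 16) -> bool:
    """Exceeds a typical provider minimum and fails neither of the post's tests."""
    return (len(pw) >= min_len and has_every_class(pw)
            and not looks_like_word1_bang(pw)
            and not contains_dictionary_word(pw))


def generate_password(length: int = 20) -> str:
    """Draw from the OS CSPRNG (secrets) until a candidate passes every check."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_acceptable(pw, min_len=length):
            return pw


if __name__ == "__main__":
    # Step 4a: see the password before you hand it to any provider.
    print(generate_password())
```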

(This said, for those of you using the web interface for this list, if
you have trouble doing this sort of thing with your passwords, let me
know off-list and I'll see what's up.  Mailman SHOULD be doing it
correctly; if not, I'll be having words with the developers.)

As for the secret Q/A, it pays to use a not-so-obvious question, but
the best answer to give is a non sequitur (e.g., "What city were you
born in?" can get the answer of, say, "Organic ferret owl flavoring"
for an answer that has NOTHING to do with anything). The more esoteric
the better, and for those cases where you need to give some interaction
with a human being, if you can make it silly, well, it helps us, too -
we get a laugh out of the sillier answers, and some days, we just need
that. =)

-Dennis
List operator

