New account registrations are disabled. This website is now an archive.
Marked

What is the obsession with complex passwords?


It seems to be the new thing websites are doing: forcing you to have a password with both letters and numbers, and sometimes forcing you to start with either a letter or a number.

 

But really, what is the point of it? If you're gonna get hacked you're gonna get hacked. Meaning the method used to find out your password is going to reveal your password no matter how complex you want to make it.

 

Unless your password is 'password' or 'qwerty' (in which case you deserve to be hacked) then what is the point?

 

What this is doing is forcing us to change our perfectly secure passwords to a string of numbers and letters that we're probably going to forget, and a lot of people may not be bothered returning to that site.


It's because people are too stupid to think of passwords that are harder to guess for themselves... I guess.


Thank you. I am glad someone else understands this!!!

 

It's actually ironic, because, if you are trying to hack any kind of account by guessing passwords...well, then, I'm sorry but you are doing it wrong.

 

Anyone hacking is either gonna break into some database and steal a bunch of passwords (in that case, as you said Marked, password "strength" makes no difference), or they are probably gonna run some brute force scripts to try and crack the password.

 

What's ironic about symbols, capitals, numbers, etc. is that the computer just sees them all as a string of bits anyways. All a computer really has to do is count; eventually it will get the password.

 

So, password strength is not related to WHAT your password is, it's HOW LONG it is. The difference in time for a computer to try every possible combination of 5 character to 16 characters IS HUGE.

 

Basically, we've all been trained (or now, websites are FORCING us) to choose passwords that are:

A) Easy for computers to guess

B) Hard for humans to remember

 

I find that VERY very silly, and quite backwards.

 

I am with you 125% mark, shall we start a revolution?


There are two ways to steal passwords. I agree breaking into the database and stealing a large amount of them is the way to do it. But it is by far not the only way or the right way.

As much as you should have a password that does not pertain to your everyday life, people do not follow this. I could easily 'hack' the average person's life by guessing their passwords and other personal information. People do need to be told to use alphanumeric and case-sensitive passwords, because the con artists of old who were around long before computers still employ these techniques to steal identities and personal information, which, with today's Facebook and social networking sites, is super easy. Mother's maiden name: available online. Pet's names: available online. Favorite book/show: available online.

We can't forget the tricks of old.


All of that is what I was trying to say, with my layman knowledge :P

I am with you 125% mark, shall we start a revolution?

Yes! I'll start by allowing 1 character passwords on GDU! Who'd guess a 1 character password?


Basically, we've all been trained

I'm 28 and was never taught about passwords. I can only imagine the people 30-80 (and my 80+ great-grandmother uses Facebook); they were all 'taught' this too, right? Nope, they need to be forced, trust me. They come from days when there were no debit cards. People 25 and under do not make up the majority of the working body of the planet, nor do they make up the direction of how paid services should be run.


What this is doing is forcing us to change our perfectly secure passwords to a string of numbers and letters that we're probably going to forget, and a lot of people may not be bothered returning to that site.

Problem I have. I must have left 5 sites in the past year because I forgot my password.

They force you to have a capital in it. Even knowing my passwords are mostly the same, I can't remember what letter was capital or if the site wanted a letter or number first. I have a number first for mine and some sites require a letter. I don't even bother with sites nowadays that require such things.

 

Off topic a little. Another thing that drives me crazy is some sites make you have a different username than your login or email. So most of the time I'm forced to use Polraudi0. It looks very stupid and takes away from who I really am.

Yes! I'll start by allowing 1 character passwords on GDU! Who'd guess a 1 character password?

1 character is harder to guess than a password that is 123456789, or qwertyuiop.

1 character is harder to guess than a password that is 123456789, or qwertyuiop.

...

 

*tries to log in to Pol's Minecraft, rmxpu account, Steam account, Skype, etc. using 123456789 and qwertyuiop*


All of that is what I was trying to say, with my layman knowledge :P

 

Yes! I'll start by allowing 1 character passwords on GDU! Who'd guess a 1 character password?

 

That actually sounds quite genius. As per most WPA2 cracking utilities, most people try to only work with certain ranges of characters, to try and avoid wasted time/CPU power. I wonder if anyone would even think of letting the thing try a 1 character password!

 

I'll be the first to set my password to 1 character!

 

There are two ways to steal passwords. I agree breaking into the database and stealing a large amount of them is the way to do it. But it is by far not the only way or the right way.

As much as you should have a password that does not pertain to your everyday life, people do not follow this. I could easily 'hack' the average person's life by guessing their passwords and other personal information. People do need to be told to use alphanumeric and case-sensitive passwords, because the con artists of old who were around long before computers still employ these techniques to steal identities and personal information, which, with today's Facebook and social networking sites, is super easy. Mother's maiden name: available online. Pet's names: available online. Favorite book/show: available online.

We can't forget the tricks of old.

 

This is true. However, if you REALLY wanna get those people, just send 'em an email saying you're a facebook admin or something, and you need their password, blah blah.

 

I think phishing is *probably* the most popular method of stealing passwords. I didn't mention that, only because with phishing, once you send out your password it's all over but the crime. It doesn't matter how long, how complex, etc.

 

I'm 28 and was never taught about passwords. I can only imagine the people 30-80 (and my 80+ great-grandmother uses Facebook); they were all 'taught' this too, right? Nope, they need to be forced, trust me. They come from days when there were no debit cards. People 25 and under do not make up the majority of the working body of the planet, nor do they make up the direction of how paid services should be run.

 

Well, indirectly. There are still a lot of websites that say "hey you should make your password stronger!" and don't enforce, and some that actually force it.

 

I think it's 6 of one, half a dozen of the other. I was never "taught" passwords either. It's just from signing up everywhere (hotmail, gmail, whatever) that's indirectly taught me that "I'd better make a really weird looking password!"

 

But alas, it's a good point you're making anyways. People should be forced to make stronger passwords; but technically speaking, adding foreign characters only protects you from people trying to guess your password.

 

actually, I think there SHOULD actually be password education. Train people not to use stuff that's easy to find just by running a quick google search.

 

But seriously, the TRUE issue isn't weak passwords. It's password reuse.

 

Here, xkcd explains it too elegantly for me to try and explain:

http://xkcd.com/792/


I 100% agree XD, I use basically the same pass for most of my stuff. Honestly the only thing I protect with my life is my bandcamp page, because that has all my custom work on it and I would hate for that to get stolen. Everything else (YouTube, email, etc.) I can always make another one, and just tell people, hey, account got hacked, don't affiliate with that until further notice. My friend's laptop password is like 30 chars long. Like dude, who is going to want to get into your laptop anyways. lol

 

Edit: with Marked, that is xP, but I get what you're saying, kell.

Edited by Ackley14


Only thing I keep the same is my community site passwords. Stuff like bank, email, and school I keep different, as those have actually important email. I don't put much on Facebook but a couple of pictures, and you can find anyone's face on Google anyways, so what am I really hiding? The only thing that requires me to write different characters and one uppercase is my school password. As someone has said, if someone wants to hack in, they're going to hack in. Obviously it's going to take longer for some encryptions like banks and schools, but they'll get in soon enough. Just look at Sony last year; they got hacked like twice. Bleachforums.com got hacked by some hacker very easily. Nothing is unhackable; it just takes skills. Although I wouldn't be hacking any government buildings anytime soon, but y'all already get the point.


and then suddenly we realize, we're admitting to the man who controls our passwords, that we use the same password for everything.

 

Not to spread any conspiracies or anything.


actually, I think there SHOULD actually be password education. Train people not to use stuff that's easy to find just by running a quick google search.

Everything in the entire world should have a button with a universal symbol for help on it. When you press the button it asks you which language please, you respond. Then a polite slow and accurate female voice explains to you how to use whatever it is you are currently interacting with. That's the future I want, flight attendant type explanations for everything, I sound like I'm being sarcastic but I am really not.

 

My point is that forcing people to use an alphanumeric and case sensitive password also forces them to use a password that is likely not involved with their life, and does protect against one of the methods of stealing passwords. I think that on the same spot that says 'password strength' it should also say 'have you used this password before? Each password should be unique for extra security', or something to that effect.

 

1 character is harder to guess than a password that is 123456789, or qwertyuiop.

 

If you picked a 1 character password, and it could only be a letter or a number, and I got 3 tries before it locked me out every 24 hours, that means it would only take me 12 days to go through all 36 possible combinations (numbers and letters). If I tried to crack tons of people's passwords each day, I would have tons and tons and tons of access after the 12th day, remembering some would crack right away, or before day 12. The number of characters a password has, their complexity, and their relation to your life is always relevant. But I agree the most important factor is repeat usage. People should be 'forced' to make complex passwords for the same reason they are 'forced' to cross the street at a corner (not jaywalk): it's just safer.


People should be 'forced' to make complex passwords for the same reason they are 'forced' to cross the street at a corner (not jaywalk): it's just safer.

 

I guess I can see where you're coming from with that, only because I assume websites don't like dealing with tons of people complaining about their account getting hacked and whatnot.


Having a strong password prevents a dictionary-based or brute-force attack. It obviously does not help with the theft of a database, but that is up to the security of the site, not the person.

 

True, all characters are interpreted simply as a "bunch of bits", but most brute-force attackers target combinations of specific "bits", and simply adding a single foreign character increases the possibilities exponentially, since it forces the use of many millions, even billions more enumerations, depending on the size of the table.


Um... correct me if I'm wrong, but aren't all passwords stored in the database in their encrypted forms? O.o And a cipher needs to be used to undo the encryption? So adding different kinds of letters and symbols throws the brute force off; additionally, the passwords cannot be guessed by looking for common symbol connections (yes, I know my understanding of cryptography is horrible)... then again... that probably doesn't matter if the system has been compromised...

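On the question above of how passwords sit in a database: a site that does it properly does not encrypt passwords reversibly at all. It stores a salted one-way hash and, at login, re-derives the hash from the submitted password and compares. There is no decryption routine anywhere in the system to steal. The following is an added Python example, not code from anyone in this thread or from GDU/RMXPU; it uses PBKDF2-HMAC-SHA256 from the standard library (a production site would more commonly use bcrypt, scrypt or Argon2, which are built for this). The user records and the wordlist are constructed for the demonstration. The `offline_guess` function shows the other side of the thread's argument: once the table leaks, each stolen hash can still be attacked by guessing through the same function, and that is exactly where password strength and uniqueness matter.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # work factor: every guess, legitimate or not, costs this much


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'alg$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table is useless and cracking one
    user's hash says nothing about another's.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time.

    There is no 'decrypt' step: the site never needs the plaintext back.
    """
    alg, iterations, salt_hex, hash_hex = record.split("$")
    if alg != ALGORITHM:
        raise ValueError(f"unsupported record format: {alg}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def offline_guess(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with a stolen table: run guesses through the same
    function. The salt does not stop this; it only forces one derivation per
    user per guess. The iteration count and the password itself set the cost.
    """
    for guess in wordlist:
        if verify_password(record, guess):
            return guess
    return None


# Constructed sample data (hypothetical users, not anyone in the thread).
USERS = {
    "user_a": hash_password("Chevy97"),
    "user_b": hash_password("Chevy97"),   # same password, different salt and record
    "user_c": hash_password("four wheel lakeside ninety seven unrelated"),
}
WORDLIST = ["password", "123456789", "qwertyuiop", "puppy", "Chevy97"]

if __name__ == "__main__":
    for name, rec in USERS.items():
        print(name, "->", offline_guess(rec, WORDLIST))
```

Run it and `user_a` and `user_b` both fall to the five-word list even though their stored records differ, while `user_c` survives it; the site's storage was identical in all three cases, so the difference is entirely the password.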

It basically comes down to not making your password the word "password".

Thing is, aside from online financial institutions and email, there is no real need for some uber-strong password. I couldn't care less if someone got my password for a forum or something. Absolute worst-case scenario, they mess around with my account and get me banned along with causing some mayhem on the site. Getting the misunderstanding resolved would only be as hard as contacting the admin, if it was even needed. If not, the only thing in life I am out of is a membership to a website. That is hardly anything of any real-life consequence.


It basically comes down to not making your password the word "password".

Agreed. If everything you need a password for was different, had a sufficient number of characters to not be an easy guess, and was nothing related to your life in any way, shape or form, then it wouldn't matter if they got access to any one place, because it wouldn't grant them access to others.

But it's people who make simple passwords for their forum accounts, and make personal messages on their forum accounts with personal information (mother's maiden name, their last name, place of birth, favorite pet), things you need to crack more secure stuff, like bank info. Then someone gets into your forum or Facebook or whatever with your simple 12345 password, and uses the abundance of 'secret' information otherwise only visible to you to gain access to the real goods, credit card and bank stuff, through 1-800 numbers and password recovery functions.

 

All that database stuff (to me) is irrelevant because it's on the company's side to protect it, and only represents the 'tech' way to steal stuff. People were doing fraud and stealing identities long before computers, and those methods still ring true. It's those methods that extra secure, long, non-related, and unique passwords are good to protect against. The good ol' fashioned con (confidence) man.

It basically comes down to not making your password the word "password".
Fair enough, though in my personal opinion, if you're using "password" as your password... you deserve it, because you didn't care enough about the account in the first place. Then again, I don't have to listen to customers complain about being hacked either...


Having a strong password prevents a dictionary-based or brute-force attack. It obviously does not help with the theft of a database, but that is up to the security of the site, not the person.

 

True, all characters are interpreted simply as a "bunch of bits", but most brute-force attackers target combinations of specific "bits", and simply adding a single foreign character increases the possibilities exponentially, since it forces the use of many millions, even billions more enumerations, depending on the size of the table.

 

You make a very good point here. However, now that websites are pretty much forcing users to create passwords with upper + lower + numbers or something, wouldn't that mean dictionary based attacks would require the attacker to create dictionaries with combinations of such things?

 

For example, with an entry in the dictionary like bananas, for most cases would be a useless attempt, because there isn't a single password in the database that is ONLY lowercase letters.

 

With that aside, you still can't deny that the length of the password is where its true strength lies. For each extra character, you are exponentially increasing the number possible combinations.

 

But, then again, increasing the number of possible options (i.e. just characters vs. characters and symbols) adds another level of exponential growth hmmmmmmmmmmmm. Let's crunch some numbers:

 

let's say, for sake of argument, we have 52 letters (upper + lower) and 10 numbers and 33 symbols (I think that covers a standard US keyboard, but I may have miscounted. I am including space; and of course ignoring carriage returns, line feeds, etc)

 

so in total that's 95 possible options, for a single "digit" of the password.

 

so, let's say the minimum length of a password is something like 8 characters:

All possibilities = 8^95 = 62165404551223330269422781018352605012557018849668464680057997111644937126566671941632

Just letters = 8^52 = 91343852333181432387730302044767688728495783936

 

And 16 for max:

 

 

All possibilities = 16^95 = 2462625387274654950767440006258975862817483704404090416746768337765357610718575663213391640930307227550414249394176

Just letters = 16^52 = 411376139330301510538742295639337626245683966408394965837152256

 

Well, Fzer0 you've just changed my mind about not using symbols or numbers.

 

But, then again (I could be wrong) I'm not sure how many people use brute force for anything other than wifi networks (nowadays anyway) where, especially if you are using WEP encryption it literally does become a counting exercise for the CPU.

 

I think the most important thing is to inform people of social engineering. Phishing and such are HUGE now (I once got a call from some guy claiming that he worked for Microsoft Windows, and that my computer was sending them reports of being infected with viruses LOL. I played with him for a bit, until he realized it wasn't going anywhere...and he got mad at ME for wasting HIS time);

or for example how dangerous it *can* be to use a public wifi network; considering connections over wifi aren't encrypted and packet sniffing becomes easy as pie.

 

The unfortunate thing is that phishing works far too well. Or my favourite tactic I've seen: once I found a random website that just mimicked Facebook's login page and was logging the username and password fields. Their site directory was open, so I downloaded their log file and saw that there were roughly at least 5-6 people who fell for it.

 

And, what you said about whether it matters having an account hacked, is very, very true. I would only worry if someone broke into an account that stores very private information.

 

All my meaningless accounts (even my emails for that matter) I mostly use false information. Unfortunately with financial/government accounts, that has to be real and very private data :(

 

(and then, of course, most of it is linked to some e-mail)

 

@fox: It really depends on the website. No one is forced to encrypt passwords. And even so, to encrypt something, you need some kind of routine for encrypting it and another routine for decrypting it, which must exist somewhere around the website. It might be on the Database level or on the Website level (or something)

 

Assuming the encryption/decryption routine is done at the database level; if someone gets the database, they have those routines. So now encryption is moot, since they just have to use that routine to output decrypted passwords.

 

Assuming it's on the website level; then they may be able to easily acquire the routines anyways.

 

So really, encrypting passwords may or may not even be beneficial. Making CERTAIN that the actual database cannot be acquired is more important.

 

But, my cryptography knowledge is lacking as well, so I cannot say for certain as to what is more beneficial (and then, you get into many different ways of encrypting data....)

 

@jon bon:

 

Your point of fraud/identity theft is actually a VERY good point.

 

I think the biggest misconception about hacking is that while there are "tech" ways to get into systems, most actual hacking that involves getting passwords, usernames, etc. actually involves social engineering, and unless the target has very poor security, I'd say in most cases the "tech" way is pretty inefficient and not worth the headaches.

 

The weakest link (*most* of the time, assuming there's some kind of decent security implemented) to ANY security system is PEOPLE. I wonder how easy it would be to call into somewhere, pretending to be a certain user, and sweet-talking the person on the other line to give you some password or way in.

 

Or, like I said about phishing, send an e-mail pretending to be someone important; asking for a username and password. Most people might say "whoa, no way!" however, it's not that hard to set up some kind of spam server, and eventually (especially if the email looks legitimate enough) someone's going to get tricked into sending a password.

 

Also, that's another thing: How far does password guessing work, if you don't know anything about the person OR especially if you don't know their username.

 

Now you need a username AND the right password that matches THAT username. If you have a specific user you are targeting, that's not AS hard. Take banks for example, most require you login using your account/card number and a password.

 

While getting an account number is still possible, it's much more unlikely for someone to know your card number (especially if you don't use that number online....) than it would be for them to know your e-mail address, or RMXPU username.

 

Nonetheless, I guess it's very important people think about these things. You can never assume that that information cannot be acquired. Because, most likely, it can.

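Putting numbers to the arguments in this thread. The following is an added Python example, not code from any poster. It computes the keyspace as alphabet size raised to the password length (the 95-character US keyboard count from the post above, the 36 single-character passwords with three tries per day from jon bon's earlier post, and the length-versus-alphabet comparison Marked and kell make), then shows what a rule-based dictionary attack does to an entry like "bananas" once a site enforces upper, lower and digit: the attacker does not need a new dictionary, only rules, and the policy tells him which ones. The policy and the mangling rules here are simplified assumptions standing in for the much larger rule sets of real cracking tools.

```python
import math
from typing import Iterable, List

# Character-class sizes for a standard US keyboard, as counted in the thread.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # symbols include the space
ALPHANUMERIC = LOWER + UPPER + DIGITS             # 62
ALL_PRINTABLE = ALPHANUMERIC + SYMBOLS            # 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters: alphabet ** length.

    The alphabet is the base and the length the exponent, so one more
    character multiplies the space by the whole alphabet, while one more
    symbol in the alphabet multiplies it by (n+1)/n per position.
    """
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace for a uniformly random password of that shape."""
    return length * math.log2(alphabet_size)


def days_to_exhaust_online(alphabet_size: int, length: int, tries_per_day: int) -> float:
    """Worst case for a guesser throttled by account lockout
    (36 single characters at 3 tries per day is 12 days)."""
    return keyspace(alphabet_size, length) / tries_per_day


def years_to_exhaust_offline(alphabet_size: int, length: int,
                             guesses_per_second: float) -> float:
    """Worst case against a stolen hash table, where no lockout applies.
    `guesses_per_second` is whatever the hash function and hardware allow
    (an input assumption, not a measurement)."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)


# --- Dictionary attack with mangling rules ---------------------------------
# Simplified stand-ins for hashcat/John-style rules (assumption: real rule
# sets run to thousands of rules). A complexity policy does not defeat a
# dictionary; it only tells the attacker which variants to generate.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ("1", "123", "!", "1!", "2012")


def mangle(word: str) -> List[str]:
    """Expand one dictionary word into the variants people actually type."""
    cap = word.capitalize()
    out = {word, cap, word.upper()}
    for base in (word, cap):
        for suffix in SUFFIXES:
            out.add(base + suffix)
    leet = "".join(LEET.get(c, c) for c in word)
    out.update({leet, leet.capitalize()})
    return sorted(out)


def meets_policy(pw: str) -> bool:
    """The rule the thread complains about: 8+ chars with upper, lower and digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def policy_candidates(words: Iterable[str]) -> List[str]:
    """Only the mangled variants a policy-enforcing site would have accepted,
    i.e. the guesses an attacker bothers to try against such a site."""
    return [v for w in words for v in mangle(w) if meets_policy(v)]


if __name__ == "__main__":
    for n, label in ((LOWER, "lowercase"), (ALPHANUMERIC, "alphanumeric"),
                     (ALL_PRINTABLE, "all printable")):
        for length in (8, 16):
            print(f"{label:14} length {length:2}: 2^{entropy_bits(n, length):5.1f}")
    print("1 char, 3 tries/day:", days_to_exhaust_online(36, 1, 3), "days")
    print("95^8 offline at 1e9/s:", round(years_to_exhaust_offline(95, 8, 1e9), 2), "years")
    print(policy_candidates(["bananas", "puppy"]))
```

Two things fall out of running it. A 16-character all-lowercase password (26^16) has a larger keyspace than an 8-character password drawn from all 95 printable characters (95^8), which is the length argument in numbers. And a dictionary word expands to only about fifteen variants under these rules, a handful of which satisfy the policy, so a policy-compliant password built from a dictionary word gains essentially nothing against a dictionary attack while a random one gains the full keyspace.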

@kell and bon

 

You've reminded me of something. I read an old article about how two kids got into a judge's computer network by checking his dumpster, aka dumpster diving. So people aren't the only way to get information, but I doubt a website is routinely spitting out paper for its user information. Sorry about that tangent then. To get back to the OP, I guess it would be because websites are a business and real people who don't want to have to deal with customers who were complaining about getting hacked; it's not good for business either. So it's a matter of preventing bad air from spreading?


I think the biggest misconception about hacking is that while there are "tech" ways to get into systems, most actual hacking that involves getting passwords, usernames, etc. actually involves social engineering, and unless the target has very poor security, I'd say in most cases the "tech" way is pretty inefficient and not worth the headaches.

Exactly. People are stupid (as a whole), and don't understand how things work. Which brings us back to the point of the topic, forcing alphanumeric, case sensitive passwords on people. This makes the password likely to not be related to their life and near impossible to 'find out'.

 

I read an old article about how two kids got into a judge's computer network by checking his dumpster, aka dumpster diving.

 

Perfect example. The average con artist would be able to steal our identity within hours using zero 'tech' methods, like the one mentioned above. With things like Facebook and other social networking sites, people give away their information too readily without realizing it. There is little need to even root through trash like a detective of old; nowadays you just go to their local internet hangout and read everything they wrote. But if your passwords and your secret question responses have nothing to do with your life, then no one can realistically guess them with logic. If you let people pick all-letter passwords, 50%+ are going to put 'puppy', 'myskiidoo', 'chevyninetyseven'. But then again, I would bet any money there is someone out there right now who loves their 97 Chevy and their password is Chevy97, alphanumeric and case-sensitive. A password should be impossible to guess through deductive reasoning.


My mother thinks the same way. Personally, being safe is better than sorry. I just leave my password data in LastPass, and so; never worry about memorization and such. Besides, my master pass is ungodly complicated.


People are concerned about passwords being stolen. It's not about how complex the password needs to be. The site's security needs to be good.


People are concerned about passwords being stolen. It's not about how complex the password needs to be. The site's security needs to be good.

 

It's about both. If your whole life is oriented around your favorite pet, and everything you own has its name on it, and you have pictures of it on / talk about it on every social networking site, it's definitely not a good idea for that name to be your password.

Both are equally important as there are many effective ways to obtain someones password, but this was mentioned already many times in this very thread.


Complexity only matters if you are being targeted specifically; otherwise it's the site. Using the above-mentioned "favorite pet" example, that only matters if someone knows you enough to know that you love your pet. Anonymous people cracking databases of a site are not attempting your password of "Fluffy".

 

Ironically enough, even if someone is targeting you personally, they would be moronic to try and guess it. Keyloggers, RATS, phishing, and an assortment of other methods make that easy, so in all reality when it comes to website related passwords, a basic password is more than enough. I would rather spend the 10-15 minutes creating and deploying a keylogger or RAT before I would bother guessing passwords blindly.


It doesn't take a lot to 'know somebody enough' in this day and age; people are stupid with their information, especially the stupid people who use personal information as passwords rather than nondescript numbers and letters.

I would social engineer my way. Find someone with 'more money than sense' and go to their Facebook, Twitter, etc. account and, like you said, target them directly, as an anonymous stranger. When I do gain access to their stuff, since I picked my 'mark' (confidence artist term) wisely, it pays off well. Rather than literally 'fishing' for useful passwords and accounts.

Quality versus quantity. Both methods work, to forget one or the other is silly. People are stupid enough to use their personal details for their super important stuff. I would bet any money at least one person reading this has their birthday as their pin code (shakes head).
