posted by mrcoolbp on Sunday March 29 2015, @10:38PM
from the correct-horse-battery-staple dept.

Micah Lee writes at The Intercept that "coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion."

But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You’ll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You’ll need a total of five dice rolls to come up with each word in your passphrase. Using Diceware, you end up with passphrases that look like “cap liz donna demon self”, “bang vivo thread duct knob train”, and “brig alert rope welsh foss rang orb”. If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use fewer words. If you choose two words for your passphrase, there are 60,466,176 different potential passphrases. A five-word passphrase would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.

I recommend that you write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn’t take more than two or three days before you no longer need the paper, at which point you should destroy it.

"Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop," concludes Lee. "It’s a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training."
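The arithmetic behind the summary (five rolls per word, 6^5 = 7,776 words, and the crack-time figures at a trillion guesses per second) is easy to check in code. The following is an added example, not code from Lee's article or from the Diceware project. It maps five dice rolls to a position in a dice-code-ordered list, draws rolls from the OS CSPRNG as the software stand-in for physical dice, and reproduces the keyspace and average crack-time numbers quoted above. The word list here is a constructed placeholder (`word0000` ... `word7775`) so the script runs offline; for real use you would load the actual Diceware list in dice-code order.

```python
import math
import secrets

# Constructed stand-in for the Diceware list. The real list maps each of the
# 7776 five-digit dice codes (11111 .. 66666) to an English word; here each
# position holds a placeholder token so the example runs without the file.
DICEWARE_SIZE = 6 ** 5  # 7776
WORDLIST = [f"word{i:04d}" for i in range(DICEWARE_SIZE)]


def rolls_to_index(rolls):
    """Convert five dice rolls (each 1..6) into the 0-based position of the
    word in a dice-code-ordered list: 11111 -> 0, 11112 -> 1, ...,
    66666 -> 7775. The code is simply a base-6 number with digits 0..5."""
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five rolls in the range 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_die():
    """One fair die roll from the OS CSPRNG. Physical dice, as the article
    recommends, avoid trusting any software at all; if you do use software,
    use `secrets`, never the `random` module, for anything secret."""
    return secrets.randbelow(6) + 1


def diceware_passphrase(n_words, wordlist=WORDLIST):
    """Roll five dice per word and look each code up in the list."""
    words = []
    for _ in range(n_words):
        rolls = [roll_die() for _ in range(5)]
        words.append(wordlist[rolls_to_index(rolls)])
    return " ".join(words)


def combinations(n_words):
    """Number of distinct passphrases of n_words words."""
    return DICEWARE_SIZE ** n_words


def entropy_bits(n_words):
    """Each word contributes log2(7776) ~= 12.9 bits."""
    return n_words * math.log2(DICEWARE_SIZE)


SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def average_crack_seconds(n_words, guesses_per_second=1e12):
    """Expected time for an exhaustive search: on average the attacker hits
    the right passphrase halfway through the keyspace."""
    return combinations(n_words) / 2 / guesses_per_second


def average_crack_days(n_words, guesses_per_second=1e12):
    return average_crack_seconds(n_words, guesses_per_second) / SECONDS_PER_DAY


def average_crack_years(n_words, guesses_per_second=1e12):
    return average_crack_seconds(n_words, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    for n in range(2, 8):
        print(f"{n} words: {combinations(n):,} passphrases, "
              f"{entropy_bits(n):.1f} bits, "
              f"{average_crack_days(n):,.1f} days / "
              f"{average_crack_years(n):,.1f} years on average at 1e12 guesses/s")
    print("sample passphrase (placeholder list):", diceware_passphrase(6))
```

Running it reproduces the figures in the summary: two words give 60,466,176 passphrases, five words fall at roughly 165 days (just under six months), and six words at about 3,505 years, assuming a 365-day year and an attacker who knows you used Diceware and therefore only has to search the word list, not every character string.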

  • (Score: 2, Disagree) by Covalent on Monday March 30 2015, @01:19AM

    by Covalent (43) on Monday March 30 2015, @01:19AM (#164008) Journal

    First, let me say I'm as guilty as the next guy of what I'm about to accuse the next guy of.

    1. Users like short, easy passwords that they can remember and type quickly
    2. Unless prohibited from doing so, users will use the same password for lots of sites
    3. When forced to change, users will usually increment the number in their password by one.

    Case in point, I used my anniversary as my password at work for many years. Every 6 weeks we were forced to change. By the time they ended that policy my anniversary had shifted by nearly 2 months.

    I know enough about security to know this is a bad idea. But if someone hacked into my computer at work, all they would be able to do is access my shared hard drive on our server. To change grades or attendance (teacher here), they would have to know an additional password for the grading software (which I haven't changed since I set it back in 2003 (yikes) but which is different from the computer login and password).

    I've always wondered why people with important secrets to protect are ALLOWED to choose their own passwords. If you really care that much, users should be assigned passwords that are long enough to be impossible to crack (in the time they are valid) but simple enough for the user to remember.

    Here's how I'd do it. Please shoot holes in this idea :)

    The employer keeps a list of 30 words that you are really confident in (dog's name, kids' names, birthdays, anniversaries, street you grew up on, etc.). The password is a list of 3 of those words, plus a word chosen at random, all in random order.

    So your password for this month might be Street - Dog - Maiden - Random: ParkFluffyJablonskiOkra
    Next month it's Kid2 - Random - Street - Wife: MichaelHerpesParkJanice

    (I figured no one uses Okra or Herpes in their passwords).

    You could even write these down in an easy to remember code for your own purposes (Kid2 - Random - Street - Wife will work if you remember the random word. It gets less secure if you write down the random word, but even then it's not hacked because someone will have to know the other facts about you).

    No switching passwords. The passwords are only good for say a month, so unless someone was willing to dedicate enormous resources to cracking them, they're safe from brute forcing. If you're that important, make it five words.

    OK, nerds...what's wrong with something like this?

    --
    You can't rationally argue somebody out of a position they didn't rationally get into.
  • (Score: 3, Informative) by Gaaark on Monday March 30 2015, @01:47AM

    by Gaaark (41) on Monday March 30 2015, @01:47AM (#164013) Journal

    OK, nerds...what's wrong with something like this?

    If i was an AC, i'd probably start with something like, 'Fucking everything, asshole' (isn't that what is happening nowadays?)

    But it sounds to me to be much better than the memory knockers like "Where were you born", "your mother's maiden name", etc., which could be found by someone who really wanted to hack you.

    I personally switched after reading the XKCD comic: my password is 18 characters and up, or:

    Length: 18
    Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
    Entropy: 69.6 bits
    Charset Size: 26 characters

    according to the rumkin site.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---