Passwords, why not 2 or 3 little ones instead of 1 big one

gotsmack

Diamond Member
Mar 4, 2001
5,768
0
71
I remember reading an article a while back that said with today's computing power, it is safer and easier to remember to have a website that makes you enter 2 or 3 passwords that aren't restricted instead of 1 long one.

So it would load a page like

Login: *****

Password 1: ***

Password 2: ****

instead of having 1 long ass password like they require at my work which looks like

Login: *******

Password: ABcdghi!@123


Why haven't we moved over to a 2 or 3 password log in yet if it is safer?
 

Imp

Lifer
Feb 8, 2000
18,829
184
106
Password1
Password2

Those secret questions essentially do that now.
 

Svnla

Lifer
Nov 10, 2003
17,999
1,396
126
That's why it is better to do ID confirm via other means such as text to phone.

Login: bobsmith
password: xxxxxx

then the website sent a short text message to your cell phone and you need it to continue.

text: xxxxx

Done.
 

destrekor

Lifer
Nov 18, 2005
28,799
359
126
Passwords just need to die, entirely. Just, none. Multiple short ones, complex long ones... the average person will simply try to find ways to meet the bare minimum complexity requirements, and in doing so, continue to create exceptionally weak passwords.

Multi-factor with biometrics needs to become the standard.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
What's the difference between:
password1: asdf2
password2: ty7eu

And a single password: asdf2ty7eu??

The first 2 are easier to brute force.

We just need encrypted QR codes for all.
 

lxskllr

No Lifer
Nov 30, 2004
57,659
7,893
126
What's the difference between:
password1: asdf2
password2: ty7eu

And a single password: asdf2ty7eu??

If they're stored in different locations, it could make a data breach less damaging. Not sure what practical difference it makes though. If your setup gets pwned, the attacker could get both.
 

Ferzerp

Diamond Member
Oct 12, 1999
6,438
107
106
Multi-factor with biometrics needs to become the standard.

Yes. Let's create an authentication system where once you can fool it with copied data, we can *never* fix it, and you can impersonate an individual forever on all accounts they possess!




edit: "Excuse me Dr, I need you to change my fingerprints and the pattern of my retinas. My information got leaked."
 

Red Squirrel

No Lifer
May 24, 2003
67,907
12,376
126
www.anyf.ca
Not sure how this would change much; nothing stops you from making 3 small passwords and just combining them.

IMO, short of ridiculous systems with stupid requirements or restrictions, the concept of a password works fine - it just has to be implemented right, and unfortunately it's often not the case. The key is that systems that use passwords should also have brute force protection, yet most systems don't. Hard to do for something that can be done offline like an encrypted file, but for a web page or server you have to login to, there's absolutely no reason why they can't have brute force protection built in.

Also, get rid of the requirement to change it every month but replace with a reminder after a year, but don't force it. That serves practically no purpose. If someone is brute forcing the system, the fact that you changed your password recently, or 10 years ago, does not matter. And let's assume a brute force operation is happening over the course of multiple years (as it would probably take due to network latency and other factors of brute forcing something online); whether or not you changed it multiple times in that time does not matter. The brute force algorithm may or may not have already tried the password you just set it to.

I guess one purpose of changing a password is if there was some kind of leak, but you should change it anyway if that happens, don't force it, just educate users, and if a major leak happens then advise users that they should change it, or perhaps force a change at that point... even a leak that has nothing to do with that service, as people reuse passwords. At work we have about 40ish different passwords, they all expire at different times, some you can't even voluntarily change while others you can. Makes it ridiculously hard to keep them in sync, which encourages people to just write them down.
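To make the "brute force protection" point above concrete, here is an added example (not code from the thread or any poster) of a per-account throttle in front of a web login: the policy (a few free failures, then a doubling delay up to a cap) and the `verify` callback are my assumptions.

```python
"""Added example, not from the thread: a per-account throttle of the kind
an online login should have. Policy is my assumption: `free_tries` failures
cost nothing, then the wait doubles per failure up to `max_delay`."""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class LoginThrottle:
    free_tries: int = 3          # failures tolerated before any delay
    base_delay: float = 1.0      # first delay, seconds
    max_delay: float = 900.0     # cap, so a lockout cannot grow unbounded
    _failures: dict = field(default_factory=dict)      # user -> count
    _locked_until: dict = field(default_factory=dict)  # user -> timestamp

    def retry_after(self, user: str, now: Optional[float] = None) -> float:
        """Seconds still to wait before `user` may try again (0 = go)."""
        now = time.time() if now is None else now
        return max(0.0, self._locked_until.get(user, 0.0) - now)

    def record_failure(self, user: str, now: Optional[float] = None) -> float:
        """Count a failed check and return the delay now imposed."""
        now = time.time() if now is None else now
        n = self._failures[user] = self._failures.get(user, 0) + 1
        excess = n - self.free_tries
        if excess <= 0:
            return 0.0
        delay = min(self.base_delay * 2 ** (excess - 1), self.max_delay)
        self._locked_until[user] = now + delay
        return delay

    def record_success(self, user: str) -> None:
        """A correct password clears the account's counter and lock."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def attempt_login(throttle: LoginThrottle, user: str, password: str,
                  verify: Callable[[str, str], bool], now: Optional[float] = None):
    """Gate the real credential check (`verify`, assumed to exist) behind the
    throttle; during a wait `verify` is never called, so a guesser gets no signal."""
    wait = throttle.retry_after(user, now)
    if wait > 0:
        return ("wait", wait)
    if verify(user, password):
        throttle.record_success(user)
        return ("ok", 0.0)
    return ("denied", throttle.record_failure(user, now))
```

A per-account counter alone does not stop someone spreading guesses across many accounts, and an uncapped lockout lets anyone lock a victim out by entering junk, which is why the delay is capped and should be paired with a per-source limit.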
 

Red Squirrel

No Lifer
May 24, 2003
67,907
12,376
126
www.anyf.ca
Yes. Let's create an authentication system where once you can fool it with copied data, we can *never* fix it, and you can impersonate an individual forever on all accounts they possess!




edit: "Excuse me Dr, I need you to change my fingerprints and the pattern of my retinas. My information got leaked."

Yeah biometric and retina scan sounds cool because it's so futuristic, but reality is, it's basically a password that never changes, at all. It would also encourage violence, as people who really want your info would just hack your fingers off if you don't give them access. I could actually see courts do this, they already get so mad because they can't recover encrypted iphones. If they could just cut someone's finger off they would.
 

Darwin333

Lifer
Dec 11, 2006
19,946
2,329
126
What's the difference between:
password1: asdf2
password2: ty7eu

And a single password: asdf2ty7eu??

I'm no math wiz but if both need to be entered at the same time wouldn't it be a fuckload harder to brute force both passwords at once than just the single or does the math work out to the same amount of possible combinations?

Math should be able to easily answer if this would be better or simply the same.
 

OutHouse

Lifer
Jun 5, 2000
36,413
616
126
That's why it is better to do ID confirm via other means such as text to phone.

Login: bobsmith
password: xxxxxx

then the website sent a short text message to your cell phone and you need it to continue.

text: xxxxx

Done.


if you are not doing this with your google account you are a fool.
 

Red Squirrel

No Lifer
May 24, 2003
67,907
12,376
126
www.anyf.ca
I'm no math wiz but if both need to be entered at the same time wouldn't it be a fuckload harder to brute force both passwords at once than just the single or does the math work out to the same amount of possible combinations?

Math should be able to easily answer if this would be better or simply the same.

Actually now that I think of it, it would add slightly more security, since brute forcing would have to take into account where the password is "split". Ex:

"AA" + "A" != "A" + "AA" so both have to be tested. At least assuming the system does not just combine them and test with a single stored hash.

But you can also just add a couple extra characters at the end of a regular password to make it harder... so really I don't think multiple fields solves much.
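The question Darwin333 asked and Red Squirrel answered above (is two 5-character fields harder to brute force than one 10-character password?) comes down to how the server verifies them. The following is an added example, not code from the thread or any poster; the 62-symbol alphabet and exact lengths are my assumptions, and it covers the three verification models the posts describe.

```python
"""Added example, not from the thread: the search-space arithmetic behind
"two short passwords vs one long one". Assumptions are mine: a 62-symbol
alphabet (a-z, A-Z, 0-9) and passwords of exactly the stated length."""
import math

ALPHABET = 62  # assumed symbol set size


def single_space(length, alphabet=ALPHABET):
    """Guesses to exhaust one password of exactly `length` symbols."""
    return alphabet ** length


def joint_space(len1, len2, alphabet=ALPHABET):
    """Both fields checked together against ONE hash of the concatenation
    (the 'just combine them' case): all len1+len2 symbols must be guessed
    at once, exactly as for a single password of that total length."""
    return alphabet ** (len1 + len2)


def joint_unknown_cut_space(total, alphabet=ALPHABET):
    """As above, but the attacker does not know where the `total` symbols
    are cut between the fields ("AA"+"A" vs "A"+"AA"): each of the
    total-1 cut positions is a separate candidate."""
    return (total - 1) * alphabet ** total


def independent_space(len1, len2, alphabet=ALPHABET):
    """Each field has its own stored hash and can be checked on its own (a
    leaked database, or a server that reveals which field was wrong):
    the fields are cracked one at a time, so the work is the SUM of the
    two spaces, not the product. This is the 'easier to brute force' case."""
    return alphabet ** len1 + alphabet ** len2


def bits(guesses):
    """Search space as bits of entropy, for easier comparison."""
    return math.log2(guesses)


def compare(len1, len2):
    """Worst-case guesses under each verification model, e.g. compare(5, 5)."""
    total = len1 + len2
    return {
        "one_password_same_length": single_space(total),
        "two_fields_joint": joint_space(len1, len2),
        "two_fields_joint_unknown_cut": joint_unknown_cut_space(total),
        "two_fields_independent": independent_space(len1, len2),
    }
```

For compare(5, 5) the joint models land around 59.5 bits (and a bit more with the cut unknown), while two independently checked fields collapse to about 31 bits, roughly 458 million times less work.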
 

Jeff7

Lifer
Jan 4, 2001
41,599
19
81
There have been password leaks with millions of real passwords in plain text. From that, a computer program can figure out patterns. Something like "correct horse battery staple" follows a regular pattern.

There are password dictionaries with billions of passwords. (And I bet "correct horse battery staple" is in them.)

A strong password isn't worth a darn if the server's using crap security, either not encrypting the passwords at all, or using a lousy hash that any OpenCL-capable GPU could crack in a few hours. Unfortunately, that's probably not something that a webadmin will be willing to tell you, unless they're really confident in their encryption scheme.
 

Phoenix86

Lifer
May 21, 2003
14,643
9
81
I was going to post both of these things. :thumbsup:

Which was my point, well about entropy. 2 factor is the best we can reasonably get currently, as far as I know.

Ironic thing I have had this for YEARS on my bnet account, but my bank is limited to around 10 characters or something retarded and still enforces C4p$ type passwords. Fucking incredible.

There are password dictionaries with billions of passwords. (And I bet "correct horse battery staple" is in them.)

You'd be very correct, though the idea is sound. Just don't use THAT password.
 

Jeff7

Lifer
Jan 4, 2001
41,599
19
81
Which was my point, well about entropy. 2 factor is the best we can reasonably get currently, as far as I know.

Ironic thing I have had this for YEARS on my bnet account, but my bank is limited to around 10 characters or something retarded and still enforces C4p$ type passwords. Fucking incredible.
I love those.
"It has to be really cryptic! Just don't make it too long though. We don't want you to have trouble remembering it. Oh, and you need to change it every month. Good luck!"




You'd be very correct, though the idea is sound. Just don't use THAT password.
And then you've got IT policies where you're automatically logged out after 5 minutes of inactivity from a computer you use every 6-10 minutes. It provides a powerful incentive to have a password that is no more than 1 character long.


And of course the other reason for short passwords: Even people who type on a computer every day still type very. Slowly. I can manage 25-30WPM. Using only one hand. (Not touch-typing, mind you, I do need to look at the keys.)
Though I can see a day when my old, arthritic, keyboard-ruined hands will be used to type out the last lines of code that will finally make a USB-->brain interface possible.

But they won't choose a long password, even if it's easy to remember, like "I don't remember my password. Please help me, website." It takes too darn long to type in.
(It also follows normal rules of English grammar, normal English words, and normal punctuation. It's almost like it has some kind of pattern, a pattern of the sort that a computer could be programmed to follow. :hmm
 

Phoenix86

Lifer
May 21, 2003
14,643
9
81
I love those.
"It has to be really cryptic! Just don't make it too long though. We don't want you to have trouble remembering it. Oh, and you need to change it every month. Good luck!"

Oh man, worst job (for passwords) I had was at a health care company. I had access to maybe 30 different systems. Each had their own convoluted variations of length/caps/symbols, different forced reset times, many didn't allow repeats, ever.

I came up with a set of rules that worked for every system. I think it was 7-8 characters (one had an 8 char max) with one symbol (specific symbols as one unix system didn't like a specific set) and one number/cap.

If any system prompted me to change, I force reset ALL of them. It took around an hour, 1/month. It was the only thing I could do to remain sane.
 

Jeff7

Lifer
Jan 4, 2001
41,599
19
81
Oh man, worst job (for passwords) I had was at a health care company. I had access to maybe 30 different systems. Each had their own convoluted variations of length/caps/symbols, different forced reset times, many didn't allow repeats, ever.

I came up with a set of rules that worked for every system. I think it was 7-8 characters (one had an 8 char max) with one symbol (specific symbols as one unix system didn't like a specific set) and one number/cap.

If any system prompted me to change, I force reset ALL of them. It took around an hour, 1/month. It was the only thing I could do to remain sane.
"It's a riddle! 'Speak 'friend5@aSS1' and enter.'"


At that point, what is it then?
friend5@aSS1
friend5@aSS2
friend5@aSS3
friend5@aSS4
...
friend5@aSS9
friend6@aSS0




.........I have no idea why I accidentally typed "friend5@aSS" without even thinking about it.

Phoenix, I guess I had some encrypted things to tell you...
 