Michael August 30, 2011 12:59 PM

Imagine your pet’s name is Buddy, you live on State Street, you’re 15, and you like to stargaze at night. A good password for you would be budstat15*. Or go for something humorous you can remember. One woman set her work password to remind her of why she went to work, 4da$cash.

No comment.

Brendan Kidwell August 30, 2011 1:16 PM

I suppose “budstat15*” is a little harder to guess than “buddystate”, but still yeah: stop using passwords that came from your LIFE! Ask a computer for random words or syllables.

bobby August 30, 2011 2:45 PM

They could make easy pwds about things in your life and then run them through a simple Caesar cipher. Then follow the usual rules for good passwords. In that way it’s easy to recall.

abby August 30, 2011 3:33 PM

Like so many things, xkcd has it right:

The mistake: teaching people to make short passwords. So if Facebook is serious about security, they’ll allow (or even require) very long passphrases.

Bilateralrope August 30, 2011 3:38 PM

At first, I was too lazy to enter details on Facebook beyond my name. Any messages I post there are things I don’t care about others knowing.

The more I’ve heard about Facebook’s security, the more I’m convinced that my laziness is the correct course of action, as they can’t share information I’m too lazy to give them.

Jon August 30, 2011 4:24 PM

More seriously, every previous time Facebook has ‘revamped its security’ all the ‘permit everyone to see this’ boxes wind up, by default, checked. Unchecking them has been quite a chore.

Why should we trust them any more this time?

Mike August 30, 2011 6:36 PM

How would you go about finding this thing on their site, in the interest of not blindly pointing people at PDFs via untrusted URLs?

Thomas August 30, 2011 6:52 PM

re: XKCD

Couldn’t agree more re: pass-phrases vs. p4$$word5

The trouble is that some interfaces (e.g. mobile phones) make typing long pass-phrases too difficult (y do u thnk sms spk evlvd?)

re: facebook
The stuff they really want you can’t lie about.
Who cares if your real name isn’t John Smith when they have your social graph, browsing habits, comments, likes and dislikes?

godel August 30, 2011 9:04 PM

On this site there’s some conflict between what’s adequate for the ordinary slob logging onto Facebook, and what’s adequate to protect the latest jet fighter plans or RSA’s security token seeds.

For a 15 year-old boy, budstat15* is probably just adequate, although one upper case character and a few extra characters on the end would be a help.

It’s all down to the cost and time required to break the password, versus the pay-off. Ten characters is where brute forcing starts to cost an attacker some money and time to decode, and the result has to be worth it.

Never mind XKCD, Gibson Research’s page is probably more relevant.

Although my comments above assume that websites are smart enough to use salted hashes to store passwords, and to our shock and amazement, this has turned out not always to be true.

Jonathan Wilson August 30, 2011 10:26 PM

What really annoys me re passwords are those times when a site or something has a maximum password length.
One site I use (for a bank) won’t let me use more than 10 characters in a password.

SM August 31, 2011 1:56 AM

In addition, if your computer has a keylogger or similar, a pass-phrase is more difficult to find than a p4$$word5.

Phil August 31, 2011 3:12 AM

@Jonathan Wilson
What is even more annoying is a password system that lets you type a password of any length but just takes part of it and ignores the rest without telling you.

I discovered it a few years ago when I mistyped the end of my password to a CVS repository and was still granted access. Then I looked at the documentation and discovered it just uses the first 8 characters of the password and trashes the rest.

Carlos August 31, 2011 7:28 AM

Facebook does allow passphrases, or at least really long passwords (with at least 20 chars…) with spaces in them.

As does Google.

AppSec August 31, 2011 8:23 AM

What I don’t understand:

Why is their OTP time expiration set to 20 min??

That makes absolutely no sense. I’m not going to request a password and then not login immediately after that. Even if you factor in a little time delay there’s no reason to have it more than 5 minutes.

Has anyone used this system from them?

Ateles August 31, 2011 9:35 AM

ITWorld has an interesting article here about how it’s possible to tag someone and block them from seeing the tag, amongst other issues with the new system.

Jon August 31, 2011 6:26 PM

Many of my passwords wind up as acronyms of “pass phrases”. They do turn out to be the easiest to remember.

They are, however, much more vulnerable to rainbow table attacks than real pass phrases.

Ross Quirkz September 1, 2011 10:41 AM

@Phil “lets you type a password of any length but just takes part of it and ignores the rest without telling you.”

I remember using some forums software that didn’t like certain characters, such as the @ symbol in passwords. Rather than saying the password was bad, it just dropped those characters from the middle of the word. I can’t even remember how I thought to try the password without the @, to finally be able to log in.
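
A worked illustration of the silent-normalisation problem Phil and Ross describe, added here as example code that is not from the thread or from any of the systems mentioned: a constructed `legacy_hash` that strips `@` and keeps only the first 8 characters sits next to a hardened verifier, and two probes let a tester detect such behaviour in a password store without reading its source. The salt, iteration count and sample passwords are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Model of the behaviour both comments describe: the store silently
    strips '@' and keeps only the first 8 characters before hashing."""
    cleaned = password.replace("@", "")[:8]
    return hashlib.sha256(salt + cleaned.encode("utf-8")).digest()


def strict_hash(password: str, salt: bytes) -> bytes:
    """Hardened verifier: the whole password, untouched, goes into a salted,
    iterated hash (iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def verify(stored: bytes, salt: bytes, attempt: str, hasher) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(stored, hasher(attempt, salt))


def effective_max_length(hasher, salt: bytes, probe_len: int = 32) -> int:
    """Smallest prefix length whose hash equals the full password's hash,
    i.e. how many characters the store really uses (probe_len if all)."""
    pw = secrets.token_urlsafe(probe_len)[:probe_len]  # alphabet contains no '@'
    full = hasher(pw, salt)
    for k in range(1, probe_len + 1):
        if hmac.compare_digest(full, hasher(pw[:k], salt)):
            return k
    return probe_len


def drops_character(hasher, salt: bytes, ch: str) -> bool:
    """True if inserting ch into a password leaves the hash unchanged,
    i.e. the store silently discards that character."""
    base = "horsebat"  # exactly 8 chars, so truncation cannot mask the result
    return hmac.compare_digest(hasher(base, salt),
                               hasher(base[:4] + ch + base[4:], salt))


if __name__ == "__main__":
    stored = legacy_hash("correct horse battery staple", SALT)
    # A mistyped tail still logs in: only the first 8 characters were ever hashed.
    print("legacy accepts typo:", verify(stored, SALT, "correct horse battery stapel", legacy_hash))
    print("legacy uses", effective_max_length(legacy_hash, SALT), "chars; drops '@':",
          drops_character(legacy_hash, SALT, "@"))
    print("strict uses", effective_max_length(strict_hash, SALT), "chars; drops '@':",
          drops_character(strict_hash, SALT, "@"))
```

Run the two probes against any account you control on a system under test: a result below the advertised maximum length, or a dropped character, is the silent behaviour both comments ran into.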

Dirk Praet September 1, 2011 6:42 PM

Drawing from my own experience with Facebook users, the entire security guide is pretty much useless in the sense that 99% of them claim they have nothing to hide anyway so really couldn’t be bothered less. Mileage of people living in countries with oppressive regimes (Syria, China, Iran, Libya, Bahrain etc.) may vary.

pessimistic September 6, 2011 7:04 AM

It is great that they improve their game, but I never trust them anymore after my friend’s account got hacked (and, she being dumb with passwords, her other accounts as well).

It was totally impossible to get Facebook to take any action, and the hacker was able to troll with the account for a month. Emails were easy to reclaim, as Google, for example, has reasonable IT support. Endofwhinystory();
