"Tips For Crafting A Strong Password That Really Pops"

Funny, and the inspiration for this week's headlines. (Note that the image shows Password Safe on the screen.)

And marginally related, here's an odd essay about using a password as a mantra for personal change.

Posted on July 11, 2014 at 2:09 PM • 45 Comments

Comments

nonnee • July 11, 2014 2:19 PM

Oh, so there was some explanation for those weird titles. But not much convincing.

Please, never do this again, if it's really you. I'd post this on the squid today, but no squid appeared so far.

And also, I find it annoying that no comments were made in the noIP x microsoft dispute.

Chelloveck • July 11, 2014 2:34 PM

@nonnee: I have no problem with this week's titles as such, but I'd urge Bruce not to do it again just because reading all the complaints got very tiresome. :-/

Clive Robinson • July 11, 2014 2:35 PM

When I saw this on the FriSquid page I thought this is going to be something clever using oil, corn kernels, heat and something like a USB camera with clever software to generate good random numbers to select passwords with via the "popping corn".

You can only imagine my disappointment ;-)

Jacob • July 11, 2014 2:39 PM

I've recently read somewhere of a guy who invented the perfect password: "incorrect"

He uses it everywhere, and claims that the beauty of it is that whenever he enters the wrong password, the system always reminds him of his true password: "your password is incorrect"

Anura • July 11, 2014 2:40 PM

@Clive Robinson

Clever software?

// C#-style sketch: hash the raw popcorn video stream down to a 512-bit seed.
// Sha512 is a streaming hash wrapper with Append/Final; VideoStream is the capture source.
byte[] buffer = new byte[8192];
int bytesRead;
Sha512 hash = new Sha512();
while ((bytesRead = VideoStream.Read(buffer, 0, buffer.Length)) > 0)
    hash.Append(buffer, bytesRead);   // feed each chunk of frame data into the hash
return hash.Final();                  // 64 bytes to seed a PRNG for picking passwords

Michael E. • July 11, 2014 3:42 PM

I found them amusing. I do agree it would have been nice to see some response as folks become more annoyed/concerned.

Regardless, it's good to remember whose blog it is - Bruce could suddenly change it to a squid posts only blog, it's entirely up to him.

Jon • July 11, 2014 6:45 PM

I like taking the first letter of long passphrases and turning them into passwords.

Schneier on security is the best blog in the world = Sositbbitw

Throw in a few numbers and printable special characters.

So5itbB|tw!

Or I just use the whole passphrase so it's longer.

SchneierOnSecurityIsTheBestBlogInTheWorld!

Which one do you think has more entropy, and which one do you think would take longer for HashCat to guess? The short passphrase or long passphrase?
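A worked comparison of the two candidates, as an added example (not from the original thread; the 20,000-word vocabulary is an assumed attacker model): it scores both under a character-class brute-force model and the long phrase under a word-by-word guessing model, which is the more realistic attacker for a readable sentence.

```python
import math
import string

# Constructed sample inputs: the two candidates from the comment above.
SHORT = "So5itbB|tw!"
LONG = "SchneierOnSecurityIsTheBestBlogInTheWorld!"

# Character classes a brute-force cracker must cover once it sees one member.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def alphabet_size(pw: str) -> int:
    """Sum the sizes of every character class that occurs in pw."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))

def brute_force_bits(pw: str) -> float:
    """Search-space bits for an attacker who tries every string over the
    observed alphabet at this length: log2(alphabet ** length)."""
    return len(pw) * math.log2(alphabet_size(pw))

def split_camel(pw: str) -> list:
    """Split a CamelCase phrase into words, ignoring digits and symbols."""
    words, cur = [], ""
    for c in pw:
        if c.isupper() and cur:
            words.append(cur)
            cur = ""
        if c.isalpha():
            cur += c
    return words + [cur] if cur else words

def wordlist_bits(pw: str, vocab: int = 20000) -> float:
    """Search-space bits for an attacker who guesses the phrase word by word
    from a vocabulary of `vocab` common words (assumed size), plus one
    optional trailing punctuation character."""
    words = len(split_camel(pw))
    return words * math.log2(vocab) + math.log2(len(string.punctuation) + 1)

if __name__ == "__main__":
    for pw in (SHORT, LONG):
        print(f"{pw}: brute-force {brute_force_bits(pw):.1f} bits")
    # The word-list model only makes sense for the readable phrase.
    print(f"{LONG}: word-list {wordlist_bits(LONG):.1f} bits")
```

The phrase keeps far more bits than the abbreviation even when the attacker knows it is built from common words, so under both models it is the slower one to guess.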

Nick P • July 11, 2014 11:53 PM

@ Clive Robinson

Haha. Makes me think, though, about how much entropy is in swirling or boiling water if one trains a detailed camera, microphone, or both on it. Given the lava lamp research I'd guess quite a bit. Yet, there could be enough recurring patterns that make the actual entropy smaller than it appears. Of course, this is for fun as we already have much simpler and more energy efficient sources of randomness.

Anura • July 12, 2014 12:40 AM

@Nick P

The total entropy depends on the amount of water, but it's around 70 J/(mol*K), according to Wikipedia.

Coyne Tibbets • July 12, 2014 1:43 AM

The whole article reminds me of...

"Bzzzzzzzzzzzzzzzzzt! Korben, sweetheart, what was that? IT WAS BAD! It had nothing! No fire, no energy, no nothin'! You know I have a show to run here, you know? Hmm? Hmm? And it must pop, pop, POP! So tomorrow from five to seven, will you please act like you have more than a two word vo-cab-u-lary? It must be green, OK? OK?" -Character Ruby Rhod, The Fifth Element

Passwords must pop, pop, POP! They must be green! And you must please act like you have more than a two word vo-cab-u-lary. OK? OK?

Nick P • July 12, 2014 1:10 PM

@ Coyne

+1 for Fifth Element reference. Chris Tucker's character was hilarious. Especially one hairstyle in particular I just had to shake my head at.

Alex • July 12, 2014 4:01 PM

@Jon, the longer one is better. Think of two passwords of 2 and 3 characters: 90x90

Alex • July 12, 2014 4:02 PM

@Jon, the longer one is better. Think of two passwords of 2 and 3 characters: 90x90 vs 30x30x30 (8100 vs 27000)

Bruce Schneier • July 12, 2014 4:50 PM

"Oh, so there was some explanation for those weird titles. But not much convincing."

Apologies, but I have nothing more convincing for you.

Bruce Schneier • July 12, 2014 4:51 PM

"I have no problem with this week's titles as such, but I'd urge Bruce not to do it again just because reading all the complaints got very tiresome."

My favorite was the person who said, after three days of the clickbait titles, that he was no longer reading my blog because it was going on for more than a week.

Bruce Schneier • July 12, 2014 4:51 PM

"I can attest that moderators are still alive here"

I can, too.

Anura • July 13, 2014 4:26 AM

Okay, I thought people were being a bit dramatic about over-moderating, but now that we find out they've been deleting Bruce's comments I think it's gotten a bit out of hand.

Tal Be'ery • July 13, 2014 5:37 AM

Having a Mantra for a password may seem odd on first glance. But isn't re-entering the same arbitrary, meaningless, string for a password, over and over again even more weird? It's just that we had got used to it, that's all.

Bruce Schneier • July 13, 2014 11:25 AM

"Having a Mantra for a password may seem odd on first glance. But isn't re-entering the same arbitrary, meaningless, string for a password, over and over again even more weird? It's just that we had got used to it, that's all."

My mantra is an epic passpoem, detailing the life and works of seven mythical Norse heroes.

name.withheld.for.obvious.reasons • July 13, 2014 5:00 PM

@ Bruce Schneier

"My mantra is an epic passpoem, detailing the life and works of seven mythical Norse heroes."

Is that anything like a "patriot" or a "citizen" working at the NSA or other questionable TLA's?

Clive Robinson • July 14, 2014 7:24 AM

@ Bruce, Wael,

"My mantra is an epic passpoem, detailing the life and works of seven mythical Norse heroes."

I know the work, and that's not so much a Passpoem as a Book code. Thus it is "epic" in many ways (especially as my youngish son actually likes to read it...).

I guess you decided to avoid more common literature because it could be "Hobbit forming". Mind you Wagner had a fairly good go at a "ring decoder" that even Cptn Crunch would have found epic ;-)

noonnee • July 14, 2014 7:30 AM

@Clive Robinson

Doing popcorn to watch the World cup Games during July, I thought something similar to your idea :). Funny.

@Bruce

:) ok, got it, but after the recent events of Heartbleed, the TrueCrypt mystery and the No-IP takedown, my radar was a bit more active on important-security-news-persons changing their behavior.

Clive Robinson • July 14, 2014 7:30 AM

@ Mike the Goat,

I was going to do the "Key to your fortunes 'Passbook'" joke but I'm not sure it works in Amercanlish.

CallMeLateForSupper • July 14, 2014 7:56 AM

When passWORD became no-use-um some years back, I switched to passpoem and passlibretto. I remember that my first passpoem was derived from the first poem I had to memorize and recite, in 8th grade: "Blessings on thee, little man..." I am not a poetry lover though, so slim pickings there. But music! Have tons of it lodged in my head, more than enough to last the rest of my life. Most is opera, which incidentally adds a bit of security, because most of the resulting passlibrettos derive from languages that I do not speak fluently, that is, are not my native tongue.

Nevertheless, ah, for the good old days of 8-character, digit & alpha only, passWORDs.

Mike the goat • July 14, 2014 8:42 AM

Clive: passbook, hmm?? isn't that what you guys call check-books? Ahh, I give up.

On an unrelated note I am amazed at just how many people have responded negatively to Bruce's headline 'experiment'. I really think people are over-reacting, suggesting that they are about to leave over a freakin article title. Touchy, touchy ;-).

Bruce Schneier • July 14, 2014 9:09 AM

"On an unrelated note I am amazed at just how many people have responded negatively to Bruce's headline 'experiment'."

My guess is that comparatively few people responded negatively, but that we heard from most of them.

Mike the goat • July 14, 2014 9:21 AM

Bruce: Indeed. I can't believe the sense of entitlement of some of these serial complainers. Even if the blog titles annoyed me greatly (and like most people I've got more important things to get annoyed about than a freakin' blog title) I wouldn't carry on about it, as I know that I am a guest on someone else's (your) blog and it isn't my place to say anything. That's just uh, being a polite person.

My mother-in-law circles typographical errors in library books and has on more than one occasion contacted a prominent newspaper to complain about their grammar. I would never have believed people could get so uptight over relatively unimportant things until having seen that first hand :) But I'm getting really off-topic, so I'll leave it at that.

I know you've been busy Bruce, but glad that you are still dropping into the conversation occasionally...

Clive Robinson • July 14, 2014 10:26 AM

@ Mike the Goat,

No, a "passbook" is not a cheque book. Back in the days of old there were two types of licenced deposit takers in the UK: Banks (that were not mutual) and Societies (that were mutual). The latter were often called "building Societies" and when you opened an account you were given a book in which the Society entered your deposits and withdrawals. This was the "Passbook" and it was in effect the "title deed" to the account and thus the key to your fortune no matter how small (no negative balances allowed back then).

Anyway Maggie Thatcher did not like mutuals and put in place the first of several pieces of legislation that allowed them to demutualise and become banks. One of which was Northern Rock that brought on the banking crisis in the UK... Anyway the Passbook that many treasured became replaced by the convenience of "plastic" on demutualisation and your ability to do home accounting quickly went with it....

trog • July 14, 2014 11:18 AM

@ Mike the Goat,

I am one of those that complained about the headlines, and your comment compels me to explain why I did.

For many things on the Internet in 2014, everything is about clicking on things for "engagement". Engagement can be for a bunch of different reasons - for ad dollars, to get more 'likes' or followers, to troll, or whatever.

Headlines are now hyperbolized to a degree. Everything is screaming for my attention, all the time - but there's only so much of it to go around. I get rapidly desensitised to claims that a post is going to "blow my mind" or "restore my faith in humanity" or "make me cry" (all actual headlines from this blog in the last week).

I've come to this blog because the headlines are useful indications as to what is going on in the post - often from a technical perspective. They're simple and to the point and I can easily gauge whether or not the information is relevant. It's not really possible to do that with the recent headlines.

I have no sense of entitlement to this blog. I've been reading it for years - since I had Applied Cryptography as a textbook at university and became interested in computer security. I've since bought a couple other Schneier books and have been a big advocate of Schneier-esque security practices.

This blog has been a fascinating resource, looking at technical and social issues of security. The community is also interesting - largely technical people, drawn by a common interest, with useful insights into the topics.

I would be worried about that community being replaced by the sort of people who are attracted by headlines that were crafted based on the policy of a clickhole.com article. Clearly, other people felt the same - even if they were in a minority of overall visitors.

I won't make any other posts on this topic, but I wanted to explain why I registered a complaint. It's intended to be genuine feedback that explains why I come to the site in the first place, and how this change affects me.

I would add my thanks for all the work on the blog over the years.

Anura • July 14, 2014 11:42 AM

I prefer to use passthoughts that are so profound that humans are incapable of creating a medium to express them; unfortunately, most websites don't accept them.

Mike the goat (horn equipped) • July 14, 2014 12:18 PM

I wasn't speaking of your post specifically, in fact yours was probably one of the nicer ones as I saw a few that were chock full of vitriol over something that really wasn't that significant.

Had the entire articles contained the same kind of hyperbole then I can understand why people would have been upset, but as far as it appeared - Bruce was merely having a bit of fun for a week with the article titles only.

I don't think anyone would resent you for providing honest feedback but many of the posts IMO crossed a line and were far from cordial.

That said I in fact suspected that it was Bruce's way of letting the canary out of the cage, so to speak. A kind of subtle way to tell us all that he has had a visit from a TLA and should no longer be trusted. I trust that is not the case!

Bruce Schneier • July 14, 2014 1:14 PM

"I prefer to use passthoughts that are so profound that humans are incapable of creating a medium to express them; unfortunately, most websites don't accept them."

Try adding a number.

Somebody • July 14, 2014 3:44 PM

I set a passpoem for my root account. My next project is a robot that can type 200 words per minute so I can enter it before the login screen times out. Thankfully I did not use a passbook.

Wael • July 16, 2014 1:06 AM

"My mantra is an epic passpoem, detailing the life and works of seven mythical Norse heroes."

Geeez! Passpoem hasn't changed in eight years! This has got to be disinformation at its best! He won't even tell us how Schrödinger's cat is doing?

Scott Carpenter • July 16, 2014 8:49 AM

Longtime sporadic reader and rare commenter here. Just wanted to note my enjoyment of the headlines. I was certain they were meant ironically and for amusement. (I was hoping Bruce would share some traffic information, noting if they resulted in a significant increase in visits.)

Christer Weinigel • July 19, 2014 9:48 AM

Bruce Schneier • July 14, 2014 9:09 AM
"On an unrelated note I am amazed at just how many people have responded negatively to Bruce's headline 'experiment'."

My guess is that comparatively few people responded negatively, but that we heard from most of them.

Actually quite a few of my friends reacted to it and I've heard a lot of remarks about "what's up with Schneier and all the clickbait titles". It was such a departure from your normal writing that we all started wondering what was going on. I was planning to write a comment about it but saw that someone else had beaten me to it so I didn't, but I definitely did notice. And as someone else mentioned: I've developed some kind of mental filter, "oh, more clickbait, I'll just skip to the next entry" and then I realise it's from a blog that I consider as important and I can't quite reconcile those two conflicting reactions.

LILO Back On Topic • July 22, 2014 12:06 PM

All I could think about the 'life changing' passwords guy was how weak his mind must be. Does that make me a bad person?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.