Dr. I. Needtob AtheOctober 13, 2016 6:28 AM

My password policy:

1. Keep up with all the popular advice on creating passwords.

2. Think of something completely different.

3. Don't tell anyone about it.

LesOctober 13, 2016 6:41 AM

Are these really bad habits? What I get from the article is that people create strong passwords for things that matter, like online banking, and weaker passwords for the dozens of throwaway accounts that one is asked to create on less critical sites.

Seems perfectly reasonable and rational. One wouldn't want to lose access to their banking information, but who cares if someone takes over your account on (for example) a kitchen renovation site? You can just create a new one.

MattOctober 13, 2016 7:25 AM

I agree with Les. Seems to me people prioritize their passwords. I certainly do which means I responding with confirmation bias.

Nonetheless who cares if your account gets hacked as long as it's not the same password as the rest of your accounts. I use a throw away password system for sites like that (complex-ish easy to remember password with changing numbers).

For most of my important accounts I use dual authentication of some sort. Including the most important of all email. Email is the key to the kingdom especially when it comes to password recovery.

OliverOctober 13, 2016 8:28 AM

Years later, XKCD's comic on Password Strength ( is still relevant--strange in this field.

Old Bull LeeOctober 13, 2016 8:33 AM

I also agree with Les and Matt above. The prioritization makes sense assuming the higher up you go the more differentiation there is between passwords. If someone hacks your Pandora account and it has the same password as another trivial account, not a big loss as long as your related email password is completely different.

None of the type A or B lists contain a cure-all, but several combined add up to a strategy good enough for most purposes.

Which leads me to wonder why email password wasn't part of the survey, and its own category, placed a level above banking.

AlOctober 13, 2016 8:37 AM

My initial policy was
- one password per domain/criticity (pro,perso-critical, perso-throwable)
It evolved to many critical password to avoid cross attacks.
Corporate password evolved with password policy forcing change, damaging my brain (up to... guess), hopefully solved by SSO tools.

then I used Lastpass with no change in strategy, and a very strong password (changed in 2014 after attack).
Then password policy in many forum/services forced some change putting my method in total mess. Criticity of some serviecs increased with my public exposition and tools usefulness.

then I generated my pw randomly with lastpass, except few critical password who were distinct, long, based on old personal history nobody knows

I use now where possible 2 factor verification mostly OATH apps like google auth,microsoft account, fb, twitter, else SMS.
I use FB/google/twitter OAUTH id federations where possible.
I named trusted people for restoration of account (facebook&co), trusted secondary sms, plus safety codes.
I use strong microsoft account with PIN.
lastpass on mobile with pin.
activcard +pin with bank.
3D secure with credit card.

now my problem is with PIN, not with passwords.

I plan to have a secure OTP-snail-mail account at LaPoste (they are quite innovative).

Those id are more and more essential.even stealing a forum account can damage my image today

I think that current situation is hopeless.
sure nobody can have a correct password policy with 100+ accounts without a password manager.
and a password manager is a big catastrophe risk. Lastpass managed recent attack honestly so not
2factor is an improvement but my mobile is now a big catastrophe risk, stolen or lost.

I work in digital trust, pushing certificates, but java not supported and crypto api not yet standard on javascript force us to propose OATH.
SMS have success too, but stealing mobile is a risk.
Can we trust OATH software token like Google Authenticator, LastPass Authenticator, Microsoft Account, Twitter or Facebook authenticator ?

If we can lose password individually, as the service operators can lose our password, can we accept a central US operator like Google/MS/FB/Twitter gives access to a service totally independent from them and their governments ?

It is like comparing the risk of having a car accident and the risk of GM to obey CIA or be hacked by mafia, to crash all cars driven by a class of people (the Russian, the bankers).

In talebian philosophy we are exchanging mild risk for huge catastrophe risk.

ab praeceptisOctober 13, 2016 9:04 AM


Oh, what an evil man Bruce Schneier is! To be precise, his blatant crime consists of 4 words, namely "Interesting data and analysis". All he did was linking to something and calling it interesting.

But there is more! Yes, Bruce Schneier is guilty of yet another crime, namely the crime of not reading and knowing *all articles ever written* on this planet and such being easy about linking to a "blatant copy".

In case your accusation meant the source - and not Bruce Schneier, who merely linked to something - you might want to put your criticism over there.

DaveOctober 13, 2016 9:09 AM

Am I the only one who gets annoyed with sites which filter passwords like '?*-!;#= but are content with ones like ohiO123 ? (that's an uppercase 'o' BTW. I've seen arguements about problems related to character sets, but the fact that other sites happily allow arbitrary passwords sinks those explanations, I believe.
I suspect nanny-filters might provide an extended attack surface too.

SasoOctober 13, 2016 9:29 AM

My password policy the sites I use occasionally:

1. Generate very strong password with password generator.
2. Enter into website.
3. Forget password.
4. Reset password and generate new one.

Sites I often use:

1. Generate very strong password with password generator, save in encrypted keyfile
2. Use very strong master password, change it every now and then or in case of suspicion

EvilKiruOctober 13, 2016 9:46 AM

@Tim @ab praeceptis: The article mentions "A Lab42 survey" and the LastPass blog mentions that "LastPass partnered with Lab42 to survey"...

David LeppikOctober 13, 2016 11:24 AM

I agree with Les and the others, but with one huge caveat: how valuable an account is changes over time.

For example, there was a time when financial site passwords were more valuable than email passwords. Then password reset via email became a big thing, including for financial sites. Now your email account is at least as important to protect.

Newer services are pushing authentication via social media logins. Over time, these might become as or more important than email authentication. Possibly even for accounts you never use. ("Your honor, I haven't used that account in eight years!" -- "Who am I going to believe--you or Facebook?" Even if that stays unrealistic in real life, there will be plenty of algorithmic judges out there.)

Similarly, trivia questions about your childhood are an awful way to handle password resets-- especially if you're from a small town. (E.g. Sarah Palin.) A lot of folks who comment on this blog, myself included, often don't take them seriously, some going as far as mashing on the keyboard. However, when you start having medical issues and your health care bureaucracy makes it clear that they have no humans who can to identify you without them, you start to rethink things.

BolOctober 13, 2016 12:01 PM

Interesting. I wonder whether there is a correlation between the percentage of people who knowingly develop bad password habits in exchange for convenience and the percentage of people who knowingly use online services that spy on their personal data in exchange for convenience.

wumpusOctober 13, 2016 12:28 PM

Want to be depressed about passwords? Try looking for a job: all HR agencies appear to want passwords (for unknown reasons) and appear to expire them quicker than a real hire could possibly qualify for positions. Logically, it would make sense for a single "stupid HR password", but I've preferred my password manager.

Basically, passwords are a bad idea that need to be replaced (and password managers are getting closer to that).

Oddly enough, as Les and other commenters point out, the user isn't always the weak point. People appear to have a vague idea what a "good password" is (maybe) and try to use them in important places. Unfortunately, it doesn't appear that all those places "protected" by passwords care as much about security. - Note: it shouldn't be that odd that some care about various media more than others. Actually, I'm fairly surprised that "entertainment" sites weren't more protected. I can at least pretend that my bank bothers with security, I'm less able to pretend that various entertainment sites (that have my credit card and other details) are quite so careful.

Rob PhillipsOctober 13, 2016 1:04 PM

Stupid again. I've had the same password since 1996. Changing it is a bad freaking thing and a few of us know that.
You make one and keep it. Simple.
Just don't use a word from a dictionary which I could crack in a few minutes.
Sometimes Bruce you just boggle me mind.

TomOctober 13, 2016 1:35 PM

The article ends with:

In order to establish more effective defenses, we need to better understand why individuals act a certain way online and a system that makes it easier for the average user to better manage their password behavior.”

So, where's the analysis? Because the article doesn't contain anything. It just lists the questionaire results.

Also, there's nothing new about those results.

TedOctober 13, 2016 2:24 PM

As part of National Cyber Security Awareness month, there is a special “Lock Down Your Login” campaign. #LockDownURLogIn

To summarize, in addition to usernames and passwords, the campaign recommends setting up strong authentication (multi- or two-factor authentication) for online accounts wherever possible. This includes using biometrics, a USB security-key, or a unique one time code provided by an app on your mobile phone. This step can add protection for key accounts like banking, email, and social media accounts. You can find set-up instructions for popular sites like Facebook, Google, and Twitter here:

Very 'Type A' advice. Could be good for making friends with a 'Type B'?

johnOctober 13, 2016 2:30 PM

Isn't this just a modrerately disguised fluff piece?
No real results, then finally a comment from Joe Siegrist, VP and GM of LastPass?
Gosh he must know all about keeping passwords safe! What about checking him out?
Well well, they have an incredible password manager program - that must be the best solution to the password problem: Joe's researched the problem with passwords!
"Solve all your password problems.
Stop wasting time writing, remembering, and resetting passwords. Only remember one master password, and keep the rest locked up and easy-to-find in the LastPass password manager."
That's where everyone is going wrong, nobody else was clever enough to come up with something like a safe to keep your passwords in... was there???

zOctober 13, 2016 3:56 PM

Frankly, the create-an-account culture is probably 90% of the password problem. People pick easy to remember passwords because they have to use them for every damn thing on the internet.

Clive RobinsonOctober 13, 2016 4:08 PM

I doubt that the survey results are actually representative.

The reason is simple...

When I answer the phone and they identify as a survey or I get accosted in the street, I inform them that both my experience and time is valuable, and thus I expect to be paid in advance for my opinions at a rate of atleast 500GBP/hour...

They don't want to pay, therefore I don't want to play their game.

This is the only sensible response to being "randomly selected" from what is in effect an "idiot list", as it gets you off of the list.

Secondly people who volunteer for or seek out participation in such surveys are probably not the people who's opinions you want as they are at best not representative or worse pushing a personal agenda...

Thirdly, most surveys are about confirmation bias. Those paying for the survey usually convay to those running the survey the results they are looking for even if unintentionally. It's obviously to the benifit of those running the survey to "please the customer" as that often results in repeate business...

Forthly it is incredibly difficult to phrase individual questions in a neutral way, bordering on impossible to do it for a group of questions.

Thus as always treat such survey results with a pinch of salt the size of Lott's wife.

LarHomKimFaOctober 13, 2016 7:54 PM

one thing you can do for passwords written down is substitute 3 or 4 letters from upper or lower case for example. You do have to remember which 4 letters you changed. That way if someone does get your password they won't know which letters to change.

Seriously Good Job, Don't Fret AndOctober 13, 2016 9:10 PM

That only works on iDevices that haven't felt the ire of a desoldering wick.

WaelOctober 14, 2016 1:04 AM

Passwords aren't going anywhere. There will always be a place for them. Passwords are shared secrets between humans and machines, in a way.

I hate them. Good habits, bad habits don't matter.

Clive RobinsonOctober 14, 2016 1:43 AM

@ Wael,

Passwords are shared secrets between humans and machines, in a way.

They are certainly shared and compared (hopefully after a one way algorithm of sufficient additional complexity). The hard part with them is to play to human failings without playing to computer strengths....

Humans are quite bad at remembering meaningless data, thus any system that improves that for all would be an improvment.

Thus for a replacment we need to look at something all humans do better... And the answer quickly boils down to there is nothing else ... that is as good ;-)

So yes passwords bad as they are are here to stay...

Jesse ThompsonOctober 14, 2016 4:18 PM

Here are the rules of password club.

Rule #1: Don't re-use passwords between different administrative domains.

Rule #2: Do not generate any password from your imagination. Ever. At all. Human imaginations are one of the shittiest RNGs ever invented. Use a quality RNG: dice or a well-vetted cryptographic computer algorithm with access to quality entropy are fine choices. "rand()" in programming language X is one of the few choices shittier than human imagination.

Rule #3: Are you absolutely certain you cannot get this authentication done with locally password-encrypted client certificates instead? "Passwords" are secrets handed to the server raw and in plaintext (whether or not delivered through an encrypted tunnel, *the server* gets a plaintext copy prior to hashing for comparison..) which means that any MITM or compromised server can decide to keep or re-broadcast a copy even if all they had previous to the breech was a hash between logins. Challenge/response against client cert, on the other hand, remains 100% resistant to replay attacks.

Want to authenticate from mobile devices? While you could copy the cert around, it would be far superior to generate unique certs for each source device and just authorize them all to your identity at each service. That aids in revocation, and aids service providers in detecting hack attempts because they've got a better idea of which auth cred should be dialing in from which source IP.

What, you say your web browser doesn't support client certs?

Sounds like the same reason nobody uses PGP / GPG to me, then. It should both be painfully easy for a browser to support and *hella* easier to secure than password managers due to no re-playable data ever being sent down the wire. :P

DroneOctober 14, 2016 11:43 PM

Man, that page on passwords was a lot of words and pretty pictures just to state what is plain and obvious. But at least it seems that for once, the Taxpayers didn't have to pay for this "study".

Mic StandOctober 17, 2016 3:38 AM

@nigel - that is the funniest URI I've seen for a long time. It makes me deeply distrust whatever advice is buried so deeply underneath. …Might still have a look (only 'cos it's GCHQ)

FreezingOctober 17, 2016 1:15 PM

@ Les

Are these really bad habits? What I get from the article is that people create strong passwords for things that matter, like online banking, and weaker passwords for the dozens of throwaway accounts that one is asked to create on less critical sites.

The problem is that the people don`t seem to know which type of password is *really* secure and which is not.

MEOctober 17, 2016 3:45 PM

More blaming the User to passwords being a poor security tool, but one that everyone insists on using.

Why can't more sites get behind the idea of SQRL, that is, challenge/response type authorization mechanisms that are actually usable by humans?

I'm not saying that SQRL is perfect, but it seems much better than passwords, even with a manager.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.