Correct horse battery staple.
That is all.
A quartet of researchers from Carnegie Mellon University's Computer Science Department have explained a method they feel makes it possible to memorise several complex passwords. As their ArXiv paper, Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords explains, passwords are important but most people …
At this point everyone[1] knows that 1) Randall Munroe recommends passphrases over cryptic passwords, because they have greater information entropy and are easier for users to remember; 2) lots of other security researchers have been making the same recommendation for years; 3) the people who create and administer password-based authentication systems don't pay any fucking attention[2]; 4) "correct horse battery staple" is now used as a passphrase by an embarrassing number of xkcd readers who think they're being clever; and thus 5) "correct horse battery staple" is now in password dictionaries.
Thus we have Schneier claiming that Munroe's construction isn't a safe technique. A number of people (including myself) have pointed out why his argument, as presented, doesn't hold water; but it does mean you can't use "correct horse battery staple" itself as a passphrase under many reasonable threat models, and you have to be a bit more thoughtful about using the Munroe technique.
[1] (who pays attention to these things)
[2] Because that would require they actually do some work, rather than simply relying on guidelines that were outdated 30 years ago. And, of course, because they're afraid they might get blamed if they deviate from "standard practice" and anything unfortunate happens.
I think using a long phrase is a good idea. Unfortunately, most places that expect passwords severely limit the length, and even if they don't, they may require numbers and special characters which may be hard to include naturally in a phrase, and may reject spaces. The example would have to be something like "Bill@Gates2swallowing#bike/on!a!beach" to be accepted in them.
Adobe had an especially hilarious one which I discovered after their massive password leak. I used LastPass to reset my leaked password to a random 16 character string, and the website accepted this. Later, I had to reinstall CS4, the installer for which requires you to log onto your Adobe account. Only I couldn't, because the installer's password field would only accept a 12 character string.
Another quality Adobe product!
Virgin Media, where passwords have to be something like more than 6 and fewer than 10 characters, and spaces aren't allowed.
Try Schwab's site, which limits passwords to 8 characters, from a restrictive alphabet. And that's for a brokerage and bank. I'd like to see them sued for breach of fiduciary responsibility.
... and irritatingly, they don't usually tell you in advance.
More irritatingly still, when you get password "set" routines that allow you to go past the character limit, while the password "test" routine observes the limit - so your new password will never pass again.
Your only option is to factory reset and start again from scratch.
F**k you TP-Link. F**k you, and the horse you rode on.
You're meant to keep it in your head as a mental image of the scene rather than a collection of words. It's proven that imagery is much more memorable, especially if it's amusing. And if you can imagine the Pope waving a fan over a patty it's much less likely to mutate into an image of the Pope patting someone on the [body part appropriate to the nickname on your continent.]
Although that image would be much more memorable...
My grandmother's generation used them to study in college.
I use them to memorize passwords.
A really simple example would be:
4MhalLwFwwaS4
Very easy to remember that password and I just made it up. Why? Because the password is a combination of two things I can remember.
1. A phrase or string of words that are very easy to remember.
2. A system or set of rules that turns that phrase into a password.
In this case:
Mary had a little lamb who's fleece was white as snow.
With this rule set:
A. Take the first letter of each word.
B. Capitalize nouns.
C. List the number of letters in the first word and last word at the beginning and end of the password.
The password is very easy to remember though you might have to decode it a bit in your head sometimes.
Take a string of song lyrics. A poem. A famous quotation. A children's nursery rhyme. Something you will remember. Come up with a set of rules you won't forget.
Then associate that password with that text string.
Using this method you can actually write down hints to your passwords in plain text right next to the password input and no one will be able to guess your passwords.
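The three-rule derivation described in this comment, written out as an added example (not code from the thread); the words treated as nouns are passed in explicitly, since the rules leave that judgement to the user, and the second function counts how many distinct passwords a fixed rule set yields from a list of phrases:

```python
# Added example: implements the comment's rules A, B and C.
# Assumption: the caller supplies the words they regard as nouns (rule B).
import re

def derive_password(phrase: str, nouns: set[str]) -> str:
    """Apply rules A, B and C to a memorable phrase."""
    noun_set = {n.lower() for n in nouns}
    # Keep letters and apostrophes so "who's" stays one word; drop other punctuation.
    words = [re.sub(r"[^A-Za-z']", "", w) for w in phrase.split()]
    words = [w for w in words if w.strip("'")]
    initials = []
    for w in words:
        bare = w.strip("'")
        # Rule A: first letter of each word; rule B: upper-case it for nouns.
        initials.append(bare[0].upper() if bare.lower() in noun_set else bare[0].lower())
    # Rule C: letter count of the first and last word at either end.
    first_len = len(re.sub(r"[^A-Za-z]", "", words[0]))
    last_len = len(re.sub(r"[^A-Za-z]", "", words[-1]))
    return f"{first_len}{''.join(initials)}{last_len}"

def guess_space(phrases: dict[str, set[str]]) -> int:
    """Distinct passwords a fixed rule set produces from the given phrases.
    The real secret is the phrase choice plus the rules: with a known rule set,
    the guess space is no larger than the list of phrases people pick from."""
    return len({derive_password(p, n) for p, n in phrases.items()})

if __name__ == "__main__":
    # Constructed inputs: the comment's own phrase and one more nursery rhyme.
    rhyme = "Mary had a little lamb who's fleece was white as snow."
    print(derive_password(rhyme, {"Mary", "lamb", "fleece", "snow"}))  # 4MhalLwFwwaS4
    print(guess_space({rhyme: {"Mary", "lamb", "fleece", "snow"},
                       "Jack and Jill went up the hill.": {"Jack", "Jill", "hill"}}))
```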
Good idea, but you should keep this kind of thing to yourself. It would be dead easy to create a rainbow table from a range of (popular) nursery rhymes using this algorithm. Just imagine how many people would end up using The Owl and the Pussy Cat went to sea as a basis for their key. Easy pickings. Wouldn't add much to the length of existing rainbow tables.
Okay, remembering a password is one problem, and one can develop and propose methods of selecting and remembering passwords. Great.
But typing the f%$king things is another matter altogether.
As a systems administrator, I type complex passwords many times a day to the point of muscle memory but I STILL mistype them 2 times out of 5.
Plus, consider the NUMBER of passwords we have to go through each day. I'm pretty sure these phrases run into the point where you have to wonder which mnemonic you used for which site. "Now did I use Mary Had a Little Lamb or Little Jack Horner? Or was it actually Simple Simon?" I'd like to see an effective mnemonic for remembering the credentials for hundreds of arbitrary websites.
Great ideas but then you have sites - notably when dealing with the US government - that require that you change your password every 60 days and require that your new password is not the same as any of the "n" passwords used previously.
So naturally everyone writes the passwords down on a sheet of paper under the keyboard.
@John Brown (no body)
"Users will always find the easy way, even if that decreases security."
This ABSOLUTELY should be a key factor in designing a password policy. The key is to make it strict enough that people aren't using 'password' but not so strict and unmanageable that people find a way around it.
The problem is that it's next to impossible to prevent people gaming the system by using a password that fulfills the requirements but is not very secure at all - Password123 for example, and it's just as hard to prevent people from writing them down.
The best thing, I have found, is to have a password policy that enforces basic good sense, 8+ chars, complexity (not really necessary) and 90 day expiry (to taste). Then you have to EDUCATE the users on how to choose strong passwords and why these are necessary - especially where remote access (like webmail) is concerned.
In some workplaces there is a lot of bickering and stealing credit and you need to tell people plainly that if they choose a weak password, one of their colleagues could just log onto their e-mail and steal their sales leads or whatever.
The trick is to get the users to be part of the process - to understand why it's necessary.
"As a systems administrator, I type complex passwords many times a day to the point of muscle memory but I STILL mistype them 2 times out of 5."
Sounds more like a typing problem than a password problem? Observation suggests something of the order of 1-2% of IT professionals and users are properly trained to a competent standard in touch typing (I'm not, I should add). Think what that does for accuracy and speed across a large business, yet I know of no business that regards touch typing as an essential part of basic training. The companies happily train their staff in manual handling for jobs that don't involve any manual handling, they insist everybody does DSE training, yet with the most basic input operations of a computer companies don't train staff to use the tools properly (and buying the cheapest, nastiest keyboards and mice probably doesn't help either).
Sounds more like a typing problem than a password problem?
I'll argue it isn't. I'm a trained touch-typist - I was taught to touch-type on manual typewriters in the early '80s, and between programming and my academic work I've touch-typed the equivalent of thousands of pages of text. I still mistype my passphrases (which are now generally around 40 characters) on a regular basis.
Passphrases often aren't especially amenable to touch-typing. The typical passphrase system has zero tolerance for error and doesn't provide useful feedback. With Windows, for example, the standard password dialogs show bullet symbols for each character and are only 26 characters wide; after that, you don't even get feedback to show that you've successfully entered a character, because the identical bullet symbols just scroll horizontally.
And passphrases generally aren't typical natural-language phrases, because those would be weak against dictionary attacks. And since many passphrase systems are actually just password systems that allow long "passwords", they are often configured to require a large alphabet, so your passphrase has to include numerals and punctuation. Those elements make it easier to mistype the passphrase.
Back in the days of non-correcting typewriters, it's true that touch-typists typically had a much lower error rate than they do today, when correcting typographical errors is trivial. But a vanishingly small number of people use such typewriters now, so very few users have the training to eliminate typographical errors. And expecting users to do so once again puts the security burden on the wrong part of the system.
"But typing the f%$king things is another matter altogether."
german keyboard layout (and derived c-e european) has 'y' and 'z' swapped. imagine the joy "i'm positive i typed the %@!$ thing right! oh, blimey, wrong keyboard layout again!"
of course, who in their right mind would set anything different than plain US as default keyboard layout?
well... apparently it's our new domain default. which cannot be changed. enforced by domain policies. updated on every reboot. they can even reboot your computer for you. arghhh!
quote: "german keyboard layout (and derived c-e european) has 'y' and 'z' swapped. imagine the joy "i'm positive i typed the %@!$ thing right! oh, blimey, wrong keyboard layout again!"
of course, who in their right mind would set anything different than plain US as default keyboard layout?
well... apparently it's our new domain default. which cannot be changed. enforced by domain policies. updated on every reboot. they can even reboot your computer for you. arghhh!"
Standardised keyboard layout for servers in EU subsidiaries, I completely agree with. My place does this as we only have the one 3rd line support department for the whole of the EU, and it's based in the UK so we're familiar with (and use) UK layouts. It's not difficult to fit a physical UK keyboard in to the racks for any local support techs to use either.
Standardised keyboard layout for users though? Utter insanity. If there is one thing guaranteed to cause a fistfight between users and support, it's not having the fucking keys in the correct place. Yes, it means I have to be mindful when typing passwords on a remote system and the layout is QWERTZ or AZERTY, but that is minimal fuss compared to asking several hundred people to use a different layout than the rest of their country uses.
Maybe I'm being far too sympathetic though ^^;
As has been mentioned, most authentication is limited to a maximum number of characters, which prevents using a really strong password.
Or worse
I tried "heroes in a half shell turtle power" on one site, and got a dialogue pop-up telling me my password required strengthening. Sack off
So now we need to remember 200 bloody passphrases instead of 200 passwords. Personally I am old and can't remember sh!t these days so I use KeePass to manage my passwords for me.
One other problem with passphrases is that it takes way longer to enter them. If it's once per day, no problem, but I enter between 100 and 300 passwords every day!