It's actually not a bad idea. In a similar but more secular vein I got my mum to start using decent passwords by suggesting the same thing with lines from Shakespeare. Take a line you'll remember, use the first letters from it; change one or two into 'matching' numbers and one or two into caps if digits or mixed case are required by whatever you're setting the password on...
Use the holy word of God to stay secure online, says bishop
A bishop in Blighty has suggested that passages from the Bible can be used to create memorable but hard to crack passwords. The Right Reverend James Langstaff urged his congregation to stop using pets' names or stock phrases for login credentials in favour of passwords derived from passages in the New Testament. "The Bible …
Friday 30th March 2012 17:34 GMT Old Handle
While the basic idea is not bad (or original), using the most popular book in the world for this purpose is not so smart. If you choose a popular verse from the KJV, as I'm sure many people will, you'd probably be better off with a dictionary word. If you use an obscure verse from a less famous version that should be good enough for most purposes.
Sunday 1st April 2012 21:07 GMT Voland's right hand
Book codes, and their variants, have been around a while, no?
For many years all the way up to WW2.
If memory serves me right, Soviet intelligence (or to be more exact whatever was left from it after Stalin ordered its extermination in 1937-1939) used book codes to communicate throughout the war.
From a crypto perspective a book code is a form of one time pad. If it is executed correctly (no reuse) it is a very strong encryption method.
Friday 30th March 2012 16:17 GMT Suricou Raven
The bible has no mention of passwords, but it does use a word for security: 'shibbólet.' The authentication value doesn't come from secrecy, but pronounceability: It's very hard for anyone not a native speaker of Hebrew (at least as it was spoken then) to pronounce the word correctly. After the Israelites forcibly evicted another tribe from some contested land, it was used to tell returning refugees apart from innocent travelers. True Israelites could say it right, while any survivor of the enemy who learned Hebrew as a second language and tried to bluff his way to safety would mispronounce it and promptly be run through with a sword.
Monday 2nd April 2012 10:45 GMT Neil 51
I remember hearing before that they used to try to identify German spies during the World War by asking them to say 'Squirrel' as apparently it was impossible for those who grew up speaking German to pronounce.
Probably an urban legend but at least it's gotten everyone who reads this to say squirrel out loud, so the world's a more squirrelly, therefore better, place.
Friday 30th March 2012 16:17 GMT Anonymous Coward
Is Graham Cluley taking the piss?
How often does an attacker know the religion of the person who owns the email account they're trying to crack?
And given hackers don't currently use lists of common bible quotes in brute force attacks, warning that "they might" in future isn't exactly useful advice....
Friday 30th March 2012 18:02 GMT Old Handle
Re: Is Graham Cluley taking the piss?
Come on, use your imagination! For example if it's your Facebook account, there are probably clues in there. Ditto for your home computer. Other times the website itself could be a big clue (Christian singles or what have you). And then there are people who pick user names like ChristWarrior129.
I partly agree on the other point, but security gurus much prefer solutions that are still good even if everybody starts using them. Perhaps they give that too much weight, but it's a worthy ideal.
Friday 30th March 2012 20:26 GMT Anonymous Coward
Re: Is Graham Cluley taking the piss?
You're missing the point. Hackers don't generally target individuals, they blanket bomb to crack weak passwords.
If you seriously think there's someone out there going through your facebook profile, to figure out what you're into, so they can make an informed guess that if you like, say, guitars, then your password might be an acronym made up of the initials of the big guitar manufacturers, Gibson, Fender, Gretsch, Rickenbacker, followed by the vintage year for Les Pauls, and then they'll try typing in GfGR1959 ..... you're giving the importance of your account far too much weight.
You could say "hackers will come up with tables for this if it becomes popular" for just about any password strategy. It's a meaningless statement. Do those tables exist? No. Is this actually not a bad suggestion by Bishop Thingy? Yes, compared to what people usually use as passwords.
Security consultants would do well to recognise half decent suggestions as well as invent imaginary attacks that have no basis in reality.
Saturday 31st March 2012 21:10 GMT Old Handle
Re: Is Graham Cluley taking the piss?
Blanket and targeted attacks are both realistic threats, blanket attacks are more common, but targeted attacks are potentially more devastating.
On the other issue, I really think you are the one missing the point. The point is that it's low entropy. There are around 30,000 verses in the bible. Even at face value, that's only about as good as say "licorice7" (common word + digit). And the vast majority of verses are not going to be used, because they're too long, too dry, or teach something horrible like murdering your kids.
So mystical aspects aside, the only thing this method has going for it is that it's not currently popular. If it remains unpopular, good for the few people who use it, but plenty of other password advice out there stays good even if lots of people use it.
Monday 2nd April 2012 13:57 GMT Tom 13
Re: around 30,000 verses in the bible
Only if you leave it strictly where the Bishop did. First off, I count 30 different English translations; while some of them will generate similar character lineups, I am quite sure the KJV and the GNT won't. Next up, you can combine different verse sets for the character bits, or you can use the actual translated text, or you can use the translated text with Le3t! spellings. Or you can leet the first character sets, or... And at that point you are doing more work trying to build the cracking bible than you would just trying to brute force the password. I would add that modern intelligence techniques have generally failed when dealing with religious oriented codes. Most famously the Israeli codes were never broken by the Arabs during its first war after its formation. IIRC, they were sending short letter and number bursts which referenced specific verses, and the verse communicated the relevant information.
It is generally agreed that easily remembered pass phrases are far more secure than short passwords. In part because you don't know what someone is using as his cypher pad, and in part because you can't assume he is using a cypher pad so you have to account for brute force passwords as well.
Friday 30th March 2012 16:39 GMT William Boyle
Sanskrit
Well, if you want to crack my passwords...
1. You need to know Sanskrit
2. You need to know my past
3. You need to know my mind (and even I have a problem with that!)
Akanda Mandala Karam. There are multiple ways of spelling that phonetically, such as Akanda - it could be Achanda, Achandha, Akandha, Acandha... FWIW, this is the first phrase of the guru puja. Finally, this phrase has zip to do with any passwords I use... :-)
Friday 30th March 2012 17:14 GMT Dynamic Net
Revealing the secret of creating secure passwords
http://www.dynamicnet.net/2012/03/weak-passwords-open-doors/ is our take on using common words to create a secure password that is hard to crack.
As long as Reverend James Langstaff's followers keep in mind social engineering tricks (i.e. they don't broadcast favorite verses, chapters, persons, etc. in the Bible), they should be fine using his method.
When you consider most users will do as they please in favor of convenience for passwords, what would you rather? To have them lean more towards security by making it easier or stick with old methods that while they work, don't lend to user conversion?
Friday 30th March 2012 17:29 GMT JeffyPooh
How about Leviticus?
On slavery done right: "Your male and female slaves are to come from the nations around you; from them you may buy slaves. You may also buy some of the temporary residents living among you and members of their clans born in your country, and they will become your property." Leviticus 25:44-45
On the death penalty as applicable to children for cussing: "For everyone who curses his father or his mother shall surely be put to death." Leviticus 20:9
So sayeth the Lord. Amen. WTF?
Friday 30th March 2012 22:01 GMT John Brown (no body)
Re: How about Leviticus?
"On the death penalty as applicable to children for cussing: "For everyone who curses his father or his mother shall surely be put to death." Leviticus 20:9"
WTF indeed.
Cussing - "Dad, fuck off."
Cursing - "Dad, I curse your dick with the plague and hope it goes gangrenous and drops off." and all parties expecting it to actually happen
See the difference between modern "cussing" and ancient, superstitious cursing?
It's an invitation to destroy "witches" not to execute children for bad mouthing their parents.
It has also been known for parents to have children who manage to grow up to adulthood so that quotation doesn't necessarily imply only young children.
disclaimer: I don't believe in sky pixies of any flavour but do have a fair mind.
Sunday 1st April 2012 14:36 GMT Anonymous Coward
Re: Jeffy bible bait fail
http://www.biblicalnonsense.com/
Above is a gold mine of interesting tidbits. The phrase "salad bar Christian", picking and choosing their favorite bits and trying to ignore the rest, is apt.
Commentary: Christians should be taking the lead on sorting out the whack jobs (e.g. Westboro) within their own ranks. Seriously.
Monday 2nd April 2012 12:26 GMT Anonymous Coward
@salad bar
"If you don't fit in my straw man evil fundamentalist nutjob suicide cult stereotype, you are a bad christian".
Here's another gold mine for you:
http://en.wikipedia.org/wiki/Lutheran#Doctrine
FWIW, to me there are core tenets in christianity (love your neighbour as you love yourself), which in turn helps to put meaning on everything else (prime directive :P). As for the bible, its purpose is to help reflect on yourself, not a legal document to bash others with (see christ vs. pharisees).
Saturday 31st March 2012 10:49 GMT Anonymous Coward
Re: YwetfoysatfoydL2630ish
Yes, jeffy, we get the point that you've managed to find some unpleasant stuff in the bible. Leviticus can be rather problematic; basically though, you shouldn't quote it if you're not an ultra orthodox Jew. There is also the matter of the new testament superseding the old. See if you can find anything nice to quote, it's a lot easier.
Sunday 1st April 2012 07:18 GMT Anonymous Coward
Re: YwetfoysatfoydL2630ish
Context is a wonderful thing! :)
The quote describes what Israel would end up like if they *didn't* follow the Lord's commands.
Unlike the primitives of 4000 years ago we don't eat our children. We are far too civilised for that!
We have better tech too. We choose to chop them up before they are born and throw them away - it's quieter that way. Well over 200,000 children per year in the UK alone. Eat them? That's disgusting!
Go Modernity!
The NT doesn't supersede the OT, it is two parts of one story. The historical bits of the OT chart the decline of God's people for want of a decent leader. They get so bad they are compared unfavourably to the proverbial cities of Sodom and Gomorrah. The NT resolves the leadership issue and spells out explicitly how god executes justice for all the wrong in the world without destroying everyone.
Meanwhile, back on topic....
Any well known phrase as a password is going to be an issue. It may not be likely that the phrase is added but software encapsulates skill and the databases grow. The upshot is that an obscure phrase is likely to be better than "password1". Personally I have different password classes; websites I don't care about, websites I buy stuff from and banking are some of them. Use some common sense!
Friday 30th March 2012 22:56 GMT JeffyPooh
@John Brown
Point taken on cussing vs cursing. Your assumption is aligned with accepted historical interpretation.
"It has also been known for parents to have children who manage to grow up to adulthood so that quotation doesn't necessarily imply only young children."
I didn't write *young* children. You've inserted that adjective yourself. We are always our parents' children. The obvious self-symmetrical back-fire of your complaint is thus hilarious. :-)
Sunday 1st April 2012 16:35 GMT Wensleydale Cheese
@Kevin 6
"People often wondered why I had old MB's on the desk as decor not knowing my passwords were in plain sight"
That reminds me of the manual for some demo software. Nobody knew the initial password and tried all sorts of combinations without success.
The documentation had the initial password in plain sight: "XXXXXXXX"
Saturday 31st March 2012 04:14 GMT eulampios
urandom
I use
head -c1000 /dev/urandom | tr -dc '[:print:]' | head -c 20
then save it to a .password gpg-encrypted file. The latter uses a key (or a bare symmetric) with an easier, less gibberish but a strong passphrase constructed in the same vein as suggested in the article with a little change. Like "Rule Britannia" can be made into something like #U7e b4IdDa9eeah!!!
Sunday 1st April 2012 20:19 GMT eulampios
Re: urandom
I did not forget. Should I reveal a little secret of mine? Most of my oneliners (with some multiliners) are kept in an org file whatever.org. I just grep it whenever I need something (even got a shell alias and tiny script for it). I bet, Mr. Polichinelle might get jealous.
Try using /dev/random -- more "random", but too slow, especially if you need too many passwords for many accounts.
Saturday 31st March 2012 06:42 GMT Robert E A Harvey
Obvious
I used to tell people at work who asked for the administrator password on their desktops "The password is obvious"
After an hour watching them trying the company name, my name, their name, 'password', 'computer', etc, I would wander past and give them a bit of paper with a single word written on it.
"obvious"
Saturday 31st March 2012 11:12 GMT Anthony Hegedus
correct horse battery staple
passphrases like "correct horse battery staple" are excellent. They're easier to remember and hard to crack, especially if you use numbers and punctuation after each word, and mixed case as in "engineEr5whistlE!highwAy*locatE." Assuming the words are chosen from a list of 3000 easy to remember names, a quick back-of-the-envelope calculation shows that there are possibly 1.8 x 10^18 different combinations (or 1.8 million million million). Since most important passwords are to protect online things such as email, credit card accounts etc, and there's no way that anything would let an automated program take that many guesses (even if it were physically possible), I would say this is particularly secure.
Scaling that down to three random words separated by numbers, the security such a password offers is at least far better than most passwords, and certainly easier to remember than things like q3!U5opO3.
As humans, we can't remember lots of passwords easily, that's the problem. And seeing as many things which are passworded are less important than others, why not use a less secure (and therefore easier to remember) password for things that don't matter so much?
Surely I need less security on my Nespresso account (which can only be used to order coffee and requires a credit card number every time) than say my Paypal account (which can be used to send people money)?
Why do some broadband companies make their broadband signon password "welcome1" or even just not have one, whilst others make it "Y1H4O7P2"? The signon cannot be used for anything other than logging into the internet!
I'm no expert but there is a LOT of misinformation going round about passwords, I'm sure of it. I see people running a business whose password for EVERYTHING is "buster", I've seen people who have an incredibly complex password for their computer but a file on the desktop called "banking passwords and pin numbers!", and what about people who set a complex 64 digit WEP key for their wireless?
Anyway see passphra.se for more info about easy to remember passwords
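The two arithmetic arguments in this thread (Old Handle's "around 30,000 verses" versus a common word plus a digit, and Anthony Hegedus's count of four-word passphrases drawn from a 3,000-word list) can be checked with the same search-space calculation. The script below is an added example and not code from any poster or from passphra.se; the list sizes are the figures quoted in the thread, the 95-character count is the size of the printable ASCII set that tr's [:print:] matches, the 1e10 guesses/second rate is an assumed offline cracking speed used only for scale, and DEMO_WORDS is a constructed stand-in for a real word list. The generator picks words with the secrets module so the entropy figure actually applies; a human "choosing" the words does not get the same guarantee.

```python
"""Search-space arithmetic for the password schemes discussed in the thread,
plus a CSPRNG-driven word-list passphrase generator (added example)."""
import math
import secrets

PRINTABLE_ASCII = 95          # characters matched by tr's [:print:] class
ASSUMED_GUESS_RATE = 1e10     # assumed offline guesses per second, for scale only


def search_space(choices: int, picks: int) -> int:
    """Equally likely outputs when `picks` independent choices are made
    from `choices` options: the attacker's worst-case guess count."""
    return choices ** picks


def entropy_bits(choices: int, picks: int = 1) -> float:
    """log2 of the search space, the usual 'bits of entropy' figure."""
    return picks * math.log2(choices)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Years an attacker at `guesses_per_second` needs to try every output."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Pick n_words uniformly at random with the OS CSPRNG. The phrase then
    has entropy_bits(len(wordlist), n_words) bits; duplicates in the list
    would bias the draw, so they are rejected."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed stand-in word list; a real list has thousands of entries.
DEMO_WORDS = ["correct", "horse", "battery", "staple",
              "engineer", "whistle", "highway", "locate"]


def compare_schemes():
    """Search space and bits for the schemes quoted in the thread."""
    schemes = {
        "one of ~30,000 Bible verses": search_space(30_000, 1),
        "common word (~10,000) + one digit": search_space(10_000, 1) * 10,
        "4 words from a 3,000-word list": search_space(3_000, 4),
        "20 random printable ASCII chars": search_space(PRINTABLE_ASCII, 20),
    }
    return {name: (space, math.log2(space)) for name, space in schemes.items()}


if __name__ == "__main__":
    for name, (space, bits) in compare_schemes().items():
        print(f"{name:36s} {space:9.3g} guesses {bits:6.1f} bits "
              f"{years_to_exhaust(space, ASSUMED_GUESS_RATE):9.3g} years")
    print("random passphrase:", generate_passphrase(DEMO_WORDS, 4))
```

The verse scheme and "word + digit" land within a couple of bits of each other (about 15 and 17 bits), four words from a 3,000-word list give 3000^4 = 8.1e13 possibilities (about 46 bits), and 20 random printable characters give about 131 bits. Whether 46 bits is enough depends on where the guesses happen: it is far beyond any rate-limited web login, but well within reach of an offline attack on a leaked hash database, which is the case the thread's "blanket bombing" posts are really describing.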
Saturday 31st March 2012 12:17 GMT itzman
its all about shared secrets innit?
I.e. the best password is simply one that is instantly personally recognizable to you, but impenetrable to anyone else.
I have used personal phrases, car numbers or simply 'what I can see looking out of the window' and 'red.bus' and 'RPH862E' have featured..
It's not hard to find something that you remember - the name of your first girlfriend, the number plate on your first car, the first telephone number you ever had (like swansea6074) a scrambling of a pet phrase...that you will never forget and is yet fairly impossible for a random outsider to guess.
What is missing is a simple guide to explain all this. A person I know had his web site messed up completely, several times, but never changed the password from 'stanley' How amazingly dim is that?
Likewise it's a really simple way to do cryptography: use some online work of literature and randomly scan it for the word you want and encode the word offset in that text instead of the word itself.
Using the bible may be appropriate for a clergyman who actually knows large tracts by heart, but for the rest of us it's not the natural choice.
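The word-offset scheme itzman describes is a book cipher, and the same construction is what Voland's right hand refers to as a book code earlier in the thread. Here it is as an added example, not any poster's code: BOOK is a constructed three-sentence stand-in for the shared work of literature, each plaintext word is replaced by the index of one of its occurrences in the book, and the occurrence is picked at random with the secrets module so a word repeated in the plaintext need not produce a repeated number. The two caveats a practitioner wants are in the comments: the whole book is the key and is reused for every message, so this is not a one-time pad and frequency analysis across many messages still applies, and any word absent from the book simply cannot be sent.

```python
"""Word-level book cipher (added example). Security rests entirely on the
attacker not identifying which text BOOK is; the book is reused for every
message, so repeated offsets across messages leak which numbers stand for
common words. Words missing from the book cannot be encoded at all."""
import re
import secrets
from collections import defaultdict

# Constructed stand-in for the shared text; a real book is far longer.
BOOK = ("It is not hard to find something that you will remember. "
        "The red bus stops outside the window every morning, and the red bus "
        "is always late. "
        "A bishop said the Bible is a book that many people know by heart.")

WORD_RE = re.compile(r"[a-z']+")


def tokenize(text: str):
    """Lower-case word list; both parties must tokenize identically or
    offsets drift. Punctuation is dropped, apostrophes kept."""
    return WORD_RE.findall(text.lower())


def index_book(text: str):
    """Map each word to every position it occupies in the book."""
    positions = defaultdict(list)
    for i, word in enumerate(tokenize(text)):
        positions[word].append(i)
    return positions


def encode(message: str, book_index) -> list:
    """Replace each word with the index of a randomly chosen occurrence.
    Raises KeyError for a word the book does not contain."""
    offsets = []
    for word in tokenize(message):
        occurrences = book_index.get(word)
        if not occurrences:
            raise KeyError(f"word {word!r} does not occur in the book")
        offsets.append(secrets.choice(occurrences))
    return offsets


def decode(offsets, text: str) -> str:
    """Look each offset up in the tokenized book."""
    words = tokenize(text)
    return " ".join(words[i] for i in offsets)


if __name__ == "__main__":
    idx = index_book(BOOK)
    code = encode("the red bus is late", idx)
    print("ciphertext:", code)
    print("plaintext: ", decode(code, BOOK))
```

Because "the" occurs several times in BOOK, two encodings of the same message usually differ, but an attacker who has the book decodes both instantly; that is the difference between a short reusable key (the book) and a one-time pad, where the key is as long as all the traffic and never reused.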