One week later… (continuation of previous post)

…(and three conversations and a couple of mails richer)

One of the very few posts that got remarks, the majority of them mailed, as the website is in a closed format unless you have an account. I only commented on them until Monday.

For most of you I would suggest visiting the link again, as Steve made some changes to the page, and especially listen to the audio link in the middle of the page. If you have the time available, listen to the second half of Security Now podcast episode 304, where Steve also revisits password haystacks. Just reading the page might do, but the idea and scope behind it are explained better if you listen to him.

A few other notes based on what I’ve received:

Q: A password like you create on Steve’s Perfect Password page is in my opinion much stronger than a haystacked password.
A: I agree, but who can remember such a password? With the right choice of password and padding you should be able to create something that comes at least close to it, without the need to write it down somewhere. The perfect password generator still has its uses, especially for service-related accounts in business environments or other uses where you do not need to type the password frequently and safe storage facilities are available, as such passwords have to be recorded somewhere. Alternatively, reset the password with every problem/incident you have, if that is needed for troubleshooting purposes; in that case only the dependencies need to be known, not the password. The latter would be the safer method from a password point of view.

Q: I don’t want to use a long password.
A: Your choice, but in my opinion a wrong one. Although an attacker cannot guess part of a password (there is only pass or fail), in the end the only strength is length. If you really want to use a short one, stay away from all the obvious things, as they will always be tried first. Nowadays most passwords I see have one of the following formats: Password99 or P@ssword, so stay away from the obvious. Substituting certain characters (! for 1, @ for a etc.) is easily anticipated as well and can be considered part of a dictionary that will be tried before a brute force attempt. Still, a short password will fall very quickly in an offline brute force attempt no matter what complexity you used, so complexity only provides a delay in an online scenario, depending on the bandwidth available. Here is a suggestion from somebody else that might come in handy: take the first or last letter of each word of a sentence you know well and use that as the base of your password, make sure all four types of characters get in there, either by replacing some characters or by adding something in between (a small haystack), and make it as long as you are willing to live with. Keep in mind that the average password length at this moment is about 7-10 characters, and this is what will be tried first as well. The same goes for the average mix of characters being used, say 50% lowercase, 20% uppercase, 20% numbers and 10% other.

Password haystacks is just a mechanism to help you remember longer passwords, and it is up to you to make them in such a way. Also try to stay away from the obvious, and this includes patterns like smileys, which work well for illustration purposes but, if everybody uses them, will not be ignored by “the bad guys” either. All other advice about passwords still applies, of which the most important is to change them on a regular basis and never use the same password in more than one location. Internet (and even non-internet) based services do get compromised, and “the bad guys” (as Steve calls them) do get their hands on your data through backdoors/exploits or simply human error. It is up to the owner of such services to provide protection, and you depend on the level of protection they have provided for your data. At the moment of writing there is most likely somebody going through 77 million accounts, and you had better hope that the password entries and credit card info in that stolen database were protected in some way… and not just a single hash per password (or worse, nothing at all). So in short: make your password long but memorable/usable, while to somebody else it still looks like a piece of gibberish that makes no sense whatsoever. Creativity rules here: on a US keyboard you have 90+ choices per character for your password, so go wild. On international layouts there are more, but depending on where you spend your holidays you might lock yourself out by not being able to type your password (think of ñ, ö, ç etc.). Not every website allows these either. If a website has limits, such as only allowing certain characters or not exceeding a certain length, you might want to verify with their support department how they store your password, as these are indicators that there is no protection on them.
There was one person who said he is using it to write down passwords, so that unless you know where to start, the password is hidden somewhere in there. I doubt that is such a good idea, as only the start position and length need to be guessed if he ever loses his paper, especially if the username and site are noted down as well.

Secure passwords

We all know and use secure passwords, right? We also know that a password needs to be secure, and that the longer and more complex the password is, the more secure it becomes. The problem is that remembering these passwords is not always that easy, until I was listening to a podcast called ‘Security Now’ and somebody named Steve Gibson said something about easily rememberable but still secure passwords. Read the following link if you want to know more about this: https://www.grc.com/haystack.htm. Essentially you can now create long passwords which are still easy to remember, as the attacker has no idea what you have used. I still recommend a bit of creativity in your easy but still secure password. Something like ‘##########COFFEE———-’ might be considered very secure but can still be guessed by somebody looking over your shoulder. The above mentioned password supposedly takes over 6 centuries to guess, while something like ‘W@nD3R!ng’ is guessed within 2 hours. This should start you thinking…
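The haystack arithmetic behind figures like these, as an added example in Python that is not from the original post or from GRC: the alphabet size follows from the character classes present, and the search space counts every string up to the password's length, since a brute-force attacker who knows nothing about the structure has to cover the shorter ones too. The class sizes and guess rates are assumptions (the page quotes none), so the resulting times only illustrate how padding moves the numbers; the padded sample is constructed to resemble the page's example.

```python
import string

# Character classes and their sizes (assumption: 26 lower, 26 upper,
# 10 digits and 33 printable symbols, 95 in total).
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

# Guesses per second for three attack scenarios (assumed values).
RATES = {
    "online": 1e3,          # rate-limited web login
    "offline": 1e11,        # stolen hash file, fast hardware
    "massive array": 1e14,  # large cracking cluster
}

_UNITS = [("centuries", 3155760000.0), ("years", 31557600.0),
          ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0)]


def alphabet_size(password: str) -> int:
    """Alphabet the attacker must assume: the sum of the classes present."""
    return sum(n for chars, n in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Count of all strings of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def fmt_duration(seconds: float) -> str:
    """Render a time span in the largest fitting unit, e.g. '1.77 hours'."""
    for name, size in _UNITS:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def haystack_report(password: str) -> dict:
    """Exhaustive-search time per scenario for one password."""
    space = search_space(password)
    return {name: fmt_duration(space / rate) for name, rate in RATES.items()}


if __name__ == "__main__":
    # Constructed samples: a bare word, the same word padded, a short one.
    for pw in ("COFFEE", "##########COFFEE----------", "W@nD3R!ng"):
        print(pw, alphabet_size(pw), search_space(pw), haystack_report(pw))
```

The model assumes pure brute force; as the post stresses, dictionary words and predictable substitutions are tried first, so the reported times are an upper bound on what an attacker needs.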