Passphrases

So you all know the usual password advice. But I saw someone talking about “passphrases” the other day, and got interested. Many—but far from all—sites just take whatever you type and run it through a one-way cryptographic hash, so what gets stored is a fixed-width string of hex characters. If my password is blank, or if it’s the most secure password on the planet, it’s going to look about the same in the database: something like 32 hex characters once it has been through the one-way hash.
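To make the “everything looks the same once it’s hashed” point concrete, here is an added Python example (not code from the original post). It runs a blank password, a short mangled word and a long sentence with spaces and “@” through two schemes: the single unsalted hash the paragraph describes (MD5, 32 hex characters out) and a salted, deliberately slow hash (PBKDF2-HMAC-SHA256, 64 hex characters out), then registers and verifies the passphrase. The sample inputs are constructed, and the 600,000 iteration count is an assumed work factor, not a figure from the post.

```python
import hashlib
import hmac
import os

# Constructed sample inputs: blank, a short "mangled word" password, and a long
# passphrase containing spaces, punctuation and "@". None of these are real secrets.
SAMPLES = [
    "",
    "P@$$w0rDee",
    "I actually used a couple sentences for my password. Crack this one, n00bs!",
]


def md5_hex(password: str) -> str:
    """The scheme the post describes: one unsalted, fast hash, 32 hex characters out.

    Shown only to illustrate the fixed-width stored form. An unsalted fast hash
    lets an attacker test billions of candidates per second and reuse that work
    across every user, so it is not an acceptable way to store passwords.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256); 64 hex characters out.

    Like MD5, it accepts input of any length and any characters: spaces and "@"
    are just bytes once the string is UTF-8 encoded.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def register(password: str, iterations: int = 600_000) -> dict:
    """Create a stored record: random per-user salt plus the derived hash.

    600,000 iterations is an assumed work factor; tune it to your hardware.
    """
    salt = os.urandom(16)
    return {
        "salt": salt.hex(),
        "iters": iterations,
        "hash": pbkdf2_hex(password, salt, iterations),
    }


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = pbkdf2_hex(password, bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(candidate, record["hash"])


def stored_widths(passwords, iterations: int = 600_000) -> dict:
    """Width of what would land in the database for each input, under both schemes."""
    salt = os.urandom(16)
    return {
        p: {"md5": len(md5_hex(p)), "pbkdf2": len(pbkdf2_hex(p, salt, iterations))}
        for p in passwords
    }


if __name__ == "__main__":
    for p, widths in stored_widths(SAMPLES).items():
        print(f"{len(p):3d} chars in -> md5 {widths['md5']} hex chars, "
              f"pbkdf2 {widths['pbkdf2']} hex chars")
    record = register(SAMPLES[2])
    print("passphrase verifies:", verify(SAMPLES[2], record))
    print("wrong password verifies:", verify(SAMPLES[1], record))
```

Whatever the input length, the stored value is the same width, which is exactly why an application has no reason to cap password length or reject particular characters before hashing. The slow, salted variant matters for the rest of the post: it is the hash cost, not the stored width, that decides how many guesses per second a cracker gets.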

I think the word “password” brings in some artificial limits. How many people have a space in their password? I bet it’s astonishingly low, and probably because “password” implies that it should be a word.

But if it’s all just going to be hashed, meaning that there’s no reason for a maximum password length, why can’t “I actually used a couple sentences for my password. Crack this one, n00bs!” be my password? I have some rarely-used passwords for very important things that are probably 12+ characters long, and extremely good passwords in terms of things that a cracker wouldn’t guess anyway. But I have to stop and think. Take P@$$w0rDee as a (fictitious) example: anything derived from “password” is bad, but ignore that. It’s ten characters, which is pretty good, and it’s slightly altered from the word it’s based on. And it’s easy to remember “password-ee.” But was it an @ or a 4 for the first “a”? And was it the “r” or the “D” that’s upper-case? For the ones I use every day, it’s all muscle memory. But for the ones I use rarely, it might take me a full minute to type out a ten-character password, because I have to think.

And that’s where “I bet that you can’t crack this password” comes into play as a maybe-worthwhile idea. It’s a plain English sentence that’s foolishly easy to remember, with nothing “weird” about it to hamper my memory. The fact that it’s all based on simple English words is somewhat offset by the fact that it’s so unreasonably long for a normal password that password crackers wouldn’t even bother going out that far.
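The “length offsets the simple words” trade-off can be put into numbers. The following is an added Python example, not part of the original post, that computes the search space in bits under several attacker models for the two constructed examples above: a ten-character string treated as random printable ASCII, the same string treated as a dictionary word plus a mangling rule (the way cracking tools actually attack P@$$w0rDee-style passwords), the sentence treated as random words from a vocabulary, and the sentence treated as natural English. The vocabulary size, the rule count, the bits-per-character figure for English and the guessing rate are all assumptions chosen to be in the right ballpark, not measurements. The caveat a practitioner wants is visible in the output: a sentence an attacker can model as English is worth far less than the “random words” figure suggests, so the sentence needs to be one that is not a stock phrase, and the hash cost from the previous example sets the guessing rate.

```python
import math

# Constructed examples from the post (not real secrets).
MANGLED_WORD = "P@$$w0rDee"
SENTENCE = "I bet that you can't crack this password"

# Assumed attacker-model parameters; adjust to taste.
PRINTABLE_ASCII = 95          # alphabet a "random" password would draw from
ASSUMED_DICTIONARY = 100_000  # base words a cracker's wordlist might hold
ASSUMED_RULES = 1_000         # mangling rules (case flips, @ for a, 0 for o, suffixes...)
ASSUMED_VOCABULARY = 10_000   # words a phrase generator might pick from
ENGLISH_BITS_PER_CHAR = 1.5   # rough entropy of natural English per character
GUESSES_PER_SECOND = 1e10     # offline rate against a fast unsalted hash


def bits_uniform_chars(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Search space (bits) if every character were chosen uniformly at random.
    An upper bound; a mangled dictionary word is nowhere near it."""
    return length * math.log2(alphabet)


def bits_word_plus_rules(dictionary: int = ASSUMED_DICTIONARY,
                         rules: int = ASSUMED_RULES) -> float:
    """Search space (bits) for 'one dictionary word, one mangling rule'."""
    return math.log2(dictionary) + math.log2(rules)


def bits_uniform_words(word_count: int, vocabulary: int = ASSUMED_VOCABULARY) -> float:
    """Search space (bits) if every word were chosen uniformly from a vocabulary."""
    return word_count * math.log2(vocabulary)


def bits_natural_english(text: str, per_char: float = ENGLISH_BITS_PER_CHAR) -> float:
    """Pessimistic estimate for an attacker who models English well: roughly
    per_char bits for each character rather than log2(alphabet)."""
    return len(text) * per_char


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at the given rate. A slow salted hash cuts
    the rate by orders of magnitude and scales these numbers up accordingly."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(mangled: str = MANGLED_WORD, sentence: str = SENTENCE) -> dict:
    """Bits of work and exhaustive-search time under each attacker model."""
    models = {
        "mangled word, as random printable ASCII": bits_uniform_chars(len(mangled)),
        "mangled word, as dictionary word + rule": bits_word_plus_rules(),
        "sentence, as random words": bits_uniform_words(len(sentence.split())),
        "sentence, as natural English": bits_natural_english(sentence),
    }
    return {name: {"bits": b, "years": years_to_exhaust(b)} for name, b in models.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:42s} {r['bits']:6.1f} bits  {r['years']:.3g} years")
```

The second and fourth rows are the realistic ones: a ten-character mangled word falls in seconds to a wordlist-plus-rules attack, while the sentence, even modelled as ordinary English rather than random words, still sits well above it. Both rows move up by the same factor when the server uses a slow salted hash.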

I think it would also make thematic passwords easier. It’s bad practice to use the same password everywhere, but no one in their right mind is able to use a different password for every site they visit. But suppose I had, “I keep my money safe at the bank” for my bank, and “I take good care of my health and my privacy” as my password for my health insurance provider? (Again, these are fairly bizarre examples and you shouldn’t use anything close to them!) It’s much better if you mix in some non-normal-English: “I keep my money safe in el banco” helps slightly. “I keep my $$ safe in el banco” is better.

There are lots and lots of places that don’t support this, and I’m not totally convinced that this is a great idea. But the concept has me pretty intrigued.

2 thoughts on “Passphrases”

  1. I’ve been in some really lax places as far as PW goes, and really strict ones. (Hell, the hospital didn’t even let you set a password. You were given one. -_- God help you if you forgot it!)

    Spaces and “@” are a big no-no. So many business products throw a hissy fit when you attempt to use them. It’s an interesting idea, and I agree it would add security. Problem is so many web-based applications use those for other purposes.

    A great example is I found out that our FTP throws a tantrum if you use “@” in the password. Reason being that it actually uses the “@” to mark the start of the address. Oy!

  2. That’s pretty broken, IMHO. I’m surprised you can’t escape the @. Web apps even more so — you take whatever’s in the text box, MD5 it, and are done. You shouldn’t care what’s in it. But you’re right, a lot of places do this wrong.
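The FTP “@” problem in the comments above is a URL-building problem, not a password-storage one, and escaping is the fix the second commenter expects. The following is an added Python example, not code from either commenter: it builds an ftp:// URL two ways for a constructed password containing “@” and a space, models a parser that takes everything after the first “@” as the host (the behaviour the first commenter describes), and shows that percent-encoding the userinfo (RFC 3986: “@” becomes %40, space becomes %20) makes the host come out right for both that parser and Python’s standards-following urlsplit. The user name, password and host are constructed for the example.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed credentials: the password contains "@" and a space, the two
# characters the comments say real products choke on. Hypothetical host.
USER = "alice"
PASSWORD = "p@ss word!"
HOST = "ftp.example.com"


def naive_ftp_url(user: str, password: str, host: str) -> str:
    """String concatenation with no escaping: the way a client that 'throws a
    tantrum' on '@' ends up with an ambiguous authority component."""
    return f"ftp://{user}:{password}@{host}/"


def escaped_ftp_url(user: str, password: str, host: str) -> str:
    """Percent-encode the userinfo so that '@', ' ' and other reserved characters
    in the credentials cannot be mistaken for URL structure."""
    return f"ftp://{quote(user, safe='')}:{quote(password, safe='')}@{host}/"


def first_at_host(url: str) -> str:
    """Models the broken parser from the comment: host is whatever follows the
    FIRST '@' up to the next '/'. Correct only if the password has no '@'."""
    after_scheme = url.split("://", 1)[1]
    return after_scheme.split("@", 1)[1].split("/", 1)[0]


def parse_credentials(url: str) -> tuple:
    """Standards-following parse: the authority is split at its LAST '@', and
    the userinfo is percent-decoded to recover the original password."""
    parts = urlsplit(url)
    return unquote(parts.username), unquote(parts.password), parts.hostname


if __name__ == "__main__":
    naive = naive_ftp_url(USER, PASSWORD, HOST)
    escaped = escaped_ftp_url(USER, PASSWORD, HOST)
    print("naive URL:  ", naive)
    print("  first-@ parser thinks host is:", first_at_host(naive))
    print("escaped URL:", escaped)
    print("  first-@ parser thinks host is:", first_at_host(escaped))
    print("  urlsplit recovers:", parse_credentials(escaped))
```

Note that urlsplit returns the raw, still-encoded password, so the unquote step is what gives the application back the exact bytes the user typed; a product that forbids “@” is usually one that skipped either the quote or the unquote.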
