this post was submitted on 19 Dec 2023
1006 points (99.1% liked)

xkcd

A community for a webcomic of romance, sarcasm, math, and language.

https://xkcd.com/2869

Alt text:

Why couldn't the amulet have been hidden by Aunt Alice, who understands modern key exchange algorithms?

[–] [email protected] 35 points 1 year ago (4 children)

Password guessing is always like that in popular media too. Oh, he loved houses, so his pw is obviously "Stallion".

Uhm no, it was probably zkl+7+:$(89?

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago) (3 children)

Well. Cyber security professionals wish it were that way. Instead it's usually 1234 or their kid's birthday or some shit. Having a connection in your mind between houses and horses and then using that to remember something like Green4Stallion8 would actually be more secure than most people's passwords. It's even better if you can remember a nonsense word that phonetically matches and change up the capital like, kreeN4stauLion8.

Of course most people don't need to worry about social hacking. Black hats aren't going through random social media profiles when they have millions of password and email combinations they ripped from a few websites. So unless you're the CEO of LifeLock or dealing with abusive family the above password would totally work even if everyone around you knew you loved Horse Cottages.

Just don't forget to change it in 30 days...

[–] [email protected] 5 points 1 year ago (2 children)

Ironically only the passwords I'm forced to change frequently (i.e. my work password) are something simple and easy to type. All of my personal passwords are like 40 characters of gibberish my password manager invented and the password to that is similar to the xkcd batteryhorsestaple and is changed from time to time as well.

But my work doesn't allow password managers, so I just have a rolling window of like 12 passwords since that's their history limit.

[–] [email protected] 4 points 1 year ago

Yup. Most corporate and government security is downright hilarious.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Yes, password expiry is generally considered bad practice and should only be triggered on demand if there's suspicion of a security breach, precisely because it's much more likely to lead to simple, less secure passwords. And when users change it, they will probably just add a number or something anyway, so it's not going to stop a determined attacker from finding the new pw regardless.

Which doesn't stop a ton of organizations from requiring it anyway.

[–] [email protected] 2 points 1 year ago (2 children)

Are you really supposed to change your passwords every 30 days?

[–] [email protected] 10 points 1 year ago (1 children)

No. Make sure your password is memorable to you, and long without being easily guessed. The more secure the initial password, the longer you can go without switching. The more memorable the initial password, the longer you can go without using password recovery.

If your passwords are safety critical, they should not be written anywhere, making remembering them key.

This assumes you're not using two factor authentication of course. With 2FA, your password security (not strength, that's different but very related) is less important. Security requires the vector of attack to be small, so having a bunch of accounts with the same password decreases the security (but not strength) of your password.

Requiring frequent changes to passwords on average causes less secure and less strong passwords to be used, and causes the lost password recovery to be more frequently used, which is, in and of itself, a vector of vulnerability.

[–] [email protected] 3 points 1 year ago

Except nobody is out there guessing passwords. That's a flawed basis and advice that was outdated a decade ago. They're pulling them from site breaches and brute forcing dictionary attacks with bot nets. The best thing the average person can do now is a locked file to store their passwords. The password on that is a unique easily memorable thing and everything else can be gobbledygook because you have a reference. And yes, unencrypted but locked files aren't a big block to a hacker in your computer. But the average person isn't facing that problem.

And if you're not an average person then you should be using a physical 2fa device on the principle that even if it's stolen, they would still need to gain physical access to the computer.

The one thing you shouldn't do is use a 24 character hash on every site and leave it for a year because it's "hard to guess". It will get breached and decrypted well before then.

[–] [email protected] 5 points 1 year ago

The recommendation is every six months. But that's based on companies faithfully reporting breaches to everyone right away. Which they haven't been. You could probably leave sites that aren't hooked to a payment for every six months, but email, bank, and anything that has payment details should be changed more often.

[–] [email protected] 1 points 1 year ago (1 children)

What's with the ominous line about 30 days?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Since websites decided it was okay to delay reporting breaches as long as possible it's the new prudent time frame for updating critical passwords. (Things linked to payment methods or sensitive information)

[–] [email protected] 10 points 1 year ago

Even if the password was "stallion" they probably would have made it Stallion1, Stallion!, $tallion, etc. The password always ends up being a single word, all lowercase, no numbers, no special characters.
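Two claims in this thread can be checked mechanically: this comment's point that Stallion1, Stallion! and $tallion are only cosmetically different from the bare word "stallion", and the earlier comment on password expiry that forced rotation mostly yields "add a number" changes. The script below is an added example, not code from the thread, from Lemmy or from xkcd. It normalises a password back to its base word by undoing the common mangling rules, scores it against the cheapest model that fits (dictionary word plus rules, passphrase of dictionary words, or brute force over the character classes used), and implements the policy check an organisation can use instead of blanket expiry: reject a new password that is a trivial mutation of the old one. The eight-word DICTIONARY, the 16-bits-per-word budget and the substitution table are constructed assumptions standing in for a real word list and breached-password list.

```python
import math
import re
from difflib import SequenceMatcher

# Constructed stand-in for a real word list / breached-password list (assumption:
# a deployment would load tens of thousands of entries, not eight).
DICTIONARY = {"stallion", "horse", "house", "green", "correct", "battery", "staple", "password"}

# Assumption: one dictionary word is worth about 16 bits (a ~65k-entry list).
WORD_BITS = 16.0

# Habitual character substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
LEET_CHARS = "$@013457"


def base_word(pw: str) -> str:
    """Undo the usual mangling (trailing digits/symbols, leading digits, leet
    substitutions, capitalisation) to recover the word a password is built on."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)       # Stallion1 / Stallion! -> Stallion
    core = re.sub(r"^[0-9]+", "", core)         # 2023Stallion -> Stallion
    core = core.translate(LEET).lower()         # $tallion -> stallion
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", core)


def brute_force_bits(pw: str) -> float:
    """Naive search-space estimate: length * log2(size of the character classes used)."""
    space = 0
    if re.search(r"[a-z]", pw):
        space += 26
    if re.search(r"[A-Z]", pw):
        space += 26
    if re.search(r"[0-9]", pw):
        space += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        space += 33
    return len(pw) * math.log2(space) if space else 0.0


def estimate_bits(pw: str) -> float:
    """Guess-space estimate (bits) under the cheapest model that fits the password:
    a passphrase of dictionary words, a dictionary word plus mangling rules, or
    plain brute force over the character classes present."""
    words = [w.lower() for w in re.split(r"[^A-Za-z]+", pw) if w]
    if len(words) >= 3 and all(w in DICTIONARY for w in words):
        return len(words) * WORD_BITS            # each word costs one list lookup
    if base_word(pw) in DICTIONARY:
        bits = WORD_BITS                          # the word itself
        if pw != pw.lower():
            bits += 1.0                           # a capitalisation pattern
        suffix = re.search(r"[^A-Za-z]+$", pw)
        if suffix:                                # trailing digits/symbols
            bits += sum(math.log2(10) if ch.isdigit() else math.log2(33) for ch in suffix.group())
        core = re.sub(r"[^A-Za-z]+$", "", pw)
        bits += sum(1.0 for ch in core if ch in LEET_CHARS)   # each leet swap
        return bits
    return brute_force_bits(pw)


def is_trivial_change(old: str, new: str) -> bool:
    """Policy check for a password change: reject a new password that keeps the old
    base word (Stallion1 -> Stallion2) or is a near-copy of the old one."""
    if new == old:
        return True
    old_base = base_word(old)
    if old_base and old_base == base_word(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= 0.75


if __name__ == "__main__":
    samples = ["Stallion1", "$tallion", "kreeN4stauLion8", "correct-stallion-battery-staple", "zkl+7+:$(89?"]
    for s in samples:
        print(f"{s:32} base={base_word(s)!r:18} ~{estimate_bits(s):5.1f} bits "
              f"(brute-force view: {brute_force_bits(s):5.1f})")
    print("Stallion1 -> Stallion2 trivial:", is_trivial_change("Stallion1", "Stallion2"))
```

Run stand-alone it prints the comparison: Stallion1 looks like 53 bits to a naive character-class count but is about 20 bits once it is recognised as a dictionary word plus a capital and a digit, $tallion is barely better than the bare word, while the phonetic variant kreeN4stauLion8 escapes the word list entirely and the four-word passphrase scores on its word count. The `is_trivial_change` check is the piece that matters for the expiry discussion: it flags Stallion1 to Stallion2 (same base word) and Winter2023! to Winter2024! without needing either word in the dictionary, which is the kind of change forced rotation tends to produce.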

[–] [email protected] 6 points 1 year ago (2 children)

I think you meant horses; houses to Stallion seems like a rather tenuous link.

[–] [email protected] 15 points 1 year ago

He loved houses. Houses is one letter off from horses. A stallion is a horse. His password is stallion!

[–] [email protected] 9 points 1 year ago

"correct-stallion-battery-staple" is what I think you meant