14

It seems like there will be no end of Can I use this dumb trick to generate my password? questions.

They basically all suffer from the same wrong approach, that ignores Kerckhoffs' Principle, refuses to use a password manager, and has no concept of password entropy (thinking, like they have unfortunately been taught, that entropy is having special characters).

Can we mark questions like this as duplicate, and link to a good question that emphasizes the entropy over the obscurity of the algorithm, and indicates that memorability is really only important for your master password? (for instance, this answer seems pretty good)

11
  • Although the answers all don't seem to go into great depth, the question itself ("What type of pattern should I use for my passwords?") seems like a suitable duplicate target to me. I'd definitely support the idea of redirecting all those custom password scheme questions somewhere.
    – Arminius
    Commented Nov 14, 2017 at 19:25
  • 2
    IIRC, XKCD #936: Short complex password, or long dictionary passphrase? has been used as a target for these a lot.
    – Arminius
    Commented Nov 14, 2017 at 19:28
  • 1
    You assume that pattern-based passwords are uniformly bad and should never be used.
    – schroeder Mod
    Commented Nov 14, 2017 at 19:35
  • 2
    @schroeder, OK, I stand corrected. Not all of them are bad. But why would you waste the time and mental effort coming up with your own custom solution when diceware is always as good (given enough words) or (more likely) way better than your system? And then once you generate one or two with dice, you can store the rest in a password manager.
    – NH.
    Commented Nov 14, 2017 at 19:59
  • @NH. You aren't thinking about senior citizens
    – schroeder Mod
    Commented Nov 14, 2017 at 21:29
@NH. I'm thinking about password policies that can be followed by senior citizens and others with accessibility problems which would make it difficult to use diceware or password managers. Policies are for people.
    – schroeder Mod
    Commented Nov 16, 2017 at 11:32
  • @schroeder much better explanation of what you are looking for. I'm thinking of a couple of different ways we could approach this. One is to address the accessibility concerns in one of the existing posts, another is to redirect most questions to one post, and then some to a senior- (or accessibility-) focused post. They would link to each other, of course.
    – NH.
    Commented Nov 16, 2017 at 16:19
  • @NH. that sounds better - instead of a "wakeup call" an actual analysis of the cost/benefit
    – schroeder Mod
    Commented Nov 16, 2017 at 17:32
  • 2
    You still need a strong password for your password manager.
    Commented Nov 20, 2017 at 2:37
  • @NH. Diceware, really? Memorizing 8 words (for 100 bits of entropy) and typing them without making a mistake? For people that do not know English? There is almost always a better solution to your problem than Diceware. However my point is that a "one-size fits all" solution for authentication does not exist yet. So there will be questions marked as duplicate when they should not be.
    – A. Hersean
    Commented Nov 20, 2017 at 13:21
  • 4
    @A.Hersean of course, if people don't know English, you would have to have a (insert language here) version of diceware. Doesn't need to be a translation or equivalent in any way except entropy measurements (number of sequences, which may be words depending on the language).
    – NH.
    Commented Nov 20, 2017 at 18:49

2 Answers

1

How big of a problem is this?

I had trouble finding a large number of examples of dumb tricks to generate passwords. Could you provide more examples? Perhaps the problem here is that it's subjective. I think adding foreign words to diceware or an unprintable character at the end of your password is an interesting proposition to add a small amount of extra security, while other users may say "just use a password manager to generate a 16-character alphanumeric string".

"Dumb" isn't a closure reason

As far as I was aware, just because a question is dumb, low-effort, or trivial doesn't mean it should be closed. Realistically, low-effort questions clog up the site with low-quality content, so there is some merit in closing or deleting them. However, none of the closure reasons are directly related to how dumb you think the question is. That's what a downvote is for, and a vote to close is not a super-downvote.

Deciding which password schemes are dumb tricks isn't simple

You seem to assume that the line between naïve passwords and smart passwords is clear, but in many cases there's a big grey area. Password schemes falling into this grey area will create controversy when you try to close them as a dupe of a "don't use dumb tricks" question.

Some examples of questions that fall into the grey area include:

The mythical canonical answer

Every website about passwords tries to develop good explanations of do's and don'ts of password use. What makes us different is that we have thousands of specific questions and answers, which in a world dominated by Google searches is a very good strategy. While processes like clearing up duplicates can make it seem like the goal is to have just one canonical question and answer for every topic, in reality we aim to have a variety of similar questions and answers so that users can find the answer easily to their specific question (source). Closing lots of low-effort questions about basic tricks is a valid goal, but it comes with the caveat that many questions won't be so easy to mark as a duplicate and that's ok. We're allowed to have several variations of the same question.

We're not trying to tell people to just go RTFM. I've seen too many cases on this site of overzealous users who tried to close questions as duplicates of questions that are only tangentially related. Using vote-to-close as a way to say "Answering individual questions like yours is too much work, but here's a link to an indirectly-related generic answer that might answer your question" isn't helpful, it's OCD.

An intermediate solution to this is having a canonical answer for common variations, like adding foreign words, adding part of the website name, using the current year in your password, etc. We already have this, although many of the answers aren't very good.

Duplicate closures are a tricky subject. For more see this meta question.

Current questions are not a good candidate for a single canonical answer (these are the only ones I found, please comment any other ideas you have):

Closing new questions like "is wwwwwwwwwwwwwwww a secure password?" to any of these questions would be confusing and even potentially rude.

Picking a recommended password generation scheme is controversial

Password managers are one of the best solutions, but are a pain for many people. I have family members that don't lock their phones. You think you can force them to roll some dice and use a third-party app just to protect their Disqus account? There are also many places they don't work like websites that block copy and paste, hardware like smart TV or videogame systems, public computers, phones under some circumstances, etc.

I've tried to start a question about how long passwords should be, only for the idea to be "too subjective" under its most general application, and already covered under more narrow formulations thanks to similar questions like this. A user in the comments told me a 32-character alphanumeric password would be sufficient for some people but not for others (even though over 90 bits of entropy your password becomes ridiculously hard to crack).

Various widely accepted systems like diceware and xkcd have been their own source of controversy (see Bruce Schneier's criticism). These widely accepted systems have also seen several extensions, from different separators between words, casing changes, using online generators vs dice, and using foreign words.

Given all these points of personal opinion, are you really going to tell a user that their idea is dumb and your idea is unequivocally better?

Standard points that would have to be made in the one-size-fits-all question

  • Explanation of threat models like brute force, shoulder surfing, plaintext leak, or offline cracking
  • Advantages and disadvantages of a password manager
  • Explanation of how entropy is computed as a result of password generation, not just apparent complexity
  • Discussion of memorability vs guessability tradeoffs.
  • Ideally, if I have two passwords of yours, it should still be very difficult to guess another password.
  • Either explain the most common tricks individually like repetition and changing characters, or walk through how to calculate Kerckhoffs' principle and discuss where each should be used.

Pros and Cons of redirecting all dumb trick questions to one new canonical one

Pros:

  • Less redundant information and effort explaining things like why a password manager is good, what entropy is, what the threat scenarios are, how cracking works, why it's hard to outsmart password crackers.
  • More focus on one good answer to this question rather than hundreds of answers
  • Leaner site with less clutter
  • Fewer dumb questions that annoy experts

Cons:

  • Reduces unique information for each password question asked, making our answers less useful.
  • Less Google-friendly design. Asking "Does repeating words make my password more secure?" directs you to a page which redirects you to a lengthy general explanation of password strategies instead of going straight to a targeted answer "No, password crackers can predict that, you don't really gain anything by repeating words."
  • Would probably result in overzealous behavior, causing good, legitimate questions to be misunderstood and closed.
  • Can be offensive to the asker who didn't realize their closed question was dumb and now is told their question doesn't belong here and they should have already found the answer.

Some unique information can be generated for each password scheme:

  • Is the scheme recommended by any researchers or websites?
  • How usable is this password scheme?
  • Is the scheme already covered by common rules in software like hashcat?
  • Does the scheme seem like nation-state actors might be able to compromise it?
  • Does the scheme seem likely to be misused, compromising its security?

Even though there are problems with the way it's currently set up, I'd say we keep doing what we're doing. Creating one canonical answer would probably help these dumb trick questions, but creating a canonical answer would be difficult, deciding which questions to close as dupes of it is controversial, and the askers might still find the redirection to a canonical answer unfriendly and unclear.
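The point in the list above that entropy comes from the generation process rather than from apparent complexity is easy to state and easy to get wrong, so here is a worked comparison. This is example code added to this page, not code from the answer's author. The Diceware list size (7776) and the alphanumeric alphabet (62) are standard; the "common words" list size, the year range, the symbol set and the 1e10 guesses/second cracking rate are assumed values chosen for illustration, and the sample passwords are constructed.

```python
import math

# Sizes of the choice sets behind each generation scheme. Under Kerckhoffs'
# principle the attacker is assumed to know the scheme, so only the choices
# the user actually makes at random contribute entropy.
DICEWARE_LIST_SIZE = 7776   # 6^5 entries in the standard Diceware list
ALNUM_ALPHABET = 62         # [A-Za-z0-9]
COMMON_WORDS = 5000         # assumed: size of a "common English words" list
YEARS = 100                 # assumed: range of years a person would append
TRAILING_SYMBOLS = 10       # assumed: set of "special" characters people append
PRINTABLE_ASCII = 95        # alphabet a naive strength meter assumes per character


def entropy_bits(choices, count):
    """Bits of entropy in `count` independent uniform draws from `choices` options."""
    if choices < 1 or count < 0:
        raise ValueError("choices must be >= 1 and count >= 0")
    return count * math.log2(choices)


def scheme_entropy(components):
    """Entropy of a password assembled from independent parts.

    `components` is a list of (label, number_of_equally_likely_values).
    A deterministic part (a fixed suffix, a repeat of an earlier part) has
    exactly one possible value and therefore contributes log2(1) = 0 bits.
    """
    return sum(entropy_bits(n, 1) for _, n in components)


def apparent_entropy(password, alphabet_size=PRINTABLE_ASCII):
    """What a naive meter reports: every character treated as an independent draw."""
    return entropy_bits(alphabet_size, len(password))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for exhaustive search: on average half the keyspace is tried."""
    return 2 ** (bits - 1) / guesses_per_second


def compare_schemes():
    """Return {scheme: (actual_bits, apparent_bits)} for four constructed schemes."""
    schemes = {
        # Eight Diceware words; the sample passphrase is constructed.
        "diceware 8 words": (
            [("word", DICEWARE_LIST_SIZE)] * 8,
            "correct-horse-battery-staple-cleft-yr-wok-ripe",
        ),
        # Sixteen uniformly random alphanumerics from a password manager.
        "random 16 alnum": ([("char", ALNUM_ALPHABET)] * 16, "q7Hx2LmZp9Rt4KwB"),
        # "Dumb trick": common word + year + symbol. Looks like three character
        # classes and 11 characters, but the attacker knows the recipe.
        "word+year+symbol": (
            [("word", COMMON_WORDS), ("year", YEARS), ("symbol", TRAILING_SYMBOLS)],
            "Staple2017!",
        ),
        # One lowercase letter repeated 16 times: 15 of the 16 "choices" are
        # fully determined by the first, so they add nothing.
        "repeated letter x16": ([("letter", 26)] + [("repeat", 1)] * 15, "w" * 16),
    }
    return {
        name: (scheme_entropy(parts), apparent_entropy(sample))
        for name, (parts, sample) in schemes.items()
    }


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast unsalted hash
    for name, (actual, apparent) in compare_schemes().items():
        print(f"{name:22s} actual {actual:6.1f} bits  apparent {apparent:6.1f} bits  "
              f"expected crack {expected_crack_seconds(actual, rate):.3g} s")
```

Run as a script it prints the four schemes side by side: the eight-word Diceware passphrase lands at roughly 103 bits (consistent with the "8 words for 100 bits" figure in the comments), the 16-character alphanumeric string at roughly 95 bits, while "Staple2017!" and "wwwwwwwwwwwwwwww" come in at about 22 and 5 bits respectively even though a per-character meter would credit them with 70 bits or more. The crack-time column is what makes the difference concrete: at the assumed rate the two "trick" passwords fall in well under a second.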

2
  • I already agree that not everything about passwords can be covered in a single post (otherwise we should lock down the passwords tag and not make any new entries). I'm just looking for a good place to point to when discussing with people that they should focus less on the trick (shh, don't tell the world), and more on the entropy of their passwords.
    – NH.
    Commented Nov 28, 2017 at 23:40
  • Also, your last con is a very good point and we should be careful not to come across that way, all the while, being helpful and instructing them in good password policies.
    – NH.
    Commented Nov 28, 2017 at 23:42
-1

I am sorry but I have to point this out.

As of now, your "canonical" answers contradict each other.

The 98x upvoted accepted answer to this question linked by the OP argues that using passwords like "correcthorsebatterystaple" is not secure because it is vulnerable to dictionary attacks. EDIT: OK I got this part wrong: "staple" doesn't seem to be among the top 5000 most common English words. The contradiction between the answers mentioned by me below still exists.

The 86x upvoted accepted answer to the question the OP wants to mark all similar questions dupes of argues that no such approach can be safe and the only correct approach is to use a password manager storing unmemorable 32-bit passwords. It links to a blog post that explicitly lists "correcthorsebatterystaple"-like passwords as an example of bad passwords.

The 1221x upvoted accepted answer and 430x upvoted answer that have already become canonical answers on this site still argue that correcthorsebatterystaple-like passwords are examples of good passwords.

So, to sum up, only force the policy proposed by the OP if you work out a consistent approach and if you come to the consensus that the XKCD is yet wrong (or at least is no longer correct), then please mark all such questions as dupes to a question whose accepted answer explicitly argues against this XKCD AND for sake, edit or mass down-vote the aforementioned canonical answers that argue in favor of the XKCD and post an answer to this question that argues against the XKCD and make sure it gains enough upvotes to be moved to above the answers supporting the XKCD.

2
  • 2
    Schneier rarely gets security wrong, but he is human, and in this case, didn't clarify very well what he was trying to say about "correcthorsebatterystaple" (I think he meant this particular password is bad because it has been blasted all over the web, and is not in lots of dictionaries). As bitmonger explains, the diceware approach (which is essentially a properly-implemented version of the XKCD comic) is still valid (when enough words/dice rolls are used).
    – NH.
    Commented Nov 22, 2017 at 16:28
  • The (highest by votes) answers to this question can help you better understand the subtleties here.
    – NH.
    Commented Nov 22, 2017 at 19:34

