US Government password requirements fail
Passwords must begin with a letter, contain between 8 and 12 characters and include at least three of the following four character groups: English upper case characters (A through Z); English lower case characters (a through z); Numerals (0 through 9); Non-alphabetic characters (such as !, $, #, %). Passwords are case sensitive.
Anyone surprised that this same site requires you to provide “security questions” almost all of which can be gleaned from public information?
Anyone surprised that this site is run by the US Federal government?
sigh
Curtis Olson June 09, 2014 18:35
I’m still annoyed at the site that asked me to pick 10 pictures that made me feel good, and then 10 pictures that made me feel bad … out of a bunch of random stock shots. I’m not that kind of person that has strong feelings about random objects. I ended up just picking the first 10, then the next 10. If I ever have to validate myself I’m hosed.
David Megginson June 09, 2014 19:30
eAPIS?
Michael K Johnson June 09, 2014 19:38
+David Megginson No, but I suspect it shares a back end authentication implementation since it is an FAA site… Now I recall that you posted something rather similar not that long ago. :-)
Michael Parsons June 11, 2014 23:23
Michael K Johnson June 12, 2014 06:19
+Michael Parsons Yeah, I’ve recommended that technique, with variations, to friends and family who have previously had rather simplistic passwords.
Bruce Schneier initially praised the xkcd scheme, but became less convinced: https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
Rebuttals (summary: he missed the point this time):
http://robinmessage.com/2014/03/why-bruce-schneier-is-wrong-about-passwords/
http://www.reddit.com/r/technology/comments/1yxgqo/bruce_schneier_on_choosing_a_secure_password/cfp2z9k
Basically, it seems to come down to a misunderstanding of “random”. It’s not “choose four words that seem random to you” — that’s not particularly better than “choose to substitute some letters with symbols in a way that seems random to you”. Instead, he meant “use a random process to pick four common words, then use your imagination to build a picture that helps you remember those randomly-chosen words”.
Oh, and looks like Randall has confirmed that was his point. http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so#2779020
Therefore, the biggest problem with that comic is that it didn’t communicate to most readers an essential element of the scheme. If even Bruce Schneier (a real cryptographer) missed the point about random, probably so did most others. ☺
David Megginson June 12, 2014 07:44
Almost (not quite) as good: pick a sentence, line of poetry, bible verse, etc. that is easy to memorise, then make your password out of the initial letters. For example, George Carlin’s quip
“In America, anyone can become president. That’s the problem.”
gives you the password “IAacbpTtp”
Michael K Johnson June 12, 2014 16:22
+David Megginson well, that’s the Schneier scheme. The links I provided include some suggestions that it might not be as strong as he suggests.
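The two schemes discussed in the thread (a random process picking four common words, and the first letters of a memorised sentence), checked against the site's policy quoted at the top, as an added example that is not code from any of the participants. The wordlist is a constructed 40-word sample (a real Diceware list has 7776 entries; only the list size matters for the entropy figure), and the policy encoding follows the rules as quoted in the post: first character a letter, 8 to 12 characters, at least three of the four character classes.

```python
import math
import secrets
import string

# Constructed sample wordlist for the demo. A real Diceware list has 7776
# words; only the size of the list matters for the entropy calculation.
SAMPLE_WORDS = (
    "apple bridge candle dragon eagle forest garden harbor island jacket "
    "kettle lantern meadow needle orange pepper quartz ribbon saddle tunnel "
    "umbrella violet walnut yellow zipper anchor basket cactus desert ember "
    "falcon glacier hammer igloo jungle kernel lizard marble nickel oyster"
).split()

DICEWARE_LIST_SIZE = 7776  # size of the standard Diceware list


def random_word_passphrase(words, count=4):
    """The xkcd/Diceware scheme as the thread describes it: a *random process*
    (here the OS CSPRNG behind `secrets`) picks the words, not the user."""
    return " ".join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Entropy of `count` words drawn uniformly from a list of `list_size` words."""
    return count * math.log2(list_size)


def initials_password(sentence):
    """The sentence-initials scheme from the thread: first character of every
    whitespace-separated word, case preserved."""
    return "".join(word[0] for word in sentence.split())


# The four character classes named in the site's policy.
CLASSES = (
    ("upper", string.ascii_uppercase),
    ("lower", string.ascii_lowercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
)


def policy_violations(pw):
    """Return the list of quoted policy rules `pw` breaks (empty == accepted)."""
    problems = []
    if not pw or pw[0] not in string.ascii_letters:
        problems.append("must begin with a letter")
    if not 8 <= len(pw) <= 12:
        problems.append("length must be 8-12")
    classes_hit = sum(1 for _, chars in CLASSES if any(c in chars for c in pw))
    if classes_hit < 3:
        problems.append("needs at least three character classes")
    return problems


def policy_max_entropy_bits():
    """Upper bound the policy allows even for a perfectly random password:
    a letter (52 choices) followed by 11 printable ASCII characters (95 each)."""
    return math.log2(52) + 11 * math.log2(95)


if __name__ == "__main__":
    print("random words :", random_word_passphrase(SAMPLE_WORDS))
    print("4 Diceware words: %.1f bits" % passphrase_entropy_bits(DICEWARE_LIST_SIZE, 4))
    print("6 Diceware words: %.1f bits" % passphrase_entropy_bits(DICEWARE_LIST_SIZE, 6))
    print("policy ceiling  : %.1f bits" % policy_max_entropy_bits())
    carlin = initials_password("In America, anyone can become president. That's the problem.")
    for candidate in (carlin, "correct horse battery staple", "Tr0ub4dor&3"):
        print(repr(candidate), "->", policy_violations(candidate) or "accepted")
```

Two things fall out of running it. The quip-derived password and a four-word passphrase are both rejected by the quoted policy (too few character classes, and the passphrase is also far over the 12-character cap), while a short substitution-style password of the kind the xkcd comic argues against sails through. And because the policy caps length at 12, the most entropy any compliant password can carry is about 78 bits; a six-word Diceware passphrase offers roughly the same but cannot be entered at all.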
Imported from Google+ — content and formatting may not be reliable