Xkcd and Xkcd Password site
Comments
-
I can't speak for AgileBits, but I do believe that the XKCD method is sound.
You may also like to read Toward Better Master Passwords. It's well worth your time. I've adopted Diceware for generating secure, but memorable, passwords as a result of reading it.
0 -
@wkleem: Really? I wasn't aware that Randall Munroe had a password generator. I only see 'XKCD-inspired password' results doing a search. Frankly, it looks like a lot of people are just tossing his comics onto their pages without asking. Do you have a link?
Regarding the 'correct horse battery staple' comic in particular, security papers published in the past year have demonstrated that these types of passwords can be easily cracked if they are less than 5 words unless you're using random special characters as separators. Something to keep in mind. Personally, I go for 7 words, as I'd like my passwords to have a bit of future-proofed buffer.
Ultimately, so long as the passwords are long, strong, and unique, they're as good as anything, though. Cheers! :)
0 -
@brenty - Here's your link to the XKCD password generator.
0 -
security papers published in the past year have demonstrated that these types of passwords can be easily cracked if they are less than 5 words unless you're using random special characters as separators
Just to clarify, which KDF did these papers test against and how many iterations?
0 -
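To put numbers on the 5-word vs 7-word discussion above and on the KDF question that follows it, here is an added worked example (not code from the thread or from AgileBits). It uses the real Diceware list size (7776 words) for the entropy arithmetic, a constructed eight-word sample list purely so the generator runs offline, and assumes a 94-character printable alphabet for generator passwords and a hypothetical guessing rate of 10^12 hashes per second.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 7776  # 6^5 entries in the real Diceware list
PRINTABLE_ALPHABET = 94    # assumed alphabet for a random-character password

# Constructed sample list: the real list has 7776 words; this is only so the
# generator can run here without a word-list file.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cloud", "pepper", "river", "atlas"]


def diceware_passphrase(n_words, words=SAMPLE_WORDS, sep=" "):
    """Pick n_words uniformly with a CSPRNG; entropy is n_words*log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase of n_words drawn from a list_size-word list."""
    return n_words * math.log2(list_size)


def random_password_entropy_bits(length, alphabet_size=PRINTABLE_ALPHABET):
    """Entropy of a random character password (e.g. a 16-char site limit)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits, guesses_per_second, kdf_iterations=1):
    """Expected time to guess: half the keyspace, each guess costing kdf_iterations
    hash operations. This is why the KDF and its iteration count matter as much
    as the word count."""
    return (2 ** entropy_bits / 2) * kdf_iterations / guesses_per_second


if __name__ == "__main__":
    rate = 1e12  # assumed offline guessing rate, hashes per second
    for n in (4, 5, 7):
        bits = passphrase_entropy_bits(n)
        fast = expected_crack_seconds(bits, rate) / 86400
        slow = expected_crack_seconds(bits, rate, kdf_iterations=100_000) / 86400
        print(f"{n} Diceware words: {bits:5.1f} bits, "
              f"{fast:.3g} days (1 iter) vs {slow:.3g} days (100k iters)")
    bits16 = random_password_entropy_bits(16)
    print(f"16 random printable chars: {bits16:.1f} bits")
    print("sample passphrase:", diceware_passphrase(7))
```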
@RichardPayne, @hawkmoth, There are login sites that have a character number limitation. Microsoft limits their passcodes to 16 characters. Most sites don't publicise the character sets for successful pass phrase creation.
0 -
@wkleem - Alas, you are correct, there are sites with character number upper limits, and those that don't reveal what their limitations are on character sets. I wouldn't have thought that it's most of them for the latter, but it's too many. And those sites are actually compromising security when they impose such limits, whether or not they reveal them.
For me, I remember passwords for 1Password, my primary email account, and my AppleID, none of which have such restrictions. But for those that do, it's difficult to let 1Password's password generator do its best work.
0 -
@wkleem for sites with length restrictions, especially short ones (cough Microsoft cough), Diceware is not the best option. Use a standard random password for these.
Most sites don't publicise the character sets for successful pass phrase creation.
That's just wrong. The vast majority of sites that have restrictions will tell you what they are right there, on the password creation screen's validation control.
Granted, there are exceptions but they are rare. The best ones are when they do tell you but tell you wrong. That takes a while to figure out... or, my personal favourite, where they accept anything on the creation page and then don't accept everything on the login page (cough Microsoft cough)!
0 -
@wkleem, you may be interested to read this existing thread about Diceware passwords. Lots of fun stuff in there (particularly the posts from jpgoldberg, our Chief Defender Against the Dark Arts):
Our support article for creating strong, memorable Master Passwords recommends Diceware:
https://support.1password.com/strong-master-password/
But — as mentioned in that support article — for all other passwords, you might as well generate a long string of characters using the generator since 1Password remembers and fills them for you. :)
0 -
Hi
I'll have to read the "fine print" more closely then. I find that in my case whenever I go to a certain site or sites, I don't see the password recipe up front. I will have to recheck and get back when I can.
0 -
I'll have to read the "fine print" more closely then. I find that in my case whenever I go to a certain site or sites, I don't see the password recipe up front.
@wkleem: I'll have to agree with you here as well, as this has also been my experience. Often I'm only told of these limitations when I generate an awesomely random password and the site doesn't like it because it's got a bloody H in it or somesuch nonsense. Only then am I told of the criteria.
Obviously this isn't the case for all sites, but I feel like the ones silly enough to make these demands tend to also be the ones which aren't particularly user-friendly in other ways as well -- including not announcing password requirements front and center. :(
0