by euphemize 4465 days ago
> 1. Have a really, really good password, and change it often. Your password should not contain “real” words (and definitely not more than one real word in immediate proximity, like “whitecat” or “angrybird”), and should contain capital letters, numbers and symbols. The best passwords of all look like total nonsense.

http://xkcd.com/936/

But really, I'm a bit puzzled by her 5 "recommendations". Turn off your devices while you're not using them? I feel like the most important one is missing - don't use HostMonster or Godaddy, their representatives are not paid enough to care about the implications of you losing your domain name.


If you read the comments she is no computer security expert. And she accepted the comments of others that passwords that "look like nonsense" are not necessarily best.

My guess is "turning off" relates to not leaving a device that is logged in and open available for someone at school/work/... to stop by and mess with.

She ends up advising 2 factor authentication for email (an old email that was compromised is her guess on the cause of the problem). It is a good article. For advice it might be nice to put a TLDR of: "use 2 factor authentication."

To follow up, I will say that my favorite way to create a password is to use sayings from two or more of your favorite books or other sources.

So, if you like Harry Potter and Enders Game, what are the phrases that come to mind?

    Harry Potter - expelliarmus
    Enders Game - win all the future fights
Now you have a great password: "winallthefuturefightsexpelliarmus" Nice and long (33 chars), with some made up stuff. Maybe tack some numbers on the end.
Modern password crackers are pulling all of wikipedia and youtube for seed words. If your words are in either of those, don't expect the password to stand up to a dedicated attacker.
There are 1160290625000000000000000 combinations of 5 words with a dictionary of 65000 words. That's not brute-forceable. If you take existing phrases it's another story, but random words works well.
Being a little loose with my estimates and a bit of Fermi Math, that's only about 300 years of computing time on a small home built GPU cluster.

Basically tells me that 4 random words are definitely crackable and 5 are theoretically possible (and definitely doable with 5-10 years of Moore's law).

lg(65k^4) is very nearly 64. If you worry about 4 random words being brute forced, you should worry about 64 bit symmetric keys being brute forced. I don't know where the current recommendations come down on that.
Not sure what your calculation is, but permutations is what you should have calculated.
His calculation was (65000 Choose 5) * 5!. His premise required a combination then a permutation.
If you're picking with structure (including "phrases that spring to mind"), agreed. If you genuinely include enough entropy, then it doesn't much matter what mnemonics you layer on top.
> winallthefuturefightsexpelliarmus

Why not "Win all the future fights expelliarmus"? Passwords that don't accept spaces are pretty rare, and you end up with a longer password 'for free'.

> Passwords that don't accept spaces are pretty rare

Oh how I wish that was the case. Twitter is one such example which doesn't allow spaces (last time I checked, anyway).

More modern guessing methods might try that one.
The xkcd-style passwords may be less vulnerable to a brute-force attack, but they are more vulnerable to a dictionary attack.

There are (very) roughly 2^17 words in the dictionary, so if you pick 4 there are 2^68 possibilities, or 2.95e20.

There are 94 printable characters on a US keyboard. This means that an 11-character "hard to remember" password has over 16 times as many (~2^72, 5.06e21) combinations as a four-word xkcd style password.

But again, we are comparing two different types of attacks. I don't even know how feasible a 4-word dictionary attack is, or whether it's actually used "in the wild". Still interesting to think about.
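The search-space arithmetic argued over in the two sub-threads above (65000^5 words, lg(65k^4) ≈ 64, and 2^17-word passphrases versus 11 characters from a 94-symbol keyboard), as an added worked example that is not part of the thread; the guess rate and the toy word list are assumptions, and the generator shows the "genuine entropy" point by choosing words uniformly with a CSPRNG instead of from memory.

```python
import math
import secrets

# Guess-space bookkeeping for the two password styles debated in the thread:
# ordered words drawn (with replacement) from a word list, versus characters
# drawn from a printable alphabet. Dictionary sizes (65000, 2**17) and the
# 94-character US keyboard follow the comments; everything else is a parameter.

def word_passphrase_space(dictionary_size: int, words: int) -> int:
    """Ordered choices with repetition: dictionary_size ** words.
    This matches the 65000**5 figure quoted in the thread; C(n,k)*k! would
    forbid repeated words and is slightly smaller."""
    return dictionary_size ** words

def char_password_space(alphabet_size: int, length: int) -> int:
    """Ordered characters with repetition: alphabet_size ** length."""
    return alphabet_size ** length

def bits(space: int) -> float:
    """Guess-space size expressed as bits of entropy (log2)."""
    return math.log2(space)

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)

def random_passphrase(wordlist: list, words: int, sep: str = " ") -> str:
    """Uniform CSPRNG choice, so entropy really is words*log2(len(wordlist));
    a phrase that 'springs to mind' from a book is one of far fewer candidates."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

# Constructed toy word list (not a real dictionary) so the generator runs offline.
WORDLIST = ["correct", "horse", "battery", "staple", "expelliarmus", "win",
            "future", "fights", "cat", "bird", "white", "angry"]

if __name__ == "__main__":
    five_words = word_passphrase_space(65000, 5)
    print(f"65000^5 = {five_words} ({bits(five_words):.1f} bits)")
    print(f"4 words of 65000: {bits(word_passphrase_space(65000, 4)):.2f} bits")
    four_xkcd = word_passphrase_space(2 ** 17, 4)
    eleven_chars = char_password_space(94, 11)
    print(f"4 x 2^17 words: {bits(four_xkcd):.1f} bits; "
          f"11 x 94 chars: {bits(eleven_chars):.1f} bits; "
          f"ratio {eleven_chars / four_xkcd:.1f}")
    # Assumed rate of 1e11 guesses/s (fast unsalted hash on a GPU rig); the
    # thread's "300 years" is a Fermi estimate, so treat this as illustrative.
    print(f"years to exhaust 5 words at 1e11/s: {years_to_exhaust(five_words, 1e11):.0f}")
    print("sample passphrase:", random_passphrase(WORDLIST, 5))
```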

The issue with the numbers you give is that nobody really has an 11 character password compatible with it.

The reality is that people have trouble remembering 11 truly random and unrelated things, so they try to simplify and group things - e.g. by taking a base word and changing the spelling, or adding numbers on. This is what leads to the easy to brute force passwords; the cracking techniques now cater for the most popular variations.

So again, while you may be right on paper, you can't compare a 4 word passphrase with a true 11 character random password; they are on completely different scales of difficulty to remember. If you're interested, take a look at how the xkcd comic constructs the difficulty of the two passwords, it is fairly realistic. For what it's worth, it considers only "common" words (top 1000 to 2000 most popular) from the dictionary, and the passphrase wins out even so. Throw in a word from another language, would be my suggestion.

I think you're missing the point. I'm not arguing that passwords like "H$&v46S13^a" are actually better in practice than passwords like "TheCowSaysMoo". I'm providing one specific case where they are superior in terms of difficulty, i.e. the unlikely event of a directed dictionary attack, and a rough comparison of the level of security in that case as compared to a brute force attempt.

As far as "true randomness", it's irrelevant here since we are only counting permutations, meaning "Hello,2048" is just as difficult as "^6H9Ox#g`!" (i.e. their length and superset are both equivalent).

I think we're mostly on the same page, but still talking past each other. In my opinion, the only _reasonable_ way to compare the two password styles is in a practical way, taking into consideration human memory limitations. In that sense, the equivalent to an 11 character "random character" password is NOT an 11 character sentence. It would be more like a 5 or 6 word sentence due to the way your brain works. When you compare these, the pass phrases do win out, even for directed dictionary attacks.

Essentially, what I'm saying is that your brain seems to have better memory (or compression?) for sentences than random character jumbles, allowing you to use longer / stronger ones. Even when you consider dictionary attacks. Again, the original XKCD article is fairly objective and accurate; what's shown there IS a dictionary attack.

They are more vulnerable to a dictionary attack for a given password length. The theory is that memorability (and ease of typing) decays more slowly with respect to the entropy contained in an xkcd style password than in a jumble of random characters.
The issue with "random" passwords is trying to remember them. XKCD-style isn't perfect, but it is loads better than "Password91" and "Dragon" style passwords which are what most people actually use.
As I already said, I am not arguing that "random" passwords are better in practice.

Also, a password that uses a very large character space does not have to be random at all.

Use PwdHash, it only improves the situation. [1] Even a bad password like "123456" turns into "rY9RHtJZ" (for HN). Turning computers off seems weird, but if that computer's got your ssh keys or your cached passwords, off is safest.

[1] https://www.pwdhash.com/

> don't use HostMonster or Godaddy

http://internetshitlist.org is free for the taking :)

Two factor authentication should be one of the top recommendations. I'm not sure about the domain sites, but she mentioned a hacked Youtube account and it's possible to set up 2FA for that.