18

I accept that nothing can be better than a truly random password.

I also know that it is A Bad Thing to use any personal information in a password.

However, given that it is difficult to get people to use proper password practices, and given that people remember personal information, even the most obscure, is it (practically, not theoretically) acceptable to use a password which combines obscure personal information which one can be reasonably certain is unknown to/undefinable by others?

To stress, I don't think we need discuss the theory of strong passwords.

If someone is over a certain age, they have a huge store of life memories and can choose from obscure items.

I can remember:

  • the 'phone number of an elderly aunt who died decades ago. We, most of us, have dozens of relatives, friends, neighbours, from days gone by.
  • the license plate of a car which my father drove when I was 8 or so (and which he, himself, could not remember when I mentioned it recently). How many cars have I, family, friends, neighbours, had over the years?
  • a university professor's name
  • a long defunct bookshop
  • a pub I haven't been within a hundred miles of in decades, and didn't frequent much, but was near to a place of significance to me
  • a train station, in a foreign country, where I once had a delicious snack
  • the post/zip code of a place to which I wrote actual letters, back in the day

I could go on and on.

For someone who can't/won't use a password generator (and we all know enough of them), this is better than correct horse battery staple.

Is it "good enough"? If someone refuses to use a password generator, should I urge them to try thinking of personal and unrelated info, which they are sure that no other person would know and no one would remember?

Jason C
  • 251
  • 2
  • 16
  • 5
    The problem is that all the things you just told us are now more or less worthless. Someone who can associate your SO account with your person, can crack your password a lot faster now. Anything that doesn't change is a bad part of a password. And in general you can choose whatever password you want, if you use it for multiple sites, just one has to be cracked or stolen and all your accounts are now not secure anymore. – HopefullyHelpful Feb 04 '17 at 18:18
  • I don't think relying on memory of obscure facts is any more practical than a password manager with one actually strong password, so I don't see the benefit of this method. –  Feb 04 '17 at 21:24
  • 4
    Some people are not willing or able to use password managers. – Mawg says reinstate Monica Feb 04 '17 at 21:26
  • If that's true, then they probably won't be "willing" to use a complicated system of memorized strings of personal info either right? So it's not a better system in that regard. –  Feb 04 '17 at 21:27
  • 1
    The issue here is that you have far less obscure personal info than online accounts, so even if all that info makes good passwords you'd end up reusing at least some of it and you lose a lot of security. – André Borie Feb 05 '17 at 01:40
  • 1
    @DoritoStyle: Not necessarily. People already use personal info as passwords (birthdays, names of children etc). You just have to explain to them that these things A) don't offer anywhere near enough entropy and B) they should combine several high-entropy personal trivia elements instead of just using a single one. For many (think children who don't have smartphones yet, or older people who don't use their phones for anything except calling their kids and just use a computer to check their e-mail), this is vastly easier than a password manager, although of course André's fear is justified. – Out of Band Feb 05 '17 at 08:27
  • 2
    If the password is stored in plaintext (that'd never happen, right?!) then you've just revealed some of the personal info that you use to generate passwords. Multiply this by number of sites who store info unhashed * number of people using this method == lots of info for cracking passwords a lot faster. – djsmiley2kStaysInside Feb 05 '17 at 13:48
  • @pascal That sounds much more complicated than a password manager to me. _Maybe_ I'm not being open-minded enough to the user's perspective, but I don't think so. Imagining explaining that system to my Grandmother makes me queasy :) –  Feb 05 '17 at 16:22

4 Answers

21

These elements aren't good enough by themselves, because phone numbers, license plates, names, zip codes etc. are known and enumerable and it's easy to add them to a word list of a password guesser. It doesn't matter that your aunt is long dead; her phone number is still just a number, and not a very large one at that.

The pub and name of a long defunct book shop are a bit better because the pub might be named "the lamb and wicker basket" and the book shop might be "eggertsons & son's mind food", which are probably not found on any readily-available list on the internet.

I'm not sure about where to put the train station. That's basically a place name, which I can get at by throwing a spider at wikipedia or possibly download in a ready-made list from some kind of GIS website, so I don't think that would be a good idea to use just one of these snippets.

However, as you suggest, combining these personal snippets would make for a very strong password. E.g. the phone number of your long-dead aunt, combined with the place you spent your first vacation at, combined with the licence plate of your grandfather, combined with the pub where you met your wife - that would probably make a very good password.

The battery horse staple thing comes from the diceware wordlist, which consists of about 7000 words. There are more zip codes, far more phone numbers, far more license plates, far more place names than that, so the resulting combination would be much stronger than a diceware password, assuming that your attacker didn't know you very well.

If you wanted to teach this method to people, you'd have to make sure that they understood that the strength of the resulting password depended on the number of possibilities for each of the personal snippets. "Your grandfather's license plate number" opens up millions of possibilities, while "your brother's favorite food" or "your best friend's favorite color" only offers a few easily guessed possibilities and therefore shouldn't be included as a part of the password.

Out of Band
  • 9,200
  • 1
  • 22
  • 30
  • 4
    An excellent analysis. In my case, I have worked in 15+ countries, so can come up with lots of things, in lots of languages, which others might have shared, but no one person could put together. Mix those with a few symbols & I should be fine. In general, it seems that others could use this approach, so long as they think carefully. – Mawg says reinstate Monica Feb 04 '17 at 12:23
  • 3
    I feel like long personal phrases are OK sometimes, if you can remember them (and *assuming you don't use the same one for every site*). E.g. "IHave2HandsAndMyCatsNameIsSpot". You can have rules to help you remember, like I always type numbers and use camel case, and as long as your passwords are sufficiently long and varied I don't think a consistent rule set really poses a danger as long as it's minimal. You just have to remember the phrase you associate with each site. – Jason C Feb 04 '17 at 16:13
  • 2
    One caveat in the comparison to the diceware word list: those words are chosen at random which is different from choosing things of significance to you. – dave Feb 05 '17 at 02:36
  • 1
    @Mawg, don't bother with the symbols. They don't add much security compared to the random personal info, and they make the password much harder to remember. – Mark Feb 05 '17 at 05:41
  • 2
    @dave: True, but as long as nobody can guess which elements are significant and which aren't (or even which list of elements to consider), it shouldn't matter. It's not perfect - if I knew Mawg spent his whole life in Okinawa, I could reduce the list of possibilities with fairly high confidence by only considering pubs from Okinawa, license plates from Okinawa, bookshops in Okinawa and so on, but in practice I'd need to do original research into his life in order to reduce the search space by just the right amount (enough to matter without missing the actual password). – Out of Band Feb 05 '17 at 08:12
  • I realise that my nomadic life has been non-typical. Stay-at-homes still ought to be able to think of some non-typical aspects of their life & home town. Btw, Schneier says that security should be good enough to make it not worth the value of what you secure. If you want to hack your old college roommate, are you really going to source the name of every shop, street, landmark, sports team, school, etc, etc in Detroit, try them all in every combination and then not get it because you don't know that he drops the last letter, or first vowel, or leet speaks every (Nth) word? – Mawg says reinstate Monica Feb 05 '17 at 10:10
  • 1
    This is fine for generating _one_ password, but then you've got to remember which pub for which site, along with which book, which phone number etc. This isn't easier than using a password manager. – djsmiley2kStaysInside Feb 05 '17 at 13:50
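The counting argument in this answer (a diceware list of about 7000 words versus snippets drawn from pools of very different sizes, and the comment about an attacker who knows the region) can be made concrete. The following is an added worked example, not code from the answerer or from this site; the pool sizes for each kind of snippet are constructed assumptions for illustration, not figures from the page, and the only number taken from the answer is the 7000-word diceware list.

```python
import math

# Constructed pool-size estimates (assumptions for illustration, not figures
# from the page): roughly how many candidates a guesser's wordlist would need
# to cover each kind of snippet if it knows the scheme but not the choice.
SNIPPET_POOLS = {
    "aunt's phone number": 10**7,        # a 7-digit local number, digits only
    "father's license plate": 10**7,     # letters + digits, order of ten million
    "defunct bookshop name": 10**5,      # unusual proper names, hard to list
    "foreign train station": 10**5,      # place names: scrapable, but plentiful
    "best friend's favorite color": 12,  # the kind of snippet the answer warns against
    "brother's favorite food": 50,
}

DICEWARE_WORDLIST_SIZE = 7000  # "about 7000 words", as stated in the answer


def bits(pool_size: int) -> float:
    """Entropy of one element chosen uniformly from a pool of pool_size values."""
    return math.log2(pool_size)


def diceware_entropy(n_words: int, wordlist_size: int = DICEWARE_WORDLIST_SIZE) -> float:
    """Entropy of an n-word diceware passphrase (words drawn uniformly at random)."""
    return n_words * bits(wordlist_size)


def snippet_password_entropy(pools: dict, chosen: list) -> float:
    """Entropy of a password that concatenates one value from each chosen snippet kind.

    Assumes the attacker knows which kinds of snippet are used and how large each
    pool is, but not which value was picked from it.
    """
    return sum(bits(pools[name]) for name in chosen)


def weak_snippets(pools: dict, min_bits: float = 10.0) -> list:
    """Snippet kinds whose pool is too small to contribute meaningfully."""
    return [name for name in pools if bits(pools[name]) < min_bits]


def targeted_entropy(pools: dict, chosen: list, known: dict) -> float:
    """Entropy left once an attacker narrows some pools with personal knowledge.

    `known` maps a snippet kind to the reduced pool size that knowledge allows,
    e.g. knowing the region restricts plates and stations to that region.
    """
    reduced = {name: min(pools[name], known.get(name, pools[name])) for name in chosen}
    return sum(bits(size) for size in reduced.values())


if __name__ == "__main__":
    strong = ["aunt's phone number", "father's license plate",
              "defunct bookshop name", "foreign train station"]
    weak_mix = strong[:2] + ["best friend's favorite color", "brother's favorite food"]
    # Constructed scenario: the attacker knows the region, so plates and
    # stations come from a much smaller set.
    region_known = {"father's license plate": 10**5, "foreign train station": 2000}

    print(f"4-word diceware:        {diceware_entropy(4):5.1f} bits")
    print(f"4 strong snippets:      {snippet_password_entropy(SNIPPET_POOLS, strong):5.1f} bits")
    print(f"2 strong + 2 weak:      {snippet_password_entropy(SNIPPET_POOLS, weak_mix):5.1f} bits")
    print(f"strong, region known:   {targeted_entropy(SNIPPET_POOLS, strong, region_known):5.1f} bits")
    print("snippets to leave out:", weak_snippets(SNIPPET_POOLS))
```

Two things the numbers show that the prose only states: swapping two large-pool snippets for a favorite color and a favorite food throws away roughly 24 bits, and an attacker who can pin down the region recovers about 12 bits without any other research, which is the trade-off discussed in the comments above. The estimate is only as good as the pool sizes, and it assumes the snippets are chosen independently of each other.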
14

For someone who can't/won't use a password generator (and we all know enough of them), this is better than correct horse battery staple.

Is it "good enough"? If someone refuses to use a password generator, should I urge them to try thinking of personal and unrelated info, which they are sure that no other person would know and no one would remember?

The real security benefit in using a password manager is not having long and pseudo-random passwords. Rather, it is that you have different passwords per site.

It is unfortunately still common to find websites (and mobile applications, etc.) that store their passwords in an easily reversible manner. If your friend's password gets revealed in such a way, it no longer matters how difficult it is to guess - the attacker doesn't need to guess, because they have a password to try on every other site.

Unless they're going to memorize different passwords per-site, I'd posit that teaching someone to use a complicated password scheme like this is irresponsible: it gives them an undue feeling of security.

Xiong Chiamiov
  • 9,402
  • 2
  • 35
  • 78
  • 3
    That's a really good point. But think about using a strong, unique password for your E-Mail account, which basically serves as a password resetter for every other site, and you've already done much good. – Out of Band Feb 04 '17 at 16:37
  • 6
    Or you can use that single strong, unique password for your password manager, and achieve much better security while remembering the same number of strong passwords. ;) – Xiong Chiamiov Feb 04 '17 at 16:57
  • Yes, agreed :-) – Out of Band Feb 04 '17 at 17:10
  • The best that one might hope for is a strong base password to use with a non-obvious part derived from the site name. ***Not*** `correctstaplebatteryhorseGmail` Of course, it can't be the same pattern for every site. How to go about it? – Mawg says reinstate Monica Feb 04 '17 at 17:47
  • 2
    @Mawg there are many posts here about building secure rememberable passwords, but they're all much more complicated than using a password manager. Whether your friend likes the answer or not, the answer is a password manager. – Xiong Chiamiov Feb 04 '17 at 17:53
  • Hokey, cokey, I will explain that to great aunt Edith :-) Yup, I agree with you - what you gonna do? – Mawg says reinstate Monica Feb 04 '17 at 17:55
3

Your idea is completely fine. If your password is sufficiently long, the only way an attacker could figure out your personal details is if they specifically target you and research your life. Unless you are famous, or extremely wealthy, or have access to secret information that could affect other people's lives, then it's probably the case that no one is specifically targeting you online. If you aren't being targeted, then the only way someone can guess your password is by intelligent attacks not specific to you, or by brute force. In other words, even combining your current licence plate number and current phone number and your dog's name and favorite food to make a 30 digit password will be more than sufficient protection against both non-targeted intelligent attacks and brute force. What you described sounds pretty much the same as that but on the order of 1000 times better.

Shout out to XiongChiamiov's answer though. This idea only works for any single password. If you want to remember 50 derivations of it for every different site you use, and one is compromised, the others could all be at risk too if the pattern is discovered.

CaffeineAddiction
  • 7,567
  • 2
  • 21
  • 41
TTT
  • 9,132
  • 4
  • 19
  • 32
0

There are two problems with obscure personal information for passwords (and password recovery questions).

One is that things simply aren't as secret as you think, especially in the hands of regular users. Watch https://youtu.be/opRMrEfAIiI?t=45

The other is that in actual implementation, this will get dumbed down. Someone will think that users need a hint what to choose, so he'll just include your list. Then some UIX person will complain that list is too long and most people won't read it, so it gets shortened. Then someone doesn't like entry #3 because it hints at racial bias in his mind (or whatever) and it gets removed. In the end, everyone uses the same three obscure pieces of information and you're back in the realm of enumerability.

Tom
  • 10,201
  • 19
  • 51
  • "complain that list is too long" - what list? I mentioned no list. There are obscure facts in my head, but no list. Or, am I missing something? – Mawg says reinstate Monica Nov 10 '21 at 20:04
  • @MawgsaysreinstateMonica - yes, you are missing that as soon as you make that a policy, or a best practice or anything outside of your head, someone will want it in list form. I may have skipped that step because it's so obvious to me (way too much experience in the field). – Tom Nov 11 '21 at 06:55
  • No one wants, or will get, such a list. It is for my personal use only. I get that people here agree that I should not do this, but there is no list, and giving such a list - which does not exist - to anyone would, I think we agree, render it useless. Which is why there is not any such list. – Mawg says reinstate Monica Nov 11 '21 at 08:34
  • 1
    @MawgsaysreinstateMonica if you want this strictly for personal use, then yes. – Tom Nov 11 '21 at 09:33
  • Thanks (+1). I guess that I did not make the question clear enough. – Mawg says reinstate Monica Nov 12 '21 at 10:35