DEV Community

Cover image for Please Explain Passwords Like I'm Five
Vishwa Jay
Vishwa Jay

Posted on

Please Explain Passwords Like I'm Five

While I was trying to create a new website (the hobby kind of site, not the business kind), I encountered a problem: user login.

And yes, I'm a beginning coder. I need the five-year-old-level of this.

My friend saw me code the more typical "one-uppercase, one-lowercase, one number, and one special character" version with a minimum of 12 characters. That that's when he hit me with both the US National Institute for Science and Technology (NIST) guidelines guidelines (800-63b) and XKCD comic about Correct Horse Battery Staple.

But then someone else overheard, and sent me this rather awful slippery-slope straw-man article. And when I went to get the actual thinking behind each, I found there was more subjectivity than sound reasoning.

The debate quickly devolved into each side calling the other side names like "idiot" and "fascist", while neither side really made its case (other than taking lots of time to show me "what ifs" and engage in slippery-slope, strawman, red herring, and various other fallacious arguments).

So, what's the actual logic behind the answers? Can you please explain to me the actual thinking as if I'm five years old?

Top comments (9)

Collapse
 
mellen profile image
Matt Ellen-Tsivintzeli • Edited

I can't say I have logic, as that's a mathematical word that requires proofs and stuff. I have reasons.

The important thing for me is reasoning how much people want my passwords.

Who am I to them?

As much as I am the hero of my own story, in the grand scheme of things I'm nobody. NoΓΆne is coming after me with a crowbar to get my details. I am not targeted by spearphishing attacks (or regular phishing attacks, to be quite honest).

If I'm brutally honest, I am quite paranoid. I over think every interaction I have with people and spend too much time worrying about what they might do to me.

So on balance I overestimate the likelihood any account will be hacked.

This has led me to using a password manager where I can, and four arbitrary words where I can't.

A password manager generates random passwords, and I don't even know them, let alone remember them. Luckily the manager never* forgets. This covers most of my passwords. I even use it to fill in security questions.

I'm pretty good at chosing arbitrary words. I try and cover most of the alphabet, to keep the "entropy" high, and I only use a password once.

This makes my passwords hard to guess and if you get one, you only have the password for that account and not all of them.

If I get told to change a password because of a breach, I do it. Better safe than sorry. (If it's because of a policy of password changing, then I do it to keep using the account.) I don't change my passwords unless I have to, because it's a hassle.

So for passwords that I have to remember I use uppercase and lowercase characters. For passwords I don't have to remember I use whatever I'm allowed to. I try to make both types of password long.

*so long as I have and test good back ups.

Collapse
 
vishwajay profile image
Vishwa Jay

This seems sensible, but as was raised in another reply, what about things like TV or game console logins, where typing things one character at a time is likely to take several minutes just to login?

The rest of the advice, that's just good advice in general for passwords, and all as we should be doing. The question is more about the choice between randomized strings and human-memorable password systems.

And for the record: I use a password manager with random strings because it's handy for digital interactions on my various systems; but it's not great for every application.

The issue once again boils down to the thinking behind why 18-character random strings are superior to 30+ character random quotation strings, randomized human words, etc.?

Collapse
 
vishwajay profile image
Vishwa Jay

Addendum: The word "logic" in a computer context is not the same as the word "logic" in a human context. Socially, we use the word to imply higher reasoning and linearity of causal relationships (e.g., cause-and-effect). So, the way I used it, it was still perfectly acceptable, and doesn't require mathematics or proofs.

Thread Thread
 
mellen profile image
Matt Ellen-Tsivintzeli • Edited

I didn't mean to imply you'd used the wrong word. The question seems couched in information security, which is a highly mathematical field. Since my reasons are not mathematical I thought it best to preface my post with a disclaimer.

Collapse
 
mellen profile image
Matt Ellen-Tsivintzeli

That's a good point about smart TVs etc. I hate having to put in passwords on those things regardless of the type. My LG TV has a system where I can log in via my phone, but my Nintendo Switch is a PITA.

Collapse
 
tiguchi profile image
Thomas Werner

I skimmed over Diogo's article and the main takeaway I can see there is that we should not bother with generating memorable passwords such as the XKCD password scheme, because everyone (in an ideal world) should be using a password manager application that handles the creation and use of completely random passwords. Most of them also come with features for automatic login (e.g. via browser extension), so it shouldn't be necessary to know or memorize any passwords.

Overall it seems the author is concerned that the XKCD comic spawned a series of blog posts about "creating memorable passwords" that could lead people to come up with their own "random" pass phrases without using a proper random generator, which could diminish the strength of those passwords, since people would probably tend to use words that have meaning to them (e.g. the city they live in, name of spouse, children or pets etc.) in a syntactically correct order. The attack angle here would be that a hacker would study LinkedIn and other social media profiles of their victim and come up with a possible dictionary of words that are relevant to the user. Based on that they could try to brute force passwords that might be used by their victim.
Well made authentication servers however recognize brute force attacks and would suspend the account, send an email to the victim and ask them to reset their password.

XKCD-style passwords are strong enough though when completely random words are chosen from a big enough dictionary in a completely random order. My password manager of choice "KeePassXC" can generate pass phrases like that. I do not come up with my passwords or pass phrases myself. I also do not memorize or know any of my own passwords, except for the master password for opening my password manager.

In situations where password managers are unavailable though, and where users are forced to manually enter a password into a login form, such as on TV apps or video game consoles, XKCD-style pass phrases are much easier to deal with.
Regular secure passwords with upper case, lower case and special character requirements are really painful to enter correctly by hand without the help of a password manager.

Collapse
 
vishwajay profile image
Vishwa Jay

While I absolutely agree with what you've said, there's an unsaid part that I'm still not clear about. You have an unspoken assumption (the word "enthymeme" applies) that human-memorable passwords of the length of any famous quotation (including spaces and punctuation) are insufficiently secure. I mean, even a short quote is going to be something like 30 characters in length. So, why would we then need to encipher passwords beyond the XKCD comic, if the real measure is brute force cracking?

And if it's not, then what is the measure, and why is randomization of a password string considered more secure at 18 characters than a random quotation of 30+ characters?

That's really the point, here: I don't get the actual thinking behind your position (or the opposite, really, even if it sounds in my reply as if I'm taking their side ... because I really don't).

Collapse
 
entrptaher profile image
Md Abu Taher

I asked ChatGPT.

Please Explain Passwords Like I'm Five

A password is like a secret code that you use to keep your things safe. It's like a lock that you put on your stuff, and only you know the code to open it. You can use your password to keep your toys safe from your little brother, or to keep your cookies safe from your friends. That way, only you can get to your stuff, and no one else can take it or mess with it.

Collapse
 
hollychilde profile image
HollyChilde

Thanks for sharing informative information.vashikaran removal mantra