Related story: For some weird reason, I memorized the serial key for a very popular software (I must have been fifteen then). Even today, I can recite the 25-letter key without a hitch. And I have used its first ten letters as a password to one of my accounts. Guess what? The password has been used 4000+ times before [1]. It's hard to digest the fact that there are at least a thousand people in the world who did the same thing.
The fact that it's even at the risk of being published on the public web should be enough to disqualify it as a passphrase for everyone.
I've had users use parts of lesser known poems or stories in some foreign language, because who would expect that, right? Turns out that's not what's relevant to a good password but rather whether it is in any available corpus.
If your passphrase consists of something likely to be in wikipedia you are guaranteed to get owned in minutes.
I memorized the win95 one (legit copy) which was easy since it was just digits (and I was way younger). It ended in 18805 iirc. Win98 was a copy from a friend and already had letters, much harder, but I eventually memorized that too. It started with g3pdy bdkv7.
Now that I think of it, a non pirated OEM windows key would have made for a great password. ;)
Sorry to scare you! I didn't think you were still using it. Honestly, it was the first thing that came to mind in terms of "culturally important serial keys"
I didn't know the well-known part. Besides, I was assuming that this was only one of the multiple, multiple keys. But, it's funny how popular it is, and that so many had a reason to memorize it.
Even if you've provided information which narrows your password down to ~5,000 possible values, you've effectively handed out your password to one of 5,000 internet strangers whom you will never meet in real life.
Then consider that this is Hacker News, and how many of those 5,000 have both the skills and motivation to exploit the information you've provided.
Never give out "hints" about your password. Not its contents, not its exact length, the physical location in which you store a copy, nothing.
If giving out the length hurts anything, there's enough going wrong that you should probably assume it's already compromised.
Unless there's something fundamentally wrong with the password, a public length of n is almost as secure as a secret length of n, and significantly more secure than a secret length of n-1.
Never get into the specifics of a password, but explaining the basic structure should be a tiny impact and well within your margin of safety, or you didn't make a good enough password to start with.
While you're correct mathematically, I still think it's a good habit to give zero information about your password. If you attempt to estimate the information leakage with every "hint", sooner or later you'll slip up.
My view is your secrets should be secure even if the attacker knows everything about how they are generated and used.
For example:
My password is 8192 characters long, leveraging only the ASCII character set (except \n\r\t\0)
It is changed every 28 days at 11:05am
It is only used on exactly 1 website and the username on that website is also only used on that website and randomly generated as well.
Good luck
(Tell me how and where I can make this stronger)
Telling someone your password is 8 characters long and memorable vs telling them it is 8192 characters long and unrecallable are two entirely different things.
This is a very hilarious post. Bravo, sir, or brava, madam. (Revealing your gender would likely be a security risk - if you leave that unspecified it doubles the space of possibilities!) I don't know what joyless types would downvote you.
Think of it this way: assume someone is trying to brute force your password. For simplicity let's say they know nothing about it, except that its characters are randomly drawn from a 50 character pool. As they guess passwords starting with 1 character, each added character takes 50x longer than all previous guesses put together to guess all possible passwords of that length. Put another way, if they knew the length beforehand, it would only save them from testing about 2% of the overall possible combinations.
Gotcha. I guess I was unclear about what "almost as secure" meant in this context.
So whether providing your length is a tangible security leak or not is essentially a function of the size of your character pool, because if your password is short enough for n-1 to contain a significant percentage of possible combinations then it's probably already short enough to brute force anyway.
That's not right. You can make a secure password using only ABC as your character pool, if you make it 60 characters long. In that case the percentage of combinations covered by n-1 is a full third of the n character combinations, and your attacker can get a 25% speed boost by you revealing the length. But it's still more secure than a 59 character password, and far more secure than a 57 character password, and all of them are extremely secure.
A good way to look at it is to measure the password in bits of randomness. At most, revealing length can shave off one bit. For any reasonable character set it shaves off a small fraction of a bit. And one bit does not make the difference between good or borderline or bad.
What you're missing is that a 59 character password (with secret length) is extremely secure, despite the even larger speed boost.
If you worry about any speedup in password cracking that is less than an order of magnitude, your password was too close to failing to start with. Make your password 5% longer, which will make it at least 20x slower to crack, and then you won't have to care if "20x" gets reduced to "15x".
You may say "It's not harmless to give up 25%. What if I give up 25% several times? That could make even a good password become insecure." but there's a limit to how much speedup someone can get from knowing the structure of your password. And the best way to evaluate the strength of a password is to assume that all the structure is public. So I can say that my typical passwords, being 20 mixed-case letters and numbers, all have a security of 2^119. It's possible that an attacker that uses the wrong algorithm would have to guess even more, but I'm not just worried about a clumsy attacker, I'm also worried about a moderately-high-quality attacker. It's a bad idea to depend on that extra .1 bit I could get with this character set, or that extra .4 bits I could get with a smaller character set. Just assume the length is known.
I'm confused about how that has anything to do with disproving my conjecture that whether providing your length is a tangible security leak or not is essentially a function of the size of your character pool, because if your password is short enough for n-1 to contain a significant percentage of possible combinations then it's probably already short enough to brute force anyway. You're just redefining what "secure" means.
I think we disagree about what a "tangible leak" is. I don't see it as tangible because it's eating into a tiny margin that you never should have counted in the first place. You do see it as tangible because it might make the attacker's job faster by several percent.
And that's fine, we can have different opinions on that part.
But "probably already short enough to brute force" is definitely not right. That percentage depends entirely on character set, not the length of your password. If your password is just numbers, then n-1 always has 10% as many combinations, whether your password is 5 characters long or 200. If you meant "probably already weak enough to brute force" that's not true either. Lots of passwords with mixed case and numbers and symbols are very short and pretty weak. Lots of passwords with only letters are very long and quite strong because they're made-up phrases. You can't guess the strength of a password just by knowing the percentage of [length n-1 combos] / [length n combos].
But 10% of 100 is magnitudes different from 10% of 10,000. The smaller the length, the more each percent (in terms of entropy) matters when we're talking about complexity as a function of brute force time.
And by that metric losing 2% of 1000 is a far bigger problem than losing 10% of 100,000. I agree that length is the most important factor, I'm just saying that character pool isn't very important to final security.
You need "sufficient" n no matter what your character pool is, and knowing the character pool of a password doesn't let you reliably predict if n is sufficient.
We'll take 60 possible characters (alphanumeric with caps and a few special characters). The summation 1...N of 60^x is (60/59) (60^N - 1). Known length is 60^N. If we assume N is big enough that the minus one isn't important, you can see going from known to unknown only increases the guesses by a factor of 60/59!
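The arithmetic in the thread (keyspace with and without a known length, the 60/59 factor, "at most one bit", the 2^119 figure for 20 mixed-case alphanumerics) carried through in Python, as an added example that is mine, not any commenter's code. It generalizes the 60-character case to any charset size c and length n using the closed form sum_{x=1..n} c^x = c(c^n - 1)/(c - 1); the charset sizes in the table at the bottom are my choices for illustration.

```python
import math


def keyspace_known_length(charset_size: int, length: int) -> int:
    """Guesses needed to enumerate every password of exactly `length` chars."""
    return charset_size ** length


def keyspace_unknown_length(charset_size: int, length: int) -> int:
    """Guesses needed when the attacker must also try every shorter length.

    Closed form of sum_{x=1..n} c^x, i.e. c * (c^n - 1) / (c - 1);
    for c = 60 this is (60/59) * (60^n - 1), as stated in the thread.
    """
    c, n = charset_size, length
    if c < 2:
        raise ValueError("charset must have at least two symbols")
    return c * (c ** n - 1) // (c - 1)


def length_leak_fraction(charset_size: int, length: int) -> float:
    """Fraction of the unknown-length search space skipped once length is known.

    Tends to 1/c as n grows (10% for digits, 1/3 for 'ABC', 1/60 for 60 chars)
    and, as the thread notes, depends on the charset, not on the length.
    """
    known = keyspace_known_length(charset_size, length)
    unknown = keyspace_unknown_length(charset_size, length)
    return 1.0 - known / unknown


def bits_saved_by_known_length(charset_size: int, length: int) -> float:
    """Entropy (bits) removed by revealing the length: log2(unknown / known).

    Bounded above by 1 bit (reached only for a 2-symbol alphabet).
    """
    known = keyspace_known_length(charset_size, length)
    unknown = keyspace_unknown_length(charset_size, length)
    return math.log2(unknown / known)


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of randomness in a uniformly random password: n * log2(c)."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    # Illustrative charset sizes (my choices): binary, 'ABC', digits, lower-case,
    # mixed-case alphanumeric, printable ASCII.
    print(f"{'c':>4} {'n':>4} {'bits':>8} {'leak%':>7} {'bits lost':>10}")
    for c, n in [(2, 60), (3, 60), (10, 9), (26, 20), (62, 20), (95, 20)]:
        print(f"{c:>4} {n:>4} {entropy_bits(c, n):>8.2f} "
              f"{100 * length_leak_fraction(c, n):>7.2f} "
              f"{bits_saved_by_known_length(c, n):>10.4f}")
```

The "bits lost" column is the quantity to watch: revealing length costs about 0.024 bits at c = 60 and never more than one bit, so it moves a password's rating only if the password was already on the margin.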
Well I was referring to the intersection between the two. Out of all of the potential people to see OP's post here, there is a much higher likelihood of at least one of them containing both the skillset and the motivation required to exploit the information than on other popular aggregators.
Popular electronics stores would do an in-store setup of your computer before you left with it. Part of this involved entering the user's name and windows key.
I probably used the same key to set up over 1000 PCs when I worked there.
'Back in the day' regular formats were a pretty good way of maintaining system performance. They still are really but computers being an order of magnitude overpowered for all the tasks 90% of users do makes it less relevant. You'd be surprised how easy it is to memorize long series of digits when you enter them a few times. For instance FCKGW. Who was the president in 2001? You'll now literally never forget those 5 letters.
It was the first consumer NT-based Windows, the first with activation and this key, which let you bypass all that, was out before the OS was officially released.
Whatever way you phrased this I feel Sherlock Holmes mode is happening here. And the following is tangential to the OP's headline so it may or may not be interesting to HN folk. Last week in my local paper the daily quiz asked what is the common name for "Galanthus nivalis". To my younger self it would have seemed impossible, but now that I am older and more informed (though NOT smarter) I spotted the 'gala' at the start. Hmmm. The word 'galaxy' starts with 'gala'. I remember that galaxy and milky way are somehow related. Milk is white. What flower (given it is Spring here in Northern Europe) could be white (-ish?). Aha, snowdrop! And to me (seriously) I felt utter astonishment that I was right. I am not smart. But this machine that I seem to have could do that. Well, wow to the maker that did that.
Wow. I remember this key too. It's amazing how far we've come from those days... just think, each open chrome tab takes up as much memory as your entire machine had back then.
What's this from? I have definitely seen it before but I can't put my finger on it and a quick search doesn't turn it up like the others on here - VLK for more recent version of Windows perhaps?
I've done the same, though I never used it as a password. Back around 2000 or so I was experimenting a lot with hardware configurations and I had input my Windows 98 SE key so many times during reinstalls I ended up memorizing it unintentionally. Even today, nearly 20 years later, I can recall it perfectly. It actually came in handy a couple of years ago when I built a P-III retro gaming machine out of scavenged parts; I found a Windows 98 CD at work collecting dust on a shelf, installed it, and instinctively entered the correct key without missing a character.
Word of warning, if you use an ad/content blocker like uBlock Origin, and block 3rd-party JS, then HIBP may give up on its k-anonymity mechanism and just send your password to their server in cleartext.
Ensure you specifically permit loading jQuery from cloudflare.com, and check network traffic using a test password first.
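What the k-anonymity mechanism is supposed to look like from the client side, and how to audit it with a test password as the comment above suggests: an added Python example (mine, not HIBP's own client code). It hashes the password with SHA-1, sends only the first five hex characters, and matches the 35-character suffix locally; a recording fake fetcher stands in for the network so you can check what would leave the machine before using the real endpoint. The `SUFFIX:COUNT` line format is that of the public HIBP range API; the sample response and its counts are constructed.

```python
import hashlib
import urllib.request
from typing import Callable, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public HIBP range endpoint


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix). Only the 5-char prefix is ever sent anywhere."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) locally for our suffix.

    Returns the breach count, or 0 if the suffix is not in the bucket.
    """
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity check: fetch the prefix bucket, match the suffix at home."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix: str) -> str:
    """Real network fetch of one bucket; used only when run as a script online."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for one bucket; the counts are made up.
SAMPLE_PREFIX, SAMPLE_SUFFIX = split_for_range_query("password")
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",   # constructed decoy entry
    SAMPLE_SUFFIX + ":12345",                  # constructed count for 'password'
    "01B7C8B5D8F0F9E0A1B2C3D4E5F60718293:1",   # constructed decoy entry
])


def make_offline_fetcher(prefix_served: str, body: str,
                         sent_log: List[str]) -> Callable[[str], str]:
    """Fake fetcher that records exactly what would go on the wire."""
    def fetch(prefix: str) -> str:
        sent_log.append(prefix)
        return body if prefix == prefix_served else ""
    return fetch


if __name__ == "__main__":
    sent: List[str] = []
    fetch = make_offline_fetcher(SAMPLE_PREFIX, SAMPLE_RANGE_RESPONSE, sent)
    print("count:", check_password("password", fetch))
    print("sent on the wire:", sent)   # five hex chars, never the full hash
```

The audit is the `sent` list: it should only ever contain 5-character prefixes, never the full digest and never the password itself. If a browser-side checker is sending anything else, that is what the network tab would show with a throwaway test password.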
I'm still impressed by the number of technical people that are willing to give you their passwords one way or another, a common way being when they are offered to check if their password has been leaked.
Once a friend shared with me one of those services, he was surprised when I raised my concern about compromising his password; he took a second to check the developer tools to see if there was any request including his password, there wasn't, so he called me crazy (it's well known that malicious sites behave differently on certain conditions, one is having the developer tools opened).
Anyway, I suppose that this blind trust is what makes phishing attacks so effective.
> it's well known that malicious sites behave differently on certain conditions, one is having the developer tools opened
I had always wondered if they do, and I've known it's possible, but this is the first time I've heard any accounts of it. Would you have more info on this?
As someone who has worked on scraping sites that really didn't want to be scraped, there is all kinds of interference with dev tools in the wild.
There are many ways to detect it's open (e.g. https://github.com/sindresorhus/devtools-detect) and it's also possible to mess with it without knowing it's open. A method that's widely used is firing the debugger break command many times a second, along with other stuff that makes using the tools nearly impossible (slows the browser down to a halt).
That script doesn't seem to be able to detect the chrome devtools when they're undocked, so that seems pretty easy to circumvent (who has them docked anyway?). The debugger break thing should be solvable with https://developers.google.com/web/tools/chrome-devtools/java...
I memorized my 16-digit library card, but only because it was the password required to access the library dial-in unix computer system, which allowed some minor read/write access to the disk, but more importantly, unrestricted access to the internet via lynx, which was, for reasons unknown to me at that age, way faster than the AOL browser with image support.
Yep.
I remember the big eyes of a bank clerk after she asked me to fill in some form regarding my card and I wrote the number without looking at the card.
I remember having memorized a couple of Windows serials. The reason that the Windows serial was used as a password by thousands of users might be related to the fact that some people didn't understand that they needed a new password and just typed the serial thinking that was the required one, or to non-English speakers, who could have misunderstood what was required.
Or just that after spending too much time installing pirated Windows for yourself, your friends and family, the number stuck to their memory. There's a whole spectrum of people between computer professionals like us and the computer-clueless people; some of them know enough to have served as front-line tech support for their family, but not enough to not use what's possibly the widest-known CD-key as a password :).
Being the "techy" kid in a 7 person family meant I was responsible for setting up any new devices on our wifi many many years ago. From the number of phones/consoles/laptops set up on the same WEP key, I have the 26 digit random hex string permanently ingrained in my memory. While I don't use it as a password any more, before password managers I'm pretty sure I had one of if not _the_ most secure banking password at the time.
My bank still has a mandatory fixed 8 numerical digit password, with 3 digit positions asked for login, and "two-factor" SMS confirmation for transfers. Very secure.
(key redacted as I realized they are still selling SC4 Deluxe on Steam. It was your standard 5 groups of 4 alphanumeric key)
When I was a kid I didn't understand why Sim City 4 Deluxe played after install but didn't play when I stuck disk 2 back in and clicked the game. It was my favorite game for a number of years and it wasn't until at least 2 or 3 years in I realized it wanted me to stick disk 1 in for the copyright protection and that disk 2 just worked during install for convenience reasons. I had been uninstalling the game every night before I went to bed (preserving saves!) and reinstalling it every day after school. One day I couldn't find the case with the key (probably got thrown away) and I thought I was going to have to buy it again but when I went to the computer I was able to get it first guess.
Been 15 years now. I suppose I'm never going to forget that key.
I have an old password I made up back when I was 13 that I still remember. Nothing complicated, and it only used 1, 3, 5, 7, and 9 (four corners of the numpad and the center key). 9 digits in length. I made it up because it was easy to key in. I went and checked and was surprised there had been no pwnage.
[1]: https://haveibeenpwned.com/Passwords