There's not much point in complaining about joke websites (it presents just a single password that is always the same) like this existing, simply because statistically it is expected that some people will build them for a laugh. They are harmful though, because some people enjoy spreading fake advice like this; and often they will gain traction.
For the more ethically inclined amongst us the best course of action is probably to add this 'password' to some of the lists of common passwords out there, to help password strength utilities to filter it out on the level of 'correct horse battery staple' — an excellent password in itself, but used as an oft quoted example and thus not suitable for actual use.
perhaps a better way to make this joke is to randomly generate a strong password every time the page is loaded-- who's going to look at it more than once anyway?
Which would basically be a password that is randomly generated from very poor quality entropy, giving almost as much insecurity as the current example, while fooling even more people (because it changes). Nice idea.
I reloaded it a couple times to verify that it was a joke. Unfortunately, my Grandma was looking over my shoulder and is now using this password on Facebook.
Is this a joke? Because this is already added to password crack dictionaries now...
If it is a joke, then they need something to indicate that, and very blatantly at that. Because there's a great deal of people who'd see that and not give it a second thought to use it.
Please don't use emoji in passwords until UTF-128 comes out.
Half of its code points (2 ^ 64) will be characters whose glyphs are every possible combination of 8x8 bit images. That way you can make monochrome graphics simply with rows and rows of adjacent characters in the enormous sized UTF-128 font.
And imagine how many emojis there will be? There would more than one emoji for every human who has ever lived.
In short, we'll have really safe passwords using characters from UTF-128. So be patient. ;-)
EFF Diceware FTW. >128 bits of entropy there. Has uppercase, lowercase, a number, and a symbol to satisfy misguided password strength rules. Being a passphrase it's much more memorable than simple passwords. Clearly this passphrase is the best.
I'd rather append 0A! to passphrases to satisfy silly requirements instead of capitalizing Every Single Word (impossible to type at speed) and inserting a symbol at a random place. This looks a little troubador-sy.
I think it'd be even better if they delved into the math behind why this password is so secure. It should then become apparent that the site is satire, and that the site doesn't randomly generate secure passwords.
Bonus points to only have the password below-the-fold so that those who aren't going to read the explanation will be less likely to copy, paste, and carry on.
Ideally, as mentioned in an earlier comment, the password could be seeded through the browser's fingerprint to allow the joke to remain (it'll be the same password upon refreshing) but still won't be as damaging for those who don't get the joke (it's still not cryptographically secure).
Those are some very good points. I was also thinking "oh someone computed the least likely password based on leaks, that's cool!" but it's just a static page with some garbage in a box...
Unamused. If anything, ambiguous characters should have been excluded. It's a very small reduction of keyspace in exchange for not entering the wrong passwords because of glyph similarities.
Either you're expected to remember these 20-character monstrosities (which is going to be beyond the abilities of most people with 5+ accounts), or more likely you're going to be reading them from a password manager.
Being ISO-compliant is all well and good, but it's been shown many, many times that making password restrictions this extreme causes more problems than it solves.
But then I thought about the users who don't know any better and might stumble onto this site. They aren't stupid. They just don't know any better, and a lot of education attempts can go over their heads. Worse yet, sites with poor password policies (seemingly every online banking site in existence, workplaces, sites with 16 character maximums, etc.) reinforce bad practices in their minds, while attempts at explaining the problems are forgotten. I'd probably explicitly note that it's a joke, especially if someone tries to copy the password. :)
Even if this site was not a joke, I wouldn't trust an online password generator, especially if the pass is generated on the backend instead of the client. A quick Google for 'password generator' yields hundreds of these sites which are more than likely run by the same outfit and are possibly logging the passes into a database to make cracking various accounts easier.
There's a few PW generators which run on the client only and don't send any requests to third parties, and I use them sometimes. They are typically very JS heavy and use different seeds to generate sufficient entropy, like client fingerprint, mouse co-ordinates, timezone, etc
The Mersenne Twister algorithm takes a random seed (which should be highly entropic) as input and then deterministically generates a series of outputs. It does not generate any entropy by itself, nor does it specify where your source of entropy should come from.
49 comments
[ 2.5 ms ] story [ 110 ms ] threadFor the more ethically inclined amongst us the best course of action is probably to add this 'password' to some of the lists of common passwords out there, to help password strength utilities to filter it out on the level of 'correct horse battery staple' — an excellent password in itself, but used as an oft quoted example and thus not suitable for actual use.
Or just don't and leave it as a joke the way it is, I think we're over-engineering this.
That being said there's an actual password generator "feature" in duckduckgo for some reason: https://duckduckgo.com/?q=!password&t=ffab&ia=answer
I can't really imagine why anybody would want to use that though...
The joke is it's the same every time.
Much more likely: a manager will issue a corporate directive that everyone must begin using this password at once.
https://www.ssllabs.com
And it gets a grade of A.
So that is definitely the password I'm going to use from now on!
Oh, and here's a useful function:
/* Returns a random integer that was determined by a fair roll of a dice. */
function randomInt() { return 4; }
Any internet noob searching for the most secure password might actually use it.
If it is a joke, then they need something to indicate that, and very blatantly at that. Because there's a great deal of people who'd see that and not give it a second thought to use it.
Half of its code points (2 ^ 64) will be characters whose glyphs are every possible combination of 8x8 bit images. That way you can make monochrome graphics simply with rows and rows of adjacent characters in the enormous sized UTF-128 font.
And imagine how many emojis there will be? There would more than one emoji for every human who has ever lived.
In short, we'll have really safe passwords using characters from UTF-128. So be patient. ;-)
EFF Diceware FTW. >128 bits of entropy there. Has uppercase, lowercase, a number, and a symbol to satisfy misguided password strength rules. Being a passphrase it's much more memorable than simple passwords. Clearly this passphrase is the best.
Bonus points to only have the password below-the-fold so that those who aren't going to read the explanation will be less likely to copy, paste, and carry on.
Ideally, as mentioned in an earlier comment, the password could be seeded through the browser's fingerprint to allow the joke to remain (it'll be the same password upon refreshing) but still won't be as damaging for those who don't get the joke (it's still not cryptographically secure).
The general principle is that humor does not scale. With enough users, the probability that a joke will be misinterpreted approaches 1.
I'm reminded of Al Franken's latest book where he talks about having to run what he says through the DeHumorizer now that he's a politician.
Either you're expected to remember these 20-character monstrosities (which is going to be beyond the abilities of most people with 5+ accounts), or more likely you're going to be reading them from a password manager.
Being ISO-compliant is all well and good, but it's been shown many, many times that making password restrictions this extreme causes more problems than it solves.
But then I thought about the users who don't know any better and might stumble onto this site. They aren't stupid. They just don't know any better, and a lot of education attempts can go over their heads. Worse yet, sites with poor password policies (seemingly every online banking site in existence, workplaces, sites with 16 character maximums, etc.) reinforce bad practices in their minds, while attempts at explaining the problems are forgotten. I'd probably explicitly note that it's a joke, especially if someone tries to copy the password. :)
There's a few PW generators which run on the client only and don't send any requests to third parties, and I use them sometimes. They are typically very JS heavy and use different seeds to generate sufficient entropy, like client fingerprint, mouse co-ordinates, timezone, etc
$ ./LinPass.sh luser
xTJ2B2X3
$ ./LinPass.sh luser
JzILD3qd
$ ./LinPass.sh luser
IzlXki81
$ cat LinPass.sh
#!/bin/bash
id "${1}" > /dev/null
if [[ $? -ne 0 || -z "${1}" ]]
then echo -e "Usage: $0 logname [pw]\n\treset logname's pw & force chg"
fiif [[ -z "${2}" ]]
then while [[ $pw != [A-NP-Za-np-z]* ]] || # Begins with a letter
else pw="${2}"fi
#echo "${pw}" | passwd --stdin "${1}"
#chage -d 0 "${1}"
echo "${pw}"
#http://brandonhutchinson.com/wiki/Linux_Password_Policy #chage -m 7 -M 90 -W 14 hutchib; #chage -M 85 -W 5 -I 5 "${1}"