Talk:Password/Archive 1

Cypherpunk mention?
I wonder if a mention of cypherpunk would be appropriate. ex.#'_x,01>U+6 — Preceding unsigned comment added by 190.34.168.183 (talk) 15:14, 9 May 2013 (UTC)

Giving out default password lists
In the main article, 2 links to webpages that list default passwords are given, is this not dangerous to put this out into the public arena, may some doofus kiddy pick it up and try and use it to hack into cpanels, wireless networks etc.


 * It's not clear that such links are very encyclopedic, and might be deletable from WP on those grounds alone. Hawever, the underlying problem noted here both is, and isn't, serious. Default passwords will be required in any software distributed in large numbers as customization at the vendor will be uneconomic for them. Given this, there is, first, that any sysadmin who leaves any default passwords active on a system is foolish, perhaps even incompetent, and probably overworked. They're an open door for those inclined to mischief or worse. Second, since more than a few sysadmins don't actually change some or all default passwords, since vendors don't always make finding them even remotely straightforward, and since ..., the possibillity of a doofus script kiddy picking up such a list does pose some potential problems. Unfortunately such problems shouldn't exist (sysadmins should do their jobs) and can't be prevented by keeping widely spread information from the doofuses of the world (malicious or otherwise).


 * There is some controversy about whether security goofs (as such lists might be regarded) should be publicized or not. Advocates suggest that it encourages vendors to fix problems. Opponents (including many vendors) disagree, thinking something like Security through  obscurity, and they have gotten some statutory support (eg, in the US, the DMCA) for their position. Even some security organizations (eg, CERT) have taken the position that reported security flaws should not be added to publicly available lists until the vendor has addressed them.


 * No easy answer, in practice. ww 06:23, 16 October 2005 (UTC)

Randomness a good thing?
Ignoring for the moment, the problem of computer generated random numbers, is total randomness in a password inherently good? Here's my thought. If a password is used that is highly random in nature, a file search for entropy would detect it if in a file. Also, the more random the password is, the less chance of remembering that password. From an admin standpoint, is it better to reset passwords when forgotten, or to have fewer helpdesk tickets?

One thing I have done is tried to teach how to come up with strong passwords, that meet arbitrary password criteria/limits/etc, that CAN be remembered. There are very few resources online that help typical users come up with passwords. The article does so, but only one such technique.

First time on WP. :) Hope it works.
 * Regarding storage of random passwords, you could store the password information in a very redundant form if you were worried about an attacker searching for it specifically. In actual systems, passwords are normally stored hashed anyway, so if you've chosen a sufficiently strong password it's unlikely to be recovered by an attacker if the password file is compromised. &mdash; Matt Crypto 13:20, 10 November 2005 (UTC)

Please clarify recent edit
"A suficiently long password, and a sufficiently good hash algorithm have made this a reasonable strategy in many cases as the work factor imposed on such an attakcer can be made impossible in practice." Not sure what is meant.--agr 01:39, 25 May 2006 (UTC)


 * AR, Was attemtpting to revise/rescue previous edit. Took its meaning to be an attemtp at an historical comment on previous techniques of protecting passwords (a la early *nixen prior to shadow password file technique). Not satisfactory, I agree. Can you suggest something better that preserves what was (perhaps?) meant by prior edit? ww 03:41, 25 May 2006 (UTC)

What does it mean to "know" a password?
What does it really mean to say that "those wishing to gain access are tested on whether or not they know the password"? For the purposes of my argument, a PIN is easier: I happen to know every number between 0000 and 9999. That is, I know every four digit PIN. Does an automatic teller machine really want to test whether I "know the PIN"?

So, strictly speaking, it's more a question of whether the person can supply the correct password (within various constraints such as the number of attempts in a certain time period). Or perhaps it's whether I "know" the relationship between the particular system I'm trying to access and the particular password.

Of course, this is subtle, and some (especially those not involved in epistemic logic) might think it's too pedantic to worry about. Does anyone think it's worth making the point on the article page? Maybe someone could suggest a page that would be more appropriate for such a point.
 * John Y 07:43, 6 August 2006 (UTC)


 * I think you are correct that "knowing a password" is an assertion that string a is a valid password for system A and one can only claim that without knowledge of the password the probably of successfull access with in some time or number of tries window can be made arbitrarily small but not zero. There is always the possibility of a successful guess. --agr 14:01, 9 August 2006 (UTC)


 * Knowing a password is usually not enough: one has to know the password. A pedantic explanation would explain that even though you already may already know every number between 0000 and 9999, you do not know which one is the PIN in question.  I don't think it is necessary to explain the meaning of the, at least not in this article.  DRLB 18:37, 9 August 2006 (UTC)

Designing a personal user friendly password
I'm a little concerned about this. There are many good software applications which are capable of storing passwords securely.(eg Password_Safe Yet none are mentioned.  Instead people are told to use common phrases which can easily be brute forced.  Why is there no mention of incorporating symbols, ASCII Characters.  Would it not add merit to the article to explore writing a better password?  RLaudanski 21:58, 26 August 2006 (UTC)

Masking
The article does not mention "password masking", that passwords usually are masked with a character such as ***** or ●●●●●, but when logging on at Unix system, it doesn't output any masked characters.
 * Password masking is mentioned here. Tra (Talk) 16:49, 14 October 2006 (UTC)

External links section
I think the external link section is getting out of hand. There are a large number of links to password generation programs, many of questionable technical merit. We have a separate page on random password generation, so maybe we should remove password generation links from this article. --agr 20:26, 9 June 2006 (UTC)

I removed the "One Thousand Passwords" link @  - users who access this article may be falsely led to believe that these passwords provide excellent security. If they weren't permanently posted on a website, they would provide decent security; unfortunately, they *are* permanently posted on the website and are *not* re-generated for each person who hits the page. There are enough password generators out there so that if someone really wants a unique password, they can get one created exclusively for them. Sarah 19:22, 27 July 2006 (UTC)

I agree, in fact some links are just spam an must be deleted. 198.68.242.149 20:17, 25 January 2007 (UTC)

Merger: Graphical passwords
The notability of Graphical passwords has been questioned. It might be best to merge the content here (it's in fact only a few lines). If you agree, just go ahead and merge the articles.

Proposed as part of the Notability wikiproject. --B. Wolterding 17:11, 31 May 2007 (UTC)

Python / obfuscation

 * For additional security, many of the larger websites like Yahoo and Google utilize a language called Python in controlling and maintaining secrecy of the pages they dynamically serve to the browser by completely obfuscating any reference to file names in the URL that appears in the address window of the browser.

This idea is surely not restricted to Python. Also, what exactly is this alleged obfuscation, anyway? - furrykef (Talk at me) 06:22, 8 July 2006 (UTC)
 * I concur with this comment. If this can't be filled in, we should remove it. ww 15:54, 8 July 2006 (UTC)


 * This section doesn't make much sense to me. Have tagged it in need of attention Tjwood 14:01, 2 April 2007 (UTC)


 * It makes no sense, is off-topic, uncited and seems to be nonsense anyway. I've removed it. TGoddard (talk) 10:45, 26 January 2008 (UTC)

Lead sentence
It appears that the lead sentence, which defines the word, uses the word itself:
 * A password is a form of secret password authentication data that is used to control access to a resource.

This should be fixed, but I'm out of ideas at the moment. -- Ynhockey (Talk) 21:35, 15 May 2008 (UTC)

History
It's interesting that there seems to be no history to passwords. What system was the first to use passwords? Who came up with the idea?

noktulo 14:31, 31 May 2007 (UTC)


 * Your wish is our command. I've added a history section.--agr 15:32, 31 May 2007 (UTC)


 * Nicely written. I feel it belongs closer to the start of the article -- probably directly following the summary in fact. As it is, it reads like an afterthought.--Rfsmit (talk) 23:05, 3 March 2009 (UTC)

"Hacker" usage
The use of the word "hacker" with no explanation seems like it would be better replaced with "people/persons attempting to discover/guess the password." Hacker implies several different ideas including key logger users, or accessing the password from the disk of the computer by "hacking." --Iamjp180 (talk) 17:35, 2 July 2010 (UTC)


 * Agreed. I have changed "hacker" to "attacker", although note the first instance still links to Hacker (computer security), which I think is reasonable in the context. Mitch Ames (talk) 02:49, 3 July 2010 (UTC)

2D Key run-on sentence
This sentence is too long, has grammar issues, and needs some reworking:

"2D Key (2-Dimensional Key)[29] is a 2D matrix-like key input method having the key styles of multiline passphrase, crossword, ASCII/Unicode art, with optional textual semantic noises, to create big password/key beyond 128 bits to realize the MePKC (Memorizable Public-Key Cryptography)[30] using fully memorizable private key upon the current private key management technologies like encrypted private key, split private key, and roaming private key."

Unfortunately I don't know what they're talking about so I can't help. Unjedai (talk) 20:18, 29 September 2010 (UTC)

employee —Preceding unsigned comment added by 187.75.242.239 (talk) 15:56, 25 February 2011 (UTC)

potential resource
Logging In With a Touch or a Phrase (Anything but a Password) by Somini Sengupta published New York Times December 23, 2011 (page A1 and B6 in print) 99.181.153.29 (talk) 06:23, 29 December 2011 (UTC)

More citations?
Is this page really still in need of more citations? Reading through the article and seeing the list of references I'd say this article uses more than enough sources. I've not checked the validity of the sources themselves at this point, but don't see major concerns raised by others. Perhaps the tag at the top of the page could be removed? Apologies if this is not the right way to bring this up, I'm fairly new to Wikipedia. Mythio (talk) 17:50, 27 February 2012 (UTC)
 * You're quite right. Mythio. That tag was placed almost 4 years ago and the history shows that a lot of work has gone into this article since. As you said, there are plenty of references, which is all the reason you need to remove the tag. In future may I suggest that you be bold and do whatever you feel is right. You won't break anything! (And bad edits can easily be reverted.) Kind regards, nagualdesign (talk) 19:12, 27 February 2012 (UTC)

Willy Wonka
I'm pretty frustrated that a couple users won't allow my Willy Wonka trivia piece of information to stand on the password page. Quick google search confirms that it was a real piece of information. I explained to them why it was notable - fun and creative piece of information to add. Techno-fascists taking over Wikipedia, making it bland. I guess that's to be expected from a TOTALLY open source encyclopedia. — Preceding unsigned comment added by 184.56.165.100 (talk) 14:34, 29 April 2012 (UTC)
 * I noticed that it was added/removed once. If you try adding something a second time without discussing it first you will generally meet with opposition (this applies to the whole of WP) because not only will the reason for removal have not changed, but your apparent lack of willingness to engage in open discussion will be evident. At least you've said something now, if a little belatedly (ie, post frustration). You say you've explained why it was notable but there's no evidence of that here, or in the summaries of the article history page, so I'm not sure how you expect to get assistance from the wider community. And name calling and casting aspersions will get you nowhere. Show a little maturity and treat others with a little respect, even when they disagree with you, and you'll get much further (in Wikipedia and in life!) I only say this to help you, not to be combative, so please don't have a go at me! ;-)
 * Now, I'd personally say that the Willy Wonka thing isn't really notable enough for an article about passwords. Like you said yourself, it's trivia. So what makes you think otherwise? (Discuss) nagualdesign (talk) 17:52, 29 April 2012 (UTC)
 * ...Ah, now I notice your second attempt at including this piece of trivia, and the subsequent edits by Jasper Deng. My guess would be that it was Twinkle which flagged your edit as vandalism, probably because it was badly formatted and included a 'raw' link to another site. Then he noticed that it was a good faith edit and did you the service of undoing the Twinkle edit, but ultimately removed your contribution anyway because it was not notable. That about right? In which case I'd say you were treated respectfully. Perhaps you should have recognized that. Regards, nagualdesign (talk) 18:09, 29 April 2012 (UTC)

Forgotten password
I'm aware this is going to sound like the most stupid newbie question ever, but Wikipedia seems to have no obvious way of saying 'I am stupid enough to have forgotten my password'. Where does one do this, and how does one reset it? —Preceding unsigned comment added by 84.71.15.72 (talk) 21:21, 9 April 2009 (UTC)


 * If you are asking about how to reset one's Wikipedia password, I agree it's not the easiest thing to find. On the left sidebar on every page of Wikipedia, under the "Interaction" section, the "Help" link takes you to a page that has a link to the "frequently asked questions" page, which mentions the Help:Logging in page, which has a "What if I forget the password?" section. Perhaps you may find the tips there useful. One of those tips describes a self-service password reset system at Wikipedia more-or-less the same as ones used by other systems. Good luck. --DavidCary (talk) 07:18, 6 July 2013 (UTC)

Some missing common info on passwords???
I don't know precisely how widely this is known, but, theorectically speaking, I believe it's a common fact that many individuals choose their passwords (such as e-mail or a personal site) by having it be the name of something or someone with deep, personal value to them, thus making their password easy to remember. (i.e. the name of a deceased loved one, a favorite cartoon character, a favorite place, or a favorite article of clothing). Therefore, I think there should be a section that addresses this.

Throughout my life, I've learned from MANY password users that they customize their passwords based on something of great significance to them, personally. The logic behind this approach is that strangers would not be able to guess someone's password unless they knew that person very intimately, and could clearly observe where their tendencies point to. The downside to this, of course, is that if a close companion, or a family member tried to access that person's personal information, they would have a very good idea at what kind of emotional canvas they are dealing with. (For example: If you have a devoted fan of 'Dora the Explorer' in your household, the chances of that person having a password like 'Swiper22', or 'Isa74', would be rather high. [Those were purely examples I made up. I don't actually know a password with those names. If they've actually been used, it's purely a coincidence.])

Case and point: In the book "Star Wars: Jedi Apprentice #2 The Dark Rival", Qui-Gon Jinn enters a security center of Offworld Corporation, on the planet Bandomeer. He comes to a computer searching for security files protected by his former apprentice, Xanatos. Suddenly, there reaches a point where a soft computer voice asks for a password, but at the same time, a red, pulsating light illuminates the room, complete with a terrifying faint, steady beep, and Qui-Gon is able to figure out that he has only one chance to get the password right. He enters the name of Xanatos' father, Crion, whom he was forced to kill, at the expense of his padawan's loyalty. The only way he knows this is because Qui-Gon knows how Xanatos thinks, and furthermore, the way Xanatos could, in a matter of speaking, keep his beloved father alive and at the forefront of his and Qui-Gon's mind is by making the typing of his name mandatory in order to proceed onto other business affairs.

Again, this principle I discussed doesn't have to be the case ALL the time, but I know it to be very typical: Know the person, know the password. — Preceding unsigned comment added by 74.197.200.162 (talk) 04:50, 15 July 2013 (UTC)

case-sensitivity
Does anyone know of research about whether case-sensitivity policies makes passwords more secure? My guess is that it is mostly an annoyance for users (capslock problems). The search space (for brute force hacking) does not grow very much, especially since users do not tend to write pASSwOrDS but, if they have to use both capitals and non-capitals: Password or passworD; in effect only doubling the search space. Even if they did use completely random casing, the extra information for a 7-letter password would be around 1 extra character. A policy stating that the password must be 8 instead of 7 characters would have the same effect, but lacks the disadvantages of numerous helpdesk calls involving the capslock key. Joepnl (talk) 20:47, 26 November 2007 (UTC)

"Password or passworD; in effect only doubling the search space." The amount of possible variation (entropy) of such a password is a function of its length:

For lower-case characters only, that's a set of 26 characters:

1 character password = 26 possibilities (26^1)

2 character password = 676 possibilities (26^2)

3 character password = 17,576 possibilities (26^3)

4 character password = 456,976 possibilities (26^4)

5 character password = 11,881,376 (26^5)

If you use upper and lower-case characters, that's a set of 52 characters:

1 char = 52 (52^1)

2 char = 2,704 (52^2)

3 char = 140,608 (52^3)

4 char = 7,311,616 (52^4)

5 char = 380,204,032 (52^5)

So if you only use the 26 English letters, using mixed case gives you:

1 char... twice the security

2 char... 4 times the security

3 char... 8 times the security

4 char... 16 times...

5 char... 32 times...

Using an English (or other language) word in this calculation ruins everything, because English (or other language) has so many patterns (Q is almost always followed by U, etc.). Many programs are available that cycle through a dictionary, trying each word with variations in capitalization, rotation, etc.

Hope that helps.

--GlenPeterson (talk) 17:01, 19 January 2008 (UTC)


 * I think your are missing the questioner's point. Most users only capitalize one or two letters, which adds little security, and for short passwords, even random capitalization only adds about as much as just adding one more letter. It gets even worse if you consider security per keystroke, see . I believe users often pick weak passwords because they fear forgetting them and forcing them to use mixed capitalization only adds to that fear. --agr (talk) 00:25, 20 January 2008 (UTC)


 * Thank you for expressing exactly what i mean. I'm not a native English speaker so my apologies to Glen for not making my point clear. I hadn't even thought about the number of keystrokes, but that is definately another argument for banning case-sensitive passwords alltogether. I think the pro/contra argument about case sensitivity should be in the article because it is a quite basic thing about passwords. My POV is obviously that they shouldn't be case sensitive, but since every security system I know except for the ones i made myself are case sensitive there must be an NPOV way of describing the issue. Pro being the math Glen did, contra being the "real people don't do those things" argument. Joepnl (talk) 04:35, 24 January 2008 (UTC)
 * In case anyone missed it, Munroe says I'm right so that settles it. Joepnl (talk) 20:28, 28 December 2013 (UTC)

--78.137.88.175 (talk) 17:04, 11 October 2012 (UTC)

Password being not a computer concept
I don't know why, but this whole Wikipedia article is only about password used with computers (in the broad sense of the word "computers"). But passwords pre-date computers by thousands of yeards, ever since humanity exists. Why is there no word of spoken, graphical, other varieties of all the passwords widely used all the way until modern ages? Nick
 * Presumably because the utility of passwords has massively increased since the advent of computers and the need for computer security. Feel free to contribute by adding a history of pre-computer passwords, so long as it cites reliable sources. If you have any suggestions for reliable sources but don't feel like writing the text, you can also leave the citations here and they may be useful to someone who comes around to fix this article eventually. 0x0077BE  ( talk ·  contrib ) 15:58, 10 December 2014 (UTC)


 * Thanks for the invitation, unfo I don't have any particular ideas or citations. It just struck my mind how such a wide concept was narrowed down to computing only, and no historical section (even a stub). As if the article was written by XXI century people exclusively :) Actually it wouldn't be a truly history section, because even nowadays people use passwords in non-computing environments. Anyway, let this section be a call for furute endeavours in this direction. Nick

Merge Passphrase with Password, then redirect Passphrase to Password
The majority of the text in Passphrase exist in the Password article. The only thing needed is to state in the Password article that a Passphrase is the same as a very long password but that it usually refer to passwords that consist of multiple words, like a sentence. Rescator (talk) 07:13, 25 December 2014 (UTC)
 * Merge discussion is now ongoing at https://en.wikipedia.org/wiki/Talk:Passphrase#Merge_Passphrase_with_Password.2C_then_redirect_Passphrase_to_Password. Rescator (talk) 18:56, 25 December 2014 (UTC)

Removed several paragraphs
I've removed several paragraphs/sentences from the 'number of users per password' section because they were both inaccurate and not about password management but identity management. I'd rather even nuke the whole section since what's left is mosty 'citation needed'.

I've also deleted a paragraph from the 'password longivity' section, because it was unsourced misadvice misrepresenting the problem password ageing is supposed to address (as also noted by the already linked Scheier source!)

--TheGuyOfDoom (talk) 19:06, 26 September 2015 (UTC)

Semi-protected edit request on 13 January 2018
In the section Factors in the security of a password system, please change:
 * "The overall system must, of course, be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like." to "The overall system must, of course, be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like."
 * "And, of course, passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any (and all) of the available automatic attack schemes." to "Passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any (and all) of the available automatic attack schemes."
 * "And, of course, if the new password is given to a compromised employee, little is gained." to "If the new password is given to a compromised employee, little is gained."

This is per Manual of Style, which advises against the use of presumptuous and unencyclopaedic phrases such as "of course". It is also not appropriate to begin sentences with connectives, such as "and". 5.151.0.111 (talk) 20:19, 13 January 2018 (UTC)
 * Yes check.svg Done DRAGON BOOSTER   ★  08:37, 14 January 2018 (UTC)

Number of users per password
I suggest that either this topic be removed, or replace it with something like the following.

Computer systems typically use one code, the username, to identity a person and another, the password, to prove identity. In this case, to provide accountability, each username should be assigned to one and only one user, and the password should be kept secret. However, the system should allow different usernames to have the same passwords when users create or change their passwords. Notifying a user that a password is in use would reveal that someone else is using the password, which is a security design flaw. Revealing the identity of the person using the password is especially egregious, since it can reveal the login credentials of that user. [See for example .] 2600:1700:E900:7130:B121:7A0F:4C05:1F0B (talk) 00:55, 9 March 2018 (UTC)

Ad/Biased sentence
This seems very biased and like an ad. Especially the wording using  is odd. Additionally, why is only one out of the many password managers named? I suggest letting the user find an appropriate password manager themselves, or give at least a couple other options. — Preceding unsigned comment added by 46.166.142.214 (talk) 20:52, 27 March 2019 (UTC)


 * I agree. In fact, the entire two-sentence paragraph is out of place. Since there already is an article for password manager, why don't you just remove the whole paragraph? Tom Scavo (talk) 21:20, 27 March 2019 (UTC)

Explanation for recent removals?
The latest edit to the page removed a significant amount of content, citing "unencyclopedic edits and spam", and I was wondering if someone could clarify this. Specifically to the recently added section about Password managers.

Rmoli039 (talk) 02:44, 11 April 2020 (UTC)

UID assigned from username/password combo
IIRC, user rights are determined per UID, and UID is given from a unique username/password combo. On the first UNIX systems (and on some current ones), you may very well have (hopefully) different passwords for the same username, resulting in multiple UIDs. — Preceding unsigned comment added by 212.68.228.236 (talk) 01:29, 21 July 2004 (UTC)

Wiki Education Foundation-supported course assignment
This article was the subject of a Wiki Education Foundation-supported course assignment, between 6 January 2020 and 25 April 2020. Further details are available on the course page. Student editor(s): Rmoli039. Peer reviewers: Lesliany D Vargas.

Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT (talk) 06:11, 17 January 2022 (UTC)