(Archived) Multi-word passwords


I'd really love to be able to include a space in a password for more security. Also individually passworded notes/private notes.

Hi. Welcome to the forums. Does anyone allow spaces, and how would that increase security? My recommendation would be to use random, regularly changed, and long passwords. These are far more effective than a space would be, and they are immediately accessible in the app now :)

As for password protecting notes, you can do that on the desktop by selecting a block of text and right clicking to get the option.

Link to comment

Thanks for the reply Grumpy.

Multi-word passwords have been shown to defeat brute force password hackers where normal passwords fail. "Spot chases the ball" is a better password than "Alison2012". Most web sites/apps allow spaces. After all, a space is just another ASCII character; if you don't allow it then the password is easier to crack. Your 'recommendation' is good but does not replace the use of a strong password that includes spaces.

In any case, I am a user of Evernote and the customer is always right ;-)

Give me a good reason why you CAN'T allow spaces.

Re password protecting notes - what desktop? what right-click? I use Android app and web site.

cfallen

Link to comment
Hi.

(1) Do Spaces Matter?

Maybe spaces are the secret ingredient. I don't know, but I don't see them coming up among discussions by experts. My takeaway from this Ars Technica article (http://arstechnica.com/security/2012/08/passwords-under-assault/) is that we all need long, unique, random, regularly changed passwords. If spaces are not going to help much, then why should Evernote invest resources into them?

(2) The Customer Isn't Always Right

Sorry. It's just not true, and you can test this yourself by looking at this thread! I don't want Evernote to invest their resources into providing support for spaces. You do. Both of us can't be "right"! But, one of us can be more persuasive. If you have a more persuasive argument to support your case, you are in luck, because developers read these forums and sometimes take up our requests.

(3) Password protection

I don't think the Android and Web clients will encrypt notes (thereby providing protection). Sorry. It would be nice if they did, so we agree there!

Link to comment
I once read a long, scholarly article (but sadly didn't Evernote it!!) that 'proved' that long passwords with spaces were 1) easier to remember and 2) harder to crack - so hard in fact that thousands or millions of processor years were quoted as being the requirement for a brute-force hack. The root of the argument was "you can never predict where the space might come".

I was idly impressed with that, but more taken by the fact that a phrase - like a line from a poem - is a darn sight easier to remember than a long series of random characters. Longer passwords are clearly more protection against brute-force approaches, but Mxyztplk is about as much as I can handle in random-speak.

Then, when trying to explain this to someone else, it occurred to me that brute-force hacks require trying all the alphanumeric characters in every available position - and that a 'space' character is just one more character. So in adding a space, you kick the number of variables up from 62 (a-z, A-Z, 0-9) to 63.

That's a significant improvement, don't get me wrong; but no better than adding $ % & or * - and lots of websites now allow any character in passwords, so you can get 255x255x255... levels of security, and you are getting towards 'age of the Universe' levels of protection.

Having said all of which: as long as the current system is secure, and we have no sign that it is not, I'd rather see shiny new features than have someone spending lots of time polishing the brasswork.

I'm sure the Evernote Powers That Be will take all of this on board when they're considering the next step in their ongoing plan to take over the world - and maybe they already have plans to beef up security. We may never know until the next release!

Link to comment
Agreed. The difference between a space and an underscore, from the perspective of a computer, is negligible.

Using a password manager, you can easily manage hundreds of random passwords of any length. For those of you old enough, and fortunate enough to have watched Star Trek the Next Generation, you'll know the value of modulating laser and shield frequencies -- in other words, regularly changing the passwords in a random manner that makes it impossible for your Borg opponents to handle.

I am quite confident that a good hacker (the NSA or another state-funded entity) could break my passwords, but only if they are really determined (long, random, and unique passwords) and quick (regularly changing). I don't think a space will present a significant deterrent to hackers. And, as the article I linked to said, non-random, short passwords are breakable within a few seconds / minutes. In a sense, it doesn't matter what the content of a password is, as long as it is long.

Link to comment

Agreed. IMO, us "regular folks" who have strong passwords likely have nothing to worry about. Think about it... Unless one has worked for the CIA, has billions of dollars or slept with a President, what draw is there to brute force into our accounts??? As GM has pointed out before (and I agree), often the reason "regular folks" get hacked is because they don't put PINS on their phones/computers or use strong passwords (that are not easily guessed like your dog's name). Once a hacker realizes it's going to take a brute force attack, unless you are an obvious/intentional target (aforementioned CIA employment, financial status or sexual activity), then they are going to move on to the next potential target.

Link to comment
"Sexual activity"? Do hackers and governments target you more the more sexually active you are?

Link to comment

I don't think it's quantity...rather if you've slept with someone famous. :P It may increase your chances of getting hacked if you've slept with a lot of famous people...??? I don't know. OTOH, if you've slept with a lot of Hollywood folks, probably not hacker target material, since that's probably already out there in People, Us or one's autobiography. OTOH, if you've slept with someone like a President. Or if you have photos of a naked future Queen of England...you may want to have a really, really, really strong password. :lol:

Link to comment

You have it right there GM, longer is better where passwords (and sexual activity?) are concerned. But that's the point. "The Queen of Sheba" is a more memorable phrase than 3v3rn0t31sth3B35t but just as secure - in fact more secure because there are 63 possible characters instead of 62, and, I disagree with you here, it does make a significant difference.

Here's some interesting web content for you:

http://programmers.stackexchange.com/questions/126924/why-do-certain-sites-prevent-spaces-in-passwords

http://www.symantec.com/connect/articles/ten-windows-password-myths

http://stackoverflow.com/questions/632167/should-users-be-allowed-to-entered-a-password-with-a-space-at-the-beginning-or-e

Yes, there are lots of fancy new bells and whistles that we'd love to see in the app; in the end, however, it's getting the basics right that makes for the superb experience that we all enjoy.

Link to comment
Personally, I think it's a fair request, but it's just not clear to me that allowing for spaces in passwords is a 'basic', particularly when you can already include punctuation in your password. Your "The Queen of Sheba" vs. "3v3rn0t31sth3B35t" is a bit of a straw personage, since you can just as easily use "The-Queen-of-Sheba" without any loss of security (aside from the extra little bit you get by extending the range of characters to include space characters).

Link to comment

Fair enough jefito! I can't ever forget my EN password after this little conversation so what's the deal... Of the Web/smartphone apps I use only 3 do not accept spaces: Lastfm, Skype and Vodafone. There are many more that do than don't. I just expect EN to conform with what I consider a basic functionality of passwords and make our lives easier (those other apps too!).

Link to comment
The information feels outdated to me. I could be wrong, but the dictionary hacks and the huge number of password breaches in recent years have allowed hackers to construct much more sophisticated attacks. I haven't heard any expert these days say that memorable passwords are as secure as random ones. It's not just the length, but the random element that makes long passwords so powerful. Again, I think the Ars Technica article explains why.

Link to comment
Using this site to analyze the two 18 character passwords

https://www.grc.com/haystack.htm

Important to point out that the site is not a Password Strength measurement. It is a Search Space Calculator.

See the link for the discussion.

The Queen of Sheeba wins by a huge margin over 3v3rn0t31sth3B35t

The Queen of Sheba

3 Uppercase, 12 Lowercase, 0 Digits, 3 symbols

1.73 hundred billion centuries

3v3rn0t31sth3B35t

1 Uppercase, 8 Lowercase, 8 Digits, 0 Symbols

9.55 million centuries

But if Quantum computers are developed, neither version will be safe.

Link to comment
I've never quite understood this site. Hackers don't just randomly throw in characters, and all this site does is calculate the size. As long as the content is not random, then it is useless, right? It's not just size that matters, especially if your password is not unique and random. If site X gets hacked, and you are using a similar password, then site Y and Z becomes vulnerable. At least, that is how I understand it.

Link to comment
It's a fun game to play, but perhaps open to less than scientifically rigorous results. For one, you're comparing a 19-character password to a 17-character password. So try extending "3v3rn0t31sth3B35t" by two punctuation characters: 3v3rn0t31sth3B35t!!, and it's a winner. You can also replace the spaces in "Queen of Sheeba" with '.' or '-' and get the identical result.

Link to comment
Yeah. I trust Ars Technica on this one. The super secure password of "abcdefghijklmnop1234567890" will supposedly take centuries to crack. LOL.

Link to comment
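
Added example (not part of any post in this thread, and not GRC's code): a Python sketch of the search-space arithmetic the posts above argue about, set beside a word-level guess count, to show why a search-space figure overstates the strength of non-random passwords. The character-class sizes, the rate of 10^14 guesses per second, and the 10,000-word vocabulary with three separators are assumptions chosen for illustration.

```python
import string

# Character classes as a search-space calculator counts them
# (assumption: the symbol class is the 32 ASCII punctuation marks plus space).
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation + " ", 33)]
GUESSES_PER_SEC = 10**14                       # assumed attacker rate
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password):
    """Sum the sizes of every character class that appears in the password."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))


def search_space(password):
    """Count all strings over that alphabet with length 1..len(password)."""
    a = alphabet_size(password)
    return sum(a**k for k in range(1, len(password) + 1))


def centuries_exhaustive(password):
    """Time to enumerate the whole search space at the assumed rate."""
    return search_space(password) / GUESSES_PER_SEC / SECONDS_PER_CENTURY


def wordlist_guesses(n_words, vocabulary=10_000, separators=3):
    """Guesses for an attacker who combines dictionary words with a separator
    (space, '-' or '.') instead of enumerating characters.
    vocabulary and separators are constructed values, not measurements."""
    return separators * vocabulary**n_words


if __name__ == "__main__":
    samples = ["The Queen of Sheba", "The-Queen-of-Sheba",
               "3v3rn0t31sth3B35t", "abcdefghijklmnop1234567890"]
    for pw in samples:
        print(f"{pw!r:32} alphabet={alphabet_size(pw):3} "
              f"exhaustive={centuries_exhaustive(pw):.3g} centuries")
    # Space and hyphen fall in the same class, so the figures are identical.
    # The keyboard-sequence password scores highest of all, although it is
    # fully predictable: the count measures size, not randomness.
    print(f"char-level strings for 4-word phrase: "
          f"{search_space('The Queen of Sheba'):.3g}")
    print(f"word-level guesses for 4-word phrase: {wordlist_guesses(4):.3g}")
```
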

Archived

This topic is now archived and is closed to further replies.
