
Comment Re:Wasn't quite the revolution ... (Score 1) 134

I appreciate your idea, but I don't think it's that good a fit for the Segway.

People that can't walk a mile most likely need their own assistance tech - a walker, a wheelchair - on the bus or train as well. And people that don't have time to walk a mile or two won't be helped by a thing that barely moves above walking speed. A bicycle rental spot (or free city bikes) would be more helpful and less costly.

Comment Re: For work I use really bad passwords (Score 1) 136

Then another site I used got hacked. And at that point I decided I was better off using a password manager and using different passwords for each site.

Yeah, that sucks.

I use a password manager as well, mostly because I'm lazy typing. It gives me the added benefit that if one of the sites gets hacked, I can check the PW manager to see where else I use the same PW.

You can use different passwords, if you like. I don't do it because it would mean that when I find myself without my PW manager, I'd be fucked. And it happens quite often that I do.

Comment Re: For work I use really bad passwords (Score 1) 136

The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.

These bullshit "security questions" are actually the weakest link. I don't use them. If the site enforces it, I fill them with noise.

Think about what the minimum information an attacker would need to access your bank account (either login or social engineering) and then look at how many sites have that information.

Depends on your bank. Mine doesn't let me log in with username or password or any such crap. Also, every bank worth its money these days will use 2-factor authentication, or send a TAN by SMS or something like that. More and more banks will also send you SMS to inform you about every transaction made, so you can stop any abuse immediately.

Banks are among the few who actually take security seriously. They're not perfect, not by far, but they are still among the only commercial entities to use one-time-passwords (those TAN lists) and were among the very first to use 2-factor authentication.

So, to answer your question: What do you need to access my bank account? Nothing you would find on any of the forums, games sites or even my Amazon or iTunes account.

Comment Re: For work I use really bad passwords (Score 1) 136

Changing passwords doesn't make them magically more secure.

What do you hope to accomplish? If you have a good reason to change, change. If you don't, you change for prophylaxis, to stop someone who may have been using your account for something. But if you didn't even notice, what's the damage? And if he's a pro, he's also changed the password reset email address, at least on sites that don't send a notice to the old address.

You're doing a lot of effort for - what? If you can't answer that question, don't do it.

Comment Re:math (Score 1) 136

Because 9 orders of magnitude applied down towards zero would give you 3.

But the population of the US is closer to the zero point than the naive complexity estimate. To give a proper comparison of "we are wrong by relatively this much", you have to scale the offset correspondingly.

Comment Re:math (Score 1) 136

No, it wouldn't help.

The problem is techies thinking in techie terms. What would help is get a normal user into the room and give him an actual voice in the matter, when the policy is decided. You know, not John from the call center, but Frank the philosophy doctor who's now head of product management.

Comment Of Course It Is (Score 4, Insightful) 78

And they're not going to do anything about it until it actually happens, because that would cost money and some douchebag CEO wants a fat bonus this quarter. There could be a law if you could get Congress to cooperate. And if they weren't all old and actually understood anything about computers. You'd think as much as most of them fly, they'd be worried about that. I'd guess if you ask any given one, it wouldn't even be on their top 100 list of things to be worried about. Probably not even on their top 100 list of things to be worried about while flying.

Comment Regulation is ok, but the EU can't be a bad actor (Score 1) 247

Google does have an effective monopoly in search, and it's not a bad idea to have some degree of regulation in place to make sure that it doesn't harm consumers. (Though nonsense like a 'right to be forgotten' is going too far, and should be dropped)

The problem is that that very well may not be the EU's only motive here. At about the same time that the charges were announced, Gunther Oettinger, the EU's Digital Commissioner gave a speech where he said:

A great challenge is also Europe's position in the development of the next digital platforms that will gradually replace the current Internet and mobile platforms. We have so far missed many opportunities in this field and our online businesses are today dependent on a few non-EU players world-wide: this must not be the case again in the future. ... We need European industry 4.0 champions to win the global game in industry 4.0. ... Industry in Europe should take the lead and become a major contributor to the next generation of digital platforms that will replace today's Web search engines, operating systems and social networks.

Maintaining a level playing field and ensuring fair competition is one thing. Using the law to rig the market in order to engage in protectionism, however, is not acceptable. If the EU wants to pursue Google, they're going to need to do so in a way that is justifiably beyond reproach. Otherwise it's relatively easy for Google to restructure the way it does business internationally to prevent the EU from having any power over them, while still offering its services to persons in the EU, and to have many people cheer them on in the process.

Comment Re:The assumption is wrong. (Score 3, Informative) 136

The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.

That's consultant bullshit. The legal requirements are nowhere near this specific. It's only consultants that turn them into this nightmare of nonsense. I've worked in IT Compliance (SOX) for years. As long as you can describe why your password policy is good, it doesn't matter what it actually is. The problem is too many people don't invest the time to think a bit and simply take a so-called "best practice" and apply it. In way too many cases without reading to the end and realizing that this "best practice" was published in 1998 and may be a little outdated.

Comment Re:subjects are stupid (Score 1) 136

Still waiting for an article (actually, the posts so far also seem devoid) about pass-acronyms. "mhallifwwas" will pwn any brute force, any attack table (well, not any more) and it's a fscking nursery rhyme.

You can wait a long time, because there are too few computer scientists on the intersection of poetry, linguistic analysis and computer security to make that happen. You would need a good estimate of likely sentences used for input and that requires skills far outside the computing sphere.

A statistical analysis will likely reduce the set of probable letter combinations somewhat, but probably not by more than one or two orders of magnitude. An analysis of word-beginning distribution of letters will gain you more. Taking all that into account, my best gut feeling is that you'll end up somewhere in the area of 10^10 in complexity for an 8-character output. Better than passwords (which I've repeatedly estimated at around 10^7) but still not so great and probably much less than you'd expect.

Also, taking into account psychology and the fact that a fairly small set of phrases is much more popular than all the others combined, and that many users will choose a popular phrase instead of a personal one, you would also end up with the "password"-as-my-password problem in that a lot of accounts would have phrases from a list of maybe 1000 popular ones.

Comment Re: And it's not even an election year (Score 1) 407

:) I don't make a salary, I own my own business... I suspect a lot of those houses are bought the same way, by people who have money, but don't earn a lot of money, if that makes sense.

Well, if you own your own business you probably *should* make a salary. Incorporating and paying yourself a moderate salary (with the rest being profits as the primary/only shareholder, of course) is almost always going to be better for tax purposes. Thank the current ridiculous discrepancy between individual and corporate tax rates for that one...

And it turns out, that's not all *that* different from what I was saying - those houses are definitely bought by people who "earn" money, it's just not through their salary. Basically they took a risk (and were possibly paid less *salary* than they were worth) in exchange for stock options. If that risk was at Facebook, Twitter, etc (or one of the MANY other companies that either IPOed or was acquired) then they may have ended up with $$$ in stock options. That windfall then gets used to make a huge down payment on a house, since their *salary* just wouldn't be enough for an $8000/mo mortgage...

Comment math (Score 5, Insightful) 136

Been there, done the math, and I can confirm that the guy is 100% spot on. According to the slides of my last keynote on the subject, it basically goes like this:

We think the complexity of a password made in accordance with a typical password policy (at least 8 letters, at least 2 of them special characters or numbers, mixed upper and lower case) is on the order of 10^16.

What users actually read is more along the lines of "take a word, maybe abbreviate it, add one number and one of the easy-to-type special characters", giving us a complexity in the order of 10^7.

That's not a small difference. That's 9 orders of magnitude. That's like thinking the population of the USA is around 3000 people. That's how far off we are when we think about complexity of passwords in purely cryptanalysis terms, without taking user preferences into account.

What this guy did is really great, I wish I had time to do such a proof-of-concept instead of just speaking about it every time I get an opportunity.
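The two estimates in the comment above, worked through as an added example (this is not code from the poster's keynote): an exact count of the strings a typical policy admits, next to a small model of the "word + one digit + one easy symbol" pattern. The 20,000-word dictionary, the 8 "easy-to-type" symbols, and the two variant choices (abbreviated or not, capitalized or not) are assumptions of this example, not figures from the post.

```python
"""Added example: order-of-magnitude keyspace estimates for a password
policy versus the pattern users actually follow. Not the poster's code;
dictionary and symbol-set sizes are assumptions stated inline."""
import math
from math import comb

LOWER, UPPER = 26, 26
DIGITS_AND_SPECIALS = 10 + 33   # printable ASCII: 10 digits + 33 symbols


def policy_keyspace(length=8, min_special=2):
    """Count strings of `length` printable-ASCII characters with at least
    `min_special` digits/symbols, at least one upper-case and at least one
    lower-case letter. Exact: sum over class compositions (s, l, u)."""
    total = 0
    for s in range(min_special, length + 1):
        for l in range(1, length - s):          # leaves u = length - s - l >= 1
            u = length - s - l
            positions = comb(length, s) * comb(length - s, l)
            total += positions * DIGITS_AND_SPECIALS**s * LOWER**l * UPPER**u
    return total


def user_pattern_keyspace(dictionary_words=20_000, easy_specials=8):
    """Model of "take a word, maybe abbreviate it, add one number and one
    easy-to-type special character": word x {as-is, abbreviated}
    x {lowercase, Capitalized} x one digit x one easy symbol.
    The 20,000-word dictionary and 8 easy symbols are assumptions."""
    return dictionary_words * 2 * 2 * 10 * easy_specials


def orders_of_magnitude_gap(assumed, actual):
    """How many powers of ten the naive estimate overshoots reality by."""
    return round(math.log10(assumed) - math.log10(actual))


def summary():
    policy = policy_keyspace()
    real = user_pattern_keyspace()
    return {
        "policy_log10": round(math.log10(policy), 2),   # ~15.7
        "user_log10": round(math.log10(real), 2),       # ~6.8
        "gap": orders_of_magnitude_gap(policy, real),   # 9
    }


if __name__ == "__main__":
    print(summary())
```

The policy count is exact for the stated rules; it is the user-behaviour side that is a model, and changing the dictionary size by a factor of ten moves the result by only one order of magnitude, which is the comment's point: the gap is driven by the shape of the pattern, not by the fine print of the policy.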

Comment Re: For work I use really bad passwords (Score 5, Interesting) 136

Your first comment is close. Yes, a serious attacker has many better ways than cracking your password. In fact, I gave another speech on this a few months ago where I basically said that we should drop brute-force as a threat scenario from our password strength estimations, because any software that even allows a brute-force attack to be run is fundamentally broken and needs to be discarded.

Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.

Your second comment is totally wrong and one of the reasons we have so many bad passwords. We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.

I use 3 different passwords for 90% of the accounts I have. One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done). And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
My PayPal and banking accounts have their own passwords, as do my user accounts, database accounts and such. But for 90% or so of accounts, you don't really need a separate password (and using password managers ties you to them, which is why many people don't do it).

And I'm a security expert giving speeches at conferences about these topics. I'm just not a blind one-trick-pony who knows all about cryptography and nothing about anything else. If you begin to figure in psychology, HCI and other topics as diverse as design and linguistics, a lot of what's wrong with IT security begins to emerge more clearly.
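The "properly salt and hash" point from the comment above, shown as an added example that is not the poster's code: an unsalted single-round hash next to a salted, iterated password hash built from the Python standard library (PBKDF2-HMAC-SHA256). The record format and the iteration count are assumptions of this example.

```python
"""Added example: why a password store needs a per-record salt and an
iterated hash. Not code from the post; record layout and work factor are
assumptions chosen for illustration."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; raise it until one check costs ~100 ms


def store_broken(password: str) -> str:
    """'Before': unsalted, single round of a fast hash. Two users with the
    same password get the same record, and one precomputed table covers
    every record in the database at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_hardened(password: str, salt: bytes = None) -> str:
    """'After': 16-byte random salt per record plus an iterated KDF.
    Record format (an assumption of this example): pbkdf2$iters$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hardened(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check does not leak how many bytes matched."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_collides(store) -> bool:
    """Do two records for the same password look identical in storage?
    True for the broken store, False for the salted one."""
    return store("Summer2015!") == store("Summer2015!")


if __name__ == "__main__":
    print("broken store collides:  ", same_password_collides(store_broken))
    print("hardened store collides:", same_password_collides(store_hardened))
    rec = store_hardened("correct horse")
    print("verify right password:  ", verify_hardened("correct horse", rec))
    print("verify wrong password:  ", verify_hardened("wrong horse", rec))
```

Storing the iteration count inside the record lets you raise the work factor later and re-hash each user on their next successful login, without a flag day.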
