From Wikipedia, the free encyclopedia
WikiProject Computing / Security (Rated C-class, Mid-importance)
This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as C-Class on the project's quality scale.
This article has been rated as Mid-importance on the project's importance scale.
This article is supported by WikiProject Computer Security (marked as Top-importance).
WikiProject Cryptography / Computer science  (Rated C-class, Top-importance)
This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as C-Class on the quality scale.
This article has been rated as Top-importance on the importance scale.
This article is supported by WikiProject Computer science (marked as Top-importance).

Cypherpunk mention?

I wonder if a mention of cypherpunk would be appropriate. ex.#'_x,01>U+6 — Preceding unsigned comment added by (talk) 15:14, 9 May 2013 (UTC)

minus biometrics

I've removed some information about biometrics from the article as it wasn't really about passwords, I'll be moving it to a new article about user identification. --Imran 00:50, 10 Jan 2004 (UTC)

You are, strictly, correct. However, password is taken in practice by many of the (non security specialist) user community to be anything which is used as access control. Hence my comments. I was attempting to make the issue of adequacy of access controls explicit, and so to inform the reader on something that is almost always implicitly assumed to be sufficient. Security is an odd thing in that humans characteristically have considerable difficulty in even seeing it (a figure / ground problem I suspect) and when thinking about it, thinking clearly.
My comments were, thus, intended to inform where information was not even suspected to be needed. In a modest sense, of course!
Perhaps a revision of the articles in this area into something like 'access control' which is pointed at by password, biometrics, user identification, ... This would allow some discussion of meta issues not strictly belonging in any of the referencing articles. ??

randomly generated passwords not good

The article said it was "sensible" for the system to give the user a randomly generated password. Please don't write such things. Don't treat the users as pawns that exist to serve the computer system. It is the other way round. Sorry for venting. Been bitten by this attitude more than once in real life.

Anyway the above is just one example of the fact that this article has a non-obvious type of POV: a security-POV. It assumes that the computer security is the most important thing in the world and everything else is secondary. A perfect example is the last paragraph: If even the smallest possibility exists that the password has become known to anyone other than those to whom it 'belongs', it should be considered compromised, and immediately changed. This is obviously never the case in reality, for no-one can expend infinite amounts of resources in securing computers, and there's always a tradeoff between the level of security you get and users' productivity.

I'm starting to get the feeling that many other security articles also have this POV. It is no more acceptable than other types of POV, and needs to be fixed. -- Arvindn 03:54, 18 Apr 2004 (UTC)

Arvindn, If security is not the point of using passwords, why bother. If you bother to use them at all, then any chance of compromise ... Not clear this is POV at all for anyone using passwords.
As for the 'sensible' comment, you are not the only one to have been bitten by this. VMS (and other operating systems) had/has(?) an auto password generation option. Every single user I had hated it when we required them to use it after 'too many' passwords got loose. That should be read, by the way, as 'we learned of too many'. How many actually got loose was and remains unknown. It was experience speaking there. And the intent was to convey that '...from an ideal security perspective...' etc. Reword as desired to make this clear if the original intent is acceptable. I agree with the bold faced sentiment, and in the VMS experience noted here, was implementing policy from above.
I considered writing a paragraph or two on adequate alternatives to such passwords, but figured that I'd catch flak for being too long winded. Would you think such a para or two would be appropriate?
ww 17:43, 18 Apr 2004 (UTC)

UID assigned from username/password combo

IIRC, user rights are determined per UID, and UID is given from a unique username/password combo. On the first UNIX systems (and on some current ones), you may very well have (hopefully) different passwords for the same username, resulting in multiple UIDs.

"Writing down passwords" suggestion

I removed the following text:

A possible way by which one could get away with having one's password written down would be to have it written in a place in a list of false passwords. If one uses a weak password, the list should be full of false weak passwords. If one uses a strong password, false strong passwords should be used. Thus, instead of having to recall a seemingly random alphanumeric string, one needs only remember what login goes with which password. Numbering the list can help with that. However, this measure should be taken if there is no other way for the user to remember his or her password.

I don't think this is good advice. If you have a list of passwords and non-passwords, you are dramatically reducing the number of passwords that need to be checked. "Never write down a password" is better and more straightforward advice. --Huppybanny 21:54, Aug 16, 2004 (UTC)

I agree with this removal (in fact, I'd planned to do it myself when I came in today...); has any security expert endorsed this idea? — Matt 23:41, 16 Aug 2004 (UTC)
I agree having a list of false passwords does not provide good cover and is not significantly more secure than having the password written down. However, "Never write down a password" is not strictly correct. It depends on your threat model. Peter 03:38, 18 Aug 2004 (UTC)
Indeed; writing down your password can provide better security in many situations. Schneier: "You can't memorize good enough passwords any more, so don't bother. Create long random passwords, and write them down. Store them in your wallet, or in a program like Password Safe. Guard them as you would your cash." (emph mine) [1] — Matt 02:29, 19 Aug 2004 (UTC)
Matt, Much as I admire Schneier, I think he's wrong on this. Password Safe (his freeware password database program) is probably very good and all, and 'long random passwords' are certainly good in many respects, but anything which lets the user shuffle off his responsibilities to safeguard these little chunks of key data to something or someone else is wrong psychologically. Even if PSafe were to be perfect, it would still be bad advice. We h sap don't do this sort of stuff very well, and apparently need have our noses rubbed in it more or less continuously to do even as well as we can. Peter's observation above about dependence on your threat model is quite relevant. Missing in Schneier's comment, and exceptionally hard to sensibly apply, but quite relevant. ww 16:34, 20 Aug 2004 (UTC)
Well, it does depend on the threat model. We're happy to carry around keys to things like cars and houses on our person; this is considered an acceptable risk, even though there's a chance the keys could be stolen. In many cases passwords protect less valuable information (think Hotmail). For these cases, why is it a horrendous security failing to write down a password and keep it in your wallet? There's a compelling argument to use an unguessable password stored in your wallet rather than memorise a guessable password. Regardless, getting back to the article, we clearly need to modify statements such as "most observers regard written down passwords as necessarily insecure". — Matt 07:13, 21 Aug 2004 (UTC)


Perhaps we should mention diceware?

This is the best system for producing a strong password:

  • Diceware can provide very strong passwords.
  • The password/passphrase is fairly easy to remember.
  • The password/passphrase is truly random.
  • It is possible to quantize the strength associated with a diceware password.

The only drawback of diceware is that the passwords are quite long. They take longer to type. So it works best for high-security situations (such as protecting a private PGP key).

This is my first time contributing to Wikipedia. I want to make sure I don't step on anyone's toes. Would it be alright if I add a Wiki page about diceware and then add a section to the Password page about diceware?

Go for it, your contribution would be very welcome! I'd encourage you to try and write in a neutral fashion about Diceware (even though it's great) — try and avoid advocacy, if you can. If you need any help on formatting / other queries, I'd be glad to help. — Matt 02:19, 19 Aug 2004 (UTC)
Dcarrera, Always glad to see bravery in those new to WP! I second Matt's comment (Go for it!), and agree with his observation about P(oint)O(f)V(iew). An example of such is "This is the best system for producing a strong password:". A point which would be hard to defend against a claim of POV. Some attention might also be paid to the "...password is truly random." observation. This is a veritable tarpit of confusion, trapping many insufficiently suspicious folk, probably because of the many oh so tempting! (but wrong) ways of thinking about random and randomness.
But on the question of password choice, usability is relevant in real world situations (see Arvindn's comment above), and must be considered lest users rise up and lynch the system admins for making their lives secure, but hell on earth otherwise. When people are involved, sensible security design becomes something of a black art and requires the patience of Job, the knowledge/perspective of a Turing, the ruthlessness of a Bismarck, and the luck of the Irish. Since these are seldom available simultaneously, security design in the real world becomes the art of the possible. An infuriating situation for those who like clarity, logic, and finality. Much like herding cats, really.
Don't worry over much about stepping on toes. By getting involved here, you agree not to object, and so did everyone else. It's good for egos which need a little reshaping. Nonetheless, it's an interesting place, and I applaud your concern for others. It's a trait WP needs more of, albeit while being BOLD in editing. If you're interested in security and crypto (not quite the same things, mostly) you might wish to check in at Wikipedia:WikiProject Cryptography to see how things are (somewhat) organized in the WP crypto corner. ww 16:29, 20 Aug 2004 (UTC)

Randomness a good thing?

Ignoring for the moment, the problem of computer generated random numbers, is total randomness in a password inherently good? Here's my thought. If a password is used that is highly random in nature, a file search for entropy would detect it if in a file. Also, the more random the password is, the less chance of remembering that password. From an admin standpoint, is it better to reset passwords when forgotten, or to have fewer helpdesk tickets?

One thing I have done is tried to teach how to come up with strong passwords, that meet arbitrary password criteria/limits/etc, that CAN be remembered. There are very few resources online that help typical users come up with passwords. The article does so, but only one such technique.

First time on WP. :) Hope it works.

Regarding storage of random passwords, you could store the password information in a very redundant form if you were worried about an attacker searching for it specifically. In actual systems, passwords are normally stored hashed anyway, so if you've chosen a sufficiently strong password it's unlikely to be recovered by an attacker if the password file is compromised. — Matt Crypto 13:20, 10 November 2005 (UTC)

Writing down password - security flaw or not?

It appears that Microsoft's Jesper Johanssen thinks that users should write down passwords. See [2]. Perhaps we should note this? - Ta bu shi da yu 07:24, 9 Jun 2005 (UTC)

We already do. See "Likelihood that a password can be remembered." Wikipedia had this advice before Mr. Johanssen's remarks. --agr 10:43, 9 Jun 2005 (UTC)

== Reset password ==180389

Reset password180389

Giving out default password lists

In the main article, 2 links to webpages that list default passwords are given, is this not dangerous to put this out into the public arena, may some doofus kiddy pick it up and try and use it to hack into cpanels, wireless networks etc.

It's not clear that such links are very encyclopedic, and might be deletable from WP on those grounds alone. However, the underlying problem noted here both is, and isn't, serious. Default passwords will be required in any software distributed in large numbers as customization at the vendor will be uneconomic for them. Given this, there is, first, that any sysadmin who leaves any default passwords active on a system is foolish, perhaps even incompetent, and probably overworked. They're an open door for those inclined to mischief or worse. Second, since more than a few sysadmins don't actually change some or all default passwords, since vendors don't always make finding them even remotely straightforward, and since ..., the possibility of a doofus script kiddy picking up such a list does pose some potential problems. Unfortunately such problems shouldn't exist (sysadmins should do their jobs) and can't be prevented by keeping widely spread information from the doofuses of the world (malicious or otherwise).
There is some controversy about whether security goofs (as such lists might be regarded) should be publicized or not. Advocates suggest that it encourages vendors to fix problems. Opponents (including many vendors) disagree, thinking something like Security through obscurity, and they have gotten some statutory support (eg, in the US, the DMCA) for their position. Even some security organizations (eg, CERT) have taken the position that reported security flaws should not be added to publicly available lists until the vendor has addressed them.
No easy answer, in practice. ww 06:23, 16 October 2005 (UTC)

Please clarify recent edit

"A sufficiently long password, and a sufficiently good hash algorithm have made this a reasonable strategy in many cases as the work factor imposed on such an attacker can be made impossible in practice." Not sure what is meant.--agr 01:39, 25 May 2006 (UTC)

AR, Was attempting to revise/rescue previous edit. Took its meaning to be an attempt at an historical comment on previous techniques of protecting passwords (a la early *nixen prior to shadow password file technique). Not satisfactory, I agree. Can you suggest something better that preserves what was (perhaps?) meant by prior edit? ww 03:41, 25 May 2006 (UTC)

External links section

I think the external link section is getting out of hand. There are a large number of links to password generation programs, many of questionable technical merit. We have a separate page on random password generation, so maybe we should remove password generation links from this article. --agr 20:26, 9 June 2006 (UTC)

I removed the "One Thousand Passwords" link @ <> - users who access this article may be falsely led to believe that these passwords provide excellent security. If they weren't permanently posted on a website, they would provide decent security; unfortunately, they *are* permanently posted on the website and are *not* re-generated for each person who hits the page. There are enough password generators out there so that if someone really wants a unique password, they can get one created exclusively for them. Sarah 19:22, 27 July 2006 (UTC)

I agree, in fact some links are just spam and must be deleted. 20:17, 25 January 2007 (UTC)

Python / obfuscation

For additional security, many of the larger websites like Yahoo and Google utilize a language called Python in controlling and maintaining secrecy of the pages they dynamically serve to the browser by completely obfuscating any reference to file names in the URL that appears in the address window of the browser.

This idea is surely not restricted to Python. Also, what exactly is this alleged obfuscation, anyway? - furrykef (Talk at me) 06:22, 8 July 2006 (UTC)

I concur with this comment. If this can't be filled in, we should remove it. ww 15:54, 8 July 2006 (UTC)
This section doesn't make much sense to me. Have tagged it in need of attention Tjwood 14:01, 2 April 2007 (UTC)
It makes no sense, is off-topic, uncited and seems to be nonsense anyway. I've removed it. TGoddard (talk) 10:45, 26 January 2008 (UTC)

What does it mean to "know" a password?

What does it really mean to say that "those wishing to gain access are tested on whether or not they know the password"? For the purposes of my argument, a PIN is easier: I happen to know every number between 0000 and 9999. That is, I know every four digit PIN. Does an automatic teller machine really want to test whether I "know the PIN"?

So, strictly speaking, it's more a question of whether the person can supply the correct password (within various constraints such as the number of attempts in a certain time period). Or perhaps it's whether I "know" the relationship between the particular system I'm trying to access and the particular password.

Of course, this is subtle, and some (especially those not involved in epistemic logic) might think it's too pedantic to worry about. Does anyone think it's worth making the point on the article page? Maybe someone could suggest a page that would be more appropriate for such a point.

John Y 07:43, 6 August 2006 (UTC)
I think you are correct that "knowing a password" is an assertion that string a is a valid password for system A and one can only claim that without knowledge of the password the probability of successful access within some time or number of tries window can be made arbitrarily small but not zero. There is always the possibility of a successful guess. --agr 14:01, 9 August 2006 (UTC)
Knowing a password is usually not enough: one has to know the password. A pedantic explanation would explain that even though you may already know every number between 0000 and 9999, you do not know which one is the PIN in question. I don't think it is necessary to explain the meaning of the, at least not in this article. DRLB 18:37, 9 August 2006 (UTC)

Designing a personal user friendly password

I'm a little concerned about this. There are many good software applications which are capable of storing passwords securely (e.g. Password_Safe). Yet none are mentioned. Instead people are told to use common phrases which can easily be brute forced. Why is there no mention of incorporating symbols, ASCII characters? Would it not add merit to the article to explore writing a better password? RLaudanski 21:58, 26 August 2006 (UTC)


The article does not mention "password masking", that passwords usually are masked with a character such as ***** or ●●●●●, but when logging on at a Unix system, it doesn't output any masked characters.

Password masking is mentioned here. Tra (Talk) 16:49, 14 October 2006 (UTC)


It's interesting that there seems to be no history to passwords. What system was the first to use passwords? Who came up with the idea?

noktulo 14:31, 31 May 2007 (UTC)

Your wish is our command. I've added a history section.--agr 15:32, 31 May 2007 (UTC)
Nicely written. I feel it belongs closer to the start of the article -- probably directly following the summary in fact. As it is, it reads like an afterthought.--Rfsmit (talk) 23:05, 3 March 2009 (UTC)

Merger: Graphical passwords

The notability of Graphical passwords has been questioned. It might be best to merge the content here (it's in fact only a few lines). If you agree, just go ahead and merge the articles.

Proposed as part of the Notability wikiproject. --B. Wolterding 17:11, 31 May 2007 (UTC)


Does anyone know of research about whether case-sensitivity policies make passwords more secure? My guess is that it is mostly an annoyance for users (capslock problems). The search space (for brute force hacking) does not grow very much, especially since users do not tend to write pASSwOrDS but, if they have to use both capitals and non-capitals: Password or passworD; in effect only doubling the search space. Even if they did use completely random casing, the extra information for a 7-letter password would be around 1 extra character. A policy stating that the password must be 8 instead of 7 characters would have the same effect, but lacks the disadvantages of numerous helpdesk calls involving the capslock key. Joepnl (talk) 20:47, 26 November 2007 (UTC)

"Password or passworD; in effect only doubling the search space." The amount of possible variation (entropy) of such a password is a function of its length:

For lower-case characters only, that's a set of 26 characters:
1 character password = 26 possibilities (26^1)
2 character password = 676 possibilities (26^2)
3 character password = 17,576 possibilities (26^3)
4 character password = 456,976 possibilities (26^4)
5 character password = 11,881,376 (26^5)

If you use upper and lower-case characters, that's a set of 52 characters:
1 char = 52 (52^1)
2 char = 2,704 (52^2)
3 char = 140,608 (52^3)
4 char = 7,311,616 (52^4)
5 char = 380,204,032 (52^5)

So if you only use the 26 English letters, using mixed case gives you:
1 char... twice the security
2 char... 4 times the security
3 char... 8 times the security
4 char... 16 times...
5 char... 32 times...

Using an English (or other language) word in this calculation ruins everything, because English (or other language) has so many patterns (Q is almost always followed by U, etc.). Many programs are available that cycle through a dictionary, trying each word with variations in capitalization, rotation, etc.

Hope that helps.
--GlenPeterson (talk) 17:01, 19 January 2008 (UTC)

I think you are missing the questioner's point. Most users only capitalize one or two letters, which adds little security, and for short passwords, even random capitalization only adds about as much as just adding one more letter. It gets even worse if you consider security per keystroke, see [3]. I believe users often pick weak passwords because they fear forgetting them and forcing them to use mixed capitalization only adds to that fear. --agr (talk) 00:25, 20 January 2008 (UTC)
Thank you for expressing exactly what I mean. I'm not a native English speaker so my apologies to Glen for not making my point clear. I hadn't even thought about the number of keystrokes, but that is definitely another argument for banning case-sensitive passwords altogether. I think the pro/contra argument about case sensitivity should be in the article because it is a quite basic thing about passwords. My POV is obviously that they shouldn't be case sensitive, but since every security system I know except for the ones I made myself are case sensitive there must be an NPOV way of describing the issue. Pro being the math Glen did, contra being the "real people don't do those things" argument. Joepnl (talk) 04:35, 24 January 2008 (UTC)
In case anyone missed it, Munroe says I'm right so that settles it. Joepnl (talk) 20:28, 28 December 2013 (UTC)

-- (talk) 17:04, 11 October 2012 (UTC)
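
The counting argued over in this thread, as an added example that is not part of the original discussion: it computes the search space, the entropy in bits, and the equivalent number of extra lowercase letters for several capitalisation habits, and cross-checks the counts by enumeration. The policy names are labels made up for this illustration, and it assumes uniformly random letters from the 26-letter alphabet used in the thread.

```python
import math
from itertools import product

ALPHABET = 26  # assumption taken from the thread: the 26 English letters

# Hypothetical policy labels, invented for this illustration.
POLICIES = ("lower_only", "first_or_last", "one_capital_anywhere", "random_case")


def case_patterns(length, policy):
    """Capitalisation patterns a guesser must try for each lowercase string."""
    if policy == "lower_only":
        return 1
    if policy == "first_or_last":          # "Password or passworD"
        return 2 if length > 1 else 1
    if policy == "one_capital_anywhere":   # exactly one capital, any position
        return length
    if policy == "random_case":            # each letter independently upper/lower
        return 2 ** length
    raise ValueError(f"unknown policy: {policy}")


def search_space(length, policy):
    """Total candidates: every lowercase string times its case patterns."""
    return ALPHABET ** length * case_patterns(length, policy)


def entropy_bits(length, policy):
    """log2 of the search space, i.e. bits if the choice is uniform."""
    return math.log2(search_space(length, policy))


def equivalent_extra_letters(length, policy):
    """Extra lowercase letters that would enlarge the space by the same factor."""
    return math.log(case_patterns(length, policy), ALPHABET)


def enumerate_variants(word, policy):
    """Brute-force cross-check: list the case variants of one word under a policy."""
    case_patterns(len(word), policy)       # rejects unknown policy names
    word = word.lower()
    last = len(word) - 1
    variants = set()
    for mask in product((False, True), repeat=len(word)):
        caps = [i for i, upper in enumerate(mask) if upper]
        if policy == "lower_only" and caps:
            continue
        if policy == "first_or_last" and (len(caps) != 1 or caps[0] not in (0, last)):
            continue
        if policy == "one_capital_anywhere" and len(caps) != 1:
            continue
        variants.add("".join(c.upper() if up else c for c, up in zip(word, mask)))
    return variants


def compare(length):
    """One row per policy: (policy, candidates, bits, equivalent extra letters)."""
    return [
        (p, search_space(length, p), round(entropy_bits(length, p), 2),
         round(equivalent_extra_letters(length, p), 2))
        for p in POLICIES
    ]


if __name__ == "__main__":
    for policy, space, bits, extra in compare(7):
        print(f"7 letters, {policy:<21} {space:>16,}  {bits:5.2f} bits  "
              f"= +{extra:.2f} lowercase letters")
    print(f"8 letters, lower_only            {search_space(8, 'lower_only'):>16,}  "
          f"{entropy_bits(8, 'lower_only'):5.2f} bits")
```
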

Lead sentence

It appears that the lead sentence, which defines the word, uses the word itself:

A password is a form of secret password authentication data that is used to control access to a resource.

This should be fixed, but I'm out of ideas at the moment. -- Ynhockey (Talk) 21:35, 15 May 2008 (UTC)

Forgotten password

I'm aware this is going to sound like the most stupid newbie question ever, but Wikipedia seems to have no obvious way of saying 'I am stupid enough to have forgotten my password'. Where does one do this, and how does one reset it? —Preceding unsigned comment added by (talk) 21:21, 9 April 2009 (UTC)

If you are asking about how to reset one's Wikipedia password, I agree it's not the easiest thing to find. On the left sidebar on every page of Wikipedia, under the "Interaction" section, the "Help" link takes you to a page that has a link to the "frequently asked questions" page, which mentions the Help:Logging in page, which has a "What if I forget the password?" section. Perhaps you may find the tips there useful. One of those tips describes a self-service password reset system at Wikipedia more-or-less the same as ones used by other systems. Good luck. --DavidCary (talk) 07:18, 6 July 2013 (UTC)

"Hacker" usage

The use of the word "hacker" with no explanation seems like it would be better replaced with "people/persons attempting to discover/guess the password." Hacker implies several different ideas including key logger users, or accessing the password from the disk of the computer by "hacking." --Iamjp180 (talk) 17:35, 2 July 2010 (UTC)

Agreed. I have changed "hacker" to "attacker", although note the first instance still links to Hacker (computer security), which I think is reasonable in the context. Mitch Ames (talk) 02:49, 3 July 2010 (UTC)

2D Key run-on sentence

This sentence is too long, has grammar issues, and needs some reworking:

"2D Key (2-Dimensional Key)[29] is a 2D matrix-like key input method having the key styles of multiline passphrase, crossword, ASCII/Unicode art, with optional textual semantic noises, to create big password/key beyond 128 bits to realize the MePKC (Memorizable Public-Key Cryptography)[30] using fully memorizable private key upon the current private key management technologies like encrypted private key, split private key, and roaming private key."

Unfortunately I don't know what they're talking about so I can't help. Unjedai (talk) 20:18, 29 September 2010 (UTC)

employee —Preceding unsigned comment added by (talk) 15:56, 25 February 2011 (UTC)

potential resource

Logging In With a Touch or a Phrase (Anything but a Password) by Somini Sengupta published New York Times December 23, 2011 (page A1 and B6 in print) (talk) 06:23, 29 December 2011 (UTC)

More citations?

Is this page really still in need of more citations? Reading through the article and seeing the list of references I'd say this article uses more than enough sources. I've not checked the validity of the sources themselves at this point, but don't see major concerns raised by others. Perhaps the tag at the top of the page could be removed? Apologies if this is not the right way to bring this up, I'm fairly new to Wikipedia. Mythio (talk) 17:50, 27 February 2012 (UTC)

You're quite right, Mythio. That tag was placed almost 4 years ago and the history shows that a lot of work has gone into this article since. As you said, there are plenty of references, which is all the reason you need to remove the tag. In future may I suggest that you be bold and do whatever you feel is right. You won't break anything! (And bad edits can easily be reverted.) Kind regards, nagualdesign (talk) 19:12, 27 February 2012 (UTC)

Willy Wonka

I'm pretty frustrated that a couple users won't allow my Willy Wonka trivia piece of information to stand on the password page. Quick google search confirms that it was a real piece of information. I explained to them why it was notable - fun and creative piece of information to add. Techno-fascists taking over Wikipedia, making it bland. I guess that's to be expected from a TOTALLY open source encyclopedia. — Preceding unsigned comment added by (talk) 14:34, 29 April 2012 (UTC)

I noticed that it was added/removed once. If you try adding something a second time without discussing it first you will generally meet with opposition (this applies to the whole of WP) because not only will the reason for removal have not changed, but your apparent lack of willingness to engage in open discussion will be evident. At least you've said something now, if a little belatedly (ie, post frustration). You say you've explained why it was notable but there's no evidence of that here, or in the summaries of the article history page, so I'm not sure how you expect to get assistance from the wider community. And name calling and casting aspersions will get you nowhere. Show a little maturity and treat others with a little respect, even when they disagree with you, and you'll get much further (in Wikipedia and in life!) I only say this to help you, not to be combative, so please don't have a go at me! ;-)
Now, I'd personally say that the Willy Wonka thing isn't really notable enough for an article about passwords. Like you said yourself, it's trivia. So what makes you think otherwise? (Discuss) nagualdesign (talk) 17:52, 29 April 2012 (UTC)
...Ah, now I notice your second attempt at including this piece of trivia, and the subsequent edits by Jasper Deng. My guess would be that it was Twinkle which flagged your edit as vandalism, probably because it was badly formatted and included a 'raw' link to another site. Then he noticed that it was a good faith edit and did you the service of undoing the Twinkle edit, but ultimately removed your contribution anyway because it was not notable. That about right? In which case I'd say you were treated respectfully. Perhaps you should have recognized that. Regards, nagualdesign (talk) 18:09, 29 April 2012 (UTC)

Some missing common info on passwords???

I don't know precisely how widely this is known, but, theoretically speaking, I believe it's a common fact that many individuals choose their passwords (such as e-mail or a personal site) by having it be the name of something or someone with deep, personal value to them, thus making their password easy to remember. (i.e. the name of a deceased loved one, a favorite cartoon character, a favorite place, or a favorite article of clothing). Therefore, I think there should be a section that addresses this.

Throughout my life, I've learned from MANY password users that they customize their passwords based on something of great significance to them, personally. The logic behind this approach is that strangers would not be able to guess someone's password unless they knew that person very intimately, and could clearly observe where their tendencies point to. The downside to this, of course, is that if a close companion, or a family member tried to access that person's personal information, they would have a very good idea at what kind of emotional canvas they are dealing with. (For example: If you have a devoted fan of 'Dora the Explorer' in your household, the chances of that person having a password like 'Swiper22', or 'Isa74', would be rather high. [Those were purely examples I made up. I don't actually know a password with those names. If they've actually been used, it's purely a coincidence.])

Case in point: In the book "Star Wars: Jedi Apprentice #2 The Dark Rival", Qui-Gon Jinn enters a security center of Offworld Corporation, on the planet Bandomeer. He comes to a computer searching for security files protected by his former apprentice, Xanatos. Suddenly, there reaches a point where a soft computer voice asks for a password, but at the same time, a red, pulsating light illuminates the room, complete with a terrifying faint, steady beep, and Qui-Gon is able to figure out that he has only one chance to get the password right. He enters the name of Xanatos' father, Crion, whom he was forced to kill, at the expense of his padawan's loyalty. The only way he knows this is because Qui-Gon knows how Xanatos thinks, and furthermore, the way Xanatos could, in a manner of speaking, keep his beloved father alive and at the forefront of his and Qui-Gon's mind is by making the typing of his name mandatory in order to proceed onto other business affairs.

Again, this principle I discussed doesn't have to be the case ALL the time, but I know it to be very typical: Know the person, know the password. — Preceding unsigned comment added by (talk) 04:50, 15 July 2013 (UTC)

Password being not a computer concept

I don't know why, but this whole Wikipedia article is only about passwords used with computers (in the broad sense of the word "computers"). But passwords pre-date computers by thousands of years, ever since humanity exists. Why is there no word of spoken, graphical, other varieties of all the passwords widely used all the way until modern ages? Nick

Presumably because the utility of passwords has massively increased since the advent of computers and the need for computer security. Feel free to contribute by adding a history of pre-computer passwords, so long as it cites reliable sources. If you have any suggestions for reliable sources but don't feel like writing the text, you can also leave the citations here and they may be useful to someone who comes around to fix this article eventually. 0x0077BE (talk · contrib) 15:58, 10 December 2014 (UTC)
Thanks for the invitation, unfortunately I don't have any particular ideas or citations. It just struck my mind how such a wide concept was narrowed down to computing only, and no historical section (even a stub). As if the article was written by XXI century people exclusively :) Actually it wouldn't be truly a history section, because even nowadays people use passwords in non-computing environments. Anyway, let this section be a call for future endeavours in this direction. Nick

Merge Passphrase with Password, then redirect Passphrase to Password

The majority of the text in Passphrase exists in the Password article. The only thing needed is to state in the Password article that a Passphrase is the same as a very long password but that it usually refers to passwords that consist of multiple words, like a sentence. Rescator (talk) 07:13, 25 December 2014 (UTC)

Merge discussion is now ongoing at Rescator (talk) 18:56, 25 December 2014 (UTC)

Removed several paragraphs

I've removed several paragraphs/sentences from the 'number of users per password' section because they were both inaccurate and not about password management but identity management. I'd rather even nuke the whole section since what's left is mostly 'citation needed'.

I've also deleted a paragraph from the 'password longevity' section, because it was unsourced misadvice misrepresenting the problem password ageing is supposed to address (as also noted by the already linked Schneier source!)

--TheGuyOfDoom (talk) 19:06, 26 September 2015 (UTC)

External links modified

Hello fellow Wikipedians,

I have just added archive links to one external link on Password. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

You may set the |checked=, on this template, to true or failed to let other editors know you reviewed the change. If you find any errors, please use the tools below to fix them or call an editor by setting |needhelp= to your help request.

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

If you are unable to use these tools, you may set |needhelp=<your help request> on this template to request help from an experienced user. Please include details about your problem, to help other editors.

Cheers. —cyberbot II (Talk to my owner: Online) 21:17, 5 February 2016 (UTC)