
World Password Day – the 1960s just called and gave you your passwords back

Yes, passwords are going away. No, it won't happen tomorrow. So it's still worth knowing the basics of picking proper passwords.

Back in the late 1960s and the start of the 1970s (or so we’ve heard), primary school children in the UK got a special treat.

Unlike their parents and grandparents before them, they were exempted from learning how to do calculations involving money.

Their teachers were no longer expected to show them how to do the confusing and needlessly complex sums required when working with the UK’s “old money”, even though it was still the official currency.

Widely referred to as LSD, short for the old Latin words librum, solidus and denarius, the units of Pounds, Shillings and Pence (itself an archaic alternative form of the word pennies) made up the strange monetary system of the day.

There were twelve pence in a shilling, and 20 shillings in a pound, so even simple shopping tasks in Britain used to require familiarity with decimal, duodecimal and vigesimal numbers, or base 10, base 12 and base 20 respectively.

Also, the coins not only had a mishmash of historical names, including florins, half-crowns and thr’p’ny bits, but also a curious array of values: 0.5d, 1d, 3d, 6d, 1 shilling, 2 shillings, 2.5 shillings and 5 shillings.

The reason for this late 1960s pedagogical exemption from learning about LSD was obvious: the “old money” was scheduled for blanket replacement in 1971.

A much simpler decimal currency of 100 pence to the pound was on the way, with a more predictable progression of coins going 0.5p, 1p, 2p, 5p, 10p, 50p. (For some reason, the 20p coin was omitted at first and didn’t come out for a further 11 years; the minuscule 0.5p coin vanished forever in 1984.)

Why bother?

Why bother learning the intricacies of a counting system that had next to no life left in it, and that would ultimately not be missed for a moment even by people who thought it would be a wrench to leave behind?

Well, that’s where some people seem to think we are with passwords right now.

No one likes passwords; everyone is gasping to leave them behind; and the technology marketplace is promising a perfectly passwordless future any time now.

So why bother with World Password Day when we’re soon going to have a great big World Password Bonfire…

… and replace passwords with something else that’s easier and better?

Real soon now

In fairness, it’s OK to assume that passwords are ultimately going to be replaced, but only if you also remember to ask the important question, “When?”

We suspect, though we’d love to be wrong, that we’ll take delivery of our Permanent Password Replacement Device at the same time that we get the personal jetpacks, the flying cars and the self-ironing shirts that everyone was promised back in the day…

…way back in the day, in fact, when that previous generation in Britain was being promised “new money”.

Britons, of course, did get their decimal currency as planned, but the other technological marvels that were “expected soon” have turned out to be “a few years away yet” ever since.

And that’s why we still support the idea of World Password Day here on Naked Security, because our passwordless future is still largely in the future.

We think that we’re likely to be stuck with passwords on at least some of our accounts, if not most of them, for several years yet.

So we might as well do the best job we can with the “old money” password technology that we still rely upon today.

The problem with passwords

The problem with passwords is that if they’re hard for criminals to guess, they’re also hard for you to remember.

So, if you’ve fallen into the bad habit of choosing easy passwords, or if you repeat the same password over and over again, switch to using a password manager instead.

Password managers can make up weird and complex passwords automatically, mixing up All S0rts! OF Ch*r@cters, and can remember those passwords securely so you don’t have to.

Also, password managers don’t remember websites by what they look like (something criminals can easily copy), but by matching the exact website name.

Fake web pages, known as “phishing sites” because they try to reel you in like an angler and capture your password, won’t fool your password manager, even if the crooks come up with a website that looks very similar to the real thing.

https://nakedsecurity.sophos.com/2021/10/11/becybersmart-2021-week2/

You might be tricked by a website name containing the digit one (1) instead of the letter I, or the digit four (4) instead of A, but a password manager won’t, so you’re much less likely to put your real password into a fake website by mistake.
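The exact-name matching described above, as an added example that is not part of the original article: a minimal autofill check (the VAULT contents and function names are constructed here, not taken from any real password manager) that hands out credentials only when the page’s HTTPS host matches the saved entry exactly, so a look-alike name with a digit swapped in, a Unicode homoglyph, or the real name buried inside a longer host gets nothing.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault (not real credentials): entries are keyed by the
# exact host they were saved on, not by what the page looked like.
VAULT = {
    "example.com": ("alice", "correct horse battery staple"),
    "login.example.org": ("alice", "Tr0ub4dor&3-but-much-longer"),
}


def normalize_host(url: str) -> Optional[str]:
    """Reduce a URL to the host a vault entry may be matched against.

    Returns None for anything a manager should refuse to fill: non-HTTPS
    pages, URLs with no host, or hosts that cannot be IDNA-encoded.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        # IDNA-encode so a look-alike Unicode name becomes an xn-- label,
        # which cannot collide with the ASCII name stored in the vault.
        host = parts.hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host.lower().rstrip(".")


def autofill(url: str) -> Optional[Tuple[str, str]]:
    """Return the saved (user, password) only for an exact host match."""
    host = normalize_host(url)
    if host is None:
        return None
    return VAULT.get(host)
```

Real managers usually widen the rule to the registrable domain (so www.example.com would also match example.com); the exact-host rule here is the strictest form of the same idea.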

Of course, you will need a really strong password for the password manager itself, but you can use a series of words or a passphrase instead of just a single word, as explained in our popular How To Pick A Proper Password video:

If in doubt

As we said above, even though lots of companies claim to be working on technologies to replace passwords completely, we think that passwords will be an unavoidable and necessary part of our everyday digital life for many years yet.

So it’s still worth learning how to pick proper passwords, and how to avoid getting tricked by bogus phishing messages that lure you onto fake login sites to steal your login details.

Remember, not just on World Password Day, but every day: If in doubt, don’t give it out!


15 Comments

I don’t want to be told by a site that I can’t use a password because they don’t think it is strong enough. I don’t want to be told that I need to change my password because I have had it for a year. I don’t want to be told that I can’t use a password because I’ve used it before! I don’t want to be told my password has to have 12 digits of which 1 must be a letter, 1 must be a number & one another kind of symbol. IT’S MY PASSWORD. Let me use what I want!!!
You’ve guessed it. I don’t like being told what password I need to use, especially when it is just to access a site to read without it having any possible financial data in it. And don’t even get me started on cookies. Suffice to say, that every site that uses cookies should have 1 button to reject them all in the same way as they have 1 button to accept them all. As for legitimate interest….I will decide that, thank you very much.

Reply

What really gets my goat is when you take 16 random bytes from /dev/urandom, convert to hex, paste into password field and get told “too weak” because it’s digits and lower case only. Then you put in Pa55word! (thus getting at least one each of upper, lower, digit and wacky) and are mendaciously informed it’s “strong”.

(Also a bad thing: “password cannot be longer than X characters”. Sure, if X were 128 or even 64 I would accept it as a limit, but why 12 or 16 or even 20? And worst of all is when you put in X characters and later accidentally put in X-1 by forgetting the last character and the password works anyway, because they invisibly “edited down” what you typed in.)

Cookies are a story for another day (as you see, I didn’t even wander into 2FA today) because it is *password* day)…

…but I agree.

“Accept all” and “Use only necessary” (for strict understandings of necessary, e.g. for remembering you prefer large text or dark mode) are fine. But “Accept all” and “Enter 20-minute Crystal Maze-type challenge questionnaire to negotiate custom cookie settings that is so annoying you will back out and choose Accept all anyway“ most certainly is not!

Reply

I use a banking system at work that has a max password length of 14. Fourteen! It’s so ludicrous. Sometimes, I want to cry at the password decisions made by sites.

Reply

When there are weird and inexplicable limits like that (why 14 exactly?), I always find myself wondering, “What other weirdnesses are going on back there? Is this to coerce the password into a format so that it can be supplied to some legacy backend system built to 1980s-era cryptographic strengths?”

And then I start to wonder what other pruning-and-tuning they might do on the password I actually entered. Do they make all characters upper case? Are there some punctuation characters that the old mainframe code doesn’t like that get quietly discarded?

If they can’t handle more than 14 bytes of password data, how much salting, hashing and stretching is going on with the data you enter?

(If you use, say, PBKDF-2 with a 128-bit salt, HMAC-SHA-256 and 100,000 iterations, you need, what, 16 bytes for the salt, 32 bytes for the hash, and 4 bytes for the iteration count. So every password produces the same amount of password database data, even if the password is 72 characters long… and the amount of data is going to be way more than 14 bytes in total anyway.)

I’ve heard (but not independently verified) that at least some companies that force you to have passwords “more complex than X but less complex than Y” do so in order that they are at least doing *something* to stop you having a password of CAT, yet also reducing the chance that you will type it in wrongly later on and then need to bug their customer service for a password reset.

(They’re not worried that it might take a lot of your time to go through the process, but that it might cost them something in call centre fees to help you out. Of course, you could just go into your local branch office of the company concerned, in person, with formal ID… Hmmm. I didn’t think that through, did I?)

In short, I agree with you. I have never understood how artificial and restrictive rules on password construction can be said to “improve” randomness and boost entropy. That smacks of the false argument that encryption will keep us all much safer if we deliberately weaken it on purpose so the {government, intelligence service, law enforcement, judiciary, cybercriminal who knows the “secret” backdoor} can crack it when needed.

There *are* places where carefully planned weaknesses serve a legitimate purpose, such as crumple zones in automobiles, those one-time-only squishable polystyrene liners inside bike and motorcycle helmets, or fire doors that fail into the “unlocked and open” position in an emergency. But cryptography, including the science of passwords, doesn’t strike me as a field where purposeful weaknesses are ever anything but a weakness.

Reply
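The storage arithmetic in the comment above, and the silent truncation complained about earlier in the thread, as an added example that is not part of the original page: a PBKDF2-HMAC-SHA256 record with a 16-byte salt and 100,000 iterations comes to 16 + 4 + 32 = 52 bytes whatever the password length, and every character of the password changes the result, so there is no storage reason for a 14-character cap. Function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

SALT_LEN = 16         # 128-bit salt
HASH_LEN = 32         # HMAC-SHA-256 output length
ITER_LEN = 4          # iteration count stored as a big-endian uint32
ITERATIONS = 100_000  # work factor quoted in the comment above


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return the stored record: salt || iteration count || PBKDF2 output.

    The record is always SALT_LEN + ITER_LEN + HASH_LEN = 52 bytes, however
    long the password is, so storage never forces a length cap.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 16 bytes")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=HASH_LEN)
    return salt + struct.pack(">I", iterations) + derived


def verify_password(password, record):
    """Recompute PBKDF2 with the stored salt and iterations; compare in constant time."""
    if len(record) != SALT_LEN + ITER_LEN + HASH_LEN:
        return False
    salt = record[:SALT_LEN]
    (iterations,) = struct.unpack(">I", record[SALT_LEN:SALT_LEN + ITER_LEN])
    stored = record[SALT_LEN + ITER_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=HASH_LEN)
    return hmac.compare_digest(candidate, stored)


def record_size(password):
    """Number of bytes the database keeps for this password."""
    return len(hash_password(password))


if __name__ == "__main__":
    for pw in ("CAT", "x" * 14, "x" * 72):
        print(f"{len(pw):3d}-char password -> {record_size(pw)}-byte record")
```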

Farthings (equal to 1/4 old pence, so 960 to the pound) were taken out of legal tender on 1 January 1961. I was less than two years old at the time.

They were minted up to 1956.

Reply

I wanted to put farthings in but as you say they were long gone by the time of decimalisation. I’ve seen some (my Dad had some leftovers in a box in the shed) but can’t imagine what you would usefully have bought with one.

Going back further, there was a groat coin, which IIRC was 4d.

(I am not sure…could old sixpences be spent as 2.5p for a while after decimalisation?)

Reply

Sixpences were legal tender (at 2.5p) until 30 June 1980. They were minted until 1967 (with a few proof coins in 1970).
Also half-crowns (also minted until 1967 with a few proof coins in 1970), which would have been 12.5p if they had not been demonetised on 1 January 1970.
The decimal halfpenny (1/2 p) was introduced at decimalisation on 14 February 1971 and demonetised in December 1984. They were minted up to 1983 (with 1984 occurring in proof and uncirculated sets).

Reply

When South Africa decimalised from LSD, it took the same approach that Australia subsequently followed, which was possible because the whole idea was to create a *new* currency, with a new sense of national identity (Australia’s new money was originally the “Royal” until wiser, if more boring, minds decided just to go with “Dollar”.)

Basically, the pound was split in two, for the slightly more convenient conversion of 10 shillings –> 1 Rand, and for decades afterwards you would hear 50 cents referred to as “five bob”. Apparently, public telephones in those days used 3d coins, but they weren’t like the British 12-sided thr’pp’ny bit, they were the old “threepenny joeys”, known as “tickeys”. Decades later, when you needed at least 20c to use a payphone, people would still say, “Do you have some coins for the tickey box”, meaning that they needed to make a call. Apparently there was a short-lived 2.5 cent coin that filled the gap that the withdrawal of the tickey would otherwise have left.

In Oz, which ultimately decimalised a few years after ZA, there were several proposals over the years, including the South African “two-for-one” approach, with the handy trait of 10 shillings -> $1 or 100 cents; a one-for-one switch with $1 split into 10 florins (2 old shillings) and each florin split into 100 cents; a one-for-one switch like the UK ultimately used, with £1 -> $1 split into 100 cents; and the weird-but-not-crazy idea of making $1 equal to 8 shillings and fourpence (8×12+4 = 100), so that 1 old penny (1d) would equal 1 new cent, but with 100 cents to the dollar instead of 240d to £1.

The last system has the neat side effect that all old coins easily map onto new ones, so that instead of 3d –> 2.5 cents (2-for-1) or 3d –> 1.25 cents (1-for-1) you just have 3d –> 3c.

In the end, it was two-for-one. ZA, AU and NZ all did it the same way, in the 1960s. The UK couldn’t follow suit because the pound remained the pound: it wasn’t a new currency, just a new way of subdividing the same Pound Sterling unit. So one-for-one it was.

Reply

Can you please make a comment on how good the save password utilities are that come with browsers and Operating systems? I am thinking Apple’s Safari and Firefox in particular. The passwords are long and look as random as a monkey typing on a keyboard. Are they stored reasonably securely? I don’t use Microsoft very often having gravitated to Apple some years ago so I don’t even know if Edge generates random passwords.

Reply

Apple’s built-in cryptographic storage vault is called KeyChain. It’s had a few security scares in its time, but the operating system itself relies on it – including iOS, which Apple likes to keep totally locked down – so you can assume that Apple puts plenty of effort into maintaining its security!

Apple also allows you to synch your KeyChain data via its iCloud KeyChain service. As far as I know, it will generate new-and-funky passwords as needed (and it will do its best to prevent you having the same password twice by mistake). As far as I am aware, Apple’s server-side iCloud password storage only ever stores pre-encrypted data, so the company can’t peek at your passwords without your permission, and can’t (as in literally can’t, not merely won’t or doesn’t like to) hand over those passwords to law enforcement. In other words, the passwords are only ever decrypted on your device, using your master key, at the moment they’re needed.

I haven’t used any browser-based password storage systems myself, firstly because I have my own offline password vault, and secondly because they aren’t much use for anything except website passwords, so I’d need a second password vault anyway for all my other passwords, private keys, authentication tokens and so on.

If you are an Apple fan, and would prefer to use a password storage system built into the OSes or apps you already have, I suggest starting out by reading up on KeyChain and iCloud KeyChain. See if that will meet your needs and desires…

Reply

LEO actually dates right back to the 1950s, running its first business app, oops, program on 1951-11-29:

https://nakedsecurity.sophos.com/2011/11/30/leo-worlds-first-business-software-ran-60-years-ago-today/

Reply

I now use Bitwarden to generate my passwords or my preference Passphrases which it can generate with 3 words min separated by special characters and including caps and numbers. Personally I find Passphrases much easier to read and type over long complex passwords! Just my 2 cents

Reply
