26 replies to this topic

[justplainandy]

Right then. Following ANOTHER bloody password change (following battle.net getting hacked), I've decided that I really need to use unique passwords for EVERYTHING. I normally have 3 or 4 I use, and rotate them, but I happened to have the same login for Battle.net as Origin, so potentially compromised my Battlefield access. This can not be allowed to happen.

So what do people do? Subtle variations on a theme, or random 16 digit hexadecimal strings?

And more importantly, how do you remember them?

[ThorZ]

8 or more character password with Numbers and Symbols. usually somthing like this:

@f0rM3n1!0n

[cptwhite]

E-mail: thorz@gmail.com
PW: @f0rM3n1!0n

...got it...cheers

[Driver]

There's an xkcd for every occasion.

http://xkcd.com/936/

[Sobtanian]

Right then. Following ANOTHER bloody password change (following battle.net getting hacked), I've decided that I really need to use unique passwords for EVERYTHING. I normally have 3 or 4 I use, and rotate them, but I happened to have the same login for Battle.net as Origin, so potentially compromised my Battlefield access. This can not be allowed to happen.

So what do people do? Subtle variations on a theme, or random 16 digit hexadecimal strings?

And more importantly, how do you remember them?

I've been thinking more about doing this, cos I use more or less the same password for EVERYTHING (with an added digit or two).
I read a scary account recently on wired about a man who was the victim of very simple social engineering (they rang apple and got them to reset his password).
From there, he lost a ton of shit on various sites. http://www.wired.com...an-hacking/all/

So, I think I'm going to use a free password generator/reminder program, and it would seem keepass (http://keepass.info/) is the one to use

[bsoltan]

I use http://keepass.info/ it is Free.

It is a program that can store and generate passwords and has an encrypted database with a master password.

It has both desktop and portable versions, so you can install it on a USB stick and carry it around. I only recently installed the desktop version, before I always used a USB key.
You can also set it up to read the file from Cloud storage (DropBox/Google Drive etc.) I use a third party app called KyPass on iOS for my iPhone and iPad that can pick up the file from Dropbox and access the data as well.

So with this I can generate very complex (some passwords I have are over 16 characters) passwords, store them securely and access them anytime. I only need to remember 1 password to access everything else - yes that is the weak link but if you keep that password fairly strong even if someone gets hold of the database file it is unlikely to be decrypted. Unlike other systems (LastPass) the file is stored where I put it, so if I don't want it on DropBox I can just store it locally and even less likely it will get accessed by a third party.

There are also other options including ones that you pay for or require a subscription; LastPass and 1Password (for Mac).

I've used it since Uni, so that's over 5 years and never had a problem. I don't know the passwords to most things as it is all generated through that programme. I do keep a few passwords memorised for things that I may need to access without being able to use the programme like my email.

[madwedge]

Went to a mates BBQ/Camping weekend last week and asked to use his wi-fi. He uses a 65 character password!!!

[Sobtanian]

Went to a mates BBQ/Camping weekend last week and asked to use his wi-fi. He uses a 65 character password!!!

Holy moly! My wifi password is just the same one I use everywhere else

[madwedge]

Holy moly! My wifi password is just the same one I use everywhere else

Shhhhhhh....me too!

[Nige]

I tend to use, and recommend to clients, passwords based on phrases that mean something to you.

For example, an Elvis fan might use:

Wi1ftm,2fts,32grNGCG!

Whereas a Daphne du Maurier fan might use:

Ln1d1wiMa!

Or a Charles Dickens fan may use:

Iwtb0t.Iwtw0t.

Or a Specials fans may use:

Wmurmpc?RumabLP?

I often also use the first initials of my mum, me, my wife, my first dog, my sister, my niece, and the number of the house I was brought up in. The wife's childhood cat's name (suitably numerically altered) added to my parents' first phone number, are also used.

[mus422]

Another recommendation for Keepass. I've been using it for a few years now and it works well so long as you have access to the application when you need to re-enter a password.

[dummkopf]

There's an xkcd for every occasion.

http://xkcd.com/936/

Good workz on spreading the xkcd awesomeness there Driver!

I do agree 100% with what that particular comic says, and it actually works. I recently created a password for mySQL that was 40 characters long, and I can remember it very easily every time as it is made up of 4 random words, that you wouldn't normally ever see together, but form something that is very memorable.

I would definitely recommend using this approach, even combining it with something like Keepass (which I use myself a bit to keep track of logins - more usernames than passwords!) There was also a section on QI that said that it is OK to write down your passwords, as the people who are burgling your house, aren't generally the same people trying to hack your Diablo 3 account, so it would mean nothing to them - especially if you don't make it obvious to which service each password relates.

[madwedge]

There's an xkcd for every occasion.

http://xkcd.com/936/

I actually don't get this?? How is a 44 character password using all lower case letters harder to crack than a small word comprising of upper case, lower case, numbers and symbols??

[dummkopf]

Well, the hacker/cracker doesn't know what all of the characters are, so they have to go through the long list each time. Sure, a 48 char password combining numbers and letters (lower/uppercase) is more secure than a 48 char password with all lowercase, but that would be very hard to remember, so most people do 8-12 characters because it is easier to remember. So, the hacker/cracker has to only guess 8-12 characters, instead of 48 characters. Using numbers only adds an additional 10 options that need to be tested to every character, whereas every extra character that you add to the password, adds an extra 26 (if they are all lowercase).

I'm no expert, but it makes sense in my head, even if I can't explain it properly.

[madwedge]

Well, the hacker/cracker doesn't know what all of the characters are, so they have to go through the long list each time. Sure, a 48 char password combining numbers and letters (lower/uppercase) is more secure than a 48 char password with all lowercase, but that would be very hard to remember, so most people do 8-12 characters because it is easier to remember. So, the hacker/cracker has to only guess 8-12 characters, instead of 48 characters. Using numbers only adds an additional 10 options that need to be tested to every character, whereas every extra character that you add to the password, adds an extra 26 (if they are all lowercase).

I'm no expert, but it makes sense in my head, even if I can't explain it properly.

Yes, how you've explained it there makes sense. Thanks.

Gonna go rethink all my passwords now!

[grrrpoop]

So.. the mixed upper/lower/numerical passwords we're forced to create at work (and help customers set up), which everyone universally hates, are actually less secure and harder to remember than a few random words strung together lower case? Great.

I read that comic over half an hour ago and remember thinking of 4 random words. I can still easily remember them now..

[madwedge]

i thought I'd google a Password Stregth Checker and found this.

http://www.passwordmeter.com/

Have tried a few combinations and an 8 character password containing upper, lower, numbers and symbols comes out stronger than 4 lower case words strung together. However this site is purely checking for the number of different type of characters.

I guess without using some sort of password cracker we'll never know what's a stronger method.

Edit - Opposed to what I said before, here's a Microsoft password checker which actually favors a long string of lowercase letters over an 8 digit mix of letters, numbers and symbols etc.

https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx

[dummkopf]

Incidentally, Microsoft have just introduced a 16 character limit to their Hotmail/Live logins.

[madwedge]

Incidentally, Microsoft have just introduced a 16 character limit to their Hotmail/Live logins.

Hahaha oh dear! Fail!

[dummkopf]

From looking up the term "entropy", I some how ended up installing the "freenet" client, just to see what it was like... weird evening.