
Password Strategies

Question

Posted

Right then. Following ANOTHER bloody password change (following battle.net getting hacked), I've decided that I really need to use unique passwords for EVERYTHING. I normally have 3 or 4 I use, and rotate them, but I happened to have the same login for Battle.net as Origin, so potentially compromised my Battlefield access. This cannot be allowed to happen.

So what do people do? Subtle variations on a theme, or random 16-digit hexadecimal strings?

And more importantly, how do you remember them?

26 answers to this question

Posted

8 or more character password with numbers and symbols. Usually something like this:

@f0rM3n1!0n

Posted

E-mail: thorz@gmail.com

PW: @f0rM3n1!0n

...got it...cheers

Posted

Right then. Following ANOTHER bloody password change (following battle.net getting hacked), I've decided that I really need to use unique passwords for EVERYTHING. I normally have 3 or 4 I use, and rotate them, but I happened to have the same login for Battle.net as Origin, so potentially compromised my Battlefield access. This cannot be allowed to happen.

So what do people do? Subtle variations on a theme, or random 16-digit hexadecimal strings?

And more importantly, how do you remember them?

I've been thinking more about doing this, cos I use more or less the same password for EVERYTHING (with an added digit or two).

I read a scary account recently on Wired about a man who was the victim of very simple social engineering (they rang Apple and got them to reset his password).

From there, he lost a ton of shit on various sites. http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

So, I think I'm going to use a free password generator/reminder program, and it would seem KeePass (http://keepass.info/) is the one to use.

Posted

I use http://keepass.info/; it is free.

It is a program that can store and generate passwords and has an encrypted database with a master password.

It has both desktop and portable versions, so you can install it on a USB stick and carry it around. I only recently installed the desktop version, before I always used a USB key.

You can also set it up to read the file from cloud storage (Dropbox/Google Drive etc.). I use a third-party app called KyPass on iOS for my iPhone and iPad that can pick up the file from Dropbox and access the data as well.

So with this I can generate very complex passwords (some passwords I have are over 16 characters), store them securely and access them anytime. I only need to remember 1 password to access everything else - yes, that is the weak link, but if you keep that password fairly strong, even if someone gets hold of the database file it is unlikely to be decrypted. Unlike other systems (LastPass), the file is stored where I put it, so if I don't want it on Dropbox I can just store it locally, and it is even less likely to be accessed by a third party.

There are also other options including ones that you pay for or require a subscription; LastPass and 1Password (for Mac).

I've used it since Uni, so that's over 5 years and never had a problem. I don't know the passwords to most things as it is all generated through that programme. I do keep a few passwords memorised for things that I may need to access without being able to use the programme like my email.

Posted

Went to a mate's BBQ/camping weekend last week and asked to use his wi-fi. He uses a 65-character password!!!

Posted

Went to a mate's BBQ/camping weekend last week and asked to use his wi-fi. He uses a 65-character password!!!

Holy moly! My wifi password is just the same one I use everywhere else :P

Posted

Holy moly! My wifi password is just the same one I use everywhere else :P

Shhhhhhh....me too!

Posted

I tend to use, and recommend to clients, passwords based on phrases that mean something to you.

For example, an Elvis fan might use:

Wi1ftm,2fts,32grNGCG!

Whereas a Daphne du Maurier fan might use:

Ln1d1wiMa!

Or a Charles Dickens fan may use:

Iwtb0t.Iwtw0t.

Or a Specials fan may use:

Wmurmpc?RumabLP?

I often also use the first initials of my mum, me, my wife, my first dog, my sister, my niece, and the number of the house I was brought up in. The wife's childhood cat's name (suitably numerically altered) added to my parents' first phone number, are also used.

Posted

Another recommendation for KeePass. I've been using it for a few years now and it works well, so long as you have access to the application when you need to re-enter a password.

Posted

There's an xkcd for every occasion.

http://xkcd.com/936/

Good workz on spreading the xkcd awesomeness there Driver!

I do agree 100% with what that particular comic says, and it actually works. I recently created a password for MySQL that was 40 characters long, and I can remember it very easily every time, as it is made up of 4 random words that you wouldn't normally ever see together, but which form something that is very memorable.

I would definitely recommend using this approach, even combining it with something like KeePass (which I use myself a bit to keep track of logins - more usernames than passwords!). There was also a section on QI that said that it is OK to write down your passwords, as the people who are burgling your house aren't generally the same people trying to hack your Diablo 3 account, so it would mean nothing to them - especially if you don't make it obvious which service each password relates to.

Posted

There's an xkcd for every occasion.

http://xkcd.com/936/

I actually don't get this?? How is a 44-character password using all lower-case letters harder to crack than a small word comprising upper case, lower case, numbers and symbols??

Posted

Well, the hacker/cracker doesn't know what all of the characters are, so they have to go through the long list each time. Sure, a 48 char password combining numbers and letters (lower/uppercase) is more secure than a 48 char password with all lowercase, but that would be very hard to remember, so most people do 8-12 characters because it is easier to remember. So, the hacker/cracker has to only guess 8-12 characters, instead of 48 characters. Using numbers only adds an additional 10 options that need to be tested to every character, whereas every extra character that you add to the password, adds an extra 26 (if they are all lowercase).

I'm no expert, but it makes sense in my head, even if I can't explain it properly.

Posted

Well, the hacker/cracker doesn't know what all of the characters are, so they have to go through the long list each time. Sure, a 48 char password combining numbers and letters (lower/uppercase) is more secure than a 48 char password with all lowercase, but that would be very hard to remember, so most people do 8-12 characters because it is easier to remember. So, the hacker/cracker has to only guess 8-12 characters, instead of 48 characters. Using numbers only adds an additional 10 options that need to be tested to every character, whereas every extra character that you add to the password, adds an extra 26 (if they are all lowercase).

I'm no expert, but it makes sense in my head, even if I can't explain it properly.

Yes, how you've explained it there makes sense. Thanks. :)

Gonna go rethink all my passwords now!

Posted

So... the mixed upper/lower/numerical passwords we're forced to create at work (and help customers set up), which everyone universally hates, are actually less secure and harder to remember than a few random words strung together in lower case? Great.

I read that comic over half an hour ago and remember thinking of 4 random words. I can still easily remember them now...

Posted

I thought I'd Google a password strength checker and found this.

http://www.passwordmeter.com/

Have tried a few combinations, and an 8-character password containing upper, lower, numbers and symbols comes out stronger than 4 lower-case words strung together. However, this site is purely checking for the number of different types of characters.

I guess without using some sort of password cracker we'll never know what's a stronger method.

Edit - As opposed to what I said before, here's a Microsoft password checker which actually favors a long string of lowercase letters over an 8-digit mix of letters, numbers and symbols etc.

https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx

Posted

Incidentally, Microsoft have just introduced a 16 character limit to their Hotmail/Live logins.

Posted

Incidentally, Microsoft have just introduced a 16 character limit to their Hotmail/Live logins.

Hahaha oh dear! Fail!

Posted

From looking up the term "entropy", I somehow ended up installing the "freenet" client, just to see what it was like... weird evening.

Posted

It's worth remembering that if a word appears in a dictionary, anywhere, then it can be hacked in seconds.

It's not people who do the cracking of passwords, it's software, so the fact that golfbananarobincheese are unrelated words gives absolutely no protection whatsoever from a hacker using an automated password cracker.

Given that any password will, eventually, be cracked, I prefer to think in terms of how long before it does!

Complexity AND length are equally important.

http://www.certainkey.com/demos/password/

Posted

Incidentally, Microsoft have just introduced a 16 character limit to their Hotmail/Live logins.

This hasn't just been introduced. I have had my Hotmail account since time began and my password is 16 characters long (which is a fair few characters less than the actual word/words that are in my password ;) )

Posted

Well I set up a password about 40 characters long a couple of months back, and it worked fine for a month or so, then I started getting an error saying that passwords have been changed to just the first 16 characters.

It's worth remembering that if a word appears in a dictionary, anywhere, then it can be hacked in seconds.

It's not people who do the cracking of passwords, it's software, so the fact that golfbananarobincheese are unrelated words gives absolutely no protection whatsoever from a hacker using an automated password cracker.

Given that any password will, eventually, be cracked, I prefer to think in terms of how long before it does!

Complexity AND length are equally important.

http://www.certainke...demos/password/

The point here is not that a long password of lowercase letters is more secure than a long password of mixed characters, but that a long password based on several reasonable-length words is more secure than an 8-character password that uses any type of character - and that it is also easier to remember the longer one.

There is no doubt that a password like "avSFjd8u&sd.4sdfcSfr3£rfdf.Rlfdsm" is more secure than, for instance, "crab.sails.caffeine.glasses"; however, it would generally be harder to guess than "Sm1th67!".

From http://oxforddiction...nglish-language regarding the number of words in the English language:

If distinct senses were counted, the total would probably approach three quarters of a million.

A hacker would not know when they have guessed one word, only when they have guessed all of them, so potentially the number of attempts needed could be as large as:

750,000^4 = 316,406,250,000,000,000,000,000

At 400,000 guesses per second, as per Nige's link, that would take up to:

316,406,250,000,000,000,000,000 / 400,000 = 791,015,625,000,000,000 seconds to crack (or 9,155,273,437,500 days).

I think my maths is right, anyway...

This also doesn't include the separators between words, which might not exist, or might be dots, spaces, underscores, hyphens, etc.

Edit: On separators, imagine that someone tries to break your password. They know that it is 4 words strung together, but that is all. So, they try a dictionary attack just putting the words together like: crabsailscaffeineglasses.

9 trillion days later, they find out that you must have used a separator, so now they must re-do the attack for each possible separator - 9 trillion days for "period", 9 trillion days for "hyphen", etc., etc.

But then most attackers wouldn't know that you used 4 words - it could have been 3, it could have been 5 - so basically it is so unlikely that anyone could ever crack a password that long without some clue as to the contents of the password, even with a supercomputer, that it doesn't even matter any longer. You just have to stop someone stealing it with malware/key logger/phishing email etc.

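The keyspace arithmetic behind the reply above and the earlier explanation of why extra characters beat extra symbol types, as an added Python example that is not from the thread or any of its posters. It assumes the 400,000 guesses/second rate and the 750,000-word dictionary quoted in the reply, 95 printable ASCII characters for the "mixed" alphabet, and a 2,048-word common-word list (the size behind xkcd 936's 44-bit figure); the comparison rows are constructed.

```python
import math

GUESSES_PER_SECOND = 400_000  # rate quoted in the reply's linked demo
SECONDS_PER_DAY = 86_400


def charset_keyspace(length: int, alphabet_size: int) -> int:
    """Guesses to exhaust every password of `length` symbols drawn from an
    alphabet of `alphabet_size` symbols (26 lowercase, 62 alphanumeric,
    95 printable ASCII)."""
    return alphabet_size ** length


def passphrase_keyspace(words: int, dictionary_size: int) -> int:
    """Guesses when the attacker knows the word count and the exact word
    list, so each guess is a whole word rather than a letter."""
    return dictionary_size ** words


def unknown_layout_keyspace(dictionary_size: int, min_words: int,
                            max_words: int, separators: int) -> int:
    """Same, but the attacker must also cover every word count in
    [min_words, max_words] and each candidate separator ('none' counts as one)."""
    return separators * sum(dictionary_size ** n
                            for n in range(min_words, max_words + 1))


def entropy_bits(keyspace: int) -> float:
    """Entropy in bits: log2 of the number of equally likely candidates."""
    return math.log2(keyspace)


def days_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> int:
    """Whole days to try the entire keyspace at `rate` guesses per second;
    on average an attacker succeeds after about half of that."""
    return keyspace // (rate * SECONDS_PER_DAY)


if __name__ == "__main__":
    # Constructed comparison rows; the 2,048-word list size is an assumption.
    cases = {
        "8 chars, 95 printable ASCII": charset_keyspace(8, 95),
        "4 words, 750,000-word dictionary": passphrase_keyspace(4, 750_000),
        "4 words, 2,048-word common list": passphrase_keyspace(4, 2_048),
        "44 lowercase letters": charset_keyspace(44, 26),
        "3-5 words, 750k dict, 5 separators": unknown_layout_keyspace(750_000, 3, 5, 5),
    }
    for label, space in cases.items():
        print(f"{label:36} {entropy_bits(space):6.1f} bits "
              f"{days_to_exhaust(space):>26,} days to exhaust")
```

The 2,048-word row is the caveat the reply leaves out: a passphrase is only as strong as the list the attacker has to search, so four words from a short common-word list are exhausted in about 509 days at this rate, while four from a 750,000-word dictionary take the trillions of days computed above.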
Posted

Well I set up a password about 40 characters long a couple of months back, and it worked fine for a month or so, then I started getting an error saying that passwords have been changed to just the first 16 characters.

Strange... I set my Hotmail account up pretty much when I joined the internet and I put in my password as what my password is (which is over 16 characters). Anyway, I happily used this for a few years until I once typed the password in where the "show password" was ticked and I noticed that the characters stopped on the 16th character... this was also many years ago...

Do you have a .co.uk or .com?? Wonder if that makes a difference.

Posted

I had the same problem with my bank. They redesigned their website and changed the maximum password length allowed. Mine was 2 characters too many, and of course they didn't mention anywhere on their website how many characters were allowed - that caused me a weekend of stress and worry until I finally got to speak to one of their human representatives and found out about the new password length.

Posted

Strange... I set my Hotmail account up pretty much when I joined the internet and I put in my password as what my password is (which is over 16 characters). Anyway, I happily used this for a few years until I once typed the password in where the "show password" was ticked and I noticed that the characters stopped on the 16th character... this was also many years ago...

Do you have a .co.uk or .com?? Wonder if that makes a difference.

.com - I have had it for over 10 years now! However, I thought that some of my passwords had been compromised recently (as my computer appeared to have malware) so I changed a lot of my passwords.
