#1
Choosing a password.
There are several methods, for general security, in creating a password for online accounts.
I hate passwords that mix caps and numerals. The height of annoying. I mixed names and dates and a string of random words (yes, I've seen the XKCD comic on that). I've also employed the keyboard pattern, too, which I do like, as you can devise a complex but memorable pattern, yet end up with seemingly random letters and numbers. However, I've thought about doing this: pick a word and double or triple up the characters. For instance, taking my user name, you'd end up with "ccmmyykk." Might this be a bad idea, or is it about as secure as any other method? Also, any other clever tips for generating passwords would be appreciated.
Last edited by cmyk; 05-09-2012 at 04:24 PM.
#2
My old boss was half-Polish. He'd use Polish words backwards with a spelling error. He claimed all the Zs and Ks meant his passwords were almost impossible for bots to guess. I'd say for the same reason your passwords might be quite good, but I'm no computer whizz.
__________________
My photography
Last edited by Fiendish Astronaut; 05-09-2012 at 04:36 PM.
#3
Quote:
See this blog post for more details, or search under the keywords "password haystack".
#4
To make things easy for various relatives of mine, I taught them the following password rules, which make a secure password, strong enough for 99% of the sites.
1. Use your name.
2. Then an At symbol (@).
3. Then the website location.
4. Then either the 4 digits of your phone, or 4 other digits you like.
For example, for Google, "John Smith" would use a password of "John@Google1234". It's unique to each website, easy for people to remember, and very secure.
#5
The most important thing is to make sure you don't use a normal word. Hackers already have tables of all the dictionary words pre-encrypted called a Rainbow Table. When they steal the password table from a website, they compare the encrypted passwords with the passwords in their rainbow table to find the original password. All these goofy password rules are to make sure you're not typing a regular word as a password.
But some enterprising hackers have created rainbow tables of all 8 character and less lowercase passwords. So it doesn't matter if your password is 'password' or 'adieiqoq', it's just as easy for that hacker to break. By adding capital letters, numbers and symbols, you're making the hacker's job harder since the table has to get so big to account for all options. So at this point, ccmmyykk is not really a secure password. Add some special characters in there so it can't be reversed so easily.
But the most important thing about passwords is: DO NOT USE THE SAME PASSWORD ON MULTIPLE SITES!!! If you have unique passwords, then the worst thing is that the hacker could login to the site he hacked. But if you have common passwords, then the hacker can try the same login on other sites like facebook, gmail, etrade, banks, etc.
Some sites don't even encrypt the password. Whatever you type in is stored in the database. When the hacker steals the database, they have your login, email, and password in the clear. So even if you have a super complicated password like '$Ia)0192w1=', a hacker may discover it from a site with poor security. So this means you need unique, goofy passwords for each site. Try to come up with passwords that incorporate part of the domain and user name. Figure out some pattern that works for you. So my password for this site could be something like f1ilst2r. On CNN it might be f1ilcn2n, etc.
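As an added illustration of the hashing point in this post (not code from the thread), here is a Python script contrasting unsalted fast hashing, which is what lets a precomputed table crack many accounts at once, with per-user salted PBKDF2; the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who independently chose the same weak password.
USERS = {"alice": "password", "bob": "password"}


def unsalted_hash(password: str) -> str:
    """The scheme the post warns about: one plain hash per password, no salt.
    Everyone with the same password gets the same digest, so a single
    precomputed dictionary -> digest table answers for all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    A precomputed table would have to be rebuilt for every salt, and each
    guess now costs `iterations` hash calls instead of one."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def store(password: str) -> str:
    """What a site should write to its database: a fresh 16-byte salt each time."""
    return salted_hash(password, os.urandom(16))


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, _digest = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def digests_collide(scheme) -> bool:
    """True if the two users' stored values are identical, i.e. one table
    entry (or one cracked hash) would reveal both passwords."""
    return len({scheme(pw) for pw in USERS.values()}) == 1


if __name__ == "__main__":
    print("unsalted SHA-256 collides across users:", digests_collide(unsalted_hash))  # True
    print("salted PBKDF2 collides across users:   ", digests_collide(store))          # False
    record = store("password")
    print("verify right password:", verify("password", record))  # True
    print("verify wrong password:", verify("hunter2", record))   # False
```

The iteration count is a tunable cost factor; raise it as hardware gets faster, since `verify` reads it back from the stored record.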
#6
Quoting for emphasis. I see this happen all the time - accounts with otherwise strong passwords get hacked, because someone reused the same password on a site that was compromised.
#7
I use made up names from characters I had in role-playing games when I was a kid. They're nonsense words, completely meaningless to anyone else, but really memorable to me. Then I just tack on some numbers that have a meaning to me, but aren't a birthday or anything obvious.
Here's an example:
Character name (never had this, just made it up now): Varindal
Ex-girlfriend's street address: 1538
Password: Varindal1538
Last edited by Darth Panda; 05-09-2012 at 08:19 PM.
#8
One of the early programs I coded (back in the 1970s, believe it or not) was a password generator. It was limited to 8 alphanumeric characters but so was the target OS. I created about 20 of these passwords and still use them with significant variations (extending the length and adding nonalphanumerics). So far, so good.
Really, if your password is Dog@P0N33#H0r2e, it is going to be a bit of a challenge to crack it. The real trick is to make it difficult enough to crack that the infiltrating agent is unwilling to spend the time to brute-force it. If the system has a timeout/lockout provision set up for failed password attempts, then brute-force becomes less of a problem. But, many online sites don't use timeout/lockout because that requires active systems administration, and when your site has millions of users, then that becomes something of a challenge.
#9
I use many methods, but currently am going with song lyrics -- taking the initial letter of each word and using a few numbers and special characters. Thus PamtimI1mow&t uses the first line of "Sympathy for the Devil."
Bonus -- you get to hear the song whenever you log in.
__________________
"One never knows, do one?" Provider of quality fantasy and science fiction since 1982.
#10
Quote:
I use the first three letters of whatever the website is that I'm logging into, plus a string of characters that only make sense to me. For example, if I'm logging in to Facebook, the login would be: Fac7321!Dar! Easy peasy.
#11
Quote:
Last edited by pulykamell; 05-09-2012 at 10:36 PM.
#12
To really do it right, you want something such that, even if the attacker knows your method and a sample password from a different site, they still can't get your password for a different site in any sane amount of time. Like, with the OP's method, if I know that he's using a dictionary word with each letter doubled, then I can code up something quickly that will do that, and get in after a number of tries equal to the number of words in the dictionary.
__________________
Time travels in divers paces with divers persons. --As You Like It, III:ii:328
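As an added illustration of the point in this post (not code from the thread), here is a Python script that counts the candidates an attacker who already knows the scheme has to try, for the OP's doubled-letter word, an xkcd-style random passphrase and a manager-generated string; the dictionary size, word list and guess rate are assumed figures.

```python
import math
import secrets

# Constructed stand-ins: a real English word list has roughly 10**5 entries.
DICTIONARY_SIZE = 100_000
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "adieu", "snowman"]


def doubled(word: str, repeat: int = 2) -> str:
    """The OP's transform: 'cmyk' -> 'ccmmyykk'. It is one-to-one, so an
    attacker who knows the rule has exactly one candidate per dictionary
    word, whatever the repeat count."""
    return "".join(ch * repeat for ch in word)


def bits(keyspace: int) -> float:
    """Entropy against an attacker who knows the scheme: log2 of the
    number of equally likely candidates."""
    return math.log2(keyspace)


def doubled_word_bits(dictionary_size: int = DICTIONARY_SIZE, repeat: int = 2) -> float:
    # `repeat` lengthens the string but adds no choice, so it does not appear.
    return bits(dictionary_size)


def random_words_bits(n_words: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """xkcd-style passphrase: n words chosen independently at random."""
    return bits(dictionary_size ** n_words)


def random_chars_bits(alphabet_size: int, length: int) -> float:
    """Password-manager output drawn uniformly from a character alphabet."""
    return bits(alphabet_size ** length)


def worst_case_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace offline at a given guess rate."""
    return 2 ** entropy_bits / guesses_per_second


def random_passphrase(words, n_words: int) -> str:
    """Choose words with the secrets module (CSPRNG), not random.choice."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate against a fast unsalted hash
    for name, e in [("doubled dictionary word", doubled_word_bits()),
                    ("4 random words", random_words_bits(4)),
                    ("12 random printable chars", random_chars_bits(95, 12))]:
        print(f"{name:28s} {e:6.1f} bits  {worst_case_seconds(e, rate):.3g} s")
    print("example passphrase:", random_passphrase(SAMPLE_WORDS, 4))
```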
#13
Quote:
But there are many other ways in: packet sniffing, keyboard-sniffing Trojans, and, with so many stolen laptops and foolish security, I'd not be surprised to learn that many thousands of user passwords are for sale on the black markets! I watched a friend log in to his British bank using a challenge-response protocol that would be hard to crack. Do any American banks do that? (Mine doesn't.)
#14
Really great advice here, thanks folks.
I've so many accounts now, and I'm starting to feel a bit wary about the passwords I've been using, so I'm meaning to update most of my important passes with some kind of system; as mentioned, a unique pass for every account. Some of the methods described in generating passwords and also in how hackers crack them have already inspired some good ideas for a new system. The point I seem to be hearing is devising a consistent method for generating passwords for myself, but impossible to decode the method even if one is directly exposed, and even if it's obviously generated using some method. Also that mixing in numerals or other acceptable non-alphanumeric characters helps to defy brute force probing.
Last edited by cmyk; 05-10-2012 at 03:56 AM.
#15
Back in the Pentium 150MHz days, L0phtcrack was taking (IIRC) about a week to try all possible 8-character combinations. Of course, in those days, Microsoft cleverly broke all passwords into 8-character chunks and stored them upper case to allow for logon to the old Windows networking as well.
I ran the program against the large corporate database, and surprisingly (not?) it found about 1/3 of the passwords from the dictionary-plus-one attack (i.e. SNOWMAN7) - within half an hour. Considering how much faster machines are today, a brute force attack can take very little time (days, weeks) if your password is short and they get the encrypted version.
#16
Could you explain what a challenge-response protocol is? I have several UK bank accounts, and what they typically do is ask you for, say, the 2nd, 5th and last characters of a secret phrase, I suppose to provide some protection against key loggers. Is that what you mean?
#17
Quote:
The trick is to generate a long and complex password while making it easy for you to remember long term and reproduce, and also not making the process too obvious (i.e. site name in password). If it's harder to shoulder-surf, so much the better. Hence the "Sympathy for the Devil" trick above. What's annoying while convenient is the sites that need your email as userid and send a verification to there, thus ensuring that half your credentials are fairly obvious.
Last edited by md2000; 05-10-2012 at 09:37 AM.
#18
Quote:
Even better security is obtained if the challenge-response cycle involves the client performing an irreversible calculation -- some USB "dongles" do that I think. This is better security. With the choice of good security or better security, it seems odd that some sites opt instead for bad security. Is it true that UK banks generally do use a challenge-response protocol to protect against sniffers? Is it true that US banks generally do not? If so, why the difference?
#19
None of the half-dozen UK banks I use have that kind of security, but I think some other banks do provide their customers with dongles or token generators.
#20
Quote:
#21
How does brute forcing work these days? The websites I use only give you a very limited number of chances to enter a password before you are locked out. How do they get around that?
__________________
Just my 2sense
#22
Quote:
The more information that's not automatically available, the better. But yes, you are right, relying on the fact the other person does not know your name is not a good start. It's like whether the burglar knows you have a key hidden near your front door. If the burglar KNOWS you do, he will look harder and longer than if he simply suspects that there may be one.
#23
I'm not sure if I understood the "challenge-response" discussion.
To log onto my bank account, I have a password. If I answer that correctly, I then have to answer a security question, which I made up myself. There are actually three security questions, which the bank site cycles through with each log-in. Is that a "challenge-response" system?
#24
Quote:
Some banks and websites (PayPal, google gmail, etc) are also using 2-factor authentication (e.g. random digits texted to your cellphone.) Private companies have been doing this for employee remote access for a long time (e.g. SecurID number generators attached to the keychain.) You could consider 2-factor authentication as a specific subset of "challenge/response". I would say the "security question" is another form of challenge/response but it's not 2-factor.
Last edited by Ruminator; 05-10-2012 at 02:23 PM.
#25
Quote:
This is pretty much what I do except I capitalize the first letter of each line in the song. Using the Star Spangled Banner gives OscysBtdelWspwh
__________________
Remember this motto to live by: Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather one should aim to skid in sideways, chocolate in one hand, glass of Scotch in the other, your body thoroughly used up, totally worn out and screaming "WOO HOO! Man, what a ride!"
#26
The xkcd method was mentioned up thread, and the method I've been using is more or less an implementation of that. I use what is often just called a passphrase rather than just choosing random words, I'll take a concept that I associate with the site and make a sentence out of it and that becomes the password. As long as I can remember that association, I can remember the password.
Let's take the Dope as an example. I could pick a particular forum and have a comment about that or I could have a comment about a particular doper or something related to a thread I remember or whatever. I'll have no problem remembering it. So even if they do figure out that my bank password is TheEntireBankingSystemIsCorrupt! that won't give them any clue that my Dope password is DoperXIsATroll.
I would strongly recommend against using a standard pattern because it's only half a step better than just using the same password for both sites. As mentioned upthread, if someone sees that I have a password for Facebook like Password123@Facebook then someone would be able to try likely permutations at banking or email sites.
The absolutely most important rule is to make sure that at least the major sites like email and banking don't share the password with anything else. I actually have two-factor authentication on my email precisely because it's the keys to the kingdom as far as online identity goes.
#27
Quote:
They hack a web site and obtain a full list of users and hashed passwords. They brute-force those hashes on their own machines. Then they try the same user/pass combinations (and variations) on other web sites.
#28
Quote:
Similarly, one of the network admins had software that would take the garble in the Cisco device configurations and decode it into a valid password. Another suggestion that I have heard, but not read an actual case of, is the password passes over the network between client and authentication server encrypted; the same applies, the hacker intercepts the transmission and compares the encryption of the entire dictionary to the captured encrypted password looking for a match. Then checks a, aa, aaa, aaaa, etc. ab, abaaa, etc. A few weeks later, if the password is not too long, he may find a match.
You can see why it is simpler to create a fake logon screen site, or otherwise trick the user with social engineering, rather than try to hack the increasingly more robust transmission and server infrastructure. You are the weakest link! Of course, intercepting communications is a lot less trivial with switched ethernet; and many conversations are completely encrypted. FTP used to be a royal gift, because it allowed for no encryption, the password was passed in the clear across the network. That's why generally it is used mainly for public distributions and low-security material.
#29
I used to get ingenious and make up rebuses with punctuation marks and so on, but these days I use a password safe (KeePass) and randomly generate one for sites that I really care about security on. If I'm going to use it a lot, I'll eventually memorize the random string. If I don't use it that often, it isn't that big a deal to retrieve it from the password safe.
#30
Dropbox allows you to test if your password is any good:
http://dl.dropbox.com/u/209/zxcvbn/test/index.html and provides information on how long it would take an attacker to crack it. (The test site is open to the public, you don't need a Dropbox account.)
#31
Always having a complicated password for every different online account is almost impossible. Just in email accounts I have several accounts that I use regularly, and then add in banking, credit cards, social media, etc., and then to have different passwords for all of them is a pain, but necessary. However, one of the first things I look for when setting up an account is if they offer 2FA (two-factor authentication) where I can telesign into my account. This gives me the confidence that my account won't get hacked and my personal information isn't vulnerable. Personally I think if you are just relying on your passwords to protect your info you will pay the price sooner or later.
#32
It's simple if you use a password manager.
__________________
The Internet: Nobody knows if you're a dog. Everybody knows if you're a jackass.
#33
The only place I wouldn't want to be hacked is my bank. If someone breaks into my linkedin account and changes my work history, I don't really care. So, if they get my password and I use the same one everywhere (which I do), how would the hacker even know which bank I use or what my username is there? Is there really some hacker out there thinking, "Today I'll see if I can find a way into Procrutus' bank account."
#34
Quote:
Here's how they do it:
1. Break into LinkedIn and steal their user/pw database. From the user information they get your contact email.
2. They attempt to log into your email account with the pw you used on LinkedIn. If it's the same, they're in.
3. They download your inbox and find all the emails your bank has sent you. They scan those emails looking for your user id for the bank's website.
4. They attempt to log into the bank's website using that id and the pw from the LinkedIn website.
Many websites use your email address as your user id (facebook, netflix, amazon, etc). Once the hacker has your email/pw, he may try it on all the other websites which use the email address as the login. Many people use the same userid across different websites. The hacker may just try the same userid/pw combination in all the bank websites. He doesn't need to know that you bank at Chase. He tries all the bank websites to see if he can find a match.
It's interesting you mentioned LinkedIn. Did you know their password database was recently stolen? Hackers have decrypted many of the passwords and published them on the web. Supposedly they only got the passwords and not the user accounts.
#35
Once they have access to your LinkedIn account, they probably know your primary email account. If you share passwords they have access to your email account. If you do online banking they now know what bank you bank at. Given your real name they can make some good guesses as to your account name. Given access to your email they can go to your bank and say they forgot your account name and the bank will send an email to your account with that information. They can read and delete the message with very little risk you will see the message.
You should have different passwords for your email, banks and credit cards. The same one, but different from email and banking, for LinkedIn, facebook, straight dope etc is not really a big deal.
#36
Thanks Filmore. And, yes, that's why I mentioned LinkedIn.
#37
How can we know we're not handing over all our passwords through a scam password manager?
#38
I've been noticing more and more of this, and I hate it. Let's go back to not using my email address as the user ID. If there are 2 pieces of information that a hacker doesn't know about me (ID and password), it makes it much harder to hack my accounts.
#39
How can we know we're not handing over all our passwords through a scam password manager?
#40
Quote:
Ideally, use one with open source code like KeePass. Alternatively, a traffic sniffer can test for such shenanigans; presumably the various malware/antivirus companies check for that when updating their threat databases.
__________________
The Internet: Nobody knows if you're a dog. Everybody knows if you're a jackass.
#41
I use the uniqueness of the website name as the primer of the password plus a little more stuff.
I am the only one that knows the key. I have never forgotten a password since I adopted it.
#42
Quote:
Some email services allow you to create different versions of your address. For example, gmail will allow you to add +anything to your email address. For example, both filmore+sdmb@gmail.com and filmore+facebook@gmail.com are valid addresses for filmore@gmail.com. Using techniques like these means that you won't have the same email address across multiple websites. In addition, if you start getting spam addressed to one of your custom addresses, you can disable it or direct that mail to go to the trash.
#43
I pick a random object in my office and describe it.
BrownChairFourLegs was my last password.
#44
I use a sentence with a name and number. It's pretty easy to remember a sentence. For example "Brad Pitt is a 10 on the hotness scale" is "BPia10oths".
#45
Obligatory XKCD refer...
Oh, wait. Never mind.
#46
Quote:
#47
Before I abandoned writing fiction, I would use a password based on the first sentence of whatever story I was working on, taking the first letter of each word and changing a few to @, $, 0, and so forth. Nowadays it's poems.
#48
Quote:
The purpose of email forwarding sites like that is to figure out who might be selling your email address. Even then, it's of pretty limited utility, since spammers know that gmail can have "word+" appended to an email address, and they'll just strip that off before spamming you. The way to have secure passwords is to use Keepass (or some other highly-regarded password safe), use it to generate long strong unique passwords for every site, and keep the keyfile protected with a good password. Anything else is a half-measure.