Choosing a password.

How does brute forcing work these days? The websites I use only give you a very limited number of chances to enter a password before you are locked out. How do they get around that?

But if the perp does not know or cannot easily verify your login username, that’s a small bit more of a roadblock.

The more information that’s not automatically available, the better.

But yes, you are right, relying on the fact the other person does not know your name is not a good start.

It’s like whether the burglar knows you have a key hidden near your front door. If the burglar KNOWS you do, he will look harder and longer than if he simply suspects that there may be one.

I’m not sure if I understood the “challenge-response” discussion.

To log onto my bank account, I have a password.

If I answer that correctly, I then have to answer a security question, which I made up myself. There are actually three security questions, which the bank site cycles through with each log-in. Is that a “challenge-response” system?

To add to the confusion, I suspect some folks are using the terms “challenge/response” and “two-factor authentication” interchangeably.

Some banks and websites (PayPal, google gmail, etc) are also using 2-factor authentication (e.g. random digits texted to your cellphone.) Private companies have been doing this for employee remote access for a long time (e.g. SecurID number generators attached to the keychain.)

You could consider 2-factor authentication as a specific subset of “challenge/response”.

I would say the “security question” is another form of challenge/response but it’s not 2-factor.

[nitpick] you forgot the a between the 1 and the m. [/nitpick]. :slight_smile:
This is pretty much what I do except I capitalize the first letter of each line in the song. Using the Star Spangled Banner gives OscysBtdelWspwh

The xkcd method was mentioned up thread, and the method I’ve been using is more or less an implementation of that. I use what is often just called a passphrase; rather than just choosing random words, I’ll take a concept that I associate with the site and make a sentence out of it and that becomes the password. As long as I can remember that association, I can remember the password.

Let’s take the Dope as an example. I could pick a particular forum and have a comment about that or I could have a comment about a particular doper or something related to a thread I remember or whatever. I’ll have no problem remembering it. So even if they do figure out that my bank password is TheEntireBankingSystemIsCorrupt! that won’t give them any clue that my Dope password is DoperXIsATroll.

I would strongly recommend against using a standard pattern because it’s only half a step better than just using the same password for both sites. As mentioned upthread, if someone sees that I have a password for Facebook like Password123@Facebook then someone would be able to try likely permutations at banking or email sites. The absolutely most important rule is to make sure that at least the major sites like email and banking don’t share the password with anything else. I actually have two-factor authentication on my email precisely because it’s the keys to the kingdom as far as online identity goes.

Most web sites don’t do that. It opens a trivial DoS attack where you can prevent a given user from logging in.

They hack a web site and obtain a full list of users and hashed passwords. They brute-force those hashes on their own machines. Then they try the same user/pass combinations (and variations) on other web sites.

Yes, to run L0phtcrack I needed admin privilege in order to copy the “SAM” or security database. Microsoft had no “levels of security” at the time, so a remote site administrator was a full administrator of everything; there were probably 20 or 30 admin level people in the large enterprise.

Similarly, one of the network admins had software that would take the garble in the Cisco device configurations and decode it into a valid password.

Another suggestion that I have heard, but not read an actual case of, is that the password passes over the network between client and authentication server encrypted; the same applies: the hacker intercepts the transmission and compares the encryption of the entire dictionary to the captured encrypted password looking for a match. Then checks a, aa, aaa, aaaa, etc., ab, abaaa, etc. A few weeks later, if the password is not too long, he may find a match.

You can see why it is simpler to create a fake logon screen site, or otherwise trick the user with social engineering, rather than try to hack the increasingly more robust transmission and server infrastructure. You are the weakest link!

Of course, intercepting communications is a lot less trivial with switched ethernet; and many conversations are completely encrypted. FTP used to be a royal gift, because it allowed for no encryption, the password was passed in the clear across the network. That’s why generally it is used mainly for public distributions and low-security material.
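An added worked example, not code posted by anyone in the thread, covering two passages at once: the offline attack described a few posts up (steal the list of users and hashed passwords, brute-force it on your own machines) and the dictionary-then-exhaustive “a, aa, aaa …” search described just above. The leaked table, the wordlist and the mangling rules are all constructed. The second half shows the defender’s side of the same arithmetic: with unsalted hashes one computation tests a guess against every user at once, while a per-user salt plus a slow KDF (PBKDF2 here) makes the work grow with the number of users and with the iteration count.

```python
import hashlib
import itertools
import os
import string
from typing import Dict, Iterable, Iterator, Optional, Tuple


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


# Constructed 'leaked' table: usernames with UNSALTED SHA-1 hashes, the kind of
# dump an attacker cracks offline on his own hardware.
LEAKED = {
    "alice": sha1_hex("password1"),
    "bob": sha1_hex("Sunshine!"),
    "carol": sha1_hex("abcd"),                       # short: exhaustive search finds it
    "dave": sha1_hex("correcthorsebatterystaple"),   # not in our wordlist
}
WORDLIST = ["password", "sunshine", "letmein", "linkedin", "monkey", "dragon"]  # constructed


def mangle(word: str) -> Iterator[str]:
    """A few of the rewrite rules cracking tools apply to every dictionary word:
    case changes, a trailing digit, a trailing symbol, a trailing '123'."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for d in "0123456789":
            yield base + d
        for sym in "!@#$":
            yield base + sym
        yield base + "123"


def crack_unsalted(hashes: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes. Without a salt each candidate is
    hashed ONCE and checked against every user's hash by dictionary lookup.
    Returns (user -> recovered password, number of hash computations)."""
    by_hash: Dict[str, list] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    cracked, work = {}, 0
    for word in wordlist:
        for cand in mangle(word):
            work += 1
            for user in by_hash.get(sha1_hex(cand), []):
                cracked[user] = cand
    return cracked, work


def brute_force_short(target: str, alphabet: str = string.ascii_lowercase,
                      max_len: int = 4) -> Tuple[Optional[str], int]:
    """The 'a, aa, aaa, ... ab, ...' search from the post above: every string
    over `alphabet` up to `max_len`, shortest first. Work grows as |alphabet|^n,
    which is why length beats cleverness."""
    work = 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            work += 1
            cand = "".join(tup)
            if sha1_hex(cand) == target:
                return cand, work
    return None, work


# --- The defender's version of the same table --------------------------------
def store_salted(users: Dict[str, str], iterations: int) -> Dict[str, Tuple[bytes, bytes]]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, a deliberately slow KDF.
    (Real deployments use iteration counts in the hundreds of thousands.)"""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return table


def crack_salted(table: Dict[str, Tuple[bytes, bytes]], wordlist: Iterable[str],
                 iterations: int) -> Tuple[Dict[str, str], int]:
    """Same dictionary attack against salted, slow hashes. The salt forces every
    candidate to be recomputed for EVERY user (no shared lookup), and each of
    those computations costs `iterations` HMAC rounds instead of one SHA-1."""
    cracked, work = {}, 0
    for user, (salt, stored) in table.items():
        for word in wordlist:
            found = False
            for cand in mangle(word):
                work += 1
                if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations) == stored:
                    cracked[user] = cand
                    found = True
                    break
            if found:
                break
    return cracked, work


if __name__ == "__main__":
    got, work = crack_unsalted(LEAKED, WORDLIST)
    print(f"unsalted: {got} in {work} SHA-1 computations for {len(LEAKED)} users")
    print("carol by exhaustive search:", brute_force_short(LEAKED["carol"]))
    plain = {"alice": "password1", "bob": "Sunshine!", "dave": "correcthorsebatterystaple"}
    got, work = crack_salted(store_salted(plain, 1000), WORDLIST, 1000)
    print(f"salted PBKDF2: {got} in {work} x 1000 rounds for {len(plain)} users")
```

Note that the salted run recovers exactly the same weak passwords; salting and a slow KDF do not rescue “password1”, they only stop one pass over the wordlist from cracking the whole table and make each guess cost thousands of times more. The real defence is still a password that is not in anyone’s wordlist, which is what the passphrase posts in this thread are getting at.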

I used to get ingenious and make up rebuses with punctuation marks and so on, but these days I use a password safe (KeePass) and randomly generate one for sites that I really care about security on. If I’m going to use it a lot, I’ll eventually memorize the random string. If I don’t use it that often, it isn’t that big a deal to retrieve it from the password safe.

Dropbox allows you to test if your password is any good:

http://dl.dropbox.com/u/209/zxcvbn/test/index.html

and provides information on how long it would take an attacker to crack it. (The test site is open to the public, you don’t need a Dropbox account).

Always having a complicated password for every different online account is almost impossible. Just in email accounts I have several accounts that I use regularly, and then add in banking, credit cards, social media, etc., and then to have different passwords for all of them is a pain, but necessary. However one of the first things I look for when setting up an account is if they offer 2FA (two-factor authentication) where I can telesign into my account. This gives me the confidence that my account won’t get hacked and my personal information isn’t vulnerable. Personally I think if you are just relying on your passwords to protect your info you will pay the price sooner or later.

It’s simple if you use a password manager.

The only place I wouldn’t want to be hacked is my bank. If someone breaks into my LinkedIn account and changes my work history, I don’t really care. So, if they get my password and I use the same one everywhere, (which I do) how would the hacker even know which bank I use or what my username is there? Is there really some hacker out there thinking, “Today I’ll see if I can find a way into Procrutus’ bank account.”

Here’s how they do it:

  1. Break into LinkedIn and steal their user/pw database. From the user information they get your contact email.

  2. They attempt to log into your email account with the pw you used on LinkedIn. If it’s the same, they’re in.

  3. They download your inbox and find all the emails your bank has sent you. They scan those emails looking for your user id for the bank’s website.

  4. They attempt to log into the bank’s website using that id and the pw from the LinkedIn website.

Many websites use your email address as your user id (facebook, netflix, amazon, etc). Once the hacker has your email/pw, he may try it on all the other websites which use the email address as the login.

Many people use the same userid across different websites. The hacker may just try the same userid/pw combination in all the bank websites. He doesn’t need to know that you bank at Chase. He tries all the bank websites to see if he can find a match.

It’s interesting you mentioned LinkedIn. Did you know their password database was recently stolen? Hackers have decrypted many of the passwords and published them on the web. Supposedly they only got the passwords and not the user accounts.
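An added example, not code from any poster, that walks through the four steps listed above together with the point made upthread about patterned passwords (a leaked Password123@Facebook tried as Password123@Chase). The breached credentials, the two target sites and their account tables are constructed. It also answers the “how do they get around the lockout?” question from the top of the thread in working code: credential stuffing needs one or two guesses per account, so a lock-after-N-failures rule never fires.

```python
import hashlib
import os
import re
from typing import Dict, List, Tuple

# Constructed: what the attacker holds after cracking the breached site's dump.
BREACHED_SITE = "LinkedIn"
CRACKED = {
    "alice@example.com": "Password123@LinkedIn",  # one pattern, site name swapped in
    "bob@example.com": "Sunshine!",                # same password everywhere
    "carol@example.com": "DoperXIsATroll",         # unrelated passphrase per site
}


class Site:
    """Toy target site: salted SHA-256 storage and a lock-after-N-failures rule."""

    def __init__(self, name: str, accounts: Dict[str, str], lockout_after: int = 5):
        self.name = name
        self.lockout_after = lockout_after
        self.failures: Dict[str, int] = {}
        self.store: Dict[str, Tuple[bytes, bytes]] = {}
        for user, pw in accounts.items():
            salt = os.urandom(16)
            self.store[user] = (salt, self._digest(pw, salt))

    @staticmethod
    def _digest(pw: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + pw.encode()).digest()

    def login(self, user: str, pw: str) -> bool:
        if user not in self.store or self.failures.get(user, 0) >= self.lockout_after:
            return False                      # unknown user, or locked out
        salt, stored = self.store[user]
        if self._digest(pw, salt) == stored:
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


def candidates(leaked_pw: str, leaked_site: str, target_site: str) -> List[str]:
    """Exact reuse first; then, if the password embeds the breached site's name,
    the same pattern with the target's name (Password123@Facebook -> ...@Chase)."""
    out = [leaked_pw]
    pat = re.compile(re.escape(leaked_site), re.IGNORECASE)
    if pat.search(leaked_pw):
        for variant in (target_site, target_site.lower(), target_site.upper()):
            guess = pat.sub(variant, leaked_pw)
            if guess not in out:
                out.append(guess)
    return out


def stuff(cracked: Dict[str, str], leaked_site: str, targets: List[Site]) -> List[Tuple[str, str, str]]:
    """Steps 2-4 from the post: try each breached (email, password) against every
    other site, as the full email and as its local part. Stops at the first
    success per site, so no account ever sees more than a handful of attempts."""
    hits = []
    for email, pw in cracked.items():
        for site in targets:
            attempts = [(u, c) for u in (email, email.split("@")[0])
                        for c in candidates(pw, leaked_site, site.name)]
            for user, guess in attempts:
                if site.login(user, guess):
                    hits.append((site.name, user, guess))
                    break
    return hits


def max_failures(targets: List[Site]) -> int:
    """Worst-case failure counter on any single account after the run."""
    return max((n for s in targets for n in s.failures.values()), default=0)


def build_targets() -> List[Site]:
    # Constructed account tables for two other services the same people use.
    return [
        Site("Chase", {"alice@example.com": "Password123@Chase",
                       "bob": "Sunshine!",
                       "carol@example.com": "TheEntireBankingSystemIsCorrupt!"}),
        Site("Gmail", {"alice@example.com": "Password123@Gmail",
                       "bob@example.com": "Sunshine!",
                       "carol@example.com": "EmailIsTheKeysToTheKingdom"}),
    ]


def run(cracked: Dict[str, str], leaked_site: str) -> Tuple[List[Tuple[str, str, str]], int]:
    targets = build_targets()
    return stuff(cracked, leaked_site, targets), max_failures(targets)


if __name__ == "__main__":
    hits, worst = run(CRACKED, BREACHED_SITE)
    for hit in hits:
        print("compromised:", hit)
    print("max failures on any one account:", worst, "(lockout threshold is 5)")
```

Alice and bob fall at both sites: alice because the site name is the only thing that changes in her pattern, bob because he reuses one password outright. Carol’s per-site passphrases survive even though her LinkedIn password was recovered, and the failure counters never climb above one, so the lockout rule protects nobody here.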

Once they have access to your LinkedIn account, they probably know your primary email account. If you share passwords they have access to your email account. If you do online banking they now know what bank you bank at. Given your real name they can make some good guesses as to your account name. Given access to your email they can go to your bank and say they forgot your account name and the bank will send an email to your account with that information. They can read and delete the message with very little risk you will see the message.

You should have different passwords for your email, banks and credit cards. The same one, but different from email and banking, for LinkedIn, Facebook, Straight Dope etc. is not really a big deal.

Thanks **Filmore**. And, yes, that’s why I mentioned LinkedIn.

how can we know we’re not handing over all our passwords through a scam password manager?

I’ve been noticing more and more of this, and I hate it. Let’s go back to not using my email address as the user ID. If there are 2 pieces of information that a hacker doesn’t know about me (ID and password), it makes it much harder to hack my accounts.

how can we know we’re not handing over all our passwords through a scam password manager?

There aren’t that many banks; a hacker who manages to collect a large database of passwords can just try them all. As for the username – er, are you using different hard-to-guess usernames at different sites while recycling one password? :confused:

Ideally, use one with open source code like KeePass. Alternatively, a traffic sniffer can test for such shenanigans; presumably the various malware/antivirus companies check for that when updating their threat databases.