passwords - easy to remember but hard to crack - would this work?

They’ll never recover the plain text passwords - they’re not stored in encrypted form - they’re hashed.

They may run a rainbow table against the hashed values that may return plain text values that happen to hash to the same thing as your password, but there’s no guarantee it will be the original password.

You’re making it sound like literally nothing anyone could do could ever prevent hackers from obtaining a password if they want it badly enough. Why, then, haven’t they installed ransomware on the Federal Reserve’s computers? These hackers are not gods; they are still limited by the laws of mathematics when cracking passwords. Even the NSA has resorted to physically intercepting someone’s laptop delivery and installing malware on it rather than using brute-force decryption.

The SDMB spends less on securing its servers than does the Federal Reserve (I’m actually guessing this fact, but I’m certain of it).

But people aren’t framing the hackers as gods - they’re merely saying: prepare for the worst case and you will automatically be prepared for anything less than the worst case.

It’s not “break the encryption on the file”. Each individual password is cracked or not individually, and the way they do the cracking is, in fact, by guessing the passwords. So if you had a genuinely strong password before the attack here, you’re still completely secure, and have lost nothing.

The problem is that most passwords that most people think are “genuinely strong”, really aren’t. It’s not good enough, for instance, to take a dictionary word and mangle it by replacing some of the characters with numbers and symbols, because that’s one of the things the attackers will try guessing.

As I understand it, complexity (and seeming randomness) are most important. But, of course, it needs to be reasonably easy to remember since most people just aren’t going to carry around slips of paper to remind them of what it is. Or, if they do, they post said paper to the monitor’s bezel. (I just chewed out my boss yesterday for doing this.)

It seems a fair trade off to make the password out of old phone numbers of dead relatives, street names of childhood friends, middle names of friends’ kids, name of your neighbor’s pet, etc. Mix and match. Make it easy to associate, but hard to guess unless the person knows you really well.

Just an opinion.

True, but the point some are making is: why not just use a PW manager? It’s even easier than your scheme because you only have to remember one long password and it does the rest for you. If one is concerned that a password site could be hacked, use a local one like Keepass. Once it is set up it is way easier and way more secure than any of the other schemes mentioned here.

It’s a nitpick but rainbow tables are hardly used anymore because they’re easily thwarted by salt.

… aabdil … aabdim … aabdin … aabdio … aabdip …

Take a look at this sample of Vietnamese:

http://travel.state.gov/images/vietnamese_optional.jpg

If you know how to encode all those accents, umlauts, etc. NO-ONE will figure it out!

Yeah - speaking of that, can you use Unicode characters as passwords? On smartphones it’s easy to install, say, a Chinese keyboard and input Chinese characters. Could those be guessed from normal characters?

Thanks all for the responses. I posted to learn, not to instruct. I will comment on only three posts. First, yabob (Post #16), the insecurity of mentioning a password strategy occurred to me. IMHO, the hackers are smart enough to think of anything which occurs to me, so I assume there is little lost by raising one for discussion. Second, iamthewalrus(:3= (Post #19) and Deeg (Post #26), I recognize a password manager is the best currently-available strategy and that the hackers are much smarter than me on this issue. I’m willing to live with “pretty good” security, though, hence this thread.

And, yes, folks, I’ve seen the xkcd: Password Strength cartoon. In fact, it was one of the main inspirations for the thread.

I think it’s a brilliant idea, but according to some posters even if you used a Klingon keyboard the hackers would swiftly latch on to that and go straight into your bank account.

Ummm … I love to throw cold water on your advice.

(Note: I was going to say, “I hate to throw cold water on your advice.” But that would just be so terribly dishonest.)

I’m guessing you will make a follow-up post saying that you and your SO have been married for 75 years and you are both in your 90s and so the odds of your marriage hitting the rocks are pretty slim.

But for most married people, no matter how happily married you think you are, even considering the national stats on the state of marriage, the odds of any marriage crashing and burning are just too high to jeopardize your computer info together with your marriage.

This is very probably the worst advice I can ever imagine giving a married couple.

It is very easy to be wrong in specific cases of happy long-term marriages and for anyone who has such a marriage, I wish to express my extreme admiration and befuddlement. However, it has to be a bad idea to combine two high-risk failures into one. It makes the combined risk even very much greater than either of the individual risks.

I do not want to insult anyone who is happily married or their SO. I’m sure that many of you have wonderfully happy longterm marriages. But the national average is such that most marriages are headed straight for the rocks and you really do not want to place a bet that you can defeat those odds and bet something like your financial security on that bet.

You hide your PIN number from your spouse?

Which is ironic, because this is the whole point of the “correcthorsebatterystaple” comic – that people shouldn’t mistake “complex looking to a human” for “secure”. Anyone who takes a “correcthorsebatterystaple”-style password and starts twiddling with it to make it “more secure” has completely missed the point of the comic.

Then perhaps it could be interesting to make a very, very rough estimate of the entropy of your passwords.

The word:

This is a bit tricky because it depends on how many words you choose from. If it is a single word, then even including exotic words that’s certainly under 20 bits (a million words) - perhaps around 14-16 bits (16k-65k words) if you use a relatively big word list. If you think of one manually and you have a preference for ‘good’ long words, then it will be considerably less.

The number:

If it is a random four-digit number, then that’s not quite 14 bits (<16k).

The position of the break:

That depends on the length distribution of your words, but for this rough estimate let’s say it is in the general neighborhood of 4 bits.

A total of more than the 28 bits of the weak example in the comic should be doable, but probably not that much more. Reaching the level of the good example will be difficult unless you tweak the system.

Here is my solution.

I take the following 3 strings:
Phone number I grew up with, as in 123-456-7890
The street address I grew up with as a kid, as in 128Elm
My parents’ current address and zip code, as in 1256Oak01255

Each of these is so in my head I never have to try and remember; they are just there, always.

For passwords I always start with a minus sign, place a + between the strings, and end with a +.

For plain entry somewhere I have no security worries, it is usually -123-456-7890+

For more security I put 2 together, as in:
-123-456-7890+128Elm+

Since every password is a combination of only those 3, all I have to remember for any place is which combination I used. Works for me and I believe it is quite secure.

It actually sounds terribly insecure - using combinations of the same three long components isn’t much better than using combinations of the single digits A B and C.
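An added example (not from any poster in this thread) that puts numbers on the rough entropy estimate a few posts up and on the reply just above about the three-strings scheme: it sums the bits of independent components for the word + number scheme, and counts every ordered selection of the three strings, which is all that is left to guess once an attacker knows the components. The 65k word list, 16 break positions and the three placeholder strings are assumptions.

```python
import math
from itertools import permutations


def bits(choices):
    """Entropy in bits of one component drawn uniformly from `choices` values."""
    return math.log2(choices)


def scheme_bits(components):
    """Total entropy of a password built from independent, uniformly chosen
    components; `components` maps a label to its number of possible values."""
    return sum(bits(n) for n in components.values())


# Constructed model of the "word + four-digit number, break somewhere" scheme:
# a word from a 65k list, a random four-digit number, ~16 possible break positions.
WORD_NUMBER_SCHEME = {
    "word (65k list)": 65_536,
    "four-digit number": 10_000,
    "break position": 16,
}

# Figures the thread quotes from the xkcd comic, for comparison.
XKCD_WEAK_BITS = 28
XKCD_STRONG_BITS = 44


def ordered_selections(items):
    """Every password the 'three strings' scheme can produce: one, two or all
    three of the strings joined in any order (order matters when concatenating)."""
    out = []
    for k in range(1, len(items) + 1):
        out.extend("+".join(p) for p in permutations(items, k))
    return out


# Constructed stand-ins for the poster's three memorised strings (not real values).
THREE_STRINGS = ["PHONE", "STREET", "PARENTS"]


def three_string_bits():
    """Bits left to guess once the three component strings are known."""
    return bits(len(ordered_selections(THREE_STRINGS)))


def report():
    return {
        "word+number": scheme_bits(WORD_NUMBER_SCHEME),
        "three strings (components known)": three_string_bits(),
        "xkcd weak": XKCD_WEAK_BITS,
        "xkcd strong": XKCD_STRONG_BITS,
    }


if __name__ == "__main__":
    for name, b in report().items():
        print(f"{name:34s} {b:6.1f} bits  (~{2 ** b:.3g} guesses)")
```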

I was going to post that! I will add a link to the discussion of that particular comic over on the xkcd forums. It gets quite involved.

For me, the simplest system is to use the same strong universal password for everything, with a one-letter cap suffix appended which corresponds to the first letter of the site. For example, for Paypal, I use “passwordP”, for First National Bank I use “passwordF”, etc.