The 15 Billion Year Password

I have a hash that I’ve been using for years now - it generates a unique password for every organization I use, and is easy enough for me to generate mentally on the fly. Using that system, the password I generated for that site scored at 93 trillion years. And the great thing about the system that I use is that even if hackers manage to get that password, it’ll only work on that site. The only drawback is that if I need to change the password for a particular site, it can be difficult to remember that I’ve got a new password.

I think I’m okay.

If he was able to do this, IT was doing something seriously wrong. Passwords should never be stored as plain text and as such should not be analyzable in this way. Maybe that’s why he got the boot, not the public shaming.

This is not entirely true. Depending on a lot of factors, a hack of the password database does not expose you right away, and the strength of your password could still be an issue. Passwords are generally stored as a hash (the password is run through a math function). But once a hacker has the database, they can hash all the most common passwords and look through the DB for the accounts that have those hashes; then they have your password without ever having to try it against your account specifically.
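To make the point of the post above concrete, here is an added illustration (not from any poster in this thread) of the difference between an unsalted fast hash, where one table of common-password hashes can be matched against every account at once, and per-user salted PBKDF2, where identical passwords no longer share a stored hash. The user names, passwords and word list are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "breached" user table and a short
# list of common passwords standing in for a real wordlist.
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "Tr0ub4dor&3!"}
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_unsalted_db(users: dict) -> dict:
    # The weak scheme: one deterministic hash per password, no salt.
    return {u: sha256_hex(p.encode()) for u, p in users.items()}


def match_common_passwords(unsalted_db: dict, wordlist: list) -> dict:
    # The lookup the post describes: hash each common word once, then
    # scan the whole table for any account whose stored hash matches.
    table = {sha256_hex(w.encode()): w for w in wordlist}
    return {u: table[h] for u, h in unsalted_db.items() if h in table}


def build_salted_db(users: dict, iterations: int = 100_000) -> dict:
    # The mitigation: a random 16-byte salt per user plus a slow KDF.
    # Two users with the same password now get different stored hashes,
    # so no single precomputed table applies to the whole database.
    db = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        db[u] = (salt, iterations, digest)
    return db


def verify_salted(salted_db: dict, user: str, password: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    salt, iterations, digest = salted_db[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak = build_unsalted_db(SAMPLE_USERS)
    print("accounts matched from the common list:", match_common_passwords(weak, COMMON_PASSWORDS))
    strong = build_salted_db(SAMPLE_USERS)
    print("alice and bob share a stored hash:", strong["alice"][2] == strong["bob"][2])
```

Running it shows alice and bob both recovered from the unsalted table in one pass, while the salted table gives them unrelated digests and each account has to be tested separately.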

I do know that. That’s why I put “hack of the database perhaps” because some companies are stupid about how they store their passwords. I grew up with “rainbow tables” and all that sort in the 90s, and we did attacks like that on UNIX systems for fun. At our university, the hashes were public, for whatever reason. In those cases, yes, making a password more complicated will keep it from being hacked in a human timeframe. A database breach is probably the least likely way someone will get my password, but that’s only if everyone is paying attention to how they store the user passwords. You’d hope they’re all hashed and salted.

Facebook, for instance, stored their passwords in plain text for years.

I thought that passwords were stored as encrypted hashes, so perhaps the IT employee was running an analysis of the encrypted passwords to see how easily the hashes could be decoded?

You would have thought so:

It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.

Of course that article makes clear that what GoDaddy was doing was not the usual practice.

I mean, of course not. But so did Facebook. How do I know whom I’m giving my password to is properly securing my data? I essentially do not trust anybody. If Facebook and GoDaddy couldn’t do it (at least for a time) then how can I trust my municipal gas company or a restaurant ordering website or any of thousands of places that require passwords? I can’t. So I assume it will be stolen from some place at some time some day. (And it of course has. My data has been part of several data breaches, though I don’t know who has done what, if anything, with it.) And yes, the best practice is use a unique password everywhere. Or a password manager. But I don’t trust those either or someone somehow finding their way into mine and getting all my passwords. So, screw it. I keep it difficult enough but easy enough for me to remember across various websites.

The “strength checker” he was using might have been a password cracker, with the strength ranking being based on how long it took the cracker to get each password (with, hopefully, an n-way tie for best at “the cracker wasn’t able to break it”).

…Does this imply that you use the same password everywhere? If so, your risk assessment is seriously faulty. If you use a password manager and the password cracker is crooked, then someone has access to all of your passwords. If you use the same password everywhere and even one of those places has a data breach, which you know has in fact happened multiple times, then someone has access to all of your passwords. The chance that your password manager is crooked is fairly low, but even if you don’t accept that, surely the chance is less than 1. Which is the chance that your password has been part of a data breach.

Depends on what I’m using it for. Shit I don’t care about gets the same password. Stuff I do gets something that I can still remember and is difficult to figure out the pattern for unless you’ve hacked several of my sensitive passwords (not the aforementioned don’t give a shit ones.)

I mean, duh.

Our password manager is a simple excel document. It is “encrypted” (Microsoft) with a password, then the resulting file is encrypted again via a combination Rijndael and SHA-1 algorithm on my PC. The passphrases for this are not stored anywhere (except my noggin).

I’m assuming this is fairly secure, as it’s stored locally (AFAIK). I don’t trust any commercial entity to keep my passwords.

I’m more likely to trust some smaller entity - they’ve probably purchased a turnkey system that (odds are) has some level of security baked in.

A tech company like Godaddy or Facebook is more likely to have built their own security, and there are just as many idiots/cowboys in IT as anywhere else who think they know a better way.

At the end of the day, it’s just not something I worry about. The passwords I know that have been stolen are from like twenty plus years ago and I don’t use. (I know as I’ve had them repeated to me in those scam “I know what you’ve been watching!” blackmail emails.) Plus google has a bunch of passwords I still use on sites I don’t care about flagged as being part of a data breach. Whatever. The actual crap I’ve had to deal with is credit card details skimmed from brick and mortars. I pretty much have a permanent credit hold in the agencies.

The more complicated a password a system insists upon (at least ten characters! at least three numbers! at least two uppercase characters! at least one punctuation mark! must be changed every month!), the more likely the user is just going to write the damn thing down and hide it somewhere around his desk, or even stick it on the screen with a Post-It note - thereby defeating the whole purpose of a password, at least in the workplace.

I am thinking of going to a password manager. Does anyone have any recommendations?

I was going to go with 1Password because my next door neighbor is one of their software engineers but I am interested to know if there are much better options.

I personally use KeePass – advantages: free, doesn’t require any form of remote storage (but can work with your personal cloud storage if you like); disadvantages: a bit more of a learning curve than most of the commercial alternatives.

I started with LastPass when it was free, but now it costs. Featurewise it’s great on all my flavors of device, but if I was starting over I’d probably choose free / open source. Right now the hassle of switching outweighs the incremental annual cost.

Big picture, I think PW managers are really the only sane way to handle PWs in our modern world. Trying to do anything else is just an accident waiting to happen. If you only own one device, the OS’s or browser’s PW manager may be enough. As soon as you need multi-device, or worse yet, multi-OS capability, 3rd party is pretty much the only game in town.

Of course it depends on your own time/money tradeoff, but switching from LastPass to BitWarden was extremely easy. Took under 15 minutes.

Good to know. I had expected that most brands can import the export file format of the market leaders, so I wasn’t expecting to have to type all 300+ gibberish passwords into a new UI. I was more concerned with the learning curve of operating the add-in on my various browsers and apps.

As well, I use LastPass for storing many other sorts of secure info beyond just url/username/PW for websites. I’d want any alternative gizmo to have similar features.

I’ll give BitWarden a look. Thanks for the recommendation.

I found it pretty straightforward. Export CSV file from LP, import it into BW. The browser plugins work pretty much the same way, so there’s not much learning curve. The color scheme is pretty much the biggest difference 🙂.

BW has site notes and such as well, and I believe that also imported just fine.

Most browsers nowadays have a password manager built in. Probably the easiest path, given that most of your passwords are going to be used on a webpage anyway.