
Passwords: Before I write my article about this, can someone explain its "logic"?


Don't call me a melon! :mad:

I always use the old take a phrase, take some of the letters (first, last, whatever), add some random special chars (incl spacebar) bung in some numerals and pad it out to a nice length. Steve Gibson recommends this so it's good enough for me too (for now).
 
I have several ways depending on how often I have to type it in
I often use my encrypted USB stick with text files stored on it containing the various totally random passwords (I often open Notepad, bash the keyboard with my eyes closed and then save the result to my USB stick, then copy and paste into the password field whenever needed). That way I often don't even know what the password actually is; I've never even seen it.

The other way is to make up a sentence only I would remember, make it long, and then modify it in strange ways (like remove all spaces from a long sentence, then leet it, then reinsert spaces at different points according to a pattern).

Short version would be something like this "I love to play fetch with my #1 dog!" becomes ilovetoplayfetchwithmy#1dog! then il0v3t0playf3tchw1thmy#1d0g! then spaces at certain places by pattern 4,2,3,1,4,2,3,1 becomes il0v 3t 0pl a yf3t ch w1t h my#1 d0 g!

For really secure passwords (such as encrypt keys passwords etc) I might reverse the whole thing, or reverse every second character grouping il0v t3 0pl a yf3t hc w1t h my#1 0d g! and becomes
!g d0 1#ym h t3fy a lp0 3t v0li

Whatever takes your fancy and you can easily remember but makes a tough-to-crack password. You don't have to write it down permanently, just remember your sentence and patterns and you can write it down on the spot easily to recreate it (just remember to swallow it afterwards in best spy traditions LOL).

I used a variation of this at a place that wanted new passwords every month and they couldn't be a repeat of any old one. It became (as an example) month name, boppa name, year, "I hate this password****!", then my usual leeting, swapping etc.
I often had the IT guys come around wanting to know where I had written it down (also a big no-no there) and he was much bemused that I had it all in my head lol.
 
At my work I have about 75 user accounts, and I need to type the password for about ten of them several times a day. Most situations, like Windows login screens, have no access to the clipboard. It is very impractical with passwords longer than about 8 characters. The longer a password is, the greater is the possibility that there is a typing error.

I really hope that some day soon we can do away with passwords altogether. On my phone and tablet there is a workable fingerprint recognition. This can probably be fooled rather easily, but I am sure that currently this needs physical access to the unit, and apart from theft, my units seem quite safe with this system.
 
Man.... this got a really weird yet interesting turn. What originally was meant to be a short, informal article about my experience with the password guidelines, became an actual article that I'm trying to pitch to this online magazine I collaborate with, because as I mentioned earlier, I actually got a hold of William Burr himself and he answered some questions, which was great... however, some of the answers are very technical and I don't know if I can/should include everything he says. For instance, he talks a lot about SP 800-63 Appendix A which is basically the document that he created listing all the password security requirements. However, sometimes when he talks about these developments, he sounds very technical (duh, being the engineer who designed password security as we know it) and I fear it might sound too complicated for the average reader.

In the end, I'll just try to edit and research myself as much as I can to clarify anything that comes off as too technical. I'm trying to avoid as much as possible bothering him with more e-mails asking him questions.

That said, if there's anyone here who is very tech savvy about this topic and wants to give it a read, PM me and I'll send you a copy of the e-mail William Burr sent me.
 

That's the point I want to drive home using sentences. Because it's easier to type full sentences to get long-ish passwords with less typing errors. Long passwords are prone to typing errors because you have to type "!Wt4iTf@*****".
 
The consensus here seems to be balancing the security of a password with usability - especially for naive/disinterested users for whom passwords can be painful.

With that in mind, I like the idea of one strong password to be used across all sites instead of multiple passwords. The idea is one key for everything, but a strong key. I think I can make a case for lumping the entire internet under one "seal" and essentially, one password. Just make it a good one.

I get 35 quintillion years given to crack a password that consists of my pet's name with my birthdate and elementary school name. That's the full, 21 character password. If I cut it short at ten characters (or the site limits length) the strength is given as only 8 months.
 
Or a couple of hours if someone reads that and is mates with you on facebook

Lol

Sent from my SM-J500Y using Tapatalk
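The two figures quoted above (35 quintillion years for the 21-character version, 8 months for the 10-character one) are what a meter would report if it assumed a 62-symbol alphabet of letters and digits tried at roughly 4×10^10 guesses per second; the added Python below reproduces them under that assumption and then contrasts the brute-force view with the far smaller keyspace an attacker faces when the password is known to be a pet name, a birthdate and a school name, which is the point of the Facebook reply. This is an added example, not the meter's code or anything from the thread; the candidate counts and guess rates are constructed assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumptions, not stated in the thread: the online strength meter quoted above
# behaves like a 62-symbol alphabet (letters + digits) tried at about 4e10
# guesses per second. Those two values were chosen because together they
# reproduce both of its figures ("35 quintillion years" and "8 months").
ALPHABET_SIZE = 62
OFFLINE_RATE = 4e10    # guesses/s: cracking a leaked password hash offline
ONLINE_RATE = 10.0     # guesses/s: constructed figure for a throttled login form

def brute_force_years(length, alphabet=ALPHABET_SIZE, rate=OFFLINE_RATE):
    """Worst-case years to exhaust every string of `length` symbols."""
    return alphabet ** length / rate / SECONDS_PER_YEAR

def structured_space(parts):
    """Keyspace when the password is really a concatenation of guessable parts.
    `parts` maps a label to how many candidates an attacker would try for it."""
    return math.prod(parts.values())

# Constructed candidate counts for "pet name + birthdate + school name":
# 1,000 common pet names, any day in a 100-year span in 4 date formats,
# 500 plausible school names.
ALL_PARTS_UNKNOWN = {"pet name": 1_000, "birthdate": 36_525 * 4, "school": 500}
# The same password once pet and school are read off a social-media profile:
PET_AND_SCHOOL_KNOWN = {"birthdate": 36_525 * 4}

def report():
    """Compare the meter's brute-force view with the structured-guess view."""
    full = structured_space(ALL_PARTS_UNKNOWN)
    leaked = structured_space(PET_AND_SCHOOL_KNOWN)
    return {
        "brute_force_21_chars_years": brute_force_years(21),
        "brute_force_10_chars_years": brute_force_years(10),
        "brute_force_21_chars_bits": 21 * math.log2(ALPHABET_SIZE),
        "structured_bits": math.log2(full),
        "structured_offline_seconds": full / OFFLINE_RATE,
        "pet_school_known_bits": math.log2(leaked),
        "pet_school_known_online_hours": leaked / ONLINE_RATE / 3600,
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:34s} {value:.4g}")
```

The meter's 125 bits shrink to about 36 bits when the structure is known and to about 17 bits once two of the three parts are public, which is why the same password reads as "quintillions of years" to a meter and "a couple of hours" to someone who knows you.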
 

Probably.
Should I rank that as a higher worry than someone getting my car/house keys or wallet? I admit I've left all those items where they can be snatched - more than once.

I think, too often, we mirror what happens to others (extreme cases) and take unwarranted and costly measures to fight the anxiety and worry.
 
> With that in mind, I like the idea of one strong password to be used across all sites instead of multiple passwords. The idea is one key for everything, but a strong key.
The problem with that...

You may be dealing with multiple sites, each with different levels of security.

Let's say you use the same (unbreakable) password on your email account as on your online banking accounts. If your email account is hacked (perhaps someone finds a flaw in their security), they will then have access to your banking password too.

Now, that doesn't necessarily mean you need a unique password for EVERYTHING. But, grouping accounts makes some sense. (e.g. non-critical accounts like your password here could be reused with other on-line forums, since it's not a major target for hackers.)
 

This is true. However, remember we are trying to strike a compromise between security and ease of use. My premise is that people pick easy, stupid passwords just because they need so many. I think, overall, one solid one is better than a bunch of "guessables."

Further, we are always vulnerable to system errors (by the website) beyond our control. How realistic is it to think, if you get my netflix username and password, you will then be able to access other accounts I have? And, what would you gain?

My thinking is to parallel how I handle physical security in the brick and mortar world. Naturally, people's comfort level will vary. I'd like a single key for my car, bike lock, and house.
 
> This is true. However, remember we are trying to strike a compromise between security and ease of use. My premise is that people pick easy, stupid passwords just because they need so many.
I agree that's a problem. I'm just pointing out a possible flaw in your solution.

> Further, we are always vulnerable to system errors (by the website) beyond our control. How realistic is it to think, if you get my netflix username and password, you will then be able to access other accounts I have? And, what would you gain?
Depends on what accounts you share the passwords with, and if other information is included in the hack.

Pay your netflix with a credit card or on-line banking transaction? If the netflix hack includes your banking account number (since you use it to pay for their service), then they could try using your netflix password on your banking account.

Or do you have an email contact (like gmail) attached to your netflix? They use your netflix password on your gmail account and they can access your email. Then, they can do a quick search in your mailbox for the word 'credit card'.
 

Again I have to agree these make the practice less than optimal.

Curious though. Do the things you describe actually happen regularly? Is it a risk inflated by theory - as in: if they steal my house key they can sneak in and attack me while I sleep - or is what you describe actually going on and how much/often?

I can't rely on my own experience (at least a decade of using online as much as possible for financial, social and entertainment). I might have been lucky so far not to have any trouble whatsoever.

In truth, I use the same base password and add site specific info to each to make it different enough but still easy to remember. So, for example, I might have "Happydog*gmail&791" for gmail and then swap in hotmail or paypal for those sites. I get a slightly different password but still have the base format so I'm not remembering too much new stuff.

That's the compromise I ended up with - not as secure as possible, but works for me.
 
> That's the point I want to drive home using sentences. Because it's easier to type full sentences to get long-ish passwords with less typing errors. Long passwords are prone to typing errors because you have to type "!Wt4iTf@*****".

True, but I also wanted to stress that all long passwords, even those with full sentences, are prone to typing errors. The dots that traditionally are used to tell how many characters you have typed, compound the problem.

In Lotus Notes, there was a system that showed Egyptian hieroglyphs dependent on the password you typed. This was absolutely brilliant, because after a while you could recognize by the hieroglyphs if your typing was correct (and the number of hieroglyphs was not directly tied to the number of characters), and you could not reconstruct the password simply by trying to achieve the same hieroglyphs.
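The hieroglyph display described above is a visual hash of the typed password: a constant number of symbols derived from the input, so the picture changes on a typo but reveals neither length nor characters. The Python below is an added example of one way to build such a display, not the Notes implementation; the glyph names, the HMAC-SHA256 construction and the per-installation salt are assumptions. It also quantifies the one caveat such a display carries, that the glyphs leak a few bits to anyone watching the screen.

```python
import hashlib
import hmac
import math

# Constructed glyph vocabulary; the real Notes client drew Egyptian hieroglyphs.
GLYPHS = ["ankh", "eye", "lion", "scarab", "reed", "water", "pillar", "rope",
          "vulture", "owl", "bread", "cobra", "hand", "mouth", "quail", "basket"]

def password_glyphs(password, count=4, salt=b"per-installation-salt"):
    """Fixed number of glyphs derived from the typed password.
    Assumed construction (not the real Notes one): HMAC-SHA256 keyed with a
    per-installation salt, first `count` bytes mapped onto the glyph list.
    `count` is constant, so the display never reveals the password length,
    and a preimage-resistant hash means the glyphs cannot be inverted."""
    digest = hmac.new(salt, password.encode("utf-8"), hashlib.sha256).digest()
    return [GLYPHS[b % len(GLYPHS)] for b in digest[:count]]

def glyphs_match(expected, typed):
    """What the user does by eye: the picture only changes if the typing differs."""
    return password_glyphs(expected) == password_glyphs(typed)

def leaked_bits(count=4):
    """Caveat: a shoulder-surfer who notes the glyphs gains a small offline
    oracle of count * log2(len(GLYPHS)) bits (16 bits for four glyphs),
    enough to discard 65535 of every 65536 wrong guesses without ever
    touching the server. Keep `count` small and the salt per machine."""
    return count * math.log2(len(GLYPHS))
```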
 
Working on VAX/VMS system years ago the login procedure introduced longer and longer pauses between failed login attempts. Is this not a solution to the brute-force methods of cracking passwords? Let's say the system recognises the IP address of the failed login and forces increasing delays on further attempts from that IP address - how would the hacker get around that? Change IP addresses for each attempt? There are only so many proxies, I'd have thought.
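One way to implement the escalating-delay idea, written here as an added Python example rather than anything from VMS or the thread: the throttle counts failures both per source address and per target account, which is the usual answer to the "just change IP addresses" question, since rotating addresses does not reset the account's counter. The base delay, cap, window and the 198.51.100.x addresses are assumptions.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Escalating delay after failed logins, in the spirit of the VMS behaviour
    described above. Assumed design, not VMS's own algorithm: failures are
    counted per source address AND per account."""

    def __init__(self, base=1.0, cap=300.0, window=900.0, clock=time.monotonic):
        self.base, self.cap, self.window, self.clock = base, cap, window, clock
        self.failures = defaultdict(list)   # ("acct", name) / ("src", ip) -> times

    def _recent(self, key):
        # Forget failures older than the window so a legitimate user recovers.
        now = self.clock()
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return self.failures[key]

    def required_delay(self, account, source):
        # Delay doubles with each recent failure, bounded by `cap`; the
        # larger of the per-account and per-source counts decides.
        n = max(len(self._recent(("acct", account))),
                len(self._recent(("src", source))))
        return 0.0 if n == 0 else min(self.cap, self.base * 2 ** (n - 1))

    def allowed(self, account, source):
        # An attempt may proceed once the delay since the last failure has passed.
        hist = self._recent(("acct", account)) + self._recent(("src", source))
        if not hist:
            return True
        return self.clock() - max(hist) >= self.required_delay(account, source)

    def record_failure(self, account, source):
        now = self.clock()
        self.failures[("acct", account)].append(now)
        self.failures[("src", source)].append(now)

def rotating_source_delays(attempts):
    """Delays seen by an attacker who fails `attempts` times against one account,
    each time from a fresh (constructed) 198.51.100.x address. A manual clock
    keeps the demo instant."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    delays = []
    for i in range(attempts):
        throttle.record_failure("alice", f"198.51.100.{i}")
        delays.append(throttle.required_delay("alice", f"198.51.100.{i + 1}"))
    return delays
```

The per-account counter is also what makes this abusable: anyone can keep a target's account slowed down by failing on it deliberately, so the cap and the expiry window bound that damage rather than locking the account outright. Proxies are not the attacker's only option either; a botnet supplies far more source addresses than a handful of proxies, which is why throttling on the source alone is not enough.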
 
> Curious though. Do the things you describe actually happen regularly? Is it a risk inflated by theory - as in: if they steal my house key they can sneak in and attack me while I sleep - or is what you describe actually going on and how much/often?

Yes.

In fact, the main reason that hackers will go after low security passwords (like free email accounts and similar) is that they can sell those usernames and passwords to others, or use them themselves, against a variety of financial institutions and similar. Although usually it's phishing attempts, social engineering, or other similar methods to collect these, rather than cracking an actual system.

But it's common for hackers to attempt using names and passwords at other locations. My wife accidentally fell for a phishing email once, and gave a password we used on several sites. The phishing attempt was for Amazon, IIRC (some sort of online store like that, can't recall immediately now). She knew what she did immediately, so we were able to change those passwords right away. But over the next few weeks, we saw several failed login attempts to two of our credit card accounts.
 