Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
Bugs & Viruses

If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
make 'm long
by cobbaut on Sat 10th Nov 2012 09:12 UTC

Pick a couple of words, at least one of them in your local dialect (to avoid dictionary attacks) and stick them together with numbers like this:

Coca300ColaInEmpireStrikesBack (imagine Luke drinking 300 cans of Coke)

Or make a phrase that you can easily remember:

IWant14XtraVacationDaysAfterEaster
YesINEED3cupsofcoffeeEVERYsingleday

..don't forget to insert at least one word in your local dialect.

Or use http://xkcd.com/936/

RE: make 'm long
by UltraZelda64 on Sun 11th Nov 2012 04:23 UTC in reply to "make 'm long"

A really good password should include, I'd say, at the very least 12 characters (more is better; most of mine are at least 25 characters long), and include both upper and lower case letters, numbers and symbols. How many of each specific letter/number/symbol is not really important, at least compared to the total length of the password itself.

The thing to try to achieve is lowering the chance of any kind of brute-force attack to be successful within a reasonable time period by increasing the total number of possibilities for each individual character. The more varied the characters in the password, the stronger it is--even with a given number of total characters. If at least one of each group of characters is used (uppercase, lowercase, symbols, numbers), every added character adds a large number of possibilities to have to go through in order to be able to successfully brute-force the password.

Length and complexity are the key; the idea is to increase the total number of possible combinations to make it take an extremely long time to crack, and each added character adds to that time. But equally importantly... don't use the same username/password combo across more than one site! This is especially true with passwords used for sensitive (i.e. bank) accounts. You don't want to use those ones for web forums, online VoIP services, online pizza delivery services, etc.

Steve Gibson and Leo Laporte have talked a lot about this on Security Now. Here is a link to a useful page on Steve's site with an interesting clip halfway down the page taken from one of their podcasts (episode 303, I believe):

https://www.grc.com/haystack.htm

His pseudo-random password generator is also useful, and the podcast itself tends to be a good listen.

Edited 2012-11-11 04:43 UTC

RE[2]: make 'm long
by Soulbender on Sun 11th Nov 2012 05:55 UTC in reply to "RE: make 'm long"

Steve Gibson


Congratulations, your technical credibility just went rock-bottom.

Edited 2012-11-11 05:55 UTC

RE[3]: make 'm long
by UltraZelda64 on Sun 11th Nov 2012 06:01 UTC in reply to "RE[2]: make 'm long"

Congratulations, your technical credibility just went rock-bottom.

Care to say what your references are, what your complaints are of his views on security, and how you do things differently? Many of the things I do really are, IMO, common sense and can be found at various web sites; Steve just happens to have made a few podcast episodes that put it all together and explains it nicely in ways that are easy to understand.

That said, just go use the password "pee" or "poop" or something like that if you want. As far as I know he never recommended anything like that, so it must be safe!

Edited 2012-11-11 06:04 UTC

RE[4]: make 'm long
by Soulbender on Sun 11th Nov 2012 09:23 UTC in reply to "RE[3]: make 'm long"

Care to say what your references are, what your complaints are of his views on security


Gibson's reputation among actual security professionals is shoddy at best and a joke, or even fraud, at worst.

For some insight into the matter (with links to further reading): https://allthatiswrong.wordpress.com/2009/10/11/steve-gibson-is-a-fr...

Edited 2012-11-11 09:24 UTC

RE[5]: make 'm long
by UltraZelda64 on Sun 11th Nov 2012 11:12 UTC in reply to "RE[4]: make 'm long"

Funny, because Mark Russinovich was on a recent episode of Security Now as a guest to talk about a sci-fi book he wrote, so apparently Mark must get in contact with Steve and not think he's a total joke like that blog post would like you to believe... and that article specifically mentions Mark as one of the greats to look up to. Ironic.

RE: make 'm long
by Bill Shooter of Bul on Sun 11th Nov 2012 06:40 UTC in reply to "make 'm long"

Yeah, my local dialect is standard US English. So, I think I need to write my own language for that to work. HaobwoHut tihdiesa?

RE: make 'm long
by Laurence on Sun 11th Nov 2012 11:32 UTC in reply to "make 'm long"

Pick a couple of words, at least one of them in your local dialect (to avoid dictionary attacks) and stick them together with numbers like this:

Coca300ColaInEmpireStrikesBack (imagine Luke drinking 300 cans of Coke)

Or make a phrase that you can easily remember:

IWant14XtraVacationDaysAfterEaster
YesINEED3cupsofcoffeeEVERYsingleday

..don't forget to insert at least one word in your local dialect.

Or use http://xkcd.com/936/

Unfortunately all of those things are easily crackable by current attack algorithms.


Common misconceptions with password security:

* concatenating words together is more secure == false. Modern attacks use a dictionary of words and try combinations of such words concatenated.

* using txt spk / l33t style words is harder to crack than common words == false. Modern dictionaries have every imaginable combination of number and non-alphanumeric substitutions of letters as well as plain English words.

* using non-English words is more secure == false. Dictionaries include words from most languages, proper nouns and even slang that isn't technically part of any language.


Password cracking has come a long way in the last few years and current security advice hasn't kept up with development. In my opinion there's only 3 things you can do to have a truly secure password:

1/ use a password hash. This will be a mixture of alpha, numerics and symbols. Generate this hash from any site like this: http://www.insidepro.com/hashes.php?lang=eng and have the website / application name as the salt and the same password as the password. This way you get a unique, non-guessable password for each service and an easy way for you to "keep" your passwords without having to write them down nor store them in any digital keychains.

2/ use a unique password for each service. I'd already mentioned that above, but it's so important it needs repeating.

3/ wherever possible, use key based systems (eg SSH keys instead of login passwords). Even just 2048bit RSA keys are significantly more difficult to crack than 99% of passwords. Sadly though, key based systems are rarely available for most systems.



Password security isn't difficult, however there's a lot of outdated advice that people still hold tight to.

Edited 2012-11-11 11:36 UTC

RE[2]: make 'm long
by kwan_e on Sun 11th Nov 2012 14:34 UTC in reply to "RE: make 'm long"

I'm ignorant on these matters, but I don't see how passphrases could feasibly be cracked using dictionary based attacks.

The number of possible words and alternate "spellings" is large, especially if you consider multiple languages as you've mentioned.

You also mentioned "without writing it down", but I was under the impression that was also out of date ideas about password protection. The chances of someone physically getting your password is practically zero, since most people won't risk it, most people aren't that important, and those who do risk stealing things generally aren't after written down passwords (assuming they know the username the person uses).

Edited 2012-11-11 14:44 UTC

RE[3]: make 'm long
by Laurence on Sun 11th Nov 2012 20:59 UTC in reply to "RE[2]: make 'm long"

I'm ignorant on these matters, but I don't see how passphrases could feasibly be cracked using dictionary based attacks.

The number of possible words and alternate "spellings" is large, especially if you consider multiple languages as you've mentioned.

While you're right that such attacks would require a massive dictionary of words - it's still significantly more streamlined than a typical 'brute force attack' which will try every character combination individually.


You also mentioned "without writing it down", but I was under the impression that was also out of date ideas about password protection. The chances of someone physically getting your password is practically zero, since most people won't risk it, most people aren't that important, and those who do risk stealing things generally aren't after written down passwords (assuming they know the username the person uses).

You're talking about 'security through obscurity' and that's a pretty bad philosophy to have.

There's been cases where 'normal' individuals like ourselves have become over-night public figures because of stories that break out in the press (eg relatives of crime suspects) and have subsequently been stalked over social media by reporters after a cheap story.

There's also cases about answerphone hacking that broke out earlier this year and many of those cases were against regular people.

And finally, regular people do get their accounts hacked all the time (eg my Paypal account was hacked a few years ago)

So don't think that your relative obscurity will protect you.

Edited 2012-11-11 21:00 UTC

RE[4]: make 'm long
by kwan_e on Mon 12th Nov 2012 02:48 UTC in reply to "RE[3]: make 'm long"

I'm ignorant on these matters, but I don't see how passphrases could feasibly be cracked using dictionary based attacks.

The number of possible words and alternate "spellings" is large, especially if you consider multiple languages as you've mentioned.

While you're right that such attacks would require a massive dictionary of words - it's still significantly more streamlined than a typical 'brute force attack' which will try every character combination individually.

But from the point of view of the cracker, a passphrase containing words is indistinguishable from a password of the same length with random letters, numbers and symbols.

First, they have to make the assumption that the passphrase is made of words, rather than just a long password. Then they have to test out combinations of words. So you have word choices of possibly over 10,000 words per word; you have alternative "spellings" of those words which can be a mixture of capitals and lower case and numbers making the word choice at least twice as many; then you have combinations of words for an unbounded number of words in the sentence. Then there's the problem of how the words are joined together.

A quick search doesn't turn up anything significant about dictionary based attacks on passphrases for me, so I don't know how much research has been done on it.

You also mentioned "without writing it down", but I was under the impression that was also out of date ideas about password protection. The chances of someone physically getting your password is practically zero, since most people won't risk it, most people aren't that important, and those who do risk stealing things generally aren't after written down passwords (assuming they know the username the person uses).

You're talking about 'security through obscurity' and that's a pretty bad philosophy to have.

There's been cases where 'normal' individuals like ourselves have become over-night public figures because of stories that break out in the press (eg relatives of crime suspects) and have subsequently been stalked over social media by reporters after a cheap story.

There's also cases about answerphone hacking that broke out earlier this year and many of those cases were against regular people.

And finally, regular people do get their accounts hacked all the time (eg my Paypal account was hacked a few years ago)

So don't think that your relative obscurity will protect you.

I'm not talking about security through obscurity, but the relative unlikeliness that a password written down will be any less safe. Your hacked Paypal account was not hacked because you wrote down your password and it was copied somehow. None of the hacking cases, as far as I know, was because they wrote down the password.

The threat of hacking is not remedied by obscurity, but the stealing of passwords that are written down is mitigated by obscurity.

There's been a few articles in recent times about the whole "don't write down the password" being outdated advice. People regularly forgetting passwords and needing them to be reset opens them up to many potential MITM or phishing attacks posing as the password reset service.

RE[5]: make 'm long
by Laurence on Mon 12th Nov 2012 08:50 UTC in reply to "RE[4]: make 'm long"

But from the point of view of the cracker, a passphrase containing words is indistinguishable from a password of the same length with random letters, numbers and symbols.

That's beside the point as crackers are using the method I described and for the reasons I've described. Hence why I advised using random characters instead.


First, they have to make the assumption that the passphrase is made of words, rather than just a long password.

They do make that assumption because they understand user habits when creating passwords. As I've already stated, so many passwords have been leaked in recent years that there's a wealth of data to build more intelligent routines. Gone are the days when "dumb" brute force attack was the preferred method of attack.


Then they have to test out combinations of words. So you have word choices of possibly over 10,000 words per word; you have alternative "spellings" of those words which can be a mixture of capitals and lower case and numbers making the word choice at least twice as many; then you have combinations of words for an unbounded number of words in the sentence. Then there's the problem of how the words are joined together.

Indeed, but that's still significantly fewer permutations than a blind brute force attack.


A quick search doesn't turn up anything significant about dictionary based attacks on passphrases for me, so I don't know how much research has been done on it.

That's because, and as I've already stated, the old advice is still pretty much widespread. I've been following blogs of a number of security researchers in recent years (as my profession is moving into that arena) and the advice I'm giving is what I've read of industry experts' advice.

The only people I've seen that suggest otherwise are blogs by journalists and system administrators - which with the greatest of respect to them, are not working closely enough with this field to understand the latest developments in cracking. Much like how I wouldn't expect professional application developers to keep up with the latest security patches for *nix platforms. After all, IT is a massive field these days.

Anyhow, I'll have a dig out for some of the blogs I've read that supports these claims I'm making. If you don't mind checking back in a couple of hours ;)

RE[6]: make 'm long
by Laurence on Mon 12th Nov 2012 09:47 UTC in reply to "RE[5]: make 'm long"

Here's a link describing how crackers now use dictionary based attacks:
http://arstechnica.com/security/2012/08/passwords-under-assault/

RE[5]: make 'm long
by Laurence on Mon 12th Nov 2012 09:15 UTC in reply to "RE[4]: make 'm long"

(sorry for replying to you over two posts - i didn't spot the 2nd half of your reply until I'd already responded)

I'm not talking about security through obscurity, but the relative unlikeliness that a password written down will be any less safe.

Your hacked Paypal account was not hacked because you wrote down your password and it was copied somehow. None of the hacking cases, as far as I know, was because they wrote down the password.

Which is what "security through obscurity" means. I do sympathise with your sentiment, but discussing the likelihood of being targeted or having a stored password located does fall under security through obscurity. And while you are right that the likelihood is low, I'd rather offer up some genuine security advice instead of luring people into complacency. After all, unlikely scenarios do happen all the time.

The advice I have was to use a hash generator to provide a random password. This way you don't need to store passwords as you only need to remember 1 password (and the salt, but the salt will be your application / website name) and from that you can just generate your password each time you need to log in and you can guarantee to have the same password for that service each time.

Thus with my method, you have a random, unique and secure password for each service - and are not forced into a position of having to write your passwords down. It's a win-win.

Edited 2012-11-12 09:16 UTC

RE[2]: make 'm long
by Fergy on Sun 11th Nov 2012 17:26 UTC in reply to "RE: make 'm long"

Common misconceptions with password security:

* concatenating words together is more secure == false. Modern attacks use a dictionary of words and tries combinations of such words concatenated.

* using txt spk / l33t style words are harder to crack than common words == false. Modern dictionaries have every imaginable combination of number and non-alpha/numeric substitutions of letters as well as plain English words.

* using non-English words are more secure == false. Dictionaries include words from most languages, proper-nouns and even slang that isn't technically part of any language.


Password cracking has come a long way in the last few years and current security advice hasn't kept up with development.

Use lower case: 26 possibilities
Use upper case: 26 possibilities
Use numbers: 10 possibilities
Use punctuation: 32 possibilities
Use them all: 94 possibilities per character

Using English is the easiest way to fall victim to dictionary attacks. Put in another language and suddenly the cracker would have to include 20+ dictionaries. Put in a dialect and the cracker would need to put 2000+ dictionaries in.

How can you possibly claim that increasing the possibilities is _not_ more secure?

RE[3]: make 'm long
by Laurence on Sun 11th Nov 2012 20:49 UTC in reply to "RE[2]: make 'm long"


Use lower case: 26 possibilities
Use upper case: 26 possibilities
Use numbers: 10 possibilities
Use punctuation: 32 possibilities
Use them all: 94 possibilities per character

Using English is the easiest way to fall victim to dictionary attacks. Put in another language and suddenly the cracker would have to include 20+ dictionaries. Put in a dialect and the cracker would need to put 2000+ dictionaries in.

How can you possibly claim that increasing the possibilities is _not_ more secure?

You're missing my point. Modern attacks aren't the old style brute force attacks which would try every combination of character. Instead they have ever more sophisticated dictionaries (I'm not sure if those are hardcoded possibilities or heuristics).

The problem is we've had an influx of leaked passwords over recent years. Nearly every month another website gets hacked and passwords are leaked - and this provides a massive amount of source to learn user behaviour when selecting passwords which in turn allows attackers to build more intelligent cracking tools.

So I'm not saying that your examples are less secure than having plain English passwords; what I'm saying is that such passwords aren't more secure these days. What is more secure is a random hash of characters or doing away with passwords entirely - which is what I actually advocated if you go back and re-read my post. ;)

RE[4]: make 'm long
by kwan_e on Mon 12th Nov 2012 03:13 UTC in reply to "RE[3]: make 'm long"

You're missing my point. Modern attacks aren't the old style brute force attacks which would try every combination of character. Instead they have every more sophisticated dictionaries (I'm not sure if those are hardcoded possibilities or heuristics).

The problem is we've had an influx of leaked passwords over recent years. Nearly every month another website gets hacked and passwords are leaked - and this provides a massive amount of source to learn user behaviour when selecting passwords which in turn allow attacked to build more intelligent cracking tools.


You're kind of switching the bait here.

The second paragraph only provides knowledge for old style single-word passwords. A passphrase is made up of multiple words, which is much more difficult to analyse behaviour.

Assuming that the cracker somehow can distinguish a passphrase from a long password, they're just confronted with using an almost brute force attack on the word combinations.

Using a 10,000 word dictionary, a passphrase of five words is a space of 100,000,000,000,000,000,000 possibilities. The English language alone has about 250,000 words depending on the OED estimate.

RE[5]: make 'm long
by Laurence on Mon 12th Nov 2012 09:08 UTC in reply to "RE[4]: make 'm long"


You're kind of switching the bait here.

I'm really not. I might not be explaining things that well (English isn't my strongest skill), but my advice here has been consistent.


The second paragraph only provides knowledege for old style single-word passwords. A passphrase is made up of multiple words, which is much more difficult to analyse behaviour.

You're making an assumption that dictionary attacks can only work against a single instance within the dictionary file. What modern dictionary attacks actually do is use the dictionary as a basis for a "brute force-style" attack.

Let me explain this better:
the old style brute force attack would try every character permutation (eg (if you don't mind some crude regex) m/[0-9a-zA-Z]/ and any symbols opted for).

Modern dictionary attacks use the dictionary as a basis for building the permutations. So if the dictionary file has: add, dad, bad then the attack will use add, dad, bad, addadd, adddad, addbad, dadadd, daddad, dadbad, badadd, baddad, badbad plus the "l33t" variants ("d4d"), formatting variants ("dad dad", "dad!") and so on.

So while it's technically still a dictionary based attack, it's significantly more sophisticated than a standard dictionary attack yet also significantly quicker to run through likely permutations than the old style brute force attack.


Assuming that the cracker somehow can distinguish a passphrase from a long password, they're just confronted with using an almost brute force attack on the word combinations.

Using a 10,000 word dictionary, a passphrase of five words is a space of 100,000,000,000,000,000,000 possibilities. The English language alone has about 250,000 words depending on the OED estimate.

Indeed. But the point is that's still massively quicker than doing every character permutation.

To put it another way, you stated that 5 word match might offer up 10^19 combinations (which I think is an over-estimate, but I'm still willing to use those figures), using a standard brute force attack offers up (10+26+26+20)^16 combinations (10 numeric characters, 26 alpha in both cases and 20 symbols) for a 16 character sequence. That works out at 2044140858654976 possible solutions and that's not even the entire length of an average 5 word string (which is what you're basing your example on).

So an intelligent dictionary attack really is the better cracking routine and why you have to assume that attackers are using it.

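The add/dad/bad walkthrough in the post above, together with the 10^20-versus-94^16 comparison running through this sub-thread, as an added example that is not code from any of the posters. The three-word list, the l33t substitution table, the separator set and the SHA-256 target hash are all constructed for the demonstration; a real dictionary has millions of entries and real tools apply far larger rule sets, but the shape of the search is the same.

```python
import hashlib
import itertools
from math import log2

# Constructed toy wordlist; a real attack dictionary has millions of entries.
WORDLIST = ["add", "dad", "bad"]

# Assumed substitution table standing in for the "l33t" variants in the post.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def mutate(word):
    """Yield the distinct case and l33t variants of one dictionary word."""
    seen = set()
    for variant in (word, word.capitalize(), word.upper(),
                    "".join(LEET.get(c, c) for c in word)):
        if variant not in seen:
            seen.add(variant)
            yield variant


def candidates(wordlist, max_words, separators=("", " ")):
    """Yield every candidate built from 1..max_words dictionary words.

    Each word is replaced by each of its variants and the words are joined
    with each separator, so add/dad/bad produces add, Add, d4d, addadd,
    add dad, DADbad, ... This is a full enumeration, meant for small inputs.
    """
    variants = [list(mutate(w)) for w in wordlist]
    seen = set()
    for n in range(1, max_words + 1):
        for idx in itertools.product(range(len(wordlist)), repeat=n):
            for pieces in itertools.product(*(variants[i] for i in idx)):
                for sep in separators:
                    cand = sep.join(pieces)
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def sha256_hex(text):
    """Unsalted SHA-256 of a password, the kind of hash found in site dumps."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hex, wordlist, max_words):
    """Return the candidate whose SHA-256 matches target_hex, or None."""
    for cand in candidates(wordlist, max_words):
        if sha256_hex(cand) == target_hex:
            return cand
    return None


def brute_force_bits(alphabet_size, length):
    """log2 of the keyspace a blind brute force must cover (e.g. 94^16)."""
    return length * log2(alphabet_size)


def dictionary_bits(words_in_list, variants_per_word, words_in_phrase):
    """log2 of the keyspace a combinator attack covers for a phrase of
    words_in_phrase words drawn from words_in_list entries, each with
    variants_per_word mutations (e.g. 10000^5)."""
    return words_in_phrase * log2(words_in_list * variants_per_word)


if __name__ == "__main__":
    # Constructed target: the leaked hash of the password "d4dbad".
    target = sha256_hex("d4dbad")
    print("recovered:", crack(target, WORDLIST, 2))
    print("candidates enumerated:", sum(1 for _ in candidates(WORDLIST, 2)))
    print("16 random chars from 94:  %.1f bits" % brute_force_bits(94, 16))
    print("5 words from 10,000:      %.1f bits" % dictionary_bits(10000, 1, 5))
    print("5 words from 10,000 x 4:  %.1f bits" % dictionary_bits(10000, 4, 5))
```

Five words chosen at random from a 10,000-word list come to about 66 bits (2^66 is roughly 10^20, kwan_e's figure), while 16 characters drawn uniformly from 94 symbols come to about 105 bits, and giving every word four spellings adds only two bits per word. The point the thread circles around is that the attacker assumes word structure for free, so a passphrase is only as strong as the size of the list the words were randomly drawn from and the number of words; words the user picked for meaning are drawn from a far smaller effective list.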

RE[6]: make 'm long
by kwan_e on Mon 12th Nov 2012 09:35 UTC in reply to "RE[5]: make 'm long"

This is getting beyond my level of expertise, but what I'm saying is generating a password of five words is different to figuring out that the password actually has five words.

10^19 is just a lower bound for a 10,000 word dictionary. Counting variations of those words, whether it's a change in casing or a numerical substitution, you have at least an order of magnitude more word choices for each word. There's no requirement for there to be syntactical or grammatical structure to the passphrase.

z/OS supports passphrases of 100 characters long, which may be 10 or 20 words long, which obviously has a greater space of valid passwords than the 20 character passwords boxes that some sites are adopting. A 20 word sentence is more memorizable than a 20 character random string let alone a 100 character random string.

RE[7]: make 'm long
by Laurence on Mon 12th Nov 2012 09:45 UTC in reply to "RE[6]: make 'm long"

But, and as I've repeatedly stated, if you use a password hash generator (plenty of free tools online) then you can have a memorable password and a secure password.

Basically, find an online password hash generator, use the same password for every website / application and a salt being the site/app name. For example, using http://www.insidepro.com/hashes.php I could do the following:
password "i like steak"
hash "osnews.com"
user "laurence"
and I would get a password of something like "fK8dyanyjaLzEqohAixCjl+FbLbELvwphJPC0yce7xY7ZuO0TP4OBGZ/a/iqqvquh9HtQ+5Pwcoq8nOa5rGlvQ==" for a sha512 encoding.

That's a random password which is 88 characters long, unique for each website and memorable (as all I need to remember is "i like steak" for every site).

That method is far more secure than using a passphrase.

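The derivation described in the post above, as an added example; it is not code from the post or from the online tool it links to. The concatenation order (master password followed by site name) is an assumption, since the tool's exact input format is not stated. The second function is the variant a practitioner would reach for instead: a slow KDF (PBKDF2, 200,000 iterations), a counter in the salt so one site's password can be rotated without changing the master, and truncation to fit sites that cap password length. The third function shows why the fast version is risky: anyone who obtains one derived password (from a site that stored it in clear, or a phishing page) can test master-password guesses at raw SHA-512 speed, and a single hit unlocks every site.

```python
import base64
import hashlib


def hash_site_password(master, site):
    """The scheme as described: one SHA-512 over master password + site name,
    Base64-encoded. The concatenation order is an assumption (the tool's
    format is not given). 64 digest bytes encode to 88 Base64 characters."""
    digest = hashlib.sha512((master + site).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def kdf_site_password(master, site, counter=1, length=20, iterations=200_000):
    """Slow-KDF variant (assumed design, not from the thread): PBKDF2-HMAC-SHA256
    keyed by the master password with salt = site name plus a rotation counter.
    Output is URL-safe Base64 cut to `length` so it fits sites that cap
    password length."""
    salt = ("%s:%d" % (site, counter)).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=32)
    return base64.urlsafe_b64encode(key).decode("ascii")[:length]


def recover_master(derived, site, guesses):
    """Offline attack on the fast scheme: whoever holds one derived password
    tries master-password guesses at SHA-512 speed. Returns the master on a
    hit, else None."""
    for guess in guesses:
        if hash_site_password(guess, site) == derived:
            return guess
    return None


if __name__ == "__main__":
    fast = hash_site_password("i like steak", "osnews.com")
    print(len(fast), fast)
    print(kdf_site_password("i like steak", "osnews.com"))
    # Constructed guess list standing in for a real wordlist.
    print(recover_master(fast, "osnews.com",
                         ["password", "letmein", "i like steak"]))
```

Bumping `counter` for one site changes only that site's password, which the plain scheme cannot do after a breach without changing the master everywhere. Raising `iterations` slows the offline guess rate for the attacker by the same factor it slows the user, which is the trade a KDF is meant to make.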

RE[2]: make 'm long
by Soulbender on Mon 12th Nov 2012 02:11 UTC in reply to "RE: make 'm long"

4. Use one-time pads. Impossible to break with brute-force attacks.

RE[3]: make 'm long
by Laurence on Mon 12th Nov 2012 16:07 UTC in reply to "RE[2]: make 'm long"

4. Use one-time pads. Impossible to break with brute-force attacks.

Funny enough I did write my own one-time pad routine when I was still at school.

The program was rather crude (I think I wrote it in Javascript and this was back in the 90s when Javascript largely sucked), but it did work.

Comment by Anonymous Penguin
by Anonymous Penguin on Sat 10th Nov 2012 09:30 UTC

Take something that means a lot to you but nothing to strangers. Example: name, place and date of birth of somebody you hold dear (not yourself, too easy to guess), add a few random characters. Done!
BTW, it shouldn't be somebody who has a Facebook account!

Edited 2012-11-10 09:31 UTC

RE: Comment by Anonymous Penguin
by Morgan on Sat 10th Nov 2012 09:51 UTC in reply to "Comment by Anonymous Penguin"

I realize this won't work for everyone, but I have a knack for remembering long strings of random characters. My vehicle's VIN alternated with a Windows 98 key that I still have the CoA for up in the attic, along with my uncle's Romanian name, make for a nearly uncrackable but easy to remember password.

To be able to use it for different accounts, I just add a mnemonic related to that site. For local security, of course, I just use a simple 8 to 10 character alphanumeric string. That's more than enough to deter the few friends and family that visit my home.

Anonymous Penguin

Indeed, it wouldn't work for me. I am very bad at remembering long strings of random characters, including telephone numbers.

UltraZelda64

Me too. That's one hell of a skill he's got. I have to maintain a few text files to keep track of my passwords; partially because I've got so many, but also because they're all pretty long and complex, and many of my important ones are similar but subtly different so they couldn't be used across accounts even if they were cracked.

Then again, I never made an attempt to remember my passwords and I tend to just use the web browser's password manager most of the time. The main exception here is on my phone; I would never store any passwords on a computer I take everywhere I go that I could easily lose, forget somewhere I go or have stolen.

That said... I am considering eventually attempting to remember my three Google account passwords, because it's kind of a pain when I am automatically logged out for my protection and I'm basically locked out until I get home to check my password files. ;)

By the way... any Google users, if you have important data on your account, it would be a good idea to use Google's two-step authentication. Works with any phone, though probably best with a cell phone (text message) or, even better, with the Google Authenticator app.

Edited 2012-11-11 04:56 UTC

Morgan

I had an eidetic memory as a child; I remember being able to read an entire encyclopedia page and recite it back with about 95% accuracy at six years old. Unfortunately it started fading away as I got older. I still recall a lot more than the average person after reading a passage or string, but it's a shadow of what I could do as a child.

Still, it's good enough to remember important alphanumeric strings. My limit is about 35 characters, give or take, and it helps if it's a pattern that I recognize. That's why I use the VIN/license key combo; I deal with VINs daily at my full time job and reinstalling Windows 98 every few months made it easy to recall that key. I also tend to memorize phone numbers, my credit and debit cards, and other pattern based strings very easily.

UltraZelda64

Damn. It took me almost a year to remember my cell phone number with enough reliability that I would not screw it up when someone asked me what it is (and I still occasionally get confused or my mind goes blank). ;)

Back when I was toying around with Google Voice earlier this year and I was considering giving it a try, the ability to choose a certain area code and even a string of letters when picking a number was really appealing to me. I'm just horrible with remembering phone numbers. Even if there are only 10 possible digits, the phone number itself is ten digits long, and only the last seven digits will likely be unique.

It was so much easier years ago when I was younger... the area code was always the same, the following three-digit prefix was always one of only two or three possibilities, and the last four digits were really the only ones that were different. Now cell phones seem to rule the country, and while the area code tends to remain the same it seems that every cell phone provider has a different prefix (and some of them seem to be getting more than one these days in my area).

I know what you mean about the Win98 (and later XP) registration key though... I used to have mine almost (but not quite) completely memorized for the same reason. No idea what they were now, though. If I am forced to enter something enough times, I'll eventually remember it (or at least parts of it) whether I want to or not.

Edited 2012-11-11 07:08 UTC

Reply Score: 2

Comment by Luminair
by Luminair on Sat 10th Nov 2012 10:13 UTC
Luminair
Member since:
2007-03-30

those stories are pretty crappy. way to confuse people so they don't improve their passwords

all you need to know is you should have a passphrase. the details of password security are irrelevant. the solution is passphrase. it is not maximum protection, but it is good enough and better than what people already use.

example:

compactdisksareOLD!
dogseatpoopbutIdont
wheninromehavesexwithromangirls

passphrase. its whats for dinner. (passphraseitswhatsfordinner)

Reply Score: 3

RE: Comment by Luminair
by darknexus on Sat 10th Nov 2012 11:50 UTC in reply to "Comment by Luminair"
darknexus Member since:
2008-07-15

Passphrases don't work everywhere. Many sites either won't let you have spaces, require you to have numbers, limit you between 8 and 12 characters, disallow certain punctuation marks, etc. In principle I actually agree with you (although I doubt people would pick more secure passphrases than they currently pick passwords now). The other thing we really need is intelligence on the part of people who design service web sites. There is no reason, for example, that a dictionary attack should ever work, ditto for brute force attacks. If someone tries a wrong password more than three times, the account should be locked and the account owner notified at once by all means of contact that they have on file. A temporary block on the IP address initiating said transaction wouldn't be unwise as well. That account will then be absolutely disabled until the account owner can take whatever steps necessary to reactivate it and, in the meantime, good luck hacking into a disabled account with a dictionary. Period. That is as it should be. Sadly, it seems like very few institutions, including banks and other financial sites, don't implement such basic security for the sake of convenience. I would think that the potential inconvenience of a three-strike password would outweigh the inconvenience if, let's say, your bank account gets hacked and someone takes all your cash. No, it won't protect against key logger trojans and other, more sophisticated forms of attack but, if you've got a key logger on your machine, no amount of strong passwording is going to help you anyway.
Security is a two-way street. Intelligence on the part of the end-user, and intelligence on the part of the system designer. Both, sadly, are lacking right now. Password safety is not rocket science, and that applies to both parties.

Reply Score: 5
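As an added illustration of the three-strike policy described in the post above (example code written for this page, not code from darknexus or any other poster): a failed-attempt tracker in Python that locks the account after three wrong passwords, records a notification for the owner, puts a temporary block on the originating address, and keeps the account locked until an out-of-band reactivation. The limits, the 15-minute block and the notification list are assumed values, not anything the post specifies.

```python
import time
from dataclasses import dataclass, field

MAX_FAILURES = 3          # strikes before the account is locked (assumed policy)
IP_BLOCK_SECONDS = 900    # temporary block on the source address (assumed value)


@dataclass
class Account:
    name: str
    failures: int = 0
    locked: bool = False


@dataclass
class LoginGuard:
    """Tracks failed logins per account and per source IP address."""
    accounts: dict = field(default_factory=dict)
    ip_blocked_until: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)   # stand-in for e-mail/SMS/phone

    def account(self, name):
        return self.accounts.setdefault(name, Account(name))

    def ip_blocked(self, ip, now):
        return self.ip_blocked_until.get(ip, 0) > now

    def attempt(self, name, ip, password_ok, now=None):
        """Evaluate one login attempt.

        Returns 'ok', 'bad_password', 'locked' or 'ip_blocked'.  The lock and
        address checks run before the password result is consulted, so a locked
        account answers the same way whether or not the password was right.
        """
        now = time.time() if now is None else now
        acct = self.account(name)
        if self.ip_blocked(ip, now):
            return "ip_blocked"
        if acct.locked:
            return "locked"
        if password_ok:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self.ip_blocked_until[ip] = now + IP_BLOCK_SECONDS
            # Every contact method on file would be used here; we just record it.
            self.notifications.append((name, ip, now))
            return "locked"
        return "bad_password"

    def reactivate(self, name):
        """Out-of-band reset (phone call, identity check) clears the lock."""
        acct = self.account(name)
        acct.locked = False
        acct.failures = 0


if __name__ == "__main__":
    guard = LoginGuard()
    for t in (1000, 1001, 1002):
        print(guard.attempt("alice", "203.0.113.7", False, now=t))
    print(guard.attempt("alice", "203.0.113.7", True, now=1003))   # ip_blocked
    print(guard.notifications)
```

Two side effects to plan for when deploying a policy like this: anyone who knows a username can lock the legitimate owner out by failing three times on purpose, so the notification and reactivation paths must be cheap and reliable, and an address block hits everyone behind a shared NAT, which is why the block here is short and per-address rather than permanent.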

RE[2]: Comment by Luminair
by kwan_e on Sat 10th Nov 2012 12:13 UTC in reply to "RE: Comment by Luminair"
kwan_e Member since:
2007-02-18

Passphrases don't work everywhere. Many sites either won't let you have spaces, require you to have numbers, limit you between 8 and 12 characters, disallow certain punctuation marks, etc.


The main reason, as I understand it, is that those rules are there because of the outdated ideas about how to make secure passwords such as having numbers etc.

But the way to go has to be passphrases, and this technique needs to be taught. A passphrase can be much longer and thus more secure without much more memorization than a normal password.

Even z/OS now has support for passphrases. That is how out of date plain old passwords are.

Edited 2012-11-10 12:13 UTC

Reply Score: 3

RE[3]: Comment by Luminair
by Laurence on Mon 12th Nov 2012 09:23 UTC in reply to "RE[2]: Comment by Luminair"
Laurence Member since:
2007-03-26


The main reason, as I understand it, is that those rules are there because of the outdated ideas about how to make secure passwords such as having numbers etc.

But the way to go has to be passphrases, and this technique needs to be taught. A passphrase can be much longer and thus more secure without much more memorization than a normal password.

Even z/OS now has support for passphrases. That is how out of date plain old passwords are.

Pass-phrases are better than *short* passwords, but most modern attacks target passphrases these days.

I've explained the technique modern attacks use and how it reduces the number of attempted permutations required in detail in this post: http://www.osnews.com/permalink?542101 .

Edited 2012-11-12 09:25 UTC

Reply Score: 2

RE[2]: Comment by Luminair
by unclefester on Sun 11th Nov 2012 01:37 UTC in reply to "RE: Comment by Luminair"
unclefester Member since:
2007-01-13

My bank locks the online account after three failed password attempts per day. You are required to phone customer service to reset the password.

Reply Score: 2

RE[3]: Comment by Luminair
by darknexus on Sun 11th Nov 2012 03:20 UTC in reply to "RE[2]: Comment by Luminair"
darknexus Member since:
2008-07-15

My bank locks the online account after three failed password attempts per day. You are required to phone customer service to reset the password.

That's good. I'm glad there are still some people out there that understand how to implement some basic security. Now, if they would just teach the rest…

Reply Score: 3

RE: Comment by Luminair
by Doc Pain on Sun 11th Nov 2012 03:38 UTC in reply to "Comment by Luminair"
Doc Pain Member since:
2006-10-08

While simple words or phrases could be "guessed" by dictionary-based attacks, their concatenation introduces many more permutations, as in your example:

compactdisksareOLD!
dogseatpoopbutIdont
wheninromehavesexwithromangirls


Words like "compact", "disks", "are", "old", "dogs", "eat", "poop", "but", "I", "dont" and so on would be a simple target. Concatenating simple words to form a new word perfectly fits the current startup naming culture. No need to introduce spelling errors here. :-)

An alternative is to learn intentionally "mis-spelled" artificial words that you can remember easily, but that won't show up in any dictionary, not even partially.

Some examples:

Mowdoodenlompar
Gnortlingsobiddenpoul
Gickbreddlequeckenrommodune

You can easily pronounce them and "learn their written representation". You could even say them to someone, but without the knowledge on how to write them it won't be useful.

A slight modification of this approach is to write one of the words of your native language in either a typeface-oriented or a pronunciation-oriented "emulation".

Examples:

WKOJIANgOM
derived from школаидом - школа и дом (school and house)

Rule: Make the word look as if it had been written with Cyrillic letters. Use fantasy as needed.

Advantage: As long as you restrict yourself to the "normal letters", you can even enter the password in "severely limited environments", e.g. in those where you cannot enter "non-English characters", maybe due to a misconfiguration or missing support.

DeeOumarHuttUynanHootOuf
derived from Die Oma hat einen Hut auf (the grandmother is wearing a hat, literally "has a hat on")

Rule: Construct a word that, if read (and pronounced) properly in English, would sound like the corresponding word (or sentence) in German. Ignore any possible accent.

Combine all discussed methods for more optimum security. :-)

Reply Score: 2

RE: Comment by Luminair
by UltraZelda64 on Sun 11th Nov 2012 05:03 UTC in reply to "Comment by Luminair"
UltraZelda64 Member since:
2006-12-05

compactdisksareOLD!
dogseatpoopbutIdont
wheninromehavesexwithromangirls

passphrase. its whats for dinner. (passphraseitswhatsfordinner)

Meh. Only your first example has both capital letters and symbols (in this case, a single exclamation point), and your second one has one single capital letter. Your last two win the length contest, but they're still only lower case letters. They would probably also fail a dictionary attack relatively easily. So I disagree; those passwords are actually quite weak. They're probably better than what most people use, though. Use a mix of lowercase, caps, numbers *and* symbols for the best effect...

Edited 2012-11-11 05:18 UTC

Reply Score: 2

RE[2]: Comment by Luminair
by Luminair on Sun 11th Nov 2012 09:19 UTC in reply to "RE: Comment by Luminair"
Luminair Member since:
2007-03-30

those passphrases are long enough to be secure even with all lower case letters and english words. they will not be brute forced or dictionary attacked because it would take too long.

Reply Score: 2

RE[3]: Comment by Luminair
by UltraZelda64 on Sun 11th Nov 2012 11:14 UTC in reply to "RE[2]: Comment by Luminair"
UltraZelda64 Member since:
2006-12-05

Maybe so, but I'd prefer to play it safe and use more than just primarily lower-case letters. IMO, they could be a lot better.

Edited 2012-11-11 11:17 UTC

Reply Score: 2

RE[3]: Comment by Luminair
by Laurence on Mon 12th Nov 2012 12:32 UTC in reply to "RE[2]: Comment by Luminair"
Laurence Member since:
2007-03-26

those passphrases are long enough to be secure even with all lower case letters and english words. they will not be brute forced or dictionary attacked because it would take too long.

They would be dictionary attacked easily.

Modern dictionary attacks are designed to target passphrases just like that.

I've discussed dictionary attacks earlier in this thread, so have a read through that. Alternatively, read an account from some professionals in the field: http://arstechnica.com/security/2012/08/passwords-under-assault/

Reply Score: 2
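To make the disagreement in the last few posts concrete, here is an added Python calculation (written for this page, not from any poster) that scores the same passphrases two ways: as a character-level brute force, which is the measure behind the length argument, and as a sequence of words drawn from a word list, which is the measure a dictionary-based attack works with. The 20,000-word list size is an assumed figure, and the word model is a simplification of the rule-based attacks the linked Ars Technica article describes.

```python
import math
import string

# Character classes behind the "mix lowercase, caps, numbers and symbols" advice
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def charset_size(password):
    """Alphabet size an exhaustive (brute-force) attacker has to cover,
    given which character classes the password actually uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def bruteforce_bits(password):
    """log2 of the number of strings of the same length over that alphabet."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(n_words, wordlist_size, extra_tokens=0, extra_choices=1):
    """log2 of the search space when the attacker models the password as
    n_words independent words from a list of wordlist_size, optionally followed
    by extra_tokens digits/symbols each chosen from extra_choices options."""
    return (n_words * math.log2(wordlist_size)
            + extra_tokens * math.log2(extra_choices))


def compare(password, n_words, wordlist_size=20000, extra_tokens=0, extra_choices=1):
    """Both measures, rounded to one decimal, for one password."""
    return {
        "bruteforce_bits": round(bruteforce_bits(password), 1),
        "wordlist_bits": round(
            wordlist_bits(n_words, wordlist_size, extra_tokens, extra_choices), 1),
    }


if __name__ == "__main__":
    # The phrases from the thread, plus a constructed 12-character mixed password.
    samples = [
        ("wheninromehavesexwithromangirls", 8, 0, 1),
        ("dogseatpoopbutIdont", 6, 0, 1),
        ("compactdisksareOLD!", 4, 1, len(string.punctuation)),
        ("Xk7$pQ2!mZ9r", 0, 12, 94),   # random characters: both models coincide
    ]
    for pw, words, extra, choices in samples:
        print(f"{pw:34s}", compare(pw, words, extra_tokens=extra, extra_choices=choices))
```

The number an attacker gets to use is the smallest one from a model that actually describes how the password was built. The 31-character lowercase phrase has about 146 bits of brute-force space but about 114 bits as eight words from a 20,000-word list, and far less than that if the words form a common phrase or quotation, because then they are not independent choices. A short string of genuinely random characters from all four classes has no cheaper model than brute force, which is the point of the "mix everything" advice; a long phrase of random, unrelated words keeps its word-model bits high, which is the point of the passphrase advice.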

RE[4]: Comment by Luminair
by Luminair on Mon 12th Nov 2012 18:56 UTC in reply to "RE[3]: Comment by Luminair"
Luminair Member since:
2007-03-30

so far I've got no proof of what I said, and you've got proof of what I said. not looking good for you so far, but thanks:

passwords longer than nine or 10 characters require rainbow tables with unwieldy file sizes. That leaves only a small sweet spot of seven or eight characters where rainbow tables are especially useful these days.


Reply Score: 1

RE[5]: Comment by Luminair
by Laurence on Mon 12th Nov 2012 22:11 UTC in reply to "RE[4]: Comment by Luminair"
Laurence Member since:
2007-03-26

so far I've got no proof of what I said, and you've got proof of what I said. not looking good for you so far, but thanks:

Clearly you just skipped to the pretty pictures because that article repeatedly talked about how the preferred method of attack has now shifted to using advanced dictionary attacks which are fine tuned to crack passphrases. In fact, that was pretty much the basis for the whole f--king story.

The quote you lifted was just in reference to the older technique of using rainbow tables and how its modern applications are limited due to better cracking routines and more powerful computers. So it's not even relevant to this discussion.

But who actually gives a shit about facts when you can instead offer up security advice like the egotistical novice that you are. And what's the point in talking to me like a human being when you can act like a complete c*nt instead. After all, what's the point in using intelligence and research to make a point when you can hide your stupidity behind blind arrogance. Smoothly done asshole. <_<

Edited 2012-11-12 22:18 UTC

Reply Score: 2

RE[6]: Comment by Luminair
by spiderman on Tue 13th Nov 2012 07:30 UTC in reply to "RE[5]: Comment by Luminair"
spiderman Member since:
2008-10-23

Smoothly done asshole.

I didn't even read your posts or the ones you are replying to but when you've come to this, you know it's time to take a break. It doesn't matter if you are right or wrong, this is just a web comment section that 4 people read in total. Cool down man.

Reply Score: 2

RE[7]: Comment by Luminair
by Laurence on Tue 13th Nov 2012 08:24 UTC in reply to "RE[6]: Comment by Luminair"
Laurence Member since:
2007-03-26

I didn't even read your posts or the ones you are replying to but when you've come to this, you know it's time to take a break. It doesn't matter if you are right or wrong, this is just a web comment section that 4 people read in total. Cool down man.

Yeah, I'm giving up on this article now. Too many pseudo-technical people clinging on to old ideals and who are too stubborn to read anything recent on the topic.

Considering how fast paced the technology industry is, I'm amazed how slow some professionals are to update on the latest security methods ;)

But then I shouldn't really care, I get paid to fix the mistakes that those novices introduce ;)

Edited 2012-11-13 08:26 UTC

Reply Score: 2

Some tips of mine
by Lennie on Sat 10th Nov 2012 13:40 UTC
Lennie
Member since:
2007-09-22

First tip: it is already mentioned in the article, but needs repeating: don't reuse passwords.

Second tip: use a password that can't be guessed. Which is getting harder every day: Ars Technica: Why passwords have never been weaker - and crackers have never been stronger:

http://arstechnica.com/security/2012/08/passwords-under-assault/

Third tip: use a password-generator and -manager to handle your passwords.

Fourth tip: there are "single sign in" / "federated login" solutions:

- https://browserid.org/ (Mozilla project for "verified email address", only do email verification ones)

- http://openid.net/ and http://oauth.net/ Some examples: Google-, Yahoo-, Hotmail-account, Twitter- and yes even Facebook connect is based on OAuth. At least Google and probably others also have 2 factor authentication.

- http://en.wikipedia.org/wiki/SAML_2.0 (the solution certain enterprises use)

HTTP/2.0 might get built-in support for "federated login" as well.

There is a tradeoff in using one account of course, but many normal users just don't want to deal with password managers and prefer to use one password.

Edited 2012-11-10 13:43 UTC

Reply Score: 3

Or just...
by bowkota on Sat 10th Nov 2012 19:45 UTC
bowkota
Member since:
2011-10-12

Or just use 1password.
Problem solved

Reply Score: 1

Password nightmares at work
by WorknMan on Sat 10th Nov 2012 22:11 UTC
WorknMan
Member since:
2005-11-13

Where I work, there's about 5 different passwords we have to remember, and they make us change them all at least once every couple of months. Not only that, but you can't have a password that's similar to a previous one, and you can't use a password that you've used in the last 10 rotations. They seem determined to make people memorize a new, random string of letters and numbers every rotation, along with at least one uppercase character, one letter from the Chinese alphabet, and I think the symbol for Boron as well.

There's only one problem though... virtually NOBODY is going to do that!! I would imagine most people probably either keep their passwords written down in a drawer (yeah, real secure ;) ) or else use keyboard macros like I do. I understand the need for strong passwords, but some companies get WAAAAAAAAY too overzealous with the practice.

Reply Score: 3

RE: Password nightmares at work
by benali72 on Sat 10th Nov 2012 23:44 UTC in reply to "Password nightmares at work"
benali72 Member since:
2008-05-03

I hear you! I have the exact same problem. It's particularly bad because I'm a support person, so I'm always switching computers. It's really a big productivity loss to constantly have password changes and hassles.

One place I worked at put all the hundreds of passwords into a spreadsheet. Of course, since it was shared by the 10 people on the team, someone would always corrupt the spreadsheet file. What a mess!

Worst of all was when I'd be on call, get the call at 2 am, and find that some dope had updated the password on some server and forgot to update the password spreadsheet. So here you are beeped at 2 am to solve some problem, only to find yourself unable to log in. Yuck!

Reply Score: 2

Keepass2
by WereCatf on Sun 11th Nov 2012 00:25 UTC
WereCatf
Member since:
2006-02-15

I personally just use Keepass2 to keep my passwords safe. The password database is very strongly encrypted so if you have a strong password for the database there is no way anyone is going to get to the actual contents of the database. Once in, Keepass2 allows you to create passwords automatically, allowing you to specify things like which character set to use, how many characters, should there be special characters and so on and so forth. Also, once you copy a password or username from the database to clipboard Keepass2 will empty the clipboard after 10 or 15 seconds, making sure you won't even accidentally reveal your passwords.

I have a strong password set up for the database, I always store any new login stuff in there, and I keep a copy of the database on my desktop, mobile phone, server and in the cloud so that even if one -- or even multiple -- devices were to break I'd still always have a copy somewhere. Also, the Android app is handy on-the-go.

Reply Score: 2

RE: Keepass2
by Soulbender on Sun 11th Nov 2012 01:44 UTC in reply to "Keepass2"
Soulbender Member since:
2005-08-18

Didn't you read the article? You can't trust password managers because, uh, if someone steals your computer all your passwords are lost. Too bad it's completely impossible to have them backed up somewhere and encrypted. Yeah....

It's kind of interesting that Mr Kocher makes the oldest mistake of all: keeping the passwords on a note in his wallet. Obviously much safer than a password manager with an encrypted database. Apparently it's also impossible to have your wallet stolen. Wtf?

Security expert my ass.

Reply Score: 3

RE: Keepass2
by UltraZelda64 on Sun 11th Nov 2012 05:37 UTC in reply to "Keepass2"
UltraZelda64 Member since:
2006-12-05

I have a strong password set up for the database, I always store any new login stuff in there, and I keep a copy of the database on my desktop, mobile phone, server and in the cloud so that even if one -- or even multiple -- devices were to break I'd still always have a copy somewhere. Also, the Android app is handy on-the-go.

Yikes. I wouldn't want to store my passwords on my phone or laptop or any other computer I take with me even occasionally or on any USB thumb drive... but there's no way in hell you'd ever see me put all my password in a file up in the "cloud." Even if they were first encrypted in a database file. Just not gonna happen. I just don't have that kind of trust.

Edited 2012-11-11 05:54 UTC

Reply Score: 2

RE[2]: Keepass2
by WereCatf on Sun 11th Nov 2012 08:56 UTC in reply to "RE: Keepass2"
WereCatf Member since:
2006-02-15

Yikes. I wouldn't want to store my passwords on my phone or laptop or any other computer I take with me even occasionally or on any USB thumb drive... but there's no way in hell you'd ever see me put all my password in a file up in the "cloud." Even if they were first encrypted in a database file. Just not gonna happen. I just don't have that kind of trust.


The Keepass2 password database is encrypted with 256-bit Twofish. You'd need a quantum computer to be able to crack that in any sort of a feasible time. No, using something like that Amazon cloud computing service would still need way more time for cracking that open than I have years left in me. Since there are no fully-functioning quantum computers yet, and I'm not a high-profile target anyways...

EDIT: Few links:
http://keepass.info/help/base/security.html
http://en.wikipedia.org/wiki/Twofish

Edited 2012-11-11 09:02 UTC

Reply Score: 2

RE[2]: Keepass2
by Soulbender on Sun 11th Nov 2012 09:20 UTC in reply to "RE: Keepass2"
Soulbender Member since:
2005-08-18

Just not gonna happen. I just don't have that kind of trust.


That's the thing about encryption, you don't need trust.
The chances that your cloud provider will take so much interest in you that they will use all their computing power to break into your (hopefully Twofish or AES) encrypted password database is minuscule.
Even if they do you'll probably have changed all the passwords by the time they actually manage to brute-force it.

Reply Score: 2

RE[3]: Keepass2
by UltraZelda64 on Sun 11th Nov 2012 10:06 UTC in reply to "RE[2]: Keepass2"
UltraZelda64 Member since:
2006-12-05

The chances that your cloud provider will take so much interest in you that they will use all their computing power to break into your (hopefully Twofish or AES) encrypted password database is minuscule.
Even if they do you'll probably have changed all the passwords by the time they actually manage to brute-force it.

Who's to say it's the cloud provider that will try to do the snooping? I actually didn't mean that with what I originally said. These companies run public servers, and they're not exactly unknown servers... they're well-known, and up for potential attack from anyone, anywhere on the Internet. They're big, easy targets. It's security breaches I would be worried about when putting a file containing *all* of my passwords on a server somewhere on the Internet.

Someone just has to breach the server's security and then take what they can. They can then post all the files they can manage to get on a server somewhere where they and their cracker buddies download away and have a field day playing games seeing who can crack the most password files the fastest. And if there's ever a vulnerability found that allows crackers to easily break the encryption code and read the contents of the file... well, now every single one of your passwords can be found by just accessing one file that's been made publicly available on the Internet to anyone.

Edited 2012-11-11 10:17 UTC

Reply Score: 2
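As an added example for the Keepass2 exchange above (code written for this page, not KeePass's own code, and not interoperable with its database format): a Python sketch of the structure that makes an encrypted password file safe to copy to a phone or a server, namely a random salt, a deliberately slow key derivation from the master password, and an integrity tag so that a wrong password or a modified file is rejected instead of being decrypted to garbage. The HMAC-SHA256 counter-mode keystream stands in for the Twofish/AES block cipher a real password manager uses; the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import struct

KDF_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed; raise as hardware improves)


def derive_keys(master_password, salt, iterations=KDF_ITERATIONS):
    """Stretch the master password into an encryption key and a separate MAC key.
    Every guess at the master password costs the attacker one of these calls."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, iterations, dklen=64)
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a stand-in for the block cipher
    a real password manager uses, chosen here only because it is in the stdlib."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password, plaintext, iterations=KDF_ITERATIONS):
    """Encrypt-then-MAC: header | ciphertext | tag, with fresh salt and nonce."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = struct.pack(">I", iterations) + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, "sha256").digest()
    return header + ciphertext + tag


def unseal(master_password, blob):
    """Return the plaintext, or None if the password is wrong or the file was altered.
    The tag is checked before any decryption, in constant time."""
    if len(blob) < 36 + 32:
        return None
    (iterations,) = struct.unpack(">I", blob[:4])
    salt, nonce = blob[4:20], blob[20:36]
    ciphertext, tag = blob[36:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, blob[:-32], "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed sample entry; a real database would hold many of these.
    entry = b"site=example.org user=alice pw=Xk7$pQ2!mZ9r"
    blob = seal("correct horse battery", entry)
    print(unseal("correct horse battery", blob))   # the entry
    print(unseal("correct horse batteri", blob))   # None
```

What this makes visible for the breach scenario in the previous post: whoever obtains the file can try master passwords offline without any lockout, and each try costs exactly one key derivation. The cipher's key length plays no part in that cost; the guessability of the master password and the KDF work factor are what set it, which is why both the salt and a high iteration count travel inside the file.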

Bad memory
by Yehppael on Sun 11th Nov 2012 19:38 UTC
Yehppael
Member since:
2012-08-01

I have a bad memory, very horrible.
So, this is what I do, I split myself into three online personas.

One I use for games of any kind, always, and I mean always the same password, if they get hacked, I just have them send a mail and reset it. Never needed though, because virtually nobody cares about the games I play.

The second, is for my alternate life online, for this I have yet another password, but I add a number to the end and change it for every site I need.

Third, the RL persona, the one that I use the least, but care for the most, I almost never use it for trivialities, except to establish a personal and professional presence online.

Emails, I have a gmail account for each, none are linked to each other in any way.
The first one, has a password, based on the one used for games.
Second address, same thing.
and last one, the most important has 40 characters, azAZ09.

But what's the most important, is the fact that other than the email passwords and the one I use in games, I don't memorize anything else.

Because I keep the browser open 20-30 days nonstop, I actually can't remember a password I used only once weeks ago, so, it's password recovery most of the time.

“There is a very, very small handful of people who can get away with saying that they will only trust a password management system that they build themselves,” the company wrote in a blog post. “You should definitely not trust a password management system that you develop yourself.”


Found this on the net, after a simple search. My guess, people only need to read the manual.

$ # alice.pub is Alice's public key; -pubin tells rsautl it is a public, not a private, key
$ echo 'Hi Alice! Please bring malacpörkölt for dinner!' |
    openssl rsautl -encrypt -pubin -inkey alice.pub >message.encrypted


Despite what you might hear on the news about "hackers", it's actually quite easy to encrypt things that even alphabet soup agencies would need months if not years to de-crypt.

Oh, and a word to the authors for articles about password security, stop blaming the victims, and blame the websites and the various systems with poor security because they're the ones doing the most damage.

Reply Score: 1

lastpass.com
by Loreia on Mon 12th Nov 2012 11:59 UTC
Loreia
Member since:
2012-01-17

I am a bit late to this party, but I have a nice suggestion for better online security. Use lastpass.com service and have best from both worlds:
- unique passwords for every site
- just one master password to remember
- passwords generated automatically for you
- passwords always available

Free version does everything you need (at least everything _I_ need), and they provide extensions for all major web browsers.

There is nothing I hate more than this meaningless "cloud" buzzword, but this service is just fantastic, and I love every bit of it. Everything is encrypted, and with a good master password (that you, of course, change every say 6 or 12 months), you can enjoy having a unique 20 char ([0-9a-zA-Z plus special chars]) long password for every site you register on.

This was suggested to me by Firefox when I once opened add-on tab. Best suggestion ever!!

Reply Score: 2

Comment by nutt
by nutt on Mon 12th Nov 2012 13:52 UTC
nutt
Member since:
2011-06-22

All that needs to be said about passwords has already been said here: http://xkcd.com/936/
:-)

Reply Score: 1

Social engineering
by spiderman on Mon 12th Nov 2012 17:37 UTC
spiderman
Member since:
2008-10-23

O/S/N/E/W/S Alert!
Your account will be deleted.
To prevent account deletion, reply to this post with your username and password.
------------------------------

Seriously, your password need just be good enough for the job. You don't need an armored door when the windows are wide open or the walls are made of paper. Hackers will seek the lowest hanging fruits.
http://xkcd.com/538/
Use your brain online and don't rely on a password for anything important. If your bank is only asking for a password to transfer money then change your bank. It should at least send you an SMS with a temporary secret code or challenge you with something else.

CPU power is cheap, especially to crackers who have access to botnets and it will be worse when they have mobile bots. Even brute force can be done if it pays. Your password is just there to protect unimportant data from being stolen because it is cheaper to get it from another way or because it's not worth the trouble.

Reply Score: 2