Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
Bugs & Viruses If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
Thread beginning with comment 541800
Comment by Luminair
by Luminair on Sat 10th Nov 2012 10:13 UTC
Luminair Member since:
2007-03-30

Those stories are pretty crappy. Way to confuse people so they don't improve their passwords.

All you need to know is you should have a passphrase. The details of password security are irrelevant. The solution is a passphrase. It is not maximum protection, but it is good enough and better than what people already use.

example:

compactdisksareOLD!
dogseatpoopbutIdont
wheninromehavesexwithromangirls

Passphrase. It's what's for dinner. (passphraseitswhatsfordinner)

Reply Score: 3

RE: Comment by Luminair
by darknexus on Sat 10th Nov 2012 11:50 in reply to "Comment by Luminair"
darknexus Member since:
2008-07-15

Passphrases don't work everywhere. Many sites either won't let you have spaces, require you to have numbers, limit you between 8 and 12 characters, disallow certain punctuation marks, etc. In principle I actually agree with you (although I doubt people would pick more secure passphrases than they currently pick passwords now). The other thing we really need is intelligence on the part of people who design service web sites. There is no reason, for example, that a dictionary attack should ever work, ditto for brute force attacks. If someone tries a wrong password more than three times, the account should be locked and the account owner notified at once by all means of contact that they have on file. A temporary block on the IP address initiating said transaction wouldn't be unwise either. That account will then be absolutely disabled until the account owner can take whatever steps necessary to reactivate it and, in the meantime, good luck hacking into a disabled account with a dictionary. Period. That is as it should be. Sadly, it seems like very few institutions, including banks and other financial sites, implement such basic security, for the sake of convenience. I would think that the potential inconvenience of a three-strike password would outweigh the inconvenience if, let's say, your bank account gets hacked and someone takes all your cash. No, it won't protect against key logger trojans and other, more sophisticated forms of attack but, if you've got a key logger on your machine, no amount of strong passwording is going to help you anyway.
Security is a two-way street. Intelligence on the part of the end-user, and intelligence on the part of the system designer. Both, sadly, are lacking right now. Password safety is not rocket science, and that applies to both parties.

Reply Parent Score: 5
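The lock-after-three-failures scheme darknexus describes (lock the account, notify every contact on file, temporarily block the source IP, reactivate only out of band) is easy to get subtly wrong, so here is an added example of the server-side logic, written for this thread rather than taken from any site or the linked articles. The class names, the 15-minute IP block and the PBKDF2 round count are assumptions; the verifier is a salted PBKDF2 hash compared in constant time, so a leaked database is not a plain wordlist target either.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 3            # darknexus's three-strike rule
IP_BLOCK_SECONDS = 15 * 60  # temporary block on the source IP (assumed value)
PBKDF2_ROUNDS = 100_000     # assumed work factor for the stored verifier


def hash_password(password, salt):
    """Slow, salted verifier: a stolen table cannot be checked against a wordlist at full speed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    verifier: bytes
    contacts: list          # every e-mail address / phone number on file
    failures: int = 0
    locked: bool = False


class AuthService:
    """Minimal login back end: three failures lock the account, owner is notified, IP is blocked."""

    def __init__(self, clock=time.time):
        self.accounts = {}        # username -> Account
        self.blocked_ips = {}     # ip -> timestamp when the block expires
        self.notifications = []   # (contact, message) pairs that would be sent out
        self.clock = clock        # injectable so tests do not have to sleep

    def register(self, username, password, contacts):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt), list(contacts))

    def ip_blocked(self, ip):
        until = self.blocked_ips.get(ip)
        if until is None:
            return False
        if self.clock() >= until:       # block has expired, forget it
            del self.blocked_ips[ip]
            return False
        return True

    def login(self, username, password, ip):
        """Return one of 'ok', 'denied', 'locked', 'ip_blocked'."""
        if self.ip_blocked(ip):
            return "ip_blocked"
        acct = self.accounts.get(username)
        if acct is None:
            # Unknown user gets the same answer as a wrong password, so usernames cannot be enumerated.
            return "denied"
        if acct.locked:
            # Once locked, nothing typed at the login form changes the answer: guessing cannot continue.
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.verifier):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self.blocked_ips[ip] = self.clock() + IP_BLOCK_SECONDS
            for contact in acct.contacts:   # "by all means of contact that they have on file"
                self.notifications.append(
                    (contact, f"Account '{username}' locked after {MAX_FAILURES} failed logins from {ip}"))
            return "locked"
        return "denied"

    def reactivate(self, username, new_password):
        """Out-of-band reset, e.g. after the owner phones customer service (unclefester's bank below)."""
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.verifier = hash_password(new_password, acct.salt)
        acct.failures = 0
        acct.locked = False


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery", ["alice@example.invalid", "+1-555-0100"])
    for guess in ("wrong1", "wrong2", "wrong3", "correct horse battery"):
        print(guess, "->", svc.login("alice", guess, "203.0.113.7"))
    print(svc.notifications)
```

Note that the lockout counter is per account, not per IP: an attacker who spreads guesses over many addresses still hits the three-strike limit, while the IP block only adds friction for the address that triggered it. The price, as darknexus says, is that a third party can lock someone out on purpose, which is why the reset has to be a separate, authenticated channel rather than another password prompt.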

RE[2]: Comment by Luminair
by kwan_e on Sat 10th Nov 2012 12:13 in reply to "RE: Comment by Luminair"
kwan_e Member since:
2007-02-18

Passphrases don't work everywhere. Many sites either won't let you have spaces, require you to have numbers, limit you between 8 and 12 characters, disallow certain punctuation marks, etc.

The main reason, as I understand it, is that those rules are there because of the outdated ideas about how to make secure passwords such as having numbers etc.

But the way to go has to be passphrases, and this technique needs to be taught. A passphrase can be much longer and thus more secure without much more memorization than a normal password.

Even z/OS now has support for passphrases. That is how out of date plain old passwords are.

Edited 2012-11-10 12:13 UTC

Reply Parent Score: 3

RE[2]: Comment by Luminair
by unclefester on Sun 11th Nov 2012 01:37 in reply to "RE: Comment by Luminair"
unclefester Member since:
2007-01-13

My bank locks the online account after three failed password attempts per day. You are required to phone customer service to reset the password.

Reply Parent Score: 2

RE: Comment by Luminair
by Doc Pain on Sun 11th Nov 2012 03:38 in reply to "Comment by Luminair"
Doc Pain Member since:
2006-10-08

While simple words or phrases could be "guessed" by dictionary-based attacks, their concatenation introduces many more permutations, as in your example:

compactdisksareOLD!
dogseatpoopbutIdont
wheninromehavesexwithromangirls


Words like "compact", "disks", "are", "old", "dogs", "eat", "poop", "but", "I", "dont" and so on would be a simple target. Concatenating simple words to form a new word perfectly fits the current startup naming culture. No need to introduce spelling errors here. :-)

An alternative is to learn intentionally "mis-spelled" artificial words that you can remember easily, but that won't show up in any dictionary, not even partially.

Some examples:

Mowdoodenlompar
Gnortlingsobiddenpoul
Gickbreddlequeckenrommodune

You can easily pronounce them and "learn their written representation". You could even say them to someone, but without the knowledge on how to write them it won't be useful.

A slight modification of this approach is to write one of the words of your native language in either a typeface-oriented or a pronunciation-oriented "emulation".

Examples:

WKOJIANgOM
derived from школаидом - школа и дом (school and house)

Rule: Make the word look as if it had been written with Cyrillic letters. Use fantasy as needed.

Advantage: As long as you restrict yourself to the "normal letters", you can even enter the password in "severely limited environments", e.g. in those where you cannot enter "non-English characters", maybe due to a misconfiguration or missing support.

DeeOumarHuttUynanHootOuf
derived from Die Oma hat einen Hut auf (the grandmother is wearing a hat, literally "has a hat on")

Rule: Construct a word that, if read (and pronounced) properly in English, would sound like the corresponding word (or sentence) in German. Ignore any possible accent.

Combine all discussed methods for optimum security. :-)

Reply Parent Score: 2

RE: Comment by Luminair
by UltraZelda64 on Sun 11th Nov 2012 05:03 in reply to "Comment by Luminair"
UltraZelda64 Member since:
2006-12-05

compactdisksareOLD!
dogseatpoopbutIdont
wheninromehavesexwithromangirls

passphrase. its whats for dinner. (passphraseitswhatsfordinner)

Meh. Only your first example has both capital letters and symbols (in this case, a single exclamation point), and your second one has one single capital letter. Your last two win the length contest, but they're still only lower case letters. They would probably also fail a dictionary attack relatively easily. So I disagree; those passwords are actually quite weak. They're probably better than what most people use, though. Use a mix of lowercase, caps, numbers *and* symbols for the best effect...

Edited 2012-11-11 05:18 UTC

Reply Parent Score: 2

RE[2]: Comment by Luminair
by Luminair on Sun 11th Nov 2012 09:19 in reply to "RE: Comment by Luminair"
Luminair Member since:
2007-03-30

Those passphrases are long enough to be secure even with all lower-case letters and English words. They will not be brute-forced or dictionary-attacked because it would take too long.

Reply Parent Score: 2
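UltraZelda64 and Luminair are arguing about two different attack models: a character-by-character brute force, where mixing classes helps, and a word-combination attack, where only the number of words and the size of the attacker's wordlist matter. The added example below (written for this thread; not from either commenter or the linked articles) estimates both for the phrases posted above and for a random 8-character mixed password, and reports the weaker of the two. The 20,000-word attacker dictionary, the 10^10 guesses/second rate and the small inline word list are constructed assumptions; the word model deliberately ignores capitalization and symbols, so it is a conservative, attacker-favourable bound.

```python
import math

ATTACKER_DICTIONARY = 20_000   # assumed size of the wordlist an attacker combines (constructed figure)
GUESSES_PER_SECOND = 1e10      # assumed offline guessing rate (constructed figure)

# Constructed mini word list, just enough to segment the phrases in this thread. Only ATTACKER_DICTIONARY
# feeds the bit estimate; this set decides whether a string *can* be segmented into dictionary words.
WORDS = {
    "when", "in", "rome", "have", "sex", "with", "roman", "girls",
    "compact", "disks", "are", "old", "dogs", "eat", "poop", "but", "i", "dont",
    "pass", "phrase", "passphrase", "its", "whats", "for", "dinner",
}


def charset_size(password):
    """Size of the smallest printable-ASCII alphabet a brute-force search must cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33   # printable ASCII punctuation and space
    return size


def brute_force_bits(password):
    """log2 of the character-level search space (UltraZelda64's model)."""
    return len(password) * math.log2(charset_size(password))


def min_words(letters):
    """Fewest dictionary words that concatenate to `letters`, or None if no segmentation exists (DP)."""
    best = [None] * (len(letters) + 1)
    best[0] = 0
    for end in range(1, len(letters) + 1):
        for start in range(end):
            if best[start] is not None and letters[start:end] in WORDS:
                candidate = best[start] + 1
                if best[end] is None or candidate < best[end]:
                    best[end] = candidate
    return best[len(letters)]


def dictionary_bits(password):
    """log2 of the word-combination search space (Doc Pain's concern); None if it is not made of words."""
    letters = "".join(c.lower() for c in password if c.isalpha())
    words = min_words(letters) if letters else None
    if words is None:
        return None
    return words * math.log2(ATTACKER_DICTIONARY)


def effective_bits(password):
    """An attacker picks the cheaper model, so the effective strength is the minimum of the two."""
    estimates = [brute_force_bits(password)]
    d = dictionary_bits(password)
    if d is not None:
        estimates.append(d)
    return min(estimates)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate at `rate` guesses per second (average success takes half that)."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def report(password):
    bits = effective_bits(password)
    return {
        "password": password,
        "brute_force_bits": round(brute_force_bits(password), 1),
        "dictionary_bits": None if dictionary_bits(password) is None else round(dictionary_bits(password), 1),
        "effective_bits": round(bits, 1),
        "years_to_exhaust": years_to_exhaust(bits),
    }


if __name__ == "__main__":
    for pw in ("xK7#pQ2v", "compactdisksareOLD!", "dogseatpoopbutIdont",
               "wheninromehavesexwithromangirls", "passphraseitswhatsfordinner"):
        print(report(pw))
```

Under these assumptions the random 8-character mixed password sits at about 52.6 bits and is exhausted in days at the assumed rate, while the all-lowercase seven-word phrase comes out at roughly 114 bits even when the attacker is handed a perfect wordlist, which is Luminair's point. The model also shows the limit of Doc Pain's objection: the word attack is the cheaper one for every phrase here, so a four-word phrase like the first example gains less from its trailing "OLD!" than its character count suggests, and a made-up word that no dictionary can segment falls back to the character model.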