Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
Thread beginning with comment 542109
To view parent comment, click here.
To read all comments associated with this story, please click here.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2007-02-18
But, and as I've repeatedly stated, if you use a password hash generator (plenty of free tools online) then you can have a memorable password and a secure password.
Basically, find an online password hash generator, use the same password for every website / application and a salt being the site/app name. For example, using http://www.insidepro.com/hashes.php I could do the following:
password "i like steak"
hash "osnews.com"
user "laurence"
and I would get a password of something like "fK8dyanyjaLzEqohAixCjl+FbLbELvwphJPC0yce7xY7ZuO0TP4OBGZ/a/iqqvquh9Ht Q+5Pwcoq8nOa5rGlvQ==" for a sha512 encoding.
That's a random password which is 88 characters long, unique for each website and memorable (as all I need to remember is "i like steak" for every site.
That method is far more secure than using a passphrase.
Basically, find an online password hash generator, use the same password for every website / application and a salt being the site/app name. For example, using http://www.insidepro.com/hashes.php I could do the following:
password "i like steak"
hash "osnews.com"
user "laurence"
and I would get a password of something like "fK8dyanyjaLzEqohAixCjl+FbLbELvwphJPC0yce7xY7ZuO0TP4OBGZ/a/iqqvquh9Ht Q+5Pwcoq8nOa5rGlvQ==" for a sha512 encoding.
That's a random password which is 88 characters long, unique for each website and memorable (as all I need to remember is "i like steak" for every site.
That method is far more secure than using a passphrase.
I still fail to see how a cracker tool can tell, even with the information that a string is 88 characters long, that the user chose to go with a password hash and not a password phrase.
If a cracker tool is sophisticated enough to figure that out, it may as well be sophisticated enough to figure out which tool you used to generate your hash and what you put in as the parameters. It's a few more levels of indirection, but you've basically still used a passphrase. It's just the passphrase is for different data.
Member since:2007-03-26
I still fail to see how a cracker tool can tell, even with the information that a string is 88 characters long, that the user chose to go with a password hash and not a password phrase.
They don't need to know - they just work on the assumption it is a standard passphrase because that's how most people have engineered their passwords and that's the routine that returns the most results for the least effort.
If a cracker tool is sophisticated enough to figure that out, it may as well be sophisticated enough to figure out which tool you used to generate your hash and what you put in as the parameters. It's a few more levels of indirection, but you've basically still used a passphrase. It's just the passphrase is for different data.
You're thinking about this backwards. You're arguing that because the attacker doesn't know the type of password you'd be using that they wouldn't be able to use an appropriate routine to crack your password. That simply isn't true.
As I've stated before, attackers will use routines such as dictionary attacks to gain access to as many accounts as they can with as little effort as they can. Then worry about using a "blunter" brute force routine to catch the remainder should they need to.
Using a longer random password using the methods I've exampled will protect you from both dictionary attacks and against most brute force attacks (due to the length of the generated password hash and computation time required to match it). You're also relatively secure against poorer security on the server's databse end (eg lack of a password hash or even clear text passwords) as you have a unique password for each site - thus minimizing cross-site damage to zero.
Using a passphrase will only protect you if you manage to pick words that aren't already stored in the massive dictionaries available - which is quite a risk give the size and intuition of these dictionaries.
This makes good further reading as it's actually real world security researchers describing the very attack methods I'm discussing and how easy it makes cracking passphrases: http://arstechnica.com/security/2012/08/passwords-under-assault/
So anyone who doubts the truth behind the points I'm raising, then I implore you to have a read. (And I really wish more technology commentators read similar articles before giving security advice as well - because even some of the best technology experts aren't specialises in security and thus have an outdated understanding of modern cracking techniques).
Edited 2012-11-12 11:24 UTC
Features
Linked by Thom Holwerda on 06/13/13 14:35 UTC
The third and final WWDC product I want to talk about is - of course - OS X 10.9 Mavericks. While iOS 7 was clearly the focus of this year's WWDC, its venerable desktop counterpart certainly wasn't left behind. Apple announced OS X 10.9 Mavericks, the first OS X release not to carry the name of a big cat.
Linked by Thom Holwerda on 06/11/13 17:07 UTC
We already talked about iOS 7 yesterday (after a night of sleep, it's only looking worse and worse - look at this, for Fiona's sake!), so now it's time to talk about the downright stunning and belly flutters-inducing new Mac Pro. As former owner and huge, huge, huge fan of the PowerMac G4 Cube - I haven't been this excited about an Apple product since, well, I would say the iMac G4. This is the Apple I used to love.
Linked by Thom Holwerda on 06/10/13 23:13 UTC
Apple held its big keynote event thing at WWDC earlier this evening, but since I was away with friends I've had to read up on it later in the evening. The company announced iOS 7, OS X 10.9 Mavericks, and they gave a preview of the new Mac Pro. Especially the Mac Pro impressed me, and while iOS 7's new Holo/Metro-inspired theme looks messy and garish to me, I do commend Apple for finally breaking the mold. This news item will focus on iOS 7 - I'll dive into the Mac Pro and OS X 10.9 tomorrow (it's late here now).
Linked by Thom Holwerda on 06/08/13 14:57 UTC
And yes, the PRISM scandal is far, far from over. More and more information keeps leaking out, and the more gets out, the worse it gets. The companies involved have sent out official statements - often by mouth of their CEOs - and what's interesting is that not only are these official statements eerily similar to each other, using the same terms clearly designed by lawyers, they also directly contradict new reports from The New York Times. So, who is lying?
Linked by Thom Holwerda on 06/07/13 11:40 UTC
This story is getting bigger and bigger. Even though most Americans probably already knew, it is now official: the United States government, through its National Security Agency, is collecting the communications and data of all American citizens, and of non-Americans using American services, through a wide collaboration with the large companies in technology, like Apple, Google, Microsoft, Facebook, and so on. Interestingly enough, the NSA itself, as well as the US government, have repeatedly and firmly denied this massive spying on Americans and non-Americans took place at all.
Linked by Thom Holwerda on 06/04/13 12:45 UTC
Ah, patents - the never-ending scourge of the technology industry. Whether wielded by companies who don't actually make any products, or large corporations who abuse them because they can't compete in the market place or because they're simply jerks, they do the industry a huge disservice and are simply plain dangerous. According to The Wall Street Journal (circumvention link), president Obama is about to take several executive actions to address patent trolls - which may seem like a good idea, but I am very worried that all this will do is strengthen the positions of notorious patent system abusers such as Apple and Microsoft.
Linked by nfeske on 05/31/13 10:12 UTC
With version 13.05, the developers of the Genode OS Framework take measures to ensure that Genode continues to scale well with a growing number of users and the steadily broadening platform coverage. Further highlights are the improved SoC support for Exynos 5, OMAP4, Raspberry Pi, i.MX, and new components for realizing headless systems.
Linked by Thom Holwerda on 05/29/13 16:59 UTC
At the D11 conference, Apple CEO Tim Cook once again took the stage to be interviewed by Walt Mossberg and Kara Swisher. While most of the interview can be replicated by picking and reading 10 random Apple fanblog stories - there were still a number of very interesting things that warrant some closer scrutiny.
Linked by Thom Holwerda on 05/24/13 17:26 UTC
So, the Xbox One disaster continues. Microsoft's policy for dealing with the used games market has reportedly leaked - and it's a clear and direct attack to destroy the used games market. Prices for used games will be set at the retail value of a new game, and retailers have to hook into Microsoft's computer systems and comply with Microsoft's terms and conditions.
Linked by Thom Holwerda on 05/21/13 21:38 UTC
At an event earlier today, Microsoft unveiled the next Xbox - the third model, but confusingly named Xbox One. The big focus was TV, integrated Kinect, and all the other stuff we all expected to be forced down our throats. I think it took them 25 minutes to actually come to what should be the core of the story: gaming. Nothing groundbreaking in the gaming department, except for how Microsoft intends to handle the used games market and borrowing games from friends: pay up, buddy!More Features »
Sponsored Links
Member since:
2007-03-26
But, and as I've repeatedly stated, if you use a password hash generator (plenty of free tools online) then you can have a memorable password and a secure password.
Basically, find an online password hash generator, use the same password for every website / application and a salt being the site/app name. For example, using http://www.insidepro.com/hashes.php I could do the following:
password "i like steak"
hash "osnews.com"
user "laurence"
and I would get a password of something like "fK8dyanyjaLzEqohAixCjl+FbLbELvwphJPC0yce7xY7ZuO0TP4OBGZ/a/iqqvquh9Ht Q+5Pwcoq8nOa5rGlvQ==" for a sha512 encoding.
That's a random password which is 88 characters long, unique for each website and memorable (as all I need to remember is "i like steak" for every site.
That method is far more secure than using a passphrase.