If you want to ensure you have adequate passwords but don’t have the time or interest to study the topic, there’s a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
Pick a couple of words, at least one of them in your local dialect (to avoid dictionary attacks) and stick them together with numbers like this:
Coca300ColaInEmpireStrikesBack (imagine Luke drinking 300 cans of Coke)
Or make a phrase that you can easily remember:
IWant14XtraVacationDaysAfterEaster
YesINEED3cupsofcoffeeEVERYsingleday
..don’t forget to insert at least one word in your local dialect.
Os use http://xkcd.com/936/
A really good password should include, I’d say, at the very least 12 characters (more is better; most of mine are at least 25 characters long), and include both upper and lower case letters, numbers and symbols. How many of each specific letter/number/symbol is not really important, at least compared to the total length of the password itself.
The thing to try to achieve is lowering the chance of any kind of brute-force attack to be successful within a reasonable time period by increasing the total number of possibilities for each individual character. The more varied the characters in the password, the stronger it is–even with a given number of total characters. If at least one of each group of characters is used (uppercase, lowercase, symbols, numbers), every added character adds a large number of possibilities to have to go through in order to be able to successfully brute-force the password.
Length and complexity are the key; the idea is to increase the total number of possible combinations to make it take an extremely long time to crack, and each added character adds to that time. But equally importantly… don’t use the same username/password combo across more than one site! This is especially true with passwords used for sensitive (ie. bank) accounts. You don’t want to use those ones for web forums, online VoIP services, online pizza delivery services, etc.
Steve Gibson and Leo Laporte have talked a lot about this on Security Now. Here is a link useful page on Steve’s site with an interesting clip halfway down the page taken from one of their podcasts (episode 303, I believe):
https://www.grc.com/haystack.htm
His pseudo-random password generator is also useful, and the podcast itself tends to be a good listen.
Edited 2012-11-11 04:43 UTC
Congratulations, your technical credibility just went rock-bottom.
Edited 2012-11-11 05:55 UTC
Care to say what your references are, what your complaints are of his views on security, and how you do things differently? Many of the things I do really are, IMO, common sense and can be found at various web sites; Steve just happens to have made a few podcast episodes that put it all together and explains it nicely in ways that are easy to understand.
That said, just go use the password “pee” or “poop” or something like that if you want. As far as I know he never recommended anything like that, so it must be safe!
Edited 2012-11-11 06:04 UTC
Gibson’s reputation among actual security professionals is shoddy at best and a joke, or even fraud, at worst.
For some insight into the matter (with links to further reading): https://allthatiswrong.wordpress.com/2009/10/11/steve-gibson-is-a-fr…
Edited 2012-11-11 09:24 UTC
Funny, because Mark Russinovich was on a recent episode of Security Now as a guest to talk about a sci-fi book he wrote, so apparently Mark must get in contact with Steve and not think he’s a total joke like that blog post would like you to believe… and that article specifically mentions Mark as one of the greats to look up to. Ironic.
Yeah, my local dialect is standard US English. So, I think I need to write my own language for that to work. HaobwoHut tihdiesa?
Unfortunately all of those things are easily crackable by current attack algorithms.
Common misconceptions with password security:
* concatenating words together is more secure == false. Modern attacks use a dictionary of words and tries combinations of such words concatenated.
* using txt spk / l33t style words are harder to crack than common words == false. Modern dictionaries have every imaginable combination of number and non-alpha/numeric substitutions of letters as well as plain English words.
* using non-English words are more secure == false. Dictionaries include words from most languages, proper-nouns and even slang that isn’t technically part of any language.
Password cracking has come a long way in the last few years and current security advice hasn’t kept up with development. In my opinion there’s only 3 things you can do to have a truly secure password:
1/ use a password hash. This will be a mixture of alpha, numerics and symbols. Generate this hash from any site like this: http://www.insidepro.com/hashes.php?lang=eng and have the website / application name as the salt and the same password as the password. This way you get a unique, non-guessable password for each service and an easy way for you to “keep” your passwords without having to write them down nor store them in any digital keychains.
2/ use a unique password for each service. I’d already mentioned that above, but it’s so important it needs repeating.
3/ at all times possible, use key based systems (eg SSH keys instead of login passwords). Even just 2048bit RSA keys are significantly more difficult to crack than 99% of passwords. Sadly though, key based systems are rarely available for most systems.
Password security isn’t difficult, however there’s a lot of outdated advice that people still hold tight to.
Edited 2012-11-11 11:36 UTC
I’m ignorant on these matters, but I don’t see how passphrases could feasibly be cracked using dictionary based attacks.
The number of possible words and alternate “spellings” is large, especially if you consider multiple languages as you’ve mentioned.
You also mentioned “without writing it down”, but I was under the impression that was also out of date ideas about password protection. The chances of someone physically getting your password is practically zero, since most people won’t risk it, most people aren’t that important, and those who do risk stealing things generally aren’t after written down passwords (assuming they know the username the person uses).
Edited 2012-11-11 14:44 UTC
While you’re right that such attacks would require massive dictionary of words – it’s still significantly more streamlined than a typical ‘brute force attack’ which will try every character combination individually.
You’re talking about ‘security through obscurity’ and that’s a pretty bad philosophy to have.
There’s been cases where ‘normal’ individuals like ourselves have become over-night public figures because of stories that break out in the press (eg relatives of crime suspects) and have subsequently been stalked over social media by reporters after a cheap story.
There’s also cases about answer phone hacking that broke out earlier this year and many of those cases were against regular people.
And finally, regular people do get their accounts hacked all the time (eg my Paypal account was hacked a few years ago)
So don’t think that your relative obscurity will protect you.
Edited 2012-11-11 21:00 UTC
But from the point of view of the cracker, a passphrase containing words is indistinguishable from a password of the same length with random letters, numbers and symbols.
First, they have to make the assumption that the passphrase is made of words, rather than just a long password. Then they have to test out combinations of words. So you have word choices of possibly over 10,000 words per word; you have alternative “spellings” of those words which can be a mixture of capitals and lower case and numbers making the word choice at least twice as many; then you have combinations of words for an unbounded number of words in the sentence. Then there’s the problem of how the words are joined together.
A quick search doesn’t turn up anything significant about dictionary based attacks on passhprases for me, so I don’t know how much research has been done on it.
[/q]
I’m not talking about security through obscurity, but the relative unlikeliness that a password written down will be any less safe. Your hacked Paypal account was not hacked because you wrote down your password and it was copied somehow. None of the hacking cases, as far as I know, was because they wrote down the password.
The threat of hacking is not remedied by obscurity, but the stealing of passwords that are written down is mitigated by obscurity.
There’s been a few articles in recent times about the whole “don’t write down the password” being outdated advice. People regularly forgetting passwords and needing them to be reset opens up to many potential mim or phishing attacks posing as the password reset service.
That’s besides the point as crackers are using the method I described and for the reasons I’ve described. Hence why I advised using random characters instead.
they do make that assumption because they understand user habits when creating passwords. As I’ve already stated, so many passwords have been leaked in recent years that there’s a wealth of data to build more intelligent routines. Gone are the days when “dumb” brute force attack was the preferred method of attack.
Indeed, but that’s still significantly permutations that a blind brute force attack.
That’s because, and as I’ve already stated, the old advice is still pretty much widespread. I’ve been following blogs of a number of security researchers in recent years (as my profession is moving into that arena) and the advice I’m giving is what I’ve read industry experts advice.
The only people I’ve seen that suggest otherwise are blogs by journalists and system administrators – which with the greatest of respect to them, are not working as close to this field to understand the latest developments in cracking. Much like how I wouldn’t expect professional application develops to keep up with the latest security patches for *nix platforms. After all, IT is a massive field these days.
Anyhow, I’ll have a dig out for some of the blogs I’ve read that supports these claims I’m making. If you don’t mind checking back in a couple of hours
Here’s a link describing how crackers now use dictionary based attacks:
http://arstechnica.com/security/2012/08/passwords-under-assault/
(sorry for replying to you over two posts – i didn’t spot the 2nd half of your reply until I’d already responded)
Which is what “security through obscurity” means. I do sympathise with your sentiment, but discussing the likelihood of being targeted or having a stored password located does fall under security through obscurity. and while you are right that the likelihood is low, I’d rather offer up some genuine security advice instead of luring people into complacency. After all, unlikely scenarios do haven all the time.
The advice I have was to use a hash generator to provide a random password. This way you don’t need to store passwords as you only need to remember 1 password (and the salt, but the salt will be your application / website name) and from that you can just generate your password each time you need to log in and you can guarantee to have the same password for that service each time.
Thus with my method, you have a random, unique and secure password for each service – and not be forced into a position of having to write your passwords down. it’s a win-win.
Edited 2012-11-12 09:16 UTC
Use lower case: 26 possibilities
Use upper case: 26 possibilities
Use numbers: 10 possibilities
Use punctuation: 32 possibilites
Use them all: 94 possibilities per character
Using English is the easiest way to fall victim to dictionary attacks. Put in another language and suddenly the cracker would have to include 20+ dictionaries. Put in a dialect and the cracker would need to put 2000+ dictionaries in.
How can you possibly claim that increasing the possibilities is _not_ more secure?
You’re missing my point. Modern attacks aren’t the old style brute force attacks which would try every combination of character. Instead they have every more sophisticated dictionaries (I’m not sure if those are hardcoded possibilities or heuristics).
The problem is we’ve had an influx of leaked passwords over recent years. Nearly every month another website gets hacked and passwords are leaked – and this provides a massive amount of source to learn user behaviour when selecting passwords which in turn allow attacked to build more intelligent cracking tools.
So I’m not saying that your examples are less secure than having plain English passwords; what I’m saying is that such passwords isn’t more secure these days. What is more secure is a random hash of characters or doing away with passwords entirely – which is what I actually advocated if you go back and re-read my post.
You’re kind of switching the bait here.
The second paragraph only provides knowledege for old style single-word passwords. A passphrase is made up of multiple words, which is much more difficult to analyse behaviour.
Assuming that the cracker somehow can distinguish a passphrase from a long password, they’re just confronted with using an almost brute force attack on the word combinations.
Using a 10,000 word dictionary, a passphrase of five words is a space of 100,000,000,000,000,000,000 possibilities. The English language alone has about 250,000 words depending on the OED estimate.
I’m really not. I might not be explaining things that well (English isn’t me strongest skill), but my advice here has been consistent.
You’re making an assumption that dictionary attacks can only work against a single instance within the dictionary file. What modern dictionary attacks actually do is use a the dictionary as a basis for a “brute force-style” attack.
Let me explain this better:
the old style brute force attack would try every character permutation (eg (if you don’t mind some crude regex) m/[0-9a-zA-Z]/ and any symbols opted for).
Modern dictionary attacks use the dictionary as a bases for building the permutations. So if the dictionary file has: add, dad, bad then the attack will use add, dad, bad, addadd, adddad, addbad, dadadd, daddad, dadbad, badadd, baddad, badbad plus the “l33t” variants (“d4d”) formating variants (“dad dad”, “dad!”) and so on.
So while it’s technically still a dictionary based attack, it’s significantly more sophisticated than a standard dictionary attack yet also significantly quicker to run through likely permutations than the old style brute force attack.
Indeed. But the point is that’s still massively quicker than doing every character permutation.
To put it another way, you stated that 5 word match might offer up 10^19 combinations (which I think is an over-estimate, but I’m still willing to use those figures), using a standard brute force attack offers up (10+26+26+20)^16 combinations (10 numeric characters, 26 alpha in both cases and 20 symbols) for a 16 character sequence. That works out at 2044140858654976 possible solutions and that’s not even the entire length of an average 5 word string (which is what you’re basing your example on).
So an intelligent dictionary attack really is the better cracking routing and why you have to assume that attackers are using it.
This is getting beyond my level of expertise, but what I’m saying is generating a password of five words is different to figuring out that the password actually has five words.
10^19 is just a lower bound for a 10,000 word dictionary. Counting variations of those words, whether it’s a change in casing or a numerical substition, you have at least an order of magnitude more word choices for each word. There’s no requirement for there to be syntactical or grammatical structure to the passphrase.
z/OS supports passphrases of 100 characters long, which may be 10 or 20 words long, which obviously has a greater space of valid passwords than the 20 character passwords boxes that some sites are adopting. A 20 word sentence is more memorizable than a 20 character random string let alone a 100 character random string.
But, and as I’ve repeatedly stated, if you use a password hash generator (plenty of free tools online) then you can have a memorable password and a secure password.
Basically, find an online password hash generator, use the same password for every website / application and a salt being the site/app name. For example, using http://www.insidepro.com/hashes.php I could do the following:
password “i like steak”
hash “osnews.com”
user “laurence”
and I would get a password of something like “fK8dyanyjaLzEqohAixCjl+FbLbELvwphJPC0yce7xY7ZuO0TP4OBGZ/a/iqqvquh9Ht Q+5Pwcoq8nOa5rGlvQ==” for a sha512 encoding.
That’s a random password which is 88 characters long, unique for each website and memorable (as all I need to remember is “i like steak” for every site.
That method is far more secure than using a passphrase.
I still fail to see how a cracker tool can tell, even with the information that a string is 88 characters long, that the user chose to go with a password hash and not a password phrase.
If a cracker tool is sophisticated enough to figure that out, it may as well be sophisticated enough to figure out which tool you used to generate your hash and what you put in as the parameters. It’s a few more levels of indirection, but you’ve basically still used a passphrase. It’s just the passphrase is for different data.
They don’t need to know – they just work on the assumption it is a standard passphrase because that’s how most people have engineered their passwords and that’s the routine that returns the most results for the least effort.
You’re thinking about this backwards. You’re arguing that because the attacker doesn’t know the type of password you’d be using that they wouldn’t be able to use an appropriate routine to crack your password. That simply isn’t true.
As I’ve stated before, attackers will use routines such as dictionary attacks to gain access to as many accounts as they can with as little effort as they can. Then worry about using a “blunter” brute force routine to catch the remainder should they need to.
Using a longer random password using the methods I’ve exampled will protect you from both dictionary attacks and against most brute force attacks (due to the length of the generated password hash and computation time required to match it). You’re also relatively secure against poorer security on the server’s databse end (eg lack of a password hash or even clear text passwords) as you have a unique password for each site – thus minimizing cross-site damage to zero.
Using a passphrase will only protect you if you manage to pick words that aren’t already stored in the massive dictionaries available – which is quite a risk give the size and intuition of these dictionaries.
This makes good further reading as it’s actually real world security researchers describing the very attack methods I’m discussing and how easy it makes cracking passphrases: http://arstechnica.com/security/2012/08/passwords-under-assault/
So anyone who doubts the truth behind the points I’m raising, then I implore you to have a read. (And I really wish more technology commentators read similar articles before giving security advice as well – because even some of the best technology experts aren’t specialises in security and thus have an outdated understanding of modern cracking techniques).
Edited 2012-11-12 11:24 UTC
Since that’s the strategy, it doesn’t really make passphrases any less secure since they’re just going to attack a whole lot of accounts and get as much as they can. There will always be people with weak passphrases.
There’s nothing stopping crackers from targeting password hash generators either.
But nearly all passphrases are weak and that’s why they’re less secure. I’ve stated this several times now. In fact, did you even read the fucking link I provided?
The whole passphrase point is taken directly from professional security experts who specialise in cracking passwords and thus hardening systems against such attacks. But as usual, you know better.
I swear to God, sometimes chatting on here is like pulling teeth <_<
You can’t target hash generators for my method. the hash generator is only used as a method to create a random password. You could just as easily mash the keyboard for all the difference it makes. Except with my method you don’t need to store the password anywhere.
You haven’t the slightest idea what you’re talking about, so I beg you, please, for the love of God, read the link I provided. Do yourself a favour and educate yourself on this subject because at the moment it’s pretty clear that your understanding is outdated at best.
Why can’t you target hash generators? After all, to generate your hash, you’re basically using a passphrase and the website for the salt.
If passphrase cracking is as easy as you say it is, then it’s just as easy for a cracker to figure out the passphrase you use to generate the hash.
Edited 2012-11-12 13:27 UTC
I’d already answered that.
The method used to create the hash is irrelevant in this specific context. Whether you used a hash generator or randomly mashed the keys on the keyboard – the password is still a random character string and it’s that password that you need to crack. Knowing the method used to create the password would, at most, only tell you which characters to include in your brute force attack (eg base64 encoded sha512 hashes will have 0-9. a-z, A-Z + and /. Where as another random character string could include different characters.
What you’re thinking about is the storage of passwords in hashes – which is completely different.
If you store a password in a hash then you can use a hash table to match hash strings and effectively reverse engineer the originating password. But the password itself wouldn’t be a hash. That password could be a passphrase or any other password that the user chose.
So using a hash as a password itself doesn’t leave itself vulnerable to detection based on the hash generator used. Using such a generator is just an arbitrary method to produce an arbitrary random string.
No, you’re getting yourself completely muddled there.
The only possible way you could find out the passphrase for the hash used in my method would be if you found out the output password; and if they know that then they already have your password so there’s no bloody point trying to find the passphrase used to generate that password as they already have your login details lol.
My method is little different to randomly mashing a keyboard in terms of the password generated. Except I provide a way to exactly repeat the random mashing in a secure way. However the attack would only ever have exposure to the end result so could not and would not care about the method used to create the password (ie whether it was random keyboard mashing, password generator or a hash generator).
They don’t need to know your password. They just need to know if the hash they generated managed to authenticate themselves to a site as you. ie:
1) Estimate your passphrase
2) Generate the hash
3) Use the hash to try and authenticate
Sure, it’s a few extra steps than
1) Estimate your passphrase
2) Use the passphrase to try and authenticate
It’s one more level of indirection, but it still begins with a passphrase.
lol it’s not nearly as simple as that.
Even just one character different will generate a completely different string of characters. So they have to know all of the following precisely:
* how you decide your salt (ie is it the full website address inc protocol handler, the URI or just the website name?
* the passphrase (obviously)
* how the salt is encoded into the passphrase (eg is the salt and passphrase concatenated, and if so in which order? or is the passphrase hashed then the hash salted? etc)
* exactly which encoding algorithm used (there’s multiple different routines for sha alone. So it’s not even a simple as predicting everyone would use sha512)
* which output encoding (will the output be a standard ASCII character string? Will it be Base64 encoded? is it unicode?)
* has there been any post processing (eg has the output hash been tampered with?)
Sure you could make a number of assumptions, but the level of complexity involved is massive and the difference between getting one details even 99% right but not completely accurate is the difference between eventually cracking the password and never cracking it ever.
So no, in all practicality you cannot reverse engineer in the method you describe and using “raw” passphrases like you keep advocating is still quite a bit less secure in comparison.
Seriously mate, I urge you to read up on this stuff as there’s clearly some large gaps in your understanding here; which would be fine if you were asking questions, but instead you’re trying to argue facts based on these gaps of knowledge and -with the greatest of respect- it’s getting quite frustrating having to debunk all these misconceptions which you’d easily be able to debunk yourself if bothered to do a little independent research
If they can analyze raw passphrases for behavioural patterns in chosen words, they can surely do the same for the salt. As you say before, they don’t have to break everyone’s – just the easy ones.
They can just use the service to generate the hash, so they don’t even need to figure it out. They’ll probably be able to automate the whole process and just target the, say, top 20 most used generators.
They wouldn’t need to reverse engineer. They could figure out the most popular generators and get those generators do the work of generating. All they will have to do is to get all the output variants and try it. They could even just use the web service you linked to, feed in its guesses, then scrape the returned webpage for the generated hashes.
I’m not even trying to argue anything.
You can’t unless salts like that get leaked. They never have.
This is another example how why you need to read up on the subject. It’s not as simple as you state there. There’s a number of different ways a salt can be incorporated and each method would create a completely different and incompatible result.
That’s exactly what I was discussing what I said “reverse engineer”.
Given the massive range of variables involved, what you’re describing would be the least accurate password attack routine to target the smallest subset of passwords (as not everyone currently employs this method). Maybe if 10 years from now everyone used my method, then you’d have a point – after all, security is an ever evolving fight. However in the current here and now, trying to identify which routine created the hash and then what the input values were for that is such an impracticality that brute force attacks are much more efficient. Thus making such hashes a reliable password generator.
As always, things might change in later years (just as how passphrases were best practices in security just a few years previously). But at the moment, what I’m recommending is a decent solution
to be honest, I’m not convinced that you’re now just trolling me.
Edited 2012-11-12 15:47 UTC
Well on the one hand you talk about the mathematical strength of password hashes, but then switch to practical considerations when talking about the weakness of passphrases.
It’s almost a useless comparison. You can’t talk about how passphrases are weak because the crackers do a massive spray-and-pray but then say password hashes are strong if we don’t take into account similar spray-and-pray.
Let’s just call it reciprocated trolling.
Clearly you haven’t a fucking clue what you’re talking about if that’s the conclusion you came to.
I’ve provided evidence to substantiate my claim but I guess you’d rather remain stupid. And good for you – every community needs an idiot.
I haven’t a fucking clue what you were talking about because you kept switching back and forth between theoretical and actual attacks.
I never did such thing.
You were the one playing devils advocate with theoretical attacks on the method I was suggesting to generate passwords and kept responding why such attacks don’t currently exist.
I always focused on attacks that are already in use today – and you’d know that if you bothered to read the f–king links I provided.
so don’t you even dare blame me because you’re too technologically inept to hold even the most basic conversation on pen testing. After all, you said yourself you’re ignorant to such matters at the start of this discussion – pity you didn’t stop to listen to someone more experienced than yourself instead of acting like a prick.
But, at least I should be grateful as it’s egotistical novices like yourself that keep me employed – and trust me when I say that I get paid well to fix the f–k ups that you pseudo-techies make
Edited 2012-11-13 11:50 UTC
I probably should apologize for the crappy tone of me recent posts. But in all seriousness, the confusion is entirely at your end. You kept confusing the different stages of the process and raising hypothetical arguments of attacks (which you’re somehow now blaming me for?)
If you did a little research into this you’d see the circular arguments you keep raising, and then when you started accusing me of the above, well it’s no wonder I lost my temper.
I’m sure you’ve had similar arguments with people where they’ve failed to grasp basic concepts then accused you of switching contexts because they were incapable of wrapping their heads around the basic theory you were trying to outline.
You don’t strike me as unintelligent, so this clearly isn’t beyond you; however the arguments you raise made little sense. So I really do suggest you do a little reading up on security blogs (and I mean ones written by respected pen testers – there’s a lot of idiots out there who publish grossly misleading (and often down right inaccurate) information). It’s scary just how sophisticated some attacks are (which is why I’m a huge advocate of using key based systems to do away with passwords; and using automatic firewalling for the few systems that are dependent on password authentication).
Even just outside of my main job, I do some freelance consultancy and it’s pretty alarming just how many servers are exposed to easy attacks due to the administrators running default config (eg no adaptive firewalling, chroot sandboxing, user separation, insecure daemon defaults (eg server tokens enabled in apache) and running local daemon listener on 0.0.0.0).
Security is quite an in-depth and highly specific subject, so it grinds my gears when bad / outdated advice is given so publicly, or when good advice is ignored (particularly if it appears to be ignored purely out of pride).
Anyway, rant over
4. Use one-time pads. Impossible to break with brute-force attacks.
Funny enough I did write my own one-time pad routine when I was still at school.
The program was rather crude (I think I wrote it in Javascript and this was back in the 90s when Javascript largely sucked), but it did work.
Take something that means a lot to you but nothing to strangers. Example: name, place and date of birth of somebody you hold dear (not yourself, too easy to guess), add a few random characters. Done!
BTW, it shouldn’t be somebody who has a Facebook account!
Edited 2012-11-10 09:31 UTC
I realize this won’t work for everyone, but I have a knack for remembering long strings of random characters. My vehicle’s VIN alternated with a Windows 98 key that I still have the CoA for up in the attic, along with my uncle’s Romanian name, make for a nearly uncrackable but easy to remember password.
To be able to use it for different accounts, I just add a mnemonic related to that site. For local security, of course, I just use a simple 8 to 10 character alphanumeric string. That’s more than enough to deter the few friends and family that visit my home.
Indeed, it wouldn’t work for me. I am very bad at remembering long strings of random characters, including telephone numbers.
Me too. That’s one hell of a skill he’s got. I have to maintain a few text files to keep track track of my passwords; partially because I’ve got so many, but also because they’re all pretty long and complex, and many of my important ones are similar but subtly different so they couldn’t be used across accounts even if they were cracked.
Then again, I never made an attempt to remember my passwords and I tend to just use the web browser’s password manager most of the time. The main exception here is on my phone; I would never store any passwords on a computer I take everywhere I go that I could easily lose, forget somewhere I go or have stolen.
That said… I am considering eventually attempting to remember my three Google account passwords, because it’s kind of a pain when I am automatically logged out for my protection and I’m basically locked out until I get home to check my password files.
By the way… any Google users, if you have important data on your account, it would be a good idea to use Google’s two-step authentication. Works with any phone, though probably best with a cell phone (text message) or, even better, with the Google Authenticator app.
Edited 2012-11-11 04:56 UTC
I had an eidetic memory as a child; I remember being able to read an entire encyclopedia page and recite it back with about 95% accuracy at six years old. Unfortunately it started fading away as I got older. I still recall a lot more than the average person after reading a passage or string, but it’s a shadow of what I could do as a child.
Still, it’s good enough to remember important alphanumeric strings. My limit is about 35 characters, give or take, and it helps if it’s a pattern that I recognize. That’s why I use the VIN/license key combo; I deal with VINs daily at my full time job and reinstalling Windows 98 every few months made it easy to recall that key. I also tend to memorize phone numbers, my credit and debit cards, and other pattern based strings very easily.
Damn. It took me almost a year to remember my cell phone number with enough reliability that I would not screw it up when someone asked me what it is (and I still occasionally get confused or my mind goes blank).
Back when I was toying around with Google Voice earlier this year and I was considering giving it a try, the ability to choose a certain area code and even a string of letters when picking a number was really appealing to me. I’m just horrible with remembering phone numbers. Even if there are only 10 possible digits, the phone number itself is ten digits long, and likely only the last seven digits will likely be unique.
It was so much easier years ago when I was younger… the area code was always the same, the following three-digit prefix was always one of only two or three three possibilities, and the last four digits were really the only ones that were different. Now cell phones seem to rule the country, and while the area code tends to remain the same it seems that every cell phone provider has a different prefix (and some of them seem to be getting more than one these days in my area).
I know what you mean about the Win98 (and later XP) registration key though… I used to have mine almost (but not quite) completely memorized for the same reason. No idea what they were now, though. If I am forced to enter something enough times, I’ll eventually remember it (or at least parts of it) whether I want to or not.
Edited 2012-11-11 07:08 UTC
those stories are pretty crappy. way to confuse people so they dont improve their passwords
all you need to know is you should have a passphrase. the details of password security are irrelevant. the solution is passphrase. it is not maximum protection, but it is good enough and better than what people already use.
example:
compactdisksareOLD!
dogseatpoopbutIdont
wheninromehavesexwithromangirls
passphrase. its whats for dinner. (passphraseitswhatsfordinner)
Passphrases don’t work everywhere. Many sites either won’t let you have spaces, require you to have numbers, limit you between 8 and 12 characters, disallow certain punctuation marks, etc. In principal I actually agree with you (although I doubt people would pick more secure passphrases than they currently pick passwords now). The other thing we really need is intelligence on the part of people who design service web sites. There is no reason, for example, that a dictionary attack should ever work, ditto for brute force attacks. If someone tries a wrong password more than three times, the account should be locked and the account owner notified at once by all means of contact that they have on file. A temporary block on the IP address initiating said transaction wouldn’t be unwise as well. That account will then be absolutely disabled until the account owner can take whatever steps necessary to reactivate it and, in the mean time, good luck hacking into a disabled account with a dictionary. Period. That is as it should be. Sadly, it seems like very few institutions, including banks and other financial sites, don’t implement such basic security for the sake of convenience. I would think that the potential inconvenience of a three-strike password would outweigh the inconvenience if, let’s say, your bank account gets hacked and someone takes all your cash. No, it won’t protect against key logger trojans and other, more sophisticated forms of attack but, if you’ve got a key logger on your machine, no amount of strong passwording is going to help you anyway.
Security is a two-way street. Intelligence on the part of the end-user, and intelligence on the part of the system designer. Both, sadly, are lacking right now. Password safety is not rocket science, and that applies to both parties.
The main reason, as I understand it, is that those rules are there because of the outdated ideas about how to make secure passwords such as having numbers etc.
But the way to go has to be passphrases, and this technique needs to be taught. A passphrase can be much longer and thus more secure without much more memorization than a normal passwords.
Even z/OS now has support for passphrases. That is how out of date plain old passwords are.
Edited 2012-11-10 12:13 UTC
Pass-phrases are better than *short* passwords, but most modern attacks target passphrases these days.
I’ve explained the technique modern attacks use and how it reduces the number of attempted permutations required in detail in this post: http://www.osnews.com/permalink?542101 .
Edited 2012-11-12 09:25 UTC
My bank locks the online account after three failed password attempts per day. You are required to phone customer service to reset the password.
That’s good. I’m glad there are still some people out there that understand how to implement some basic security. Now, if they would just teach the rest…
While simple words or phrases that could be “guessed” by dictionary-based attacks, their concatenation introduces much more permutations, as by your example:
Words like “compact”, “disks”, “are”, “old”, “dogs”, “eat”, “poop, “but, “I”, “dont” and so on would be a simple target. Concatenating simple words to form a new word perfectly fits the current startup naming culture. No need to introduce spelling errors here. 🙂
An alternative is to learn intendedly “mis-spelled” artificial words that you can remember easily, but that won’t show up in any directory, not even partially.
Some examples:
Mowdoodenlompar
Gnortlingsobiddenpoul
Gickbreddlequeckenrommodune
You can easily pronounce them and “learn their written representation”. You could even say them to someone, but without the knowledge on how to write them it won’t be useful.
A slight modification of this approach is to write one of the words of your native language in either a typeface-oriented or a pronounciation-oriented “emulation”.
Examples:
WKOJIANgOM
derived from школаидом – школа и дом (school and house)
Rule: Make the word look as if it would have been written with cyrillic letters. Use phantasy as needed.
Advantage: As long as you restrict yourself to the “normal letters”, you can even enter the password in “severely limited environments”, e. g. in those where you cannot enter “non-english characters” maybe due to a misconfiguration or missing support.
DeeOumarHuttUynanHootOuf
derived from Die Oma hat einen Hut auf (the grandmother is wearing a hat, literally “has a hat on”)
Rule: Construct a word that, if read (and pronouced) properly in English, would sound like the corresponding word (or sentence) in German. Ignore any possible accent.
Combine all discussed methods for more optimum security. 🙂
Meh. Only your first example has both capital letters and symbols (in this case, a single exclamation point), and your second one has one single capital letter. Your last two win the length contest, but they’re still only lower case letters. They would probably also fail a dictionary attack relatively easily. So I disagree; those passwords are actually quite weak. They’re probably better than what most people use, though. Use a mix of lowercase, caps, numbers *and* symbols for the best effect…
Edited 2012-11-11 05:18 UTC
those passphrases are long enough to be secure even with all lower case letters and english words. they will not be brute forced or dictionary attacked because it would take too long.
Maybe so, but I’d prefer to play it safe and use more than just primarily lower-case letters. IMO, they could be a lot better.
Edited 2012-11-11 11:17 UTC
They would be dictionary attacked easily.
Modern dictionary attacks are designed to target passphrases just like that.
I’ve discussed dictionary attacks earlier in this thread, so have a read through that. Alternatively, read an account from some professionals in the field: http://arstechnica.com/security/2012/08/passwords-under-assault/
so far I’ve got no proof of what I said, and you’ve got proof of what I said. not looking good for you so far, but thanks:
Clearly you just skipped to the pretty pictures because that article repeatedly talked about how the preferred method of attack has now shifted to using advanced dictionary attacks which are fine tuned to crack passphrases. In that that was pretty much the basis for the whole f–king story.
The quote you lifted was just in reference to the older technique of using rainbow tables and how it’s modern applications are limited due to better cracking routines and more powerful computers. So it’s not even relevant to this discussion.
But who actually gives a shit about facts when you can instead offer up security advice like the egotistical novice that you are. And what’s the point in talking to me like a human being when you can act like a complete c*nt instead. After all, what’s the point in using intelligence and research to make a point when you can hide your stupidity behind blind arrogance. Smoothly done asshole. <_<
Edited 2012-11-12 22:18 UTC
I didn’t even read your posts or the ones your are replying to but when you’ve come to this, you know it’s time to take a break. It doesn’t matter if you are right or wrong, this is just a web comment section that 4 people read in total. Cool down man.
Yeah, I’m giving up on this article now. Too many pseudo-technical people clinging on to old ideal and who are too stubborn to read anything recent on the topic.
Considering how fast paced the technology industry is, I’m amazing how slow some professionals are to update on the latest security methods
But then I shouldn’t really care, I get paid to fix the mistakes that those novices introduce
Edited 2012-11-13 08:26 UTC
First tip: it is already mentioned in the article, but needs repeating: don’t reuse passwords.
Second tip: use a password that can’t be guessed. Which is getting harder every day: Ars Technica: Why passwords have never been weaker – and crackers have never been stronger:
http://arstechnica.com/security/2012/08/passwords-under-assault/
Third tip: use a password-generator and -manager to handle your passwords.
Fourth tip: there are “single sign in” / “federated login” solutions:
– https://browserid.org/ (Mozilla project for “verified email address”, only do email verification ones)
– http://openid.net/ and http://oauth.net/ Some examples: Google-, Yahoo-, Hotmail-account, Twitter- and yes even Facebook connect is based on oAuth. At least Google and probably others also have 2 factor authentication.
– http://en.wikipedia.org/wiki/SAML_2.0 (the solution certain enterprises use)
HTTP/2.0 might get builtin support for “federated login” as well.
There is a tradeoff in using one account of course, but many normal users just don’t want to deal with password managers and prefer to use one password.
Edited 2012-11-10 13:43 UTC
Or just use 1password.
Problem solved
Where I work, there’s about 5 different passwords we have to remember, and they make us change them all at least once every couple of months. Not only that, but you can’t have a password that’s similar to a previous one, and you can’t use a password that you’ve used in the last 10 rotations. They seem determined to make people memorize a new, random string of letters and numbers every rotation, along with at least one uppercase character, one letter from the Chinese alphabet, and I think the symbol for Boron as well.
There’s only one problem though… virtually NOBODY is going to do that!! I would imagine most people probably either keep their passwords written down in a drawer (yeah, real secure
) or else use keyboard macros like I do. I understand the need for strong passwords, but some companies get WAAAAAAAAY too overzealous with the practice.
I hear you! I have the exact same problem. It’s particularly bad because I’m a support person, so I’m always switching computers. It’s really a big productivity loss to constantly have password changes and hassles.
One place I worked at put all the hundreds of passwords into a spreadsheet. Of course, since it was shared by the 10 people on the team, someone would always corrupt the spreadsheet file. What a mess!
Worst of all was when I’d be on call, get the call at 2 am, and find that some dope had updated the password on some server and forgot to update the password spreadsheet. So here you are beeped at 2 am to solve some problem, only to find yourself unable to log in. Yuck!
I personally just use Keepass2 to keep my passwords safe. The password database is very strongly encrypted so if you have a strong password for the database there is no way anyone is going to get to the actual contents of the database. Once in Keepass2 allows you to create passwords automatically, allowing you to specify things like which character set to use, how many characters, should there be special characters and so on and so forth. Also, once you copy a password or username from the database to clipboard Keepass2 will empty the clipboard after 10 or 15 seconds, making sure you won’t even accidentally reveal your passwords.
I have a strong password set up for the database, I always store any new login stuff in there, and I keep a copy of the database on my desktop, mobile phone, server and in the cloud so that even if one — or even multiple — devices were to break I’d still always have a copy somewhere. Also, the Android – app is handy on-the-go.
Didn’t you read the article? You can’t trust password managers because, uh, if someone steals your computer all your passwords are lost. Too bad it’s completely impossible to have them backed up somewhere and encrypted. Yeah….
It’s kind of interesting that Mr Kocher makes the oldest mistake of all: keeping the passwords on a note in his wallet. Obviously much safer than a password manager with an encrypted database. Apparently it’s also impossible to have your wallet stolen. Wtf?
Security expert my ass.
Yikes. I wouldn’t want to store my passwords on my phone or laptop or any other computer I take with me even occasionally or on any USB thumb drive… but there’s no way in hell you’d ever see me put all my password in a file up in the “cloud.” Even if they were first encrypted in a database file. Just not gonna happen. I just don’t have that kind of trust.
Edited 2012-11-11 05:54 UTC
The Keepass2 password database is encrypted with 256-bit Twofish. You’d need a quantum computer to be able to crack that in any sort of a feasible time. No, using something like that Amazon cloud computing service would still need way more time for cracking that open than I have years left in me. Since there are no fully-functioning quantum computers yet, and I’m not a high-profile target anyways…
EDIT: Few links:
http://keepass.info/help/base/security.html
http://en.wikipedia.org/wiki/Twofish
Edited 2012-11-11 09:02 UTC
That’s the thing about encryption, you don’t need trust.
The chances that your cloud provider will take so much interest in you that they will use all their computing power to break into your (hopefully Twofish or AES) encrypted password database is minuscule.
Even if they do you’ll probably have changed all the passwords by the time they actually manage to brute-force it.
Who’s to say it’s the cloud provider that will try to do the snooping? I actually didn’t mean that with what I originally said. These companies run public servers, and they’re not exactly unknown servers… they’re well-known, and up for potential attack from anyone, anywhere on the Internet. They’re big, easy targets. It’s security breaches I would be worried about when putting a file containing *all* of my passwords on a server somewhere on the Internet.
Someone just has to breach the server’s security and then take what they can. They can then post all the files they can manage to get on a server somewhere where they and their cracker buddies download away and have a field day playing games seeing who can crack the most password files the fastest. And if there’s ever a vulnerability found that allows crackers to easily break the encryption code and read the contents of the file… well, now every single one of your passwords can be found by just accessing one file that’s been made publicly available on the Internet to anyone.
Edited 2012-11-11 10:17 UTC
I have a bad memory, very horrible.
So, this is what I do, I split myself into three online personas.
One I use for games of any kind, always, and I mean always the same password, if they get hacked, I just have them send a mail and reset it. Never needed though, because virtually nobody cares about the games I play.
The second, is for my alternate life online, for this I have yet another password, but I add a number to the end and change it for every site I need.
Third, the RL persona, the one that I use the least, but care for the most, I almost never use it for trivialities, except to establish a personal and professional presence online.
Emails, I have a gmail account for each, none are linked to eachother in any way.
The first one, has a password, based on the one used for games.
Second address, same thing.
and last one, the most important has 40 characters, azAZ09.
But what’s the most important, is the fact that other than the email passwords and the one I use in games, I don’t memorize anything else.
Because I keep the browser open 20-30 days nonstop, I actually can’t remember a password I used only once weeks ago, so, it’s password recovery most of the time.
Found this on the net, after a simple search. My guess, people only need to read the manual.
Despite what you might hear on the news about “hackers”, it’s actually quite easy to encrypt things that even alphabet soup agencies would need months if not years to de-crypt.
Oh, and a word to the authors for articles about password security, stop blaming the victims, and blame the websites and the various systems with poor security because they’re the ones doing the most damage.
I am a bit late to this party, but I have a nice suggestion for better online security. Use lastpass.com service and have best from both worlds:
– unique passwords for every site
– just one master password to remember
– passwords generated automatically for you
– passwords always available
Free version does everything you need (at least everything _I_ need), and they provide extensions for all major web browsers.
There is nothing I hate more that this meaningless “cloud” buzzword, but this service is just fantastic, and I love every bit of it. Everything is encrypted, and with a good master password (that you, off course, change every say 6 or 12 months), you can enjoy having unique 20 char ([0-9a-zA-Z plus special chars]) long password for every site you register on.
This was suggested to me by Firefox when I once opened add-on tab. Best suggestion ever!!
All that needs to be said about passwords has already been said here: http://xkcd.com/936/
🙂
O/S/N/E/W/S Alert!
Your account will be deleted.
To prevent account deletion, reply to this post with your username and password.
——————————
Seriously, your password need just be good enough for the job. You don’t need an armored door when the windows are wide open or the walls are made of paper. Hackers will seek the lowest hanging fruits.
http://xkcd.com/538/
Use your brain online and don’t rely on password for anything important. If your bank is only asking for a password to transfer money then change your bank. It should at least send you an SMS with a temporary secret code or chalenge you with something else.
CPU power is cheap, especially to crackers who have access to botnets and it will be worse when they have mobile bots. Even brute force can be done if it pays. Your password is just there to protect unimportant data from being stolen because it is cheaper to get it from another way or because it’s not worth the trouble.