OT - Password Protection
Just finished reading an outstanding article on how a hacker could try to steal your information through weak passwords. It was quite compelling, and frightening. I had no idea even adding one capitalized letter and one character could make it exponentially more difficult to hack.
Money quote:
Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn't important because "I don't get anything sensitive there." Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank's Web site and tell it I've forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?You have been warned.
March 31st, 2010 at 12:18 PM ^
Yeah, but at what point do password requirements become so ridiculous that you simply can't remember the damn thing and have to have it posted on a sticky next to your computer? One of the websites that I have to use at work requires the following:
At least 15 characters
2 numbers
2 special characters
2 capital letters
No dictionary words
No consecutive characters
None of the above requirements (numbers, specials, etc.) can be next to each other
Must change every 30 days
Fuck it. I wrote it down. I can't remember all that shit. If someone steals it, oh well, it's not personal information.
March 31st, 2010 at 12:28 PM ^
try using a password protected document to store all your passwords.
But I agree with you 100%. I think I went to restore my UM uniqname and password on the alumni page and had similar issues.
March 31st, 2010 at 12:48 PM ^
"try using a password protected document to store all your passwords."???
Isn't that like locking the key to the safe in the locked safe?
It's like locking all your keys except the one key that opens the safe. Any time you need any of the other keys, you just need the one key to the safe to access them.
so once I infect your computer, I know which document to crack first. that makes it easier.
If you infect my computer to the point that you're searching for files to decrypt, you're getting all that information eventually anyways. I'll just plan on avoiding sketchy links and not running software I don't trust on my computer. Unless you think post-its on the bottom of my keyboard is a better way to keep track of all the passwords.
March 31st, 2010 at 10:00 PM ^
If you break into a computer, cracking that document is probably going to take more time than installing a keystroke recorder that gets the passwords anyway.
There are solutions for this. I've been using keepass (it's mentioned in the article) for a while. There's a portable version at http://www.portableapps.com, so you can take it and your database with you wherever you go (if you use a pc). It's also available for linux; not sure about OS X (but there is an OS X solution also mentioned in the article).
Important: Use a very strong password that you can remember to lock your database.
Same here, I figured that I have about 10 passwords that I'm supposed to remeber, and they have different length, character requirements, and valid timeframes--I could never remember them if I didn't write them down.
March 31st, 2010 at 12:43 PM ^
Take a phrase you like that you will remember and 1337 speak it. Take this Farscape quote "Look Upward and share the wonder" = sh@rethe1der. It makes it more difficult because if its all the same case you have 27 characters of alphabet you have 27 characters.
My stats is hazy but a computer can easily brute force a password of length 6-7 pulling from a collection of 27 symbols. But if you add numbers thats plus 10 symbols, different cases its another 27. ASCII symbols is what really makes a tough password.
I wouldnt trust any password unless it had at least one number and a capital letter.
My stats is hazy but a computer can easily brute force a password of length 6-7 pulling from a collection of 27 symbols. But if you add numbers thats plus 10 symbols, different cases its another 27. ASCII symbols is what really makes a tough password.
I wouldnt trust any password unless it had at least one number and a capital letter.
This is the brute force data he quoted in the article OP posted. This is computation time using an average PC, not a supercomputer or anything.
That only serves to piss me off even more about some of the password requirements. Do I really need a password that would require a computer to have been working since before the Horrendous Space Kablooie to crack?
I can see your point. And it's true, it's probably not necessary for almost everything.
For my passwords, I find a combination of 6 keys that are near each other and run through them one time without holding shift, and then again while holding shift. For example, start at the top left of the keyboard and use "qwe" and "123". Your password using this combo would then be "qwe123QWE!@#". For your situation, use three rows of keys and do it vertically: "aq1sw2de3AQ!SW@DE#" is a heck of a password and is relatively easy to remember. You can even write down the first three letters and it doesn't give away much.
I've done something like that before, when both of the base passwords I use weren't acceptable to the system. Normally I have two base passwords that I simply add what I have to on the end to make it work. Very strong, no dictionary words, already with symbols in them....they work for 99% of everything I want to do, which is why I get so damn irritated with the places where they don't.
Yes, this is the time your average computer would take. However, someone could build many computers with top end processors and then link them together to create a super computer that would take significantly less time to crack.
Also, there is this thing called a rainbow table that does the calculations ahead of time, so that the attacks that would usually take millennia now take hours.
do all of our passwords in a combination of Japanese and Roman numerals with a minimum number of total digits not less than 100...
My over-drafted checking account would be safe!
Another one-off of your phrase idea is to just remember the first letter of every word in a line from a song, play, book, poem, movie, &c. For capital letters, just the first word in a line or a sentence should suffice.
So for example:
AswyoYrfoAyftsaAtlyBtlaseTtgsfcAityfwiia
Looks impossible to remember until you know where it comes from:
"And sometimes when you're on You're really fuckin on And your friends they sing along And they love you But the lows are so extreme That the good seems fuckin cheap And it teases you for weeks in its absence"
March 31st, 2010 at 12:52 PM ^
I'm a grad student. There isn't much to steal in my bank account...
I thought all this technology was supposed to make our lives so much easier....
Well, it has...for crooks.
The reason it does this is because if you only use lower case letters, an 8 character password has 26^8 combinations. When you capitalize one letter, the hacker doesn't know which one that is or which letter is capitalized, so he has to add the entire set of capital letters. That means your 8 character password has 56^8 possible combinations. That is 256 (2^8) times more capital letters. Adding numbers and special characters increases the number of possibilities to 98^8 which is 40740 times more than the original lower case password. Even adding 3 more lowercase characters to your password doesn't add the same number of combinations.
So, the best bet is to come up with a password with characters from all 4 sets (uppercase, lowercase, numbers, symbols) and make it as long as you can without making it impossible to remember.
I came up with a nonsensical phrase that still rolls off the tongue a long time ago. So now every so often I just go to an anagram maker, get a new combination of the letters, add some numbers and capital letters. boom nobody's getting my password.
My password is 'password'. It's easy to remember.
Verify me.
Password!!
just as easy to remember, way harder to crack
This is one of the many reasons why I don’t own nice things
Dont need no password for my shotgun.
If a hacker wants to take my identity it's his loss.
Too true.
They should be chained to a tree and hacked apart.
Sweet, sweet, irony.
Unfortunately, when you make the requirements so hard, people either write passwords down on a piece of paper or jitter the differences very minor between forced password changes. The company I used to work for made it so hard to pick a password but enforced almost no deltas between new and old passwords so my password always incremented by one digit every quarter. hardly secure.
At least some financial type websites have stepped it up in the past few years and enabling some form of Two Factor authentication. My Chase account requires having possession of my cellphone which will be sent SMS's with one time passwords when Chase can't figure out which computer I'm using. E-trade has RSA tokens, etc. Hopefully more support is coming from websites to enable Two Factor. Then you have Facebook who purposely tries to make it hard on you from using SSL-secured pages since it requires more compute power.
My company came out with a corporate online posting policy about a year ago.
Part of it was we had to surrender the password info for any business-related account (e.g. the magazine's Facebook page). Our online media content guru would be in charge of all the passwords.
Now I've been by her desk. It has crimson and it has silver. And she is not a Lions or Red Wings fan. You get my meaning.
So before handing over my passwords, I changed them all to not the following, but things very like the following:
Facebook: "Hail2theVictorsvaliant"
Twitter: "1996Mich13OSU9@theshoe"
Website: "Ohowihateohiostate"
I noted that the login for Facebook only works if you sing "The Victors" while punching it in.
Strangely, none of these accounts has had anyone access them but me since that e-mail...
You my friend are a walking “Never Graduate” commercial... +1
His Mom said!
As in, you can use the same password across multiple sites with varying degrees of complexity, i.e.:
For a site with no security issue that you probably couldn't care less if it is hacked, use something like 'Temp81' with 81 being the year you were born
For the next level, say facebook or something, where you definitely don't want it hacked, but there is no private/financial information, use something like 'MierdeMio81' that has both caps and #s and an easy to remember phrase for all those sites. My youtube, fbook, twitter, etc. all use the same pword
For anything financial or very private, create individual ones that follow a pattern like 'MierdeMio_[Site/BusinessName]_81' so that you have an individual one for each site, but an easy to remember scheme, password would look like 'MierdeMio_b@nksite_81'
It keeps lower security passwords easy to remember and higher ones separate/different, but also easy to remember.
All my passwords are my social security number. Hell, it took me so long to remember it, how could anyone else?
March 31st, 2010 at 10:12 PM ^
I had a coworker who used his pin number as his office phone's voicemail password so it would be easier to remember. It was pretty funny when he suddenly realized that the numbers showed up on the phone when he typed in his voicemail password.
I recommend the following to help keep your password difficult to crack while allowing you to remember it..
For instance, take your favorite 12 character drink name..
jagermiester
Now capitalize the third letter
jaGermeister
now replace all the e's with 3's..
jaG3rm3ist3r
Finally, replace the i's with !'s..
jaG3rm3!st3r
Complex password. Brute Force will take a good while. And you can still remember what it is.