OT - Password Protection

Submitted by GoBlueScott on March 31st, 2010 at 12:08 PM

Just finished reading an outstanding article on how a hacker could try to steal your information through weak passwords. It was quite compelling, and frightening. I had no idea even adding one capitalized letter and one character could make it exponentially more difficult to hack.

Money quote:

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn't important because "I don't get anything sensitive there." Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank's Web site and tell it I've forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

You have been warned.

Comments

MaizeAndBlueWahoo

March 31st, 2010 at 12:18 PM

Yeah, but at what point do password requirements become so ridiculous that you simply can't remember the damn thing and have to have it posted on a sticky next to your computer? One of the websites that I have to use at work requires the following:

At least 15 characters
2 numbers
2 special characters
2 capital letters
No dictionary words
No consecutive characters
None of the above requirements (numbers, specials, etc.) can be next to each other
Must change every 30 days

Fuck it. I wrote it down. I can't remember all that shit. If someone steals it, oh well, it's not personal information.

wile_e8

March 31st, 2010 at 9:22 PM

If you infect my computer to the point that you're searching for files to decrypt, you're getting all that information eventually anyways. I'll just plan on avoiding sketchy links and not running software I don't trust on my computer. Unless you think post-its on the bottom of my keyboard is a better way to keep track of all the passwords.

quakk

March 31st, 2010 at 2:01 PM

There are solutions for this. I've been using KeePass (it's mentioned in the article) for a while. There's a portable version at http://www.portableapps.com, so you can take it and your database with you wherever you go (if you use a PC). It's also available for Linux; not sure about OS X (but there is an OS X solution also mentioned in the article).

Important: Use a very strong password that you can remember to lock your database.

kielpedia

March 31st, 2010 at 12:43 PM

Take a phrase you like that you will remember and 1337-speak it. Take this Farscape quote: "Look Upward and share the wonder" = [email protected]. It makes it more difficult because if it's all the same case you have 27 characters of alphabet.

My stats are hazy, but a computer can easily brute force a password of length 6-7 pulling from a collection of 27 symbols. But if you add numbers, that's plus 10 symbols; different cases is another 27. ASCII symbols are what really makes a tough password.

I wouldn't trust any password unless it had at least one number and a capital letter.

e.go.blue

March 31st, 2010 at 3:54 PM

I can see your point. And it's true, it's probably not necessary for almost everything.

For my passwords, I find a combination of 6 keys that are near each other and run through them one time without holding shift, and then again while holding shift. For example, start at the top left of the keyboard and use "qwe" and "123". Your password using this combo would then be "qwe123QWE!@#". For your situation, use three rows of keys and do it vertically: "aq1sw2de3AQ!SW@DE#" is a heck of a password and is relatively easy to remember. You can even write down the first three letters and it doesn't give away much.

MaizeAndBlueWahoo

March 31st, 2010 at 6:30 PM

I've done something like that before, when both of the base passwords I use weren't acceptable to the system. Normally I have two base passwords that I simply add what I have to on the end to make it work. Very strong, no dictionary words, already with symbols in them....they work for 99% of everything I want to do, which is why I get so damn irritated with the places where they don't.

joeyb

March 31st, 2010 at 4:26 PM

Yes, this is the time your average computer would take. However, someone could build many computers with top end processors and then link them together to create a super computer that would take significantly less time to crack.

Also, there is this thing called a rainbow table that does the calculations ahead of time, so that the attacks that would usually take millennia now take hours.
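The precomputation idea in the comment above, as an added example that is not part of the original thread: a plain hash-to-password lookup table stands in for a rainbow table (a real one compresses the same precomputation into hash chains with reduction functions and keeps only chain endpoints, but it depends on the same property, that the stored hash is a function of the password alone), and a per-user random salt with PBKDF2 from Python's standard library shows why such a table then finds nothing. The alphabet, lengths and the password "bead" are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import itertools
import os
import string
from typing import Optional


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: the kind of stored hash a precomputed table defeats."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(alphabet: str, max_len: int) -> dict:
    """Precompute hash -> password for every string of 1..max_len characters over alphabet.

    Done once, before any target is known; the attacker pays this cost a single time
    and reuses the table against every unsalted hash they ever obtain.
    """
    table: dict = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            pw = "".join(chars)
            table[fast_hash(pw)] = pw
    return table


def recover(table: dict, stored_hash: str) -> Optional[str]:
    """Reversal by a single dictionary lookup instead of an online brute-force search."""
    return table.get(stored_hash)


def new_salt() -> bytes:
    """16 random bytes per user, stored alongside the hash (the salt is not secret)."""
    return os.urandom(16)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 from hashlib).

    The salt makes the hash of "bead" differ for every user, so no table built in
    advance can contain it; the iteration count makes each guess cost 100,000 hashes.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Recompute and compare in constant time so timing does not leak matching prefixes."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    # Every 1-4 letter lowercase password: 475,254 entries, built in about a second.
    table = build_lookup_table(string.ascii_lowercase, 4)
    print(len(table), "hashes precomputed")
    print("unsalted:", recover(table, fast_hash("bead")))  # -> 'bead'
    salt = new_salt()
    stored = salted_hash("bead", salt)
    print("salted:  ", recover(table, stored))  # -> None
    print("verify:  ", verify("bead", salt, stored))  # -> True
```

The lookup succeeds only because the unsalted hash of "bead" is the same on every system that stores it that way; once a salt enters the computation the precomputed work is worthless and the attacker is back to guessing online at the KDF's cost per guess.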

Snowden

March 31st, 2010 at 6:20 PM

Another one-off of your phrase idea is to just remember the first letter of every word in a line from a song, play, book, poem, movie, &c. For capital letters, just the first word in a line or a sentence should suffice.

So for example:

AswyoYrfoAyftsaAtlyBtlaseTtgsfcAityfwiia

Looks impossible to remember until you know where it comes from:

"And sometimes when you're on
You're really fuckin on
And your friends they sing along
And they love you
But the lows are so extreme
That the good seems fuckin cheap
And it teases you for weeks in its absence"

joeyb

March 31st, 2010 at 1:28 PM

The reason it does this is because if you only use lower case letters, an 8 character password has 26^8 combinations. When you capitalize one letter, the hacker doesn't know which one that is or which letter is capitalized, so he has to add the entire set of capital letters. That means your 8 character password has 56^8 possible combinations. That is 256 (2^8) times more capital letters. Adding numbers and special characters increases the number of possibilities to 98^8 which is 40740 times more than the original lower case password. Even adding 3 more lowercase characters to your password doesn't add the same number of combinations.

So, the best bet is to come up with a password with characters from all 4 sets (uppercase, lowercase, numbers, symbols) and make it as long as you can without making it impossible to remember.
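To put numbers on the keyspace argument above, here is an added example (my code, not from the original post or the article it cites). It infers the alphabet an attacker must search from the character classes present in a password, then computes the keyspace, its size in bits and an expected brute-force time. The class sizes are facts about ASCII (26 lowercase, 26 uppercase, 10 digits, 32 printable symbols, 94 in all); the guess rate of one billion per second is an assumed figure for illustration, not a measurement.

```python
import math

# Character-class sizes an attacker must assume once a class is known to be present.
# Facts about ASCII, not figures from the thread: 26 + 26 + 10 + 32 = 94 printable characters.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32

# Assumed attacker speed for the time estimates (illustrative only).
GUESSES_PER_SECOND = 1e9


def charset_size(password: str) -> int:
    """Alphabet a brute-forcer must cover, inferred from the classes present.

    One capital letter is enough to force all 26 uppercase letters into the search:
    the attacker does not know which position or which letter it is.
    """
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates of exactly this length drawn from an alphabet of this size."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """log2 of the keyspace; every extra bit doubles the attacker's work."""
    return length * math.log2(alphabet)


def expected_seconds(alphabet: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit a uniformly chosen password: half the keyspace on average."""
    return keyspace(alphabet, length) / 2 / rate


def work_ratio(baseline: str, candidate: str) -> float:
    """How many times larger the candidate's search space is than the baseline's."""
    base = keyspace(charset_size(baseline), len(baseline))
    cand = keyspace(charset_size(candidate), len(candidate))
    return cand / base


def human_time(seconds: float) -> str:
    """Rough unit for printing; only the order of magnitude matters here."""
    if seconds < 3600:
        return f"{seconds:.0f} s"
    if seconds < 86400 * 365:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (86400 * 365):.0f} years"


if __name__ == "__main__":
    baseline = "password"  # 8 lowercase letters, the starting point in the comment above
    print(f"{'password':<18}{'alphabet':>9}{'bits':>7}{'x baseline':>12}{'expected':>14}")
    # Constructed sample passwords: add a class, add length, or do both.
    for pw in ("password", "Password", "P4sswrd!", "passwordxyz", "passwordxyzw", "P4sswrd!Goblu3"):
        a, n = charset_size(pw), len(pw)
        print(f"{pw:<18}{a:>9}{entropy_bits(a, n):>7.1f}"
              f"{work_ratio(baseline, pw):>12.0f}{human_time(expected_seconds(a, n)):>14}")
```

Two things the table makes visible: mixing case (52 symbols) multiplies the work of an 8-character search by 256, while three extra lowercase letters multiply it by 17,576 and four by 456,976, so at these lengths adding characters outruns adding classes; and the attacker only has to pay for a class if the policy or the password leaks that it is present.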

KinesiologyNerd

March 31st, 2010 at 1:48 PM

I came up with a nonsensical phrase that still rolls off the tongue a long time ago. So now every so often I just go to an anagram maker, get a new combination of the letters, and add some numbers and capital letters. Boom, nobody's getting my password.

goblue_westcoast

March 31st, 2010 at 4:18 PM

Unfortunately, when you make the requirements so hard, people either write passwords down on a piece of paper or keep the differences between forced password changes very minor. The company I used to work for made it so hard to pick a password but enforced almost no deltas between new and old passwords, so my password always incremented by one digit every quarter. Hardly secure.

At least some financial-type websites have stepped it up in the past few years and enabled some form of two-factor authentication. My Chase account requires having possession of my cellphone, which gets sent SMS one-time passwords when Chase can't figure out which computer I'm using. E-Trade has RSA tokens, etc. Hopefully more support is coming from websites to enable two-factor. Then you have Facebook, who purposely make it hard for you to use SSL-secured pages since it requires more compute power.
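An added example (not from any of the original posts) covering two things in this thread: the composition rules listed in MaizeAndBlueWahoo's comment near the top, and the "almost no deltas between new and old passwords" problem in the comment above. The reading of "no consecutive characters" (no repeated or alphabetically/numerically sequential pair) and of "requirements not next to each other" (no two digit/special/uppercase characters adjacent) is my interpretation of that list, the word list is a constructed stand-in, and the edit-distance threshold is an assumed value. The 30-day rule is a property of the account, not of the string, so it is not checked here.

```python
import string

# Thresholds copied from the rule list in the comment near the top of the thread.
MIN_LENGTH, MIN_DIGITS, MIN_SPECIALS, MIN_UPPER = 15, 2, 2, 2
SPECIALS = set(string.punctuation)

# Constructed stand-in for the site's word list; a real checker loads a large dictionary.
DICTIONARY = sorted({"password", "blue", "maize", "victor", "wolverine", "hail", "state"})

# Assumed threshold for the rotation check: the new password must be at least this many
# single-character edits away from the old one.
MIN_EDIT_DISTANCE = 5


def _is_consecutive(a: str, b: str) -> bool:
    """Interpretation of 'no consecutive characters': b repeats a (aa, !!) or is the
    next letter or digit after it (ab, 12), compared case-insensitively."""
    if a.isalnum() and b.isalnum():
        return ord(b.lower()) - ord(a.lower()) in (0, 1)
    return a == b


def _required_class(c: str) -> bool:
    """Characters that satisfy the digit, special or uppercase requirement."""
    return c.isdigit() or c.isupper() or c in SPECIALS


def policy_violations(password: str) -> list:
    """Every rule the password breaks, in a fixed order; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if sum(c in SPECIALS for c in password) < MIN_SPECIALS:
        problems.append(f"fewer than {MIN_SPECIALS} special characters")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        problems.append(f"fewer than {MIN_UPPER} capital letters")
    lowered = password.lower()
    for word in DICTIONARY:
        if word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    pairs = list(zip(password, password[1:]))
    for a, b in pairs:
        if _is_consecutive(a, b):
            problems.append(f"consecutive characters {a + b!r}")
            break
    for a, b in pairs:
        if _required_class(a) and _required_class(b):
            problems.append(f"required-class characters adjacent: {a + b!r}")
            break
    return problems


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_violations(old: str, new: str) -> list:
    """The check the company in the comment above did not enforce: 'Password7' -> 'Password8'
    is one edit away and should be refused at rotation time."""
    distance = edit_distance(old.lower(), new.lower())
    if distance < MIN_EDIT_DISTANCE:
        return [f"new password is only {distance} edit(s) from the old one"]
    return []


if __name__ == "__main__":
    # Constructed samples: one that fails several rules, one that satisfies all of them.
    for pw in ("GoBlue2010!!", "k4wRe.txQc7mb#gjZp"):
        print(pw, "->", policy_violations(pw) or "ok")
    print("Password7 -> Password8:", rotation_violations("Password7", "Password8") or "ok")
```

Note what the passing sample looks like: it satisfies every rule and is exactly the kind of string nobody remembers without writing it down, which is the complaint the rule list drew in the first place. The rotation check is cheap to add and closes the "increment one digit" loophole, but a password manager (as suggested elsewhere in the thread) is what actually makes such rules livable.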

Seth

March 31st, 2010 at 4:29 PM

My company came out with a corporate online posting policy about a year ago.

Part of it was we had to surrender the password info for any business-related account (e.g. the magazine's Facebook page). Our online media content guru would be in charge of all the passwords.

Now I've been by her desk. It has crimson and it has silver. And she is not a Lions or Red Wings fan. You get my meaning.

So before handing over my passwords, I changed them all to not the following, but things very like the following:

Facebook: "Hail2theVictorsvaliant"

Twitter: "[email protected]"

Website: "Ohowihateohiostate"

I noted that the login for Facebook only works if you sing "The Victors" while punching it in.

Strangely, none of these accounts has had anyone access them but me since that e-mail...

mtzlblk

March 31st, 2010 at 6:01 PM

As in, you can use the same password across multiple sites with varying degrees of complexity, i.e.:

For a site with no security issue that you probably couldn't care less if it is hacked, use something like 'Temp81' with 81 being the year you were born

For the next level, say facebook or something, where you definitely don't want it hacked, but there is no private/financial information, use something like 'MierdeMio81' that has both caps and #s and an easy to remember phrase for all those sites. My youtube, fbook, twitter, etc. all use the same pword

For anything financial or very private, create individual ones that follow a pattern like 'MierdeMio_[Site/BusinessName]_81' so that you have an individual one for each site, but an easy to remember scheme, password would look like '[email protected]_81'

It keeps lower security passwords easy to remember and higher ones separate/different, but also easy to remember.

ebbtide

April 1st, 2010 at 8:08 AM

I recommend the following to help keep your password difficult to crack while allowing you to remember it..

For instance, take your favorite 12-character drink name...

jagermeister

Now capitalize the third letter

jaGermeister

Now replace all the e's with 3's...

jaG3rm3ist3r

Finally, replace the i's with !'s..

jaG3rm3!st3r

Complex password. Brute Force will take a good while. And you can still remember what it is.