Flexmoney Posted April 5, 2006

How safe are they? What can you do to make them safer?

Aren't there sites that you can type your password into and it will tell you how strong a password you have? If you type it into one of those sites...what are the chances that it is run by some computer thug and now he has added it to his password crawler list???

AzShooter Posted April 5, 2006

Good point. Passwords, like alarm systems, keep the honest honest. If someone wants to figure out your password there are programs to do it or they can spend the time and get it from a lot of normal sources.

Never use PASSWORD as a password. Never leave it blank or use your birthday or the reverse spelling of your name. And remember to change your password occasionally.

George Posted April 5, 2006

Non-trivial is the key. Use at least 8 characters. Mix alpha and numeric randomly and capitalize a letter or two.

Example of really secure password: 6Rax3Bz8qW

BritinUSA Posted April 5, 2006

Here are some ideas, we use these at work (in addition to some others)...

Identity verification passwords must not be trivial or predictable, and must:

- Be at least 8 positions in length
- Be changed at least once every three months (90 days)
- Contain a mix of alphabetic and non-alphabetic characters (numbers, punctuation or special characters) or a mix of at least two types of non-alphabetic characters
- Not contain the userid as part of the password

Clay1 Posted April 5, 2006

I use this site to help come up with a random password instead of me using some kind of pattern for my passwords: http://www.randomizer.org/form.htm

I have too many individual passwords and it is a pain and a security risk on where and how to store them since I can't remember them all. I probably should have one single password that I use for all the different forums that I visit and a different one for financial applications and then change that password every 30 days.

You don't want a very secure password but it is too hard to remember so you write it on a sticky note and post it next to your computer. I have to keep passwords in my Palm, then I lock that file and hopefully remember the password so that I can access the passwords.

There has to be a better way. Have you seen the fingerprint scanners that you can connect to your computer via a USB port that you just touch and this replaces a password? Cool idea if you have the scanner with you and always just use one machine, but accessing accounts from different machines it would be a pain in the rear.

Rick

raz-0 Posted April 5, 2006

Minimum of 6 characters, 8 is better. Use a minimum of 3 character classes. Character classes are lower case alphabet, upper case alphabet, 0 through 9, and special characters (usually some subset of the punctuation and characters like !@#$%^&*()-_=+[{]};',./~`).

Preferably come up with a system that keeps you from writing it down. For example, I have a scheme for generating my passwords, and at a designated interval I come up with new ones. I generate one for work, one for online shopping, one for online financials, and one that is essentially disposable that I use for online forums, IM, etc. (The disposable one I tend to change less often as I'm not that concerned with the security of those items.)

For general safety, your password should not be a regular dictionary word, and don't rely on leetspeak translation to protect you, i.e. don't use something like Floppy and then try to make it safe by turning it into F10ppy. Or something like a birthdate 04041984 and make it o4o4lg84. It's better than plain words, but it's still fairly easy to guess.

It sounds like something hard to do, but you can use schemes. Like say you have a favorite band. Pick your favorite album. Let's say you like the Nine Inch Nails album Pretty Hate Machine. Your favorite track on it is That's What I Get. That's something the brain is geared towards recalling better than some clump of numbers. The formula could be something like alternate caps and lowercase on all letters, make acronyms separated by your favorite special character, tracks indicated by number.

NiN!PhM!08

Very derivable and memorable. You can use music, movies, books, pieces of software, cars, car parts, etc. (just use year of release, version number, etc. for the numeric component as appropriate. Avoid things like the bible though.)

Of course really secure things use one time passwords with hardware tokens with PINs.. and then maybe add in biometrics to boot.

Unfortunately all the good password choosing can be for naught if the environment you have to use it in is bad. Hence why I have multiple passwords at the same time as well as a hardware one time use password token for sensitive stuff at work.

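The length, character-class, userid and leetspeak rules from BritinUSA's and raz-0's posts above, written as a check that runs locally and never sends the password to a website. This is an added example, not code from any poster; the word list, the substitution tables and the userid `jsmith` are constructed assumptions.

```python
# Added example: local password check built from rules quoted in this thread.
# WORDS is a tiny constructed list; a real check would load a full dictionary.
WORDS = {"password", "floppy", "foofoo"}

# Assumed leetspeak tables (simplified: "1" maps only to "l").
TO_LETTER = str.maketrans("0134578@$!", "oleastbasi")
TO_DIGIT = str.maketrans("oligsb", "011958")


def char_classes(pw):
    """Return which of the four character classes appear in pw."""
    found = set()
    for ch in pw:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("special")
    return found


def check_password(pw, userid, min_len=8, min_classes=3):
    """Return a list of policy problems; an empty list means pw passed."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append("too short")
    if len(char_classes(pw)) < min_classes:
        problems.append("too few character classes")
    if userid and userid.lower() in low:
        problems.append("contains userid")
    # Undo leetspeak first, so F10ppy is compared as "floppy".
    if any(word in low.translate(TO_LETTER) for word in WORDS):
        problems.append("dictionary word")
    # Letters standing in for digits: o4o4lg84 reads as 04041984.
    if low.translate(TO_DIGIT).isdigit():
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    for candidate in ("F10ppy", "o4o4lg84", "NiN!PhM!08", "Jsmith2006!"):
        print(candidate, check_password(candidate, "jsmith"))
```

Passing these rules only means the password avoids the specific weaknesses named in the thread; it is not a measure of how hard the password is to guess.
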
j2fast Posted April 5, 2006

I borrowed this idea from the Security Now podcast put on by Leo Laporte and Steve Gibson. It really helped me because I was always forgetting my passwords because I used so many different ones. The episodes in question are Person Password Policy parts 1 & 2 (ep 4 & 5).

One thing they discussed was creating your own little password hash, using their example of combining the website name with a set of numbers. For instance if you did it with this site it might be something like B1r2I3a4Nenos. Alternate letters and numbers while capitalizing the 1st, 3rd, and 5th alpha character. That's a little bulky for a gun forum IMO but you get the idea.

I use different sets of numbers, letters, and special characters to create random passwords that if I forget I can reconstruct based on the type of site. I use lighter weight stuff for registering on a news site and longer, more complex ones for banks, etc. In the end though I know my little personal hash so I can reconstruct the passwords if I can't remember them for a given site.

http://www.grc.com/securitynow.htm
http://www.twit.tv

kruger Posted April 5, 2006

> How safe are they? What can you do to make them safer?

Passwords can be reasonably strong, if selected well. The easiest way past strong passwords is social engineering (getting you to tell me your password), or by using another exploit into the system.

Weak passwords fall to dictionary attacks, informed guesses, and in the case of short passwords, brute force attacks.

Examples of poor passwords:

Dictionary attack: I had a guy once use the term "foofoo" as a password.

Informed guess password: One gentleman was famous for the fancy tie rack in his office. Guess what his password (before I made him change it) was?

> Aren't there sites that you can type your password into and it will tell you how strong a password you have? If you type it into one of those sites...what are the chances that it is run by some computer thug and now he has added it to his password crawler list???

In the computer security world, paranoia reigns. Would you trust your password to an unknown third party? There are tools that can check passwords for vulnerability to dictionary attacks and weakness to brute force attacks.

My favorite password scheme is to take an easy to remember phrase and use it as a base for a password. Examples:

To be or not to be? -> 2B||!2b?
Four score and twenty years ago, -> F20&tya,
Twas brillig and the slithy toves did gyre -> Tbat5tdG

Respectfully,
Mark Kruger

Edited April 5, 2006 by kruger

mcoliver Posted April 5, 2006

I'm not sure how it's gauged/computed but Firefox has this password quality meter when you enter a master password for your saved passwords. Probably worth checking if you intend to use a certain password.

shred Posted April 5, 2006

I find that changing passwords every 30 or 90 days is pretty much a waste except for things like wireless WEP keys, where you should change 'em every month or two since you broadcast them all over the neighborhood continuously.

I generally use 'weak' PWs for forums and web sites, and stronger ones for important stuff. Things like gun serial numbers (not custom #'s) make pretty good passwords as well, especially if you use more than one run together.

mcoliver Posted April 6, 2006

I have an online banking account that I could no longer use because my password was "too strong": I can't remember it. Gotta find the time to visit the bank to reset it. Or I could have probably written it down and stuck it in my monitor.

In all seriousness (and no intention to hijack Flex's thread), those secure sites, are they really "secure"? If I see a padlock icon in my browser's status bar, is that an indication that I'm already in a secure connection or can somebody spoof that icon?

D.Hayden Posted April 6, 2006

Something like this can help too: http://passwordsafe.sourceforge.net/

It'll generate good passwords, and then you can just 'click' them in.. and never really have to know them (but you can view them).

I suspect however, that most access of data isn't from getting your password, but rather someone hacking into the site and stealing large quantities of information from the server. And, the policies of some companies... enable these hackers to get your userid and passwords.. Maybe not your logon and password, but the account numbers, passwords or PINs that are stored there.

Same thing with using SSL vs not... the majority of the hackers aren't using packet sniffers to get data..

Used to be one of the most common password patterns.. involved your local sports teams...

tightloop Posted April 6, 2006

Just curious as to what prompted Flex to start this thread...did you get hacked or something...

mcoliver Posted April 6, 2006

I stumbled upon this small info about SSL's. I thought it was informative so I'm posting it here.

geezer-lock Posted April 6, 2006

If you work with OPM* for about twenty minutes you will realize the importance of strong passwords. Maybelle Eddincott does not want to know about how much she has in her checking account, she wants to know exactly. Think about your own money when you go on-line. Listen to what these guys are telling you. If you don’t already have one, get a credit card that will let you create a new “stealth” number for every transaction. Remember what your mother told you, if you tell just one person it’s no longer a secret.

David C

*other people's money

Edited April 6, 2006 by geezer-lock

Flexmoney Posted April 7, 2006

> Just curious as to what prompted Flex to start this thread...did you get hacked or something...

Curiosity killed the cat...better change your password.

Nah...just wondering. I had/have a different password here than for other things...as my log-in here has some juice. It was pretty simple though (not easily guessed, but could have been hacked by a dictionary attacker). I changed it and thought it would be a good topic to throw out to raise awareness.

n2ipsc Posted April 7, 2006

> What can you do to make them safer? Aren't there sites that you can type your password into and it will tell you how strong a password you have?

1) Ultra-Strong Password Generator - just cut and paste a lengthy bit from the middle of one or the other, and keep track of them with...

2) Password Vault

tightloop Posted April 7, 2006

Curiosity might have killed the cat, but satisfaction brought him back again....

How about that Flex?

Edited April 7, 2006 by tightloop

benos Posted April 7, 2006

The guy who owns my cart system told me of an interesting technique hackers use to get past your "good" password.

Say I have a "weak" password for my email account. So a hacker cracks that, now they can intercept my emails. Then they try to log into the cart system (which has credit card info) with my account name, and click the "Lost password" link. They intercept the email the cart system sends, and now they're logged in to my cart account.

be

George Posted April 7, 2006

Never send sensitive info in clear text in an email. Email is Swiss cheese!