Brian Enos's Forums... Maku mozo!


How safe are they?

What can you do to make them safer?

Aren't there sites that you can type your password into and that will tell you how strong a password you have?

If you type it into one of those sites...what are the chances that it is run by some computer thug and now he has added it to his password crawler list???


Good point. Passwords, like alarm systems, keep the honest honest.

If someone wants to figure out your password there are programs to do it or they can spend the time and get it from a lot of normal sources.

Never use PASSWORD as a password. Never leave it blank or use your birthday or the reverse spelling of your name. And remember to change your password occasionally.


Here are some ideas, we use these at work (in addition to some others)...

Identity verification passwords must not be trivial or predictable, and must:

  • Be at least 8 positions in length
  • Be changed at least once every three months (90 days)
  • Contain a mix of alphabetic and non-alphabetic characters (numbers, punctuation or special characters) or a mix of at least two types of non-alphabetic characters
  • Not contain the userid as part of the password


I use this site to help come up with a random password instead of me using some kind of pattern for my passwords: http://www.randomizer.org/form.htm

I have too many individual passwords and it is a pain and a security risk on where and how to store them since I can't remember them all. I probably should have one single password that I use for all the different forums that I visit and a different one for financial applications and then change that password every 30 days.

You don't want a very secure password that is too hard to remember, so you write it on a sticky note and post it next to your computer. :P

I have to keep passwords in my Palm, then I lock that file and hopefully remember the password so that I can access the passwords. :wacko:

There has to be a better way. Have you seen the fingerprint scanners that you can connect to your computer via a USB port, that you just touch and this replaces a password? Cool idea if you have the scanner with you and always use just one machine, but for accessing accounts from different machines it would be a pain in the rear.

Rick


Minimum of 6 characters; 8 is better.

Use a minimum of 3 character classes. Character classes are lower case alphabet, upper case alphabet, 0 through 9, and special characters (usually some subset of the punctuation and characters like !@#$%^&*()-_=+[{]};',./~`).

Preferably come up with a system that keeps you from writing it down.

For example, I have a scheme for generating my passwords, and at a designated interval I come up with new ones. I generate one for work, one for online shopping, one for online financials, and one that is essentially disposable that I use for online forums, IM, etc. (the disposable one I tend to change less often as I'm not that concerned with the security of those items.)

For general safety, your password should not be a regular dictionary word, and don't rely on leetspeak translation to protect you.

I.e., don't use something like Floppy and then try to make it safe by turning it into F10ppy. Or something like a birthdate 04041984 and make it o4o4lg84. It's better than plain words, but it's still fairly easy to guess.

It sounds like something hard to do, but you can use schemes. Like say you have a favorite band. Pick your favorite album. Let's say you like the Nine Inch Nails album Pretty Hate Machine. Your favorite track on it is "That's What I Get". That's something the brain is geared towards recalling better than some clump of numbers. The formula could be something like: alternate caps and lowercase on all letters, make acronyms separated by your favorite special character, tracks indicated by number.

NiN!PhM!08: very derivable and memorable.

You can use music, movies, books, pieces of software, cars, car parts, etc. (just use year of release, version number, etc. for the numeric component as appropriate. Avoid things like the Bible though.)

Of course really secure things use one time passwords with hardware tokens with PINs... and then maybe add in biometrics to boot.

Unfortunately all the good password choosing can be for naught if the environment you have to use it in is bad. Hence why I have multiple passwords at the same time as well as a hardware one time use password token for sensitive stuff at work.


I borrowed this idea from the Security Now podcast put on by Leo Laporte and Steve Gibson. It really helped me because I was always forgetting my passwords because I used so many different ones.

The episodes in question are Personal Password Policy parts 1 & 2 (ep. 4 & 5). One thing they discussed was creating your own little password hash, using their example of combining the website name with a set of numbers. For instance if you did it with this site it might be something like B1r2I3a4Nenos: alternate letters and numbers while capitalizing the 1st, 3rd, and 5th alpha character. That's a little bulky for a gun forum IMO but you get the idea.

I use different sets of numbers, letters, and special characters to create random passwords that, if I forget, I can reconstruct based on the type of site. I use lighter weight stuff for registering on a news site and longer, more complex ones for banks, etc. In the end though I know my little personal hash so I can reconstruct the passwords if I can't remember them for a given site.

http://www.grc.com/securitynow.htm

http://www.twit.tv


How safe are they?

What can you do to make them safer?

Passwords can be reasonably strong, if selected well. The easiest way past strong passwords is social engineering (getting you to tell me your password), or by using another exploit into the system. Weak passwords fall to dictionary attacks, informed guesses, and in the case of short passwords, brute force attacks.

Examples of poor passwords:

Dictionary attack: I had a guy once use the term "foofoo" as a password.

Informed guess password: One gentleman was famous for the fancy tie rack in his office. Guess what his password (before I made him change it) was?

Aren't there sites that you can type your password into and that will tell you how strong a password you have?

If you type it into one of those sites...what are the chances that it is run by some computer thug and now he has added it to his password crawler list???

In the computer security world, paranoia reigns. Would you trust your password to an unknown third party?

There are tools that can check passwords for vulnerability to dictionary attacks and weakness to brute force attacks.

My favorite password scheme is to take an easy to remember phrase and use it as a base for a password.

Examples:

To be or not to be? -> 2B||!2b?

Four score and twenty years ago, -> F20&tya,

Twas brillig and the slithy toves did gyre -> Tbat5tdG

Respectfully,

Mark Kruger

Edited by kruger
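A checker for the rules collected in this thread (the work policy's length, class-mix and userid rules, the three-character-class rule, the warning that F10ppy is still Floppy, and Mark's dictionary-versus-brute-force distinction), added here as an example and not code from any poster. The wordlist and leetspeak table are constructed toy data; a real check would use a full dictionary file.

```python
import math
import re
import string

# Constructed toy wordlist standing in for a real dictionary file.
WORDLIST = {"password", "floppy", "foofoo", "tierack", "brian", "enos"}

# Reverse leetspeak map, so "F10ppy" normalises back to "floppy".
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "9": "g", "@": "a", "$": "s", "!": "i", "|": "l"}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def char_classes(pw):
    """Set of character classes (lower/upper/digit/special) present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def normalise_leet(pw):
    """Undo common leetspeak substitutions and lowercase the result."""
    return "".join(LEET.get(c, c) for c in pw).lower()


def brute_force_bits(pw):
    """Search-space upper bound in bits: len * log2(size of classes used)."""
    alphabet = sum(len(CLASSES[name]) for name in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, userid=""):
    """Return policy findings for pw; an empty list means it passed."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    if len(char_classes(pw)) < 3:
        findings.append("fewer than 3 character classes")
    if userid and userid.lower() in pw.lower():
        findings.append("contains the userid")
    # Also strip leftover digits/punctuation so "foofoo1" still trips the test.
    normalised = normalise_leet(pw)
    stripped = re.sub(r"[^a-z]", "", normalised)
    if normalised in WORDLIST or stripped in WORDLIST:
        findings.append("dictionary word (possibly leetspeak-disguised)")
    return findings
```

Running check_password("F10ppy") reports both the length and the dictionary finding, while Mark's "2B||!2b?" passes with roughly 52 bits of brute-force search space.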

I find that changing passwords every 30 or 90 days is pretty much a waste except for things like wireless WEP keys, where you should change 'em every month or two since you broadcast them all over the neighborhood continuously.

I generally use 'weak' PWs for forums and web sites, and stronger ones for important stuff.

Things like gun serial numbers (not custom #'s) make pretty good passwords as well, especially if you use more than one run together.


I have an online banking account that I could no longer use because my password was "too strong": I can't remember it. Gotta find the time to visit the bank to reset it. :( Or I could have probably written it down and stuck it on my monitor. :P:D

In all seriousness (and no intention to hijack Flex's thread), those secure sites, are they really "secure"? If I see a padlock icon in my browser's status bar, is that an indication that I'm already in a secure connection or can somebody spoof that icon?


Something like this can help too:

http://passwordsafe.sourceforge.net/

It'll generate good passwords, and then you can just 'click' them in.. and never really have to know them (but you can view them).

I suspect however, that most access of data isn't from getting your password, but rather someone hacking into the site and stealing large quantities of information from the server.

And, the policies of some companies... enable these hackers to get your userid and passwords. Maybe not your logon and password, but the account numbers, passwords or PINs that are stored there.

Same thing with using SSL vs not... the majority of the hackers aren't using packet sniffers to get data.

Used to be one of the most common password patterns... involved your local sports teams...


If you work with OPM* for about twenty minutes you will realize the importance of strong passwords. Maybelle Eddincott does not want to know about how much she has in her checking account, she wants to know exactly.

Think about your own money when you go on-line. Listen to what these guys are telling you. If you don’t already have one, get a credit card that will let you create a new “stealth” number for every transaction.

Remember what your mother told you, if you tell just one person it’s no longer a secret.

David C

*other peoples money

Edited by geezer-lock

Just curious as to what prompted Flex to start this thread...did you get hacked or something...

Curiosity killed the cat...better change your password. ;)

Nah...just wondering. I had/have a different password here than for other things...as my log-in here has some juice. It was pretty simple though (not easily guessed, but could have been hacked by a dictionary attacker). I changed it and thought it would be a good topic to throw out to raise awareness.


The guy who owns my cart system told me of an interesting technique hackers use to get past your "good" password. Say I have a "weak" password for my email account. So a hacker cracks that, now they can intercept my emails. Then they try to log into the cart system (which has credit card info) with my account name, and click the "Lost password" link. They intercept the email the cart system sends, and now they're logged in to my cart account.

be
