All I can say is this...
Randomness != secure
Length and non-biometric information is far more secure in the long run, and easier to remember
Researchers have uncovered a massive cache of stolen account credentials which could impact some two million users. Security firm Trustwave said that its SpiderLabs reconnaissance team has detected a malware operation which has been able to pilfer account credentials on infected machines and build an archive of lifted …
And watch that long password fall to a dictionary attack. Ars Technica: “thereisnofatebutwhatwemake”—Turbo-charged cracking comes to long passwords, and How the Bible and YouTube are fueling the next frontier of password cracking. 1000 guesses per second is stupidly slow. Try 30 billion per second!
1000 guesses per second is stupidly slow. Try 30 billion per second!
And how many websites let you ender that many guesses a second, or even a year?
If they have the password file, they have your password. Reading the articles you linked (thanks!), no matter how stupidly complex your password is you're screwed. It's a matter of time and like the article says, some passwords fell very quickly but others took a while. Once the software/techniques and of course source lists were enhanced, those harder passwords were cracked.
Read the article found on the following link to understand how passwords are cracked. It's not one user password at a time. User passwords are stored within an encrypted hash. Steal the hash and test words against it until you get matches.
Easy passwords are quickly solved; repeat test with a better algorithm for more passwords; repeat again until the return (resolved passwords) on investment (time) is no longer worth the effort.
The log into site with username and cracked password.
Various nuances are discussed within the article.
So I was in a retail store the other day and something was amiss with the register. The cashier called for her manager who came over to diagnose the problem. With me standing right there the manager said 'Push the Mgr Override button. Enter my employee ID (she spoke it aloud) then enter my password (again aloud) 1234567 and delete the transaction'.
This was at a gigantic retail store with huge amounts of cash in each till and here's the manager not only blabbing her override information to another employee, but also to customers and the password is 1234567.
Since I have no intention of getting done up for stealing from a retail store this information is useless to me. But it may not be useless to the employee or to their friends. Plus it's just epically stupid. Billions a year in revenue and even basic security isn't in place. I really don't have much confidence it's in place elsewhere either.
You only need to remember one password; the master password to a vault such as KeyPass
Quite why, in this day and age, people continue to try to *remember* different passwords for different sites or, worse, re-use the same one with multiple sites, is beyond me. I can only conclude it's ignorance and/or laziness.
(Edit: And yet these same people are happy to use a contacts list in their phone and email, rather than remembering phone numbers and email addresses)
I was guilty of reusing a couple of passwords for multiple sites and did eventually turn to KeePass and haven't looked back since. All sites I use have a minimum 20 character password automatically generated when I create an entry.
The only downside is I keep my database on an encrypted USB (backed up in my own cloud at home) so have to sort that out before I can access them and the auto type is a bit flaky on quite a few sites. Apart from that it's bloody marvellous.
> But, how do we know that the people who make KeePass are trustworthy?
It's Open Source software, so the source code is there for inspection should you wish to audit it.
Maybe the guys currently independently auditing TrueCrypt can move onto KeyPass next?
There is a flaw in thinking that 'open source' means secure.
Once upon a time, a western firm provided controllers to the then USSR for the operation of their pipe line. This was at a time the the USSR could make a microprocessor from stolen technologies, but the device was 5 times the size with twice the inefficiencies in power and speed.
The US gov't inserted a backdoor into the compiler and decomplier used to create new firmware. The resulting binary always had the backdoor and available decompliers always hid the backdoor. I think that was in 1970-ish. I am old and forget what I have done.
I know what you mean Mr Harvey, its a real pain in the backside so just do what i do and write them down on a piece of paper then refer to that piece of paper when you need to. To provide an extra layer of security, you could write them down in a pad (paper one not Apple) and put the pad in your trouser pocket thus "Air-Gapping" your collection of passwords from any potential Hacker.......this advice is 'No Charge' to you Sir.
No good writing 'em down, only takes a spill of coffee, coke (*) or small child needing some scrap paper and they'll all gone...unless you have a strongbox in the house with a photo-copy of the written down passwords, or better still make that a fireproof safe!
( * My Missus did have a book of passwords and logins written down and they did get soaked from an ice-cold frosty, sugar-beverage! Luckily she dried the book out and learned her lesson, put them in an encrypted software vault! )
Absolutely! That is one thing many people do not understand! My GF uses the same unlock code on all of her devices. And the same lame response I get whenever it's brought up, "But what if I forget one? I don't want to have to remember that many passwords." FFS!
The response I often hear when questioning someone's limp choice of password is along the lines of "well what do I care if someone gets access to my facebook/twitter account?". About half are a bit more sheepish when pressed as to whether their recycling policy extends to banks, credit cards etc.
I finally changed my GFs mind when I found her email and favourite multi use password in a list dumped after a well publicised hack.
Don't worry, you can keep track of them in one of these:
Are you tired of losing track of those login/usernames and passwords you create every time you visit a new Web site? Do you have sticky notes and scraps of paper scattered about your office and home computer space covered with these vital pieces of information, but never seem to be able to put your hands on them when you need them? Now you can keep important Web site addresses, usernames, and passwords in one convenient place! Introducing the Personal Internet Address & Password Organizer! This time-saving, headache-preventing little organizer features:
Lots of space: 144 pages, including tabbed alphabetical pages
Plenty of room for all those Web site addresses, usernames, passwords, and additional notes
A spiral binding that allows pages to lie flat for ease of use
Handy elastic band closure
Pages in the back on which to record additional useful information, such as your home network configuration, software license numbers, and other notes
Removable label and discreet cover design
4-1/4'' wide x 5-3/4'' high
No it's not April 1st, this and several similar ones get 4*+ reviews.
It even says "Personal Internet Address and Password Log Book" on the front (in big friendly letters as required by law).
I've asked my local IT folks if they can supply them, given that their expertise doesn't seem to cope with anything other than Active Directory authentication from Windows XP/7 clients (and deffo no Lunix).
Yep, I've got one of those. I got so annoyed with remembering all the passwords I needed that I bought one.
I knew it wasn't very secure though, so I created an encryption sheet of 987 letters with a master sheet which changes every week to give a new lead key. As long as I remember the decryption sequence it's easy.
People who don't take basic security steps, like anti-malware and anti-virus, also trend to choose dumb passwords!
Providers need to put basic checks into their systems to prevent such passwords in the first place. Just because 12345 is the combination for your luggage doesn't mean you should use it for your bank accounts!
12345? That's amazing! I put the same combination on my luggage!
But SERIOUSLY, remembering the password IS an issue just as big as having it stolen which is why it creates a second, competing barrier to passwords: you need one that's hard enough to guess but not SO hard you can't recall it. Think of it like having a ring full of keys. If time is pressing, could you retrieve the one key you need quickly enough? And if you use anything to help differentiate the keys, then someone who STEALS the keys can use those mnemonics, too. And key vaults only help if you're in known systems. What if you MUST login on a new or otherwise unknown device where the key vault can't be retrieved?
Sometimes I wonder if we should try to develop something better than passwords because, let's face it, people's memory can be flakey, but what alternatives are out there that can tick all the boxes?
Now imagine some future exploit el reg falls for means your password hash is discovered. You had better hope they are using some appropriate salt in their password hash. If not your password will be identified in seconds. The same credentials can thenbe checked for the email, ebay, amazon, etc. If they can access your email they will get all sorts of passwords reset.
" I'm only 4 votes off a silver badge so hands off the reg account"
It's posts, I thought, not votes (it's certainly not word count, otherwise I'd have a platinum badge with diamond adornments).
So on that basis, open your Reg account to the hackers, let them spill their bile, advertise their tawdry tat etc, and those posts will push you over the limit. But you can have a free upvote on me, if that's any help.
Ah the old FB is not a bank and I don't care if someone hacks my Yahoo account line.
Do you realise your FB account contains lots of personal details that would be useful in impersonating you to your bank?
Would you care if I hack your Yahoo email and send a message to your boss telling him you think he's a dick? Maybe send everyone at work an email containing goatse? Or how about sending your wife/husband an email that appears to be one you meant to send to the lover you are having an affair with?
Suddenly that unimportant Yahoo account might need a better password.
So what's the solution?
Remembering 10-20+ strong passwords isn't easy for most people.
I've been thinking of using one of the password vault systems but then all my credentials are in one place - what happens when they get hacked?
Is it really so bad to write everything down? A notebook with all credentials, though instead of using a bank name you'd probably use something a little more cryptic. Stick it on the bookshelf, lock it in a box, whatever. At this point it seems far less likely that it will be compromised than using crap passwords on websites. Especially if you live alone - I suspect very few burglars will be looking for this. Seems like good risk management to me.
Of course this only works for sites you access from home.
Note: just had to reset password to post this as I forgot it.
"reset your password every single time you use a service"
I sort of do this with a lot of passwords. Not on purpose, but the once a year that I might log into some software company's updates page or similar, there's no way in hell that I'm going to remember what I used as a password, let alone which email address I used to sign in, so I make good use of their 'Forgot my password' button. Then I just have to try a few email addresses until it recognises one.
When the passwords are just lifted wholesale in clear text from the site you enter it at, whats the point?
On top of that, its a proven fact that the more complex the password the more likely it is to appear on a post it note stuck to the screen...
Whilst I don't do it (I am fortunate in having a reasonably good memory and a technique for creating passwords), Bruce Scheier actually advocates strong passwords written down and kept in your wallet/purse. I'm not sure I agree, since money, cards and passwords all kept in one place just seems to multiply the pain if it is stolen, but using a simple substitution code (all numbers are +2, or whatever) could help.
I got so peed off with different sites requireing different policies, that I came up with my own.
I have three passwords, (four if you include the ones I don't bother remembering) that I use for everything.
I have my use everywhere password for low value sites that wont hurt me if they are cracked (such as this one). It looks like Passw0rd (but isn't) giving me 8 character mixed case with digit to satisfy most sites.
I have the passwords that must be changed on a regular basis such as work, it looks like Password1311 (but isn't), the digits are the year and month I last had to change it.
I have a complex non-guessable password for bank accounts etc.
And finally, for infrequently visited sites, I just use the "forgot my password" link and have them send me a new one when I want access.
I am not a fan of keypass or the likes as they are just a single point of failure. If someone hacks my hotmail account, if they take the time, they can find references to some of the other sites I access, and maybe even some of the user ids I use. They can they try to access each one individually to see if I have used the same password. If the break my keypass account, they have full access to every site I have registered with keypass, no need to guess. And that motivates hackers to target keypass.
Care to know a password generating scheme that works?
The password checker at https://howsecureismypassword.net/ say that my passwords are pretty good.
It would take a desktop PC about
501 nonillion years
to crack your password
I use a md5 hasher to create a password; I need only remember the method used to create the root word used for all sites. The md5-er will make it different and significantly more complex.
my root word for the password for 'The Register' is two parts. A ' short secret pattern' used at all sites and several characters from site name; ie. 'The Register' = happyregister. The md5 hash is 589c4d4e1f9bf29a16fd66fb385ea351 and The Register likes long passwords :)
For the few sites that don't like long passwords or requires special chars, I reduce the password length until the site is happy and add the special characters as needed. For some sites, I do have to keep up with the length and special chars, but very few; and I have a simple 'tag' based on a common pattern for all such needs. example 589c4d4e1f9bf29a16fd66fb385ea351 plus the tag 'N!'
So I copy & paste the md5 hash and type the tag...
Every site has a different password because I am using the site name as part of the root password.
I never write down a password. I use the md5 hash maker to generate it as needed.
I am never 'without' my password because I know the pattern for the root word and this site will gladly give me the md5 hash. http://www.miraclesalad.com/webtools/md5.php
If you can spot a flaw with my method, please point it out to me.
Biting the hand that feeds IT © 1998–2018