Stolen passwords integrated into the ultimate dictionary attack

Targeted password guessing turns out to be significantly easier than it should be, thanks to the online availability of personal information, leaked passwords associated with other accounts, and our tendency to incorporate personal data into our security codes. In a paper [PDF] presented at the ACM Conference of Communication …

  1. a_yank_lurker

    Using a password manager

    One way to generate effective passwords is to use a good password manager that will generate gibberish passwords on demand. 48 or 64 characters of random gibberish will take a good while to guess.

    This research highlights that the more one can learn about a potential victim, the easier it is to attack. The Internet makes finding a lot of information much easier, even if it was always publicly available.

    1. This post has been deleted by its author

    2. Anonymous Coward

      Re: Using a password manager

      "One way to generate effective passwords is to use a good password manager that will generate gibberish passwords on demand. 48 or 64 characters of random gibberish will take a good while to guess."

      ... if it weren't for sites which want to enforce the presence of certain characters, but at the same time limit the password length (although I think a password of more than 128 characters is a tad excessive :) ). Yes, I use a random generator too, but I also started to give sites email addresses that tell me who sold mine on to third parties - you have no idea just how many do that to earn an extra buck :(.

    3. Anonymous Coward

      Re: Using a password manager

      Yeah good.

      Until said password manager becomes mainstream and the blackhats reverse engineer the "random" generator algo.

      Certificates are the way to go with a certificate manager.

      Easily revoked at both ends and easily regenerated.

      We just need to work out a reliable and secure means of exchanging keys.

      1. Charles 9

        Re: Using a password manager

        "Until said password manager becomes mainstream and the blackhats reverse engineer the "random" generator algo."

        Even if they reverse-engineer it (and the one in KeePass is open-source), if the algo was seeded properly with truly random data (or even just truly ephemeral data, like the time of creation to the microsecond--try figuring out THAT one), they'll still be at a loss to reconstruct the password. It's like trying to predict the lottery.

  2. Brian Miller

    Sites also a problem

    The other day I was creating an account on a site where the password just had to be typed in manually. Usually I like 20-30 random character passwords, but this site made it practically impossible for me! Gee whiz, unknown people, why do you make your sites unfriendly to secure entropy? What is the personal problem with being able to paste a long password into the box?

    Ech.

    1. Schultz

      Re: Sites also a problem

      I find that generated random passwords with a slight sorting of characters and removal of some difficult-to-find special characters usually give a decently typable password. Feel free to use any of my spares (as long as you use them for your own account ;)):

      HAwwpy~QU356.uc

      jazFURC=Lx+Gb143

      iralwDQ+78wmCli

      \99@NULC-J45xdc
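
The generator discussed in the first thread (random gibberish from a manager, the "typable" variant above, and the question of whether the generator's algorithm being public matters) is easy to make concrete. The following is an added example in Python, not code from The Register article, the Wang et al. paper, or any password manager mentioned here. It draws passwords from the OS CSPRNG via `secrets`, fits them to a site's length cap and composition rules by rejection sampling, and, as a contrast, brute-forces the seed of a deterministic `random.Random` generator. The 16-bit seed range in `recover_seed` is a constructed toy space chosen so the search finishes instantly; the "typable" punctuation subset is likewise an assumption, not Schultz's exact rule.

```python
import math
import random
import secrets
import string
from typing import Optional, Sequence

# Full printable ASCII set a password manager might draw from (94 symbols),
# and a "typable" subset (assumed here) that keeps only punctuation that is
# easy to find on most keyboard layouts, for passwords that must be typed.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
TYPABLE_ALPHABET = string.ascii_letters + string.digits + "-_.+=@#%~"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random password drawn from the OS CSPRNG via `secrets`.

    There is no seed for an attacker to reconstruct: every character is an
    independent draw from the kernel's entropy source, so publishing this
    function costs nothing.
    """
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet must be non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_for_site(length: int, max_length: int,
                      required_classes: Sequence[str],
                      alphabet: str = FULL_ALPHABET) -> str:
    """Honour a site's length cap and 'must contain' rules by rejection sampling.

    Regenerating until every required class is present keeps the result uniform
    over the set of passwords the site accepts, instead of patching a digit into
    a fixed position (which an attacker who knows the manager can model).
    """
    length = min(length, max_length)
    if len(required_classes) > length:
        raise ValueError("more required classes than characters")
    if any(not set(cls) & set(alphabet) for cls in required_classes):
        raise ValueError("a required class has no characters in the alphabet")
    while True:
        candidate = generate_password(length, alphabet)
        if all(any(c in cls for c in candidate) for cls in required_classes):
            return candidate


def seeded_password(seed: int, length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Deliberately weak generator: a deterministic PRNG seeded with a small integer."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def recover_seed(target: str, seed_space: range,
                 alphabet: str = FULL_ALPHABET) -> Optional[int]:
    """Brute-force the seed behind `seeded_password`.

    Whoever can enumerate the seed space (a constructed 16-bit range here, for
    speed) regenerates the password exactly. The algorithm being open source is
    irrelevant; only the unpredictability of the seed protects the output.
    """
    for seed in seed_space:
        if seeded_password(seed, len(target), alphabet) == target:
            return seed
    return None


if __name__ == "__main__":
    print(generate_password(48))
    print(generate_password(16, TYPABLE_ALPHABET))
    print(generate_for_site(30, 16, [string.digits, string.punctuation]))
    print(f"48 chars from {len(FULL_ALPHABET)} symbols: "
          f"{entropy_bits(48, len(FULL_ALPHABET)):.0f} bits")
    leaked = seeded_password(4242, 16)
    print("seed recovered:", recover_seed(leaked, range(1 << 16)))
```

The design point is the contrast between the two generators: `generate_password` has no state an attacker can enumerate, while `seeded_password` is fully determined by its seed, so the work to recover the password is the size of the seed space, not 94 to the power of the length.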

    2. Flocke Kroes

      Re: Sites also a problem

      The site bought some software that is supposed to identify who is typing by looking at the amount of time between key presses and releases. Clearly people pasting a randomly generated password for each site from an encrypted file are a threat to sales of this software. Such people must be bashed repeatedly with inconvenience until they use "correct horse battery staple" for all their accounts.

      As a bonus, key timing software can decloak privacy nuts who use different user names for different accounts. It is almost as if these people do not understand that they only exist to promote the sales of analytics software.

    3. This post has been deleted by its author

      1. Doctor Syntax

        Re: Sites also a problem

        "There are many Chrome and Firefox extensions available to override these double dumbass website wankers."

        There's an even better way - take your business elsewhere.

        1. Charles 9

          Re: Sites also a problem

          "There's an even better way - take your business elsewhere."

          Ever heard of a Captive Market? If they're the ONE AND ONLY source of something (say the manufacturer's website), you're left with a Hobson's Choice: Take It or Leave It and be left with very expensive bricks.

      2. Pink Duck

        Re: Sites also a problem

        I usually go for Shift-Insert first, failing that using a built-in web debugger.

        1. Anonymous Coward

          Re: Sites also a problem

          With Safari on OS X, if the site blocks pasting the password via Cmd-V, it's usually worth trying right click > Paste from the context menu. Works about 75 percent of the time I've been blocked.

  3. 0laf

    Do they select research teams by how well their names rhyme?

    Ding Wang, Zijian Zhang, Ping Wang, Jeff Yan and Xinyi Huang from Fujian.

    If true, possibly the best team ever.

  4. Tech Hippy

    What's a "security-savvy user"

    The figures are pretty meaningless without defining the terms.

    1. David Shaw

      Re: What's a "security-savvy user"

      from a quick read of the ACM paper, I think he means that the 'standard users' use "123456" everywhere, and the 'security-savvy user' however use different pw's for the different websites: such as '123456eBay' and '123456BraclaysBonk'; the very clever Wang team have decided that they can guess 30% of the time what Mr. Savvy uses at Yahoo!

      (I think I agree with you that the really really savvy users just won't go near the !)

      I leave you with a just-announced revolution, totally OT http://cogink.com/cleese/

      1. allthecoolshortnamesweretaken

        Re: What's a "security-savvy user"

        Dave, thank you, thank you, thank you for that link!

      2. Captain DaFt

        Re: What's a "security-savvy user"

        Geez, doesn't Cleese think The UK has suffered enough after Brexit?

        This is like throwing a posh dinner party and insisting the neighboring hooligans attend!

    2. allthecoolshortnamesweretaken

      Re: What's a "security-savvy user"

      Can differentiate between the power switch of the computer and the power switch of the monitor?

  5. Jin

    Password could work if expanded

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

    At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    Are you aware of this?

    https://youtu.be/-KEE2VdDnY0

    1. Charles 9

      Re: Password could work if expanded

      Are you aware that websites have to accommodate the BLIND by law? Picture passwords are useless to the blind.

  6. Grunchy

    I heard a surprisingly secure password can be made by stringing together 3 or more unrelated words & some numbers or characters.

    Like FreekyEgg5&Purple is a pretty good password, and if you tried hard you might be able to remember it.

    1. Charles 9

      Now do that again for the hundred or so sites you pass through every week, without repeating. This is why every time someone mentions your scheme or xkcd, I reply with, "Now was it 'correcthorsebatterystaple' or 'donkeyenginepaperclipwrong'?"
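
The exchange above (several unrelated words plus a digit and a symbol, in the FreekyEgg5&Purple shape) is the kind of scheme whose strength depends entirely on what the attacker is assumed to know. The following is an added example in Python, not code from the page, the commenters, or the paper. It builds such passphrases from a constructed 32-word toy list (a real diceware list has 7776 words; the arithmetic is the same for any size), and compares the entropy an attacker who knows the scheme actually faces against the figure a naive composition-rule checker would credit. The word list and the fixed "one digit, one symbol, one gap" layout are assumptions made for the example.

```python
import math
import secrets
import string
from typing import List, Sequence

# Constructed toy word list: 32 words, so log2(32) = 5 bits per word.
# A real list is far larger (the classic diceware list has 7776 words,
# about 12.9 bits per word); the functions below take the size as input.
WORDS = [
    "apple", "anchor", "basket", "bridge", "candle", "castle", "donkey", "dragon",
    "engine", "eagle", "forest", "freeky", "garden", "glacier", "hammer", "harbor",
    "island", "ivory", "jungle", "kettle", "lantern", "marble", "nickel", "orbit",
    "paper", "purple", "quartz", "ribbon", "saddle", "tunnel", "velvet", "walnut",
]


def pick_words(n_words: int, wordlist: Sequence[str] = WORDS) -> List[str]:
    """Choose words uniformly and independently (with replacement) via the OS CSPRNG."""
    if n_words < 2:
        raise ValueError("use at least two words")
    return [secrets.choice(wordlist) for _ in range(n_words)]


def assemble(words: Sequence[str], digit: str, symbol: str, gap: int) -> str:
    """Capitalise each word and insert digit+symbol into gap `gap`
    (0 = after the first word), giving the FreekyEgg5&Purple shape."""
    caps = [w.capitalize() for w in words]
    if not 0 <= gap < len(caps) - 1:
        raise ValueError("gap index out of range")
    return "".join(caps[:gap + 1]) + digit + symbol + "".join(caps[gap + 1:])


def passphrase(n_words: int = 3, wordlist: Sequence[str] = WORDS) -> str:
    """Random passphrase in the scheme: words, one digit, one symbol, random gap."""
    words = pick_words(n_words, wordlist)
    digit = secrets.choice(string.digits)
    symbol = secrets.choice(string.punctuation)
    gap = secrets.randbelow(n_words - 1)
    return assemble(words, digit, symbol, gap)


def scheme_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy faced by an attacker who knows the scheme and the word list:
    the word choices, the digit, the symbol, and which gap they occupy."""
    return (n_words * math.log2(wordlist_size)
            + math.log2(len(string.digits))
            + math.log2(len(string.punctuation))
            + math.log2(n_words - 1))


def naive_char_entropy_bits(password: str) -> float:
    """What a composition-rule checker credits: length * log2(size of the
    union of character classes present). Overstates structured passwords."""
    size = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in password):
            size += len(cls)
    return len(password) * math.log2(size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Words required to reach `target_bits` from the words alone."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print(passphrase(3))
    sample = assemble(["freeky", "egg", "purple"], "5", "&", 1)
    print(sample, f"naive: {naive_char_entropy_bits(sample):.1f} bits")
    print(f"scheme, 3 words from 7776: {scheme_entropy_bits(3, 7776):.1f} bits")
    print(f"scheme, 3 words from {len(WORDS)}: {scheme_entropy_bits(3, len(WORDS)):.1f} bits")
    print("words from a 7776-word list for 80 bits:", words_needed(80, 7776))
```

Against a guesser that models the scheme, three words from a 7776-word list give roughly 48 bits, while a length-times-alphabet count credits the same string with over 110. The gap between those two numbers is the whole point of the targeted-guessing research: the attacker's model of how people build passwords, not the raw character count, sets the cost.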

  7. This post has been deleted by its author

  8. Frankmiller

    Yes, using a password manager is the best option. Even if the password manager companies get hacked, your passwords are still safe. They keep them encrypted, so that only someone who knows your master password can get in.
