• Test your password

    • #1283176

      Even “password” takes nearly 7 years to crack, but because it’s a dictionary word it will happen much faster – seconds probably. A very simple change will make it much less likely to be broken but still easy to remember. Add an upper case character somewhere and add the position of the upper case character to the end, e.g. “passWord5”. Now you can add a character to the end, based on the number and the Shift key, e.g. “passWord5%”, and you end up with an easy to remember password that would take centuries to crack.

      Importantly, do not use the same password on more than one site. Once someone steals your password they can access any site you use, and at the rate web sites are being hacked that is a real possibility. Create an easy to remember but difficult to crack password and use it as the password for your password manager. The password manager does the rest.

      cheers, Paul

    • #1283197

      Thanks Paul, I have all different passwords & a master to keep them all safe (ME)

    • #1283769

      “Assuming one hundred billion guesses per second, 19.24 years”
      That’s still a long time for a short password. Your master password should always be as long as you can get away with.

      You also need to factor in the system you are trying to crack. Assuming it is an encrypted file and the cracker has a copy, if the designer has done it properly it will still take at least 1 second per attempt. That increases the time to crack by at least an order of magnitude, even in the cloud. Much easier to steal your bank password directly from the browser via a trojan.

      cheers, Paul

    • #1283778

If I used the same password in ‘WSL’ & another forum for logging in only, with the same email address in both, which has a good, long, different password, how vulnerable would I be?

      • #1283782

If I used the same password in ‘WSL’ & another forum for logging in only, with the same email address in both, which has a good, long, different password, how vulnerable would I be?

        If someone were to find a forum where he could log in as you, he could (1) exercise your powers on the forum (most important for administrators and moderators), (2) impersonate you in social engineering attacks in that community (e.g., requesting information or action via posts or private messages that would only be undertaken based on trust), and (3) take actions in your name that could affect your reputation in the community or potentially create legal liability.

        Writing that makes me want to upgrade some of my passwords. :o:

        • #1283784

          If someone were to find a forum where he could log in as you, he could (1) exercise your powers on the forum (most important for administrators and moderators), (2) impersonate you in social engineering attacks in that community (e.g., requesting information or action via posts or private messages that would only be undertaken based on trust), and (3) take actions in your name that could affect your reputation in the community or potentially create legal liability.

          Writing that makes me want to upgrade some of my passwords. :o:

My thought entirely. I have just upgraded mine, which are so complicated I’ve to copy/paste to re-log in.

    • #1284404

      Too many web sites restrict you to 12 character passwords with only alphanumerics – very poor.

      cheers, Paul

      • #1284818

        Too many web sites restrict you to 12 character passwords with only alphanumerics – very poor.

        cheers, Paul

        As Roger Grimes of Infoworld advises us, security researchers have found that it is the length of a password, not its complexity, which makes it more secure. The 12-character limit bothers me more than any restrictions on using higher-order characters. Alphanumerics are fine. But the length should be 16 to 32 characters, as in a passphrase. One you can remember, but which is gibberish to most folks. All in simple letters and numbers.

        -- rc primak

    • #1284435

And how good will your security be when This Happens? :rolleyes:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      • #1284571

And how good will your security be when This Happens?

        If the encryption is designed properly it will still be safe. To do this you define X number of encryption rounds required before the password will unlock the encryption.

        cheers, Paul
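The crack-time figures quoted earlier in the thread (“nearly 7 years” for “password”, “19.24 years” at a hundred billion guesses per second) follow the Gibson Research Corporation calculator’s arithmetic, and Paul’s point about encryption rounds is a rate reduction on top of it. The Python below is an added example, not code from any poster or from GRC: it reproduces that search-space calculation and adds a `rounds` factor for key stretching. The 1,000 guesses/second “online” rate, the 33-symbol class, and the sample passwords are my assumptions.

```python
import string

# Character classes as a Haystack-style calculator counts them: the
# search space is every string of length 1..n over the union of the
# classes the password actually uses (33 = 32 ASCII symbols plus space).
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest class union that covers the password."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Guesses needed to exhaust every length up to len(password)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def crack_time_years(password: str, guesses_per_second: float, rounds: int = 1) -> float:
    """Worst-case years to exhaust the search space.

    `rounds` models key stretching as Paul describes it: if the verifier
    runs the hash `rounds` times per attempt, an attacker with a copy of
    the file gets only guesses_per_second / rounds effective attempts.
    """
    effective_rate = guesses_per_second / rounds
    return search_space(password) / effective_rate / SECONDS_PER_YEAR


ONLINE = 1_000               # assumed throttled online guessing
OFFLINE = 100_000_000_000    # "one hundred billion guesses per second"

if __name__ == "__main__":
    # Constructed samples: Paul's examples plus a 16-char alphanumeric passphrase.
    for pw in ("password", "passWord5", "passWord5%", "alpha7tango2zulu"):
        print(f"{pw:18s} alphabet={alphabet_size(pw):2d} "
              f"online={crack_time_years(pw, ONLINE):.3g}y "
              f"offline={crack_time_years(pw, OFFLINE):.3g}y "
              f"offline+100k rounds={crack_time_years(pw, OFFLINE, 100_000):.3g}y")
```

Run it and note that adding the single “%” to “passWord5” moves the offline figure from about a day and a half to about 19 years, while 100,000 rounds multiplies every figure by 100,000.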

    • #1284520

      At Gibson Research Corporation.

      Not saying this is, but what a great way to phish for passwords. 🙂

    • #1284570

      Cynic!

      cheers, Paul

    • #1285077

How timely — there was an article about Passwords in Ask Leo! just the other day:

http://ask-leo.com/how_long_should_a_password_be.html

I’ll say the same thing here that I said there:

      The book “Perfect Passwords: Selection, Protection, Authentication” by Mark Burnett ($18.96) recommends a 16-character minimum length password for this reason, but then, it was written in 2005 — so I would expect by now that the standard rainbow tables have been rather expanded by now!!! I would very seriously recommend a twenty-character password by now.

      Really, folks: There is NO such thing as “a password too long” — unless it’s so long that it’s rejected by the system you’re feeding it to.

      • #1285768

How timely — there was an article about Passwords in Ask Leo! just the other day:

http://ask-leo.com/how_long_should_a_password_be.html

I’ll say the same thing here that I said there:

        The book “Perfect Passwords: Selection, Protection, Authentication” by Mark Burnett ($18.96) recommends a 16-character minimum length password for this reason, but then, it was written in 2005 — so I would expect by now that the standard rainbow tables have been rather expanded by now!!! I would very seriously recommend a twenty-character password by now.

        Really, folks: There is NO such thing as “a password too long” — unless it’s so long that it’s rejected by the system you’re feeding it to.

        Pretty much right-on, but sixteen characters is still considered sufficient. Thirty-two if the system allows it. And as I stated before, letters and numbers only is sufficient — no need for special characters.

        -- rc primak

    • #1285811

Have there been any fairly recent studies about the passwords of individuals (not organizations) whose passwords were successfully hacked? I wonder how many of the hacked passwords were even moderately strong, i.e., not containing words found in the dictionary, names of spouses, children, and pets, dates of birth, etc. It may be that a password like db6&=jQ+?tX could be hacked by the folks who bother with individuals’ passwords, but my assumption is that such hackers are looking for lower-hanging fruit.

      • #1285977

Have there been any fairly recent studies about the passwords of individuals (not organizations) whose passwords were successfully hacked? I wonder how many of the hacked passwords were even moderately strong, i.e., not containing words found in the dictionary, names of spouses, children, and pets, dates of birth, etc. It may be that a password like db6&=jQ+?tX could be hacked by the folks who bother with individuals’ passwords, but my assumption is that such hackers are looking for lower-hanging fruit.

I would think Roger Grimes at Infoworld would be keeping up with the latest research, both for corporate users (who have a big problem with “spear phishing”) and private individuals. Most of the breaches of individuals seem to have been through social engineering or phishing, or through hacking into accounts which were protected by very weak passwords. The weakest individual security is to actually keep emails containing password changes.

        Of course, when the breach is on the ISP side of things (Sony Playstation Network, for example) there’s not much we as end users can do about it.

        -- rc primak

        • #1286377

I would think Roger Grimes at Infoworld would be keeping up with the latest research, both for corporate users (who have a big problem with “spear phishing”) and private individuals. Most of the breaches of individuals seem to have been through social engineering or phishing, or through hacking into accounts which were protected by very weak passwords. The weakest individual security is to actually keep emails containing password changes.

          What you say is in keeping with what I’ve been assuming. I thus wonder about the attention in this thread and others to the need for immensely long passwords. I doubt that I need a password of 16 characters, which the book mentioned above recommends as the minimum length. What I do need are passwords that are impossible to guess, that aren’t vulnerable to dictionary search techniques, and that are different for almost each site I use, along with enough savvy not to fall for social engineering or phishing schemes.

          • #1288335

            Somewhere or another recently, I read an article on this subject. Someone quoted in the article said that he wrote down all of his passwords–but in a disguised form. He offered no specifics. Anybody else do this?

            I’m still thinking about this, but I find it a bit intriguing. Let’s say that you use a top-notch password generator to produce a strong letters-and-numbers password. You can safely write it down and leave it next to your keyboard because only you know that (for example) each letter is offset by -1 (that is, the “d” on paper = “c” in the “real” password) and each number is offset by +1 (5 on paper really means 6).

            You could of course make the “disguise” much more complicated than my example above. Perhaps you let the offset be determined by whether the first number in the written-down password is odd or even, for instance.

            Like I say, I find this a bit intriguing. Your thoughts?
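Owen’s offset disguise, written out as an added Python example (not Owen’s code or anything from the article he mentions): `reveal()` applies the offsets he gives (a letter on paper is one earlier in the real password, a digit is one later), `disguise()` is the inverse used when writing the note, and `disguise_key_space()` counts how many letter/digit shift pairs this family of disguises can use. Wrapping at the ends of the alphabet and digits, and preserving case, are my assumptions.

```python
import math
import string


def _shift(ch: str, alphabet: str, k: int) -> str:
    """Move ch k positions within alphabet, wrapping at the ends."""
    return alphabet[(alphabet.index(ch) + k) % len(alphabet)]


def reveal(written: str, letter_shift: int = -1, digit_shift: int = 1) -> str:
    """Turn the note on paper back into the real password.

    Defaults follow the post: 'd' on paper is 'c' in the password,
    '5' on paper is '6'.  Case is kept; other characters pass through.
    """
    out = []
    for ch in written:
        if ch in string.ascii_lowercase:
            out.append(_shift(ch, string.ascii_lowercase, letter_shift))
        elif ch in string.ascii_uppercase:
            out.append(_shift(ch, string.ascii_uppercase, letter_shift))
        elif ch in string.digits:
            out.append(_shift(ch, string.digits, digit_shift))
        else:
            out.append(ch)
    return "".join(out)


def disguise(real: str, letter_shift: int = -1, digit_shift: int = 1) -> str:
    """Inverse of reveal(): what to write on the paper for a real password."""
    return reveal(real, -letter_shift, -digit_shift)


def disguise_key_space() -> int:
    """Distinct (letter_shift, digit_shift) pairs: 26 letter shifts x 10 digit shifts."""
    return len(string.ascii_lowercase) * len(string.digits)


def disguise_bits() -> float:
    """Secret the note's reader lacks, in bits: log2(260), about 8 bits."""
    return math.log2(disguise_key_space())


if __name__ == "__main__":
    real = "Kq7mZ2xb0Hd9"   # constructed sample from a letters-and-digits generator
    note = disguise(real)
    print(f"write down: {note}   reveals: {reveal(note)}")
    print(f"disguise family key space: {disguise_key_space()} ({disguise_bits():.1f} bits)")
```

The round trip shows the scheme works mechanically; the key-space count shows what it protects: whoever reads the note is short only about 8 bits, which is why the thread’s password-manager advice is the stronger answer.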

            • #1288366

              Somewhere or another recently, I read an article on this subject. Someone quoted in the article said that he wrote down all of his passwords–but in a disguised form. He offered no specifics. Anybody else do this?

              I’m still thinking about this, but I find it a bit intriguing. Let’s say that you use a top-notch password generator to produce a strong letters-and-numbers password. You can safely write it down and leave it next to your keyboard because only you know that (for example) each letter is offset by -1 (that is, the “d” on paper = “c” in the “real” password) and each number is offset by +1 (5 on paper really means 6).

              You could of course make the “disguise” much more complicated than my example above. Perhaps you let the offset be determined by whether the first number in the written-down password is odd or even, for instance.

              Like I say, I find this a bit intriguing. Your thoughts?

              Owen, Welcome to the Lounge.

What happens if you are visiting a friend or relative in another city and you forgot your PW list (still sitting next to the keyboard at home) but need to access something? Many of us have switched to secure Password Managers on our PCs. I use Last Pass as mine. These have been discussed many times, from Last Pass to Kee Pass to Roboform. I settled on Last Pass and have never looked back. It will generate very secure PWs and store them on an encrypted site that only you have access to with a master password. In fact it is secure enough that if you lose or forget your master PW, Last Pass does not have it to supply to you. This way all you have to do is remember one master PW. Last Pass remembers all the rest.

    • #1288390

      Thanks for the recommendation. I remember just enough from a prob & stat course decades ago to make it entertaining to play around with methods for disguising passwords, but things would of course get pretty clunky if you had more than a few passwords to manage. I’ll check out Last Pass.
