The secret of a secure password

[GaryB]

Saw this on one of my news feeds and thought it might be of interest. It describes the best (and surprisingly simple) ways to choose a secure password. It also shows how long some of them would take to crack:

The Usability of Passwords (by @baekdal)

 

[Mr_Wistles]

Is God not a good one?

 

[IAN P]

I'm secure forever.


Let's hope so.

 

[kav]

At university we logged into a particularly one-dimensional friend's account just by guessing his details. Username: "manutd". Password: "football". I've been working in that area since and have seen some cracking examples of stupidity with password security, but that one always sticks out for me.

 

[imightbewrong]

This means it takes the following time to hack a simple password like "sun":

•Brute-force: 3 minutes
•Common Word: 3 minutes
•Dictionary: 1 hour 20 minutes

Maybe I'm missing something here - how can dictionary search be several orders of magnitute slower than brute force? Looping over all 1/2/3 letter words in a dictionary over an hour? Really? I could do that in over an hour

 

[imightbewrong]

Also, all their 'how to hack a password' attacks are defeated by systems that lock you out after a few tries. Even if they only lock you out for one minute a hacker has no chance if they are purely generating guesses.

 

[GasDad]

I'm missing something here as well.

To me a dictionary attack takes seconds - but requires a copy of the encrypted users password (not impossible on lots of systems). You only need to encrypt each word once and store it - and then simply use the encrypted users password as a hash to look up the plain text password - really not difficult.

Because this can all be done in advance of the actual 'attack', depending on storage available, multiple word dictionary attacks also become possible.

 

[Ian J]

It's often the name of a child or the dog.

We used to have an interesting program a few years ago that showed us a list of forum members using the same password and there were sometimes 25 or more people using the same password.

Fortunately for site security the passwords were encoded and so we couldn't actually read them but I wouldn't mind betting that the more popular ones were "password" or "letmein" or even "123456"

I used to catch loads of banned people re-registering as they tended to use the same password every time they registered but unfortunately changes made in later versions of vbulletin rendered this nifty little program unusable.

 

[MIghtyG]

Im sorted for life then, random numbers, letters and cases ^_^

 

[Singh400]

Im sorted for life then, random numbers, letters and cases ^_^

Rainbow tables

 

[rickinyorkshire]

That document doesn't mention case sensitivity either..

 

[IAN P]

That document doesn't mention case sensitivity either..

Mixed case is mentioned in one of the tables.

 

[Geege]

So the article suggested that using three uncommon words were both easy to remember and highly secure. Does this include adding a space or without?

Thisisfun or This is fun? I assume the former, as sign ins don't allow spaces.

 

[rickinyorkshire]

So the article suggested that using three uncommon words were both easy to remember and highly secure. Does this include adding a space or without?

Thisisfun or This is fun? I assume the former, as sign ins don't allow spaces.

I think it was suggesting the spaces... strange article all in all.

 

[mattclarkie]

So you think I should change from 'password1'

The only easy way to have a complex password is to use a sentence such as 'Iate1biscuit', pee easy to remember, and almost impossible to brute-force in a reasonable time.

 

[MIghtyG]

So you think I should change from 'password1'

The only easy way to have a complex password is to use a sentence such as 'Iate1biscuit', pee easy to remember, and almost impossible to brute-force in a reasonable time.

I use 1qaz2wsx 3edc, really easy to remember but the numbers and letters make it impossible to brute force....

 

[kav]

I use 1qaz2wsx 3edc, really easy to remember but the numbers and letters make it impossible to brute force....

*tries to log into AVF as MIghtyG*

 

[imightbewrong]

So how many of you have really great passwords and then keep them for years and use them for all and sundry no-reptuation web-sites as logins?

 

[GasDad]

So how many of you have really great passwords and then keep them for years and use them for all and sundry no-reptuation web-sites as logins?

I used to do that - then made a concious decision around 18 months ago not to.

 

[imightbewrong]

Here's why it's a bad idea

xkcd: Password Reuse

 

[Dancook]

How Secure Is My Password?

try this bad boy - might be an idea not to use actual passwords..

 

[Marc]

the company i last worked for introduced a complex password policy to improve security, which required users to change their password once every 45 days, and the password had to have 8 characters, and use three of upper case, lower case, numbers and symbols, and could not be any of your last 10 passwords, or contain more than 3 consecutive characters from your username

People complained it was too hard to remember their passwords and started writing them on post-it notes stuck to their monitors

 

[imightbewrong]

that's the classic outcome when enforced complexity is ramped up too much

I worked at one place where you had to regularly change your password, and it said 'Your password cannot be the same as any past or future passwords'

 

[IronGiant]

Username: admin
password: admin

Simples

 

[Marc]

that's the classic outcome when enforced complexity is ramped up too much

I worked at one place where you had to regularly change your password, and it said 'Your password cannot be the same as any past or future passwords'

lol, that sounds like a Linux message, there are some right doozies on that OS

yeah the complex password thing just crashed and burned but as an IT department it was something we had to do, just to say we'd done it more than anything else. If the users want to compromise their own security it's not on our heads.

Other people would just change the number at the end of their password each time it expired, and some even more cunning blighters would change their password 10 times so they could go back to the first one again! We stopped them though by preventing more than 1 password change per day (which then caused problems because it also counted if someone in IT reset someone's password for them to 123456 or something, they couldn't then change it to something secure till the next day )

Social engineering is still the way to go though, i just know i could phone up someone at that company and go "hi, i'm jeff in IT (people don't know our names) and i'm really sorry but i accidentally just changed your password instead of someone else's, could you tell me what you had it set to, and i'll quickly change it back so it doesn't cause your programs to disconnect from the network" and i'm pretty sure i'd get their password right then and there.