Strong Passwords? (And time to reset YOURS too)

[OmniscientQ]

I wrote them down as the series of numbers shown on the dice. They were tough at first, of course, but repetition made the most commonly-used ones easier. It wasn't too cumbersome.

KeePass is much easier to use, though now I don't know what my passwords are at all.

[Mattlov]

Hell, I stayed logged in so long I don't even remember the password I had for the old forums...

[Liam's Ghost]

In case folks aren't taking the security risk seriously, just today the email account of one of the board members has started spitting out emails that spit out malware.

Without the member's knowledge or consent I might add.

CHANGE YOUR DAMN PASSWORDS!

[monbvol]

In case folks aren't taking the security risk seriously, just today the email account of one of the board members has started spitting out emails that spit out malware.

Without the member's knowledge or consent I might add.

CHANGE YOUR DAMN PASSWORDS!

The screwed up part is as the former holder of that e-mail account I feel the need to add a few details.  First of all the password on that e-mail was not the same as my old forums password.  Second I did get a bit lax since the entire reason I created that e-mail was as a throw away junk account anyway and therefore no real loss on my part.

So even if you do have a variety of passwords change them every now and again.

[SLDF_Spector]

The screwed up part is as the former holder of that e-mail account I feel the need to add a few details.  First of all the password on that e-mail was not the same as my old forums password.  Second I did get a bit lax since the entire reason I created that e-mail was as a throw away junk account anyway and therefore no real loss on my part.

So even if you do have a variety of passwords change them every now and again.

This is a good reason to use lastpass and the audit feature.

[garhkal]

The screwed up part is as the former holder of that e-mail account I feel the need to add a few details.  First of all the password on that e-mail was not the same as my old forums password.  Second I did get a bit lax since the entire reason I created that e-mail was as a throw away junk account anyway and therefore no real loss on my part.

So even if you do have a variety of passwords change them every now and again.

One of the guys i work with had his account hacked twice in 3 years...  He now changes his password(s) every 3 months.

[monbvol]

One of the guys i work with had his account hacked twice in 3 years...  He now changes his password(s) every 3 months.

Which I'm actually pretty good about doing with my accounts that I actually care about.

[garhkal]

I am somewhat lax, but then again, i am also lucky in none of mine have been hacked yet.

[Kamata Bodhisattva]

I suppose I can understand the need for the stronger passwords, but I hate having it foisted on me.  In particularly I despise the mixing of letters and numbers.  It reminds me of the hated 733t53@k!  I can type a massively long passphrase that is just as strong as a mixed number and letter password, but noooo...  for some reason people have to tell me how my own passwords have to be structured.  Annoyance galore.

[Sid]

I suppose I can understand the need for the stronger passwords, but I hate having it foisted on me.  In particularly I despise the mixing of letters and numbers.  It reminds me of the hated 733t53@k!  I can type a massively long passphrase that is just as strong as a mixed number and letter password, but noooo...  for some reason people have to tell me how my own passwords have to be structured.  Annoyance galore.

Disclaimer:  I'm not trying to tell you how you must structure your passwords.  Just explain how it works.

A long string of random letters will not be as strong as an equally strong mix of letters, numbers, and special characters.

Consider trying to crack a passcode of two characters, of which only 0s and 1s may be used.  Possible combinations will be 2² (or 4 total combinations) and they are:

00
01
10
11

Making the password three characters long will give us 2³ combinations, or 8 total, which are:

000
001
010
011
100
101
110
111

Now if we were to try the same with 0-9... well, even just two character long passwords would have 10² combinations, or 100- I won't list them all here (It would be 00 - 99 ;) ).  That's 25 times as many combinations as before.  Likewise, making a password 3 characters long would be 10³, or 1,000 different possible combinations (000-999), which is 125 times more difficult.  Note that while adding a third character to the password in the first case only doubled the amount of possibilities (from 4 to 8 ), when you're using a base set of 10 different characters, going from 2 to 3 multiplies it by the base number of characters- 10.

Adding a single number, or better yet, adding a single number and a special character (such as @,$, or #) will change the number of possible combinations a password cracker has to try to guess a password correctly from millions  to quintillions or even more.  In other words, instead of taking a couple hours to crack a password, it takes weeks or even months.

In the end, using a mix of lower and upper base characters is far more simpler than using lower and upper case letters with numbers and special characters.  Adding just numbers isn't as strong as adding just upper case letters, sure, but it still makes it significantly more difficult for a cracker to guess the password.

 

[garhkal]

I suppose I can understand the need for the stronger passwords, but I hate having it foisted on me.  In particularly I despise the mixing of letters and numbers.  It reminds me of the hated 733t53@k!  I can type a massively long passphrase that is just as strong as a mixed number and letter password, but noooo...  for some reason people have to tell me how my own passwords have to be structured.  Annoyance galore.

As someone who works in the IT field, i can say that just making your P.word just a bunch of words (that are in the dictionary) makes it a lot easier to crack than one with a mix of letters and numbers...

Up....  Sid said it better than i could.

[BirdofPrey]

The reason most people come up with weak passwords is that they can't remember the good ones, so here's a tip:  Bake memory cues into the password.
The best passwords are a mix of upper and loser case with numbers and symbols mixed in, but I remember words, so remembering gibberish or randomly capitalized letters is tough for me, so I chose a word, append a multi digit number to the end and then use the numbers as a capitalization guide.  Since the hint is part of the password they have to guess the password to get the hint, so it's not as bad as leaving a sticky note attached to your monitor (but none of you do that right?)

[Neko_Bijin]

I've already forgotten my forum password.  How do I get it emailed to myself so I can change it?

[CrossfirePilot]

In the unlikely event that people use the exact same passwords for their emails, facebook/twitter/social net accounts, bank accounts, and stuff like that.

and luggage!

[garhkal]

so it's not as bad as leaving a sticky note attached to your monitor (but none of you do that right?)

Our last command security manager got BUSTED by the co for doing just that...

[Xtrahmxwohld]

so it's not as bad as leaving a sticky note attached to your monitor (but none of you do that right?)

our users don't do that, they have a sticky note on the bottom of their keyboard.

When users resort to that, then you can't tell me that forced password changes every X months is more secure than 1 strong password that doesn't expire.

[garhkal]

Na.. i just log in using it, and leave a nasty gram for them....

[JamesPryde]

It's just a shame that we have to go through all this at all. This is a place of fun and interaction too bad some are just bad apples out there messing it up. It's a minor nucance for me since I need over 27 different passwords for work anyway. :'(

[GRUD]

Several years ago (7 or 8?) I read in some PC magazine about a way to foil keylogging programs. You open a notepad (or WordPad) file, then type every character on your keyboard. Then, you cut & paste each character to form your password. Thus, while the keylogging program may have logged that you typed EVERY character, when you cut & paste, it can't "see" you doing that!


I started a Notepad file way back when I read about it, and while I do re-use some of my passwords among different sites, I feel safe about doing it, since I've NEVER actually typed the passwords out. On the rare occasions I've had to use a public computer (like at the library), I'll do the same thing. Open a notepad file, type all the keys, then cut & paste my password.


That being said, since I've only got ONE password that consists of UC letters, LC letters, numbers and special characters, I'm thinking I might do that for the others.  #P 


What Fun that will be.  :P


Those of you with other characters on your keyboard can probably make your PWs even more complicated. Basically, I mean you folks that can type other languages in addition to English. For instance, "Øystein", from Norway, can type certain characters I can't. I only got his "Ø" like that because I cut & pasted it from his profile.  ;D From my keyboard, it would look like this "O". Anyway, here's how I typed my characters.

1234567890!@#$%^&*()-_=+[{]}\|;:'",<.>/?`~
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz

[Greyhind]

I would be very surprised if key-logging came close to outright hacking in terms of password stealing. I can't see many people having the guts for that sort of thing.

That said I have been known to type my password in chunks, using my cursor to select where the next character will go. This is both paranoid and not going to work - go me.