Creating strong passwords and keeping them secret.
Hey AO,
I read a post on another forum earlier about someone whose email password was compromised - we see them all the time. After a brief Google search, I didn't find any sites that suggested ways to create strong passwords and to keep them secret that I liked. I had been wanting to add a tips and tricks section to my site, and I had some spare time today. Give it a read and tell me what you think: http://jeremydeanonline.com/tips/tips.php
Please note that I don't expect to educate any members on this site - this is targeted at the general population of computer users.
In my opinion, http://www.passwordmeter.com/ isn't complete. It does a much better job than M$ but still doesn't seem to include anything about defense against wordlist attacks. For example, if you used the password "!@#$%^&*()" it has a score of 95. I think this is dead wrong, as any wordlist attack that has symbols included would have this contained within, as it is 1-0 holding shift on the keyboard. Not to say that the website isn't any good. Just that keyboard patterns are fairly commonly used, and can be weak.
When I'm breaking into websites I'll create a list of usernames, emails, and passwords I've gained, then I'll actually grind them to see if they use the same passwords for their email address.
It's not much use for defacements but let me tell you something... it's a goldmine! I have more access to things payment-wise than most botnets and the entire republic of Nigeria combined.
Last edited by The-Spec; December 21st, 2010 at 05:07 AM.
I typically use passphrases to create passwords. Which would work out like this for
the previous passphrase:
ituptcp
Then I add four digits from a phone number, and a symbol or two, varying the order in
ways I won't specify here, but it might look like this:
itu12ptcp34#
So all I need to remember is the passphrase, and how I order the add'l numbers and
symbols. It is a password and it can be broken. Eventually. The idea is to make it
more difficult.
“Everybody is ignorant, only on different subjects.” — Will Rogers
Originally Posted by The-Spec
When I'm breaking into websites I'll create a list of usernames, emails, and passwords I've gained, then I'll actually grind them to see if they use the same passwords for their email address.
It's not much use for defacements but let me tell you something... it's a goldmine! I have more access to things payment-wise than most botnets and the entire republic of Nigeria combined.
Teach us Spec! Teach us!
To be honest I am very bad with passwords.
And another thing.
You are a member of 10 forums, have 5 email accounts & your work domain logon etc.
HTF do you create a password as you are saying wiskic10_4 and remember everything? Surely you have to place it somewhere. Encrypt it maybe?
Last edited by Cider; December 21st, 2010 at 10:25 AM.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it. Albert Einstein
I use KeePass. It will generate strong passwords for you [or let you specify your own], and then stores them in an encrypted database. Very handy little program.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
I usually have ~20 character passwords, all different for different accounts. Maybe I have a really good memory or something, but it's not really a problem for me. My trick is to make them 'similar'. Meaning similar in the way I remember them. But then again some accounts I use just have weak passwords because I don't care about them and it's faster to log in.
Originally Posted by Cider
HTF do you create a password as you are saying wiskic10_4 and remember everything? Surely you have to place it somewhere. Encrypt it maybe?
Well, personally atm I have like 10 passwords that I use on a daily basis. 8 or 9 digits. They are all a twist on three or four different words. It's not that hard to remember. Just think of all the variations you could come up with using my method for three words. For example, "cornbread, mayonnaise and bakingsoda"
Write these down in some oddball txt file somewhere - I wouldn't bother encrypting them, but that's just me.
Sure, there are leet-speak dictionary files out there, but they're not the norm (afaik). The point of the page was to help common users create stronger passwords and warn them about common methods people use to steal them. We could sit around and "what if" all day.
Originally Posted by brokencrow
It is a password and it can be broken. Eventually. The idea is to make it more difficult.
Sure, there are leet-speak dictionary files out there, but they're not the norm (afaik). The point of the page was to help common users create stronger passwords and warn them about common methods people use to steal them. We could sit around and "what if" all day.
I don't think having a leet-speak word-list would be very effective, as there are many combinations of possible 'leet-speak words' for each real dictionary word. This would mean that a leet-speak dictionary would have to be huge. Especially with larger words, and even more so if you include letters that can be made with multiple symbols (ex: V = \/). You would end up with word lists that are hundreds of megs or even gigs that are for cracking leet-speak, which may not even be very commonly used in passwords.
So in my personal opinion, using leet-speak in a password is fairly secure. But I would still probably include more than just a single word in leet-speak. Like add 'padding' around the word or something.
Originally Posted by brokencrow
It is a password and it can be broken. Eventually. The idea is to make it more difficult.
It depends on what you mean by broken. If you're talking theoretically then yes, your statement is true. But when you enter the realm of practicality everything changes. Probability comes into play. As characters are added to the length, the probability becomes exponentially decayed. Personally, I wouldn't feel safe with an 8 or 9 character password, even if it contained special characters and/or spaces (this is all assuming the account we're dealing with is containing important data or at least has value). If you pad this 8 or 9 character password with 3 characters of 'unique pseudo-random data' (i.e. not just the symbols from left to right on the top of the keyboard) you go from ~4.6*10^15 to ~1.5*10^21 possibilities. That means it will take ~330000 times longer to crack using brute-force methods. I'd say padding is worth it.
Last edited by metguru; December 22nd, 2010 at 04:09 AM.
Reason: grammar
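As an added example (my own code, not from any poster in this thread), a small Python script that puts numbers on three points raised above: the keyboard-walk weakness noted against passwordmeter, how many spellings a leet-speak wordlist needs per word, and the keyspace gain from padding. The keyboard rows and the leet table are constructed, illustrative samples, not a real cracker's rule set.

```python
import math

# Constructed sample rows; a symbol-aware wordlist contains walks along these,
# including the shifted digit row "!@#$%^&*()" discussed in the thread.
KEYBOARD_ROWS = ["1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Illustrative leet substitutions (assumption: a small table, not exhaustive).
LEET = {"a": ["4", "@"], "e": ["3"], "i": ["1", "!"], "o": ["0"],
        "s": ["5", "$"], "t": ["7", "+"], "v": ["\\/"]}

def keyboard_walk_length(pw: str) -> int:
    """Longest substring of pw that runs along a keyboard row, in either direction."""
    low, best = pw.lower(), 0
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(low)):
                for j in range(i + best + 1, len(low) + 1):
                    if low[i:j] not in seq:
                        break          # a longer slice cannot match either
                    best = j - i
    return best

def leet_variant_count(word: str) -> int:
    """Spellings a leet wordlist needs for one word: each letter keeps itself
    plus every substitute, so the total is a product over the letters."""
    n = 1
    for ch in word.lower():
        n *= 1 + len(LEET.get(ch, []))
    return n

def charset_size(pw: str) -> int:
    """Alphabet a brute-force attacker must cover, inferred from the classes present."""
    size = 26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
    size += 10 * any(c.isdigit() for c in pw)
    size += 33 * any(not c.isalnum() for c in pw)  # printable ASCII punctuation + space
    return size

def keyspace(pw: str) -> int:
    return charset_size(pw) ** len(pw)

def padding_gain(pw: str, pad: str) -> float:
    """Factor by which exhaustive search grows when pad is appended (the 'padding' point)."""
    return keyspace(pw + pad) / keyspace(pw)

def assess(pw: str) -> dict:
    """Keyspace in bits, plus whether the whole password is one keyboard walk,
    which makes it a single wordlist entry however many symbols it contains."""
    walk = keyboard_walk_length(pw)
    return {"bits": round(math.log2(keyspace(pw)), 1), "walk": walk,
            "single_wordlist_entry": walk == len(pw)}

if __name__ == "__main__":
    for pw in ["!@#$%^&*()", "itu12ptcp34#", "p4$$w0rd"]:
        print(pw, assess(pw))
    print("leet spellings of 'password':", leet_variant_count("password"))
    print("gain from padding 'abcdefgh' with 'xyz':", padding_gain("abcdefgh", "xyz"))
```

Note that "!@#$%^&*()" scores about 50 bits by raw keyspace yet is flagged as a single wordlist entry, which is exactly the gap the thread points out in passwordmeter's score.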