
Thread: Creating strong passwords and keeping them secret.

  1. #1
    Senior Member wiskic10_4's Avatar
    Join Date
    Jan 2004
    Location
    Corpus Christi, TX
    Posts
    254

    Creating strong passwords and keeping them secret.

    Hey AO,

    I read a post on another forum earlier about someone whose email password was compromised - we see them all the time. After a brief Google search, I didn't find any sites that suggested ways to create strong passwords and to keep them secret that I liked. I had been wanting to add a tips and tricks section to my site, and I had some spare time today. Give it a read and tell me what you think: http://jeremydeanonline.com/tips/tips.php

    Please note that I don't expect to educate any members on this site - this is targeted at the general population of computer users.

    Thanks guys!
    My Corner of the Intarwebz: Jeremy Dean Online

  2. #2
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    In my opinion, http://www.passwordmeter.com/ isn't complete. It does a much better job than M$ but still doesn't seem to include anything about defense against wordlist attacks. For example, if you used the password "!@#$%^&*()" it has a score of 95. I think this is dead wrong, as any wordlist attack that has symbols included would have this contained within, as it is 1-0 holding shift on the keyboard. Not to say that the website isn't any good. Just that keyboard patterns are fairly commonly used, and can be weak.

  3. #3
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    I have seen some debates that a password like:

    "This is my passw0rd, and you will have a hard time cracking it!"

    is actually better than:

    "Qj$ndl(lsp*vf_12PgD"

    Any thoughts on that?
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  4. #4
    Banned
    Join Date
    Jan 2008
    Posts
    605
    When I'm breaking into websites I'll create a list of usernames, emails, and passwords I've gained, then I'll actually grind them to see if they use the same passwords for their email address.

    It's not much use for defacements but let me tell you something... it's a goldmine! I have more access to things payment-wise than most botnets and the entire republic of Nigeria combined.
    Last edited by The-Spec; December 21st, 2010 at 05:07 AM.

  5. #5
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    I typically use passphrases to create passwords. Which would work out like this for the previous passphrase:

    ituptcp

    Then I add four digits from a phone number, and a symbol or two, varying the order in ways I won't specify here, but it might look like this:

    itu12ptcp34#

    So all I need to remember is the passphrase, and how I order the add'l numbers and symbols. It is a password and it can be broken. Eventually. The idea is to make it more difficult.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  6. #6
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Quote Originally Posted by The-Spec View Post
    When I'm breaking into websites I'll create a list of usernames, emails, and passwords I've gained, then I'll actually grind them to see if they use the same passwords for their email address.

    It's not much use for defacements but let me tell you something... it's a goldmine! I have more access to things payment-wise than most botnets and the entire republic of Nigeria combined.
    Teach us Spec! Teach us!

    To be honest I am very bad with passwords.

    And another thing.

    You are a member of 10 forums, have 5 email accounts & your work domain logon etc.

    HTF do you create a password as you are saying wiskic10_4 and remember everything? Surely you have to place it somewhere. Encrypt it maybe?
    Last edited by Cider; December 21st, 2010 at 10:25 AM.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  7. #7
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    I use KeePass. It will generate strong passwords for you [or let you specify your own], and then stores them in an encrypted database. Very handy little program.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  8. #8
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    I usually have ~20 character passwords, all different for different accounts. Maybe I have a really good memory or something, but it's not really a problem for me. My trick is to make them 'similar'. Meaning similar in the way I remember them. But then again some accounts I use just have weak passwords because I don't care about them and it's faster to log in.

  9. #9
    Senior Member wiskic10_4's Avatar
    Join Date
    Jan 2004
    Location
    Corpus Christi, TX
    Posts
    254
    Quote Originally Posted by Cider
    HTF do you create a password as you are saying wiskic10_4 and remember everything? Surely you have to place it somewhere. Encrypt it maybe?
    Well, personally atm I have like 10 passwords that I use on a daily basis. 8 or 9 digits. They are all a twist on three or four different words. It's not that hard to remember. Just think of all the variations you could come up with using my method for three words. For example, "cornbread, mayonnaise and bakingsoda"

    Write these down in some oddball txt file somewhere - I wouldn't bother encrypting them, but that's just me.

    <0rnbr34d, k0rnbr3ad, c0rn8r34d, ...
    m4y0nn4153, maY0NnA1z3, m4y0nna!ze, ...
    b4k!ng50d4, 84k1ng50d4, BaKinG$0d4, ...

    Sure, there are leet-speek dictionary files out there, but they're not the norm (afaik). The point of the page was to help common users create stronger passwords and warn them about common methods people use to steal them. We could sit around and "what if" all day.

    Quote Originally Posted by brokencrow
    It is a password and it can be broken. Eventually. The idea is to make it more difficult.
    Precisely.
    My Corner of the Intarwebz: Jeremy Dean Online

  10. #10
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    Quote Originally Posted by wiskic10_4 View Post
    Sure, there are leet-speek dictionary files out there, but they're not the norm (afaik). The point of the page was to help common users create stronger passwords and warn them about common methods people use to steal them. We could sit around and "what if" all day.
    I don't think having a leet-speek word-list would be very effective, as there are many combinations of possible 'leet-speek words' for each real dictionary word. This would mean that a leet-speek dictionary would have to be huge. Especially with larger words, and even more so if you include letters that can be made with multiple symbols (ex: V = \/). You would end up with word lists that are hundreds of megs or even gigs that are for cracking leet-speek, which may not even be very commonly used in passwords.

    So in my personal opinion, using leet-speek in a password is fairly secure. But I would still probably include more than just a single word in leet-speek. Like add 'padding' around the word or something.

    Quote Originally Posted by brokencrow
    It is a password and it can be broken. Eventually. The idea is to make it more difficult.
    It depends on what you mean by broken. If you're talking theoretically then yes, your statement is true. But when you enter the realm of practicality everything changes. Probability comes into play. As characters are added to the length, the probability becomes exponentially decayed. Personally, I wouldn't feel safe with an 8 or 9 character password, even if it contained special characters and/or spaces (this is all assuming the account we're dealing with is containing important data or at least has value). If you pad this 8 or 9 character password with 3 characters of 'unique pseudo-random data' (ie: not just the symbols from left to right on the top of the keyboard) you go from ~4.6*10^15 to ~1.5*10^21 possibilities. That means it will take ~330000 times longer to crack using bruteforce methods. I'd say padding is worth it.
    Last edited by metguru; December 22nd, 2010 at 04:09 AM. Reason: grammar
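A small password checker that ties together the points raised in posts #2, #9 and #10 (keyboard-row patterns, leet-speek variants of dictionary words, and the keyspace gain from padding); this is an added example, not code from any poster or from passwordmeter.com. The word list and leet table are constructed and deliberately tiny, and the 69-symbol alphabet that gives post #10's ~330000 figure (69^3 = 328509) falls out of the lowercase + digits + symbols classes.

```python
import math
import string

# Constructed mini word list; a real check would load a full dictionary.
WORDS = {"cornbread", "mayonnaise", "bakingsoda", "password", "this", "will",
         "have", "hard", "time", "cracking"}

# Common leet substitutions, applied in reverse to recover the plain word.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                        "8": "b", "@": "a", "$": "s", "!": "i", "<": "c"})

# US keyboard rows; the shifted digit row is the "!@#$%^&*()" case from post #2.
ROWS = ["1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SYMBOLS = string.punctuation + " "          # 33 characters

def charset_size(pw):
    """Alphabet size a brute-forcer must assume, from the character classes used."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in SYMBOLS for c in pw): size += len(SYMBOLS)
    return size

def keyspace_bits(pw):
    """log2 of the brute-force keyspace; an upper bound, not the real strength."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def padding_gain(pw, extra):
    """How many times larger the keyspace gets after appending `extra` random chars."""
    return charset_size(pw) ** extra

def has_keyboard_run(pw, n=4):
    """True if any n consecutive characters walk along a keyboard row (either way)."""
    low = pw.lower()
    for row in ROWS + [r[::-1] for r in ROWS]:
        if any(row[i:i + n] in low for i in range(len(row) - n + 1)):
            return True
    return False

def leet_words(pw):
    """Dictionary words (4+ letters) that survive undoing leet substitutions."""
    plain = pw.lower().translate(UNLEET)
    return sorted(w for w in WORDS if len(w) >= 4 and w in plain)

def assess(pw):
    """Brute-force bits plus the pattern findings that a naive meter misses."""
    findings = []
    if has_keyboard_run(pw):
        findings.append("keyboard pattern")
    findings += [f"leet/dictionary word: {w}" for w in leet_words(pw)]
    return {"bits": round(keyspace_bits(pw), 1), "findings": findings}

if __name__ == "__main__":
    for pw in ["!@#$%^&*()", "<0rnbr34d", "itu12ptcp34#", "Qj$ndl(lsp*vf_12PgD"]:
        print(pw, assess(pw))
```

The passphrase from post #3 scores far more brute-force bits than the 19-character random string but also trips the dictionary check, which is the trade-off that thread is debating.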
