Bitcoin Forum

Other => Beginners & Help => Topic started by: youbob on June 20, 2014, 03:42:35 AM



Title: Remembering all of those passwords without sacrificing security
Post by: youbob on June 20, 2014, 03:42:35 AM
It's important to have a good password for your online accounts, to best combat and minimize hacker threats. A lot of online web servers use the best online security; for example, Hotmail is Microsoft's email hosting, and they use some of the best firewalls/encryption that can be offered, but yet I have personally seen some of my friends' accounts get hacked very easily, and the root of the security compromise is the lack of a good password.

According to this NBC News tech article: http://www.nbcnews.com/tech/security/8-character-passwords-just-got-lot-easier-crack-f1C7530242

"A password expert has shown that passwords can be cracked by brute force four times faster than was previously thought possible. ", "Jeremi Gosney of the Stricture Consulting Group shared the findings at the recent Passwords^12 conference in Norway, where researchers do nothing but focus on passwords and PIN numbers. What Gosney showed is that a computer cluster using 25 AMD Radeon graphics cards let it make 350 billion — that's right, billion — password attempts per second when trying to crack password hashes made by the algorithm Microsoft uses in Windows."

As the article continues to state this claim, "Eight characters "just isn't long enough for a password these days," Sophos Labs' Paul Ducklin told NBC News in an email. "Even before this latest 'improvement' in cracking, standalone GPU (graphics processing unit)-based servers could do the job on eight-character Windows passwords in under 24 hours." "

So you need to make your passwords longer than 8 characters. Passwords 23 characters long are nearly crack-proof because the massive amount of resources needed is not easily available. We are talking about needing some of the world's most powerful supercomputers to even begin to crack those long passwords.


Here are some tips shared from that article that can help better protect your online accounts, and I will also add in ways to better remember new passwords without sacrificing security.

1) Never use the same password on different accounts. This just makes sense, because we all have databases on our computers that will likely contain all of the accounts we ever signed up to. If that information were to fall into the wrong hands, all the hacker would have to do is know one password to get into them all. It's not just what's on your computer, but if a number of web servers get compromised with all of those different accounts linked to your IP address, the lazy hacker now has the same easy job of breaking in.

2) Use complex passwords. For example, "Guinness_ROCK@#!2014_01" (without quotes). Most websites will allow you to add in special symbols, and up to 23 characters. An example of one site that will let you do this is Google. In fact they will let you make a password that is 27 characters long.

3) If you do run into a site that doesn't let you use special characters, still try to make a password that is 23 characters long but use UPPER case, lower case letters, and a mix of numbers to still keep your account secure. For example, GUINnessROCKSatYR201401.
Personally, any site that doesn't allow you to use special characters may not be using the best method of security protection, so any online account I sign up for on that server is both not going to be hosting any important information, and will not be used as my primary.

If you want to test out a password you can use this site: https://howsecureismypassword.net/

It states that they don't steal people's passwords, but I wouldn't go off testing a password that I either currently use or am about to use fully. Always change it up.

Now for the main part of this thread. You might be asking yourself, how do I remember all of these long passwords?

The answer is very simple. Just change one thing in your password, and to a computer cracking program it's like you just made up a whole entire new password.
For example,

email #1
Guinness_ROCK@#!2014_01

email #2
Guinness_ROCK@#!2014_A2

email #3
Guinness_ROCK@#!2014_B3


Or just add in an extra character.

email #1
Guinness_ROCK@#!2014_01

email #2
Guinness_ROCK@#!2014_01A

email #3
Guinness_ROCK@#!2014_01A1

You can go up to the maximum numbers of characters allowed in the service register panel.

The thing is, you might think this may be increasing the risk of someone getting all of your so-called hard to break in online accounts, but you have to know that computers are very dumb. Adding characters or changing numbers increases the difficulty of your password being cracked.


I hope this thread was helpful to someone. donate if you want.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Shogen on June 20, 2014, 03:48:33 AM
You could also use Lastpass, 1Password and even better the open-source Keepass. :)


Title: Re: Remembering all of those passwords without sacrificing security
Post by: ranochigo on June 20, 2014, 04:49:13 AM
Theoretically, one cannot bruteforce most of those email services since they have bruteforce protections. Also, they offer two-factor authentication, which actually provides more security than just using a strong password. Most hackers actually use viruses to hack accounts instead of exploiting weak passwords.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: shogdite on June 20, 2014, 06:42:06 AM
http://keepass.info/

Keepass is your friend  :D


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Icardi09 on June 20, 2014, 09:36:46 AM
I use lastpass to generate a secure password (more than 15 characters) and save it there for online accounts

http://keepass.info/

Keepass is your friend  :D
So this is a password manager for Windows.
I think I must store my passwords there instead of writing them in Notepad like I do now.
Too bad they don't accept bitcoin for donating options ;D


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Harley997 on June 21, 2014, 05:18:47 AM
The only way that one could brute force a web-based account is if the attacker had the hash of the password, and in order to obtain that they would need to compromise the site.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: weex on June 21, 2014, 07:03:18 AM
One issue with modifying a long base password like Guinness_ROCK@#!2014_01 is if you ever get keylogged, that password may be used as a base to guess other passwords. Many password cracking algos make extensive use of their dictionaries by transforming each character various ways. Using completely random passwords for each service is better -> Keepass.
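
The risk weex describes can be checked against your own password list. The following is an added example, not part of the original thread: it measures the edit distance between the opening post's three passwords and bounds how many candidates lie within that distance of a leaked one. The 95-character alphabet and the function names are assumptions; the 350 billion guesses per second rate is the figure quoted from the NBC article.

```python
import math
from itertools import combinations

# Passwords exactly as written in the opening post: one base, small per-site edits.
THREAD_PASSWORDS = {
    "email #1": "Guinness_ROCK@#!2014_01",
    "email #2": "Guinness_ROCK@#!2014_A2",
    "email #3": "Guinness_ROCK@#!2014_B3",
}

ALPHABET = 95               # assumption: printable ASCII characters
GUESSES_PER_SECOND = 350e9  # rate quoted in the thread for Windows password hashes


def levenshtein(a, b):
    """Edit distance: fewest single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]


def candidates_within(length, max_edits, alphabet=ALPHABET):
    """Upper bound on strings reachable from a known string in <= max_edits edits.

    One edit of an n-character string is a substitution (n * (alphabet - 1)),
    an insertion ((n + 1) * alphabet) or a deletion (n), which adds up to
    2 * n * alphabet + alphabet choices. Edit sequences are counted, so
    duplicates make this an over-estimate, never an under-estimate.
    """
    total, paths = 1, 1
    for step in range(max_edits):
        n = length + step  # the string may have grown by one character per edit
        paths *= 2 * n * alphabet + alphabet
        total += paths
    return total


def audit(passwords, max_distance=3):
    """Flag every pair of passwords that are within max_distance edits of each other."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(passwords.items(), 2):
        distance = levenshtein(pw_a, pw_b)
        if distance > max_distance:
            continue
        longest = max(len(pw_a), len(pw_b))
        guesses = candidates_within(longest, distance)
        findings.append({
            "pair": (site_a, site_b),
            "distance": distance,
            # Work left for someone who already holds one password of the pair.
            "bits_after_leak": math.log2(guesses),
            # What a uniformly random string of the same length would be worth.
            "bits_if_random": longest * math.log2(ALPHABET),
            "seconds_after_leak": guesses / GUESSES_PER_SECOND,
        })
    return findings


if __name__ == "__main__":
    for f in audit(THREAD_PASSWORDS):
        print("{0} vs {1}: distance {2}, {3:.1f} bits left after a leak "
              "(random string of that length: {4:.1f} bits), {5:.6f} s".format(
                  f["pair"][0], f["pair"][1], f["distance"],
                  f["bits_after_leak"], f["bits_if_random"],
                  f["seconds_after_leak"]))
```

Run it over your own list with passwords read from a local file; any flagged pair means one leaked password leaves only a small neighbourhood to search for the other.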


Title: Re: Remembering all of those passwords without sacrificing security
Post by: DubFX on June 21, 2014, 07:06:20 AM
http://keepass.info/

Keepass is your friend  :D
Thank you, going to look into that it seems promising :)


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Harley997 on June 21, 2014, 05:07:37 PM
http://keepass.info/

Keepass is your friend  :D
Thank you, going to look into that it seems promising :)

This type of service is much better than making each password different with only minor differences.

The only issue is that you would have a central point of failure.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Velkro on June 21, 2014, 07:39:45 PM
Good password is strong and easy to remember.
It's a whole science, making passwords.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Chemistry1988 on June 22, 2014, 03:51:05 AM
+1 for keepass.
It is free, user-friendly, open source, and you can make random strong passwords with it. :)


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Borisz on June 22, 2014, 07:30:46 PM
keepass +1

Strong password for your wallets too


Title: Re: Remembering all of those passwords without sacrificing security
Post by: InwardContour on June 22, 2014, 08:20:16 PM
+1 for keepass.
It is free, user-friendly, open source, and you can make random strong passwords with it. :)

If you lose your credentials to your keepass then you will lose your credentials to everything. If your keepass file somehow gets corrupted or otherwise inaccessible then you will lose access to everything.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: ranochigo on June 23, 2014, 04:24:32 AM
+1 for keepass.
It is free, user-friendly, open source, and you can make random strong passwords with it. :)

If you lose your credentials to your keepass then you will lose your credentials to everything. If your keepass file somehow gets corrupted or otherwise inaccessible then you will lose access to everything.

You can always write all your passwords down on a piece of paper and place it somewhere which is secure.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: validium on June 23, 2014, 04:52:19 AM
http://keepass.info/

Keepass is your friend  :D

Another alternative is passwordsafe https://www.schneier.com/passsafe.html

Made by the creator of the Twofish encryption algorithm. Been using it for the last year and it doesn't look like I'm going to stop anytime.

+1 for keepass.
It is free, user-friendly, open source, and you can make random strong passwords with it. :)

If you lose your credentials to your keepass then you will lose your credentials to everything. If your keepass file somehow gets corrupted or otherwise inaccessible then you will lose access to everything.

You can always write all your passwords down on a piece of paper and place it somewhere which is secure.

That's why it's always good to back up the database from time to time on a cloud like MEGA


Title: Re: Remembering all of those passwords without sacrificing security
Post by: bassclef on June 23, 2014, 05:23:42 AM
Best way:

Use Diceware (http://world.std.com/~reinhold/diceware.html) to create a strong master password consisting of 6 or more random words. Keep a written copy in a safe place until it's memorized, then destroy it. Remember to keep your computer unplugged from the internet while you do this, and don't say the numbers or corresponding words out loud while rolling the dice.

Download Keepass on your devices (ports available for Windows, Linux, Android and iOS). Unlike other password managers, Keepass is fully open source.

Use your Diceware password as your master Keepass password. Use it to generate long random passwords for everything you do online.

Keep multiple copies of your Keepass database file backed up. Using a cloud service for this is a no-brainer as the database file is useless unless someone knows your master password.

When you need a password simply open Keepass, type in your master password to unlock the database and copy/paste. Keepass has lots of neat features like 2-channel auto-type obfuscation to thwart keyloggers, clipboard auto-clear, and database auto-lock after a specified amount of time. There are dozens of options to customize it to your security comfort level.

Enjoy the extra sleep you get from having unbreakable passwords :)
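
The Diceware step in the post above, as an added example that is not part of the original post: it converts physical dice rolls into word-list positions, rejects malformed rolls, and computes the strength of an N-word passphrase. The placeholder word list is constructed for the demonstration (substitute the real 7776-word Diceware list, assumed to be in dice-number order 11111 through 66666), and all function names are assumptions.

```python
import math

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries, one per possible five-dice roll


def build_placeholder_wordlist():
    """Constructed stand-in for the real list: 7776 unique dummy entries."""
    return ["word{:04d}".format(n) for n in range(LIST_SIZE)]


def rolls_to_index(rolls):
    """Map one group of five dice (e.g. '16655') to a 0-based list position.

    The dice are read as a base-6 number with digits 1-6, so '11111' is the
    first entry and '66666' the last.
    """
    if len(rolls) != DICE_PER_WORD or any(c not in "123456" for c in rolls):
        raise ValueError("expected {} digits in 1-6, got {!r}".format(DICE_PER_WORD, rolls))
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def passphrase_from_rolls(groups, wordlist, min_words=6):
    """Build the passphrase from dice groups rolled by hand, away from the network."""
    if len(wordlist) != LIST_SIZE or len(set(wordlist)) != LIST_SIZE:
        # A short or duplicated list silently lowers the entropy per word.
        raise ValueError("word list must hold {} unique entries".format(LIST_SIZE))
    if len(groups) < min_words:
        raise ValueError("the post recommends 6 or more words")
    return " ".join(wordlist[rolls_to_index(g)] for g in groups)


def entropy_bits(n_words):
    """Each word is one of 7776 equally likely choices: about 12.9 bits per word."""
    return n_words * math.log2(LIST_SIZE)


def years_to_exhaust(n_words, guesses_per_second=350e9):
    """Time to try every passphrase at the rate the thread quotes for Windows hashes.

    Assumption: a fast hash. A password manager that stretches the master
    password with a slow key-derivation step lowers the guess rate further.
    """
    seconds = LIST_SIZE ** n_words / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample rolls; real ones come from physical dice.
    sample = ["16655", "43146", "22614", "51265", "34231", "61452"]
    print(passphrase_from_rolls(sample, build_placeholder_wordlist()))
    for n in (4, 5, 6, 7):
        print(n, "words:", round(entropy_bits(n), 1), "bits,",
              "{:.3g}".format(years_to_exhaust(n)), "years to exhaust")
```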


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Reav3R on June 23, 2014, 06:34:46 AM
I suggest cutting them to parts then encrypting them using a reversible algorithm (like base64) and memorizing the order of segments.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Kprawn on June 23, 2014, 07:06:00 AM
Bruteforce uses a dictionary of words. So use a password with no words. example {#.#--#.#}_GLLo--->>69 {Mixture of Uppercase and lower case and symbols and numbers}

But as a previous poster said, if you get keylogged, NO password is strong enough. Or if your webcam is not covered, and your keystrokes streamed, via cam and logged, hmmm well you f$%^.

So cover those cams guys and girls.  ;D


Title: Re: Remembering all of those passwords without sacrificing security
Post by: DoubleU on June 23, 2014, 07:30:11 AM
Bruteforce uses a dictionary of words. So use a password with no words. example {#.#--#.#}_GLLo--->>69 {Mixture of Uppercase and lower case and symbols and numbers}

But as a previous poster said, if you get keylogged, NO password is strong enough. Or if your webcam is not covered, and your keystrokes streamed, via cam and logged, hmmm well you f$%^.

So cover those cams guys and girls.  ;D

I'm curious about keylogging. What happens if you use a password manager? Like, does it just give hackers "CMD+V or CTRL+V"? Auto form filling?

My password generator is currently set for 23 characters. How long until somebody comes up with something to break that?

-W



Title: Re: Remembering all of those passwords without sacrificing security
Post by: ranochigo on June 23, 2014, 07:42:52 AM
Bruteforce uses a dictionary of words. So use a password with no words. example {#.#--#.#}_GLLo--->>69 {Mixture of Uppercase and lower case and symbols and numbers}

But as a previous poster said, if you get keylogged, NO password is strong enough. Or if your webcam is not covered, and your keystrokes streamed, via cam and logged, hmmm well you f$%^.

So cover those cams guys and girls.  ;D

I'm curious about keylogging. What happens if you use a password manager? Like, does it just give hackers "CMD+V or CTRL+V"? Auto form filling?

My password generator is currently set for 23 characters. How long until somebody comes up with something to break that?

-W


It can be possible for hackers to steal your passwords by infecting your computer. Some keyloggers can reveal your clipboard history. Your password should be secure enough for a long time, an even longer time if you include nonstandard characters like (#?$&!). Your password should not be a common word which most people can think of.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Bernard Lerring on June 23, 2014, 08:11:21 AM
I've been a Lastpass user for nearly 3 years now. It costs me about $12/year but that's nothing to have peace of mind over my banking and shopping passwords.

I also use a YubiKey for multi factor authentication if I'm away from my own computer. That'll set you back another £25 but it's a neat little gadget.

I'm not saying don't use Keepass, or another free alternative. Just saying LastPass is really good too.



Title: Re: Re: Remembering all of those passwords without sacrificing security
Post by: Bernard Lerring on June 23, 2014, 08:21:02 AM
LastPass also lets you backup all of your passwords into a csv file on your computer, should anything happen to the Web server.

I make a backup about once a month and store the csv into a password protected rar file, using a Sha256 hash as the password, then shredding the original csv file.

In the unlikely event that someone gets a copy of my rar csv backup good luck to them trying to brute force a sha256 password.



Title: Re: Remembering all of those passwords without sacrificing security
Post by: Harley997 on June 26, 2014, 03:25:20 AM
Bruteforce uses a dictionary of words. So use a password with no words. example {#.#--#.#}_GLLo--->>69 {Mixture of Uppercase and lower case and symbols and numbers}

But as a previous poster said, if you get keylogged, NO password is strong enough. Or if your webcam is not covered, and your keystrokes streamed, via cam and logged, hmmm well you f$%^.

So cover those cams guys and girls.  ;D

I'm curious about keylogging. What happens if you use a password manager? Like, does it just give hackers "CMD+V or CTRL+V"? Auto form filling?

My password generator is currently set for 23 characters. How long until somebody comes up with something to break that?

-W
In theory an attacker could see what is in your clipboard at that moment in time, and your previous clipboards would likely remain accessible for some amount of time (until the memory is overwritten).

If an attacker is able to install a keylogger then they would likely be able to get your encrypted file containing all of your passwords, so the attacker could simply keylog your password to decrypt your password, then use that to get all of your other passwords.


Title: Re: Re: Remembering all of those passwords without sacrificing security
Post by: Bernard Lerring on June 26, 2014, 08:18:29 AM
It's a good idea to get into the habit of refilling your clipboard with a random word from a Web page straight after you've pasted any secure info.

Just double click on "and" or "the" and copy it to overwrite whatever's in the clipboard.

I searched both windows and ubuntu clipboard functionality a while ago and as far as I know they only store the last entry you use, IIRC.



Title: Re: Remembering all of those passwords without sacrificing security
Post by: Squidoogeek on June 26, 2014, 06:14:06 PM
This is why I like the idea of requiring a fingerprint for everything. Theoretically, it should be harder to steal somebody's thumb than to hack most people's passwords, simply because you might steal their money but they might give you a fight if you demand their thumb too. Even so, it might still be a good idea to use 2FA for everything, but at least if you use fingerprints, you won't have to worry about remembering a password.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: VeroPossumus on June 27, 2014, 03:24:58 AM
I use lastpass and have no complaints..
You can also try oldschool style, just get a notebook  :P


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Cicero2.0 on June 27, 2014, 03:40:59 AM
I actually use a bitcoin address for the really important stuff. It is written down in a paper in my home office. It is kind of a pain to type it each time but I don't log into my banking and credit card stuff very often anyway.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Harley997 on June 30, 2014, 01:45:43 AM
This is why I like the idea of requiring a fingerprint for everything. Theoretically, it should be harder to steal somebody's thumb than to hack most people's passwords, simply because you might steal their money but they might give you a fight if you demand their thumb too. Even so, it might still be a good idea to use 2FA for everything, but at least if you use fingerprints, you won't have to worry about remembering a password.
A fingerprint password is really nothing more than a picture of your finger.

Also, since most people touch a lot of things every day, it would not be difficult to simply lift someone's fingerprint after they touch something. If someone were to get hold of your fingerprints like this then you would have no way of changing your password. When someone figures out your password you can simply change your password.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Nagato4 on June 30, 2014, 02:41:20 AM
+1 for keepass.
It is free, user-friendly, open source, and you can make random strong passwords with it. :)

If you lose your credentials to your keepass then you will lose your credentials to everything. If your keepass file somehow gets corrupted or otherwise inaccessible then you will lose access to everything.

You can always write all your passwords down on a piece of paper and place it somewhere which is secure.

That's why it's always good to back up the database from time to time on a cloud like MEGA

Exactly.
You should always backup all your important files (bitcoin wallet, password lists in keepass, etc) as your computer can fail at any second.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: InwardContour on June 30, 2014, 02:52:26 AM
+1 for keepass.
It is free, user-friendly, open source, and you can make random strong passwords with it. :)

If you lose your credentials to your keepass then you will lose your credentials to everything. If your keepass file somehow gets corrupted or otherwise inaccessible then you will lose access to everything.

You can always write all your passwords down on a piece of paper and place it somewhere which is secure.

That's why it's always good to back up the database from time to time on a cloud like MEGA

Exactly.
You should always backup all your important files (bitcoin wallet, password lists in keepass, etc) as your computer can fail at any second.
Many people look to cloud storage for this. IMO this is a horrible idea as your cloud storage account could get hacked at any time and/or the NSA/government could be snooping around in your private information.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Nagato4 on June 30, 2014, 03:02:28 AM
Many people look to cloud storage for this. IMO this is a horrible idea as your cloud storage account could get hacked at any time and/or the NSA/government could be snooping around in your private information.


You should really first encrypt the files (use 7zip for example) before putting it on cloud storage.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: InwardContour on June 30, 2014, 03:53:04 AM
Many people look to cloud storage for this. IMO this is a horrible idea as your cloud storage account could get hacked at any time and/or the NSA/government could be snooping around in your private information.


You should really first encrypt the files (use 7zip for example) before putting it on cloud storage.
You have a couple of issues with this.

1 -If the key to decrypt the file is held on your computer then in the event that your computer crashes (all data lost) then you would lose your file.

2 -If all you need is a password to decrypt the file (similar to a brain wallet) then all an attacker would need would be the password instead of the private key. The attacker could simply brute force the password instead of brute forcing the private key to decrypt the file.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Nagato4 on June 30, 2014, 04:36:29 AM
1 -If the key to decrypt the file is held on your computer then in the event that your computer crashes (all data lost) then you would lose your file.

2 -If all you need is a password to decrypt the file (similar to a brain wallet) then all an attacker would need would be the password instead of the private key. The attacker could simply brute force the password instead of brute forcing the private key to decrypt the file.

True and true.
And so the password I use to encrypt is a very long password (20+ characters, with special characters) that only I know and I am pretty sure I won't forget it ever (as it has some special meaning to me but just random characters to others).


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Argwai96 on June 30, 2014, 04:39:53 AM
Cloud storage without encryption is asking for trouble. I prefer to keep my important documents/files closer to home, but if needed, encryption/decryption is as easy as using PGP. :)


Title: Re: Remembering all of those passwords without sacrificing security
Post by: validium on June 30, 2014, 07:35:48 AM
Cloud storage without encryption is asking for trouble. I prefer to keep my important documents/files closer to home, but if needed, encryption/decryption is as easy as using PGP. :)

That's why a service like MEGA is a good option for safe encrypted cloud storage but for extra security you can put your files in a truecrypt container before you upload them.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: InwardContour on July 01, 2014, 03:12:08 AM
1 -If the key to decrypt the file is held on your computer then in the event that your computer crashes (all data lost) then you would lose your file.

2 -If all you need is a password to decrypt the file (similar to a brain wallet) then all an attacker would need would be the password instead of the private key. The attacker could simply brute force the password instead of brute forcing the private key to decrypt the file.

True and true.
And so the password I use to encrypt is a very long password (20+ characters, with special characters) that only I know and I am pretty sure I won't forget it ever (as it has some special meaning to me but just random characters to others).
If your passwords were valuable enough then an attacker could invent/buy an ASIC type device that is designed for brute forcing passwords with your type of encryption


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Zebra on July 01, 2014, 03:56:40 PM
1 -If the key to decrypt the file is held on your computer then in the event that your computer crashes (all data lost) then you would lose your file.

2 -If all you need is a password to decrypt the file (similar to a brain wallet) then all an attacker would need would be the password instead of the private key. The attacker could simply brute force the password instead of brute forcing the private key to decrypt the file.

True and true.
And so the password I use to encrypt is a very long password (20+ characters, with special characters) that only I know and I am pretty sure I won't forget it ever (as it has some special meaning to me but just random characters to others).
If your passwords were valuable enough then an attacker could invent/buy an ASIC type device that is designed for brute forcing passwords with your type of encryption

You could use truecrypt and employ AES-Twofish-Serpent then.
Of course it is still possible to crack all the three algorithms or simply brute-force your long password, but it is highly unlikely IMO.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: InwardContour on July 03, 2014, 05:30:18 AM
1 -If the key to decrypt the file is held on your computer then in the event that your computer crashes (all data lost) then you would lose your file.

2 -If all you need is a password to decrypt the file (similar to a brain wallet) then all an attacker would need would be the password instead of the private key. The attacker could simply brute force the password instead of brute forcing the private key to decrypt the file.

True and true.
And so the password I use to encrypt is a very long password (20+ characters, with special characters) that only I know and I am pretty sure I won't forget it ever (as it has some special meaning to me but just random characters to others).
If your passwords were valuable enough then an attacker could invent/buy an ASIC type device that is designed for brute forcing passwords with your type of encryption

You could use truecrypt and employ AES-Twofish-Serpent then.
Of course it is still possible to crack all the three algorithms or simply brute-force your long password, but it is highly unlikely IMO.
I would say the trick would be to try to hide the type of encryption being used.


Title: Re: Remembering all of those passwords without sacrificing security
Post by: Harley997 on July 04, 2014, 07:57:14 AM
Cloud storage without encryption is asking for trouble. I prefer to keep my important documents/files closer to home, but if needed, encryption/decryption is as easy as using PGP. :)

That's why a service like MEGA is a good option for safe encrypted cloud storage but for extra security you can put your files in a truecrypt container before you upload them.
Using multiple encryption types, that is encrypting an encrypted file can sometimes lead to the inability to decrypt the originally encrypted file as encryption can sometimes make small changes to a file that would normally be unnoticeable but can be the difference between not being able to decrypt and being able to decrypt a file.   


Title: Re: Remembering all of those passwords without sacrificing security
Post by: BigMac on July 04, 2014, 08:41:56 AM
Cloud storage without encryption is asking for trouble. I prefer to keep my important documents/files closer to home, but if needed, encryption/decryption is as easy as using PGP. :)
That's why a service like MEGA is a good option for safe encrypted cloud storage but for extra security you can put your files in a truecrypt container before you upload them.
Using multiple encryption types, that is encrypting an encrypted file can sometimes lead to the inability to decrypt the originally encrypted file as encryption can sometimes make small changes to a file that would normally be unnoticeable but can be the difference between not being able to decrypt and being able to decrypt a file.   

Is that a real risk? I mean, I have read lots of people suggesting to use multiple encryption (like 7zip + truecrypt).


Title: Re: Re: Remembering all of those passwords without sacrificing security
Post by: Bernard Lerring on July 04, 2014, 08:47:10 AM
Proper encryption should be lossless, or else what's the point of it if it can't be accurately decrypted. So, in effect, the file should restore exactly as it was before encryption. I've not heard of any danger of doubly encrypting a file.


Title: Re: Re: Remembering all of those passwords without sacrificing security
Post by: BigMac on July 04, 2014, 08:52:31 AM
Proper encryption should be lossless, or else what's the point of it if it can't be accurately decrypted. So, in effect, the file should restore exactly as it was before encryption. I've not heard of any danger of doubly encrypting a file.

I see. Thanks a lot for your quick clarification. :)


Title: Re: Re: Re: Remembering all of those passwords without sacrificing security
Post by: Bernard Lerring on July 04, 2014, 10:48:58 AM
I wouldn't take my word for it: I'm not an expert. It just seems unlikely to me.

If you encrypt a file multiple times then as long as you use the correct password and software for each decryption layer you should end up with a copy of the original, unencrypted file.

Otherwise, what's the point?



Title: Re: Remembering all of those passwords without sacrificing security
Post by: Harley997 on July 04, 2014, 11:01:53 PM
Cloud storage without encryption is asking for trouble. I prefer to keep my important documents/files closer to home, but if needed, encryption/decryption is as easy as using PGP. :)
That's why a service like MEGA is a good option for safe encrypted cloud storage but for extra security you can put your files in a truecrypt container before you upload them.
Using multiple encryption types, that is encrypting an encrypted file can sometimes lead to the inability to decrypt the originally encrypted file as encryption can sometimes make small changes to a file that would normally be unnoticeable but can be the difference between not being able to decrypt and being able to decrypt a file.   

Is that a real risk? I mean, I have read lots of people suggesting to use multiple encryption (like 7zip + truecrypt).
The chances are much smaller and it doesn't really happen very much anymore with modern encryption technology but it is still possible.