Bitcoin Forum
Author Topic: 7 simple rules to mitigate most threats related to passwords  (Read 4902 times)
BinaryMage
Hero Member
Activity: 560
Merit: 500
June 21, 2011, 12:32:37 AM
 #21

Quote:
Does anyone use PasswordMaker?

https://addons.mozilla.org/en-us/firefox/addon/passwordmaker/

I'm thinking of using this system.

I don't know anything about that, but I use and recommend LastPass. It is essentially the same type of thing as PasswordMaker, but works on all major browsers, has mobile apps, and is generally very secure.

-- BinaryMage -- | OTC | PGP
holgero
Newbie
Activity: 21
Merit: 0
June 22, 2011, 06:44:36 PM
 #22

Quote:
One way to construct a somewhat easily remembered long password is to think of a song, poem or somesuch, which you could remember in your sleep, and then apply some algorithm on the words.

As an example, pick the first three letters of each word from the first line of Paranoid:

Finished with my woman 'cause she couldn't help me with my mind

Then pick some characters to delimit the letters and maybe start or end the password. Make up some rule by which you make some of the letters uppercase. For example:

3Fin.wIt.my.Wom.'Ca.she.Cou.hEl.me.Wit.mY.min%

That's 46 characters fairly easily remembered. Half of that would be enough, and in fact 3 letters may be a bit much since I ended up with a couple of dictionary words in there.

(You want the brute-force search space be large: use 1 or more characters from each group: uppercase, lowercase, numbers, symbols.)

Here is a much simpler way to create easy to remember (not only somewhat easily remembered) and secure passwords: Use a complete sentence as your password! If it has more than four words, it is secure enough, and if you make it a bit obscure, nobody can guess it. So instead of
3Fin.wIt.my.Wom.'Ca.she.Cou.hEl.me.Wit.mY.min%
just use
Finished with your wife, although she helped my cat.

And BTW, forget about these special characters and such. The blanks that separate the words suffice. Special characters only make your password more complex and harder to remember. If you are concerned about the security, just choose a sentence that is a word longer.

Why? Because nothing beats length! (an increase in length adds to the exponent of the complexity, one more special character only adds to the mantissa).

In other words: Just make words the atoms of your "password" and you win twofold:
1. It is easier to recall a (near)-sensible sentence than a single word (or the trace your cat left when it walked over your keyboard).
2. It is much more secure, because it is harder to crack (both by a dictionary attack and by simple brute force).

Here is the downside: It will take you longer to enter your password...

MikesMechanix
Member
Activity: 70
Merit: 10
June 22, 2011, 11:54:11 PM
Last edit: June 23, 2011, 01:11:58 AM by MikesMechanix
 #23

Quote:
Here is a much simpler way to create easy to remember (not only somewhat easily remembered) and secure passwords: Use a complete sentence as your password! If it has more than four words, it is secure enough, and if you make it a bit obscure, nobody can guess it. So instead of

Dictionary words are always a bad idea, even though you are correct that length does always make a password stronger.

Quote:
And BTW, forget about these special characters and such.

Don't.

There's a huge difference between having to brute force through 65^n and 95^n. Though you don't really need that many. The passwords that I need to type often look like bab+ef+qeo+feo+F9!. It's still pretty fast to type. Most of my passwords are KeePass generated, though...

Please send your extra Bitcoins to 17miTorGDBUh3yNTYJtodJPw9wzrcNcf6y. Thank you!

Sign up on TradeHill Instant Bitcoin Exchange using this link to get a lifetime 10 % discount on trades!
TiagoTiago
Hero Member
Activity: 616
Merit: 500
June 23, 2011, 12:13:20 AM
 #24

I use Password Maker; it's way easier to remember a few settings than to remember hundreds of secure passwords, and I don't have to worry about someone finding my passwords stored anywhere (well, except in the databases of insecure sites).

(I don't always get new reply notifications, pls send a PM when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX :)

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
myrkul
Hero Member
Activity: 532
Merit: 500
June 23, 2011, 12:30:48 AM
 #25

I second LastPass.

Strong encryption of the password database (which even they cannot break), automatic syncing to all my computers, auto-filling of passwords and forms, and everything is encrypted on my computer, then sent.

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
dserrano5
Legendary
Activity: 1974
Merit: 1029
June 23, 2011, 01:06:21 AM
 #26

As I read all these password posts and don't happen to read any advice remotely near to the system I use, I only get more and more astonished. I just can't believe no one does this. Well, let me share what I do—may not be the best of the world but it works for me.

All* of my passwords are derived from the corresponding login and a couple of rules. Example:

  • Take a reasonable string like vU4p!,a'fZx*
  • Change its first character into the last in the login
  • Change its fourth character into the second in the login
  • Change its seventh character into the length of the login (or its last digit if the length is greater than 9)
So, if the login is "an0therlr3", the password would be 3U4n!,0'fZx*.

It takes a little practice, but it pays off. The initial string could be based on a real sentence (as already suggested on this thread) for easy remembering. You can have more than one of these rules, of course. It's important not to change the last characters in the initial string, since some sites have an absurd limit of e.g. 8 characters, and the modifications wouldn't be taken into account.

This even allows you to have the passwords written in a text file, stored unencrypted in the computer. Example:

Code:
Site, Login, Ruleset
my windows account, joesmith, 3
bitcoin forum, an0therlr3, 2
facebook, foobar@example.com, 2

A given attacker would have to break (by brute force) at least two passwords built with the same ruleset to be able to easily break a third.



* Excluding the typical bank PIN and the likes, which are severely crippled.
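The three rules from the post above, written out as code so they can be checked against the post's own example. This is an added example, not dserrano5's code; the base string and the rules come from the post, while the ruleset numbering in the post's text file is never spelled out, so a single ruleset stands in for it here.

```python
# Added example, not from the thread: dserrano5's login-derived password rules
# written out as code so they can be checked against the example in the post.
from typing import Callable, Sequence, Tuple

Rule = Tuple[int, Callable[[str], str]]  # (1-based position in BASE, what goes there)

BASE = "vU4p!,a'fZx*"  # the "reasonable string" from the post

# The three rules stated in the post. The "Ruleset 2"/"3" numbers in the post's
# text file are never spelled out, so this single ruleset stands in for them.
RULESET: Sequence[Rule] = (
    (1, lambda login: login[-1]),            # first char  <- last char of the login
    (4, lambda login: login[1]),             # fourth char <- second char of the login
    (7, lambda login: str(len(login))[-1]),  # seventh     <- length, or its last digit if > 9
)

def derive(login: str, rules: Sequence[Rule] = RULESET, base: str = BASE) -> str:
    """Apply each (position, selector) rule to a copy of the base string."""
    if len(login) < 2:
        raise ValueError("login needs at least two characters")
    chars = list(base)
    for pos, pick in rules:
        if not 1 <= pos <= len(base):
            raise ValueError(f"rule position {pos} lies outside the base string")
        chars[pos - 1] = pick(login)
    return "".join(chars)

def fits_truncation(limit: int, rules: Sequence[Rule] = RULESET) -> bool:
    """The post warns that some sites keep only the first `limit` characters.
    Every substituted position must fall inside that window, otherwise the
    stored password no longer depends on the login at all."""
    return all(pos <= limit for pos, _ in rules)

if __name__ == "__main__":
    print(derive("an0therlr3"))  # 3U4n!,0'fZx*  (the post's own example)
    print(derive("joesmith"))    # hU4o!,8'fZx*
    print(fits_truncation(8))    # True: positions 1, 4 and 7 all lie within 8
```

As the post itself notes, two cracked passwords built with one ruleset are enough to expose the rule, so the secrecy of the base string is what carries the scheme.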
nathanrees19
Full Member
Activity: 196
Merit: 100
June 26, 2011, 07:12:18 AM
 #27

Quote:
Using Sha512 instead of MD5 will change nothing.

What you mean is that it will not change enough.

Each hash will still take ten times longer, and remove a layer of script kiddies who can't be bothered finding cracking tools that support SHA-512.
nathanrees19
Full Member
Activity: 196
Merit: 100
June 26, 2011, 07:19:06 AM
 #28

Quote:
Dictionary words are always a bad idea, even though you are correct that length does always make a password stronger.

Not necessarily. Four obscure words joined together may be beyond the length of what many popular cracking tools support, and of relatively high strength. Assuming each word is only found in 100k+ dictionaries, there are 100000000000000000000 possibilities.

If such passwords are not strong enough, you really need to reconsider how much of your life should be tied to computers.
foo
Sr. Member
Activity: 409
Merit: 250
June 27, 2011, 02:24:01 PM
 #29

Quote:
2. If you can remember your password, it is probably weak.
This actually isn't true, though one might think so. See new research by Steve Gibson: https://www.grc.com/haystack.htm

Quote:
"research"? That is more like a very weak and naive claim. Old man seems to be getting way behind the curve.

With all due respect to Steve Gibson and his cute idea of easy to remember passwords, I am going to have to disagree with him on this. He claims that 'D0g.....................' is a stronger password than 'PrXyc.N(n4k77#L!eVdAfp9'. He should know better.

It might be the case when stupid brute force is employed, but these days attackers use much much more effective ways to reduce the key space than simply iterating over all permutations, as Steve seems to believe. These include permutations of dictionary words with common replacements of letters by numbers with various uppercase/lowercase scenarios in combination with sets of same symbols repeating as well as other methods of reducing keyspace by emulating various patterns people use to create passwords they can remember. These techniques often reduce keyspace by many orders of magnitude.

Read the page again. The point is not that everyone should use passwords that are a dictionary word followed by the same character repeated X times; the point is that entropy is overrated, and a longer and memorable password is stronger than a shorter and impossible-to-remember one.

I know this because Tyler knows this.
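The search-space arithmetic behind this exchange, as an added example that is not from any poster: the "haystack" count under which the padded password looks strong, the word-count model nathanrees19 used for 100000^4, and a pattern-aware estimate of the kind Vladimir describes. The dictionary size, the 64 case/leet variants per word and the 32-character maximum pad are assumed round figures, not measurements.

```python
# Added example, not from any post in this thread: the search-space arithmetic
# behind the padding debate, expressed in bits (log2 of the guesses needed).
import math
import string

# Character classes as a naive brute-forcer would count them: 26+26+10+32 = 94
# (the thread's "95" also counts the space).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def naive_bits(pw: str) -> float:
    """'Haystack' model: the attacker tries every string of this length over
    the classes that appear in the password. This is the count under which
    a short word padded with dots looks stronger than a random string."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    if " " in pw:
        alphabet += 1
    return len(pw) * math.log2(alphabet)

def passphrase_bits(words: int, dictionary: int) -> float:
    """Word-count model (nathanrees19's 100000^4): the attacker knows the word
    list and the number of words, so each word adds log2(dictionary) bits."""
    return words * math.log2(dictionary)

def padded_word_bits(dictionary: int = 100_000, variants: int = 64,
                     pad_alphabet: int = 95, max_pad: int = 32) -> float:
    """Pattern-aware model for 'one dictionary word + one repeated character':
    guess the word, one of ~64 case/leet variants (D0g for dog), the pad
    character and the pad length. The four constants are assumed round
    figures, not measurements."""
    return math.log2(dictionary * variants * pad_alphabet * max_pad)

def compare(padded: str, random_pw: str) -> dict:
    """Bits for both passwords under the two attacker models."""
    return {
        "padded/naive": naive_bits(padded),
        "padded/pattern-aware": padded_word_bits(),
        "random/either": naive_bits(random_pw),  # no pattern to exploit
    }

if __name__ == "__main__":
    # Constructed inputs in the shape of the two passwords quoted above.
    for name, bits in compare("D0g" + "." * 21, "PrXyc.N(n4k77#L!eVdAfp9").items():
        print(f"{name:22} {bits:6.1f} bits")
    print(f"4 words from a 100k dictionary: {passphrase_bits(4, 100_000):.1f} bits")
```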
foo
Sr. Member
Activity: 409
Merit: 250
June 27, 2011, 02:28:26 PM
 #30

Quote:
This actually isn't true, though one might think so. See new research by Steve Gibson: https://www.grc.com/haystack.htm
Quote:
This page contains a serious flaw. It may well be true that padding increases the strength of your password, but if an attacker cracks one of your passwords, he will know what padding to use for your other passwords.
That's true, if a password is cracked, and a human examines it. But if your password is something like 15 characters, it will take centuries to crack, so it won't be your problem if anyone ever succeeds. :)

I know this because Tyler knows this.
Vladimir (OP)
Hero Member
Activity: 812
Merit: 1001
June 27, 2011, 02:47:10 PM
 #31

Quote:
This actually isn't true, though one might think so. See new research by Steve Gibson: https://www.grc.com/haystack.htm
This page contains a serious flaw. It may well be true that padding increases the strength of your password, but if an attacker cracks one of your passwords, he will know what padding to use for your other passwords.
That's true, if a password is cracked, and a human examines it. But if your password is something like 15 characters, it will take centuries to crack, so it won't be your problem if anyone ever succeeds. :)

For me it is all simple. I have two types of passwords. Those which I do want to remember and others (for which it is task of my computer to remember and store securely).

For those passwords which I want to remember I am fine with using Steve's padding approach or something else.

For the rest of them there is not a single good reason whatsoever to make them any less random or shorter than they can possibly be. Too bad some idiotic websites unreasonably limit maximum password length and alphabet. I'd be happy to have all such passwords 1000 symbols long. I quite often encounter systems which limit password length to 10 or even 8 characters!!! Particularly some banks are guilty of this (idiots!).
ErgoOne
Full Member
Activity: 126
Merit: 100
June 27, 2011, 04:33:44 PM
 #32

Quote:
I don't know anything about that, but I use and recommend LastPass. It is essentially the same type of thing as PasswordMaker, but works on all major browsers, has mobile apps, and is generally very secure.

In early May of this year, LastPass announced that it believed that its user database had been compromised, very much like Mt. Gox recently. Here's a link to a story in a respected technical news source, TechWorld:

http://www.techworld.com.au/article/385447/lastpass_hack_fear_leads_password_reset/

I work as a technical writer for a Fortune 1000 firm in the U.S., in a product area that provides security software for use by banks and other institutions that deal with financial and other highly sensitive (usually legally protected) information. I would NEVER use or recommend a cloud-based product to protect passwords to any account that is linked with a bank account that I own or a credit card that I am responsible for. LastPass is a great idea for managing all of those accounts you have to sign up for to get access to news sites or other fun stuff, but not for the accounts that actually matter.

For accounts that matter (your bank accounts, accounts on your credit card site, PayPal, Dwolla, investment firm accounts, accounts with a currency or stock exchange, accounts with your utility company, etc.), you need something local and secure. I recommend keeping those passwords stored in a text file encrypted with GPG or in some other form that uses a strong encryption method. I also recommend backing the encrypted file up on a USB dongle or (even better) a CD that you replace every time you add a password. Finally, use a product that wipes (rather than just deleting) files on the computer that you use to encrypt and decrypt this file, and wipe the swap file every time you access that file. Another option is to use a product that encrypts your hard disk or swap file, or both, such as TrueCrypt or my favorite, Jetico BestCrypt.

I'm not entirely immune to hackers or a password-stealing trojan; nobody is. But if you do what I suggested, your chances of surviving a hacker or virus intent on stealing valuable information are much improved.

