Is your Bitcointalk password strong enough?

[NavI_027]

Okay, I get bothered right now because I can't believe that my password is very close on the verge of getting hacking. I thought that setting long series of numbers alone is enough to be considered strong because that's what I used to know especially when i use the same pw format when playing online games. They told me it was "strong" after I sign up. My whole life is a lie . Thanks for the info OP, it's better to change my pw now than to be sorry.

Ps: Done changing, keep safe guys .

[1713547751]

1713547751

[1713547751]

1713547751

[pooya87]

the times in this picture depend a lot on how the passwords are stored in the database and what the hacker has access to. passwords aren't stored as plaintext, instead the hash of them is stored. and depending on the method used it could be trivially easy or extremely hard to brute force it.
for example both of the following are the hash of a very simple password "123"

Code:

a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3
74b2eb3b47120a4af6acb7d0a9af9e299a68233939fbd9d856a4d22598560601

while the first one is ridiculously easy to break because it is a single SHA256 hash of the password but the second one (although still easy due to shortness of the password) is a lot harder to break because it is using a strong KDF called scrypt with a strong salt.
the later is what any good website does to make it more expensive for an attacker to be able to brute force things even if they got access to their database somehow.

[tranthidung]

for example both of the following are the hash of a very simple password "123"

Code:

a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3
74b2eb3b47120a4af6acb7d0a9af9e299a68233939fbd9d856a4d22598560601

while the first one is ridiculously easy to break because it is a single SHA256 hash of the password but the second one (although still easy due to shortness of the password) is a lot harder to break because it is using a strong KDF called scrypt with a strong salt.
the later is what any good website does to make it more expensive for an attacker to be able to brute force things even if they got access to their database somehow.

Amazing thing I have not yet known and only began to learn today. Thank you.

Regarding to good websites, it is appropriate to choose big platforms to use and I can believe in their security structures and operations. It is the side of companies people choose to use, nevertheless. To secure account, it requires carefulness and efforts from both related sides: companies and users.

Users must do some things from their sides:

• Strong passwords (for accounts)
• Strong passwords (for emails)
• 2FA (for accounts) *
• 2FA (for emails) *
• Do neither disclose email address nor 2FA secret code/ phone numbers (sim swap attacks) nor which platforms they use
• Even attackers find their email fIf curious (but should not never click on), simply hovering the mouse on links to see full links (for non-shortened links).

* Avoid SMS code: because unexpected problems with receiving code or sim swap attacks.

[Little Mouse]

Although I use mostly or same passwords on here and other sites, I believe my password is strong enough accoding to your above info graph. I have everything included in my password.
What I suggest is changing password frequently. I change my exchange password more frequently than other sites though.

[tranthidung]

What I suggest is changing password frequently. I change my exchange password more frequently than other sites though.

It depends on how you change your password. Some people think frequently change passwords will be good for their accounts but such will become awful if they create some sort of repeated templates for their passwords:

• LM@bitcointalk@2020Agust
• LM@bitcointalk@2020September
• LM@bitcointalk@2020October
• LM@bitcointalk@2020November
• LM@bitcointalk@2020December

Let's assume that guy changes his/ her password each month but they are terrible changes. I would not say you doing like that, just take your phrase and expand it further to illustrate for newbies and help them to avoid such mistakes.

Personally, if the companies I use their services don't force me to change my passwords each 3 or 6 months, I would not change my passwords.

[notblox1]

It depends on how you change your password. Some people think frequently change passwords will be good for their accounts but such will become awful if they create some sort of repeated templates for their passwords:

• LM@bitcointalk@2020Agust
• LM@bitcointalk@2020September
• LM@bitcointalk@2020October
• LM@bitcointalk@2020November
• LM@bitcointalk@2020December

Let's assume that guy changes his/ her password each month but they are terrible changes. I would not say you doing like that, just take your phrase and expand it further to illustrate for newbies and help them to avoid such mistakes.

Personally, if the companies I use their services don't force me to change my passwords each 3 or 6 months, I would not change my passwords.

Have you ever saw any list with leaked passwords? I have, and it is very funny and sad in the same time.
They use something like 12345qwerty, and I saw only a few randomly generated passwords using special characters.
Here are some real life password examples from list I saw (not including emails here):

Code:

23232323
50cent
xxxxyyyy
llllllll8
america
moonmoon11111
1223334444
12345600
....

Nobody should use something like this!

[Pffrt]

So, my password is strong enough to not be bruteforced at least till I'm alive  I used to use a significant number of characters in my password but that force me to reset my password once in a quarter on average.

Personally, if the companies I use their services don't force me to change my passwords each 3 or 6 months, I would not change my passwords.

I think 6 months is too long to change a password. You should be more frequently if it's related to financial activities.

[Lucius]

Although I use mostly or same passwords on here and other sites, I believe my password is strong enough accoding to your above info graph. I have everything included in my password.

Maybe your password is strong enough that it cannot be cracked with brute force, but if you use the same password for all services/accounts then in case someone comes into possession of your password you compromise everything that password protects. One account - unique strong password - unique email and nothing less than that.

[acroman08]

Although I use mostly or same passwords on here and other sites, I believe my password is strong enough accoding to your above info graph. I have everything included in my password.

Maybe your password is strong enough that it cannot be cracked with brute force, but if you use the same password for all services/accounts then in case someone comes into possession of your password you compromise everything that password protects. One account - unique strong password - unique email and nothing less than that.

I do the same as Little Mouse but I tend to mix the upper/lower case, numbers and letters of that same password for every site I deemed important, but if I'm registering on a site that I won't be using regularly I usually just use the password I am most familiar with. I also used unique email for every site that is important and a dummy email I use for those who are not.

[DdmrDdmr]

What could be interesting, at least I find it so, is to have the option to see some sort of information relative to login attempts from your account. I don’t mean receiving an email at every failed attempt (an exploit for trolls), but rather more something similar to when we see the IP connections from our account made over the last 30 days (https://bitcointalk.org/myips.php).

It would be something similar to the IP valid connections, but with invalid attempts. That would enable us to see if someone is trying to hack the account at some point (or make troll attempts).

[Twentyonepaylots]

I had an account here before and it got hacked in last bitcointalk hack, I was naive back then and had used very simple 4 worded password ('easy to remember').

Password should be more personal or better it's you and only you who knows about that thing. Now I upgraded myself giving passwords to my account, if it is allowed to put special characters I'm doing it, that will going to give you a strong passwords not just an alphanumeric. But this is not the era of guessing passwords, it is a new era of new methods of hacking, passwords is just an open padlock.

[Welsh]

Password should be more personal or better it's you and only you who knows about that thing. Now I upgraded myself giving passwords to my account, if it is allowed to put special characters I'm doing it, that will going to give you a strong passwords not just an alphanumeric. But this is not the era of guessing passwords, it is a new era of new methods of hacking, passwords is just an open padlock.

Exactly the reason why I would personally recommend against the idea of using personal identifiable passwords. If you're including something in your password that you personally like in your life for example, that could potentially be a weakness in itself. Its much more recommended to use a password that is as randomly generated as possible, since the human mind isn't exactly great at creating true randomness.

[tranthidung]

What could be interesting, at least I find it so, is to have the option to see some sort of information relative to login attempts from your account. I don’t mean receiving an email at every failed attempt (an exploit for trolls), but rather more something similar to when we see the IP connections from our account made over the last 30 days (https://bitcointalk.org/myips.php).

The myips page is only helpful if user does not always log in account with Tor. With Tor, different exit nodes for all log in attempts. But if the user does not click on New identity option for the forum website, their log in IPs will have a template that can still be discovered.

Because of the ultimate goal to have privacy by using Tor browser, people will click on New identity so that the myips page will be unmeaningful to filter strange log-in IPs.

There are two ways to get A new circuit ^[1,2]

Are there anything incorrect from my understandings? If yes, please correct it. Thanks.

[1] https://support.torproject.org/tbb/tbb-29/
[2] https://tb-manual.torproject.org/managing-identities/

This option is useful if you want to prevent your subsequent browser activity from being linkable to what you were doing before.

Selecting it will close all your tabs and windows, clear all private information such as cookies and browsing history, and use new Tor circuits for all connections.

Tor Browser will warn you that all activity and downloads will be stopped, so take this into account before clicking "New Identity".

[actmyname]

Just remember how many swipes across the keyboard...

One... QWERTYUIOP
Two... ASDFGHJKL
Three... MNBVCXZ

Don't forget the password requirements.

1!a

Secure as a vault

[DdmrDdmr]

<…>

The idea I has in mind cares less for the IP precision, and more for the testimonial fact that, at some point in time, someone tried to access my account with credentials that failed to log in. If I could see a log that showed me the invalid login attempts on my account, I would have an indicator as to whether the account was being attempted to hack.

Say you saw the failed attempts over the last 30 days, and the list had 150 entries in that period of time, possibly in bursts. That could be an indicator of it being an attempt to hack my account, and therefore I could be on alert once knowing that fact. Of course, it could be a troll exploiting this feature (were it to be in place), just to mess with people’s minds, but still.

[Latviand]

I will never used a random word that generated by that app. It will be very convenient to memorized or save it to a notepad for forum account purposes only. I typically using the standard password which minimum 10 characters with at least 1 number, capital letter and symbol. It will took too much time for a hacker to brute force that type password and no one will ever attempt to put some effort on hacking an active forum account. This strong password are suggested to those that has been offline for a long period of time because they are the common target of hackers.

But this password generator was very useful for exchange account password. I will definitely used it to mine. Thank you!

Security should be one of our priority when making an account and it is not that hard to make a strong one.

I also used 10 characters because I'm confident and comfortable with that and I made a password that is easy to remember for myself.

I'm always active so it is less likely for a hacker to invade my account and privacy. This thread can really enlighten someone with the risks of getting hacked to prevent themselves to become a victim. Using this password generator is somehow effective and safe but as soon as possible, take care of your account.

I already tried it and I'm satisfied and confident.

[Lucius]

I believe that most people still take seriously how important it is not to set a simple password, which some unfortunately do to make it easier to remember. Of course, there are those who want to hack someone's account out of pure malice, but this is only possible if the owner allows it - not only with a simple password, but also with some social engineering, which is usually done via e-mail.

Therefore, it is not wise to show your e-mail publicly as some members do because you are only enabling a new vector of attack. Strong password with at least 10+ letters/numbers and special characters + unique e-mail is quite enough for you to sleep peacefully. Of course, provided that you do not install a RAT or keylogger on the computer - then all of the above becomes meaningless.

[ShowOff]

I believe that most people still take seriously how important it is not to set a simple password, which some unfortunately do to make it easier to remember. Of course, there are those who want to hack someone's account out of pure malice, but this is only possible if the owner allows it - not only with a simple password, but also with some social engineering, which is usually done via e-mail.

Therefore, it is not wise to show your e-mail publicly as some members do because you are only enabling a new vector of attack. Strong password with at least 10+ letters/numbers and special characters + unique e-mail is quite enough for you to sleep peacefully. Of course, provided that you do not install a RAT or keylogger on the computer - then all of the above becomes meaningless.

You must be right, setting a simple password is an easy option to remember but vulnerable to being hacked easily by other. I think that so far most user have figured out how to secure their account by using strong password and signed message with bitcoin address. If the user has signed the message here, I think they have secured their account well even if someone hacked it.

Apart from hiding email in profile, I think user should also be careful with phishing site that are widely circulating on Google and the media. Many case of hack occur because phishing site are linked in message or email. Avoiding phishing site might be easy if we ignore message that have link both in email and on bitcointalk account.

[lovesmayfamilis]

All the above methods are certainly good, but you probably should take into account that no matter how complex the password is, it still needs to be stored somewhere. If we do not have correct and reliable storage, then all methods become not serious methods.
I found Steve Gibson's method of creating an easy-to-remember password interesting. By creating such a password, we can also secure ourselves that this password can be stored in our memory.

https://www.grc.com/haystack.htm

[Sanitough]

I believe I have used a good combination of password that is hard to hack, if there's 2fa the better but I guess signing a message using your bitcoin wallet is more than enough in case the password is hack, at least it's hard to compromise our wallet if the hacker does not have the key.

As a member, I'm open for new changes in the forum if that would make an account more secure, hopefully that hack incident before would not happen again as it would not only affect our accounts but the forum reputation's as well.