Passwords need not be a pain


Post by les »

It appears yet again poor passwords have let private details become unleashed.

A simple tip makes passwords far more secure.
No, not replacing 1 with i or 3 with e or even o with 0.
The hackers know this.
But password (very commonly used)
is not as secure as passpass.
Why? Well, Password is in most dictionaries but passpass is not.

So using small different words makes for easily remembered secure passwords.
Imagine a simple dictionary has 1000 words: using 2 words means you have a million passwords, 3 a billion, 4 a trillion.

Another tip is to use a number plate as this is a random set of alphanumeric characters, the older the better, and more than one, one all shifted the others not.




                     
                     
Lord Les
Be careful what you wish for!

Growing OLD Is Inevitable,
But Growing UP... Is Optional
OR
Why do I have to stop being a KID now I can afford it.







                                
                                                                                                                                                   

Post by pjh776 »

Beware of those "tips".

les wrote:
But password (very commonly used)
Is not as secure as passpass

One isn't more secure than the other: they are both terribly insecure. That "dictionary" argument is misleading. Current bruteforce methods consider not only "dictionary words" but "variations on dictionary words" as well. And "passpass" is simply "2 times the word pass".

les wrote:
another tip is to use a number plate as this is a random set of alphanumeric characters

This is a terrible idea. A number plate is very, very far from "random".

The only way to create a good password is to ensure it has high entropy. How much entropy? Depends on the kinds of attackers and attacks you are willing to defend yourself from.

For those willing to learn more about the issues with those tips, and how to properly create a secure password:
- http://xkcd.com/936/
- http://xkcd.com/792/
- http://security.stackexchange.com/quest ... passphrase
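
An added example, not part of any post in this thread: the entropy pjh776 refers to, worked out for both of les's tips. It assumes the plate has the letter-letter-letter-digit-digit-digit-letter shape of ghe957p, that every character or word is drawn uniformly at random, and it uses a constructed eight-word list only to exercise the generator.

```python
import math
import secrets

# Mask alphabet for this example (an assumption, not a standard):
# L = one of 26 letters, D = one of 10 digits, A = any of 36 lower-case alphanumerics.
CLASS_SIZES = {"L": 26, "D": 10, "A": 36}

# Constructed sample list; a real list needs thousands of words.
SAMPLE_WORDS = ["anchor", "biscuit", "copper", "dune", "ember", "fjord", "garnet", "harbor"]


def mask_entropy_bits(mask):
    """Entropy in bits of a string drawn uniformly at random from a fixed mask."""
    return sum(math.log2(CLASS_SIZES[c]) for c in mask)


def passphrase_entropy_bits(wordlist_size, words):
    """Entropy in bits when every word is picked independently and uniformly."""
    return words * math.log2(wordlist_size)


def generate_passphrase(wordlist, words):
    """Pick words with the OS CSPRNG; words chosen by a person do not earn these bits."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would overstate the entropy")
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def report():
    """Return (label, bits) rows for the cases discussed in the thread."""
    plate = mask_entropy_bits("LLLDDDL")
    return [
        ("plate-shaped, LLLDDDL", plate),
        ("same plate, shifted or not (+1 bit)", plate + 1),
        ("7 random alphanumerics", mask_entropy_bits("AAAAAAA")),
        ("2 words from 1000", passphrase_entropy_bits(1000, 2)),
        ("4 words from 1000", passphrase_entropy_bits(1000, 4)),
    ]


if __name__ == "__main__":
    for label, bits in report():
        print(f"{label:38s} {bits:5.1f} bits  ({2 ** bits:.3g} candidates)")
    print("sample:", generate_passphrase(SAMPLE_WORDS, 4))
```

These figures are upper bounds: they hold only when the selection is genuinely random, and any structure beyond the mask lowers them.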

Post by Venus »

I have to agree with pjh776. Les, your tips aren't that good, sorry!

Here is an animated GIF which beautifully explains what's important regarding passwords:

Image

Post by les »

My master password is 21 characters, upper case, lower case, numbers and symbols, based on number plates from the past 40 years.

Explain why ghe957p is not random. And can be entered as GHE(%&P.

My recommendations are not perfect but they are better than the majority of the attempts by the average joe.

In the main I use LastPass to generate and enter passwords for me.
Anything critical is never entered on a public computer.
My surname never is.

The most dangerous thing is to use the same simple password for your email as the sites where that email is a login detail.

If you want security use a typewriter not a computer and destroy the ribbons daily.
Write on a pad with a sheet of plastic to prevent impressions passing through to the underlying sheet/s.
Never use a telephone and only talk to one another under a running power shower.

There are various levels of security; my comments were a simple way to lift out of the worse than useless.

If somebody is after cracking your password they do not start with a full on brute force attack.

They start with common known passwords, then obscure, then dictionary, then maybe brute force using a computer with high end graphics cards as they are fastest.
                     

Post by DoxysTurtle »

les wrote:
My master password is 21 characters upper case lower case numbers and symbols based on numberplates from the past 40 years.

This is considered insecure, as someone out to target you will most likely try to use any and all personal information they have/can obtain, as many use personal information, as it's easier to remember, in their passwords. If you want to talk about generating secure passwords, using your personal information in them is at the bottom of the list.

While some of what you say is accurate, plenty of it is all incorrect. The problem with teaching people the step above the most simplistic is they'll often go about implementing it in an incorrect way.

les wrote:
Explain why ghe957p is not random. And can be entered as GHE(%&P.

I can't explain why it's not random, given I don't know how it was generated. Assuming you generated it just by typing what you perceived to be randomly, with enough of you typing "randomly" patterns emerge, whether you notice or mean them to or not. Randomness is measured by entropy and someone just aimlessly hitting a keyboard has been shown to not have nearly the entropy levels we all would assume it would.

The entering of your surname on a public computer means very little in the grand scheme of things. Assumptions about passwords/critical data aside, a surname in and of itself on a public computer does not equal any large risk, especially with certain surnames, like Nguyen in Vietnam.

les wrote:
The most dangerous thing is to use the same simple password for your email as the sites where that email is a login detail.

This is almost correct. The actual issue isn't anything to do with your email. It's the reuse of passwords/patterned passwords across multiple entities. The issue with this is simple: data breaches occur. Someone either capturing an unsecured wifi signal and your password passed in plaintext by a site, or a website being infiltrated and password dumps recovered, the end is the same. The attacker gains a password. Now say they gained my Milovana password and it was XXXXXXXmilo, then they might assume I reused the password and my Facebook password was XXXXXXXface and so on. Reused passwords are a security risk, as one compromised login leads to more and more of them compromised.

les wrote:
If you want security use a typewriter not a computer and destroy the ribbons daily.
Write on a pad with a sheet of plastic to prevent impressions passing through to the underlying sheet/s.
Never use a telephone and only talk to one another under a running power shower.
There are various levels of security my comments were a simple way to lift out of the worse than useless.

This is nonsense. It's not only impractical, but I can show the security of an airgapped encrypted machine pretty easily in mathematical terms and computing time required to decrypt. Your suggestions offer little security in and of themselves, mostly simply inconvenience.

les wrote:
If somebody is after cracking your password they do not start with a full on brute force attack. They start with common known passwords then obscure then dictionary then maybe brute force using a computer with high end graphics cards as they are fastest.

This is entirely situational. If I were to be cracking a dump of an encrypted file for passwords, or an offline backup, brute force and letting it run might well be my first go-to. It's fairly quick if done all locally on a machine, and there's no risk of lockouts, and with the average person's password 10 characters or less, and those being standard ASCII, it'd not take too long. Much faster than me programming in specific information about someone.

Post by les »

For the normal domestic user, how likely are their passwords cracked as opposed to a Web site hacked and their passwords harvested, in which case nothing is safe?
                     
                     

Post by les »

In the UK credit, debit, and ATM cards are chip and pin.

If 3 attempts are made that are incorrect the card is retained and/or the transaction cancelled.

The same thing happens with my mobile phone.

Why O why can't something be done so that a brute force attack will fail for the same sort of reason?
                     
                     
                     
Post by DoxysTurtle »

les wrote:
In the UK credit, debit, and atm cards are chip and pin.

If 3 attempts are made that are incorrect the card is retained and/or the transaction cancelled. The same thing happens with my mobile phone. Why O why can't something be done so that a brute force attack will fail for the same sort of reason

The issue is whether the attack is done offline or online for that sort of thing. Many websites provide a similar functionality if someone is trying to crack a password by brute force, and either require CAPTCHA or similar with new entries, then outright lock the account/temporarily ban the IP it's coming from/etc.

If I have a dumped file offline, I can make copies of it if such a system existed and just let it hit the max and then make a new copy and continue, or disable that kind of functionality. The example you give works because those are strictly closed networks/loops. So it's much easier to manage, as you know the provider of the data (not the user of the card but the store/etc) has permission to be submitting the information, and it's more a question of whether the card swiper submitted it correctly.
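
An added example, not part of the post above: the online/offline distinction as a server-side login check with a three-strike lockout and a salted slow hash. The class, the 900-second window, the PBKDF2 round count and the offline guess rate are all assumptions of this example.

```python
import hashlib
import hmac
import math
import os
import time

MAX_FAILURES = 3         # the three-attempt limit les describes for cards
LOCKOUT_SECONDS = 900    # assumed lockout window for this example
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune it to your own hardware


class Account:
    """Server-side record: salted slow hash plus a failed-attempt counter."""

    def __init__(self, password, rounds=PBKDF2_ROUNDS):
        self.rounds = rounds
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.rounds)

    def login(self, password, now=None):
        """Return 'ok', 'denied' or 'locked'. The counter lives on the server."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"  # refused before hashing, even if the password is right
        if hmac.compare_digest(self._hash(password), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return "denied"


def online_guesses_allowed(window_seconds):
    """Most guesses the lockout lets through against one account in a time window."""
    return MAX_FAILURES * math.ceil(window_seconds / LOCKOUT_SECONDS)


def offline_guesses_possible(window_seconds, hashes_per_second):
    """With a stolen copy of salt+digest no counter applies; only hash cost limits."""
    return int(window_seconds * hashes_per_second)


if __name__ == "__main__":
    day = 24 * 3600
    print("online, per day :", online_guesses_allowed(day))
    print("offline, per day:", offline_guesses_possible(day, 1_000))  # assumed rate
```

The lockout only protects the live service; once the stored hashes leave the server, the work factor and the password's entropy are the only remaining defences.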

Post by Human »

pjh776 wrote: - http://security.stackexchange.com/quest ... passphrase
Thanks, great read!