les wrote:
My master password is 21 characters upper case lower case numbers and symbols based on numberplates from the past 40 years.
This is considered insecure, as someone out to target you will most likely try to use any and all personal information they have/can obtain, as many use personal information, as it's easier to remember, in their passwords. If you want to talk about generating secure passwords, using your personal information in them is at the bottom of the list.
While some of what you say is accurate, plenty of it is incorrect. The problem with teaching people the step above the most simplistic is they'll often go about implementing it in an incorrect way.
les wrote:
Explain why ghe957p is not random. And can be entered as GHE(%&P.
I can't explain why it's not random, given I don't know how it was generated. Assuming you generated it just by typing what you perceived to be randomly, with enough of you typing "randomly" patterns emerge, whether you notice or mean them to or not. Randomness is measured by entropy, and someone just aimlessly hitting a keyboard has been shown to not have nearly the entropy levels we all would assume it would.
The entering of your surname on a public computer means very little in the grand scheme of things. Assumptions about passwords/critical data aside, a surname in and of itself on a public computer does not equal any large risk, especially with certain surnames, like Nguyen in Vietnam,
les wrote:
The most dangerous thing is to use the same simple password for your email as the sites where that email is a login detail.
This is almost correct. The actual issue isn't anything to do with your email. It's the reuse of passwords/patterned passwords across multiple entities. The issue with this is simple: data breaches occur. Whether someone captures an unsecured wifi signal and your password passed in plaintext by a site, or a website is infiltrated and password dumps recovered, the end is the same. The attacker gains a password. Now say they gained my milovana password and it was XXXXXXXmilo; then they might assume I reused the password and my Facebook password was XXXXXXXface and so on. Reused passwords are a security risk, as one compromised login leads to more and more of them compromised.
les wrote:
If you want security use a typewriter not a computer and destroy the ribbons daily.
Write on a pad with a sheet of plastic to prevent impressions passing through to the underlying sheet/s.
Never use a telephone and only talk to one another under a running power shower.
There are various levels of security; my comments were a simple way to lift out of the worse than useless.
This is nonsense. It's not only impractical, but I can show the security of an air-gapped encrypted machine pretty easily in mathematical terms and computing time required to decrypt. Your suggestions offer little security in and of themselves, mostly simply inconvenience.
les wrote:
If somebody is after cracking your password they do not start with a full on brute force attack. They start with common known passwords, then obscure, then dictionary, then maybe brute force using a computer with high end graphics cards as they are fastest.
This is entirely situational. If I were to be cracking a dump of an encrypted file for passwords, or an offline backup, brute force and letting it run might well be my first go-to. It's fairly quick if done all locally on a machine, and there's no risk of lockouts, and with the average person's password 10 characters or less, and those being standard ASCII, it'd not take too long. Much faster than me programming in specific information about someone
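The exchange above turns on two points: that a password's strength is measured by entropy (the search space an offline attacker has to cover), and that a short ASCII password like the 7-character example is within reach of local brute force regardless of case or symbols. The following is an added example, not code from either participant, that makes those numbers concrete from a defender's side: it infers the character set a password draws from, computes the entropy bound for a uniformly random choice of that length, estimates how long an offline search would take at an assumed guess rate, and shows how to generate a password with the OS CSPRNG instead of "typing randomly". The character classes are Python's standard sets and the guess rate of 1e10 per second is a constructed assumption for illustration only.

```python
import math
import secrets
import string

# Character classes a password may draw from. These are Python's standard
# sets; the sizes (26/26/10/32) drive the entropy bound below.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Constructed assumption: offline guesses per second for a fast hash on a
# GPU rig. Real figures depend entirely on the hash and hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the union of classes that cover the characters actually used.

    This is the search space an attacker who knows the policy would use;
    a lowercase-only password is not helped by the policy allowing symbols.
    """
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy in bits: length * log2(charset).

    This assumes every character was chosen uniformly at random. A password
    derived from number plates, names or keyboard mashing has less entropy
    than this bound, because an attacker can prioritise those patterns.
    """
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def expected_seconds(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time for an exhaustive offline search: on average half the space."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_password(length: int = 16) -> str:
    """Generate a password with the OS CSPRNG over all four classes.

    secrets.choice draws uniformly, so entropy_bits() is a true estimate for
    this output, unlike for a human-typed string.
    """
    alphabet = "".join(CLASSES.values())
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report(password: str) -> dict:
    """Summarise charset, entropy bound and expected offline search time."""
    bits = entropy_bits(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(bits, 1),
        "expected_seconds": expected_seconds(bits),
    }


if __name__ == "__main__":
    # The 7-character example from the thread versus a CSPRNG-generated one.
    for pw in ("ghe957p", "GHE(%&P", generate_password(16)):
        print(pw, report(pw))
```

Running it shows why adding case and symbols to a 7-character string does not move it out of brute-force range: `ghe957p` has a 36-character charset and a bound of about 36 bits, `GHE(%&P` widens the charset to 58 for about 41 bits, and at the assumed 1e10 guesses per second both fall within seconds to minutes of expected search time, whereas a 16-character CSPRNG password over all four classes sits above 100 bits. Length dominates; character classes only multiply the base.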