This is the thread for discussing password security, password management, articles like this one, etc.
Password managers:
* LastPass
* KeePass
* 1Password
* RoboForm
Two-factor Authentication:
* Yubico (YubiKey)
Previous discussion: LastPass *possibly* Hacked
You should add RoboForm to the list of password managers. I believe it was one of the earliest password managers, as it was released in 1999. It's a mature product with excellent support, and I've been using it for 7 or 8 years now. I couldn't live without it!
/tagged Thanks *Legion*
Will post my questions later.
I haven't used a password manager before, but it might be something I do in the future. I generally pick mostly unique passwords, although, I will admit I reuse some with a few "unimportant" things.
I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.
As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."
That password is up for grabs if anyone wants it. Just let me know if you decide to use it.
YubiKey? Explain to me, as you would a child!
It appears to require the authenticating service to support their auth stubs or something? Not sure.
Password Safe was originally written by Bruce Schneier and has since become an open source project. The Java version is a bit clunky, but it's still the best password manager I've found. The others all have too much interface to deal with.
tuffalobuffalo wrote: I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.
As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."
That password is up for grabs if anyone wants it. Just let me know if you decide to use it. ;)
That's what I do as well. To make them site specific, I'll add something somewhere in there to remind me of the site name that I'll remember.
Why does no one make a non-system dependent Yubikey?
From what I understand of it, it's like one of those bank decoder key generation thingies.
So why can't you have your own individual key "decoder" thing? If you know your password word, say stored on LastPass, and then input it into the decoder and it shunts out a random string of 8-10 alphanumerics (plus special characters), you should be golden and not require the system in question to support the hardware. Your "password" would never be compromised from just storing it electronically or even on paper because no one but you would have the key and correct encryption algorithm...
tuffalobuffalo wrote: I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.
As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."
Reminds me of one of mine (offline): bugs bunny ate 6 carrots for money before leaving, which translates to:
bb@6^4$b4leaving
then I added my standard 4 digit PIN to the end of that.
I get your point. But it requires that the middle man service A) exists, B) is supported by every website you want to go on and C) doesn't go out of business and is working at the time you wish to use it.
What I was suggesting is a way of having a simple password generate a complex one. You remember the simple password, say, Dog for GWJ (ideally it'd be different for every site), and the scrambler puts out E12#pica*chu.
You could even have it so that you enter the URL/website name with the password and so there's two factors to encrypt/scramble there.
Let's face it. It doesn't matter if a particular site in question is hacked anyway, as they'll still have the password to that particular site. What I'm talking about is being able to remember easy passwords, have them stored easily on something like LastPass, and not have them actually compromised if that service is hacked.
You could even use the same password for every site but when combined with the site name it spews out a unique password for that site.
The point is that you can store your passwords on LastPass without them becoming compromised if LastPass is hacked, because LastPass isn't actually storing the passwords you use.
As I said above, if a particular site is hacked it doesn't matter if you've got two-factor authentication, because they've already got access to the system. They don't need to log in as you; they already have your information.
[edit]
To make it clearer:
You store "Dog" on LastPass (note I've not used it, so I'm not sure if services like LastPass are just lockers for password storage or if they feed into individual sites so you can log in via the service. I'm assuming it's just a locker).
In order to log in, you input "Dog" in your encrypter/scrambler with GWJ (the site name) and it comes out with a string which is based on and unique to the scrambler code in your unit.
You read the scrambled code off the display and input it into the password field of the website you want to log in at.
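The scrambler described in this post, modelled as an added example (not code from the thread or from any product named in it): a secret baked into the unit, the easy word kept in the locker, and the site name are stretched with PBKDF2 and mapped onto a password alphabet. The unit secret, the alphabet, the 16-character length and the work factor are my assumptions.

```python
import hashlib
import string

# Assumptions for this illustration (the thread fixes none of them): the
# output alphabet, the 16-character length, and the PBKDF2 work factor.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
ITERATIONS = 100_000


def derive_site_password(unit_secret: str, memorable: str, site: str,
                         length: int = 16) -> str:
    """Model of the 'scrambler': (secret baked into the unit, the easy word
    kept in the locker, the site name) -> a fixed-length site password.

    Identical inputs always give the same output, so nothing derived ever
    needs storing. A breach of the locker reveals only the easy word and the
    site name; without the unit secret those yield no site password. PBKDF2
    stretching means that someone who captures one derived password and
    knows the scheme still pays ITERATIONS hashes per guess at the secret.
    """
    # Site names are normalised so "GWJ" and " gwj " derive the same password.
    salt = ("v1:" + memorable + ":" + site.strip().lower()).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", unit_secret.encode("utf-8"),
                              salt, ITERATIONS)
    # Read the 256-bit key as one integer and write it in base len(ALPHABET).
    # 16 characters consume about 98 of the 256 bits, so the bias introduced
    # by the base conversion is negligible.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    secret = "constructed-unit-secret"  # constructed sample value
    for site in ("GWJ", "slashdot"):
        print(site, derive_site_password(secret, "Dog", site))
```

The one thing the locker can never protect is the unit secret itself: if it is weak, a captured site password plus knowledge of the scheme lets it be guessed offline, which is the same risk the thread later raises for home-made password algorithms.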
tuffalobuffalo wrote: I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.
As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."
I read a research paper recently that showed that password security was directly linked to the number of characters in the password, not in the use of punctuation or anything like that. One of the problems seems to be that people think "password" implies a single word, while it could be a sentence. For example, "i like frogs" is tremendously more secure than "Ap9$%@" even though it's just a sequence of actual words.
tuffalobuffalo wrote: I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.
As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."
I read a research paper recently that showed that password security was directly linked to the number of characters in the password, not in the use of punctuation or anything like that. One of the problems seems to be that people think "password" implies a single word, while it could be a sentence. For example, "i like frogs" is tremendously more secure than "Ap9$%@" even though it's just a sequence of actual words.
That's definitely true. *Legion* brings up some good points against those types of passwords, though. I'm not sure where I stand on that issue.
Eezy_Bordone wrote: Just keep in mind that spear-phishing can beat any system. RSA (similar to yubikey) is being phased out in the DoD right now because of their recent hacking of.
I expect the DoD will find or cook up something better.
Most DoD sites are PKI but those legacy systems that have been two-factor have now been told to move on or get turned off. Just pointing out that your trusted 3rd party can have their keys stolen too.
I don't mean to sound anti-everything. Rather, as with anything on a computer nowadays, it is a judgement on the part of the operator to weigh the risk vs the convenience.
Can I make a simple algorithm that makes it harder to guess my password? Sure thing:
F*3hfow59fgwjf83hfow59 - Gamers With Jobs
F*3hfow59fsdf83hfow59 - slashdot
etc etc. But I still run the risk that if my password is found out on one site, then someone can attempt to figure out my algorithm. Do I use a password similar to this for sites that I want to access from work? Sho'nuff, but in reality the best thing to do is make a super hard random one for each site.
Then you've got to make notes of what you put in for secret answers, because you don't want to put the real answers; that just makes it easier for the criminal to get a new password sent to them.
complexmath wrote: tuffalobuffalo wrote: I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.
As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."
I read a research paper recently that showed that password security was directly linked to the number of characters in the password, not in the use of punctuation or anything like that. One of the problems seems to be that people think "password" implies a single word, while it could be a sentence. For example, "i like frogs" is tremendously more secure than "Ap9$%@" even though it's just a sequence of actual words.
That's definitely true. *Legion* brings up some good points against those types of passwords, though. I'm not sure where I stand on that issue.
I didn't know about sites truncating to 8 characters, though it makes sense. Assuming security vs. an undirected attack (i.e. an automated program rather than an attack using specific knowledge of the victim), as long as the password isn't in a hacker's dictionary I don't think it matters what the contents are for a given length. Only a brute force attack will work at that point, so every character provides equivalent complexity. I think the suggestion to not use normal words is simply a guideline to help people avoid using something from that dictionary (and by "hacker's dictionary" I mean a list of popular passwords, l33t permutations of dictionary words, etc). So it's still a good rule to follow for the sake of simplicity, but not strictly necessary.
I read a research paper recently that showed that password security was directly linked to the number of characters in the password, not in the use of punctuation or anything like that.
Hmm, I don't figure it that way. Let's walk through the numbers. It's possible I'm missing something here, so jump in and correct me if I get something wrong.
For brute-force attempts, expanding the allowed possible characters does make a password harder to crack. It means that in the case of brute-force attempts, many more attempts will have to be made to cover all the possible punctuation symbols and so forth; if you get up into the actual non-typable symbols (which you can reach, on Windows, with alt+four digit code on the numeric keypad), then it expands the key search space a VERY great deal.
It's basically just math. With a short password, even purely alphanumeric, each additional digit you add multiplies the search space by 62 times (the 52 characters plus the numbers).
Adding punctuation increases search space for all the punctuation symbols for each character in your password. I'm not sure how many symbols there are, but just a quick visual count on my keyboard shows 32 symbols that are mapped onto the keyboard.
So if I have a one character password, adding a second alphanumeric digit increases the search space by 62 times, but a single-digit-plus-punctuation is 32 times harder to search. At two digits, punctuation increases it by 64 times; at 3, 96, and so on. The more digits in the password, the more rapidly the multiplier increases. You add 62 per character no matter how many characters you have in your password, but you add (roughly) 32 times per existing character if you go to punctuation.
So anywhere at 3+ characters, going to punctuation appears to be a bigger win than adding simple letters, and it very rapidly becomes MUCH MUCH larger. Going from 10 to 11 alpha is just straight 62 times harder, but going 10 alpha to 10 punctuation is 320 times harder.
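The search-space arithmetic in this post, carried through in code as an added example (not from the thread): a brute-force space is the alphabet size raised to the password length, and a wordlist model sits alongside it for the dictionary caveat raised earlier in the thread. It assumes the 32 keyboard punctuation marks counted above and uses the thread's own sample passwords.

```python
import math
import string

# Character classes as the thread counts them: 26 lower, 26 upper, 10 digits,
# and the 32 punctuation marks on a US keyboard (string.punctuation has 32).
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
    (" ", 1),
]


def charset_size(password: str) -> int:
    """Alphabet a blind brute-force attacker must cover: the sum of every
    character class that actually appears in the password."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))


def brute_force_space(password: str) -> int:
    """Candidates a brute force must be prepared to try. Every position
    multiplies the space by the alphabet size, so it is size ** length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Same quantity expressed in bits: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def wordlist_space(word_count: int, dictionary_size: int) -> int:
    """Model for an attacker who knows the password is a phrase of common
    words: each word is one 'character' drawn from a wordlist."""
    return dictionary_size ** word_count


def ratio(a: str, b: str) -> float:
    """How many times larger a's brute-force space is than b's."""
    return brute_force_space(a) / brute_force_space(b)


if __name__ == "__main__":
    for pw in ("Ap9$%@", "i like frogs", "abcdefgh1A", "abcdefg1A$"):
        print(f"{pw!r:16} charset={charset_size(pw):3} "
              f"space={brute_force_space(pw):.3e} bits={entropy_bits(pw):.1f}")
    print("phrase vs symbols, blind brute force:", f"{ratio('i like frogs', 'Ap9$%@'):.3g}")
    print("phrase as 3 words from a 10k wordlist:", f"{wordlist_space(3, 10_000):.3e}")
```

Going from ten alphanumerics to ten characters drawn from the full 94-symbol set multiplies the space by (94/62)^10, about 64; the twelve-character phrase beats the six-character symbol string by a far larger factor under a blind brute force, and still by a large one when modelled as three words from a ten-thousand-word list.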
But you couldn't assume "i like frogs" didn't use special characters or anything else, because it does, the space. So to a brute force it wouldn't matter, or a dictionary attack. Right?
I don't know if my workplace (a library, not exactly a high security facility) can be used as a valid example, but the IT department forcing us to use insanely complex passwords and to change them frequently just results in a LOT of passwords just sitting there in your email or written on post-it notes. So we'd probably be better off if they just let us use something like "i like frogs".
I used to think it was hilarious how in video games and movies so many passwords were just conveniently written down on a notepad or sitting in a chat window, until I started working for the state of Louisiana.
I agree, I've been using KeePass since the Gawker incident (though I didn't have an account there).
And because I work primarily with Windows, 10 Myths about Windows passwords. Some of it is out of date, as you can definitely set GPOs to mandate passwords longer than 14 characters.