# What's really important for computer security (from a security professional)



## wilbur_the_goose (Aug 16, 2006)

I am a director-level person in the information security field (ask me anything). I have years of experience in InfoSec.

These are what I think are the most important things you can do to keep yourself safe online (in order of importance):
1. Stay current with patches. Java and Adobe products are often the most risky, so be sure to update frequently. Same with Windows and Apple updates.
1a. DO NOT run Windows XP. It's the worst thing for us professionals these days because it's a VERY risky OS. Same thing for Windows Server 2003 at work.
2. Use strong passwords with significant length (over 14 characters is best). Use a password manager. I like LastPass with a YubiKey authentication token.
3. Don't use peer-to-peer networks. Many of these died with Napster, but we all know about people pirating movies.
4. Don't grant your (Windows) everyday userid administrator level access.
5. Run good anti-malware software. I use Webroot.
6. It's OK to broadcast your SSID (hackers can find it easily), but please set up a long password. MAC filtering is overkill to me, but it sure does lock down your network.
7. Patch your systems and applications.
8. Patch your systems and applications.
9. Oh yeah - change the default userid and password on your router/modem. And make sure you're using WPA2 wireless encryption. WPA is about as secure as an unlocked screen door.

PS - Patch your systems.


----------



## trh (Nov 3, 2007)

Great information. Thanks.

And since you offered to answer questions, how does LastPass with YubiKey work with a mobile device? Neither my phone nor my tablet has a USB port.


----------



## sigma1914 (Sep 5, 2006)

trh said:


> Great information. Thanks.
> 
> And since you offered to answer questions, how does LastPass with YubiKey work with a mobile device? Neither my phone nor my tablet has a USB port.


LastPass has Android and iOS versions that carry a small fee.


----------



## dpeters11 (May 30, 2007)

trh said:


> Great information. Thanks.
> 
> And since you offered to answer questions, how does LastPass with YubiKey work with a mobile device? Neither my phone nor my tablet has a USB port.


I can answer this one. There is one YubiKey that will work with Android: they have an NFC-enabled NEO. You put it against the phone, and it reads the NFC chip. This won't work with an iPhone, as the ones that do support NFC are limited to Apple Pay. You can require a YubiKey for computers and not for mobile, though.

I personally only have my Yubikey set up for unknown systems, plus reauthenticating my systems every 30 days. I don't have it set to require it on my personal systems every time.

One thing I'll add to Wilbur_the_goose's list is always have the most current versions of your web browsers. Even if you don't use IE, make sure your version is the most current for your OS (generally IE11). Microsoft only patches the most current one for the OS. Vista is ok on IE10 as 11 isn't supported. If you have Vista, you have a little more than a year to make a move.

I also like a program called Secunia PSI; it's a free program that helps keep track of software security updates.

Do you really need Flash and Java? If you need Java, do you really need it in the browser (Chrome does not apply)?

www.secunia.com/psi

Be careful with the Internet of Things stuff, updates may not be obvious (if available). Some models of webcams have feeds easily available on certain search engines.


----------



## Eva (Nov 8, 2013)

I have Java and Flash disabled. Especially after my hubs fixed a client's computer that got a virus from a rogue ad that used Flash. He traced it to the ad network and they replied "it happens - most people block us anyway."


----------



## wilbur_the_goose (Aug 16, 2006)

trh said:


> Great information. Thanks.
> 
> And since you offered to answer questions, how does LastPass with YubiKey work with a mobile device? Neither my phone nor my tablet has a USB port.


It actually doesn't. You can configure it so that it uses single-factor with an iOS device. (I sure wish Apple would add back USB support!)


----------



## wilbur_the_goose (Aug 16, 2006)

+1 on Secunia PSI. Highly recommended.

And a big thumbs up on the browser. We track incoming traffic, and we still see companies running IE5! That's about 20 years old and is completely, 100% insecure. Run IE11, or whatever is current for Chrome/Firefox/Safari/etc.


----------



## peds48 (Jan 11, 2008)

For password managers, I recommend 1Password. Although iOS comes with its own version of a password manager called Keychain, I find 1Password to be more robust and more feature-filled.


Sent from my iPad Pro using Tapatalk


----------



## dpeters11 (May 30, 2007)

And don't forget the smartphone, though OS updates for anything but Apple are an issue.

We are going to start blocking iOS lower than a particular version, and I still can't get some to update, even ones who have supported hardware. 

Sent from my Z30 using Tapatalk


----------



## lparsons21 (Mar 4, 2006)

peds48 said:


> For password managers, I recommend 1Password. Although iOS comes with its own version of a password manager called Keychain, I find 1Password to be more robust and more feature filled.
> 
> Sent from my iPad Pro using Tapatalk


I do too now that I use more than just Apple gear. But when I was all Apple there just was no reason to use something else. Especially since Keychain is for much more than just web browsers.

Sent from my iPad Pro using Tapatalk


----------



## peds48 (Jan 11, 2008)

lparsons21 said:


> I do too now that I use more than just Apple gear. But when I was all Apple there just was no reason to use something else. Especially since Keychain is for much more than just web browsers.
> 
> Sent from my iPad Pro using Tapatalk


If you think about it, 1Password is a lot better than Keychain. Finance apps can use the 1Password API to let you log in with complex passwords, something that is not possible with Keychain. Also, searching is a lot easier with 1Password.

Sent from my iPad Pro using Tapatalk


----------



## lparsons21 (Mar 4, 2006)

peds48 said:


> If you think about it, 1Password is a lot better than Keychain. Finance apps can use the 1Password API to let you log in with complex passwords, something that is not possible with Keychain. Also, searching is a lot easier with 1Password.
> 
> Sent from my iPad Pro using Tapatalk


I'll definitely give you searching, that is great, as is the "vault". But complex passwords are not an issue with Keychain at all; it will even generate them if you want. The biggest downside to it is that it just keeps growing, as it doesn't replace very well.
Oops! I don't use 1pass, I use LastPass. 

I use LastPass all the time as it works so well for many things and is cross platform.

Sent from my iPad Pro using Tapatalk


----------



## phrelin (Jan 18, 2007)

Ok. I'm a grumpy old guy with a high level of paranoia based on experience.

I do everything wilbur lists but run a password manager, a class of "apps" about which I have had _serious_ reservations. Up to this point, I have concluded that due diligence daily bank/credit card account monitoring and monthly credit checks will still be needed even if I were to use a password manager app.

So far, I have concluded I would need a password manager that isn't on my computers or devices and that will work using all the versions since 2010 of seven browsers on the three main operating systems - Windows, Android, and iOS. In order for me to feel it is secure, it would have to come from a company which over the past 10 years has used security comparable to the NSA - a company that Chinese hackers attack hourly without success. Otherwise, what's the point.

Here's my paranoid-afflicted thought process regarding password managers.

Fact. I've dealt with computers since 1970, and just assume a worst case scenario hardware disaster so I'm not surprised and helpless when one occurs, which they do even with today's hardware.
Fact. So far, since the late 1990s when we began shopping online, we have had credit card numbers stolen by restaurant and store employees _when we were shopping on the premises_ but never while shopping or banking on the internet using a password.
Fact. The security-conscious folks at CalPERS and Anthem Blue Cross have given us years of free monthly credit reviews because they've had their data stolen. Other major firms have sent us warnings because of stolen data. Because of them, _not problems resulting from our activity_, we monitor all our banking/credit accounts almost daily as well as review those free monthly credit checks.
Fact. In addition to Windows 10 computers, we use old Windows computers, a variety of Amazon devices and old Apple devices, none of which we replace annually.
I have puzzled for a long time about what password manager will meet my needs. Let me itemize those needs:

My first need with a password manager "app" is one which won't become unavailable when my Windows 10 computer hard drive C: fails and I have to rebuild. How do I get to my bank using, for instance, an old Windows computer that hasn't been turned on in 16 months and which I do not, under any circumstances, wish to let Microsoft update in any way including the browser?
My second need with a password manager "app" is to have those passwords readily available on all our devices. Is there a password manager that works not only on Windows but on Amazon's versions of Android, iOS 5.1.1, and iOS 7.1.x? I'm not asking for much from a company that is going to guarantee me access to my 100+ accounts. Their app should be able to run in all versions of Windows from XP on plus all versions of Android and iOS that have existed at least since 2010. That is what it would take to assure me that I will be able to use the app in 2020 without having to replace every device I own on an Apple-like-spend-thousands-every-two-years schedule. Which one offers that?
Finally, one major password app company has been hacked and had to send out warnings to their customers. To my knowledge as a lowly diligent individual who has been shopping online since the mid-1990s, I have had no known password thefts due to my online activity. I need a password manager that in the next few years will create a situation where my passwords are less likely to be stolen rather than more likely to be stolen.
I'm open to contrary thoughts.


----------



## dpeters11 (May 30, 2007)

I use Lastpass, so this is all based on it.

For Android, Lastpass requires version 2.2 or higher.

I believe an older version supports iOS 5.1.1, but not sure about iOS 4. Of course keep in mind older iOS versions don't really do encryption on their side.

For Windows, it does require IE 8 or higher, Firefox 2 or Chrome 18.

Of course they may have certain features that requires a higher OS but that is the case with anything.

Even if the data were taken from their servers, the attacker would still need to brute force your password. Encryption/decryption of your vault occurs on your local system, not on the Lastpass servers. It can also be cached locally so that if you don't have an Internet connection or if they go out of business, you still have access to your data. For a brute force attack, the attacker would have to do 5000 rounds of password iterations by default. This can be increased, though Lastpass recommends not exceeding 10,000 rounds due to potential performance issues.

My Lastpass password is approximately 30 characters, not allowed to be used outside the US or on TOR (though this isn't a primary security feature) and I have two factor with my Yubikey. I have a different password for most sites, and they have had tools for things like the big Heartbleed vulnerability, telling you when it was safe to change your password for a site among other security check tools.

There is a podcast from a few years ago that dives into the technical details. They have made several additions to it since then, such as the increased iterations etc. I think the discussion starts about an hour in.
Here's the transcript, if you search for "What LastPass users have" that will jump you to the right spot in the discussion.
https://www.grc.com/sn/sn-256.htm

I'm not a huge fan of credit monitoring myself. I set up a freeze with all the credit bureaus.
http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
http://uspirg.org/sites/pirg/files/reports/USPIRGFREEZE_0.pdf
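An added example (not LastPass's code, and not part of the post above) of the scheme the post describes: the vault key is derived on the client with PBKDF2, and the iteration count sets how expensive every offline guess against a leaked copy is. The master password, salt and round counts are constructed values, and the `make_verifier` step is an assumed server-side design rather than a description of LastPass.

```python
"""Added example: client-side PBKDF2 vault-key derivation and the cost of
raising the iteration count. Constructed values; not LastPass's own code."""
import hashlib
import os
import time

DEFAULT_ROUNDS = 5000    # default round count mentioned in the post
RAISED_ROUNDS = 10000    # the ceiling the post says LastPass recommends
KEY_LEN = 32             # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Derive the vault key locally. Only this key, never the master password,
    is needed to open a locally cached vault, so it also works offline."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, KEY_LEN)


def make_verifier(vault_key: bytes) -> bytes:
    """Assumed server-side design: store a further hash of the key, so a
    copied server database still forces every guess through all the rounds."""
    return hashlib.sha256(b"verifier:" + vault_key).digest()


def seconds_per_guess(rounds: int, samples: int = 5) -> float:
    """Time one derivation on this machine; this is the per-core cost of one
    guess for anyone holding a leaked verifier, and for the legitimate user."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", salt, rounds)
    return (time.perf_counter() - start) / samples


def guesses_per_core_hour(rounds: int) -> float:
    """How many candidates one core can try per hour at this round count."""
    return 3600.0 / seconds_per_guess(rounds)


if __name__ == "__main__":
    salt = os.urandom(16)                    # per-user, stored with the vault
    master = "correct horse battery staple"  # constructed demo password
    key = derive_vault_key(master, salt, DEFAULT_ROUNDS)
    print("vault key:", key.hex())
    print("server verifier:", make_verifier(key).hex())
    # doubling the rounds roughly doubles the cost of every guess
    for rounds in (DEFAULT_ROUNDS, RAISED_ROUNDS):
        print(f"{rounds:>6} rounds: {seconds_per_guess(rounds) * 1000:.2f} ms/guess,"
              f" ~{guesses_per_core_hour(rounds):,.0f} guesses per core-hour")
```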


----------



## wilbur_the_goose (Aug 16, 2006)

Actually, the password manager you use (LastPass, etc.) isn't as important as using one in the first place. You want to use > 14 character passwords whenever possible. (PS - a password of aaaaaaaaaaaaaaaaaaaaaaaa is more secure than @*a83ff - do the math, and you'll see why.) Oh yeah - don't use a word from the dictionary in your passwords.

@phrelin: Your old PC running an unpatched version of Windows is our industry's biggest fear. That PC is open to all sorts of zero-day attacks and is loved by the bad guys as a launching pad for botnets.

Your best defense is strong passwords/passphrases and multi-factor authentication. See https://twofactorauth.org/ for details.


----------



## inkahauts (Nov 13, 2006)

I use Lastpass and it's great. Easy to organize and good password creation. I also make sure I try and use different long passwords for everything. And a password manager is the easiest way to do that. I generally use as long a password as I can. I don't get why some banks allow 64 characters and any kind of character and some restrict to, say, 12 and no special characters. But it is what it is. Two factor is great too. I use it on lots of sites and just use the basic text message as second factor.


----------



## dpeters11 (May 30, 2007)

wilbur_the_goose said:


> Actually, the password manager you use (LastPass, etc.) isn't as important as using one in the first place. You want to use > 14 character passwords whenever possible. (PS - a password of aaaaaaaaaaaaaaaaaaaaaaaa is more secure than @*a83ff - do the math, and you'll see why.) Oh yeah - don't use a word from the dictionary in your passwords.
> 
> @phrelin: Your old PC running an unpatched version of Windows is our industry's biggest fear. That PC is open to all sorts of zero-day attacks and is loved by the bad guys as a launching pad for botnets.
> 
> Your best defense is strong passwords/passphrases and multi-factor authentication. See https://twofactorauth.org/ for details.


Just wait until Dude111 shows up in the thread, a Windows 98 SE user (by choice) 

I have a friend that got an email from his IT guy that they're going to start requiring 14 character domain passwords. One of our guys got dinged on an audit at his old company for requiring too high of a minimum.

I have a hard enough time getting users to update their iOS.


----------



## wilbur_the_goose (Aug 16, 2006)

A real person can never remember long and strong passwords. That's the reason for a password manager. 

Funny about the Win98 user. I have a copy of Windows magazine from 1997 where they were previewing Win 98 and IE 5. They were fine back then, but pose a risk to the rest of us, and especially Mr Dude


----------



## James Long (Apr 17, 2003)

wilbur_the_goose said:


> A real person can never remember long and strong passwords.


It depends on the algorithm.
Arpcnrlasp.123

Crack that in 4 billion years. Or remember it by algorithm.

aaaaaaaaaaaaaaaaaaa is 6 billion years, but would not be allowed by many rule based systems.
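An added example (not from any poster) that does the "do the math" of wilbur_the_goose's earlier post and the figures in James Long's reply above: the brute-force keyspace of the thread's sample passwords, with the caveat that keyspace is an upper bound and a single repeated character does not actually earn it. The guess rate is a constructed assumption.

```python
"""Added example: keyspace arithmetic for the passwords quoted in the thread.
The 1e14 guesses/second figure is an assumed rate, not a measurement."""
import math
import string

# character classes a policy might allow; the alphabet a brute-force search
# must assume is the union of the classes the password actually uses
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " "),
)
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw: str) -> int:
    return sum(len(cs) for cs in CLASSES if any(c in cs for c in pw))


def keyspace(pw: str) -> int:
    """Number of candidates a full brute-force search must cover."""
    return charset_size(pw) ** len(pw)


def entropy_bits(pw: str) -> float:
    """Nominal strength: log2 of the keyspace."""
    return len(pw) * math.log2(charset_size(pw))


def worst_case_years(pw: str, guesses_per_sec: float = 1e14) -> float:
    """Time to exhaust the keyspace; the average successful guess takes half."""
    return keyspace(pw) / guesses_per_sec / SECONDS_PER_YEAR


def structured_guesses(pw: str):
    """Caveat: keyspace assumes nothing is known about the password's
    structure. A single repeated character is covered by trying each symbol
    at each length, about charset * length candidates, so the nominal
    keyspace overstates it. Returns None when no such shortcut applies."""
    if len(set(pw)) == 1:
        return charset_size(pw) * len(pw)
    return None


if __name__ == "__main__":
    for pw in ("aaaaaaaaaaaaaaaaaaaaaaaa", "@*a83ff", "Arpcnrlasp.123",
               "aaaaaaaaaaaaaaaaaaa"):
        print(f"{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}, "
              f"{entropy_bits(pw):.1f} bits, "
              f"brute force {worst_case_years(pw):.3g} years, "
              f"repeated-character shortcut: {structured_guesses(pw)}")
```

The nominal numbers back the "longer beats more symbols" claim, while the last column shows why a policy should reject repeated characters rather than credit them.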


----------



## phrelin (Jan 18, 2007)

wilbur_the_goose said:


> Actually, the password manager you use (LastPass, etc.) isn't as important as using one in the first place. You want to use > 14 character passwords whenever possible. (PS - a password of aaaaaaaaaaaaaaaaaaaaaaaa is more secure than @*a83ff - do the math, and you'll see why.) Oh yeah - don't use a word from the dictionary in your passwords.
> 
> @phrelin: Your old PC running an unpatched version of Windows is our industry's biggest fear. That PC is open to all sorts of zero-day attacks and is loved by the bad guys as a launching pad for botnets.
> 
> Your best defense is strong passwords/passphrases and multi-factor authentication. See https://twofactorauth.org/ for details.


I have no problem using a long password for things involving money. But when I sign on to comment on an article on the Washington Post, they have no personal information that isn't readily available on the internet. I've never figured out what the risk is using a not very good password on a site like that.

Regarding a PC running an old version of Windows, I keep them around because there is a lot of software I love that never made it to later versions and have no real equivalent. I don't use them on line, and probably would never have to.



wilbur_the_goose said:


> A real person can never remember long and strong passwords. That's the reason for a password manager.


No quarrel there. That's why I have my cheat sheet.

As I understand them, online passwords keep someone else from signing into my account at the bank or DBSTalk. Is there some additional purpose I don't understand?

Maybe I should stop using my brain to generate passwords and use some password generator, but since hackers seemingly use tools that don't necessarily associate with who I am, I'm not sure if that would just be overkill. It helps to type in the password if it makes some kind of sense to me.



dpeters11 said:


> I use Lastpass, so this is all based on it.


You're very persuasive so I'll take another look at Lastpass.


----------



## dpeters11 (May 30, 2007)

What really got me using a password manager in the beginning was the various stupid criteria for passwords. Nope, can't use that one, too long. Can't use that other one because it has invalid symbols, etc.

In terms of various sites to login to comment etc, for me it's I don't want someone logging into my account and making inappropriate posts. They may get deleted, but I could get blocked or they could come back against me.

Particularly for the two main DirecTV forums I'm on, I consider it protecting what reputation I have.


----------



## dpeters11 (May 30, 2007)

wilbur_the_goose said:


> A real person can never remember long and strong passwords. That's the reason for a password manager.
> 
> Funny about the Win98 user. I have a copy of Windows magazine from 1997 where they were previewing Win 98 and IE 5. They were fine back then, but pose a risk to the rest of us, and especially Mr Dude


My friend forwarded the response he got from their IT guy. I got the impression he was an XKCD fan, though he didn't use the "correct horse battery staple" example.


----------



## inkahauts (Nov 13, 2006)

dpeters11 said:


> What really got me using a password manager in the beginning was the various stupid criteria for passwords. Nope, can't use that one, too long. Can't use that other one because it has invalid symbols, etc.
> 
> In terms of various sites to login to comment etc, for me it's I don't want someone logging into my account and making inappropriate posts. They may get deleted, but I could get blocked or they could come back against me.
> 
> Particularly for the two main DirecTV forums I'm on, I consider it protecting what reputation I have.


Lastpass sure makes that part easy. The only thing it doesn't do that I have seen is allow you to automatically include or exclude certain subsets of special characters for generating passwords, which a few sites do. Why, I have no idea. I just hit the refresh button till I get one that meets the needs in those couple of instances.


----------



## wilbur_the_goose (Aug 16, 2006)

^^^

Some sites use goofy password requirements. They make zero sense, and were probably implemented by somebody who didn't know what they were doing.


PS - If you're interested in how passwords are stored on a website, Google "Hashing". Unless a site is utterly amateur, every password is hashed. Even better, they should be salted.


----------



## Mark Holtz (Mar 23, 2002)

As someone who has been playing with computers since 1980 and earning a paycheck with one since 1999, I thought I would go through your list. One assumption that one has to make is that anytime your computer interfaces with the outside world, it is at risk. As a computer user, it is your job to minimize the risk.



wilbur_the_goose said:


> 1. Stay current with patches. Java and Adobe products are often the most risky, so be sure to update frequently. Same with Windows and Apple updates.
> 1a. DO NOT run Windows XP. It's the worst thing for we professionals these days because it's a VERY risky OS. Same thing for Windows Server 2003 at work.


Microsoft has ceased all patches for Windows XP as of April 2014. In addition, support is disappearing for the programs on XP.

Also, not only current patches, but current program versions as well.


wilbur_the_goose said:


> 2. Use strong passwords with significant length (over 14 characters is best). Use a password manager. I like LastPass with a YubiKey authentication token.


While I do use Lastpass, that is my secondary password manager, which is a small subset of my main password. My primary password manager is KeePass for all of my passwords, plus, as a bonus, I also store all of my registration codes for my software as well. For the times that Keepass/Lastpass is not available (like logging into my workstation), I use a Password card via my Android device. (Yes, an iPhone app is also available.)

When I started out, we were told to never write down a password and to make a complex password. What inevitably happened is that we only used two or three passwords for all of the websites. If you check How Secure Is My Password, the password that I used could be cracked in less than 11 minutes. (Oops.) By using a unique, randomly generated password, it makes it harder for the crooks. My biggest complaint, though, is that I can use a longer, more complex password on a hobbyist-type board than on sites where security is very important, such as financial/health care sites. If you convert the password to an MD5/SHA1/SHA256 hash, then it should not matter which characters are being used or how long the password is. (Of course, that hash should be salted as well to prevent a rainbow table attack.)

Of course, I cannot emphasize enough the two-factor authentication. While I do use Authy on my phone, I also use WinAuth as a backup code generator as well.


wilbur_the_goose said:


> 5. Run good anti-malware software. I use Webroot.


Run a good anti-virus AND anti-malware software.

One thing that I don't see you mentioning is having backups. As an example, about two weeks ago, I got a Lenovo THINKCENTRE M53 Tiny Desktop, Intel J2900 Quad-Core 2.41GHz as a special from Woot. While it is not a powerful computer, it is what I needed for a specific purpose. It took several hours to download and install all of the patches for Windows 7, then upgrade to Windows 10, then install all of my favorite programs. After the completion of all patches for Windows 7, and again after the Windows 10 install, I made a full image backup using True Image. That way, if something goes wrong, it only takes a few minutes to restore a backup image versus wasting hours reinstalling everything. I also use TrueImage to back up my main computer three days a week, then copy those images to an external hard drive.

For my USB drives (1 for personal stuff, 1 for all of my utilities), I use FreeFileSync to back up the changed files. It takes only a minute or two.

As for my Keepass/WinAuth files (which are encrypted), I have them backed up to several online locations. Dropbox and Google Drive are great.

Of course, having a good, regular backup means that nothing should happen to me, according to Murphy.
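An added example (not the code of any site or poster) of the storage practice behind wilbur_the_goose's "Google Hashing" note and Mark Holtz's salted-hash point above: each user gets a random salt, the stored record is the same size whatever the password's length or character set, and verification never needs the plaintext. It uses PBKDF2 rather than a bare MD5/SHA hash because a bare hash is fast enough to guess against at scale; the round count and user names are assumptions.

```python
"""Added example: salted, iterated password storage and verification.
Constructed users and passwords; not any real site's code."""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ROUNDS = 100_000   # assumption; tune so one hash costs a noticeable fraction of a second


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = ROUNDS) -> str:
    """Return a self-describing record: algo$rounds$salt$digest (hex)."""
    salt = salt if salt is not None else os.urandom(16)   # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, rounds, 32)
    return f"{ALGO}${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time so
    timing does not leak how many bytes of the digest matched."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds), 32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True when the record was made with fewer rounds than current policy,
    so it should be re-hashed on the user's next successful login."""
    return int(record.split("$")[1]) < ROUNDS


if __name__ == "__main__":
    # two constructed users who happen to choose the same password
    alice = hash_password("Tr0ub4dor&3")
    bob = hash_password("Tr0ub4dor&3")
    print("same password, different records (salt defeats rainbow tables):",
          alice != bob)
    print("verify right password:", verify_password("Tr0ub4dor&3", alice))
    print("verify wrong password:", verify_password("Tr0ub4dor&4", alice))
    # record size does not depend on the password's length or character set,
    # so a site has no storage reason to cap length or ban symbols
    print("record lengths:", len(hash_password("short")), len(hash_password("x" * 64)))
    old = hash_password("legacy", rounds=5000)
    print("legacy record needs upgrade:", needs_rehash(old))
```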


----------



## dpeters11 (May 30, 2007)

Mark Holtz said:


> One thing that I don't see you mentioning is having backups. As an example, about two weeks ago, I got a Lenovo THINKCENTRE M53 Tiny Desktop, Intel J2900 Quad-Core 2.41GHz as a special from Woot. While it is not a powerful computer, it is what I needed for a specific purpose. It took several hours to download and install all of the patches for Windows 7, then upgrade to Windows 10, then install all of my favorite programs. After the completion of all patches for Windows 7, and again after the Windows 10 install, I made a full image backup using True Image. That way, if something goes wrong, it only takes a few minutes to restore a backup image versus wasting hours reinstalling everything. I also use TrueImage to back up my main computer three days a week, then copy those images to an external hard drive.


The nice thing is, that if you ever did need to reinstall Windows 10 on the machine without a backup, you can now go straight to 10, no need to install 7 first. And since Windows 10 has cumulative patches, there's no more installing hundreds of patches, reboot install more patches and repeat. You can just redownload Windows 10 from their site, which is always the most current build then install the patches that are left.


----------



## Mark Holtz (Mar 23, 2002)

dpeters11 said:


> The nice thing is, that if you ever did need to reinstall Windows 10 on the machine without a backup, you can now go straight to 10, no need to install 7 first. And since Windows 10 has cumulative patches, there's no more installing hundreds of patches, reboot install more patches and repeat. You can just redownload Windows 10 from their site, which is always the most current build then install the patches that are left.


But there are still the other applications that need to be installed and, of course, the customizations that need to be performed. One of the first things that I install is Notepad++, and I immediately perform the necessary changes to make it the default editor instead of Windows Notepad.


----------



## dpeters11 (May 30, 2007)

Mark Holtz said:


> But there are still the other applications that need to be installed and, of course, the customizations that need to be performed. One of the first things that I install is Notepad++, and I immediately perform the necessary changes to make it the default editor instead of Windows Notepad.


Oh sure. I'm just glad that it's now much easier to clean install.


----------



## James Long (Apr 17, 2003)

phrelin said:


> But when I sign on to comment on an article on the Washington Post, they have no personal information that isn't readily available on the internet. I've never figured out what the risk is using a not very good password on a site like that.





dpeters11 said:


> In terms of various sites to login to comment etc, for me it's I don't want someone logging into my account and making inappropriate posts. They may get deleted, but I could get blocked or they could come back against me.
> 
> Particularly for the two main DirecTV forums I'm on, I consider it protecting what reputation I have.


It is also important to note which sites use http:// and which sites use https://. If you are using the same most secure banking password on a http:// site you are giving away your password. Different password every site ... and that is a pain.

The reputation issue is important. We occasionally get a complaint that "someone hacked my account" to post something. The last couple I have investigated managed to post from the same IP address as the person complaining. Hopefully other sites look at more than the login/password to decide if the account is worth keeping but the responsibility is on the account user to protect themselves.

FTP is probably the biggest hole I have seen. In a secure world there would be no unencrypted passwords transmitted. I set up secure FTP where the host permits.

My pet peeve for passwords is the emailed password. I have visited sites with bold warnings about keeping your password secure. After signing up I get an unencrypted email with my password in plain text. STUPID! I don't mind the emailed password with a forced change (although that leaves a door open for hijacked email) but to email a user set password in plain text? No.

I could go on ranting about passwords ... I wish criminals could be trusted so I didn't have to have them.


----------



## dpeters11 (May 30, 2007)

James Long said:


> It is also important to note which sites use http:// and which sites use https://. If you are using the same most secure banking password on a http:// site you are giving away your password. Different password every site ... and that is a pain.


Even though it's not really a target, I wish DBSTalk was encrypted. SSL certs are cheap these days.


----------



## James Long (Apr 17, 2003)

dpeters11 said:


> Even though it's not really a target, I wish DBSTalk was encrypted. SSL certs are cheap these days.


There are other issues involved.


----------



## dmspen (Dec 1, 2006)

About 12 years ago I worked on a NASA project. Not NSA. To log into the operations network, you had to have a minimum 52 character pass phrase. It also had to include capitals, numbers, but no special characters.

It was a quantity, not quality, pass phrase. Of course you couldn't see it when you entered it either.


----------



## James Long (Apr 17, 2003)

I don't mind a good passphrase. It helps if spaces are allowed so the phrase can be typed naturally.

"The first six digits of pi are 314159 The best kind of pie is French Silk"
For passwords others may see or hear me type I like to include backspaces. It adds to the keypress count.
(Even if they are polite enough to look away while a password is typed, the clicks can be counted.)


----------



## billsharpe (Jan 25, 2007)

I have been using the first letter of each word in a pass phrase for years. I had to modify a few of my passwords recently to add special characters. It's a home computer so I do not have to worry about anyone looking over my shoulder or counting clicks when I type.

The phrase you mention seems pretty safe. I don't know anyone who would pick "French Silk" as the best kind of pie. :rolling:


----------



## James Long (Apr 17, 2003)

I like chocolate!

The best part of that passphrase is nobody needs to know that it even mentions pie, or pi.
Crack it in 165 noventrigintillion years.


----------



## trh (Nov 3, 2007)

James Long said:


> Crack it in 165 noventrigintillion years.


I don't know how long 165 noventrigintillion years are, but running your password through Steve Gibson's web site (www.grc.com), with a 'Massive Cracking Array' attack (one hundred trillion guesses per second), it would take someone *7.60 trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries* to crack that password.


----------



## dpeters11 (May 30, 2007)

trh said:


> I don't know how long 165 noventrigintillion years are, but running your password through Steve Gibson's web site (www.grc.com), with a 'Massive Cracking Array' attack (one hundred trillion guesses per second), it would take someone *7.60 trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries* to crack that password.


Of course his site says that [email protected] should take 18 hours in a fast offline attack. It wouldn't take nearly that long.


----------



## trh (Nov 3, 2007)

I think any password that, at max, takes 18.62 hours to crack, is not a good choice for a password.


----------



## wilbur_the_goose (Aug 16, 2006)

Depends on the cracking algorithm. 

We need more sites to lock an ID after 3 or 5 failed login attempts. Prevents brute force attacks.


----------

