# Largest-ever password study: We are all idiots



## Mark Holtz (Mar 23, 2002)

From Venturebeat:

*Largest-ever password study: We are all idiots*


> The largest-ever study on user-selected password security shows that no matter how old you are or what language you speak, your password probably sucks.
> 
> The study, conducted by Joseph Bonneau at the University of Cambridge, analyzed the password strength of about 70 million Yahoo users. While the data was protected with hashing and Bonneau was unable to see individual account info, he was still able to measure relative strength of passwords across various demographics like age, gender, and nationality.


FULL ARTICLE HERE

Sigh.... use a password manager like KeePass or Lastpass. Check out www.howsecureismypassword.net ....


----------



## RasputinAXP (Jan 23, 2008)

I'm not. Sure, my stupid-low-security stuff sucks but for legitimate passwords? Minimum 10 digits, numbers, mixed case and special characters. Then again it may be that I'm one of Those Guys.

edit: Wait a minute, 70 million Yahoo users??! That's not even fair. That's like saying 70 million elementary school students.


----------



## hdtvfan0001 (Jul 28, 2004)

For those of us who have over 50+ passwords to manage between work and home...passwords are a major pain in the butt period. Unfortunately, they are a necessary evil for security.

To the point of the article...in the real world...I have actually seen people use *password* as their password.


----------



## Davenlr (Sep 16, 2006)

> He also says that businesses that make people create passwords should make users pick tougher passcodes. "A stricter password selection policy might produce distributions with significantly higher resistance to guessing," Bonneau wrote.


I find myself not creating accounts I would otherwise create for sites that do this. It totally pisses me off when I enter 5 passwords and the site tells me they aren't good enough. I end up clicking off the page.

I've always wondered why bank PINs are only 4 numbers, but an internet site requires 9 characters and MUST contain at least 1 number, one upper case, one lower case, and the thumb print of your first born.


----------



## Marlin Guy (Apr 8, 2009)

Mark Holtz said:


> Check out www.howsecureismypassword.net ....


"It would take a desktop PC About 600 years to hack your password"

Thanks.


----------



## AntAltMike (Nov 21, 2004)

Now that I've given them my passwords to evaluate, how long will it take them to find out who I am and clean out my bank account?


----------



## Laxguy (Dec 2, 2010)

hdtvfan0001 said:


> For those of us who have over 50+ passwords to manage between work and home...passwords are a major pain in the butt period. Unfortunately, they are a necessary evil for security.
> 
> To the point of the article...in the real world...I have actually seen people use *password* as their password.


I prefer "secret"... heh, heh. Or maybe "user".... :sure:

I make a real distinction between PWs that wouldn't bother me if someone had them, such as for a Yahoo or Gmail account, and those where I could lose something of value. If someone logged in as me on, say, DIRECTV®'s site and made changes or ordered movies, it'd be inconvenient but not a real hit.


----------



## kevinturcotte (Dec 19, 2006)

My WPA2 password: "It would take a desktop PC about 44 novemvigintillion years to hack your password" Whatever that means lol


----------



## Laxguy (Dec 2, 2010)

Davenlr said:


> I find myself not creating accounts I would otherwise create for sites that do this. It totally pisses me off when I enter 5 passwords and the site tells me they arent good enough. I end up clicking off the page.
> 
> Ive always wondered why bank pins are only 4 numbers, but an internet site requires 9 characters and MUST contain at least 1 number, one upper case, one lower case, and the thumb print of your first born.


Yeah, even the Nigerian "bankers" don't require that level!:hurah:

And, yeah, you really do need high security for a site you'll visit once or twice....:nono2:


----------



## Mark Holtz (Mar 23, 2002)

hdtvfan0001 said:


> For those of us who have over 50+ passwords to manage between work and home...passwords are a major pain in the butt period. Unfortunately, they are a necessary evil for security.


Wimp. I count 280 unique passwords in my collection.


----------



## Laxguy (Dec 2, 2010)

kevinturcotte said:


> My WPA2 password: "It would take a desktop PC about 44 novemvigintillion years to hack your password" Whatever that means lol


Hah! I guess that's beyond our lifetimes!

I did a bad thing. I entered a naughty word, that begins with "mother". Here's what it showed:



> Common Password: In The Top 9,800 Most Used Passwords
> Your password is very commonly used. It would be cracked almost instantly.
> Possibly A Word
> Your password looks like it could be a dictionary word or a name. If it's a name with personal significance it might be easy to guess. If it's a dictionary word it could be cracked very quickly.


I then entered another word one doesn't use in polite company, but it's in the Latin tongue so to speak. It would take 169 days to crack.

This one, that they generated, Pre|>|>ed Lander, would take 52 Trillion years, but all the times seem way too long.


----------



## Laxguy (Dec 2, 2010)

Mark Holtz said:


> Wimp. I count 280 unique passwords in my collection.


How do you keep track, and what's the security on that?


----------



## billsharpe (Jan 25, 2007)

hdtvfan0001 said:


> For those of us who have over 50+ passwords to manage between work and home...passwords are a major pain in the butt period. Unfortunately, they are a necessary evil for security.
> 
> To the point of the article...in the real world...I have actually seen people use *password* as their password.


How about eight asterisks in a row? Then you can see your password as you type it in...


----------



## dpeters11 (May 30, 2007)

I do highly recommend LastPass, but at least padding a password is a good start. Even if you take the base password of "Password", making it something like {{{<<<Password!>>>}}} helps.

What irritates me is when various sites have varying requirements. Can't use that password, too long. They don't allow that character, etc.

Myself, I use LastPass and have it set to require my Yubikey if it's not a previously known system. One of my strongest passwords is for my primary email, since that's where "I forgot my password" emails go to.


----------



## spartanstew (Nov 16, 2005)

Marlin Guy said:


> "It would take a desktop PC About 600 years to hack your password"
> 
> Thanks.


I use the same password when ever I can (currently use it for about 50 sites) and a secondary that I use when I can't (another 20 sites or so).

Not the smartest thing, but it only takes me a couple of attempts on any site to figure out what my password is.

For the record, it's mixture of letters and numbers, including some capitalization and the link above states it would take a PC 106 years to crack it, so that's good enough for me.


----------



## Shades228 (Mar 18, 2008)

There are some good methods out there for making different passwords for each site you can't forget. 

Most of them tell you to pick a date and then pick something from the name of the site you're on. Then you mix it up in a manner that you use consistently for every site. This way you never have a repeat password but cannot forget them.

Those calculators are usually based on brute force methods which are rarely used due to most systems having detection and prevention methods for that. Hash cracking is the most common and effective.


----------



## dennisj00 (Sep 27, 2007)

Davenlr said:


> I find myself not creating accounts I would otherwise create for sites that do this. It totally pisses me off when I enter 5 passwords and the site tells me they arent good enough. I end up clicking off the page.
> 
> Ive always wondered why bank pins are only 4 numbers, but an internet site requires 9 characters and MUST contain at least 1 number, one upper case, one lower case, and the thumb print of your first born.


Possibly because there's a video camera involved?!!


----------



## BubblePuppy (Nov 3, 2006)

From Hacker News:


> Post Mortem: Today's Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself.
> This morning a hacker was able to access a customer's account on CloudFlare and change that customer's DNS records. The attack was the result of a compromise of Google's account security procedures that allowed the hacker to eventually gain access to my CloudFlare.com email addresses, which run on Google Apps. While we are still working with Google to investigate the details, we wanted to highlight it here to make people aware that they too may be vulnerable to similar attacks and provide a full accounting of what happened.


http://blog.cloudflare.com/post-mortem-todays-attack-apparent-google-app


----------



## dpeters11 (May 30, 2007)

Supposedly the inventor was going to go with a 6 digit number, but his wife said she would only be able to remember 4. I wish it had been at least 5, 4 is too easy to just use a birthdate.


----------



## James Long (Apr 17, 2003)

A work password: About 32 billion years.
My work password: About 8 seconds.
My oldest living password: About 8 seconds.
My favorite password: About 3 days.

I don't trust the estimate completely. For example, my name comes up as "About 6 Hours" but with a space it shows as "About 4 Years". Capitalizing the last name makes it "About 128 Days" and both the capitalizing and the space makes it "About 412 years". My birthday as 8 digits is 0.4 seconds. Spelled out "About 25 million years". The estimate would be completely different if the cracker knew anything about the person they were attacking.


----------



## spartanstew (Nov 16, 2005)

In a previous job, most of the employees were field based and had laptops. The company's security required everyone to change their password every 60 days (with no repeats). 90% of the employees would write their current password on a piece of tape that they adhered to the bottom of their laptop (or right below the keyboard). Quite a security system.


----------



## James Long (Apr 17, 2003)

spartanstew said:


> In a previous job, most of the employees were field based and had laptops. The company's security required everyone to change their password every 60 days (with no repeats). 90% of the employees would write their current password on a piece of tape that they adhered to the bottom of their laptop (or right below the keyboard). Quite a security system.


While changing your password occasionally is a good idea I hate forced change systems because they do lead to written passwords or passwords saved in files on computers where cracking the PC password (or having admin rights) could expose all passwords quickly.


----------



## Steve (Aug 22, 2006)

Some interesting password advice by the guys at GRC can be found here.



> Which of the following two passwords is stronger, more secure, and more difficult to crack?
> 
> *D0g.....................*
> 
> ...


----------



## dennisj00 (Sep 27, 2007)

The other thing to remember is when answering the two or three 'security' questions - 'What is your Mother's maiden name, what high school did you go to, what was your first car', answer them with wrong answers that nothing in your bio history could answer.

Of course, you need to remember what you answered!


----------



## swyman18 (Jan 12, 2009)

Interesting thread... It's made me check out that LastPass program, which seems like it gets a lot of positive reviews. But help me out here... isn't it a bad idea to basically have all your passwords stored with one cloud based service? What if their servers get hacked? I suppose there is always a risk with anything like that, it just seems like you are putting an awful lot of trust in them to store and manage your passwords for you.


----------



## dennisj00 (Sep 27, 2007)

Steve, without reading your more. . . . dog. . . . .


----------



## spartanstew (Nov 16, 2005)

dennisj00 said:


> The other thing to remember is when answering the two or three 'security' questions - 'What is your Mother's maiden name, what high school did you go to, what was your first car', answer them with wrong answers that nothing in your bio history could answer.
> 
> Of course, you need to remember what you answered!


Man, I hate those questions. So many sites have a selection of questions that I don't have a specific answer to.

Favorite Actor (don't have one)
Street you grew up on (grew up on about 15)
Favorite Teacher (had many)
Etc.


----------



## dennisj00 (Sep 27, 2007)

spartanstew said:


> Man, I hate those questions. So many sites have a selection of questions that I don't have a specific answer to.
> 
> Favorite Actor (don't have one)
> Street you grew up on (grew up on about 15)
> ...


That's my point. Don't give the answer that anyone would connect.

Favorite teacher, Ms. Crabapple, street you grew up on . . . easystreet . .

Nothing that google or anybody could figure out.


----------



## Steve (Aug 22, 2006)

dennisj00 said:


> Steve, without reading your more. . . . dog. . . . .


Yup. Because it's a character longer, it's twice as strong as the other one, according to that "howsecureismypassword" link.

Size matters with passwords too.


----------



## spartanstew (Nov 16, 2005)

dennisj00 said:


> That's my point. Don't give the answer that anyone would connect.
> 
> Favorite teacher, Ms. Crabapple, street you grew up on . . . easystreet . .
> 
> Nothing that google or anybody could figure out.


I would never remember them either.


----------



## dpeters11 (May 30, 2007)

swyman18 said:


> Interesting thread... It's made me check out that LastPass program which seems like gets a lot of positive reviews. But help me out here... isn't it a bad idea to basically have all your passwords stored with one cloud based service? What if their servers get hacked? I suppose there is always a risk with anything like that, it just seems like you are putting an awful lot of trust in them to store and manage your passwords for you.


The beauty of their system, you don't have to trust them. Everything is encrypted, but they don't have the decryption key.

This goes into detail. This is the text version, the audio is also available. I think the discussion starts at about the hour mark. They dive deep into the security.
http://www.grc.com/sn/sn-256.htm

They do support multi-factor encryption. Some requires their paid ($12 a year) service, but there are some they support for free.


----------



## dennisj00 (Sep 27, 2007)

spartanstew said:


> I would never remember them either.


I put these in a weird Contact Notes in Outlook that my PC would have to be hacked to find out.


----------



## James Long (Apr 17, 2003)

dennisj00 said:


> Steve, without reading your more. . . . dog. . . . .


Isn't the password capital D zero g?


----------



## Steve (Aug 22, 2006)

James Long said:


> Isn't the password capital D zero g?


+ the 20 periods.


----------



## swyman18 (Jan 12, 2009)

"dpeters11" said:


> The beauty of their system, you don't have to trust them. Everything is encrypted, but they don't have the decryption key.
> 
> This goes into detail. This is the text version, the audio is also available. I think the discussion starts at about the hour mark. They dive deep into the security.
> http://www.grc.com/sn/sn-256.htm
> ...


Interesting, thank you!


----------



## dennisj00 (Sep 27, 2007)

James Long said:


> Isn't the password capital D zero g?


Y, I was just typing quickly versus the other one that I would have never typed correctly!


----------



## dennisj00 (Sep 27, 2007)

Actually, dog. . . . . . . . . . . . (not sure how . many I counted) is pretty secure!


----------



## James Long (Apr 17, 2003)

Steve said:


> James Long said:
> 
> 
> > Isn't the password capital D zero g?
> ...


I'll have to remember that trick ... and not use it here. :lol:


----------



## Shades228 (Mar 18, 2008)

Best way to create a unique password is just spell the word wrong. If you have to change passwords just add a 3 digit number to it and add 1 each time.

Since we're talking security, you can keep a list of them in an encrypted file that you only know the password to. This is similar to having like a passkey except you don't have to have internet access.

I use http://www.truecrypt.org/ and have it create an encrypted file which I keep all my financial documents in as well. Each person in my house has one and it contains a list of all their passwords and anything else they need for personal reasons that we wouldn't want anyone to have access to. It also makes it easier to make backups into the cloud and hard medium without having to worry about adding and removing directories or having that information lost/stolen.


----------



## wilbur_the_goose (Aug 16, 2006)

spartanstew said:


> Man, I hate those questions. So many sites have a selection of questions that I don't have a specific answer to.
> 
> Favorite Actor (don't have one)
> Street you grew up on (grew up on about 15)
> ...


These challenge questions are required by the US Government (FFIEC) for banking websites.

By the way, the password "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" is many times more complex to crack than "8F&@kkla"

PS - While we're talking password security - PLEASE make sure your wireless router uses WPA2 encryption with a long key. WEP is as good as no protection at all.


----------



## dpeters11 (May 30, 2007)

And turn off WPS if it actually lets you.


----------



## Laxguy (Dec 2, 2010)

wilbur_the_goose said:


> These challenge questions are required by the US Government (FFIEC) for banking websites.
> 
> By the way, the password "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" is many times more complex to crack than "8F&@kkla"
> 
> PS - While we're talking password security - PLEASE make sure your wireless router uses WPA2 encryption with a long key. WEP is as good as no protection at all.


For an encryption challenged user, can you 'splain why WEP is no good? I use WPA2-PSK [AES], with about 19 chars and numbers, but can you teach me how to get into a WEP system when I need to?


----------



## Shades228 (Mar 18, 2008)

Laxguy said:


> For an encryption challenged user, can you 'splain why WEP is no good? I use WPA2-PSK [AES], with about 19 chars and numbers, but can you teach me how to get into a WEP system when I need to?


Normally I would PM this however it's more to show why WEP sucks than it is to show someone how to hack.

WEP keys are broadcast as part of the network. With the correct applications running you will eventually just sniff out the key. It takes about 5-10 minutes at the most.

If you want to test how easy it is setup a WEP key and then use a computer not connected with http://www.aircrack-ng.org/doku.php (Linux Based)


----------



## phrelin (Jan 18, 2007)

Problem is, I keep readin' about thieves accessing personal data from sites protected by "some of them there fancy encryption and firewall systems" because some moron working for the company downloads data to his laptop and leaves it at a Starbucks.

Limits to my ability to remember and manage several hundred passwords seem to be growing as I age. There are a large number of sites on which I use a relatively simple password. There's nothing there to be gained by signing in as me. For instance, you could post here as me.

Yes, there are a relatively small number of sites on which I use more sophisticated passwords. One could gain something by signing in as me. Daily monitoring bank, credit, and other financial account activity still seems like the best protection.


----------



## Mark Holtz (Mar 23, 2002)

Laxguy said:


> How do you keep track, and what's the security on that?


I use the KeePass password manager. The password file is stored on a USB stick, and backed up to a hard drive AND my Dropbox.


----------



## dmspen (Dec 1, 2006)

When I was given access to a NASA network, our pass PHRASE had to be a minimum of 52 characters. No other requirements such as upper/lower case, numbers, etc.

Most people had phrases like, "I hate typing in this very stupid and long pass phrase into the computer"

Running through a standard cyclic algorithm, this phrase would take a VERY long time to guess, in fact...26.65 million trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries.


----------



## Nick (Apr 23, 2002)

I don't think we have that much time left.


----------



## Steve (Aug 22, 2006)

dmspen said:


> Running through a standard cyclic algorithm, this phrase would take a VERY long time to guess, in fact...26.65 million trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries.





Nick said:


> I don't think we have that much time left.


Don't discount Moore's law, Nick. In 2 years, it'll only take half that time to crack it!


----------



## Mark Holtz (Mar 23, 2002)

There are enough people out there that think that Fluffy1956! is a secure password. 

Now, to convince battle.net that 14 characters is too short of a password.... and that case sensitivity DOES matter.


----------



## dpeters11 (May 30, 2007)

"Mark Holtz" said:


> There are enough people out there that think that Fluffy1956! is a secure password.
> 
> Now, to convince battle.net that 14 characters is too short of a password.... and that case sensitivity DOES matter.


One of the experts like Wilbur can confirm or tell me I'm wrong, but I'm always afraid that if a site only allows that length of password, or strips out case, that they don't store it encrypted. If they hashed it with sha-256 (or something similar), what I use as a password shouldn't matter. They'd store 256 characters of "garbage".


----------



## James Long (Apr 17, 2003)

The less one knows about the password the better.
A set length or maximum length makes it easier to figure out.

One thing not mentioned so far is the lockout of accounts if bad passwords are used. That "million year" password hunt stretches out if people are locked out after a certain number of bad attempts. Of course, that does open up the person being attacked to personal denial of service attacks.


----------



## dpeters11 (May 30, 2007)

The lockout time only helps with online attacks.


----------



## Renard (Jun 21, 2007)

Couldn't resist


----------



## Mark Holtz (Mar 23, 2002)

The funny part is that I also have a password card on my cell phone for the times when I can't use KeePass (like logging into my computer at work).

Oh well, here is a file of amusement.... the 10,000 most commonly used passwords.


----------



## phrelin (Jan 18, 2007)

I've never figured out why all sites for both sign-in names and passwords don't accept the full combination of keyboard upper and lower case letters plus numbers and symbols effectively distinguishing between upper and lower case.

And then there's all those sites that require you to use your email address as your sign in....


----------



## dpeters11 (May 30, 2007)

Some of it I think may be reducing calls to support. Having a person answer the phone and asking a customer if their caps lock is on is expensive.


----------



## Stewart Vernon (Jan 7, 2005)

I've seen several programs about people who are hired to hack into companies to discover their security breaches and report back to them... and in almost all cases the guys find minimal security implementation to be more than sufficient... BUT they usually end up hacking the system by calling a secretary or something and saying "Bob, your boss, told me to ask you for the password" or by walking by someone's desk if they have building access and reading it off a sticky note or something.

The point being... the age old... "only as strong as the weakest link" always applies.

Install state of the art security, but leave the window open and it is all for naught.

I also note how it keeps being banks losing credit information and not me... and it is banks giving out accounts to people with stolen identities that the bank fails to verify... again, not me failing to follow protocol... but the big secret-keepers.

I also agree with the notion of odd answers to security questions. If you really want to have some fun, put something naughty as your security answer and listen to the person when they ask you to answer your security question 

The most secure answers, in all seriousness, are the random ones.

"What is your favorite color" --> "Tuesday"
"Where were you born" --> "Abracadabra"

I just made those up on the spot... never used them... but odd answers are difficult for someone to pick without going through the dictionary-style hack.


----------



## wilbur_the_goose (Aug 16, 2006)

Correct - people are without a doubt the weakest link in IT security.

For the challenge questions: You'll soon see "red herring" questions introduced - this will be a question you don't provide an answer to. If an attacker guesses "where were you born" with "New York" (or anything), the login will fail.

Social engineering is a huge risk. News came out last week that the huge credit card breach was a social engineering attack on the president of the company.

As far as SHA-256 goes - SHA = Secure Hashing Algorithm. A hashing algorithm will take any string and "hash" it into a string of nonsense characters which are stored on the system. Hashes are cool because (in theory) they're one-way - you can encrypt to a hash, but you can't decrypt back. The best way to make hashes secure is to add a unique salt to each thing being encrypted. The salt is added by the password management system, not the user.

By the way, the #1 way to screw yourself is to download something you didn't plan on downloading. If you didn't start thinking "I really want to download this", DON'T.

The #2 way to mess yourself up is to not keep your system and software up to date. The two biggest problems are Java and Adobe products. Windows XP is also quite vulnerable (as a security pro, I recommend moving from XP to Windows 7 if you can)

Lastly, Macs are no longer immune to attack. Because they're more popular, organized crime has targeted Macs today. Please make sure you're running a good anti-malware program on your Mac.

(Mobile is another issue!)

PS - If you're interested in this stuff, check out my favorite blog: http://krebsonsecurity.com/


----------



## dpeters11 (May 30, 2007)

The security updates is my biggest pain at work. They don't reliably patch systems, I ran into one that had Java update 16 installed. Of course when a system gets a virus, they immediately blame my product, AV like it's the only needed process to protect systems. No, it's only one component.


----------



## wilbur_the_goose (Aug 16, 2006)

Amen - A/V is just one part of the defense posture you need. Tell your boss that you need a _Layered Security Strategy_


----------



## Herdfan (Mar 18, 2006)

hdtvfan0001 said:


> To the point of the article...in the real world...I have actually seen people use *password* as their password.


I had my daughter at a local Dr. for her checkup and the nurse got called away to go log the Dr. into one of the computers because he couldn't remember the password. As she was apologizing for the delay, she commented about how hard it was to remember the password. And then she says it. It was the name of their office. :eek2:

For important secure passwords, I have a couple of sentences that I use the first letter of each word and a number for the period depending on what number the sentence is. For example: The grass is green1 And the sky is blue2 becomes _Tgig1Atsib2_ Let someone try and guess.


----------



## wilbur_the_goose (Aug 16, 2006)

Herdfan - great passwords - no dictionary words in there.

Check out https://www.grc.com/haystack.htm if the subject of password strength is of interest.


----------



## The Merg (Jun 24, 2007)

One thing to look at it with regard to any password... If someone is using a computer to hack your password, it really doesn't matter what it is.

For example: "1234567" would be cracked in the same amount of time as "7#<!jd^" and "password" would be harder to crack than "7#<!jd^"

For computers, the time to crack a password is really only based on how many characters the password is. The more characters, the longer it would take.

Now, if someone is manually trying to crack your password, that is where not using a common word or biographical data would be beneficial.

- Merg


----------



## James Long (Apr 17, 2003)

The Merg said:


> For computers, the time to crack a password is really only based on how many characters the password is.


Starting with a list of commonly used passwords helps. If the social engineering information (name, dates, children, cats) is known a computer could use that input to seed the search.


----------



## dpeters11 (May 30, 2007)

Most decent cracking programs don't start off with a brute force attack. That's not if a dictionary attack, including using "133t" speak, like passw0rd or p@ssword, doesn't work along with a few other common items like appending a number.


----------
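The posts above from The Merg, James Long and dpeters11 disagree about what a cracker actually tries first, and the howsecureismypassword numbers quoted throughout this thread (600 years, 106 years, 0.4 seconds for an 8-digit birthday, 52 trillion years for a generated one) are pure brute-force estimates that ignore wordlists. The Python below is an added example, not code from any poster or from that site. It models the order dpeters11 describes (common-password list, then dictionary words with leet, case and suffix rules, then exhaustive search) and reports which phase recovers a given password and roughly how many guesses it costs. The wordlists, the rule set and the 10^9 guesses per second rate are constructed assumptions for the demo; the padded "D0g" password and the 23-character random-looking one are there to show the length effect Steve and wilbur_the_goose describe.

```python
import string

# Constructed stand-ins for the wordlists a cracker loads (assumption: the real
# "10,000 most common passwords" file and a dictionary are far larger).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "abc123"]
DICTIONARY = ["password", "dog", "fluffy", "secret", "grass", "green"]

# Rule set applied to every dictionary word before falling back to brute force:
# leet substitutions, case changes, and appended digits/years (e.g. Fluffy1956!).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "12", "123", "!", "1!"]
SUFFIXES += [str(y) + t for y in range(1940, 2013) for t in ("", "!")]


def charset_size(pw):
    """Size of the character-class union a brute-forcer (or an online strength
    meter) assumes: lower, upper, digits, and printable symbols plus space."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += len(string.punctuation) + 1
    return size


def brute_force_guesses(pw):
    """Worst-case guesses for exhaustive search: every length up to len(pw)
    over the inferred character set. Length dominates, which is why padding
    a short base with repeated symbols inflates this number."""
    c = charset_size(pw)
    return sum(c ** n for n in range(1, len(pw) + 1))


def mangled(word):
    """Yield the candidates a rule-based cracker derives from one dictionary word."""
    variants = {word, "".join(LEET.get(ch, ch) for ch in word)}  # all-leet form
    for ch, sub in LEET.items():                                   # single-letter leet
        variants.add(word.replace(ch, sub))
    for v in list(variants):                                       # case rules
        variants.add(v.capitalize())
        variants.add(v.upper())
    for v in sorted(variants):
        for suffix in SUFFIXES:
            yield v + suffix


def guess_count(pw, rate=1e9):
    """Return (phase, guesses, seconds) for the phase that recovers pw, in the
    order a cracker works: common list, dictionary+rules, then brute force.
    `rate` is an assumed guesses-per-second figure for a fast unsalted hash."""
    n = 0
    for cand in COMMON_PASSWORDS:
        n += 1
        if cand == pw:
            return "common-list", n, n / rate
    for word in DICTIONARY:
        for cand in mangled(word):
            n += 1
            if cand == pw:
                return "dictionary+rules", n, n / rate
    n += brute_force_guesses(pw)          # worst case; not actually enumerated
    return "brute-force", n, n / rate


def human_time(seconds):
    """Render a crack time the way the strength meters in the thread do."""
    if seconds < 1:
        return "less than a second"
    for name, size in [("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)]:
        if seconds >= size:
            return f"about {seconds / size:,.0f} {name}"
    return "less than a second"


if __name__ == "__main__":
    samples = ["password", "passw0rd", "Fluffy1956!", "7#<!jd^",
               "D0g" + "." * 21, "gT7#kq!Lm2Rv^p9Xe&dW4zN",
               "I hate typing in this very stupid and long pass phrase"]
    for pw in samples:
        phase, guesses, secs = guess_count(pw)
        print(f"{pw!r:58} {phase:17} {guesses:.3g} guesses, {human_time(secs)}")
```

Run as a script it prints one line per sample; the point is that "password" and "Fluffy1956!" fall in the first two phases at a handful of guesses regardless of what a brute-force meter says, while the 24-character padded "D0g" string costs more exhaustive work than the 23-character random one because the search space grows with length, not with how random the password looks.

----------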



## dmspen (Dec 1, 2006)

In my place of employ, computer security is taken extremely seriously. During our security briefings, they tell us that the only true way to secure your computer is to have it physically separate from others.

Of course this is nearly impossible, so passwords are extremely important.


----------



## dpeters11 (May 30, 2007)

Physically separated with no external drives or ports really. Look at Stuxnet. If that can destroy up to 1000 Iranian centrifuges, given enough resources, you can pretty much infect anything.


----------



## Mike Bertelson (Jan 24, 2007)

At work our desktops require a new password every 90 days...a real pain.

On our more secure systems the same 90-day requirement is in place but there is a password generator and we have to choose from that list. I actually like this better. It requires less thought on my part. :grin:

Mike


----------



## djlong (Jul 8, 2002)

Yes - and the more you require the user to have more and different passwords (especially when you have a rule stating that none of your last 12 or so passwords can be used), the more likely you are to cause him or her to WRITE THEM DOWN.

I've had THREE 'master passwords' in my life (First was in simpler days, second was when you could have more than 6 letters, third was because I got divorced and my ex knew my password schema). The same base for everything and rules for a prefix/suffix based on the name of the website. 

I've been on the Internet since it was the ARPAnet. I've yet to be hacked.


----------



## hdtvfan0001 (Jul 28, 2004)

Mike Bertelson said:


> *At work our desktops require a new password every 90 days...a real pain*.
> 
> On our more secure systems the same 90 requirement is in place but there is a password generator and we have to choose from that list. I actually like this better. It requires less thought on my part. :grin:
> 
> Mike


Agree its a pain.

I have 3 different secure access points with that requirement...so it triples the pain. 

We also have all our hard drives encrypted...so if one gets lost...unless you know the 2 layers of password security...the entire drive full of data is useless. We also have passwords for systems, VPN, Aircards, e-mail, and company website section access.

Security R Us.


----------



## dmspen (Dec 1, 2006)

> At work our desktops require a new password every 90 days...a real pain.


64 days here with daily reminders going out 15 days prior until you change it. And we have secure sharepoint sites, and databases, and document storage web sites, etc all requiring passwords. Some of them have different expiry durations.

The company provided a password safe piece of software which only works on your local PC.


----------



## Laxguy (Dec 2, 2010)

I wonder if one could use a schema derived from this site, such as
http://www.dbstalk.com/showthread.php?t=205599

Where your key would be a bookmark that only you knew also served as a PW. Be easy to change when needed. No writing down.


----------



## Mark Holtz (Mar 23, 2002)

Sigh.... this just in.... Use LinkedIn? Time to Change Your Password


> Reports are now circulating that LinkedIn user accounts may have been compromised, after nearly 6.5 million encrypted passwords were reportedly uploaded to a Russian hacker forum.
> 
> The popular business networking site has responded that they are looking into these reports, but we highly recommend updating the password for your LinkedIn account.


I just updated my password then. It appears that they used unsalted SHA1 (oops).


----------



## hdtvfan0001 (Jul 28, 2004)

Mark Holtz said:


> Sigh.... this just in.... Use LinkedIn? Time to Change Your Password
> 
> I just updated my password then. It appears that they used unsalted SHA1 (oops).


There was also a LinkedIn e-mail spam/scam a number of months ago unrelated to this. What looked like a legit e-mail from LinkedIn was actually a bogus site that deposited your login name (but not password). That led to a distribution of all sorts of junk e-mails.


----------



## dpeters11 (May 30, 2007)

Mark Holtz said:


> Sigh.... this just in.... Use LinkedIn? Time to Change Your Password
> 
> I just updated my password then. It appears that they used unsalted SHA1 (oops).


People have been downloading the rar files and searching for their passwords. I haven't looked yet, but might for curiosity's sake. Fortunately, the password I used there was unique. Another benefit of LastPass: it can tell you all the sites that use the same password.


----------



## wilbur_the_goose (Aug 16, 2006)

Good non-copyrighted info from the ESET blog today:
-----------------

At a time when password breaches like the one at LinkedIn are once more making the news, there's plenty of good advice around about how to select a strong password as opposed to the sort of stereotyped easy-to-remember-but-stupendously-easy-to-guess password that turns up again and again in dumped lists of hacked passwords. So if your favourite, much-used password (or something very like it) is in the following list, it might be a good idea to stop reading this now, go to the link on how to select a strong password and use it as a basis for changing all your passwords to something safer (then come back and think about the PINs you use). The list is abstracted from one compiled by Mark Burnett, representing the most-used passwords in a data set of around 6 million:
1. password
2. 123456
3. 12345678
4. 1234
5. qwerty
6. 12345
7. dragon
8. pussy
9. baseball
10. football
11. letmein
12. monkey
13. 696969
14. abc123
15. mustang
16. michael
17. shadow
18. master
19. jennifer
20. 111111
21. 2000
22. jordan
23. superman
24. harley
25. 1234567
I've included the top 25 because it amused me to see my own name at number 24. I suspect, though, that has more to do with motorcycles than my own superstar status. 
However, it's worth remembering that even the humble all-digit PIN (Personal Identification Number) has its issues with selecting a string of digits that isn't too easy to guess. Think about the number of times you might use a short PIN (four or even three digits) in your daily life:
• ATM/Cashpoint keypad
• Chip & PIN scanner
• Digital locks with keypads
• Handheld authentication devices like an RSA or Digipass token, or a software implementation on a mobile device: authentication via laptops, netbooks, tablets and smartphones
In some contexts, a thief would get very little chance to try guessing your PIN: for instance, some ATMs will actually decline to return your card after three incorrect PIN entries. In other contexts, however, the thief gets a lot more chances. I originally discussed a data set of common PINs compiled by Daniel Amitay in a Virus Bulletin article called Hearing a PIN drop, published last year. And at this year's EICAR conference I presented a paper on the strategies people use to choose and memorize PINs: PIN Holes: Passcode Selection Strategies, especially four-digit PINs. The Amitay data set is quite a lot smaller (204,508), but still large enough to give us a reasonable idea of the most commonly-used PINs, and to speculate about the ways in which they were chosen. Here's the top 25 from those data:
1. 1234
2. 0000
3. 2580
4. 1111
5. 5555
6. 5683
7. 0852
8. 2222
9. 1212
10. 1998
11. 6969
12. 1379
13. 1997
14. 2468
15. 9999
16. 7777
17. 1996
18. 2011
19. 3333
20. 1999
21. 8888
22. 1995
23. 2525
24. 1590
25. 1235
You can probably make an educated guess already at the strategies behind many of these choices of PIN, and the paper makes some explicit suggestions. (I'll be coming back to that topic in an upcoming blog series.) But you might in any case want to check the list simply to see if your favourite PIN is in there. If it is, change it: it turns out that the top ten choices accounted for 15% of Amitay’s sample set, which means that if a thief has ten opportunities to guess the PIN for a stolen card or device, he has a pretty good chance of getting it right.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
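
An added example (not code from the thread, from ESET, or from any of the sites named) tying together Mark Holtz's observation about unsalted SHA1 and the top-25 list above. `unsalted_sha1` reproduces the storage style that made the LinkedIn dump so easy to match against common-password lists; `store_password`/`verify_password` show the hardened form (random per-user salt, iterated PBKDF2, constant-time compare) and refuse anything on the quoted list. `PBKDF2_ROUNDS` is an assumed work factor.

```python
import hashlib
import hmac
import os

# The Mark Burnett top 25 quoted above; a production blocklist would use
# the full leaked corpus, not 25 entries.
COMMON_PASSWORDS = frozenset([
    "password", "123456", "12345678", "1234", "qwerty", "12345", "dragon",
    "pussy", "baseball", "football", "letmein", "monkey", "696969", "abc123",
    "mustang", "michael", "shadow", "master", "jennifer", "111111", "2000",
    "jordan", "superman", "harley", "1234567",
])

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware budget


def unsalted_sha1(password: str) -> str:
    """Storage style behind the LinkedIn leak: one deterministic digest.
    Every user on every site with the same password gets the same value,
    so one precomputed table answers for all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_common(password: str) -> bool:
    """Reject anything on the most-used list before it is ever stored."""
    return password.lower() in COMMON_PASSWORDS


def store_password(password: str) -> str:
    """Hardened form: random 16-byte salt per user plus an iterated KDF.
    Returns 'pbkdf2_sha256$rounds$salt_hex$digest_hex'."""
    if is_common(password):
        raise ValueError("password is on the common-password list")
    salt = os.urandom(16)
    pw = password.encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Two users choosing the same password get identical `unsalted_sha1` values but different `store_password` records, which is exactly what stops a single lookup table from covering a whole dump.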


----------



## Laxguy (Dec 2, 2010)

OK, let's assume my PW was among those revealed at LinkedIn. What should I be chary of? (I use that site very passively, i.e., not for business, and only when people ask me to link.)


----------



## kevinturcotte (Dec 19, 2006)

Laxguy said:


> OK, let's assume my PW was among those revealed at LinkedIn. What should I be chary of? (I use that site very passively, i.e., not for business, and only when people ask me to link.)


Do you use that same password at other sites? Other sites that have sensitive information, like your email, your bank?


----------



## Laxguy (Dec 2, 2010)

kevinturcotte said:


> Do you use that same password at other sites? Other sites that have sensitive information, like your email, your bank?


Certainly not any financial institution. Yes for one or two e-mail accounts. How are "they" going to match it up? What can they do with my e-mail that'd really hurt? Send nasty e-mails to good friends?


----------



## kevinturcotte (Dec 19, 2006)

Laxguy said:


> Certainly not any financial institution. Yes for one or two e-mail accounts. How are "they" going to match it up? What can they do with my e-mail that'd really hurt? Send nasty e-mails to good friends?


No, it's nothing MAJOR, but if they can match it up (If the email account is the same one that's registered with LinkedIn), they could hack your account and use it to start sending bulk spam out (And if it's the account you have with your ISP, that could cause problems).


----------



## Mark Holtz (Mar 23, 2002)

Laxguy said:


> Certainly not any financial institution. Yes for one or two e-mail accounts. How are "they" going to match it up? What can they do with my e-mail that'd really hurt? Send nasty e-mails to good friends?


They will take your e-mail address and password and try to log into your e-mail service. If they are successful, they will try the "Forgot password" for every financial institution (bank, brokerage) and shopping site to see which ones generate a password reset e-mail. They would then reset the password to their password, and try to purchase everything and drain your financial accounts.

(Oh, my e-mail accounts are secured using two-factor authentication)


----------



## Mark Holtz (Mar 23, 2002)

If it's Tuesday, you need to reset your LinkedIn password.
If it's Wednesday, it's eHarmony.
And, if it's Thursday, it's LastFM. 
What will Friday bring?


----------



## Laxguy (Dec 2, 2010)

Thanks. So, if I see a confo. e-mail from anywhere, such as "We've reset your PW...." I'd better pay attention!


----------



## hdtvfan0001 (Jul 28, 2004)

Mark Holtz said:


> If it's Tuesday, you need to reset your LinkedIn password.
> If it's Wednesday, it's eHarmony.
> And, if it's Thursday, it's LastFM.
> *What will Friday bring*?


The weekend?


----------



## Shades228 (Mar 18, 2008)

Laxguy said:


> Certainly not any financial institution. Yes for one or two e-mail accounts. How are "they" going to match it up? What can they do with my e-mail that'd really hurt? Send nasty e-mails to good friends?


They can use the information they gain in your emails to learn more about you. This gives them more information so they can guess security questions, if you are a person who actually answers them with real answers; they can also use those emails on social media and other sites to find accounts to get more information about you. Then they search places like Photobucket to see if you have any open albums, or set up watchers so that if you take pictures of things like mail or sensitive documents (you wouldn't believe how many people take pictures of their DL and SS cards so they can keep the information on their phone and not carry a wallet), chaos can ensue.

In a nutshell using passwords for each site, with a common formula like I suggested above, making a junk email you never use for anything other than social sites that is just random letters, and NEVER use real answers to security questions will protect you from most issues even with a security breach.


----------



## Laxguy (Dec 2, 2010)

Wow, thanks again. I guess I am a bit naive as to how resourceful some thieves can be, but if someone went to a lot of trouble to research who my favorite teacher was, etc., it'd be easier to come to my house and rob me, though the chances of getting caught are much higher.


----------



## dpeters11 (May 30, 2007)

They like to stay behind a keyboard. Some even consider it less of a crime. Stealing a CD from a store is considered bad, but some of the same people don't have a problem using a torrent.


----------



## Stewart Vernon (Jan 7, 2005)

Laxguy said:


> Thanks. So, if I see a confo. e-mail from anywhere, such as "We've reset your PW...." I'd better pay attention!


You might not see it... unless you run your email client app all the time and check for email every few seconds...

IF they get your email and password, they could easily check/receive an email before you do and the damage gets done without you ever seeing that confirmation email.


----------



## wilbur_the_goose (Aug 16, 2006)

Remember, we're talking about organized crime at work here. These aren't kids trying to crash your "C" drive - these are hardened criminals.


----------



## ke3ju (Aug 18, 2006)

Marlin Guy said:


> "It would take a desktop PC About 600 years to hack your password"
> 
> Thanks.


"It would take a desktop PC About 193 trillion years to crack your password"

But then again, I write encryption algorithms...


----------



## dpeters11 (May 30, 2007)

"wilbur_the_goose" said:


> Remember, we're talking about organized crime at work here. These aren't kids trying to crash your "C" drive - these are hardened criminals.


I miss the days when a virus would do things like make the characters fall to the bottom of the screen but not do harm.

Now this is more organized crime or governments.


----------



## Shades228 (Mar 18, 2008)

Laxguy said:


> Wow, thanks again. I guess I am a bit naive as to how resourceful some thieves can be, but if someone went to a lot of trouble to research who my favorite teacher was, etc., it'd be easier to come to my house and rob me, though the chances of getting caught are much higher.
dpeters11 said:


> They like to stay behind a keyboard. Some even consider it less of a crime. Stealing a CD from a store is considered bad, but some of the same people don't have a problem using a torrent.


It's also more about bulk. Their job is to get as many accounts and passwords as possible to sell, not to try and run the scams themselves most of the time.

Last I saw WoW accounts were selling for more per account (around $1) than CC's ($.75) per account.


----------



## 4HiMarks (Jan 21, 2004)

I worked for an academic institution that enforced the "change password every 90 days" model. A semester is 15 weeks, i.e. about 2 weeks more than 90 days. So assuming you set your PW at the beginning of the semester, you now have to change it just before the semester ends and are then in a perfect position to forget it by the time the next semester rolls around, so you get it reset and the clock starts over. Rinse, repeat. 

They also had two systems - a campus network, accessible only from a machine on campus, and an extranet, accessible from any internet-connected machine in the world. It was the network password that required changing every 90 days. The extranet PW was good forever. Guess which one is where all your employee and faculty information was (including pay stubs and the ability to issue and change grades)?


----------

