Passwords: How easy are yours? How often do you change them? - Page 2 - Tilted Forum Project Discussion Community

Fly · 02-24-2010, 06:01 AM

my password is fuckyou.........that's what i utter under my breath every time i forget my passwords.so i started using it.

hahahha

Derwood · 02-24-2010, 07:41 AM

Can you name the most used passwords of all time? - sporcle

a quiz about the most common passwords

Xerxys · 02-25-2010, 03:13 PM

Quote:

Originally Posted by Derwood

Can you name the most used passwords of all time? - sporcle

Redlemon · 02-26-2010, 07:01 PM

'Pussy'? Seriously? Never would have thought it would rank so high.

Vigilante · 02-27-2010, 12:51 AM

Quote:

Originally Posted by dksuddeth

I use incredibly complex passwords. One time, it got me fired. I was hired as the systems administrator for a very small 60 employee company. I changed the primary domain administrator account password to K@$m1rF@bric$@dm1n

They were not amused

Me too.

Notice that administrators always use insane passwords. Mine here is over 10 characters, uses capitals, lowercase, numbers and symbols. I wish anyone luck with the hack attempt of my account.

My email password is vastly more complicated. Same ruleset, but much longer. I remember them by creating sentences. example:

I got laid on the 4th of July.
This translates to:

!g0tL4!d@4THuVJuLy

It took me 5 seconds to come up with a password I can remember from day to day. All I have to do is say it in my head as I type it. Eventually as I become more comfortable with it, I say the symbols instead of the words, and now I know it for years even if I don't use it.

raptor9k · 02-27-2010, 06:59 AM

deleted

Poppinjay · 02-27-2010, 07:22 AM

Quote:

And the horse is now dead. And rotted. And the corpse has been hauled off to the dog food factory.

Can we put a stop to the jokes about the password change requirement? There was a very good reason that we asked everyone to do that (one I'm not about to discuss in a google-crawled area of the board). Yes, it was a pain in the ass. Yes, the message looked a little silly to some of you. The same joke being told in 2 different threads wore thin a while ago though.

Can't I tell it just one more time?

My password is so old it's Betty White.

But seriously folks, on our computers at work we use to edit news stories and audio, it was 123456. Corporate requires regular changes, so it is now 12345.

LazyBoy · 02-27-2010, 10:21 AM

I was just prompted to change mine after 14632 days or something like that.....so it's been awhile

-Will

Ice|Burn · 03-02-2010, 05:05 PM

Quote:

Originally Posted by Martian

The attack they're describing is a dictionary attack, and it's very common. A simple script, 20 minutes or so and if the website in question doesn't have specific measures in place to counteract it, an account can be cracked.

I do generally follow secure password policy. My only conceit is that I do reuse passwords to some extent. I have a list of them memorized and will select one more or less at random for a new account. One of the benefits of this system is that if I should forget what password goes with which account or website, I only have to guess a limited number of times before I hit on the right one. The monumental downside is that if someone were to somehow obtain a list of all my passwords they'd have access to basically everything.

The principles of a strong password have been understood for a long time. No words, mix of numbers and letters, mixed case, at least 8 characters. If more people followed these guidelines there'd be less cybercrime. It's as simple as that.

All true.

The problem with "secure" passwords is that they aren't human friendly. our brains are not wired to be able to use a completely random string of characters as anything usable. We assign meanings and use visual clues to help us along the way. We've all seen the email where the first and last letter of a word or correct but the middle is mixed around. Yet when we read it we still read it as being 'correct' because our brains complete the gap so to speak.

I would love it if everyone used the truly secure password method. However if that happened I suspect Post-it notes would become hard to find in a hurry.

Savinkov · 03-10-2010, 11:09 PM

I use passwords on a rotating basis from one of three different tiers of quality, as needed: low, medium, and high security. The p/ws themselves are usually acronyms with liberal use of numbers and other characters.

If I'm feeling feisty I'll use a fairly lengthy phrase as fodder for a long acronym; one that also includes digits here-n-there. Add a few other characters and spice to serve.

I can't see *not* changing p/ws on a reasonably frequent basis.

All other viewpoints I harbour on this subject are [[REDACTED]]

SoulStealer · 03-18-2010, 10:43 PM

I use a "weak" password for a lot of the stuff I don't care all that much about just because its quick and easy to remember since I share it across many accounts. I then use much stronger passwords for things such as my primary email, bank accounts, accounts with CC info etc...

Cynthetiq · 03-31-2010, 06:24 PM

Quote:

How I’d Hack Your Weak Passwords

Posted on Mar 26, 2007 - 2:17am by John P. in Computing, Security

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?
Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
The last 4 digits of your social security number.
123 or 1234 or 123456.
“password”
Your city, or college, football team name.
Date of birth – yours, your partner’s or your child’s.
“god”
“letmein”
“money”
“love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)
One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.
So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

You probably use the same password for lots of stuff right?
Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.
Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.
Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.
Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.
Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?
Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.
Here are some password tips:

Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0′, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
Randomly throw in capital letters (i.e. – Mod3lTF0rd)
Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Tutorial. Hope it helps…
Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?
Often times people also reason that all of their passwords and logins are stored on their computer at home, which is save behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!
Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.
I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.
Please, be safe. It’s a jungle out there.

Check out the matrix of how many letters and how fast it is to crack them.

personally I'm warm and fuzzy by not following any of the conventions that he's touting.

Shauk · 03-31-2010, 07:25 PM

I contest that the password has always been a small part of the hacking process.

it is a hell of a lot easier to have the site itself try to hand you access to the account via their weak attempts to be user friendly to people who forget their passwords.

Seriously, what do they want to know before they're like "durf, ok here you go?"

some of them only require an email address. Getting your intended target's email address isn't hard. getting access to it tends to open up the world to all the other accounts.

Out of all of your accounts, your email is the most important, the end.
Every account you have on a forum, with a bank, on your porn sites, whatever it is you do online, generally will have your email address associated with it in some way.

Take hotmail, say you want to hack bob who lives across the street, his dog has been shitting on your lawn. You see him checking his mail, you know bob has kids, tell him you need his email address for a petition you're working on to have old cartoons brought back to public television to expose our children to classics instead of modern garbage, I dunno be creative.

he gives you bob@hotmail.com

you wander on over to the site and whats this? all you need to change the password is his state/city/zip and the name of the city he was born in?

well you can guess all the major cities around where you live, and if that doesn't work, well next time he checks his mail you can just make casual conversation, Man, schools these days just don't cut it do they, why my school from 20 years ago back in Washington could kick the pants of these locals, where did you grow up? xyz response, "oh really, were you born there?" "Oh nooo I was born in wichita kansas"

/cinch

Your security questions are by far a bigger weakness than your password.

by far.

Thats why when someone asks me where I was born, my 1st dogs name, my mothers maiden name, casual conversation or not, they can just shut the fuck up.

I do tell people where I was born though so I just stopped answering that one online.

Cynthetiq · 04-01-2010, 10:23 AM

Quote:

Originally Posted by Shauk

Your security questions are by far a bigger weakness than your password.

by far.

Thats why when someone asks me where I was born, my 1st dogs name, my mothers maiden name, casual conversation or not, they can just shut the fuck up

I understood that from the first time I got asked a security challenge question. I made it not my mother's maiden name or my pet's name, but decided to use my friend's maiden name or my friend's pet name.

Xerxys · 04-01-2010, 10:53 AM

My password here was 123456 for a very long time.

The article posted above by cynth is merely fear mongering. Sure "cracking" a password may be easy but HACKING is hard. I want anyone here (you are stupid if you do this) to attempt downloading any of the software posted in the article and try hacking or breaking into ANY site worth it's water like facebook, hotmail, google, yahoo or even TFP.

Until people stop throwing around the word "hacking" and grasp the efforts web masters have gone through to implement simple security measures, then you're still a luddite in my mind.

Ace_O_Spades · 04-03-2010, 05:20 AM

I use two levels of password

One: is a short, easily remembered placeholder I use for forums and bullshit things I need to sign up for

Two: is a 12+ character alpha-numeric combination of CAPS, lowercase, numbers (0-9), and characters (!*$). I use this for my e-mail accounts, work loginID, blog, anything I don't want anyone accessing.

PS: Use Chrome, it is by far the most secure browser.

Oh, forgot to say how often I change them... Not often for my less secure one. I change my strong passwords about as often as I change my toothbrush, once every 3-5 months.

Thrombatic Pyle · 04-03-2010, 07:00 AM

I use the same password for most Message Board Stuff, otherwise I'd have to have a notebook full of passwords.

SlowJoeCrow · 04-12-2010, 06:21 PM

I am simply amazed by that sporcle quiz. Mankind's top 5 concerns: pussy, dragons, 69, mustangs, and baseball?

Taralynn · 04-12-2010, 08:29 PM

My passwords are all the same. I have no creativity. No memory. The only thing I retain on a regular basis is water.

Martian · 12-15-2010, 07:53 PM

I thought with the recent issues due to Gawker, this thread deserved a bump.

The whole Gawker thing highlights (yet again) various security vulnerabilities.

We can talk about Gawker's failures (storing passwords using DES encryption, of all things), but the user failures and how this impacts the wider internet is more interesting to me.

The Wall Street Journal has a fun article that breaks down the most popular passwords in a few different ways. The usual suspects show up with the usual prevalence, but some of the others seem as though they're almost attempts at being secure. "trustno1" for example, seems almost like an effort at choosing something truly secure -- it fails the test, but it seems to indicate that some users are at least thinking about password security.

On the other hand, apparently only ~30% are using passwords of 8 characters or more, which is generally considered to be the bare minimum to prevent simple brute force cracking.

In one of life's grand ironies, Lifehacker has an article about creating secure passwords that actually isn't that bad. Mind you, none of their methods are preferred (they have a tendency to generate passwords that are too short and/or not random enough) but the basic method of generating secure passwords using an easy-to-remember method rather than using easy-to-remember passwords (or worse, one password) is sound.

One thing that shocks me is when sites themselves prevent one from using a secure password. Financial institutions seem to be fond of this, and they of all institutions should know better, as it were. Magpie's bank only allows passwords of up to 6 characters in length -- including all letters (upper and lower case) and all numbers, that provides a grand total of just shy of 57 billion possibilities. Granted that may seem like a big number, but keep in mind that big numbers are what computers do best and that even modest household PCs today typically possess 2-3 GHz of processing power and that not including the graphics chipset.

So how has the Gawker thing affected you? Has it caused you to think about security more, or to take password security more seriously? Have you changed any of your passwords as a response?

My prior method of password selection was reasonably secure, but lately I've found it's gotten a bit unwieldy. I was getting into a position where I was having to make a choice between using my passwords in too many different places, causing potential insecurity, or trying to remember too many different passwords, causing me inconvenience. As a result and because I honestly can't remember whether or not I've ever signed up for a Gawker site, I took this as a prompt to change my own password policy.

One thing that I've noticed is that password managers have more or less taken over my logins. This means that for anything other than local systems I can safely move to a more secure/less convenient password without making my life that much more difficult. Granted, this introduces a new form of insecurity in that anyone with access to one of my usual machines will have the ability to access everything, but access to my local machines implies much bigger problems anyway (aside from which, they would have to first break into any computer of mine they had access to -- all of them use secure passwords and all of them are set to lock automatically after a short period of inactivity).

I won't divulge my current method of generating passwords, but I will say that it generates passwords of up to 32 characters, random alphanumeric. I can be a bit paranoid sometimes, but I think that's probably good enough.

02-24-2010, 06:01 AM	#41 (permalink)
Fly see the links to my music? Location: Beautiful British Columbia	my password is fuckyou.........that's what i utter under my breath every time i forget my passwords.so i started using it. hahahha __________________ BASTARD SterlingStudios

02-24-2010, 07:41 AM	#42 (permalink)
Derwood Who You Crappin? Location: Everywhere and Nowhere	Can you name the most used passwords of all time? - sporcle a quiz about the most common passwords __________________ "You can't shoot a country until it becomes a democracy." - Willravel

02-26-2010, 07:01 PM	#44 (permalink)
Redlemon Devoted Donor Location: New England	'Pussy'? Seriously? Never would have thought it would rank so high. __________________ I can't read your signature. Sorry.

02-27-2010, 06:59 AM	#46 (permalink)
raptor9k Crazy Location: Earth	deleted Last edited by raptor9k; 09-07-2021 at 02:13 PM..

02-27-2010, 10:21 AM	#48 (permalink)
LazyBoy Insane Location: Memphis Area	I was just prompted to change mine after 14632 days or something like that.....so it's been awhile -Will __________________ Life is nothing, everything.....and something in between...

03-10-2010, 11:09 PM	#50 (permalink)
Savinkov Upright Location: the Rust Belt	I use passwords on a rotating basis from one of three different tiers of quality, as needed: low, medium, and high security. The p/ws themselves are usually acronyms with liberal use of numbers and other characters. If I'm feeling feisty I'll use a fairly lengthy phrase as fodder for a long acronym; one that also includes digits here-n-there. Add a few other characters and spice to serve. I can't see not changing p/ws on a reasonably frequent basis. All other viewpoints I harbour on this subject are [[REDACTED]] __________________ "What is the thing we crave most in life? The sense that someone somewhere remembers and loves us. Even better if we love them in return. Anything can be endured if that idea holds fast." -- Martin Cruz Smith, RED SQUARE

03-18-2010, 10:43 PM	#51 (permalink)
SoulStealer Upright	I use a "weak" password for a lot of the stuff I don't care all that much about just because its quick and easy to remember since I share it across many accounts. I then use much stronger passwords for things such as my primary email, bank accounts, accounts with CC info etc...

03-31-2010, 07:25 PM	#53 (permalink)
Shauk Confused Adult Location: Spokane, WA	I contest that the password has always been a small part of the hacking process. it is a hell of a lot easier to have the site itself try to hand you access to the account via their weak attempts to be user friendly to people who forget their passwords. Seriously, what do they want to know before they're like "durf, ok here you go?" some of them only require an email address. Getting your intended target's email address isn't hard. getting access to it tends to open up the world to all the other accounts. Out of all of your accounts, your email is the most important, the end. Every account you have on a forum, with a bank, on your porn sites, whatever it is you do online, generally will have your email address associated with it in some way. Take hotmail, say you want to hack bob who lives across the street, his dog has been shitting on your lawn. You see him checking his mail, you know bob has kids, tell him you need his email address for a petition you're working on to have old cartoons brought back to public television to expose our children to classics instead of modern garbage, I dunno be creative. he gives you bob@hotmail.com you wander on over to the site and whats this? all you need to change the password is his state/city/zip and the name of the city he was born in? well you can guess all the major cities around where you live, and if that doesn't work, well next time he checks his mail you can just make casual conversation, Man, schools these days just don't cut it do they, why my school from 20 years ago back in Washington could kick the pants of these locals, where did you grow up? xyz response, "oh really, were you born there?" "Oh nooo I was born in wichita kansas" /cinch Your security questions are by far a bigger weakness than your password. by far. Thats why when someone asks me where I was born, my 1st dogs name, my mothers maiden name, casual conversation or not, they can just shut the fuck up. I do tell people where I was born though so I just stopped answering that one online. Last edited by Shauk; 04-01-2010 at 10:54 AM..

04-01-2010, 10:53 AM	#55 (permalink)
Xerxys Junkie Location: My head.	My password here was 123456 for a very long time. The article posted above by cynth is merely fear mongering. Sure "cracking" a password may be easy but HACKING is hard. I want anyone here (you are stupid if you do this) to attempt downloading any of the software posted in the article and try hacking or breaking into ANY site worth it's water like facebook, hotmail, google, yahoo or even TFP. Until people stop throwing around the word "hacking" and grasp the efforts web masters have gone through to implement simple security measures, then you're still a luddite in my mind.

04-03-2010, 05:20 AM	#56 (permalink)
Ace_O_Spades The Death Card Location: EH!?!?	I use two levels of password One: is a short, easily remembered placeholder I use for forums and bullshit things I need to sign up for Two: is a 12+ character alpha-numeric combination of CAPS, lowercase, numbers (0-9), and characters (!$). I use this for my e-mail accounts, work loginID, blog, anything I don't want anyone accessing. PS: Use Chrome, it is by far the most secure browser. Oh, forgot to say how often I change them... Not often for my less secure one. I change my strong passwords about as often as I change my toothbrush, once every 3-5 months. __________________ Feh. Last edited by Ace_O_Spades; 04-03-2010 at 05:24 AM..*

04-03-2010, 07:00 AM	#57 (permalink)
Thrombatic Pyle Upright	I use the same password for most Message Board Stuff, otherwise I'd have to have a notebook full of passwords.

04-12-2010, 06:21 PM	#58 (permalink)
SlowJoeCrow Upright Location: The Ever-Changing Chaos of Limbo	I am simply amazed by that sporcle quiz. Mankind's top 5 concerns: pussy, dragons, 69, mustangs, and baseball?

04-12-2010, 08:29 PM	#59 (permalink)
Taralynn Upright Location: The midwest	My passwords are all the same. I have no creativity. No memory. The only thing I retain on a regular basis is water.

12-15-2010, 07:53 PM	#60 (permalink)
Martian Young Crumudgeon Location: Canada	I thought with the recent issues due to Gawker, this thread deserved a bump. The whole Gawker thing highlights (yet again) various security vulnerabilities. We can talk about Gawker's failures (storing passwords using DES encryption, of all things), but the user failures and how this impacts the wider internet is more interesting to me. The Wall Street Journal has a fun article that breaks down the most popular passwords in a few different ways. The usual suspects show up with the usual prevalence, but some of the others seem as though they're almost attempts at being secure. "trustno1" for example, seems almost like an effort at choosing something truly secure -- it fails the test, but it seems to indicate that some users are at least thinking about password security. On the other hand, apparently only ~30% are using passwords of 8 characters or more, which is generally considered to be the bare minimum to prevent simple brute force cracking. In one of life's grand ironies, Lifehacker has an article about creating secure passwords that actually isn't that bad. Mind you, none of their methods are preferred (they have a tendency to generate passwords that are too short and/or not random enough) but the basic method of generating secure passwords using an easy-to-remember method rather than using easy-to-remember passwords (or worse, one password) is sound. One thing that shocks me is when sites themselves prevent one from using a secure password. Financial institutions seem to be fond of this, and they of all institutions should know better, as it were. Magpie's bank only allows passwords of up to 6 characters in length -- including all letters (upper and lower case) and all numbers, that provides a grand total of just shy of 57 billion possibilities. Granted that may seem like a big number, but keep in mind that big numbers are what computers do best and that even modest household PCs today typically possess 2-3 GHz of processing power and that not including the graphics chipset. So how has the Gawker thing affected you? Has it caused you to think about security more, or to take password security more seriously? Have you changed any of your passwords as a response? My prior method of password selection was reasonably secure, but lately I've found it's gotten a bit unwieldy. I was getting into a position where I was having to make a choice between using my passwords in too many different places, causing potential insecurity, or trying to remember too many different passwords, causing me inconvenience. As a result and because I honestly can't remember whether or not I've ever signed up for a Gawker site, I took this as a prompt to change my own password policy. One thing that I've noticed is that password managers have more or less taken over my logins. This means that for anything other than local systems I can safely move to a more secure/less convenient password without making my life that much more difficult. Granted, this introduces a new form of insecurity in that anyone with access to one of my usual machines will have the ability to access everything, but access to my local machines implies much bigger problems anyway (aside from which, they would have to first break into any computer of mine they had access to -- all of them use secure passwords and all of them are set to lock automatically after a short period of inactivity). I won't divulge my current method of generating passwords, but I will say that it generates passwords of up to 32 characters, random alphanumeric. I can be a bit paranoid sometimes, but I think that's probably good enough. __________________ I wake up in the morning more tired than before I slept I get through cryin' and I'm sadder than before I wept I get through thinkin' now, and the thoughts have left my head I get through speakin' and I can't remember, not a word that I said - Ben Harper, Show Me A Little Shame