Passwords: How easy are yours? How often do you change them?
Quote:
For email, I use a very robust password since that is the nexus of someone being able to gain access to all your other accounts. It's long, has upper and lowercase, and has a number. I'm just missing the symbol and it would be the "perfect" password according to security folks. Are you the person in the article with the easy to guess password? Why? Why not? |
The attack they're describing is a dictionary attack, and it's very common. A simple script, 20 minutes or so and if the website in question doesn't have specific measures in place to counteract it, an account can be cracked.
I do generally follow secure password policy. My only conceit is that I do reuse passwords to some extent. I have a list of them memorized and will select one more or less at random for a new account. One of the benefits of this system is that if I should forget what password goes with which account or website, I only have to guess a limited number of times before I hit on the right one. The monumental downside is that if someone were to somehow obtain a list of all my passwords they'd have access to basically everything. The principles of a strong password have been understood for a long time. No words, mix of numbers and letters, mixed case, at least 8 characters. If more people followed these guidelines there'd be less cybercrime. It's as simple as that. |
Mine aren't very hard to figure out.
I figure if you take the time to hack into anything of mine, you're an idiot and didn't do much homework/background work on me. I have no money, all my credit cards are maxed out, and I don't own anything. So even if you managed to steal my identity or what have you... You can't do fuck all with it. |
My solution is simple: use an address which is familiar to you, for example Tony Hancock's address in Hancock's Half Hour:
23 Railway cuttings or pick one from somewhere you have visited like a bed and breakfast place: 38 marine drive They are not likely to pick that out of the blue |
The way I do it, so that they're easy to remember for me, but hard to figure out, is;
I have 3 bases which may or may not be real words. Then I have three strings of numbers which have significance to me but not obvious (not even close to my birthday or license plate). I then take those and mix them up for each new account I need secured. There are more common ones which I use for things in which I need less security. And rarer/longer password combos which might actually be cracked (like MMO accounts). So if I forget, I first ask myself the security level, which narrows it down, then usually remember the letter string associated with the account, then it's only 3 choices on the number string. So I almost never forget my passwords, yet I have 9 standard + ~3 bonus varying in complexity all the way up to 12 characters. Yes, I'm quite pleased with myself :D |
I used to use passwords, but now I don't anymore.
I either use the same standard (unconventional) letter+number+symbol string, that may or may not also be my favorite titlepiece, or I come up with a random 21 character key that I promptly 'wand'. If it should ever break (it has happened once), I just use the original e-mail address I provided to obtain a new password. Besides the above, I shift usernames (and specific throwaway e-mail addys) instead of passwords. No sense in letting one cracked account become the gateway to multiples. |
I have a long one with Caps and numbers.
I use different ones for different sites. I can't believe people still use things like password or 123456. |
It doesn't matter if you have a 100 digit password, a keylogger will steal it in an instant. :)
I just try to keep my passwords long enough and random enough to avoid dictionary and brute force attacks. I change my passwords fairly often even though I probably have far less to lose than other people. I think the only thing connected to my email is my World of Warcraft account and a ton of newsletters which I didn't subscribe to. I don't log into my email and stuff from any computer other than my own because I don't know if they're secure. If I do have to log into one of my accounts from another computer, I change my password when I get home. It just bugs me if I don't change it. |
Type a word you're familiar with and can touch type:
password
As anyone can tell you, that's a terrible password. Move your hands over one row of keys to the right:
[sddeptf
Now add a number to the end to make brute forcing a bit harder:
[sddeptf0
Now double it:
[sddeptf0[sddeptf0
Good luck guessing that. Mix it up, only move your right hand over and leave your left in place; move your right hand up a row, move your left hand over to the left so "a" becomes capslock and makes it even more difficult to brute force.
0AAQ9ES
In a way it's like an old Caesar cypher, but without knowing the 12 letter phrase I use and what permutation of hand position, it makes encryption a lot stronger. |
My passwords for important items are usually a variation very tight, for stupid online things I always make it one generic word/number that would be easily guessable if you really wanted to post as me on some online places...go nuts.
What shocks me is that a lot of those people who keep those same strong passwords then write them down near their computer. We did a consulting job once, found a top level access guy had a freaking Rolex on his desk of all his passwords...even personal bank stuff...he worked for a major company. Brutal. |
My password's very, very easy. So easy I can't get away with it on most sites these days...
I don't really care. I don't store private info on the intrawebz. |
I used to use v1o9l6k4s which comes from:confused:
v o l k s 1 9 6 4 I used lbc for a hint, which stands for the "little blue car" that I learned how to drive in. LBC hint changes the case of the letters in the password. I don't use that pw any more. Obviously works with any five letter word and four digit number. Lindy |
I have a set of passwords that I change depending on the site I'm on. I need to change all of them again as I have a similar password on a lot of sites now. I should think about that today.
My boss sets all the admin passwords for his servers he sets up as 1Password. It's sad. |
I use the measurements of former lovers, myself.
|
Quote:
I don't worry so much about forums or social networking sites but I've got one email account that I guard pretty rigorously and several disposable accounts that forward everything sent and received back into that one account. All the passwords are different and so nothing is really lost in the event that one becomes compromised. But even then, it's not like I really need an archive of my emails. |
I have a "safe" password I use permutations of, and an easy one for all my nonimportant online activities. The safe password is in the form of 593epd (random numbers and letters), then I add the initials of the website and perhaps an "index" if I need to change my password frequently. If I was working for KFC and was required to change my password often it could be 593epdKFCg. Easy for me, but hard to bruteforce.
At high school I had a 26 character password built with parts of a long phrase translated to leet-speak. Needed a tough one as we tried to hack each other all the time. I won by creating a program imitating the log on prompt, checking the username and then either steal the password or call the real password prompt if already snatched. The user got an "Invalid password" message once, then everything worked fine. Later I collected the hidden files containing usernames and passwords :) Good times! |
I use incredibly complex passwords. One time, it got me fired. I was hired as the systems administrator for a very small 60 employee company. I changed the primary domain administrator account password to K@$m1rF@bric$@dm1n
They were not amused |
"So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"
Some of mine are easy, some are more difficult. It depends on what they are for. |
Quote:
And in the case of this article, it doesn't matter what your password was because they were storing them in plain text. |
I have two different passwords that I use, but both are about the same. One has numbers, the other doesn't.
Is it possible the hack number is so high in the study because some people made an account with a simple, one time use password just to fool around or maybe for some other reason? |
Like the US state department of intelligence in the movies, I have a text file with all my passwords saved locally in a password protected .ZIP. I am Jason Bourne.
|
My password is hunter2. I use it for everything. See how it's starred out so none of you can see it?
|
^^ Yeah, mine is gigolo2sxy4ya ... it's also starred out so none o' y'all can see jack sh*t.
|
My password is six asterisks. That way I can see it when I type it in.
|
hunter2 reference was actually from QDB: Quote #244321, kinda one of those interweb memes. In other words, totally irrelevant to most people.
|
^^ Oh, so we weren't coming up with convoluted ways of making up a password then?
Ahh, bummer. |
I paid attention to this thread because I got the "your password is 14,000+ days old" message and was curious what prompted the forced password change.
I have several standard passwords, one for things I don't have to keep protected (TFP) one for banking, and one for things I intend to keep really secure. The last two I rotate. |
Like World's King & pan, I am,
without the wherewithal to worry nor any need for secrets. I find changing passwords confusing & annoying. |
>How often do you change it?
Got this message on TFP today: Your password is 14663 days old, and has therefore expired. That's my oldest password so far. (It's 40.15 years old - older than me and most of the World Wide Web) |
It doesn't matter - The Mentalist or any CSI team can guess it just by looking around your room.
|
Heheheh....I work with an IT major dweeb ( a friend who looks a lot like my favorite high school BF!) and this dude makes us change ours every 4 weeks, on the job. So my newest game is to continually devise the longest & most diversified PW ever. He thinks it's a game and hasn't "broKen it" yet.
Luckily we are very good buds. (I know his deepest darkest secrets!!!) /Gottya create fun wherever you are!!/Yes! |
My point is that it's as secure as it can be within reason on my end. I can't control how it's kept safe otherwise, which is why I never use the same password in two places anymore.
Anyway, this is a forum so the worst thing that could happen if someone did access my TFP is maybe some trolling or something, maybe deleting some of my old posts or changing settings. I'd be more worried about my online banking and shopping, but those are generally pretty damned secure. |
The difficulty of my password goes down the more often I have to change it. And I would trade convenience over security (If LifeLock can monitor stuff, so can my bank without charging me. I think it is a scam), like I get full credit card statements in the mail that has no security, but I have to log in and jump through a bunch of hoops because I use random networks to access my account. My e-mail is far more secure at least for the basic statement.
It would be impossible for me to create new passwords for every bank, credit card, e-mail account, forum, paypal, on-line retailer, and computer every few months and keep them all straight. |
I have a couple of passwords I use interchangeably on different sites, but neither are real words and are completely nonsensical to anyone but me.
|
And the horse is now dead. And rotted. And the corpse has been hauled off to the dog food factory.
Can we put a stop to the jokes about the password change requirement? There was a very good reason that we asked everyone to do that (one I'm not about to discuss in a google-crawled area of the board). Yes, it was a pain in the ass. Yes, the message looked a little silly to some of you. The same joke being told in 2 different threads wore thin a while ago though. |
My password is fuckyou... that's what I utter under my breath every time I forget my passwords. So I started using it.
hahahha |
'Pussy'? Seriously? Never would have thought it would rank so high.
|
Quote:
Notice that administrators always use insane passwords. Mine here is over 10 characters, uses capitals, lowercase, numbers and symbols. I wish anyone luck with the hack attempt of my account. My email password is vastly more complicated. Same ruleset, but much longer. I remember them by creating sentences. example: I got laid on the 4th of July. This translates to: !g0tL4!d@4THuVJuLy It took me 5 seconds to come up with a password I can remember from day to day. All I have to do is say it in my head as I type it. Eventually as I become more comfortable with it, I say the symbols instead of the words, and now I know it for years even if I don't use it. |
Quote:
My password is so old it's Betty White. But seriously folks, on our computers at work we use to edit news stories and audio, it was 123456. Corporate requires regular changes, so it is now 12345. |
I was just prompted to change mine after 14632 days or something like that.....so it's been a while
-Will |
Quote:
The problem with "secure" passwords is that they aren't human friendly. Our brains are not wired to be able to use a completely random string of characters as anything usable. We assign meanings and use visual clues to help us along the way. We've all seen the email where the first and last letter of a word are correct but the middle is mixed around. Yet when we read it we still read it as being 'correct' because our brains complete the gap so to speak. I would love it if everyone used the truly secure password method. However if that happened I suspect Post-it notes would become hard to find in a hurry. |
I use passwords on a rotating basis from one of three different tiers of quality, as needed: low, medium, and high security. The p/ws themselves are usually acronyms with liberal use of numbers and other characters.
If I'm feeling feisty I'll use a fairly lengthy phrase as fodder for a long acronym; one that also includes digits here-n-there. Add a few other characters and spice to serve. I can't see *not* changing p/ws on a reasonably frequent basis. All other viewpoints I harbour on this subject are [[REDACTED]] :cool: |
I use a "weak" password for a lot of the stuff I don't care all that much about just because it's quick and easy to remember since I share it across many accounts. I then use much stronger passwords for things such as my primary email, bank accounts, accounts with CC info etc...
|
Quote:
Personally I'm warm and fuzzy by not following any of the conventions that he's touting. |
I contest that the password has always been a small part of the hacking process.
It is a hell of a lot easier to have the site itself try to hand you access to the account via their weak attempts to be user friendly to people who forget their passwords. Seriously, what do they want to know before they're like "durf, ok here you go?" Some of them only require an email address. Getting your intended target's email address isn't hard. Getting access to it tends to open up the world to all the other accounts. Out of all of your accounts, your email is the most important, the end. Every account you have on a forum, with a bank, on your porn sites, whatever it is you do online, generally will have your email address associated with it in some way. Take Hotmail, say you want to hack Bob who lives across the street, his dog has been shitting on your lawn. You see him checking his mail, you know Bob has kids, tell him you need his email address for a petition you're working on to have old cartoons brought back to public television to expose our children to classics instead of modern garbage, I dunno, be creative. He gives you bob@hotmail.com, you wander on over to the site and what's this? All you need to change the password is his state/city/zip and the name of the city he was born in? Well, you can guess all the major cities around where you live, and if that doesn't work, well, next time he checks his mail you can just make casual conversation: "Man, schools these days just don't cut it, do they, why my school from 20 years ago back in Washington could kick the pants of these locals, where did you grow up?" xyz response, "Oh really, were you born there?" "Oh nooo I was born in Wichita, Kansas" /cinch Your security questions are by far a bigger weakness than your password. By far. That's why when someone asks me where I was born, my 1st dog's name, my mother's maiden name, casual conversation or not, they can just shut the fuck up. I do tell people where I was born though so I just stopped answering that one online. |
My password here was 123456 for a very long time. :)
The article posted above by cynth is merely fear mongering. Sure "cracking" a password may be easy but HACKING is hard. I want anyone here (you are stupid if you do this) to attempt downloading any of the software posted in the article and try hacking or breaking into ANY site worth its water like facebook, hotmail, google, yahoo or even TFP. Until people stop throwing around the word "hacking" and grasp the efforts web masters have gone through to implement simple security measures, then you're still a luddite in my mind. |
I use two levels of password
One: is a short, easily remembered placeholder I use for forums and bullshit things I need to sign up for Two: is a 12+ character alpha-numeric combination of CAPS, lowercase, numbers (0-9), and characters (!*$). I use this for my e-mail accounts, work loginID, blog, anything I don't want anyone accessing. PS: Use Chrome, it is by far the most secure browser. Oh, forgot to say how often I change them... Not often for my less secure one. I change my strong passwords about as often as I change my toothbrush, once every 3-5 months. |
I use the same password for most Message Board Stuff, otherwise I'd have to have a notebook full of passwords.
|
I am simply amazed by that sporcle quiz. Mankind's top 5 concerns: pussy, dragons, 69, mustangs, and baseball? :shakehead:
|
My passwords are all the same. I have no creativity. No memory. The only thing I retain on a regular basis is water. :(
|
I thought with the recent issues due to Gawker, this thread deserved a bump.
The whole Gawker thing highlights (yet again) various security vulnerabilities. We can talk about Gawker's failures (storing passwords using DES encryption, of all things), but the user failures and how this impacts the wider internet is more interesting to me. The Wall Street Journal has a fun article that breaks down the most popular passwords in a few different ways. The usual suspects show up with the usual prevalence, but some of the others seem as though they're almost attempts at being secure. "trustno1" for example, seems almost like an effort at choosing something truly secure -- it fails the test, but it seems to indicate that some users are at least thinking about password security. On the other hand, apparently only ~30% are using passwords of 8 characters or more, which is generally considered to be the bare minimum to prevent simple brute force cracking. In one of life's grand ironies, Lifehacker has an article about creating secure passwords that actually isn't that bad. Mind you, none of their methods are preferred (they have a tendency to generate passwords that are too short and/or not random enough) but the basic method of generating secure passwords using an easy-to-remember method rather than using easy-to-remember passwords (or worse, one password) is sound. One thing that shocks me is when sites themselves prevent one from using a secure password. Financial institutions seem to be fond of this, and they of all institutions should know better, as it were. Magpie's bank only allows passwords of up to 6 characters in length -- including all letters (upper and lower case) and all numbers, that provides a grand total of just shy of 57 billion possibilities. Granted that may seem like a big number, but keep in mind that big numbers are what computers do best and that even modest household PCs today typically possess 2-3 GHz of processing power, and that's not including the graphics chipset. So how has the Gawker thing affected you?
Has it caused you to think about security more, or to take password security more seriously? Have you changed any of your passwords as a response? My prior method of password selection was reasonably secure, but lately I've found it's gotten a bit unwieldy. I was getting into a position where I was having to make a choice between using my passwords in too many different places, causing potential insecurity, or trying to remember too many different passwords, causing me inconvenience. As a result and because I honestly can't remember whether or not I've ever signed up for a Gawker site, I took this as a prompt to change my own password policy. One thing that I've noticed is that password managers have more or less taken over my logins. This means that for anything other than local systems I can safely move to a more secure/less convenient password without making my life that much more difficult. Granted, this introduces a new form of insecurity in that anyone with access to one of my usual machines will have the ability to access everything, but access to my local machines implies much bigger problems anyway (aside from which, they would have to first break into any computer of mine they had access to -- all of them use secure passwords and all of them are set to lock automatically after a short period of inactivity). I won't divulge my current method of generating passwords, but I will say that it generates passwords of up to 32 characters, random alphanumeric. I can be a bit paranoid sometimes, but I think that's probably good enough. |
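The keyspace arithmetic from the post above (62 symbols, 6 characters, "just shy of 57 billion"), carried through for the 8- and 32-character lengths the post also mentions. This is an added example, not part of the original thread; the function names are its own and the guess rate is an assumed figure for illustration only.

```python
import math
import secrets
import string

# Upper case + lower case + digits: the 62-symbol alphabet the post describes.
ALPHANUMERIC = string.ascii_letters + string.digits

# ASSUMPTION: one billion guesses per second against a fast, unsalted hash
# checked offline. Real rates depend on the hash and the hardware.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose symbols are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate of the given length at the assumed rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def generate_password(length: int = 32, alphabet: str = ALPHANUMERIC) -> str:
    """Random password drawn from the OS CSPRNG via `secrets`.

    The entropy figures above only hold for passwords generated like this;
    a human-chosen word of the same length has far less.
    """
    if length < 1 or not alphabet:
        raise ValueError("length and alphabet must be non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def summarize(lengths=(6, 8, 32)):
    """One row per length: (length, keyspace, entropy bits, worst-case seconds)."""
    n = len(ALPHANUMERIC)
    return [(L, keyspace(n, L), entropy_bits(n, L), worst_case_seconds(n, L))
            for L in lengths]


if __name__ == "__main__":
    for length, space, bits, seconds in summarize():
        years = seconds / (365.25 * 24 * 3600)
        print(f"{length:>2} chars: {space:.3e} candidates, "
              f"{bits:5.1f} bits, {seconds:.3e} s ({years:.3e} years)")
    print("sample 32-char password:", generate_password())
```

At the assumed rate, the 6-character limit is exhausted in under a minute, which is why a server-side length cap matters more than any choice the user makes within it.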