-
August 13th, 2010, 10:25 AM
#1
How long are your passwords?
According to this, you should be using passwords of at least 12 characters, as GPU processing is making shorter ones trivial to crack:
http://www.bbc.co.uk/news/technology-10963967
Nick.
-
August 13th, 2010, 02:22 PM
#2
A better alternative, he suggested, would be a 12-character combination of upper and lower case letters, symbols and digits.
- Some password systems convert all letters to the same (usually upper) case. I wouldn't rely on mixed case to add complexity.
- Some systems don't allow symbols. Even if allowed, their use can be confusing. The dollar symbol key on US keyboards, for example, produces a pound symbol on keyboards supplied in the UK. Although the symbols can be used interchangeably in passwords (they both produce the same binary code), some people may not understand.
You can trade length for complexity. If passwords longer than 12 characters are supported, I use much longer passwords, usually a quotation from a book, song, etc.
In any case, let's not get paranoid. For most purposes, 12 characters are safe enough. Unless you are protecting nuclear secrets, no one will waste the resources needed to crack 12 characters.
-
August 13th, 2010, 02:25 PM
#3
-
August 13th, 2010, 03:06 PM
#4
I have what may be a stupid question. Let us say that my password for VirtualDr is abcdef - six letters only.
A brute force attack may easily find my password, but the correctness of the password can surely be identified only after a successful log-in. In other words, it is not just a matter of ripping through a few million permutations, but of actually testing them with an attempt to log in. Surely that would take a second or so per password? And surely sites block multiple attempts to log in from the same IP for a period of time? Or have I not understood this topic?
For what it is worth, all my passwords are words of a foreign language concatenated and with the digits from one of my former car registrations added - example NoordwijkZwerver626. These are memorable but (I think) uncrackable. Random sequences of letters/numbers are insecure as they cannot be remembered and have to be written down on mouse mats etc.
-
August 13th, 2010, 03:26 PM
#5
IhaveagastriculcerbecauseIforgotmypassword
VirtualDr email notices are not working.
Check back regularly for responses.
_____________________
cat lovers click here
-
August 13th, 2010, 03:28 PM
#6
Originally Posted by Philip M
I have what may be a stupid question. Let us say that my password for VirtualDr is abcdef - six letters only.
A brute force attack may easily find my password, but the correctness of the password can surely be identified only after a successful log-in. In other words, it is not just a matter of ripping through a few million permutations, but of actually testing them with an attempt to log in. Surely that would take a second or so per password? And surely sites block multiple attempts to log in from the same IP for a period of time? Or have I not understood this topic?
For what it is worth, all my passwords are words of a foreign language concatenated and with the digits from one of my former car registrations added - example NoordwijkZwerver626. These are memorable but (I think) uncrackable. Random sequences of letters/numbers are insecure as they cannot be remembered and have to be written down on mouse mats etc.
Well, what makes the forum more difficult to crack is that after every five wrong attempts you are locked out for 15 minutes. If not for that, it would be much, much easier and faster. Additionally, you will receive a forum e-mail informing you of the incorrect login attempts and the IP address from which they occurred, giving you an opportunity to change to a more complex password.
There is nothing to fear, but life itself.
-
August 13th, 2010, 06:51 PM
#7
Philip M makes a good point. Brute force attacks are often impractical. There are exceptions. For example, if your computer is stolen, brute force could be used to break the encryption key you used to protect a disk file. A programmer at your bank might use brute force running in the background to crack passwords. Why take a chance?
In any case, most people overestimate the possibility of attacks. Why would anyone try to crack my Virtual Dr password? What benefit would they derive? Even my bank password has limited value (and additional ID is required). It doesn't allow funds transfer to someone else's account. Profit would require other access (such as to set up a payment) that should be easily traceable.
As I said before, let's not get paranoiac.
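Added example, not from any post in this thread: it puts rough numbers on the arguments above (length versus character classes in post #2, the five-attempts-then-15-minute lockout in post #6, and the stolen-disk offline case in post #7). The lockout policy is the one stated in post #6; the offline rate of 1e9 guesses per second and the 12-character sample password are constructed assumptions, not measurements. It counts exhaustive search only and says nothing about dictionary attacks on passwords built from real words.

```python
# Added example (not from the thread): brute-force cost under two attack models.
import string

# Keyboard character classes an exhaustive attacker would have to cover.
CHARSETS = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def charset_size(password):
    """Size of the union of classes the password actually uses; an attacker
    who already knows which classes are in play does no better than this."""
    used = [chars for chars in CHARSETS.values() if any(c in chars for c in password)]
    return sum(len(chars) for chars in used)


def keyspace(password):
    """Candidates an exhaustive search must cover: classes ** length.
    Brute force only: it ignores dictionary attacks on word-based passwords."""
    return charset_size(password) ** len(password)


def online_seconds(password, attempts_per_lockout=5, lockout_seconds=15 * 60):
    """Worst-case time to exhaust the keyspace through a login form that locks
    the account for lockout_seconds after attempts_per_lockout failures
    (the policy described in post #6). Integer ceiling division keeps exact."""
    space = keyspace(password)
    windows = (space + attempts_per_lockout - 1) // attempts_per_lockout
    return windows * lockout_seconds


def offline_seconds(password, guesses_per_second=1e9):
    """Worst-case time when the attacker holds the hashes or encrypted file and
    is limited only by hardware. 1e9/s is an assumed round number, not a
    measured GPU rate (constructed assumption)."""
    return keyspace(password) / guesses_per_second


def years(seconds):
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # "abcdef" and NoordwijkZwerver626 come from post #4; the 12-character
    # mixed-class password is constructed for this example.
    for pw in ["abcdef", "Ab3$Ef6&Gh9!", "NoordwijkZwerver626"]:
        print(f"{pw!r}: {charset_size(pw)}^{len(pw)} candidates, "
              f"online {years(online_seconds(pw)):.1e} years, "
              f"offline {years(offline_seconds(pw)):.1e} years")
```

The six lowercase letters survive the rate-limited login form for centuries but fall in well under a second offline, which is exactly the split between post #4's objection and post #7's exceptions.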
-
August 13th, 2010, 09:50 PM
#8
where I can.. basic electrical formulas.. you know the one of the variations for calculating inductive reactance .. frequency etc .. where I can that include the use of ² and ³ ¹ ° ÷ § ¶ ¾ ± and friends.. but for when being paranoid is needed..
-
August 14th, 2010, 02:59 PM
#9
Brute force attacks try every possible combination of values. Use of symbols offers no additional protection against brute force. Use of symbols not on your keyboard makes typing very error prone.
-
August 15th, 2010, 02:02 AM
#10
If you live alone, as I do, NOT writing down passwords is really paranoid. If you have a great many passwords, there's no way you're going to remember more than a few complex ones. And if you live with family, there are always ways to keep them secret.
I store all the non-sensitive ones in LastPass, where they're encrypted and covered by a master password. I agree with Jerry on that: I don't care if someone hacks my forum or file-downloading passwords. The sensitive ones are recorded elsewhere.
Last edited by foxy; August 15th, 2010 at 02:06 AM.
Win7 Ult/ 3.40 GHZ Intel Core i5-3570K /ASRock mobo Z77 Pro4 /SSD/ EUFI MS 3400 MHZ/8 GB RAM; Win 7 Ult/Verizon FIOS wired network
Waterfox Classic/Chrome / Firefox 115esr
--------------------------------------------------------------------------------
"The medium is the message." - Marshall McLuhan
-
August 15th, 2010, 05:36 AM
#11
If you're happy and you know it......it's your meds.
-
August 15th, 2010, 08:42 AM
#12
NOT writing down passwords is really paranoid
Amen. I spent years working security for a large firm. 90% of our time was spent assisting users who forgot their password.
Of course, that doesn't mean writing it on a yellow sticky and affixing to the monitor or under the keyboard. However, if you don't have the smarts to find a reasonably secure place to hide the password, how on earth did you learn to use a computer?
-
August 20th, 2010, 07:21 PM
#13
psw's are usually 18 characters or more; of course, they are generated and I don't need to remember them. That is what software is for.
-
August 20th, 2010, 09:09 PM
#14
Anyone who really cares about psw security should read:
http://weis2010.econinfosec.org/pape...10_bonneau.pdf
For those who don't take the time to read it, here is a "gotcha" I had forgotten:
We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established tendency of users to re-use passwords.
In other words, if you use the same psw at multiple sites, cracking it at the site with the poorest security gives access to all of the sites.
-
August 21st, 2010, 10:29 AM
#15
And those sites with the poorest security will allow unlimited login attempts.
Nick.