-
July 8th, 2005, 10:29 AM
#1
Nothing's really safe: yet what kind of password
With the full knowledge that a major part of my personal economic history and info are already out "there" the question comes to mind:
What kind of password is the safest to use? What about user names?
If we have a multitude of passwords and usernames, is it stored on paper? Disk? CD? DVD? Memorizing is obvious but not too dependable for those of us who are short on memory brain cells.
I'm just looking for honest opinions. I know the longer the better, but is longer the safest?
thanks
Jim
Proverbs 22:3
Have: Laptop: Toshiba Sat pro A210..AMD Turion 64 X2 Mobile Technology TL-58 795 MHz, 896 Meg Ram, XP Pro w/ SP2
-
July 8th, 2005, 10:50 AM
#2
Longer is safer because it takes longer to decode.
-
July 8th, 2005, 12:03 PM
#3
There are many, MANY long and detailed dissertations about the whole password length/selection/security debate, so I'll not rehash the whole enchilada. Try a search for "password recommendations" on google or dogpile to start.
Just some general guidelines to help you:
1) Yes, length is one method of attaining higher security. The longer the password, the harder it is to guess, especially if you follow the other guidelines and recommendations. The only downside is that the longer, more complex, and more difficult to remember, the more likely it is for you to write it down, which is one of the cardinal sins of password security management. In my last step, I'll recommend one method for managing this issue.
2) It should NEVER be your birthday, child's name, address, pet's name, wedding anniversary, (in any of the various permutations) that anyone with inside knowledge about your or your family might easily guess.
3) It should not be a simple word, no matter how obscure, that could be looked up in a dictionary (brute force password breaking).
4) It should contain both letters and numbers (but once again, nothing too obvious, like your name and birthday combined).
5) Try using a phrase, with no spaces in between words, instead of just one word.
One method I employ often is to think of a phrase that is meaningful to the environment I'm currently working in, then obscure that password by shifting my hands on the keyboard, then pretending to type the phrase normally just by touch-typing.
For example, if the password "accounting system" would be an easy password phrase to remember on a CPA's system (without the space), but you wanted to truly obscure it, type "accountingsystem" on the keyboard, but first move your hands one key to the right... which would make your password "svvpimyomhdudyr,". This appears to be an absolute nonsense phrase, impossible to just guess. If you also moved your hands up one row, you'd end up with a combination of letters AND numbers.
This method allows you to pick easily remembered passwords, which don't need to be written down, but that can be obscured totally to outsiders.
Hope this helps!
Various Windows and Linux platforms...
-
July 8th, 2005, 05:12 PM
#4
Actually the info does help. It just confirms what everyone should be thinking anyway. Thanks for the thoughts and input.
I tell all that I know about this site for the last 5 years or so and it has never let me down.
have a great weekend
and say a prayer for those Londoners, too.
Proverbs 22:3
Have: Laptop: Toshiba Sat pro A210..AMD Turion 64 X2 Mobile Technology TL-58 795 MHz, 896 Meg Ram, XP Pro w/ SP2
-
July 9th, 2005, 05:28 AM
#5
Langa Letter: How To Build Better Passwords
Stronger passwords don't have to be hard to create or use, Fred Langa says. Here are tools and tips that can help.
By Fred Langa, InformationWeek
June 20, 2005
URL: http://www.informationweek.com/story...leID=164303537
Good passwords are essential for PC security. Even the world's strongest encryption algorithms or logon procedures won't protect you if you use the wrong kind of password.
And even if you once were safe, you may not be today: Passwords that were fine even just a few years ago may now be vulnerable to attack because of huge advances in hardware and software: Malicious hackers have tools that can make hundreds to thousands of guesses in seconds. Passwords that might once have taken months or years to crack can now be cracked in minutes or hours.
It takes very little skill to mount a password attack. The simplest form of attack is based on dictionary lists: The cracking software simply tries every possible word listed in an online dictionary. Any password found in the dictionary will thus soon be discovered. This type of software is extremely simple to create because no deep analysis or cryptographic skill is needed. It's high-school level stuff, and yet it can defeat many passwords!
Similarly, passwords based on common phrases are very weak. A malicious hacker can use a dictionary of famous quotations in much the same way as using a dictionary of individual words: Any password based on familiar quotes is likewise easily discovered.
It's only a little more complicated for a malicious hacker also to cover the most common permutations of words and phrases. For example, some people choose a password or phrase, and then touch-type that word or phrase, but shift their hands one character to the right, left, up, or down from the normal typing position. The resulting output looks like gibberish, but really isn't: It retains a regular pattern that a computer easily can sniff out.
So-called "elite" or "l33t" speak was once a useful way of increasing a password's complexity, but the rules of "l33t" substitution are now well known. Similarly, taking a common word or phrase and trying to make it more complex through random capitalization and by appending numbers does little to add real security: For example, a lowly P3 PC running a widely available cracking tool at just 500 MHz was able to guess the password "ChEcK12" in only 26 seconds; and today's top-of-the-line PCs could perform the same crack almost instantly. (For more examples of just how quickly simple password techniques like this can be bypassed, see this page from McMaster University). It's scary stuff.
What Makes A Good Password?
So, what makes a better password? There are three major factors: length, complexity, and randomness. We've already touched on randomness. A good password will be a truly unique combination of characters, and that means that the password should not appear in any form in any dictionary, book of quotations, and so on. The password also should not be based on simple substitutions or transpositions of common words or phrases: If any underlying pattern remains -- the less truly random a password is -- the easier it is to be cracked.
Complexity also is easy to understand. For example, if you limit yourself to the lower-case letters of the English alphabet, each character in your password will have only 26 possible values. Simply allowing uppercase and lowercase letters means that each character in the password can have 52 different values. Add in numbers (0-9) and you have 62 possible values; add the punctuation and symbol characters commonly found on a US-English computer keyboard, and you have a total of about 92 unique (non-repeating) possible values. Clearly, using all the kinds of characters available to you significantly increases the complexity of a password.
Length also is hugely important: A two-character password, where each character could be any of 92 possible values, affords just 8464 unique combinations. Three characters allow 778,688 possibilities; four yields 71,639,296, and so on. So clearly, longer passwords are better because the number of possible character combinations increases exponentially with length.
But note that while something like "71,639,296" password possibilities would be daunting in human terms, it's nothing to the brute strength of a PC. This online calculator lets you play with variables to see how long a "brute force" password-cracking program would have to run to defeat passwords of varying lengths and complexities. Note that the "speed -- thousands of passwords per second" figure depends not only on the speed of a given PC, but also on the efficiency of the cracking software, which is hugely variable in itself. But the calculator is seeded with an exceedingly low number, which significantly under-represents the power of today's PCs and software. For a more realistic view of contemporary threat levels, crank up the "speed" variable by several orders of magnitude. (For a hardware-based starting point, you may wish to note that the common Intel P6 is capable of processing hundreds of millions of instructions per second. Note also the real-life cracking results reported earlier by McMaster University.)
Passphrases And "Shocking Nonsense"
In the past, we've described several ways to generate passwords that are both hard for someone else to guess, and yet easy for you to remember. For example, back in 2003 we discussed a "passphrase" idea. While the specific examples in that article are now outmoded, the idea of using a passphrase was, and is, sound. In fact, passphrases have really caught on as a way to produce long, secure, and memorable passwords.
For one thing, passphrases can be of any arbitrary length -- even out to 20, 40, 60 characters, or more, without a lot of trouble. But, because they're made of a series of words rather than totally random characters, they're much easier to remember than conventional passwords of similar length.
But not all passphrases are created equal: As we saw earlier, phrases that are found in dictionaries and collections of quotations are particularly bad -- even a long passphrase, if based on a well-known quote, may be very easy to guess.
Likewise, passphrases that follow conventional rules of grammar provide a pattern that a clever program can exploit. So, the best passphrases do not follow normal grammar rules.
The excellent passphrase FAQ, How To Choose A Passphrase, suggests a technique called "shocking nonsense." "Shocking nonsense" means to make up a short phrase or sentence that is both nonsensical and shocking in the culture of the user, that is, it contains grossly obscene, racist, impossible or other extreme juxtaposition of ideas. This technique is permissible because the passphrase, by its nature, is never revealed to anyone with sensibilities to be offended. In a corporate environment, of course, "shocking nonsense" would have to be employed with great care, and only under the aegis of an official, clearly outlined policy that explained the "shocking nonsense" for what it is: an attempt to circumvent dictionary-based and grammatical attacks by using words and linguistic constructs that will never be found in normal speech or references. Still, this approach may be inappropriate in today's litigious environment.
Fortunately, there are other ways to generate highly secure passphrases. Perhaps the best-known tool is the freely available Diceware created by A. G. Reinhold. His approach employs one or more many-sided die to generate truly random number sequences; you use the random number sequences to look up words from a list of some 8,000 short, easy-to-remember words and character strings. By rolling the dice and combining the resulting random words, you easily can construct a reasonably long passphrase that will be hard to crack or guess in its own right; and which can be made harder still by editing the final passphrase to include capitalization, numbers, and punctuation.
There also are several software tools listed on Reinhold's site, above, that can further automate the process; although at a cost of true randomness. For example, most passphrase software relies on a computer's pseudo-random number generator, which isn't truly random.
What If Long Passwords/Phrases Aren't Allowed?
Passphrases are a great way to achieve a high level of password strength, but amazingly, some hardware and software systems still limit you to very short passwords, perhaps as few as six or eight characters. In this case, a passphrase isn't terribly useful, so it's probably best to revert to a true, totally random password using uppercase, lowercase, numbers, and punctuation.
"PassGen2" is a free, online password-generating Java applet that's good for creating login passwords, WEP encryption keys, one-time-use pads, and many other uses.
If you'd rather keep your password-generation local and offline, the open source "PWGen for Windows" will help.
I prefer to use Roboform because it not only can generate good passwords but also can remember them for me: For example, to prevent a wireless hacker from easily accessing and changing my Wireless Access Point's security settings, I've protected the WAP-management software with a totally random 20-character password, using uppercase and lowercase letters, plus numbers and punctuation. An example of such a password (I just asked Roboform to generate a new one to show you) is: "mKz!3@$NyY$Pr*u&%#rp" The odds of anyone guessing a password like that in any reasonable length of time are tiny. Of course, the odds of me remembering that also are tiny, which is why I just let Roboform remember and store the password internally, protected by the tool's built-in triple-DES encryption. I only have to remember one password -- the master password for Roboform itself -- and it handles all the rest. It can remember a huge number of passwords, and can generate password strings up to an insanely difficult 512 random characters in length.
The downside of Roboform is that, although there's a limited-use free mode, it's really a commercial product. Because it's proprietary, copyrighted code, not all the workings of its encryption and password generation are fully revealed. That's not a problem in my own use, but in situations requiring the very highest levels of security, an open-source password tool, like PWGen (above), may be a better choice. If you go that route, two additional open source tools, Password Safe and KeePass, will help you manage and use your password with minimal hassle and confusion.
Short, Long, And Medium
As a general rule of thumb, in any situation where security really matters, I've abandoned passwords shorter than eight characters. All my passwords ranging from eight to about 20 characters are generated as random mixes of uppercase, lowercase, numbers, symbols and punctuation. The more sensitive the application, the longer and more complex the password I use.
In special cases where I need the very highest levels of security, and/or passwords longer than about 20 characters, and/or portability (where I need to be able to remember a long password on my own, without software assistance), I'll use a passphrase.
Of course, you can do things differently; I offer the above only as an example.
But the important thing is to realize that short passwords, and easily guessed longer passwords, are next to useless. If you haven't changed your approach to passwords in the last few years, this might be a good time to do just that -- and to look at the tools that make generating and using even very long, highly-secure passwords much easier.
Copyright © 2004 CMP Media LLC
Last edited by SpywareDr; July 9th, 2005 at 05:30 AM.
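The keyspace and Diceware arithmetic in the quoted article, worked through as an added example (this is not code from the article, the thread, or any of the tools it names). It reproduces the 92-character figures (8464, 778,688, 71,639,296), converts keyspace to bits and to an average brute-force time at an assumed guess rate, and uses the OS CSPRNG as a stand-in for a physical die against a constructed six-word list; the real Diceware list has 7776 words.

```python
import math
import secrets

# Character-class sizes as given in the article: lowercase only, mixed case,
# mixed case plus digits, and roughly 92 printable keys on a US keyboard.
CHARSET_SIZES = {"lower": 26, "mixed": 52, "alnum": 62, "full": 92}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace (length * log2 of charset)."""
    return length * math.log2(charset_size)


def expected_crack_seconds(charset_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Average time for an exhaustive search: on average the password is found
    halfway through the keyspace, so divide by two before dividing by the rate."""
    return keyspace(charset_size, length) / 2 / guesses_per_second


# Constructed stand-in for a Diceware list (a real list has 7776 words,
# one per five-dice roll 11111..66666). Here one die roll picks one word,
# so each word contributes log2(6) ~= 2.58 bits instead of 12.9 bits.
TOY_WORDLIST = ["anvil", "cobalt", "marmot", "quartz", "tundra", "zephyr"]


def roll_die() -> int:
    """One die roll in 1..6 from the OS CSPRNG, not from random.random()."""
    return secrets.randbelow(6) + 1


def diceware_passphrase(num_words: int, wordlist=TOY_WORDLIST,
                        roll=roll_die) -> str:
    """Look up one word per roll and join them; `roll` is injectable for tests."""
    return " ".join(wordlist[roll() - 1] for _ in range(num_words))


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Strength of a passphrase whose words are chosen uniformly from the list."""
    return num_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for n in (2, 3, 4, 8, 12):
        print(f"{n:2d} chars from 92: {keyspace(92, n):>26,} "
              f"({entropy_bits(92, n):.1f} bits, "
              f"{expected_crack_seconds(92, n, 1e6):.3g} s at 1M guesses/s)")
    print("6-word Diceware (7776 list):", f"{passphrase_bits(6, 7776):.1f} bits")
    print("toy passphrase:", diceware_passphrase(4))
```

At one million guesses per second a random four-character password from the full keyboard falls in about 36 seconds on average, which is the article's point that "71,639,296" is small for a machine.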
-
July 9th, 2005, 05:22 PM
#6
I personally use a PW program (KeePass) which I use to generate very complex PW's for most websites.
Only the masterPW needs to be memorized.
Nimo N152B (AMD R5, W11H) and plenty of other legacy systems :-)
-
July 9th, 2005, 05:28 PM
#7
Here's the thread I started on PW Tools, there are a few options listed:
Link
Nimo N152B (AMD R5, W11H) and plenty of other legacy systems :-)
-
July 9th, 2005, 10:35 PM
#8
I use KeePass also and like it a lot. It will generate and store your passwords. What is also great about it is that it is a self-contained program that can be placed on a Jump/Flash drive for true portability.
There have been many improvements with Biometrics within the past few years. Using your fingerprint or facial looks allows for one of the best (in theory) protection. These programs can limit access to your computer, files, and can be used to generate passwords for specific web sites.
Doc
"To err is human, but to really foul things up you need a computer."
Home Build Intel Core Duo 2.0 GHz, 2 Gig RAM, Dual Boot XP Pro and Ubuntu 8.04LS
-
July 10th, 2005, 09:36 AM
#9
Excellent thread! Just a few more things that might be nice to mention regarding keeping your privacy, private...
In addition to user names and passwords for web related business, don't forget the info on the computer itself. Browsers normally store browsing history, cookies and even web pages. It would be a good thing to configure the browser to minimize what it stores (my recommendation) or use a software tool (or tools) to keep these things cleaned up.
Another key thing is, don't forget the data on the PC itself. All PC's are open to outright physical theft and many are open to theft over the web. Do you keep financial data in MS Money, Quicken or even MS Excel? Are most of us aware that even if we use passwords on these programs, there are ways for someone to get inside those files in just a few minutes?
There are several things one can do to protect this data. The best, IMO, is encryption. If one uses a very safe password and then also encrypts the data used by say MS Money, then one has added an additional barrier to keep someone from gaining access to the information. A recent thread discussing encryption is here http://discussions.virtualdr.com/sho...d.php?t=189364
(BTW, always, always, always make periodic unencrypted backups of your financial data and store the backups in a safe, fire resistant location. Then if something really bad happens...
Finally, don't forget the good 'ole PDA...Palm Pilots or Pocket PCs. They are carriers of VERY personal info. But the strange thing is that most people make little or no effort to protect them. Here are some thoughts I posted last winter on PDA safety http://discussions.virtualdr.com/sho...d.php?t=179817
-
July 10th, 2005, 10:22 PM
#10
To add to what Han posted, do not forget what you have input into your cell phone. Cell phones today carry not only names, numbers and addresses, but can also store your appointments and other possibly sensitive information. Having this information taken from you can cause serious problems (just ask Paris Hilton).
Most cell phones today allow for coded entry to make a call or do other activities. It is suggested that you use one as most phones today are not equipped to encrypt the data they hold (I would think a PDA phone is an exception, but am not sure).
Doc
"To err is human, but to really foul things up you need a computer."
Home Build Intel Core Duo 2.0 GHz, 2 Gig RAM, Dual Boot XP Pro and Ubuntu 8.04LS
-
July 11th, 2005, 05:30 PM
#11
Keep in mind that:
1) Anyone who has the time to try a "dictionary" or "pattern-matching" brute force attack would simply steal your PC and take it with them (unless we're talking about a NSA workstation locked down to a desk).
2) *Any* password "keeper" program will incur its own liabilities on the system.
As long as you actually follow reasonable password guidelines, and don't keep it written down in the desk the system is sitting on, no normal "civilian" PC is really in any danger of the types of attacks that actually have a chance of succeeding.
You're much better advised to be careful with your credit-card transactions and to make yourself immune to phishing attacks... everything else can be reasonably controlled by common-sense deterrents.
Various Windows and Linux platforms...
-
July 11th, 2005, 06:41 PM
#12
Originally Posted by shiva_42:
...
2) *Any* password "keeper" program will incur its own liabilities on the system...
Could you elaborate on this, Shiva?
Nimo N152B (AMD R5, W11H) and plenty of other legacy systems :-)
-
July 12th, 2005, 07:11 PM
#13
One way to create a fairly random password you can actually remember is to take the first letter of each word in a favorite poem, song lyric, quotation, etc. Or the second letter, or ...
I disagree about not recording a password. Far more passwords are forgotten by the legitimate user than are "cracked" by hackers. Just don't put the record in an obvious location.
-
July 13th, 2005, 11:32 AM
#14
Originally Posted by K G G:
Could you elaborate on this, Shiva?
Sure. If security is truly a concern, anywhere you "write down" a password just provides additional resources for a hacker to attempt to break. *Not* writing down the password ANYWHERE, whether encrypted or not, is better protection than any password keeper program.
You notice I didn't suggest that nobody use such a program, just be aware of the additional liability.
Various Windows and Linux platforms...
-
July 13th, 2005, 06:20 PM
#15
Thanks Shiva.
And I don't have anything written down.
Nimo N152B (AMD R5, W11H) and plenty of other legacy systems :-)