Reader Comments

Subscribe: RSS

View by: Time | Thread

• 

  Jeffrey Nonken (profile), 13 Nov 2014 @ 5:24pm

  
  

  Keepass + BtSync FTW.

  [ link to this | view in chronology ]

• 

  Lawrence D’Oliveiro, 13 Nov 2014 @ 5:51pm

  
  

  Longer Is Better Than More Characters

  8 random characters, uppercase only → 37.6 bits of entropy
  8 random characters, uppercase + lowercase + digits → 47.6 bits
  10 random characters, uppercase only → 47.0 bits
  12 random characters, uppercase only → 56.4 bits
  
  In other words, don’t sweat the special characters, go for password length.

  [ link to this | view in chronology ]

  • 

    Chronno S. Trigger (profile), 13 Nov 2014 @ 6:55pm

    
    

    Re: Longer Is Better Than More Characters

    I don't understand this rainbow tables and entropy. If I can have a password that's 8 character mixed case alphanumeric with specials, how is having an 8 character all lowercase password faster to crack?
    
    I really only understand brute force. The only reason lower case is faster to brute force is because lower case is usually tried first.

    [ link to this | view in chronology ]

    • 

      monkyyy, 13 Nov 2014 @ 9:47pm

      
      

      Re: Re: Longer Is Better Than More Characters

      You run the pure wordlist before you add the fuzz
      
      "sex" is a password you check before "s3x"

      [ link to this | view in chronology ]

      • 

        Chronno S. Trigger (profile), 14 Nov 2014 @ 6:27am

        
        

        Re: Re: Re: Longer Is Better Than More Characters

        So this rainbow tables and entropy stuff doesn't mean crap? We just have to social engineer our passwords.
        
        If "sex" is checked first because it's a real word then "s3x" because it's a real word with a number replacing a letter, then "kmk" would be more secure because it will be checked last since it's just random lettering.

        [ link to this | view in chronology ]

        • 

          Anonymous Coward, 14 Nov 2014 @ 7:43am

          
          

          Re: Re: Re: Re: Longer Is Better Than More Characters

          "kmk" ... [is] just random lettering.

          
          But "kmk" is a keyboard walk, at least on a QWERTY keyboard. The "k" key is diagonally-adjacent to the "m" key. Not good.
          
          On the plus side, you did include a repeated character. I notice that people attempting to create random sequences tend to include fewer repeats than expected from a uniform distribution. That is, they pick some random character, and then feel biased against it. Indeed, I'm always slightly surprised at the number of repeated characters I find in sequences drawn from a flat distribution.

          [ link to this | view in chronology ]

• 

  Christopher (profile), 13 Nov 2014 @ 6:07pm

  
  

  Bits of entropy

  but only if your "Entropic" character string isn't in a dictionary. Twelve characters in a dictionary is not the same as twelve non-word characters -- in any language. Dump a dictionary in English and then next four most used languages into your rainbow tables and you're still more successful than not.
  
  -C

  [ link to this | view in chronology ]

  • 

    Lawrence D’Oliveiro, 14 Nov 2014 @ 7:06pm

    
    

    Re: Bits of entropy

    I did say “random”, didn’t I?

    [ link to this | view in chronology ]

• 

  ChurchHatesTucker (profile), 13 Nov 2014 @ 6:22pm

  
  

  Less so than you'd think

  "correct battery horse staple" (which is probably a very insecure password now)
  
  Amusingly that was supposed to be easy to remember.

  [ link to this | view in chronology ]

• 

  Anonymous Coward, 13 Nov 2014 @ 6:52pm

  
  

  2 Factor Authenticate or Bust

  https://twofactorauth.org/
  
  Best list I've found of sites that support 2-factor authentication. If you aren't using 2-factor for your sensitive accounts... your stupid.

  [ link to this | view in chronology ]

  • 

    Chronno S. Trigger (profile), 13 Nov 2014 @ 7:00pm

    
    

    Re: 2 Factor Authenticate or Bust

    and for all that you're worth, do not reinstall the software that controls your second factor. I had to spend half an hour on the phone with Blizzard after I factory wiped my phone thinking that it was all controlled by hardware address, not a random install code.

    [ link to this | view in chronology ]

    • 

      Anonymous Coward, 14 Nov 2014 @ 3:59am

      
      

      Re: Re: 2 Factor Authenticate or Bust

      If you're worried about that you can always save a screenshot of the QR code or print it out. As long as you keep it safe (encrypted volume or locked cabinet) the risks to your security are minimal.

      [ link to this | view in chronology ]

  • 

    John Fenderson (profile), 14 Nov 2014 @ 8:33am

    
    

    Re: 2 Factor Authenticate or Bust

    The problem with 2 factor authentication is that you need to trust a third party with some sort of sensitive information. That's a no-go for me.
    
    My preferred method is to use randomly generated passwords that get changed very frequently and to use a password keeper to keep track of them.

    [ link to this | view in chronology ]

• 

  Spaceman Spiff (profile), 13 Nov 2014 @ 8:42pm

  
  

  Secret decoder ring

  Myself, I like passwords from 2000 year dead languages that are only relevant to myself, unguessable, and seeded with non-alphabetic characters. The chances of them being broken in a period shorter than that via a brute-force attack is unlikely. However, they are easy for me to remember, and the only way that they can be captured is if my system has had a key-logger installed that I don't know about. Given that all of my systems are not Windows-based, and have serious major anti-malware software and LAN hardware firewalls installed, the chances of that is pretty low...

  [ link to this | view in chronology ]

  • 

    Togashi (profile), 13 Nov 2014 @ 9:16pm

    
    

    Re: Secret decoder ring

    Since I'm using LastPass, even a keylogger wouldn't get my passwords. I don't even know any of them, I just let LastPass generate as long a password as they'll let me with as many character classes as possible, then I move on with my life knowing I won't have to remember it.

    [ link to this | view in chronology ]

    • 

      Ninja (profile), 14 Nov 2014 @ 2:26am

      
      

      Re: Re: Secret decoder ring

      God bless LastPass indeed. I even log into computers I don't trust with those one use master passwords! And it has multi-factor authentication too. I'm using Google Authenticator and I'm thinking of getting a Yubikey too. Password issues are a problem of the past.

      [ link to this | view in chronology ]

  • 

    Anonymous Coward, 14 Nov 2014 @ 8:26am

    
    

    Re: Secret decoder ring

    The chances ... is unlikely.

    
    Either you can calculate a min entropy, or you can't.

    [ link to this | view in chronology ]

• 

  Anonymous Coward, 13 Nov 2014 @ 10:15pm

  
  

  No need to remember anything

  http://www.passwordcard.org/

  [ link to this | view in chronology ]

  • 

    Anonymous Coward, 14 Nov 2014 @ 9:06am

    
    

    Re: No need to remember anything

    http://www.passwordcard.org/

    
    Did you notice that the card can be "regenerated" from a 16-hexadecimal digit identifier?
    

    Number
    
    This is the number of your card. Store it somewhere safe! If you want to regenerate a card you lost, type the number here and press Enter:
    
    f2c4a95cb6809779

    
    Further, the sample card has 8 rows and 29 columns. Then there are four cardinal and four intercardinal directions from any starting position.

    [ link to this | view in chronology ]

  • 

    John Fenderson (profile), 14 Nov 2014 @ 11:23am

    
    

    Re: No need to remember anything

    Good lord, that thing seems like the worst of all worlds.

    [ link to this | view in chronology ]

    • 

      Anonymous Coward, 14 Nov 2014 @ 11:30am

      
      

      Re: Re: No need to remember anything

      Good lord, that thing seems like the worst of all worlds.

      
      Well, on the surface, the (16*2^4) identifier space indicates that the sequences on the card are generated by some rule.
      
      How would you backdoor the card-generation rule so that the 8 row * 29 column starting position loses some of its surprisal?

      [ link to this | view in chronology ]

• 

  Zoleen (profile), 13 Nov 2014 @ 10:50pm

  
  

  Since I always forget my password, I write it in my notepad with date.

  [ link to this | view in chronology ]

  • 

    art guerrilla (profile), 14 Nov 2014 @ 8:59am

    
    

    Re:

    with your social security number and signature, too ? ? ?
    hee hee hee
    
    i'll mention again my 'system' for NON-CRITICAL passwords:
    make a prefix (say, 3f) make a suffix (say, u9), then take the website 'name' (or organization, or whatever) and append those...
    so, if this were for techdirt "3ftechdirtu9"...
    works for me...
    (AGAIN, NON-CRITICAL sites, for 'real' important sites, i use the random type stuff that is written down in my little black book...)

    [ link to this | view in chronology ]

• 

  Gracey (profile), 14 Nov 2014 @ 2:08am

  
  

  I have an index card for each site I have a password for (a real paper one, not digital). I store them in a most unlikely place. Where they're stored is written in a letter and kept with my will. That's for my 2 girls (hopefully, long into the future).
  
  Unfortunately, it does mean I have to remember them but then, I don't have passwords for hundreds of sites either. I have only a dozen sites I use regularly where I need a password.
  
  I don't sign up for membership and a lot of random sites. If you can't read or visit a site without signing up, I'll find somewhere else to get the information I need.
  
  When it gets to the point that I can't remember a dozen or so passwords, I'll turn in my computer.

  [ link to this | view in chronology ]

• 

  Anonymous Coward, 14 Nov 2014 @ 2:21am

  
  

  I tend to use a handful for the serious stuff. For banks I use a generated high entropy password of maximum allowable length. Really, I'd prefer it if my bank account could be set to operate on public private key pairs SSH-style.

  [ link to this | view in chronology ]

  • 

    Ninja (profile), 14 Nov 2014 @ 2:30am

    
    

    Re:

    My bank recently introduced fingerprints for physical use (ie: ATMs) and it has a google auth style authentication method for online banking. I can use an independent code generator, my phone or receive a sms with the code. I'm not quite comfortable with fingerprints though, the palm scanner another bank introduced seems much more secure for physical interactions.

    [ link to this | view in chronology ]

• 

  Anonymous Coward, 14 Nov 2014 @ 3:18am

  
  

  Too many sites where security is not necessary

  Bank, Professional society, the place I post my original writing: Strong password required.
  The huge number of websites where I need a password login to read articles or download a technical manual: Nope.
  
  We talk so frequently about password strength and a requirement for uniqueness. We never seem to address the proliferation of useless security. I really don't care if someone guesses my password and uses it to download extra copies of a technical manual. Most of those login systems are only in place to ensure the vendor has an email address for solicitation purposes anyway.

  [ link to this | view in chronology ]

  • 

    John85851 (profile), 14 Nov 2014 @ 7:28am

    
    

    Re: Too many sites where security is not necessary

    You're correct that tech manual sites shouldn't need a name and password, but this is exactly where security fails. Too many people will simply use their usual password so they don't have to remember yet another password for yet another site.
    Then hackers get into the tech manual site because it's not very secure- come on, who would want to break into a tech manual site? They don't even store people's credit card information.
    
    Yet once the hackers have the password, they can try it against the larger sites like Facebook, Amazon, or iTunes. And if any of the passwords match, the hackers have completely control of the account.

    [ link to this | view in chronology ]

• 

  Sheogorath (profile), 14 Nov 2014 @ 4:58am

  
  

  Better security

  F@c3b00kp@s$w0rdmyn@m3
  MTMSFY!

  [ link to this | view in chronology ]

• 

  Rikuo (profile), 14 Nov 2014 @ 8:50am

  
  

  I admit, I do have my passwords in a text document. The document is itself protected by a password and is not stored on my computer. It is instead stored on an old smartphone that is permanently disconnected from Wifi and is charged by a USB cable that plugs only into a charge socket, not into a computing device. The phone itself is encrypted.

  [ link to this | view in chronology ]

  • 

    MondoGordo (profile), 14 Nov 2014 @ 10:51am

    
    

    Re:

    that's pretty damn secure ... and not a little paranoid!
    
    Check out Steve Gibsons article on generating passwords that are memorable and hard to guess https://www.grc.com/haystack.htm
    
    my password manager password shows the following results for "crackability" using his tool and it's easy to remember, a pain in the ass to type, but easy to remember.
    
    Couple with your approach to storing pass words with his approach to generating memorable passwords and you're almost unhackable.

    [ link to this | view in chronology ]

    • 

      MondoGordo (profile), 14 Nov 2014 @ 10:52am

      
      

      Re: Re:

      Brute Force Search Space Analysis:
      Search Space Depth (Alphabet): 26+26+10+33 = 95
      Search Space Length (Characters): 26 characters
      Exact Search Space Size (Count):
      (count of all possible passwords
      with this alphabet size and up
      to this password's length) 2,663,234,997,260,162,
      196,476,097,223,547,872,
      948,519,727,017,017,120
      Search Space Size (as a power of 10): 2.66 x 1051
      Time Required to Exhaustively Search this Password's Space:
      Online Attack Scenario:
      (Assuming one thousand guesses per second) 8.47 hundred trillion trillion trillion centuries
      Offline Fast Attack Scenario:
      (Assuming one hundred billion guesses per second) 8.47 million trillion trillion centuries
      Massive Cracking Array Scenario:
      (Assuming one hundred trillion guesses per second) 8.47 thousand trillion trillion centuries

      [ link to this | view in chronology ]

      • 

        Anonymous Coward, 14 Nov 2014 @ 11:50am

        
        

        Re: Re: Re:

        When is it acceptable to calculate statistics for one distribution—and then to assume that those statistics are meaningful for a different distribution?
        
        Extra credit: When is min entropy less than Shannon entropy?

        [ link to this | view in chronology ]

• 

  JS, 14 Nov 2014 @ 9:30am

  
  

  https

  And make sure that the page you are entering your password on is https. Up until about 3 years ago, Facebook's login page wasn't.

  [ link to this | view in chronology ]

  • 

    Anonymous Coward, 14 Nov 2014 @ 9:33am

    
    

    Re: https

    And make sure that the page you are entering your password on is https.

    
    And make sure that the TLS certificate that your browser accepts is the expected one—chaining up to a trusted root CA.
    
     
    
     
    
    Oh, what?
    
     

    [ link to this | view in chronology ]

• 

  Anonymous Coward, 14 Nov 2014 @ 7:56pm

  
  

  I did say “random”, didn’t I?

  
  Dilbert: Tour of Accounting
  
  xkcd: Random Number

  [ link to this | view in chronology ]