Passwords: The not to use

Yes and no. It's good because you're more likely to remember it, it's bad because if someone gets one password they've got everything.

I go for a mixture - I use one password for everything that I don't really care about, and a different password for things that I do. Important things like bank details and email accounts for me all use separate passwords. Things that I know are at risk from being stolen (unreliable forums for instance) have unique passwords. Everything else usually gets lumped with one of a few others.

Different people will tell you different things in regards to security, but in reality we're all old enough now to know that using your first name is a bad idea. Find a plan you think is sensible and stick with it.
 
Yer I probably wouldn't use it for important stuff but I use it for forums, facebook and twitter.
 
It's also probably not the wisest move ever to announce what specific accounts share passwords ;)
 
A bit of a tangent here - but many password policies in companies these days have exactly the opposite effect of what they set out to do. In theory they might produce the most secure passwords on the planet, but it's how people implement these policies that's often their downfall.

Take the classic "change your password every 28 days" example. This is forced upon you by most companies I've seen, the idea being that if anyone does find out your password they only have a shortened time window in which to do anything. In practice though, this backfires for a few reasons:

- People can't, and won't, think up different unique passwords for each month. It'll generally be something like pass, pass01, pass02, pass03 and so on. Which pretty much invalidates the whole policy (if you find out a password and it's pass05, it's not too hard to guess what the next one might be!)
- The people that do create unique passwords will likely write them down somewhere on their desk to remember them - this undermines pretty much everything if they're found by a casual passer by!
- However short the time window is for an attacker to work, they can most likely still do all the damage and retrieve all the data they like given a day or 2. So unless you make people change their password every day, this policy is pretty useless anyway.

Another point - it's true that non-alphanumeric characters and a mix of non-dictionary words make a strong password. But in practice this usually makes next-to-no difference. How come? Well, if you think about it there's a number of ways an attacker could break a password:

- He could use social engineering techniques to make a good guess at what it is
- He can find it stored somewhere unencrypted (or stored using a weak encryption algorithm)
- He could find a way to delete it and create a new one
- He could brute force it by trying every combination against a hash until he finds the right one.

Now, I'm willing to bet most passwords compromised are in the first category, and the next two also play a relatively decent role. But the chances of an attacker finding out a password via brute forcing it are pretty much 0, and unless your account is of some considerable value most won't bother. Obviously don't use dictionary passwords because they're really easy to break (they go into the second category more than the fourth.) But even using numbers is secure enough for most purposes.

I'm not trying to downplay security here at all, it's important and it's something we should all be taking note of. What I am trying to highlight is the biggest weakness - humans. It's all very well having these amazingly secure encryption algorithms, but if from a human level people take steps to circumvent them (intentionally or otherwise) then the whole thing is blown wide open. The most secure password in the world written down on a desk somewhere can suddenly become the least...
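The rotation complaint above (pass, pass01, pass02 ...) has a defensive counterpart: at change time, when the user supplies both the old and the new password, reject a new password that is a predictable variant of the old one. This is example code added here, not code from this thread or from any product mentioned in it; the function names and the edit-distance threshold are my own choices.

```python
import re

# Constructed example. A real system only stores a hash of the old password,
# so this comparison can only run during a password change, when the user
# has just typed both the old and the new password in cleartext.

_TRAILING = re.compile(r"^(?P<stem>.*?)(?P<num>\d*)$")


def _stem(password: str) -> str:
    """Lower-case the password and strip any trailing run of digits."""
    return _TRAILING.match(password).group("stem").lower()


def _levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_predictable_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is the kind of variant an attacker would guess from `old`."""
    if new.lower() == old.lower():
        return True
    # "pass", "pass01", "pass02", ... all share the stem "pass"
    stem_old, stem_new = _stem(old), _stem(new)
    if stem_new and stem_new == stem_old:
        return True
    # Tiny edits such as "Winter2023!" -> "Winter2024!" are just as guessable
    return _levenshtein(old.lower(), new.lower()) <= max_distance
```

A policy that calls this check still lets the user pick anything genuinely new; it only refuses the increment-the-number habit the post describes.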
 
I heard a story of a guy who worked in a development sector for some software company (story told by an administrator at my place of study). He sellotaped a piece of paper with his password on it underneath his keyboard, the administrators did an after-hours check of the office one night and he got fired for it.

I think this illustrates what berry said about putting passwords on desks and stuff xD
 
I suppose using a program such as Norton Identity Safe would be a bad idea in regards to protecting my passwords? I am having problems managing all the passwords as I have close to around 50 different passwords and probably well over 100 accounts. These range from bank accounts, work passwords, e-mail addresses, online storage passwords, passwords for forums, social networking sites and so many more. Identity Safe makes life so much easier by storing my passwords and automatically filling them out, but whether this is truly safe is the question?
 