WarriorForum - Internet Marketing Forums > The Warrior Forum > Main Internet Marketing Discussion Forum
10-11-2009, 03:14 PM   #1
zapseo (Judy K - WSOTD Copywriter, War Room Member)
You Are Asking To Be Pwned (a diatribe on passwords)

Nah.

Changed my mind.

I'm feeling less stressed now.

But for you, here's the bottom line.

This was prompted by downloading a file of usernames and passwords hacked from a well-known marketer's site.

(No, I'm not interested in breaking into your site. Last I checked, that's highly illegal here in the US; you can get thrown into jail and have your computer taken away from you, and be banned from using them for some period of time. I like my freedom, and I REALLY love playing with computers.)

I'm kind of a security wonk, which is why I downloaded it.

I was SHOCKED at the passwords people were using. I don't know. Maybe it was a free site or something, so having a secure password didn't matter so much.

If you use a password that can be found in a dictionary, your site can be hacked in extremely short order.

Good password hygiene:
1. don't use a password that can be found in a dictionary. ANY dictionary.
2. use BOTH upper and lowercase letters.
3. use a number or 2, or 3 (or more. Knock yourself out!)
4. if the site allows it, use special characters. (Emphasis on the "s").
5. Make your password at least 8 characters long.
edited to add:
6. Make them unique: each site should get its own unique password.

A few years back I offered security audits on certain kinds of sites. No one seemed to be interested. All they wanted to do was MAKE MONEY.
This is a good goal. But once you make it, don't you want to KEEP IT?

Identity theft is a horrible and miserable thing. I've only been exposed to the tip of the iceberg (had my CC# stolen). And it still cost me time and effort, preventing me from doing things that were far more enjoyable.

Oh, and if you use or create software -- make sure that the software encrypts the passwords in the database.

(yes, this really IS the shorter version, LOL.)

If you use insecure passwords and you get hacked, you have no one to blame but yourself.

Live JoyFully!

Judy

10-11-2009, 06:14 PM   #2
Scott Ames (Senior Warrior Member, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)
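An added checker for the rules above, written for this thread and not taken from the post; it covers rules 1 to 5 (rule 6 is about how a password is reused across sites, not a property of one string). The wordlist is a constructed stand-in for a real dictionary, and the rule 1 check also undoes common letter-for-digit swaps and catches glued-together dictionary words, because cracking rule sets do both.

```python
import re
from functools import lru_cache

# Constructed stand-in for a real wordlist (the post says ANY dictionary;
# a real checker would load a full one).
WORDLIST = frozenset({"password", "cowboy", "flowerpot", "flower", "pot",
                      "augusta", "warrior", "forum", "pass", "word"})

# Common letter-for-symbol swaps. Cracking rule sets undo these, so the
# checker undoes them too before looking the word up.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Lowercase the password and reverse the usual digit/symbol swaps."""
    return pw.lower().translate(LEET)


@lru_cache(maxsize=None)
def splits_into_words(s):
    """True if s is one dictionary word or a run of them (cowboy+flowerpot)."""
    if s == "":
        return True
    return any(s[:i] in WORDLIST and splits_into_words(s[i:])
               for i in range(1, len(s) + 1))


def check_password(pw):
    """Return the numbers of the rules from the post that pw fails."""
    failed = []
    if splits_into_words(normalize(pw)):          # rule 1: in a dictionary
        failed.append(1)
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        failed.append(2)                          # rule 2: mixed case
    if not re.search(r"\d", pw):
        failed.append(3)                          # rule 3: a digit
    if not re.search(r"[^A-Za-z0-9]", pw):
        failed.append(4)                          # rule 4: special characters
    if len(pw) < 8:
        failed.append(5)                          # rule 5: at least 8 long
    return failed


if __name__ == "__main__":
    for pw in ("password", "cowboyflowerpot", "P@ssw0rd", "twfi10tbtdp"):
        print(pw, "fails rules", check_password(pw) or "none")
```

"P@ssw0rd" passes rules 2 to 5 and still fails rule 1 once the swaps are undone, which is the point of checking the normalized form.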

Good reminder. If you use RoboForm it will generate passwords for you. I know it's hard sometimes to invent passwords to use.

Here are some other online password generators you can use:

Security Guide for Windows - Random Password Generator

Make Password: Online Password Creator

Secure Password Creator

Where to keep them? The best place is in your head, but not everyone can remember them all. You really shouldn't use the same password for everything, but be honest, how many of us do that? Since RoboForm I no longer need to use the same password for everything and it helps me to be more secure.

You can put them in a notebook, keep it in a safe, keep them in some secure password software, or put them in a document that is zipped with a password or secure.

Action is the foundational key to all success. - Pablo Picasso
10-11-2009, 06:25 PM   #3
zapseo (Judy K - WSOTD Copywriter, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)

RoboForm is preferred.
I wrote a report sometime back -- don't know where it is, and it needs to be updated, anyway -- on getting the best deal on RF. Part of what was included in the report was the conclusions of my research comparing RF to other solutions out at the time (about 2 years ago.)

While there are password creators/keepers out there that are free, at the time, they all tapped into the keyboard driver. This you do not want (although it does give you the potential to capture passwords in more places, like FileZilla, for instance.)

Why? Well, if your password keeper taps into the keyboard driver, it means that the passwords, when used -- even though you did not physically type them in -- can be picked up by a keylogger.

With RF, a keylogger still doesn't get your passwords.

Scott, is that your response to the FTC hoopla, there in your sig?

Live JoyFully!

Judy

Copywriter, Geek and General all-around professional curmudgeon.

10-11-2009, 06:37 PM   #4
Scott Ames (Senior Warrior Member, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)

Quote:
Originally Posted by zapseo View Post

Scott, is that your response to the FTC hoopla, there in your sig?
Ha ha... I never thought of that, but it well could be!

Action is the foundational key to all success. - Pablo Picasso
10-11-2009, 07:28 PM   #5
George Wright (You R GREAT if you are A, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)

Great Advice Judy,

One thing more: concerning PayPal, USE THE SECURITY KEY, which is $5, or the Cell Phone Security Key, which is free.

If you use one of the above you could publish your password online and in the newspapers and people still could not break in to your PayPal account.

George Wright

Keep Looking
10-15-2009, 03:01 AM   #6
zapseo (Judy K - WSOTD Copywriter, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)

LOL, I hadn't read it, but subsequently discovered that the folks at gmail had been thinking about password security too:

Official Gmail Blog: Choosing a smart password

10-15-2009, 03:05 AM   #7
phil.wheatley (Advanced Tea Maker, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)

Thanks for that, good point.

It's also easy to fall into the trap of using the same password across different accounts, a bad habit but easily done. I now keep mine in a spreadsheet, each tab relating to whether it is email passwords, forum passwords etc.

Phil

10-15-2009, 12:33 PM   #8
JohnMcCabe (Happy Hooker, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)

Can't remember where I saw it (Wired, maybe?), but a company put out a paper on this same subject. Seems they were getting hacked regularly.

A security company did an audit and found that many employees had the same password - "password". The next most popular was "1234", followed by the company name.

After the audit, employees no longer got to pick their own passwords. The admin for the company assigned passwords based on the security company's recommendation, and they changed every month.

Having acquired a healthy paranoia, they made putting your password on a sticky note on your monitor a serious offense.

Maybe the security experts can comment, but it seems like dictionary attacks can be thwarted to some extent by using two or more words that are unrelated or unlikely to be put together. For example, how likely is it that someone using a dictionary attack would pick up "cowboyflowerpot" as a word?

Edit: I just noticed that my example could be read as 2, 3 or 4 words...

Salad is not food. Salad is what food eats...
-- The REAL PETA, People for Eating Tasty Animals
"I did not fight my way to the top of the food chain to eat tofu!"


10-15-2009, 12:55 PM   #9
actionplanbiz (edgedweapons, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)
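A worked comparison of the search space behind the question above, added here as an illustration and not part of any post in the thread. It assumes a 100,000-word attacker wordlist, 95 printable ASCII characters, and that the attacker's rule set tries each common letter-for-digit swap both ways, so every swappable letter adds at most one bit; it also covers the swapped variant (c0wb04f10w3rp07) that comes up later in the thread.

```python
import math

DICT_SIZE = 100_000            # assumed size of an attacker's wordlist
PRINTABLE = 95                 # printable ASCII characters
LEET_LETTERS = set("aeilost")  # letters with a common digit/symbol swap


def bits_words(n_words, dict_size=DICT_SIZE):
    """Search space, in bits, of n_words wordlist entries glued together."""
    return n_words * math.log2(dict_size)


def bits_leet(phrase):
    """Extra bits if each swappable letter may or may not be replaced (upper bound)."""
    return sum(1 for c in phrase.lower() if c in LEET_LETTERS)


def bits_random(length, alphabet=PRINTABLE):
    """Search space of `length` characters drawn uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def compare(phrase, n_words):
    """(plain words, words plus leet swaps, random string of the same length), rounded."""
    plain = bits_words(n_words)
    return (round(plain, 1),
            round(plain + bits_leet(phrase), 1),
            round(bits_random(len(phrase)), 1))


if __name__ == "__main__":
    print("cowboyflowerpot as 2 words:", compare("cowboyflowerpot", 2))
    print("same phrase as 3 words:   ", compare("cowboyflowerpot", 3))
    print("8 random printable chars: ", round(bits_random(8), 1))
```

Two glued words from a 100k wordlist come to about 33 bits, the swapped variant of the same length to about 40, while 15 random printable characters would be about 98; the swaps help at the same length, but the attacker still only has to guess words and a handful of substitutions.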

How is the Firefox password reminder? Is it secure?

10-15-2009, 01:53 PM   #10
Ghalt (HyperActive Warrior, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)

I heard a good tip about passwords:

Come up with a sentence that is easily remembered, and use the first letter from each word.

Something like "The Warrior Forum is 10 times better than Digital Point."

That would be: twfi10tbtdp

I look at that password and never could remember it, except the sentence is pretty easy to remember.

Or:

My wife likes to plant flowers in her garden -- mwl2pfihg

substituting a '2' for 'to'...clever, no?

You get the idea.

Got eBook?

Save money - make your eBook Cover yourself with free software (GIMP), and our detailed guide: http://www.makeebookcovers.com
10-15-2009, 03:31 PM   #11
whateverpedia (Yeah, yeah, whatever, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)

Quote:
Originally Posted by JohnMcCabe View Post
"cowboyflowerpot"
Damn, there goes my password!

10-15-2009, 05:45 PM   #12
zapseo (Judy K - WSOTD Copywriter, War Room Member)
Re: You Are Asking To Be Pwned (a diatribe on passwords)

Two stories.

I worked for a public networking company before there was a really public Internet -- by the name of ... well, I worked for Tymshare and the network was named Tymnet. Due to regulatory issues, there was Tymnet the company, a wholly owned subsidiary of Tymshare.

There was a pdp (a brand name of a computer mfr, for a line of computers) guru in another part of the company (we sold, after all, "timesharing services" -- which actually came before Tymnet) who performed the first dictionary attack I'd ever heard of. He simply encrypted the dictionary (no, I don't know where he found a digital copy of the dictionary -- this was back in ... probably the early 80s.) He didn't have a hard time finding the algo we used to encrypt passwords, so he just took the algo and used it to encrypt the dictionary. Whammo! Yes, tons of very weak and easily guessable passwords. (Anyone remember the movie "War Games"?) Some guy who was in Georgia, his password was Augusta. Hmmmm....

I worked on the Sun Microcomputer "campus" while working for a joint venture between Sun & Thomson of France (later to become the public company OpenTV). We had a ton of French Ph.D.'s in our tiny "company" (about 50 people). They had the root password to nearly every Sun machine in our area set to the same password. Had Sun known -- they would have had a fit, LOL. (I, however, changed the root password on the machines for which I was responsible -- because of the sensitive nature of what I did.)

But that password was known -- easily -- by every Frenchman (don't recall any French women, come to think of it. We had women, women engineers, women Ph.D. engineers -- just not French women Ph.D. engineers. Go figure.). It consisted of alternating upper and lower case initials to the name of a popular French movie. (No, I don't remember the password, and never really knew the name of the movie. It wasn't a recent movie -- I guess some sort of classic.)

As for multiple word names ... I know less about this, but my brief forays into places where security is a topic (both good guys and bad guys) suggest that multi-words do not protect you that much. Certainly not anything like using special characters, numbers and upper and lower characters. Check out the numbers in the Gmail blog article.

Live JoyFully!

Judy

PS It's so dang simple -- though at times annoying and inconvenient -- to use a complex password, compared to other forms of security measures you could take.

PPS Why not use multi-words AND all of the above, too? Certainly c0wb04f10w3rp07 would be more secure than just c0wb04 -- and not just because it's longer, either.


Last edited by zapseo; 10-15-2009 at 05:49 PM. Reason: some of my language seemed to have fallen over the cliff. Hopefully corrected now.
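The two halves of the Tymshare story, and the "encrypt the passwords in the database" advice from the first post, as an added example that is not from any post here. One fixed transform on the password lets the dictionary be transformed once and matched against every user's stored value; a per-user random salt plus a slow KDF (PBKDF2 here, chosen for this example) leaves nothing to precompute. The wordlist and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary in the story.
DICTIONARY = ["augusta", "atlanta", "cowboy", "flowerpot", "password"]


def unsalted_hash(pw):
    """How the story's system stored passwords: one fixed transform, no salt."""
    return hashlib.sha256(pw.encode()).hexdigest()


def precomputed_table(words):
    """Transform the wordlist once; the result matches every user's stored value."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(stored, table):
    """Recover a weak password from an unsalted store with a single dict lookup."""
    return table.get(stored)


def store_salted(pw, iterations=100_000):
    """Per-user random salt plus a slow KDF: nothing carries over between users."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(pw, record):
    """Recompute under the stored salt and compare in constant time."""
    salt, iterations, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return hmac.compare_digest(guess, digest)


def table_hits_salted(record, table):
    """Does the precomputed table match a salted record? It never should."""
    return record[2].hex() in table


if __name__ == "__main__":
    table = precomputed_table(DICTIONARY)
    print("unsalted 'augusta' ->", lookup_unsalted(unsalted_hash("augusta"), table))
    rec = store_salted("augusta")
    print("salted 'augusta' in table?", table_hits_salted(rec, table))
    print("verify correct password:", verify_salted("augusta", rec))
```

Two users with the same salted password get different digests, so even a leaked database gives the guru's trick nothing to match against across accounts.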