Are your passwords as "secure" as you think?

MrKowz

I came across this interesting article about how passwords are cracked, and what you can do, as a user, to make your password even tougher to crack (without making it something like Nhsd923!!pz, which you KNOW will inevitably end up on a sticky note, attached to your monitor, in plain view of everyone... thus making it insecure).

http://www.baekdal.com/tips/password-security-usability

Basically, the article states that "...it is 10 times more secure to use "this is fun" as your password, than "J4fS<2"." By adding just two spaces to a password, it effectively completely destroys any realistic possibility that someone can "brute force" hack your password. Also, since it has more characters, that makes it harder to hack, and since it is easy to remember and type, it won't have to go on a sticky note! ;)

I'd recommend taking a look at the entire article, as it has some really good information!
 

What if sites/programs don't allow spaces (I know of about 10 that I use off that don't allow spaces).

Interesting read though.

I've always felt that you should be able to enter anything you want as a password rather than being forced to have a minimum of 20 characters with at least 2 capitals, 3 numbers, 10 punctuation marks and the batman symbol. It's your own fault if your password is "password".
 
I've always felt that you should be able to enter anything you want as a password rather than being forced to have a minimum of 20 characters with at least 2 capitals, 3 numbers, 10 punctuation marks and the batman symbol.
I completely agree. I understand that companies use that method to force people to use more secure passwords, but wouldn't having those restrictions (especially the companies that have almost 10 restrictions) give narrower parameters to hackers? They know that the password is x to y characters long and has z numeric values and each character can only be repeated once etc etc. Doesn't that actually make things easier for a hacker?
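The question in the post above can be put in numbers. This is an added example, not part of the thread: it counts how many passwords of a given length satisfy an "at least one of each class" rule and how many bits of search space that rule removes, assuming a uniformly random password over printable ASCII without the space; the class sizes and function names are assumptions made for the illustration.

```python
import math
from itertools import combinations, product

# Assumed character classes: printable ASCII without the space character.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def total_count(length, classes=CLASSES):
    """Every string of this length over the whole alphabet (no rules)."""
    return sum(classes.values()) ** length

def compliant_count(length, classes=CLASSES):
    """Strings containing at least one character from every class.

    Inclusion-exclusion: for each subset of classes, count the strings that
    avoid that subset entirely, alternating the sign with the subset size.
    """
    alphabet = sum(classes.values())
    sizes = list(classes.values())
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (alphabet - sum(excluded)) ** length
    return count

def bits_lost(length, classes=CLASSES):
    """Bits of search space the rule removes for a uniformly random password."""
    return math.log2(total_count(length, classes) / compliant_count(length, classes))

def brute_force_count(length, classes):
    """Cross-check by enumeration; only feasible for tiny alphabets."""
    alphabet = [(name, i) for name, n in classes.items() for i in range(n)]
    return sum(
        1 for s in product(alphabet, repeat=length)
        if {name for name, _ in s} == set(classes)
    )

if __name__ == "__main__":
    for n in (8, 10, 12):
        print(f"length {n}: {math.log2(total_count(n)):.1f} bits unrestricted, "
              f"rule removes {bits_lost(n):.2f} bits")
```

Under these assumptions the rule costs a fixed, small number of bits that shrinks as the password gets longer, while each extra character adds about 6.5 bits.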
 
I don't quite see how adding spaces in particular would break any 'brute force' method.

If it's something to do with the length of the password perhaps it would slow things down, but so would any character.
 
T'would be even stronger with a punctuation mark and some caps:

This Is Fun!

If there's (I'm guessing) 100,000 common words in the English language then three words is 100,000 ^ 3 = 999,999 trillion possible three word combinations.

I don't see why you wouldn't smash it into a single word and use some substitution and casing:

th1sizFUN_!


Funny but I've never used a space in a password so this suggestion is interesting. I'm not sure that spaces are allowed though all the time as part of a password (but again, I think it makes no difference to the strength of the password - I agree with Norie's point - just the three word combination already makes it stronger against dictionary attacks and brute force tries)
 
Does it really matter that much these days the strength of the password when there's stuff happening like the PS3 fiasco?
 
Does it really matter that much these days the strength of the password when there's stuff happening like the PS3 fiasco?

The author addresses this in his article (or his response...forgot which). But basically he blasts the system designers for requiring users to have complex passwords, but then skimp on their own protections. No amount of user password complexity can save it from a DB that gets hacked.

Also, the difference between This Is Fun! and th1sizFUN_! is the ease in remembering. His point is, he can't remember which letter he capitalized, which he switched to a number, etc. In terms of password strength, they're probably comparable (although I think he claims the simple password is actually stronger).

Really it seems the bulk of the "protecting the end users password from being hacked" revolves around a relatively simple password along w/ some basic db protection and log in attempt provisions (only allow X per hour, or Y number of attempts before a lockout, etc).

Either way, I thought the article linked and the author's followup were great reads. Thanks for sharing!
 
Another way to create passwords is to use a phrase; say FabledMuchJoking-- that's 16 different characters drawn from set of 52 (or more).

Each password can then be a hex string that selects characters 1 to 16. For example, you can put in your wallet lists of passwords like 8EC4AD56, which translates to cnkeJidM, which is pretty random.
 
I once worked in a place where one of the main IT guys had a text file saved on his desktop with all his passwords in it.

So, according to him, he only had to remember one password - his logon, and the name of the file - MyPasswords.txt. :)
 
I do a fair bit of tech work where, for whatever reason, the customer no longer remembers or never knew a password for some particular application, e.g. a previous employee set it up and has left, etc. There are very few passwords that cannot be cracked instantly no matter what characters or what length they are.

From my experience, WinRAR passwords are one of the very few PC-based passwords that are very difficult to crack, requiring 'brute force' where every combination of a password is checked 1 at a time. It's very slow. A 6 character password requires about 26,500,000,000 combinations (assuming 80 usable characters from keyboard).
 
