Are your passwords as "secure" as you think?

[xenou]

from my experience, winrar passwords are one of the very few PC based passwords that are Very difficult to crack, requiring 'brute force' where every combination of a password is checked 1 at a time. its very slow. a 6 character password requires about 26,500,000,000 combinations (assuming 80 usable characters from keyboard)

Apropos this thread, what about a 12 character password made up of all letters (assuming the average combination of common word has 4 letters in it and we have three of them - or 14 if you include two spaces).

I can't agree that all passwords are instantly crackable. When you say brute forcing 26 billion combinations is slow, how slow is it? I've really no idea - the link from the OP says 219 years (which doesn't qualify it as a strong password but is very far from being instantly cracked - I would in any case consider 8 characters the minimum for any password).

 

[arkusM]

I once worked in a place where one of the main IT guys had a text file saved on his desktop with all his passwords in it.

So, according to him, he only had to remember one password - his logon, and the name of the file - MyPasswords.txt.

. Guilty. Bwahahahaha.
Though according to one of our IT guys there are other easy ways into out network...

 

[schielrn]

I just stick to passwords like:

myBankPassword
myE-mailPassword
myMrExcelPassword

They are all typically at least 14 characters and capitalize each new word. And then add a number as needed. I can't give away my lucky number though, then everyone would know my passwords.

 

[sous2817]

I just stick to passwords like:

myBankPassword
myE-mailPassword
myMrExcelPassword

They are all typically at least 14 characters and capitalize each new word. And then add a number as needed. I can't give away my lucky number though, then everyone would know my passwords.

That seems like as good idea as any...maybe I should switch my password methodology...

 

[JamesW]

I don't quite see how adding spaces in particular would break any 'brute force' method.

If it's something to do with the length of the password perhaps it would slow things down, but so would any character.

I'm guessing because a password that has no spaces means you are checking for 26 characters (lets say the alphabet is all that is here) + another 26 for all those capitalised.

Adding a space means you are searching for 1 more character anywhere in the password - I'm rubbish at maths but I know it's alot harder to crack with a space (1 extra character that people don't use much).

 

[schielrn]

The thing that puzzles me, is some major US Banks still do not care about case-sensitive passwords, because I can type my password in any case I want.

And a different bank I was with set up my initialy username as my social security number and never forced me to change it?

These are just an example of 2 different bank accounts I have had, but it goes back to should the bank (company) require such stringent passwords or leave it up to the user to make it as secure as you want it to be.

 

[MrKowz]

The thing that puzzles me, is some major US Banks still do not care about case-sensitive passwords, because I can type my password in any case I want.

And a different bank I was with set up my initialy username as my social security number and never forced me to change it?

These are just an example of 2 different bank accounts I have had, but it goes back to should the bank (company) require such stringent passwords or leave it up to the user to make it as secure as you want it to be.

I think it is up to both. The institution should force their clients/users to have a certain level of security to protect their own good. It is akin to laws; laws are there for our protection because there can be dire consequences if they aren't followed (in this case, identity theft). Also, forcing a certain level of security protects the user who truly doesn't understand network security. Take your average senior citizen who is just getting into online banking: they usually don't understand what identity theft is, why it is dangerous to have a "weak" password, etc. Without forcing them to have a decently strong password, their password usually is something like "pass", "123456", or even their name!

I am a fan of security that forces a password of at least 6 characters in length, allowing letters, numbers, are case sensitive, and require at least one capital letter. Without forcing the capital letter, most users would use just lowercase (which hackers can target first with the brute-force method). By forcing an uppercase, that at least forces the hackers to check the first character 26 more times, since most users will only capitalize the first letter.

What I like to do with passwords is incorporate "leet-speak", which is the coined name for substituting numbers for letters. For example:

• 1=L
• 3=E
• 4=A
• 5=S
• 6=G
• 7=T
• 8=B
• 9=Y
• 0=O

By using this, a simple word like "Guinness" (our favorite brew), can easily be made into 6uiNN355, or 6UinN355, etc...

 

[xenou]

Another strategy for creating a strong password is to use the first letter of a favorite phrase:

But I have that within which passeth show;
These but the trappings and the suits of woe."

bihtwwpstbttatsow

If a number and a special character are required (as more often are now):

b!htwwpstbttats0w

Something like this is a good candidate for a master password as it can be very long but also easy to recall (I use one such that is 30 characters long). There are some good password managers that would work well this way - you remember your master password and it handles creating and managing any number of very strong passwords for you.

 

[MrKowz]

I like that, xenou!

"Four score and seven years ago, our fathers brought fouth on this continent a new nation, conceived in liberty and dedicated to the proposition that all men are created equal"

fsasyaofbfotcannciladttptamace

or

4sa7yaofbfotcannciladttptamac=

As far as password managers... I never trust a program to manage my passwords for me, as all that takes is a single hack (or datamining or keylogging) to get ALL of my passwords.

 

[Joe4]

I just stick to passwords like:

myBankPassword
myE-mailPassword
myMrExcelPassword

They are all typically at least 14 characters and capitalize each new word. And then add a number as needed. I can't give away my lucky number though, then everyone would know my passwords.

I use something similar to this (though a formula). Using the same password for multiple things can be dangerous (especially with financial institutions), as if they crack one, they can get into your other accounts.

The nice thing about this method is you have a different password for every program (but only have to remember one formula). So if someone is lucky enough to hack one password, they can't break into anything else with that.