Forums » Security » Stupid User Tricks: Password Selection - "WORD1"


PolarBear
The bear formerly known as aaron8301
Premium
join:2005-01-03
·CableOne

reply to alanhdsl
Re: Stupid User Tricks: Password Selection - "WORD1"

But it's VERY hard for a MySpace phishing bot to get the password from the yellow sticky note on the side of your monitor. Or any hacker, for that matter. All you have to worry about is the FBI raiding your house, and your evil little sister...
--
A computer lets you make more mistakes faster than any other invention, with the possible exceptions of handguns and Tequila. -- Mitch Ratcliffe


AB
Premium
join:2006-04-04
Leesburg, VA


1 edit
reply to alanhdsl
said by alanhdsl:

Those may be good passwords, but now you're inviting a yellow sticky note with "3REfrure" written on it.

The challenge is that good passwords are hard to remember, so people either pick simple ones and/or write them down. I'm not sure there's a good solution.
Actually, the only challenge is to use something that's complicated, unique, and easy to remember-- or to discover if forgotten.
Sound tough? Not so! (Provided long passwords are allowed, at any rate.)

An example: #MoM:(555)893-12743215#

This is my mother's phone number (obviously not really) followed by her street address number.
All I have to remember, besides the phone number and street address, is that I use a lower case 'o' (or upper case 'm's) at the beginning along with a colon, and surround it with 'pound' signs.
Or I could put 'MoM' at the end instead of the beginning if I wanted to.
And of course my mother's phone number & street address are things that I'm likely to have memorized anyway. As well as that they are easily recovered should I forget them.

The point is that this is a very complicated password that's also not very difficult to remember, therefore negating any need to write it down.
All of my important passwords are structured similarly, and are written down nowhere-- certainly not as passwords, at any rate.
I've always found this to be a quite workable solution.

For stuff like logging into newspaper sites, it's 123 or whatever, because who cares?

Now, getting someone to actually spend the 5 or 10 minutes it takes to come up with a decent password is an issue of its own.

Mele20
Premium
join:2001-06-05
Hilo, HI

The problem with long passwords, and especially all those numbers, is that you can't see what you are typing. Way too easy to transpose numbers. I'd probably type that a dozen times and never get it right and some sites only allow three attempts. I only use complex passwords for banking sites and didn't do it for them until recently.

There is no reason to x out passwords on the screen if the user isn't somewhere that others look over his shoulder or take photos from a distance. I always have wondered why that is done. That should be something that a user turns on if they need it otherwise what you are typing should show up on the screen. I'm always mistyping a password, even one that is not complicated and that I have typed many times, and it irritates me that I can't tell what I am typing.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason


RARPSL

join:1999-12-08
Suffern, NY

reply to 8744675
said by 8744675:

Somewhere I heard that the most commonly used password is 'password', and I believe it.
There are two reasons. First it is easy to remember for those who use it. Second, and I think an even more important reason - The user is not that sophisticated/computer-literate and when the computer asks for the password (by saying "Enter Password"), the user thinks it is telling him/her to enter "PASSWORD" so they do.


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
Spokane, WA
·WebBand

reply to Mele20
I use "normal" length and complexity passwords on the average sites, although I don't use anything less than 8 chars and mixed case with numbers.

I have a textfile for the really long ones like banking and Paypal.

Those ones are mixed-case alphanumeric with symbols and over 12 chars long. (one is over 32 chars)

I Copy/Paste 'em, so no worries.

-CaFF
--
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein

Need an Avatar? Check out Wafen's Avatar Pages


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to C DM
said by C DM:

So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?
*I* was not running a phishing site...the malware, the botnet, and the miscreant were...I only allowed it to be active for a short period of time....the only reason I let it run for 12 hours was I thought it wasn't doing anything.

My goals are not "research" oriented...unfortunately, I can't elaborate on that point.

I agree that these tactics push the envelope but believe they are essential to countering cybercrime.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to Mele20
The problem with long passwords, and especially all those numbers, is that you can't see what you are typing.
My most important passwords are, I hope, hard to guess but easy enough for me to remember. There are very few of these.

For the rest, the passwords are in an encrypted file (actually an encrypted email to myself). I can decrypt, then cut and paste, to be sure I type it in correctly. The encryption pass phrase is one of those "most important passwords."
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.4

Mele20
Premium
join:2001-06-05
Hilo, HI

Gee, mine are all in two different folders. One for banking and another for all other passwords. All passwords for the past more than 8 years are there...lots and lots of them. It is quite irritating to have to go look up a password every time I have to log in somewhere. The one for here is the only one I remember. I wish a fingerprint thingy worked with Fx...I think those still work only with IE.

I never have understood why I can't turn off the hiding of the password I type. There is no one here to see it so why can't I turn that off? I should be able to do that. It should be turned off by default for home users seems to me.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason


natedj
Elected
Premium
join:2001-06-06
Columbia, SC
·Earthlink Cable Mo..


2 edits
reply to NetWatchMan
To me passwords are a headache, but it is even more so if not used. So to simplify my passwords I use a line in a song, a favorite movie line or a bible verse.
E.g. Movie quote "My name is Bond, James Bond" = password MNIBJB. If an alpha-numeric password is required, I'll add something pertinent to the phrase ... like 007
That way you can never forget it, it's not found in the dictionary and it can be really long too, if you know the lyrics to a favorite song, or whatever you choose.
--
Good judgement comes with experience...Experience comes after bad judgements


Owlbet
Ignite the Ice
Premium,MVM
join:2002-09-24
Palmer, AK

reply to PolarBear
said by PolarBear:

But it's VERY hard for a MySpace phishing bot to get the password from the yellow sticky note on the side of your monitor.
Silly move on my part but done out of convenience for another adult member of my household: I wrote the user name and password for our router on the top of the router.

I recently had DTV installed. The first thing I did after the installer left was change the password on the router and black out the information I had previously written on it.

The other adult member now carries a laminated business card in his wallet with the router information on it.


angussf
Premium
join:2002-01-11
Tucson, AZ

reply to caffeinator
said by caffeinator:

I have a textfile for the really long ones like banking and Paypal.
IIWY I would get some sort of encrypted password store instead of a text file. I use a Palm device, so I use YAPS with the YAPSviewer program on my desktop that allows me to cut-and-paste from the datastore. There are other packages, including OSS ones like KeePass Password Safe
»keepass.info/ so cost shouldn't be a concern here. That way you memorize ONE long complex password (to the password database) and look up all the rest, yet if someone steals your computer / laptop / PIM device, you haven't lost anything.


technick
Premium
join:2000-12-16
Loganville, GA

reply to Doctor Four
said by Doctor Four:

The MySpace crowd aren't really all that security savvy to begin with. So encountering this is not surprising in the least.
Well yea, you didn't get the memo? Facebook is where the smart people hang out at...
--
"Our greatest glory consists not in never falling, but in rising everytime we fall." - Confucius

Bellsouth Free Since 10/05 - To Hell With Bellsouth
Advocatus Diaboli


Streamfire.net


technick
Premium
join:2000-12-16
Loganville, GA

reply to David
said by David:

Well if I may offer this little tidbit, this is the best password generator I have seen and seems to work rather well.

»www.pctools.com/guides/password/

Now there is no excuse as to why the myspace crowd can't create a more complex password.
I use this on the fly for my users, works well and most of them are easy enough to remember.

At one point a few years ago before I found the above website, I used a program called pwgen, I believe it was in the debian apt repos.
--
"Our greatest glory consists not in never falling, but in rising everytime we fall." - Confucius

Bellsouth Free Since 10/05 - To Hell With Bellsouth
Advocatus Diaboli


Streamfire.net
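Added example (editor's code, not from any poster in this thread and not the pctools or pwgen tool mentioned above): a generator of the kind technick is describing, plus the entropy accounting that tells you how much a given length and alphabet actually buys. The symbol set, the toy word list and the "8 chars, mixed case with numbers" policy check are assumptions chosen for illustration; a real Diceware-style list has 7776 words, and the passphrase entropy below is computed for that size.

```python
import math
import secrets
import string

# Assumed symbol set for the character-class password; any printable set works.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 26 + 26 + 10 + 26 = 88

# Constructed toy wordlist; a real Diceware list has 7776 words.
WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor",
         "iris", "juniper", "kelp", "lantern", "meadow", "nickel", "orbit", "pepper"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`.
    Only valid for uniformly random choices: a phone number or a song acronym
    has far fewer bits than its character count suggests."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16) -> str:
    """Character-class password guaranteed to contain lower, upper, digit and symbol.
    Uses the `secrets` CSPRNG, never `random.random()`."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def random_passphrase(n_words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: n words chosen uniformly, with replacement."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen passphrase; depends on list size, not word length."""
    return entropy_bits(wordlist_size, n_words)


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """The thread's rule of thumb: at least 8 chars, mixed case, with a digit."""
    return (len(pw) >= min_len and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw))


if __name__ == "__main__":
    pw = random_password(16)
    print(pw, f"{entropy_bits(len(ALPHABET), len(pw)):.1f} bits", meets_policy(pw))
    phrase = random_passphrase(6)
    print(phrase, f"{passphrase_entropy_bits(6, 7776):.1f} bits for a 7776-word list")
```

Note that `meets_policy` accepts "3REfrure" from earlier in the thread and rejects "WORD1"; it says nothing about whether a password was chosen at random, which is what the entropy figures assume.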


technick
Premium
join:2000-12-16
Loganville, GA

reply to NetWatchMan
said by NetWatchMan:

*I* was not running a phishing site...the malware, the botnet, and the miscreant were...I only allowed it to be active for a short period of time....the only reason I let it run for 12 hours was I thought it wasn't doing anything.

My goals are not "research" oriented...unfortunately, I can't elaborate on that point.

I agree that these tactics push the envelope but believe they are essential to countering cybercrime.
I couldn't agree more, the only way to be secure is to know all the possible angles of attack and how to counter them efficiently while moving forward.
--
"Our greatest glory consists not in never falling, but in rising everytime we fall." - Confucius

Bellsouth Free Since 10/05 - To Hell With Bellsouth
Advocatus Diaboli


Streamfire.net


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
Spokane, WA
·WebBand

reply to angussf
said by angussf:

IIWY I would get some sort of encrypted password store instead of a text file. I use a Palm device, so I use YAPS with the YAPSviewer program on my desktop that allows me to cut-and-paste from the datastore. There are other packages, including OSS ones like KeePass Password Safe
»keepass.info/ so cost shouldn't be a concern here. That way you memorize ONE long complex password (to the password database) and look up all the rest, yet if someone steals your computer / laptop / PIM device, you haven't lost anything.
Yeah, that's true..I should try that at some time.

In my situation, it's not much of a risk, as nobody else is ever here, and it's only a couple passwords. Also, they're not easily identified as such, just a couple lines amongst 100's of lines of other text.

I know what line it is, but others wouldn't.

Most all of my website passwords are kept in Opera's Wand.

(yeah, I know it's only MD5 hashed and can be recovered easy enough, but the chance of anyone getting to my computer three flights up in a locked security building is slim.)

Could my system be penetrated?
Maybe, but it hasn't happened yet in 15 years.

Besides, I have no money in the bank to take, no CC's, no credit, Nada. GL with stealing my identity..it'd be of no use to anyone. The only time I ever worried was when I got my wallet stolen awhile ago...much more bothersome than worrying over computer passwords IMO.

Simply put, I don't live like "normal" folks, so a lot of those rules aren't needed for me.

Thanks for mentioning it though.

-CaFF
--
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein

Need an Avatar? Check out Wafen's Avatar Pages


ZOverLord
Premium
join:2003-10-20
Minneapolis, MN

reply to NetWatchMan
If everyone ran a bot for research, would there be any hackers?

Be careful, there are laws that say what you did was illegal, depending on where you were located, and a "Paris Hilton" defense these days, won't help much, and you did get real logons and passwords
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com


Drunkula
Premium
join:2000-06-12
Denton, TX
·Verizon FIOS

reply to EGeezer
ROT-13? ROT-26? Not very secure at all! Actually I never heard of ROT-26 but wouldn't that be the same as not encoding it at all? If there are 26 characters in the English alphabet and you 'rotate' to the character 26 ahead don't you end back right where you started from (it is a rotate and not a shift)?
--
Go away or I will replace you with a very small shell script.


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
Spokane, WA
·WebBand


1 edit
said by EGeezer:

I'm thinking about using dictionary passwords, but encrypted in ROT-26. Twice as secure as ROT-13 ...
Oh, JFYI, here's an online tool to encrypt/decrypt a piece of text according to the algorithms ROT5, ROT13, ROT18 or ROT47

»netzreport.googlepages.com/onlin···_47.html

-CaFF
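Added example (editor's code, not posted by anyone in this thread and unrelated to the linked ROT tool): a ROT-N implementation plus a tiny rule-based dictionary cracker of the kind that makes the ROT-13 joke above literal. Rotating a dictionary word is just one more mangling rule, ROT-26 is the identity, and "WORD1"-style passwords fall to "uppercase + append digit" within a couple of hundred guesses. The word list and the SHA-256 targets are constructed for the demonstration.

```python
import hashlib


def rot_n(text: str, n: int) -> str:
    """Rotate ASCII letters by n positions; everything else passes through.
    rot_n(x, 26) == x, and rot_n applied twice with 13 is also the identity."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


# Constructed mini wordlist standing in for a real dictionary / leaked-password list.
WORDLIST = ["password", "letmein", "monkey", "dragon", "summer", "word", "secret", "mom"]


def candidates(wordlist):
    """Yield (candidate, rule) pairs: the mangling rules a cracker applies to each word.
    25 candidates per word, so the whole space here is only 200 guesses."""
    for w in wordlist:
        yield w, "as-is"
        yield w.capitalize(), "capitalize"
        yield w.upper(), "upper"
        yield rot_n(w, 13), "rot13"            # "encrypting" the word in ROT-13 does not help
        for d in "0123456789":
            yield w + d, "append-digit"
            yield w.upper() + d, "upper+digit"  # the thread title's "WORD1"
        yield w + "123", "append-123"


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256, as a stand-in for whatever the target site stores."""
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST, max_guesses: int = 100000):
    """Return (plaintext, rule, guesses) on the first candidate whose hash matches, else None."""
    for guesses, (cand, rule) in enumerate(candidates(wordlist), start=1):
        if guesses > max_guesses:
            break
        if sha256_hex(cand) == target_hash:
            return cand, rule, guesses
    return None


if __name__ == "__main__":
    for secret in ["password", "WORD1", rot_n("dragon", 13), "#MoM:(555)893-12743215#"]:
        print(repr(secret), "->", crack(sha256_hex(secret)))
```

The last target is not reached by this rule set, which only says these particular rules miss it; a cracker fed the owner's phone number and address would add them as words too.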


Krispy
Premium,VIP
join:2001-12-11
the stix

reply to ZOverLord
said by ZOverLord:

If everyone ran a bot for research, would there be any hackers?

Be careful, there are laws that say what your did was illegal, depending on where you were located, and a "Paris Hilton" defense these days, won't help much, and you did get real logons and passwords
I wouldn't worry about NetWatchMan, he knows what he's doing and what legalities are involved.
--
you can lead a horse to the water but you cannot make him drink...you can put a man through school but you cannot make him think --ben harper


av8r
I'd Rather Be Flying
Premium
join:2002-06-14
Boca Raton, FL

reply to Drunkula
said by Drunkula:

Actually I never heard of ROT-26 but wouldn't that be the same as not encoding it at all?
Sorry - neglected the [sarcasm] tags
--
If I am not for myself, Who will be for me? If I am only for myself, What am I? If not now, When? -- Hillel
Tuesday, 24-Nov 22:26:23 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.