
BHNtechXpert
BHN Staff
Premium,VIP
join:2006-02-16
Saint Petersburg, FL
kudos:147

[Internet] BHN Users How Strong Are Your Online Passwords?

Let’s face it, managing your online life is becoming more and more complicated every day. Every site we visit requires a login and password and if you are like me I always struggle with ways to create new, unique and yet secure (or strong) passwords that I can commit to memory.

In light of recent events involving compromised email and other passwords involving web service accounts let’s talk a bit about passwords and what constitutes a STRONG password, easy ways you can commit them to memory so you aren’t constantly playing the recover password game and ensuring that your accounts remain secure.

Many folks don’t realize there are a number of common techniques used to crack passwords and plenty of ways we make our accounts vulnerable due to simple, widely used and even well known passwords.

Here are some of the most common ways hackers obtain your passwords:

Dictionary attacks: Avoid consecutive keyboard combinations, such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These cracks rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research. When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: Don't use personal information such as your name, age, birth date, child's name, pet’s name, or favorite color/song, etc. When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.

Brute Force Cracking: This is when the hacker uses his computer to try every possible password combination until they succeed. This can take considerable time, but that time is greatly reduced when you utilize weak or commonly used passwords.

The Basics:
While you can’t prevent hackers from trying to obtain your password you can certainly make it difficult for them to obtain it through traditional means. When creating your password there are a couple of rules that you need to follow…

1. Password Length: Passwords should be at least 8 characters in length. The more characters in your password the better, and if you can still remember who you are each day consider going with at least 10 characters. Every character added increases the effort a would-be cracker must use to break your password.

2. Password Complexity: Each password should contain at least one character from each of the following character categories:

a. Lowercase letters
b. Uppercase letters
c. Numbers
d. Special characters (like !@#$%^&*())

Some examples of strong passwords might be:

• 586Ym87= (Remember it by: 5 8 6 YANKEE mike 8 7 =)
• 81jO3k2v*5 (Remember it by: 8 1 juliet OSCAR 3 kilo 2 victor * 5)
• TmT8,+8;P"P (Remember it by: TANGO mike TANGO 8 , + 8 ; PAPA " PAPA)

Following these guidelines will instantly make your password much stronger and extremely difficult for a would-be cracker should they focus their sights on you. If your current banking or any personally/financially sensitive passwords don’t match the guidelines above I strongly encourage you to stop what you are doing right now and change them immediately.

Tips for avoiding weak passwords:

Avoid the following items when creating your passwords and when I say avoid I mean NEVER use them.

1. Any password that is the same as your username or part of your username
2. Names of family members, friends or pets, no matter how unusual or complicated
3. Personal information about yourself or family members, and this includes the generic stuff that can be obtained about you very easily, such as birth date, phone number, license plate number, street name, etc.
4. Sequences or consecutive letters, numbers or keys on the keyboard. For example: abcdef12345, qwert; I think you get the idea.
5. Words found in the dictionary with a number or character in front or back
6. Words found in the dictionary substituting a number for a letter look-alike. For example: replacing the letter O with the number 0 in a word like passw0rd

Password Common Sense:

1. Always create a unique password for every site where you are registered
2. Change your passwords at regular intervals not exceeding every 6 months
3. Never write down your passwords
4. Don’t share your passwords with anyone
5. Never use the same password for multiple sites
6. Never send your password to others via email
7. Change your passwords immediately if you receive notice of possible compromise
8. Never use the “Remember Password” feature built into most browsers
9. Don’t log in to personal sites on a computer that does not belong to you
10. Never type your password when someone is looking over your shoulder
11. Avoid logging in to personal sites while using public wifi locations
--
~All truth goes through three phases. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as self-evident. - Arthur Schopenhauer ~
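As an added example (not part of the original post), here is a Python checker that applies the rules above mechanically: the 8-character minimum and 10-character recommendation, the four character classes, the "never use" list (username, keyboard and alphabet/number sequences, dictionary words with numbers tacked on or with look-alike substitutions) and the breach passwords the post quotes. The word list is a constructed stand-in; a real check would load a full cracking dictionary. The keyspace figure is the brute-force estimate behind "every character added increases the effort": length times log2 of the alphabet the password actually draws from.

```python
import math
import string

# Constructed stand-in for a cracking word list (hypothetical; a real check
# would load a large dictionary from disk).
COMMON_WORDS = {
    "password", "princess", "welcome", "monkey", "dragon", "letmein",
    "football", "sunshine", "master", "shadow", "test", "secret",
}
# The breach passwords quoted in the post.
COMMON_PASSWORDS = {"123456", "12345", "111111", "princess", "qwerty", "abc123"}

# Number-for-letter look-alikes from rule 6 (passw0rd is still "password").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
EDGE = string.digits + string.punctuation


def has_run(pw, length=4):
    """Rule 4: `length` consecutive letters, digits or keyboard keys, either direction."""
    low = pw.lower()
    for seq in KEYBOARD_ROWS + [string.ascii_lowercase, string.digits]:
        for i in range(len(seq) - length + 1):
            chunk = seq[i:i + length]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def looks_like_dictionary_word(pw):
    """Rules 5 and 6: a word-list entry (or its reverse), optionally wrapped in
    digits/symbols or written with number-for-letter look-alikes."""
    low = pw.lower()
    candidates = {low.strip(EDGE), low.translate(LEET).strip(EDGE),
                  low.strip(EDGE).translate(LEET)}
    return any(c in COMMON_WORDS or c[::-1] in COMMON_WORDS for c in candidates)


def check_password(pw, username=""):
    """Apply the post's rules; return the problems found plus a brute-force
    keyspace estimate in bits: len(pw) * log2(size of the alphabet used)."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")
    u = username.lower()
    if u and (low in u or u in low):
        problems.append("same as or part of the username")
    if low in COMMON_PASSWORDS:
        problems.append("widely used password")
    if has_run(pw):
        problems.append("contains a keyboard or alphabet/number sequence")
    if looks_like_dictionary_word(pw):
        problems.append("based on a dictionary word")
    alphabet = (26 * classes["lowercase"] + 26 * classes["uppercase"]
                + 10 * classes["number"] + len(string.punctuation) * classes["special"])
    bits = round(len(pw) * math.log2(alphabet), 1) if alphabet else 0.0
    return {"ok": not problems, "problems": problems, "keyspace_bits": bits,
            "meets_10_char_recommendation": len(pw) >= 10}


if __name__ == "__main__":
    for pw in ["586Ym87=", 'TmT8,+8;P"P', "passw0rd", "qwerty", "abcdef12345"]:
        print(pw, check_password(pw))
```

The post's own sample passwords pass every rule; "passw0rd" fails on the look-alike rule even though it has a number in it, which is the point of rule 6.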



tlg
Premium
join:2001-08-23
Melbourne, FL

I use LastPass. It's installed on all my devices (Windows desktop, Linux server, Mac laptop, iPad, Android phone). I allow it to generate and store all my passwords, and my master password is very complex and over 15 characters.

For $12 / year (or free) it's a great product.
--
twitter.com/tgaume



JeffMD

join:2002-08-16
Edgewater, FL
kudos:1
reply to BHNtechXpert

For many years now I stick with a 2-part password. The first part (which can come last or first) is a name; this is a name you will never forget and it will be in every password you generate. It is also important that no one can find out this name. Don't use people's names; maybe a technical term in your fav hobby you would never forget. The second part is the initials of the site in question. For instance this site would be BB, or DR for those oldskool readers.

This creates a password that is easy for YOU to remember (you just need to remember the one word, and don't mess up your methodology on which initials of a site you use) and yet creates a password that a dictionary attack won't crack. A dictionary attack may crack "test", but not "testbb".

Now, is testbb uncrackable? Not in the least; lowercase letters only, it would be the easiest brute force crack ever... except that the attacker does not know this, and if he for some reason did want to attack your password, then he would probably use a more complex alphanumeric attack which would take much longer.

But that isn't going to happen, not to a password you generate for a forum. Unless the site is stupid and stores your password in plaintext (in which case nothing will protect you), there is nothing valuable enough in your forum account to warrant a lengthy brute force attack. For one, remote password attacks aren't going to happen. Between bandwidth and latency and the fact that most sites have lockouts for bad password attempts, remote password attacks are not feasible. That leaves downloading the entire user database, in which you are one of hundreds of thousands of users on the site... and he would be brute-forcing all their passwords. The amount of CPU work needed here is beyond the reach of 99.9% of crackers.

The thing is... you just need to protect yourself against simple password attacks. Single-word passwords that can be found in the most advanced word list (you may think you have come up with a rare word... or even one that is not English, but this is the digital age. Someone has already done the work of making the mother of all dictionary lists and everyone and his grandma has access to download it). Beyond that, compromised accounts come from either social engineering (fooling customer support, or the user, into giving up the password), direct attack (trojans, phishing web sites), local access to the computer (and post-it notes with logon and password info nearby) and lately attacking sites that stupidly leave passwords stored in plain text and posting the password lists.

The only few exceptions are banks, which usually require some pretty awful and secure passwords, and large online games like World of Warcraft. And again, in World of Warcraft, 99.9% of account compromises are due to the computer being compromised by either a key logger, or a local user (not the owner) with access to the account due to knowing the preexisting logon. You can't just flood the logon servers with a dictionary attack for one user without 10 alarms going off.

In the end, just create a password algorithm that is simple enough to remember so you don't need to write them down, and keep your PC secure. Updating to Windows 7/Vista (UAC is easily one of the single best advancements in preventing rogue programs from executing) is a big step, and keeping a well known antivirus around like AVG/Avast/Kaspersky (the idea is for the AV to snag the common trojan delivery packages. Unless you troll infested file sites, you will probably never see a new strain of virus that requires you to get an expensive AV package with an advanced heuristics scanner) up to date. Oh yeah, and Windows updated of course too.



BHNtechXpert
BHN Staff
Premium,VIP
join:2006-02-16
Saint Petersburg, FL
kudos:147

said by JeffMD:


Very well said JeffMD. Good to see you again BTW....you really shouldn't be so scarce



wjim

@bhn.net

A question: I just had a service call and noticed my email password was typed out on the service order. Is this necessary? If I must be home for the service call I could sign in if needed. Just asking.



JeffMD

join:2002-08-16
Edgewater, FL
kudos:1

I noticed that password as well, and I have never used it for anything. I guess I may have a Bright House mailbox? But both the bill pay site and account settings sites are on different passwords.



BHNtechXpert
BHN Staff
Premium,VIP
join:2006-02-16
Saint Petersburg, FL
kudos:147
reply to wjim

said by wjim :

A question: I just had a service call and noticed my email password was typed out on the service order. Is this necessary? If I must be home for the service call I could sign in if needed. Just asking.

Sorry I don't understand the question.


rebus9

join:2002-03-26
Tampa Bay
Reviews:
·Verizon FiOS
·Bright House

reply to BHNtechXpert

Or.... keep the link to an MD5 or SHA1 generator on your desktop and digest ("hash") your passwords.

I use a different password for each service and site I use, but with a method of differentiation that's easy for me to remember (a method to my madness). Make up a password (or a phrase, sentence, paragraph, or even a binary file), run it through MD5 or SHA1, and you'll get a 32 or 40 character hex string that's an exceptionally strong password.

Keep it in a spreadsheet or txt file if you want. If you ever lose it, and assuming you remember the original password, just run it back through the digest generator and you've got it again.

Sure it's more trouble than remembering some 8 character cutesy word. But IMO, it's worth it for the things you really want to protect.
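The digest method rebus9 describes, written out as an added Python example (not rebus9's own tool or the original post's code): the memorable phrase is hashed with MD5 or SHA-1 to a 32- or 40-character hex string, and the same phrase run back through the digest reproduces it, which is the recovery step described above. The per-site "method of differentiation" is assumed here to be a site label appended to the phrase; the post does not say how rebus9 does it. One caveat a practitioner would add: the hex string is only as unpredictable as the phrase and label that produced it, since anyone who guesses those computes the identical digest; the hashing changes the password's shape, not its secrecy.

```python
import hashlib
import string

# Output length in hex characters for the two digests the post names.
DIGEST_LENGTH = {"md5": 32, "sha1": 40}


def digest_password(secret_phrase, site="", algo="sha1"):
    """Turn a memorable phrase plus an assumed per-site label into a
    fixed-length hex password by hashing it, as the post describes."""
    if algo not in DIGEST_LENGTH:
        raise ValueError("the post describes MD5 or SHA1 only")
    material = (secret_phrase + site).encode("utf-8")  # label appended: an assumption
    return hashlib.new(algo, material).hexdigest()


def rederive_matches(stored_hex, secret_phrase, site="", algo="sha1"):
    """Recovery step: run the remembered phrase back through the digest and
    confirm it reproduces the string kept in the spreadsheet or text file."""
    return digest_password(secret_phrase, site, algo) == stored_hex.lower()


def is_wellformed(hex_password, algo="sha1"):
    """Sanity check on a stored value: expected length and hex characters only."""
    return (len(hex_password) == DIGEST_LENGTH[algo]
            and all(c in string.hexdigits for c in hex_password))


if __name__ == "__main__":
    # Constructed sample phrase; a real one would be long and private.
    phrase = "correct horse battery staple"
    for site in ("bank", "dslr"):
        pw = digest_password(phrase, site)
        print(site, pw, is_wellformed(pw), rederive_matches(pw, phrase, site))
```

Different site labels give unrelated hex strings from one phrase, which is the differentiation the post is after; losing the spreadsheet costs nothing as long as the phrase and labelling convention are remembered exactly, including case and spacing.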



BHNtechXpert
BHN Staff
Premium,VIP
join:2006-02-16
Saint Petersburg, FL
kudos:147

said by rebus9:


Um yeah....that's a bit insane for me. Good seeing you Rebus!


rebus9

join:2002-03-26
Tampa Bay
Reviews:
·Verizon FiOS
·Bright House

said by BHNtechXpert:

Um yeah....that's a bit insane for me. Good seeing you Rebus!

Ditto.

Yeah, it's cumbersome so its use is selective. Like online banking and such, where the cost of a hack would be high, if not in dollars (due to account protections) at least in personal time spent getting it straightened out. Or identity theft. Or some horrible thing that would last for years or more.

I confess to not using it at sites like DSLR, where account hackage wouldn't net the miscreants much more than my email address. But done enough times it becomes second-nature, nonetheless.