

Digital
As-Salamu Alaykum
Premium
join:2000-07-24
Cleveland, OH

The perfect password?

How would I go about choosing passwords that are hard for others to guess, and easy for me to remember? I want to be able to know how to make say a 5-14 character password for my Netgear router, plus a few other different passwords.


Gazoo1

join:2000-09-12
Zetox

What I had read elsewhere was to make an easy-to-remember sentence and use the first letters as the digits in the password.
My Very Educated Mother Just Served Us Nine Pickles. = mvemjsu9p
Dave Has 3 Computers Online. = dh3co



rhaverly

join:2000-03-30
Indianapolis, IN

reply to Digital
I believe that it is generally accepted that you want to use an alphanumeric password combo where the letters and numbers have no meaning or resemblance to names, birthdates, etc. For example "s23fd56X4CM9" would be much better than "freddy41360".



rtoday

join:2000-11-05
California

reply to Digital
Some good tips at »nativeintelligence.com/awareness···tion.asp



tschmidt
Premium,MVM
join:2000-11-12
Milford, NH

reply to Digital
The general rule is to mix words, punctuation, and numbers. Words are nice because they are easy to remember. Don't pick words that are easily associated with you, such as names of family members, pets, cars etc.

The other keys to strong password use are length and frequent change.



OzarkMan$

join:2000-12-22
Ozark Mtns.

reply to Digital
Also for those of us that are less fortunate than others Blonde and Old....we find using "password" as a good alternative....Sorry ....must be the mood I'm in !

Now back to the seriousness of this question

Remember your Valentine ?
OZ
--
Genuine Wisdom is knowing what you are talking about but deciding to keep your mouth shut.



stevent$
Since 1965
Premium
join:2000-08-31
Mohrsville, PA

reply to Digital
Pick a phrase of some kind, and then substitute numbers for letters. For instance:

I am going to the mall

becomes

1mgoing2thema11

Maybe a bad example, but you get the idea. For an extra benefit, if the program is case-sensitive, alternate the cases, but don't do 1-2-1-2, try 1-3-2-1-3-2 or something so:

not aBcDeFgHiJkL

but abCdEfgHiJkl
--
Many thanks to SAM, Inc. for the use of their computers to support Folding@Home



rtoday

join:2000-11-05
California

Not to be too picky, but what I've read says to avoid the numbers 1, 2, and 4 as simple common word separators (such as "go4food") because they are commonly used to mimic their English word counterparts. Just another two cents in the kitty.



stevent$
Since 1965
Premium
join:2000-08-31
Mohrsville, PA

yah, that's true, but mainly because so many people pick "common" passwords. If the phrase or word is long enough, the subs should be harmless, especially if lower and upper case are alternated. In general, the longer the password, the better it is.
--
Many thanks to SAM, Inc. for the use of their computers to support Folding@Home


Anon

reply to Digital

Re: The perfect password?

Another way to make a password hard to figure out is to have some capital letters; it makes it even harder for someone to figure it out. Example: c56YD89fghV


Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON

reply to Digital

Safe.zip 1,275 bytes
(Safe.txt)
OK, I saw a lot of suggestions and I couldn't resist. Your system passwords should be set at the maximum number of characters allowed. For NT and Windows that's 14 characters. For each less character you increase the chance of the password being broken far more than you'd think.

Due to the flawed system used by Windows-based systems, especially NT and also to a certain point W2K, the passwords are broken in half and then encrypted before storage. This reduces the hard work needed to break them, which means for a 14 character password you only need to break 7 characters and you are then virtually guaranteed to break the rest. So you realize that by having a 6 or 8 character password you would make the job extremely easy as the hacker will only need to break 3 or 4 of them.

Having a combination of lower and upper case characters does help but not always. LAN hashes for Server passwords like NT and W2k are all stored in upper case no matter what you use. By cracking the LAN password then figuring out the upper case and lower case will take an extra minute or two.

In a recent audit of top high tech companies 90% of all their passwords were cracked in less than 48 hours. 19% of all passwords were broken in less than 10 minutes although the policies of those companies dictated that all passwords must be at least 8 characters and with at least one numeric. On average it takes less than 48 hours on a Pentium 300 to crack almost any password with proper tools.

Now we get to the part of what a password should look like. As I mentioned they should be 14 characters. Passwords like 14John20 are one of the easiest ones to break as most password crackers are designed to look for those patterns. Anything that you can see in a dictionary is a no no. All good password crackers come with a dictionary and that's the first thing they do ( they call it Brute force ) and it will take a few minutes to go through the whole dictionary ( usually less than 5 minutes).

The next thing the software does is to go through all possible characters such as alphabet, numeric, extra characters such as @#%$*,"|[~! etc... at the rate of about 1.5 million characters per second. The more of those characters you have the more time it will take for the software to crack the password. A 14 character password with all those characters may take too long to make it worth the time for a hacker to attempt, especially against a home user.

Last but not least there are certain magical characters that are still very hard or next to impossible to crack (at least the password crackers haven't caught up yet to upgrade their software). Those are Alt characters but not all of them. Only certain Alt characters are almost unbreakable. The way to do it is to press Alt and at the same time, using the numeric pad only, type the 3 or 4 digits for that particular Alt character. That will create a character on the password screen (or Notepad for that matter if you want to try to play with them) that is mostly not possible to create using the keyboard.

The safe Alt characters are attached as a text file for your pleasure.
--
You can catch the Devil, but you can't hold him long.


[text was edited by author 2001-11-21 08:56:36]
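
Added example, not part of Wildcatboy's post: a small Python model of the LAN Manager style storage described above (upper-casing, a 14-character limit, two 7-character halves handled independently), comparing the search space of the split form with that of the password taken as one case-sensitive string. The 95-character printable alphabet and reading the quoted 1.5 million per second as guesses per second are assumptions; no hashing is performed.

```python
RATE = 1_500_000               # guesses/second; the post's figure, read as guesses (assumption)
PRINTABLE = 95                 # printable ASCII characters (assumption)
LM_ALPHABET = PRINTABLE - 26   # lower case folds onto upper case, leaving 69


def lm_halves(password: str) -> tuple[str, str]:
    """Return the two 7-character strings that are processed independently."""
    if len(password) > 14:
        raise ValueError("this storage format only covers 14 characters")
    padded = password.upper().ljust(14, "\0")   # upper-case, NUL-pad to 14
    return padded[:7], padded[7:]


def keyspace(length: int, alphabet: int) -> int:
    """Count candidate strings of length 1..length over the given alphabet."""
    return sum(alphabet ** n for n in range(1, length + 1))


def worst_case_seconds(password: str) -> dict[str, float]:
    """Exhaustive-search time for the split form versus the undivided password."""
    halves = lm_halves(password)
    # Each half is searched on its own, so the costs add instead of multiplying.
    split = sum(keyspace(len(h.rstrip("\0")), LM_ALPHABET) for h in halves)
    whole = keyspace(len(password), PRINTABLE)
    return {"split": split / RATE, "whole": whole / RATE}


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ("Secret12", "s23fd56X4CM9", "x" * 14):
        t = worst_case_seconds(pw)
        print(f"{pw!r:18} halves={lm_halves(pw)!r}")
        print(f"{'':18} split: {t['split'] / 86400:.3g} days, "
              f"whole: {t['whole'] / 86400:.3g} days")
```

For an 8-character password the second half is a single character, so the split form costs barely more than searching 7 upper-case characters, which is the point the post makes about short passwords.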


Enzo_F360F1

join:2001-02-07
Ferrari Land

Just out of curiosity how many people here have actually been hacked?? I see all the emphasis on security and passwords but what do we have that a hacker would really want to spend the time trying to figure out a 14 character password?? I could see maybe a bank, business, etc, but the normal person? Seems like a big waste of good hacking time to me!!!
--
You are not really crazy until you have to hold on to the grass to keep from falling off the earth....



rtoday

join:2000-11-05
California

reply to Wildcatboy
Wildcatboy - Whew! I'm glad you're on our side.
Thanks.



bluebaron2
Stuff Happens
Premium,Mod
join:2001-02-01
North of 44

reply to Wildcatboy
Wildcatboy

I see no one has made any mention of any aftermarket software password creators. I have been using Password Safe by Counterpane for a while now. It generates an alphanumeric upper/lower case random 8 digit password for any program you may want one for. And then remembers them all in a password protected encrypted "Safe". Am I to infer that you would not recommend such programs? (I am fully aware and do indeed intend to mean that I am asking your opinion only, and not your personal recommendation for any product.) I realize that the weak link in the chain is the password to get into the "Safe" and once that is cracked everything else will be open. But is it really practical to try and remember any number of randomly generated 14 character passwords that I would have to write down somewhere if there was any chance at all that this old brain was ever going to be able to use those password protected programs ever again? I'm having trouble remembering what happened last Monday. Once again, I respect your opinion and that is what I am asking for.
--
bb2
Since I've given up hope I feel much better.



Digital
As-Salamu Alaykum
Premium
join:2000-07-24
Cleveland, OH

reply to Digital
Thanks Everyone.

+2 for wildcatboy.



Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON

reply to bluebaron2
I remember a very famous company operating an important web site a while back that claimed they had iron-clad security when it came to the way they stored and protected their data from intruders. One day they came to work only to find out that someone had broken in to their company and had loaded all their servers in to a truck and left.

Your security as you mentioned is always as good as your weakest link. I'm not saying that hackers are sitting out there and waiting to break your password. To most good hackers your system is not worthy to break in to because your data is not worthy to steal. But there are good hackers out there that view your system as a valuable slave to be used for DoS attacks or simply to be used to do their scanning of the Internet for other slaves without having to worry about getting caught. Also there are lots of script kiddies out there who would like to use your computer for practice. The only gain they are looking for is the experience itself and they don't care about anything else. Those kids can cause a lot of damage if you make it easy for them.

The issue of passwords is a broad issue and it depends on where in your system that password is and what it is used for. For example if you are using the password for your shared folders then you don't necessarily need to use a 14 character password. There are other ways around it such as binding your NetBios to NetBeui or even easier choosing a scope ID. All you have to do is to choose a 14 character scope ID ( which by the way you can forget the next minute since you are never going to use it ) and then choose an 8 character password for your share. Now even if they find your password, they still can't get in unless their workgroup has the same scope ID.

Again there are several ways to secure your system and passwords are not the only one. You can always compensate for a not very perfect password by other means. But then again as you said the weakest chain issue always applies so why not make sure everything is perfect.

As for the software that you mentioned there are several of them in the market that create 14 character passwords and as many of them as you want. They are great but I wouldn't use their save option. I'd personally like to remember them. Anything stored on your computer can be accessed and the weaker their encryption is the easier it is to crack.

But remember one thing, the question was "The Perfect Password" and I tried to explain what it would be, however how far a home user would want to go and how far a company ought to go are totally different. You don't have to memorize a 14 character password at home if you don't want to. Just use a sticky note because if anyone breaks in to your house the sticky note is the last thing they will look at. They'll take your computer with them and chances are they are not going to sit there and watch your family album.

Again you need to decide how important the whole issue is, what are the chances that someone might be interested in your computer and how much will you lose if someone breaks in to it. Based on that you can decide how far you are willing to go. Frankly a good firewall will go a longer way to protect you from password crackers than any good password will.
--
You can catch the Devil, but you can't hold him long.



tschmidt
Premium,MVM
join:2000-11-12
Milford, NH

reply to bluebaron2
You've identified the risk. Software snooping your system could capture the encrypted file and crack it at their leisure.

Some kind of protected storage is better protection, like a Smart Card. But that requires additional hardware and protecting the PIN is difficult unless a user interface is built into the reader itself.

That said, the risk of someone cracking your all-in-one password file is offset by the use of much stronger passwords. So on balance you are probably much more secure than those of us that manually manage a bunch of passphrases.



bluebaron2
Stuff Happens
Premium,Mod
join:2001-02-01
North of 44

reply to Wildcatboy
Wildcatboy & tschmidt, thank you both for your reply.

Wildcatboy: I agree with you wholeheartedly that password protection is only a part of a security strategy. Anyone that believes they are safe on the Internet behind some passwords is indeed living in a fool's paradise. (No offense intended to any paradise living fools who have internet access.) Any password, no matter how strong or how many, is not enough. I use a firewall, an anti-virus, an anti-trojan, an anti-spyware, a cookie blocker, I have unbinded (unbundled?) my network sharing (don't have one by the way, network that is) and I use the above mentioned software to store and randomly generate my many passwords. And yet I am fully aware that I am not unhackable. Having said all that however, one can't do anything in this life without some risks. It is a constant balancing act. I have chosen to take the risk of not having an ultimate password protection and not memorizing them all. (Which believe me at my advanced stage of geriatrics would be nigh on impossible to do anyway.) I balance that risk by trying to keep all the other barriers up to date and functioning correctly. Because on a personal level, the risk of being hacked through my many barriers is to me less of a problem than the giant PITA of 'losing' a program because I couldn't remember what the password to access the program was. As you said "Frankly a good firewall will go a longer way to protect you from password crackers than any good password will." I agree with you 100%.

tschmidt:

quote:
Some kind of protected storage is better protection, like a Smart Card.
That gives me an idea. (not original I must admit , I believe someone here at DSLR suggested this or something very similar quite awhile ago)
If I was to take my Passwords program; Zip it to a Floppy, then label that Floppy something innocuous, and then 'bury' it amongst those boxes of floppies I have accumulated over the years that are piled on my bookcase. Well... anybody who was able to then find, decrypt, and gain access to all my passwords ....well... he can d*amn well have them... he deserves it, he worked for them
So once again thanks to both of you for getting me thinking, another barrier is going up. This is such a great site.
--
bb2
Since I've given up hope I feel much better.

Anon

Even better than copying your passwords to floppy and "burying" it within your other disks is to burn them to CD or floppy and lock them away in a fireproof safe/lockbox. The small type of fireproof lockboxes only cost about $20, and they provide enough room for financial documents, disks, and other things you would not want to be without should something happen to your home.
--
"Except for Cain and Abel, and the Hunchback of Notre Dame.....everyone was either making love or else expecting rain."



m2pmd70
S.O.D.

join:2000-11-23
Mountain Home, AR

While you're at it, put your computer in a separate fire safe... but don't have the same combinations on 'em.

