  1. #1
    SitePoint Zealot

    Password Strength

    Came across this little cartoon comparing the relative security of a long (yet fairly easy to remember) password comprised of common words and a shorter (yet more difficult to remember) password comprised of a mixture of upper and lower case letters, numbers and punctuation.

    I thought it made an interesting point. What do you think?

    xkcd: Password Strength

  2. #2
    secure webapps for all Aleksejs's Avatar
    The cartoon makes a good point (as backed up by security gurus, like Mikko Hypponen).

  3. #3
    SitePoint Wizard silver trophybronze trophy Stormrider's Avatar
    I use totally random characters for mine, 20 characters or so when the website allows. I don't actually know what any of them are... I use a password manager to generate and then store them.

  4. #4
    SitePoint Member
    Quote Originally Posted by Stormrider View Post
    I use totally random characters for mine, 20 characters or so when the website allows. I don't actually know what any of them are... I use a password manager to generate and then store them.
    Me too. I don't memorize every password I use, and I don't have to because of password managers like RoboForm or LastPass.

  5. #5
    secure webapps for all Aleksejs's Avatar
    And what about the passwords that are used to unlock the password manager?

  6. #6
    SitePoint Member


    Ever since my password manager screwed up on me I have resorted to a series of passwords that are a logical sequence to me and my wife, but irrational to anybody else.

    I don't think I am that important that anybody will waste 3 days of valuable computer time to crack my passwords.

  7. #7
    SitePoint Wizard Stomme poes's Avatar
    Aleksejs: How many of those would we have? I have just one master password, not counting the password to my computer (so yes, this means I'm one password away from losing my life).

    Though, I do remember my passwords as well as use encrypted storage... that's for JustInCaseIForget.

    One of my banks uses this horrible setup with random combinations of images (what do I do if I can't see?), words, passwords, and "security questions" which are made up of publicly-available information. Only way those are "secure" is if I totally make crap up instead of using real answers (like if I say my mother's maiden name, which was the name she went by anyway, was Tr0ub4dor&3 :)

    Another of my banks uses a password and then a little device that needs my bank card to send and receive randomly-generated numbers. The site and the device have to match. Transaction authentication rather than user authentication (userAuth is only used once, to initiate). Nice, tho I have no idea what those little Readers cost.

    @abacusgnus
    They won't bother with yours, but they'll go after... oh... Gawker's servers (or, some server you have an account on), grab your pw from there and then hope you're dumb enough to have used it everywhere else. Since enough people are, attackers get something useful.

    By the way, any sysadmin who lets anyone attempt 1000 guesses a second deserves horrible things.

    Off Topic:

    Aleksejs:
    I'm at Riga Congress Center M-W next week... I WILL see those Cat House cats!!
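    The cartoon's comparison from the first post, worked through with the figures quoted in this thread (Tr0ub4dor&3, 1000 guesses a second, the "3 days" mentioned earlier), as an added Python example rather than anything from the cartoon's author or the posters. The 2048-word dictionary, the 95-character keyboard alphabet and the per-choice bit counts for the substituted word are the cartoon's rough estimates and are assumptions here.

```python
import math

# Assumed parameters for the worked comparison (not figures from the thread):
# a 2048-word dictionary for the passphrase, the 95 printable ASCII characters
# for a "random looking" password, and the cartoon's rough 28-bit estimate for
# a dictionary word dressed up with substitutions, such as Tr0ub4dor&3.
DICTIONARY_WORDS = 2048
PRINTABLE_ASCII = 95
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def bits_for_random_string(length: int, alphabet_size: int) -> float:
    """Entropy of a string whose every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def bits_for_passphrase(words: int, dictionary_size: int = DICTIONARY_WORDS) -> float:
    """Entropy of `words` picked uniformly from a public dictionary.
    The words are common and the list is public; the strength is in the count."""
    return words * math.log2(dictionary_size)


def bits_for_patterned_password() -> float:
    """The cartoon's breakdown for a Tr0ub4dor&3-style password. Every rule the
    user applied is a rule a cracking wordlist applies too, so only the choice
    itself counts: base word, capitalisation, substitutions, digit, symbol, and
    which of the two trailing pieces comes first."""
    uncommon_base_word = 16
    capitalisation = 1
    common_substitutions = 3
    trailing_digit = 3
    trailing_symbol = 4
    order_of_suffixes = 1
    return (uncommon_base_word + capitalisation + common_substitutions
            + trailing_digit + trailing_symbol + order_of_suffixes)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a fixed online guessing rate."""
    return 2 ** bits / guesses_per_second


def describe(label: str, bits: float, guesses_per_second: float = 1000) -> str:
    secs = seconds_to_exhaust(bits, guesses_per_second)
    if secs < SECONDS_PER_YEAR:
        return f"{label}: ~{bits:.0f} bits, exhausted in ~{secs / SECONDS_PER_DAY:.1f} days at {guesses_per_second:g} guesses/s"
    return f"{label}: ~{bits:.0f} bits, exhausted in ~{secs / SECONDS_PER_YEAR:.0f} years at {guesses_per_second:g} guesses/s"


if __name__ == "__main__":
    # Naive character-set maths overstates the dressed-up word by a wide margin;
    # the attacker's model of how people choose passwords is what sets the cost.
    print(describe("Tr0ub4dor&3 if it were truly random", bits_for_random_string(11, PRINTABLE_ASCII)))
    print(describe("Tr0ub4dor&3 as actually chosen", bits_for_patterned_password()))
    print(describe("four common words", bits_for_passphrase(4)))
    # The same weak password behind a throttle of one guess per 30 seconds.
    print(describe("Tr0ub4dor&3, one guess per 30 s", bits_for_patterned_password(), 1 / 30))
```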

  8. #8
    SitePoint Wizard bronze trophy cydewaze's Avatar
    Good topic. My office recently switched from an 8-character pw length to a 12-character length, and they expire monthly. As a result, you can find most people's passwords written down on a post-it note hidden under their keyboards (or sometimes even stuck to their desks or monitors).

    I think you get to a point of diminishing returns on pw length, since something like ^0Ley$j2 is likely stronger than something like Aaaaaaaaaa1!

  9. #9
    Non-Member bronze trophy
    Quote Originally Posted by Stomme poes View Post
    By the way, any sysadmin who lets anyone attempt 1000 guesses a second deserves horrible things.
    Given any decent system should lock out the account after 3 guesses, yeah.

  10. #10
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    I've found it frustrating that some banking websites limit the number of characters of passwords to 6-8 characters. I find it very frustrating since, well, shorter passwords tend not to be as secure. Especially when there is no lockout mechanism in place for incorrectly guessed passwords.

  11. #11
    SitePoint Wizard bronze trophy cydewaze's Avatar
    Quote Originally Posted by Force Flow View Post
    I've found it frustrating that some banking websites limit the number of characters of passwords to 6-8 characters.
    My car insurance company used to not allow any special characters at all in passwords. They also had a list of "security" questions, but had a minimum number of characters that the answer could be. One of the questions was "name of your first pet" and it had to be at least 6 characters. But what if your first dog's name was Rex?

  12. #12
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Quote Originally Posted by cydewaze View Post
    But what if your first dog's name was Rex?
    Enter it twice?

  14. #14
    secure webapps for all Aleksejs's Avatar
    I too use a password manager (KeePass if anyone is interested).

    I use another technique as well (for instance to get the master password or to mount an encrypted disk volume). I use a really cheap, truly "hardware" password generator.
    I carry with me (in my wallet) a small piece of paper that has a substitution table similar to the one you can generate here:
    Password Chart
    Only my table has, for each letter/digit, a sequence of three randomly generated letters/symbols/numbers. Example (do not use, generate one yourself if you like; you can use this to generate trigrams from a character set of your choice):

    A: 4pH B: $&b C: D6} D: ,<7
    E: vfY F: bJj G: \8: H: :,s
    I: W!j J: G#a K: T@4 L: f}r
    M: AD: N: X4C O: Li( P: zKO
    Q: d?B R: G,s S: mS> T: zOK
    U: OL> V: bqu W: >|G X: (T\
    Y: z=A Z: _\= 0: 5?P 1: c%]
    2: bx& 3: ^Ty 4: 0UV 5: -KY
    6: UMu 7: <E> 8: OM> 9: Q3F
    Now, using that chart, the simple password simplething becomes mS>W!jAD:zKOf}rvfYzOK:,sW!jX4C\8:
    Of course you can create such a table for all the characters found on the keyboard, not just letters and digits, but for me this is enough.
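    The chart and its worked expansion, as an added Python example (not the poster's own code): it reproduces the result quoted above from the posted chart and generates a fresh chart with a CSPRNG; the alphabet and symbol set used for generation are assumptions.

```python
import secrets
import string

# The chart from the post above, transcribed as a dict. Its author says not to
# use it; it is here only so the worked result can be checked against the post.
POSTED_CHART = {
    "A": "4pH", "B": "$&b", "C": "D6}", "D": ",<7", "E": "vfY", "F": "bJj",
    "G": "\\8:", "H": ":,s", "I": "W!j", "J": "G#a", "K": "T@4", "L": "f}r",
    "M": "AD:", "N": "X4C", "O": "Li(", "P": "zKO", "Q": "d?B", "R": "G,s",
    "S": "mS>", "T": "zOK", "U": "OL>", "V": "bqu", "W": ">|G", "X": "(T\\",
    "Y": "z=A", "Z": "_\\=", "0": "5?P", "1": "c%]", "2": "bx&", "3": "^Ty",
    "4": "0UV", "5": "-KY", "6": "UMu", "7": "<E>", "8": "OM>", "9": "Q3F",
}


def expand(password: str, chart: dict) -> str:
    """Replace each letter/digit of `password` with its trigram. The chart has
    no case distinction, so 'simplething' and 'SimpleThing' expand alike."""
    out = []
    for ch in password:
        if ch.upper() not in chart:
            raise ValueError(f"character {ch!r} is not in the chart")
        out.append(chart[ch.upper()])
    return "".join(out)


def generate_chart(alphabet: str = string.ascii_uppercase + string.digits,
                   symbols: str = string.ascii_letters + string.digits + string.punctuation,
                   width: int = 3) -> dict:
    """Make a fresh chart. Use the secrets module (a CSPRNG), not random, which
    is seeded predictably and was never meant for key material."""
    return {ch: "".join(secrets.choice(symbols) for _ in range(width)) for ch in alphabet}


def format_chart(chart: dict, per_row: int = 4) -> str:
    """Lay the chart out four entries per row, as in the post, for printing."""
    items = [f"{k}: {v}" for k, v in chart.items()]
    return "\n".join("  ".join(items[i:i + per_row]) for i in range(0, len(items), per_row))


if __name__ == "__main__":
    print(expand("simplething", POSTED_CHART))   # the post's own worked result
    # Caveat: expansion is a fixed substitution, so the long output carries only
    # the entropy of the base password plus that of the chart, and the chart's
    # share counts only while the paper stays secret. Whoever has the paper can
    # undo it, and a leaked expanded password reveals eleven chart entries.
    print(format_chart(generate_chart()))
```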

  15. #15
    SitePoint Wizard Stomme poes's Avatar
    Quote Originally Posted by Aleksejs View Post
    I too use a password manager (KeePass if anyone is interested).
    GPass here, but the disadvantage of it (unless they've changed this) is it's stuck on my machine. Can't keep an encrypted copy on a USB or anything.

    Which means I have a piece of paper somewhere for when catastrophe hits this machine. Meaning I need to find another Linux password manager :(

    I really think some pressure needs to come down on banks and similar groups about the "security questions". They really bother me. Apparently that's how Sarah Palin's AOL (gosh didn't know that still existed!) email was broken into. They asked her her High School. Public record (and nowadays everyone blabs it on their spacebook). Stupid question.

    Quote Originally Posted by deathshadow60 View Post
    Given any decent system should lock out the account after 3 guesses, yeah.
    I'm against lockout after three. I like what SitePoint does: after 5 tries you have to wait 15 minutes. You can do any kind of mix of wait-times and add a lockout at the end if you need to.

    I've also been a fan of the idea that the input type="password" should only show stars if the user chooses that. Especially when people are filling in new passwords. It is in fact extremely possible to mistype a new password twice: I've done it several times actually. I've had to resort to opening a text file, typing what I want (so, in plain view of anyone looking over my shoulder anyway) and then pasting twice. Since that defeats the purpose, it should be something users can turn off.

  16. #16
    SitePoint Wizard silver trophybronze trophy Stormrider's Avatar
    Quote Originally Posted by Aleksejs View Post
    And what about passwords that are used to unlock password manager?
    Also just as secure, and I memorise it. Easy to memorise one set of characters.

  17. #17
    SitePoint Wizard silver trophybronze trophy Stormrider's Avatar
    Quote Originally Posted by Stomme poes View Post
    I've also been a fan of the idea that the input type="password" should only show stars if the user chooses that. Especially when people are filling in new passwords. It is in fact extremely possible to mistype a new password twice: I've done it several times actually. I've had to resort to opening a text file, typing what I want (so, in plain view of anyone looking over my shoulder anyway) and then pasting twice. Since that defeats the purpose, it should be something users can turn off.
    I like the idea of it, but it should be something browsers build in as part of the password control.

  18. #18
    Non-Member bronze trophy
    Quote Originally Posted by Stormrider View Post
    I like the idea of it, but it should be something browsers build in as part of the password control.
    There was an article here on SitePoint last year about implementing that with JS:

    Better Passwords #2: “Show Password” SitePoint

    Which I started my own thread at about the same time on improving:

    http://www.sitepoint.com/forums/java...rd-691123.html

    But yeah, it would be great if it was something browsers implemented all on their own -- should be something even the site coder shouldn't have to think about as that really should be a user agent behavior.

  19. #19
    SitePoint Mentor silver trophy
    Rubble's Avatar
    Quote Originally Posted by cydewaze View Post
    and they expire monthly
    One of our systems at work changes every 3 months and you cannot use the same password twice.
    Do not tell our IT department this, but I got so pissed off with it after a while that my password started off at qqqqqqqq and I am slowly working along my keyboard.

    It is irritating that all passwords are different, in that some need a minimum of 8 characters and others do not. Some insist on having numbers and punctuation but others will not allow numbers and punctuation, etc.

  20. #20
    SitePoint Wizard bronze trophy Immerse's Avatar
    I worked at a bank. To log into our Windows NT computers, we used passwords that:

    1) minimum of 10 characters
    2) at least one capital letter
    3) at least one lowercase letter
    4) at least one number
    5) at least one punctuation mark
    6) changed every month
    7) may not be the same or even similar to passwords used within the last 12 months
    Nice.

    Even nicer, when we implemented our online banking and brokerage service, which used a full blown PKI solution for signing transactions, we had a 'key ceremony' (it's the official term) during which we generated the CA certificate for the bank (which is sort of the root certificate, the core of the entire security setup, one of those things stored on a tamper-proof hardware module which destroys itself violently if it's moved or tilted more than 5 degrees or so).

    During this ceremony I had to make up passwords and PIN-codes for about 20 different systems, subsystems and keypads etc. I wrote them all down (as dictated in the key ceremony's plan), popped them into an envelope which was then stored in the bank's vault. These passwords were all very difficult and impossible to remember, as we'd never need them anyway (according to the vendor of the PKI stuff).

    Of course, within a month it turned out we'd need those passwords almost every day to restart the system and whatnot, so we ended up carrying a piece of paper around with all the passwords on it.

    How's that for ultra-secure! :|

  21. #21
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Quote Originally Posted by deathshadow60 View Post
    Given any decent system should lock out the account after 3 guesses, yeah.
    A system I set up has a 30 second lock each time an incorrect password is entered: the system rejects any attempt to log in during the 30 seconds after an invalid attempt. Since it unlocks again automatically when no invalid passwords have been entered in the last 30 seconds, it effectively locks any automated attempt to break in after the first attempt and stays locked until they stop trying, while not providing any lockout on the account for the account owner, provided that they wait a short while after having mistyped their password before they try again. Even if someone realised the delay was there and set up an automated process to wait that long between tries, they can now only try one password every 30 seconds and not thousands every second, and so you will easily detect that someone is trying to break into your account due to the fact that your correct password doesn't work even though it did a thousand years earlier the last time you used the account and definitely hasn't been changed since.

    As for those password managers where you need to remember the master password - the main benefit in those is that most of the passwords you store in them will be used on the web and so you want complicated hard to remember passwords for security there. The password manager itself sits on your computer and so the master password never gets sent anywhere - to steal your master password someone would need to break into your computer and not just visit a web site where you have an account.
    Stephen J Chapman


  22. #22
    SitePoint Mentor silver trophy
    Rubble's Avatar
    Quote Originally Posted by Immerse View Post
    so we ended up carrying a piece of paper around with all the passwords on it
    I think complicated passwords are actually making it happen more and more.

    Quote Originally Posted by felgall View Post
    someone is trying to break into your account
    The only problem is you cannot log into your own system, as somebody is effectively blocking you out.

  23. #23
    SitePoint Wizard silver trophybronze trophy Stormrider's Avatar
    Why is carrying a piece of paper around with your password on considered so bad? I'm sure there was some security expert recently who was encouraging it, because it's a lot better than the alternative (a weak password so you can remember it), and your wallet is a pretty secure place!

  24. #24
    SitePoint Wizard silver trophybronze trophy Stormrider's Avatar
    Quote Originally Posted by Rubble View Post
    The only problem is you cannot log into your own system, as somebody is effectively blocking you out.
    Yeah, it effectively allows a denial of service attack to happen!
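    The 30-second lock described in felgall's post and the lockout problem raised in the last few replies, simulated as an added Python example (not code from any of the posters); the account name, addresses and timeline are constructed, and the per-source variant is added here for comparison.

```python
from dataclasses import dataclass, field

LOCK_SECONDS = 30  # the delay used in the scheme described above


@dataclass
class ThrottledLogin:
    """Login front end that rejects any attempt made within LOCK_SECONDS of the
    last failed attempt for the same key. An attempt made during the lock, right
    or wrong, is not even checked; it counts as a failure and restarts the
    window, so a script that keeps hammering stays locked out until it stops."""
    credentials: dict             # account -> password (constructed; real code compares hashes)
    per_source: bool = False      # False: one lock per account, exactly as posted
    last_failure: dict = field(default_factory=dict)

    def _key(self, account: str, source: str):
        return (account, source) if self.per_source else account

    def attempt(self, now: float, account: str, password: str, source: str) -> str:
        key = self._key(account, source)
        locked_until = self.last_failure.get(key, float("-inf")) + LOCK_SECONDS
        if now < locked_until:
            self.last_failure[key] = now      # hammering extends the lock
            return "locked"
        if self.credentials.get(account) == password:
            return "ok"
        self.last_failure[key] = now
        return "invalid"


OWNER, GUESSER = "192.0.2.7", "203.0.113.9"   # constructed addresses
OWNER_PASSWORD = "correct horse battery staple"


def simulate(per_source: bool) -> list:
    """Constructed timeline: a script guesses 'alice' every 5 s from GUESSER
    while the real owner enters the right password at t=12 and t=47 from OWNER."""
    login = ThrottledLogin({"alice": OWNER_PASSWORD}, per_source)
    events = [(t, f"guess{t}", GUESSER) for t in range(0, 60, 5)]
    events += [(12, OWNER_PASSWORD, OWNER), (47, OWNER_PASSWORD, OWNER)]
    return [(t, src, login.attempt(t, "alice", pw, src)) for t, pw, src in sorted(events)]


def results_for(source: str, per_source: bool) -> list:
    return [result for t, src, result in simulate(per_source) if src == source]


if __name__ == "__main__":
    # Per account (as posted): the script gets one password checked, then
    # nothing, but the owner is locked out for as long as the guessing goes on.
    print("per account:", results_for(OWNER, False), results_for(GUESSER, False))
    # Keying the lock by (account, source) lets the owner in while still
    # throttling the script. A guesser spread over many addresses, or an owner
    # behind the same NAT, erodes that, so the "my correct password stopped
    # working" signal from the post above is still worth alerting on.
    print("per source: ", results_for(OWNER, True), results_for(GUESSER, True))
```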

  25. #25
    SitePoint Mentor silver trophybronze trophy

    I remember my college years; lecturers used to recommend that we remember our passwords, but unless you have the same password for everything you're unlikely to remember it. Without giving too much away, I don't really change my password. I find that the main cause of password stealing is down to us not having the proper security on our machines; otherwise, unless my mother or younger brother was interested, nobody would really come to my desk and scour for passwords.

    Quote Originally Posted by Stomme poes View Post
    I really think some pressure needs to come down on banks and similar groups about the "security questions". They really bother me. Apparently that's how Sarah Palin's AOL (gosh didn't know that still existed!) email was broken into. They asked her her High School. Public record (and nowadays everyone blabs it on their spacebook). Stupid question.
    Can't stand banks' security. In fact I want to be part of online banking, but giving me an 11+ digit subscribing number, along with a changing secret PIN derived from some calculator-like gizmo which requires my actual PIN to work, followed naturally by some silly questions, just puts me off the whole idea. My solution is to get in the car and drive to the bank, where half of the time they don't even ask for ID, knowing me or otherwise. :P Just illustrates how fearful banks are. I don't know why they just can't operate like PayPal.

