| SitePoint Sponsor |
Came across this little cartoon comparing the relative security of a long (yet fairly easy to remember) password comprised of common words and a shorter (yet more difficult to remember) password comprised of a mixture of upper and lower case letters, numbers and punctuation.
I thought it made an interesting point. What do you think?
xkcd: Password Strength
The cartoon makes a good point (as backed up by security gurus, like Mikko Hypponen).
me too, i don't memorize every passwords i use and i dont have too coz of password managers like roboform or lastpass.Originally Posted by Stormrider
LinkChannels Web Directory - Human-edited web directory.
ArticleWheel - Article Submission Directory
And what about passwords that are used to unlock password manager?
Ever since my password manager screwed up on me I have resorted to a series of passwords that are a logical sequence to me and my wife, but irrational to anybody else.
I don't think I am that important that anybody will waste 3 days of valuable computer time to crack my passwords.
Aleksejs: How many of those would we have? I have just one master password, not counting the password to my computer (so yes, this means I'm one password away from losing my life).
Though, I do remember my passwords as well as use encrypted storage... that's for JustInCaseIForget.
One of my banks uses this horrible setup with random combinations of images (what do I do if I can't see?), words, passwords, and "security questions" which are made up of publicly-available information. Only way those are "secure" is if I totally make crap up instead of using real answers (like if I say my mother's maiden name, which was the name she went by anyway, was Tr0ub4dor&3 :)
Another of my banks uses a password and then a little device that needs my bank card to send and receive randomly-generated numbers. The site and the device have to match. Transaction authentication rather than user authentication (userAuth is only used once, to initiate). Nice, tho I have no idea what those little Readers cost.
@abacusgnus
They won't bother with yours, but they'll go after... oh... Gawker's servers (or, some server you have an account on), grab your pw from there and then hope you're dumb enough to have used it everywhere else. Since enough people are, attackers get something useful.
By the way, any sysadmin who lets anyone attempt 1000 guesses a second deserves horrible things.
Off Topic:
Aleksejs:
I'm at Riga Congress Center M-W next week... I WILL see those Cat House cats!!
Good topic. My office recently switched from a 8 character pw length to a 12 character length, and they expire monthly. As a result, you can find most people's passwords written down on a post-it note hidden under their keyboards (or sometimes even stuck to their desks or monitors).
I think you get to a point of diminishing returns on pw length, since something like ^0Ley$j2 is likely stronger than something like Aaaaaaaaaa1!
<cfset myblog = "http://cydewaze.org/">
Given any decent system should lock out the account after 3 guesses, yeah.
I've found it frustrating that some banking websites limit the number of characters of passwords to 6-8 characters. I find it very frustrating since, well, shorter passwords tend not to be as secure. Especially when there is no lockout mechanism in place for incorrectly guessed passwords.
Visit The Blog | Follow On Twitter
301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
Can be hosted on and utilize your own domain
My car insurance company used to not allow any special characters at all in passwords. They also had a list of "security" questions, but had a minimum number of characters that the answer could be. One of the questions was "name of your first pet" and it had to be at least 6 characters. But what if your first dog's name was Rex?
<cfset myblog = "http://cydewaze.org/">
Enter it twice?
Visit The Blog | Follow On Twitter
301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
Can be hosted on and utilize your own domain
I too use password manager (KeePass if anyone is interrested).
I use another technique as well (for instance to get master password or to mount encrypted disk volume). I use really cheap, truly "hardware" password generator.
I carry with me (in my wallet) small piece of paper, that has a substitution table similar that you can generate here:
Password Chart
Only my table has for each letter/digit sequence of three randomly generated letters/symbols/numbers. Example (do not use, generate one yourself if you like - you can use this to generate trigrams from characterset of your choice):
Now using that chart the simple password simplething becomes mS>W!jAD:zKOf}rvfYzOK:,sW!jX4C\8:
A: 4pH B: $&b C: D6} D: ,<7
E: vfY F: bJj G: \8: H: :,s
I: W!j J: G#a K: T@4 L: f}r
M: AD: N: X4C O: Li( P: zKO
Q: d?B R: G,s S: mS> T: zOK
U: OL> V: bqu W: >|G X: (T\
Y: z=A Z: _\= 0: 5?P 1: c%]
2: bx& 3: ^Ty 4: 0UV 5: -KY
6: UMu 7: <E> 8: OM> 9: Q3F
Of course you can create such table for all characters found on keyboard not just for letters and digits, but for me this is enough.
GPass here, but the disadvantage of it (unless they've changed this) is it's stuck on my machine. Can't keep an encrypted copy on a USB or anything.I too use password manager (KeePass if anyone is interrested).
Which means I have a piece of paper somewhere for when catastrophe hits this machine. Meaning I need to find another Linux passmanager :(
I really think some pressure needs to come down on banks and similar groups about the "security questions". They really bother me. Apparently that's how Sarah Palin's AOL (gosh didn't know that still existed!) email was broken into. They asked her her High School. Public record (and nowadays everyone blabs it on their spacebook). Stupid question.
I'm against lockout after three. I like what SitePoint does: after 5 tries you have to wait 15 minutes. You can do any kind of mix of wait-times and add a lockout at the end if you need to.Given any decent system should lock out the account after 3 guesses, yeah.
I've also been a fan of the idea that the input type="password" should only show stars if the user chooses that. Especially when people are filling in new passwords. It is in fact extremely possible to mistype a new password twice: I've done it several times actually. I've had to resort to opening a text file, typing what I want (so, in plain view of anyone looking over my shoulder anyway) and then pasting twice. Since that defeats the purpose, it should be something users can turn off.
There was an article here on sitepoint last year about implementing that with JS
Better Passwords #2: “Show Password” » SitePoint
Which I started my own thread at about the same time on improving:
http://www.sitepoint.com/forums/java...rd-691123.html
But yeah, it would be great if it was something browsers implemented all on their own -- should be something even the site coder shouldn't have to think about as that really should be a user agent behavior.
One of our systems at work changes every 3 months and you can not use the same password twice.and they expire monthly
Do not tell our IT department this but I got so pissed off with it after a while my password started off at qqqqqqqq and I am slowly working along my keyboard
It is irritating that all passwords are different in that some you need a minimium of 8 characters and others you do not. Some insist on having numbers and punctuations but others will not allow numbers and punctuations etc.
I worked at a bank. To log into our Windows NT computers, we used passwords that:
1) minimum of 10 characters
2) at least one capital letter
3) at least one lowercase letter
4) at least one number
5) at least one punctuation mark
6) changed every month
7) may not be the same or even similar to passwords used within the last 12 months
Nice.
Even nicer, when we implemented our online banking and brokerage service, which used a full blown PKI solution for signing transactions we had a 'key ceremony' (it's the official term) during which we generated the CA certificate for the bank (which is sort of the root certificate, the core of the entire security setup, one of those things stored on a tamper-proof hardware module which destroys itself violently if it's moved or tilted more than 5 degrees or so).
During this ceremony I had to make up passwords and PIN-codes for about 20 different systems, subsystems and keypads etc. I wrote them all down (as dictated in the key ceremony's plan), popped them into an envelope which was then stored in the bank's vault. These passwords were all very difficult and impossible to remember, as we'd never need them anyway (according to the vendor of the PKI stuff).
Of course, within a month it turned out we'd need those passwords almost every day to restart the system and whatnot, so we ended up carrying a piece of paper around with all the passwords on it
How's that for ultra-secure! :|
A system I set up has a 30 second lock each time an incorrect password is entered - the system rejects any attempt to log in during 30 seconds after an invalid attempt. Since it unlocks again automatically when there have been no invalid passwords entered in the last 30 seconds it effectively locks any automated attempt to break in after the first attempt and stays locked until they stop trying while not providing any lock out on the account for the account owner provided that they wait a short while after having mistyped their password before they try again. Even if someone realised the delay was there and set up an automated process to wait that long between tries they can now only try one password every 30 seconds and not thousands every second and so you will have easily detect that someone is trying to break into your account due to the fact that your correct password doesn't work even though it did a thousand years earlier the last time you used the account and definitely hasn't been changed since.
As for those password managers where you need to remember the master password - the main benefit in those is that most of the passwords you store in them will be used on the web and so you want complicated hard to remember passwords for security there. The password manager itself sits on your computer and so the master password never gets sent anywhere - to steal your master password someone would need to break into your computer and not just visit a web site where you have an account.
Stephen J Chapman
javascriptexample.net, Book Reviews, follow me on Twitter
HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
<input name="html5" type="text" required pattern="^$">
I think complicated passwords are actuly making it happen more and more.so we ended up carrying a piece of paper around with all the passwords on it
The only problem is you can not log into your own system as somebody is effectivaly blocking you outsomeone is trying to break into your account
I remember my college years, lecturers use to recommend us to remember our passwords, unless you have the same password for everything then you're unlikely to remember it. Without giving too much away I don't really change my password. I fidn that the main cause of password stealing is down to use not having the proper security on our machines, otherwise, unless my mother or younger brother was interested, nobody would really come on my desk and scour for passwords.
Can't stand banks security. In fact I want to be part of online banking, but giving me a 11+ digit subscribing number, alongside with a changing secret pin derived from some calculator-like gizmo which requires my actual PIN to work. Followed naturally by some silly questions, just puts me off the whole idea. My solution is to get in the car and drive to the bank, which half of the times, they don't even ask for ID, knowing me or otherwise. :P Just illustrates how fearful banks are. I don't know why they just can't operate like PayPal.I really think some pressure needs to come down on banks and similar groups about the "security questions". They really bother me. Apparently that's how Sarah Palin's AOL (gosh didn't know that still existed!) email was broken into. They asked her her High School. Public record (and nowadays everyone blabs it on their spacebook). Stupid question.
Preston Web Design | follow me on ayyelo
Posting Permissions
Bookmarks