Not really relevant, but I had to share this.
Nick Helm has won an award for the funniest joke at the Edinburgh Fringe with "I needed a password eight characters long, so I picked Snow White and the Seven Dwarfs".
I choose passwords based on the sensitivity of the information they protect. For most websites such as forums, I typically use 1 of about 3 passwords. At most, if I haven't visited a site in a long time, I know it's going to be one of those 3. The passwords aren't easy to guess, but they're optimized for convenient typing. That doesn't mean I choose sequential keys, but rather I limit the amount of hand movements and contorting wrist twists I have to perform to type the password.
For more sensitive stuff like bank, PayPal, web facing servers, domain registration, etc., I always use a slightly longer and harder to guess password, and only ever use the password for that single service. I can remember most of my passwords off the top of my head, but I do keep a copy of them in case I ever forget one.
I also use a password generator, and sometimes I use simple passwords and replace some of the letters with numbers, for example a 2 instead of Z, 5 instead of S and so on.
Do you guys think that makes any difference? I don't know much about password security.
The cartoon is almost complete and offers a good clue on how to set up your password, but don't forget that if you have a good dictionary you may break that very easily.
The cartoon points out that replacing letters with numbers isn't very secure - it's so easy to try variations on dictionary words in this manner that it isn't really suitable, IMO. I use totally randomly generated passwords with letters, numbers and special characters.
The most important factor in password security is length. The second most important is using different types of characters - e.g. symbols, numbers, lower and uppercase letters. After that I guess it's making sure it isn't based on a dictionary word.
It pisses me off every time I have to sign up for a site and find out my long password, which can be between 32 and 64 characters (by default), is too long, or some of the characters are invalid. That is bad, very bad!
If one is handling passwords correctly, length and characters contained within the password should be a non-issue. For example, a password should be able to have an SQL injection attack within, but handled right it won't do a darn thing.
```php
<?php
// some_db_escape() and some_db_query() are placeholders for whatever DB layer you use;
// the table name "users" is assumed.
$username = some_db_escape( $_POST['username'] );
$password = hash( 'sha256', $_POST['password'] ); # Secured!
$sql = some_db_query( "SELECT * FROM users WHERE username='$username' AND password='$password'" );
```
After hashing, the password will be a fixed length, and the default encoding, hexadecimal, contains a fixed set of characters. The value is no longer a security threat to your application.
Logic without the fatal effects.
All code snippets are licensed under WTFPL.
And if you were properly using your DB with prepared/parameterized queries, you would never have this SQL injection vector.
Also, in 2011, most sites really don't need to hold passwords at all -- OpenID is here. Why would you want to take on the onus of owning the credentials?
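The two points made above (a hashed password cannot carry SQL into the query, and parameters close the hole for the username too), as an added example that is not from this thread. It uses Python with sqlite3 standing in for the PHP database layer; the `users` table, the `alice` account and the injection-shaped inputs are all constructed for the demo.

```python
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    # Hex digest: fixed length and only [0-9a-f], so whatever the user typed
    # (quotes, spaces, SQL) can never reach the query text. A real login system
    # should use a slow salted hash (scrypt/argon2) rather than bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    return db


def login_concat(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors the PHP snippet above: password hashed, username spliced into SQL."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username='{username}' "
           f"AND pw_hash='{hash_pw(password)}'")
    return db.execute(sql).fetchone()[0] > 0


def login_param(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Both values bound as parameters; the SQL text never changes."""
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE username=? AND pw_hash=?",
        (username, hash_pw(password)),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "alice", "' OR '1'='1"))   # False: hashed password is inert
    print(login_concat(db, "alice' --", "anything"))  # True: username field still injectable
    print(login_param(db, "alice' --", "anything"))   # False: parameters close the hole
    print(login_param(db, "alice", "correct horse"))  # True: legitimate login
```

The second call is the case the hashing-only approach misses: only the password was neutralised, so any other field that is spliced into the query still needs binding.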
Simple rules I use. Take the first three numbers of your birth date, and the last three numbers of the year, for example. And in the middle put some sentence which you will remember for sure, like "you will never guess this pass". So your password would look like, e.g., 056you will never guess this pass979 for someone who was born on 05. 06. 1979. I guess you get the point...
The password must be between 12 and 16 characters, and it must be set up so that it is different and unique, so that it is difficult to steal.
I also use a mixture of special characters, numbers and upper and lower case letters. It is easy to remember if you make passwords from words that you remember easily. One should not use the complete word, which they often use, but use some part of it in their passwords.