Password security tips
by subacati
Whenever you register an account anywhere on the Internet these days, you need to choose a password. But how do you know if your password is secure?
If we have a look at the password cracking techniques that are used, we can get a few good hints. The first thing to know is that personal information is freely available these days! Using names, dates of birth or other information that is directly associated with you is a bit like keeping the key to your front door on a keyring hanging outside that door!
John Pozadzides, an Internet standards expert and CEO of the web company iFusion Labs, wrote an article in 2007 in which he lists the 'top ten' bad choices for passwords! These are the passwords that are easy to guess and yet far more common than you'd think! :insane:.
Here is that list!
1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
2. The last 4 digits of your social security number.
3. 123 or 1234 or 123456.
4. “password”
5. Your city, or college, football team name.
6. Date of birth – yours, your partner’s or your child’s.
7. “god”
8. “letmein”
9. “money”
10. “love”
Now I know that nobody reading this has used any of those as their password, right? Right? :insane:.
Now, if that list doesn't include your password, it doesn't mean that you're safe yet! The most common method for hacking a password is the brute force attack. Some sites will lock an account or temporarily block an IP address that has entered a wrong password more than three times, but many sites allow an unlimited number of retries! Then the would-be hacker is limited only by the time it takes to 'guess' the correct password. And if the hacker has obtained a copy of the site's password database, the site's limits don't apply at all: the guessing happens offline, on the hacker's own machines.
A brute force attack uses an automated script to try thousands of potential passwords until the correct one is found! The first stage is usually a dictionary attack: it uses a 'dictionary' file filled with virtually every 'password' the hacker can think of, and then some. (Hackers have been known to load actual dictionaries into these files.)
Now, if you think that using 1337 speak helps, then think again! Hackers will usually include leet speak versions of every word in their dictionaries for this very reason, along with the usual tricks of capitalising the first letter and tacking a digit on the end!
But what if the password is not a word at all? Well then, the next stage of the brute force attack is to try every combination of letters, numbers and special characters that is allowed, in sequence, starting with the minimum number of characters allowed for the password! This is the original brute force attack and it's guaranteed to find your password... eventually! :left:.
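To show what "leet speak versions in their dictionaries" means in practice, here is an added example (not code from the original article) that expands a tiny seed wordlist with the mangling rules a cracker's rule set typically applies: leet substitutions, capitalisation, and the appended 0 or 1 from item 1 of the list above. The substitution table, the suffix list and the seed words are assumptions for illustration.

```python
"""Wordlist expansion with leet, case and suffix mangling rules.

Added example, not code from the original post. LEET, SUFFIXES and SEED
are assumed values chosen for illustration, not a real cracker's rule file.
"""
from itertools import product

# Assumed subset of the substitutions a mangling rule set applies.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
# "possibly followed by a 0 or 1" (item 1 of the top-ten list), plus 123.
SUFFIXES = ["", "0", "1", "123"]


def leet_variants(word):
    """Every combination of applying or not applying each substitution.

    A word with k substitutable letters yields 2**k variants, so the
    'protection' from leet speak is only a small constant factor."""
    slots = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    return {"".join(p) for p in product(*slots)}


def case_variants(word):
    """Common capitalisation patterns (all lower, all upper, first letter)."""
    return {word.lower(), word.upper(), word.capitalize()}


def mangle(word):
    """All guesses derived from one seed word."""
    out = set()
    for leet in leet_variants(word):
        for cased in case_variants(leet):
            for suffix in SUFFIXES:
                out.add(cased + suffix)
    return out


def expand_wordlist(words):
    """Expanded, de-duplicated guess list for a whole seed wordlist."""
    guesses = set()
    for w in words:
        guesses |= mangle(w)
    return sorted(guesses)


SEED = ["password", "letmein", "fluffy"]  # constructed seed list

if __name__ == "__main__":
    guesses = expand_wordlist(SEED)
    print(f"{len(SEED)} seed words -> {len(guesses)} guesses")
    for candidate in ["p4ssw0rd", "L3tm31n1", "Fluffy1", "correct horse"]:
        print(f"{candidate!r:16} in list: {candidate in guesses}")
```

The point the numbers make: a handful of rules turns each seed word into a few hundred guesses, which is nothing for an automated script, so "p4ssw0rd" is found in the same pass as "password".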
But how long will that take? Well, the graphic in the original article (linked below) illustrates how long it could take, depending on how long the password is!
As you can see, the longer the password, the more time it takes. From this you can deduce that even using random mixed upper and lower case letters, your password must still be at least eight characters long before it is 'safe'. But remember that this was calculated for the power of a single computer in 2007 (when the original article was written).
Using modern equipment assembled into a ten node Beowulf cluster, we can do that at least a thousand times faster! :insane:.
But the main point here is that longer is better! Every extra character multiplies the number of combinations by the size of the alphabet, so length beats cleverness. If the password is long enough, not even NASA or the CIA can crack it within one lifetime! :knight:. At least, not with a brute force attack, that is! :left:.
(The original article is linked below! Be warned, however, that a friend of mine received dire threats and warnings from his anti-virus at that site.)
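Since the graphic is not reproduced here, the following added example (not from the original article) does the arithmetic behind it: the number of guesses needed to exhaust every password up to a given length over a given alphabet, and the worst-case time at an assumed guess rate. It also goes one step beyond the article by scoring a passphrase made of dictionary words the same way, which is relevant to the "sentence as a password" question in the comments. The guess rates and the 2,000-word dictionary size are assumptions used only to show how the numbers scale; real rates depend on the hash algorithm and hardware.

```python
"""Brute-force cost estimates for character passwords and word passphrases.

Added example, not code from the original article. RATES and
DICTIONARY_WORDS are assumed values for illustration only.
"""
import math

CHARSETS = {            # alphabet sizes
    "digits": 10,
    "lowercase": 26,
    "mixed case": 52,
    "mixed + digits": 62,
    "all printable ASCII": 95,
}
RATES = {               # assumed guesses per second
    "single 2007 PC": 1e6,
    "1000x faster cluster": 1e9,
}
DICTIONARY_WORDS = 2000  # assumed size of an attacker's word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, min_len, max_len):
    """Guesses needed to try every length from min_len to max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def worst_case_years(alphabet_size, length, guesses_per_second):
    """Time to exhaust all passwords of 1..length characters."""
    return keyspace(alphabet_size, 1, length) / guesses_per_second / SECONDS_PER_YEAR


def passphrase_keyspace(words, dictionary_size=DICTIONARY_WORDS):
    """A passphrase of N dictionary words is an N-character password
    over an alphabet of dictionary_size 'characters'."""
    return dictionary_size ** words


def entropy_bits(guesses):
    """Equivalent key length in bits (log2 of the number of guesses)."""
    return math.log2(guesses)


def length_needed(alphabet_size, guesses_per_second, years):
    """Smallest length whose worst-case crack time exceeds `years`."""
    n = 1
    while worst_case_years(alphabet_size, n, guesses_per_second) < years:
        n += 1
    return n


if __name__ == "__main__":
    for rate_name, rate in RATES.items():
        print(f"\n{rate_name} ({rate:.0e} guesses/s), worst-case years:")
        print("length  " + "".join(f"{name:>20}" for name in CHARSETS))
        for length in range(4, 13, 2):
            row = f"{length:>6}  "
            for size in CHARSETS.values():
                row += f"{worst_case_years(size, length, rate):>20.3g}"
            print(row)
        print("mixed-case length for a 100-year safety margin:",
              length_needed(52, rate, 100))

    print("\nPassphrase vs random characters (bits of entropy):")
    print(f"  4 words from {DICTIONARY_WORDS}: "
          f"{entropy_bits(passphrase_keyspace(4)):.1f} bits")
    print(f"  8 random mixed-case chars: {entropy_bits(52 ** 8):.1f} bits")
    print(f"  6 words from {DICTIONARY_WORDS}: "
          f"{entropy_bits(passphrase_keyspace(6)):.1f} bits")
```

Two things the table makes obvious: making the attacker a thousand times faster is worth only about two extra characters of length, and a four-word passphrase from a small dictionary is in the same class as eight random mixed-case characters, while six words pulls well ahead.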
http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/
Originally posted by L2D2:
I remember her getting helluva pissed off with me for trying to defuse a futile 'discussion' between her and some other stubborn religious fanatic! :insane:. The really weird thing is that they were making virtually the same argument, yet they were 'disagreeing' to agree! :confused: :awww:. She locked me out of her blog at that time too! :rolleyes:.
I did have one site analyze the password I chose for them and they said it would take 14 years to hack it.
8 characters is my shortest password. Most of my passwords have 17 or more characters. And I was told that a nonsense word that just pops into your head combined with some numbers is a strong password also. I HAVE to write down my passwords. Failing to do so has caused me to be unable to unsubscribe from some emails. And I have at least 30 different passwords.
Aadil, do you remember Nitro? Helen? She has a new post after all these months and it is funny stuff about South Africa. http://my.opera.com/NitroH/blog/
:yikes: :eyes: Well, I don't know what that was all about, but she lost her husband in July and is just now back. I thought the SA questions and answers was funny.
I didn't know about that. :awww:. I agree, the questions and answers are funny though. :up:.
:sherlock:. I'd say that "conundrum" is likely to be right up there with "letmein" as an 'obvious' password. But which is harder to crack would depend on two things: what the statistical frequency of either 'password' being used is, and whether the would-be cracker has taken that into account. :sherlock:. A clever cracker is probably administering a few forums of his own and taking note of what passwords people are using most frequently. :left:. This way, he has better odds at finding the right password sooner rather than later. :left:.

It's like the telephone system at work. There is a feature whereby they can give each worker a code to use for making outside calls. In theory, you can use this to charge private calls to the person making them. The problem is that the code is four digits long, for a theoretical ten thousand possible codes. But the system has a loophole. When you're entering the code, if you press a wrong digit, it resets to a dial tone. :doh:. So, to get the first digit of a random valid code, you just try each digit from 0 to 9 until you find one that doesn't reset the system. Repeat this for the second, third and fourth digit, and you've hacked the system. :insane:. Needless to say, with this being inside a prison, they've disabled all the codes. :p.

The point is, due to a silly flaw, it only takes a maximum of forty attempts to find a code. And that's assuming that there is only one code enabled. :rolleyes:. Cracking and phreaking is all about statistics. Running through completely sequential combinations is a last resort. So, "My dog ate my homework" is probably weaker than say, "LaQ2" in the grand scheme of things. :p. :devil:
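The dial-code loophole in the comment above is a classic early-reject oracle: the system tells the caller whether each digit was right before the whole code has been entered, so the four digits can be attacked one at a time. This added example (not code from the comment's author, and a constructed simulation rather than real telephony software) models both the flawed system and a fixed one that only answers on a complete code, and counts the attempts each attacker needs. The code values are made up.

```python
"""Per-digit reset oracle: 10**4 codes fall in at most 40 attempts.

Added example, not from the original discussion. Both 'systems' are
constructed simulations; the code values are assumed for illustration.
"""
CODE_LENGTH = 4
DIGITS = "0123456789"


class LeakyDialSystem:
    """Flawed PBX: resets to dial tone as soon as a digit is wrong, so a
    partial code that does NOT reset reveals that the prefix is valid."""

    def __init__(self, valid_codes):
        self.valid = {c for c in valid_codes if len(c) == CODE_LENGTH}
        self.attempts = 0

    def enter(self, digits):
        """True if the line stays open after entering `digits`."""
        self.attempts += 1
        return any(code.startswith(digits) for code in self.valid)


class StrictDialSystem:
    """Fixed PBX: accepts all digits silently and only answers once the
    full code is in, so partial entries leak nothing."""

    def __init__(self, valid_codes):
        self.valid = {c for c in valid_codes if len(c) == CODE_LENGTH}
        self.attempts = 0

    def enter(self, digits):
        self.attempts += 1
        return len(digits) == CODE_LENGTH and digits in self.valid


def crack_digit_by_digit(system):
    """Extend the known prefix one digit at a time; at most 10 probes per
    position, so at most 10 * CODE_LENGTH attempts in total."""
    prefix = ""
    for _ in range(CODE_LENGTH):
        for d in DIGITS:
            if system.enter(prefix + d):
                prefix += d
                break
        else:
            return None  # no valid code continues this prefix
    return prefix


def crack_sequential(system):
    """Last resort: walk 0000..9999 in order."""
    for n in range(10 ** CODE_LENGTH):
        guess = f"{n:0{CODE_LENGTH}d}"
        if system.enter(guess):
            return guess
    return None


if __name__ == "__main__":
    codes = ["4729"]  # constructed: one enabled code

    leaky = LeakyDialSystem(codes)
    print("leaky system:", crack_digit_by_digit(leaky),
          "found in", leaky.attempts, "attempts")

    strict = StrictDialSystem(codes)
    print("strict system (digit-by-digit):", crack_digit_by_digit(strict),
          "after", strict.attempts, "attempts")

    strict = StrictDialSystem(codes)
    print("strict system (sequential):", crack_sequential(strict),
          "found in", strict.attempts, "attempts")
```

The same pattern shows up wherever a secret is checked piece by piece and the check stops at the first mismatch (a string comparison that returns early, a form that validates one field before the next): the design fix is the one in the strict system, accept or reject only the complete secret and give the same response to every wrong one.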
I do have /one/ really weak password, because my father was spying on me and reset it in an attempt to get into the account he was spying on. I'd change it, but I'm afraid he'll later try to spy on me again, and if he can't get in (the reset requirements are more stringent now) he'll get mad and think I'm hiding something. And then I'll get in trouble for absolutely nothing, as once he got in he'd see there's nothing there to hide.
I'm going to make an electronic will with 25 characters! :D
Originally posted by qlue:
I don't think most people store personal information on their blog account. If somebody was to hack my MyO-account, all they would have access to is my blog – not my real name, my bank info, my e-mail etc.
Originally posted by draggysicyfire:
You keep your illegal profits in other accounts? :devil: :p
Originally posted by rose-marie:
Can Opera not send you any emails? I get notifications about certain things. Not many, but they have my email address. You'd be surprised how creative people can be in retrieving that info! And once they have your email, it's not very hard to discover the rest…
That is indeed, a decent way to secure yourself. 🙂
I don't have notifications on, but when I did – they went to my opera mail which was only used for that particular thing and does not have any connection to the mail addresses I use daily.
Holy triple take, Batman! That's the 3rd time I've seen that advice. Confound that conundrum. :ninja: We must act swiftly. The fate of the world is at stake.

THERE! I changed it. I fortified it now. I made it stronger now. I changed it to "conundrum1" :headbang: :norris: Uncrackable now, I say. The world is safe again.

Nah, just kidding. I don't use something THAT simple as my Passwords. I knew "conundrum" was no stronger than "spaghetti" or "airplane." My inquiry was just in curiosity because of that person mentioning on that discussion in that other Blog that she usually used something like a particular sentence. I immediately saw at that time that while the Sentence as a Password obviously had a whole mess of characters, it was all comprised of pure, solid, actual words from the dictionary. So, I figured it was no doubt giving the person a false sense of security. I had been curious as to how close in weakness a 1-word Password was to a Password comprised of a sentence of solid, easy, straight out of the dictionary words.
And Mik is just teasing me because my response is full of T9s and other errors and My Opera decided to crash and burn just as I posted it. :p. Of course, modern systems allow spaces, special characters and sometimes even non-printing characters. But legacy systems didn't allow spaces or any non-alphanumeric characters. :left:. In the early nineties, I had a Beltel account (Prestel system); the password had to be exactly six characters and only alphabetic characters were allowed. :insane:. That service is no longer running, but if it were, anyone would be able to hack in with modern technology! :insane:.
Anyone was able to hack in with the tech of the day pretty easily. Not that anyone I know would have ever done anything like that because there was nothing on television and we bet each other we could make War Games happen in real life…
Originally posted by L2D2:
made up of words, and numbers and other characters.
hmmm need to update passwords:P
All mine still seem to work after all the decades I have been using them so I will leave them as is 😆
Just made me realize I need to change a couple myself.
Well, sure, DH, they still work after all the decades. That's why the Hackers keep using them. They don't have to learn new ones.
Originally posted by Suntana:
:lol:.
Oh no, they are very secure, nobody would ever guess "password" or "letmein"