Skip to main content

There's a diary on the rec list now, providing advice on how to construct good passwords. While well intentioned and theoretically sound, I have to disagree with the most basic foundation of the approach taken here. Similarly, I think the ever popular XKCD comic about passwords is horrifically misleading.

Allow me to tell you why, quickly and succinctly.
Yahoo hack steals 400,000 passwords. Is yours on the list?
6.5 Million Encrypted LinkedIn Passwords Leaked Online [REPORT]
EHarmony Passwords Stolen By LinkedIn Hackers

The aforementioned diary contains one key piece of advice, though.

Never use the same password twice, always have different passwords for different websites/computers.
And it's that line I'm going to talk about beyond the squiggly, because in my opinion it's the ONLY advice relevant to computer security for the every-man. And it turns out that once you solve this problem properly, the issue of choosing good passwords becomes largely irrelevant.

Let's back up and talk quickly about how passwords work. A server for some website has a database which stores your user credentials, including "something" that can be used to check that you entered the correct password. IT professionals will start talking about hashes and brute force attacks and all kinds of other scary technical terms. They'll tell you that some password will take two million years to crack. The truth is, that's not how it works and hasn't been for many years. That's because the "something" used to validate your password can vary widely. Maybe they do a sophisticated encryption with salted hashes run through a GPU-resistant multi-iteration bcrypt. Or maybe they just save your password verbatim without doing anything at all. I've seen both, on major sites who advertise their security. And guess what? You have no way of knowing who's doing what.

You'd expect a company like LinkedIn to be fairly savvy when it comes to security, but that was clearly not the case. I'm referring not to the security breach, but the files that were leaked as a result. The passwords weren't stored in open text, but the format wasn't far off. (Simple unsalted SHA-1 hash.) Modern password decryption tools are much, much more powerful than most public descriptions would have you believe. In short, you must assume that by providing a password for any website, that password has immediately been compromised. The more sites get the same password, the more likely that password is to be exposed and all of the shared sites attacked. And this is a risk no matter how cryptic your passwords are.

How many passwords do you have? Most people can't keep track of more than half a dozen or so, maybe with some variations. Password decrypters can generate variations faster than you can think of them, so those variations aren't getting you as much mileage as you think. Now -- how many account logins do you have? Do you even know? I have a database of mine, and the number is north of 130 distinct sites with usernames and passwords. I can't keep 130 discrete non-variation passwords in my head, and I suspect most of you will confess that your passwords are shared widely. Except for a few savants, you cannot variation yourself out of the problems.

You really think password cracking software is not smart enough to try replacing 'a' with "@" or 'l' with "1"? Really? Take this paragraph from the original diary:

Remember, the best pass phrases make no sense and are easy to remember. "[ 0bfuscating 0ffisaur ]" sounds like Obfuscating Officer, and is easy to remember. It's also excessively hard to crack. Hell, "Obfuscating Officer" by itself is a pretty secure passphrase.
You're in for a nasty shock if you think any of those are secure passwords. Dictionary words with O->0 substitution? That will be cracked in minutes. The brackets might give you a fighting chance...for a while. On the LinkedIn database, I can test 2.3 billion passwords per second at home. I can recruit Amazon servers to run it a hundred times faster, at trivial expense. One hour of that comes to 828 trillion passwords tested.

Hopefully I've made my point. Practical password security has nothing to do with choosing smart passwords. That doesn't mean "Password1" is a safe password. It means we have to overhaul our approach completely. We need:
* A completely different password for every website.
* A reliable mechanism for creating safe passwords.
* A safe approach to storage and retrieval of passwords.

In short, we need software. Luckily, there are many great options. Here are the ones I'm aware of:
LassPass (my choice, cloud service)
KeePass (open source)
1Password (favored by a security professional friend of mine)
PasswordSafe (by security professional Bruce Schneier)

All of these applications do essentially the same thing: they remember your passwords in a safe, secure way. (Browsers can remember passwords, but they aren't secure. Don't use this feature.) They include browser plugins to automatically fill logins, generate new logins, etc. And they make it possible to safely share your passwords across computers. All you have to do is encrypt the data with a single good password, and let the manager generate ultra-long unique gibberish for every website you want. Mine just spit out "9#S!P3FW@b4X^5Bw6CF!$zu@qq&A&v". A real challenge to decode at that length, with all kinds of special symbols and no dictionary words or suffixes. And even if it is decoded, I can change the password any time with minimal effort -- and no human memory required.

I changed my Yahoo password yesterday. I have no idea what it was before, and I have no idea what it is now. But Yahoo's passwords were stolen, so I changed it. It took about a minute to do. I can access the password and Yahoo's site any time I want. Simple, direct, no wacky schemes and pass phrases and randomly placed brackets. No passwords written down anywhere to be found. And because it's mindless, I can do it consistently for every single site without fail.

Of course there is one caveat left: my LastPass login password is now one monstrous gaping hole. If someone steals that password, everything goes very badly wrong. This is a calculated risk; I am assuming that LastPass is able to keep my data adequately safe as a dedicated security company. My vulnerability is only one site wide, though, and my account is shielded by two factor authentication as an added step. It's a risk I chose to take on because of the convenience of a cloud service; KeePass requires no such faith or calculated risks, just a good backup service for the file.

For that one file or service, feel free to use something like "[ 0bfuscating 0ffisaur ]". It's a good idea there. Just don't think you can compete with dedicated hackers by tacking 1776 onto the end of your passwords here and there.

Originally posted to Element 61 on Thu Jul 12, 2012 at 09:55 PM PDT.

Also republished by Anonymous Dkos and Community Spotlight.

Your Email has been sent.
You must add at least one tag to this diary before publishing it.

Add keywords that describe this diary. Separate multiple keywords with commas.
Tagging tips - Search For Tags - Browse For Tags


More Tagging tips:

A tag is a way to search for this diary. If someone is searching for "Barack Obama," is this a diary they'd be trying to find?

Use a person's full name, without any title. Senator Obama may become President Obama, and Michelle Obama might run for office.

If your diary covers an election or elected official, use election tags, which are generally the state abbreviation followed by the office. CA-01 is the first district House seat. CA-Sen covers both senate races. NY-GOV covers the New York governor's race.

Tags do not compound: that is, "education reform" is a completely different tag from "education". A tag like "reform" alone is probably not meaningful.

Consider if one or more of these tags fits your diary: Civil Rights, Community, Congress, Culture, Economy, Education, Elections, Energy, Environment, Health Care, International, Labor, Law, Media, Meta, National Security, Science, Transportation, or White House. If your diary is specific to a state, consider adding the state (California, Texas, etc). Keep in mind, though, that there are many wonderful and important diaries that don't fit in any of these tags. Don't worry if yours doesn't.

You can add a private note to this diary when hotlisting it:
Are you sure you want to remove this diary from your hotlist?
Are you sure you want to remove your recommendation? You can only recommend a diary once, so you will not be able to re-recommend it afterwards.
Rescue this diary, and add a note:
Are you sure you want to remove this diary from Rescue?
Choose where to republish this diary. The diary will be added to the queue for that group. Publish it from the queue to make it appear.

You must be a member of a group to use this feature.

Add a quick update to your diary without changing the diary itself:
Are you sure you want to remove this diary?
(The diary will be removed from the site and returned to your drafts for further editing.)
(The diary will be removed.)
Are you sure you want to save these changes to the published diary?

Comment Preferences

  •  Tip Jar (169+ / 0-)
    Recommended by:
    MsGrin, Ginny in CO, Bob Love, implicate order, FG, mm201, Rosaura, statsone, elfling, twigg, old wobbly, side pocket, chuco35, KenBee, OLinda, BPARTR, Purple Priestess, greycat, kalmoth, kaliope, catly, Clive all hat no horse Rodeo, jgilhousen, Simplify, AntKat, Seneca Doane, wasatch, sockpuppet, Hopeful Skeptic, sandbox, tomephil, Joy of Fishes, GreyHawk, rmonroe, The Raven, kenboy, Desert Rose, stevej, Twoflower, Linda in Ohio, Rick Aucoin, Sagebrush Bob, DSC on the Plateau, rubyclaire, Justus, OllieGarkey, saugatojas, jam, BlueMississippi, CayceP, poliwrangler, BlackBandFedora, ladybug53, Oh Mary Oh, BayAreaKen, Creosote, ord avg guy, Thinking Fella, kharma, mkfarkus, oceanview, CuriousBoston, 2thanks, lavaughn, sunny skies, Pat K California, redlum jak, nomandates, leathersmith, pateTX, dibsa, cybersaur, stevemb, oortdust, KateCrashes, Unit Zero, congenitalefty, Yellow Canary, radical simplicity, BigOkie, el dorado gal, Robynhood too, DBunn, gizmo59, DRo, native, MRA NY, anodnhajo, SarekOfVulcan, Sandino, Palafox, Geenius at Wrok, nyceve, MJ via Chicago, FWIW, Sharon Wraight, 2laneIA, marleycat, Andrew F Cockburn, NearlyNormal, sweetsister, Joieau, Sylv, The Hindsight Times, holeworm, parker parrot, jennylind, J M F, Wolf10, nickrud, belinda ridgewood, bloomer 101, democracy inaction, subtropolis, PhilJD, Bill Roberts, tonyfv, Andrew C White, sabishi, out of left field, Possiamo, sawgrass727, citisven, tegrat, QDMacaw, mumtaznepal, factbased, The Jester, anyname, Rhysling, countwebb, skohayes, rebel ga, Sprinkles, BeninSC, suzq, Renee, blueyedace2, AgavePup, abarefootboy, Assaf, SomeStones, linkage, Ray Radlein, bumbi, filby, bnasley, NYC Sophia, urnumbersix, Anne was here, FarWestGirl, terabytes, Skennet Boch, certainot, Miggles, praying manatheist, bread, qofdisks, Denise Oliver Velez, kingneil, melo, Lujane, basquebob, kyril, carolanne, angelajean, triplepoint, NYFM, Demeter Rising
  •  I just started using 1password (14+ / 0-)

    and it seems to be working well.

    "I was a big supporter of waterboarding" - Dick Cheney 2/14/10

    by Bob Love on Thu Jul 12, 2012 at 10:09:00 PM PDT

  •  The only places I use the 'same' password (9+ / 0-)

    are ones that are pointless to hack, where anyone logging in can't really get any info that isn't already probably public, and can't do much of anything even if they take over my account for a month or more without me noticing.

    •  not good (4+ / 0-)
      Recommended by:
      sockpuppet, Creosote, KateCrashes, bumbi

      if one account is hacked, then you could easily lose control of the account.  The password can be changed on you.

      Also, once someone has control of the account, no one else knows it.  So you don't know what damage can be caused in your name.

      And if one account is in fact hacked, the password is tried everywhere.  Very scary.

      "The only person sure of himself is the man who wishes to leave things as they are, and he dreams of an impossibility" -George M. Wrong.

      by statsone on Thu Jul 12, 2012 at 10:24:13 PM PDT

      [ Parent ]

      •  So, the fact that I use the same password (4+ / 0-)
        Recommended by:
        sockpuppet, cotterperson, bumbi, Miggles

        I need for several blogs in order to make a comment is bad? Geeze, I've set up a complicated, unique password for every financial site I have. But, I thought I'd give myself a break and just keep all the blogs the same.

        For me, Mitt reminds me of Jeff Bridges in Starman. He's like an alien that hasn't read the entire manual. You know, he's going, "Nice to be in a place where the trees are the right size." -- Robin Williams on Letterman 26 Apr 2012

        by hungrycoyote on Thu Jul 12, 2012 at 10:42:41 PM PDT

        [ Parent ]

        •  That's pretty much my strategy (9+ / 0-)

          It's not the best strategy, but it's better than what most laypeople I know do: write them down on post-it notes stuck to their monitor.

          I roll my eyes every time I walk into someones office and see "Wells Fargo: Puppylov3r*"
          I was especially amused that the admin password for the entire college network wasn't changed for over 4 years - and it was on post-its all over the place...

          •  Indeed. It's tempting to just say, (8+ / 0-)

            Have a unique, randomly selected, maximum-length password for every site you go to.  But we're humans.  We have limits in our ability to memorize stuff, especally if we don't want to spend all day doing it.  That's just not going to work.  And the more you try to push that on people, the more you encourage the sticky note solution.

            The best compromise, IMHO, is to:

            A) Maintain differing levels of security.  Have a widely used throwaway password or two for things you could care less about, and then increasingly lesser-used passwords for things you increasingly care more about, culminating with single-use passwords for anything where, if compromised, it could ruin your life.  4 or 5 passwords is not unreasonable to memorize.

            2) Have a good password-forming system.  Substitutions of characters with numbers and symbols isn't a bad idea, and they do indeed increase the search space by a couple orders of magnitude, but the basics come down to having the core of your password be good.  My personal favorite way to do a password is to not think of a word, but a sentence, and have some rule for getting a letter from each word.  For example, in your post, if the sentence was:

            "I roll my eyes every time I walk into someone's office"

            The password could be, using the extremely simple rule of "take the first letter from each":


            Beyond this you can tweak it with substitution rules, irregular capitalization, punctuation, etc.  So perhaps you use rules that turn it into:


            Or something of that nature.

            Note that this is not a random password.  It's subject to lexographical analysis, in that certain letters will be more common in certain positions (the substitutions, too, are subject to analysis based on how people frequently substitute, although again, they still significantly increase the workload).  But overall, it's a heck of a lot better than having a word or group of words as the base of your password!  And is still quite easy to memorize.  You just need to memorize "I roll my eyes every time I walk into someone's office"

          •  I was amused years ago to hear (0+ / 0-)

            that the password for super expensive engineering workstation software was almost never set up by the users.  So about 90%  of all engineering software protected by password could be entered using either 'demo' or 'default'.

            Many people are SOOOO trusting.

            Real plastic here; none of that new synthetic stuff made from chicken feathers. By the morning of 9/12/2001 the people of NYC had won the War on Terror.

            by triplepoint on Mon Jul 16, 2012 at 07:44:58 AM PDT

            [ Parent ]

        •  It Depends On How Important It Is To You (4+ / 0-)
          Recommended by:
          hungrycoyote, mumtaznepal, Lujane, kyril

          If you don't care about the possibility that somebody who had it in for you might lock you out of all of those blogs, or start posting stuff that makes you look like the love child of Jim Robinson and Glenn Beck, it's not a problem. Everybody chooses what risks they will and will not accept.

          On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

          by stevemb on Fri Jul 13, 2012 at 07:13:47 AM PDT

          [ Parent ]

        •  That's what I do (9+ / 0-)

          same password for all the political blogs.

          Those stupid comments I make now and then aren't me, they're some h4XX0r.

          "When I was an alien, cultures weren't opinions" ~ Kurt Cobain, Territorial Pissings

          by Subterranean on Fri Jul 13, 2012 at 08:20:24 AM PDT

          [ Parent ]

        •  I use a single password for a throwaway (0+ / 0-)

          email account to log into websites for commenting.  It can be ditched at a moment's notice.  My 'real' email account is closely held and I don't use it for any financial dealings or in any browsing situations .  Never had a problem, but this diary offers excellent advice, and I may consider altering my strategy.

          Real plastic here; none of that new synthetic stuff made from chicken feathers. By the morning of 9/12/2001 the people of NYC had won the War on Terror.

          by triplepoint on Mon Jul 16, 2012 at 07:38:37 AM PDT

          [ Parent ]

  •  If my choice is between going nuts or (6+ / 0-)
    Recommended by:
    sockpuppet, DRo, Creosote, CuriousBoston, tle, MJB

    whatever risk of getting my password hacked, how much is the risk?  

    I have issues with passwords. I don't keep them on the computer. Autofill does a few. The rest are in an old phone directory that is hidden pretty well. And there's my low tech, 4 legged, loud mouthed household security system not likely to allow an intruder to work undistracted.

    For reasons I only can explain as my apparently distorted electromagnetic field, this computer has issues with my passwords. I type very carefully. I have the telephone log set up very legibly. At least once a day I have to send a forgot password notice because the one that should work, won't. When I get to 3 or 4, I shut off the 'puter and take a hike.

    The only account that amounts to any thing is the bank. For other reasons I am seriously thinking about getting off the online bill pay and go back to checks.

    Does the security go down if you have the program open while your on the computer or does it have to be re-opened for every password?

    This has actually been my suspicion about all the pw risks. In the hospital, they have your password linked to your employee ID. Walk up to a terminal to chart or pass a med, swipe the badge, you're in. Passwords have to be changed every 3 months - which seems like long time to me.

    "People, even more than things, have to be restored, renewed, revived, reclaimed and redeemed; never throw out anyone. " Audrey Hepburn "A Beautiful Woman"

    by Ginny in CO on Thu Jul 12, 2012 at 10:25:40 PM PDT

    •  love your (6+ / 0-)

      "low tech, 4 legged, loud mouthed household security"  

      Also, I think a lot of this is just nuts.  When  websites will look through your contact list  (how kind of them!) to get names for you and you are asked to enter you pin number in a place that is in full view and has numbers that could be read from fifty feet, I hate to tell you but there are no secrets.

      As for banking I have my on-line access limited to one account and it does not allow overdraft nor can it be linked to another.  The most they could get me for on that one is  limited.

      Be the change you want to see in the world. -Gandhi

      by DRo on Fri Jul 13, 2012 at 06:08:02 AM PDT

      [ Parent ]

      •  Oh, the pin code really gets to me. (5+ / 0-)
        Recommended by:
        DRo, sawgrass727, ER Doc, Lujane, kyril

        The other is when I am some where they need to confirm my social and/or birth date. Last week a gal did that by saying what they had on record. The birth  date was not a huge deal but I did motion to lower her voice. No, she announced my SS# to a roomful of people. So I thanked her at an even louder level.

        I guess the diarist didn't have time to hang around?

        The low tech security joke.

        Burglar opened a sliding glass door and entered a very dark room. Suddenly he heard "Jesus is watching you." He froze and tried to locate the person, almost backing out the door. Again "Jesus is watching you." Then he saw the parrot and laughed. Asks the parrot "What's your name?" "Claude"  "What fool names a parrot Claude?" "Same fool that named the rottweiler Jesus."

        Shalom is my second rottie mix dog. They have both been wonderful dogs, protective appropriately - and they scare strangers because of the rottie features. I also have a thing about single function stuff. Her prime function is emotional support animal - an official ADA status :)

        "People, even more than things, have to be restored, renewed, revived, reclaimed and redeemed; never throw out anyone. " Audrey Hepburn "A Beautiful Woman"

        by Ginny in CO on Fri Jul 13, 2012 at 10:39:13 AM PDT

        [ Parent ]

        •  Yeah, (4+ / 0-)
          Recommended by:
          Ginny in CO, bumbi, Lujane, kyril

          When they spend all the time identifying you, a lot of that is nonsense.  An identity thief would already have the answers to those questions, and why do  I have to a zip code when I want to buy gas? Don't you think if someone grabbed my credit card  or # they would have access to my zip code too?

          A lot of this is phooey.  When I see these so-called security measures it sets off my internal bull$hit detector.  

          Another thing that drives me nuts is that people seem to think that plastic is safer than carrying cash. It's the same difference.  If you are held up, you are going to tell them the pin so you might as well hand them your cash.

          Happy you have a support animal. Mine is not official and wouldn't scare a real burglar. But even a small noise might discourage someone or beckon a neighbor.

          Be the change you want to see in the world. -Gandhi

          by DRo on Fri Jul 13, 2012 at 11:21:21 AM PDT

          [ Parent ]

        •  Forgot to say, (3+ / 0-)
          Recommended by:
          bumbi, Lujane, kyril

          that's a cute joke!

          Be the change you want to see in the world. -Gandhi

          by DRo on Fri Jul 13, 2012 at 11:44:11 AM PDT

          [ Parent ]

          •  I like it because in our tech crazy (4+ / 0-)
            Recommended by:
            DRo, bumbi, Lujane, kyril

            society, we forget that low tech works just fine. The fact that some large percent of people can't use their remote controls even if someone else programs them properly says it all for me.

            So the noisy dog may discourage the burglar because a neighbor might notice.

            When we were living in an apartment in the early years, my ex had a pretty expensive bunch of tools in an enclosed back porch. The lock was ok but the door was useless. He found a 2X4 that was long enough to brace the door to the concrete foundation. One night we were awakened by a horrible bang. The door was hanging off the lock side, the 2x4 slid to one side, and no burglar...

            "People, even more than things, have to be restored, renewed, revived, reclaimed and redeemed; never throw out anyone. " Audrey Hepburn "A Beautiful Woman"

            by Ginny in CO on Fri Jul 13, 2012 at 12:21:22 PM PDT

            [ Parent ]

            •  My kind of precautions! (4+ / 0-)
              Recommended by:
              Ginny in CO, bumbi, Lujane, kyril

              I happen to have a set of copper pots (despite the cost, I never liked cooking with them).  They live as decor hanging from chains on a tall floor to ceiling window.  If anyone ever tried to get through that window, I think they would have to study it for a long time, and I doubt they could do it without a lot of noise!

              Security system? That only announces that you have something worth securing.  Folks don't know where that data is shared and thieves are better finding it and at high-tech disabling than the average homeowner is of setting one up.

              Be the change you want to see in the world. -Gandhi

              by DRo on Fri Jul 13, 2012 at 12:36:37 PM PDT

              [ Parent ]

  •  I use Roboform (4+ / 0-)

    Have for years because it also has a "form-filler".

    Love it.

    I hope that the quality of debate will improve,
    but I fear we will remain Democrats.

    by twigg on Thu Jul 12, 2012 at 10:27:16 PM PDT

    •  Me too... RoboForm is great (1+ / 0-)
      Recommended by:

      it can generate passwords of pretty much any length and complexity, and store them on the web so you can use them anywhere.

      (Of course I have wondered, from time to time, what would happen if Roboform gets hacked...)

      Barack Obama is not a secret socialist class warrior who wants to redistribute wealth in America. But I'll still vote for him, anyway.

      by looty on Fri Jul 13, 2012 at 09:08:29 AM PDT

      [ Parent ]

      •  Unlikely (0+ / 0-)

        Roboform servers store your passwords encrypted, and your master password is the only key.

        They are transmitted in an encrypted form, and only decrypted locally.

        I hope that the quality of debate will improve,
        but I fear we will remain Democrats.

        by twigg on Sat Jul 14, 2012 at 05:00:19 PM PDT

        [ Parent ]

  •  There's also (2+ / 0-)
    Recommended by:
    oortdust, bumbi I personally use 1password, but I do work for an agency that uses passpack because it's good for sharing passwords with a team.

    Strange Angels - a progressive online dating site.

    by Zackpunk on Thu Jul 12, 2012 at 10:38:13 PM PDT

  •  there is NO info on any of my computers that's (1+ / 0-)
    Recommended by:

    worth diddly for hackers. I bank in person and keep all important info on hard copy in my safe. Passwords are more of a hassle than anything else for me. I use them, but only because i have to.

    It’s one thing to be antigovernment. It’s another to be pro-stupid.

    by furriner on Thu Jul 12, 2012 at 10:45:25 PM PDT

    •  I have nothing to hide on my computers (19+ / 0-)

      So why botha with password security?

      Well...because your machines online are susceptible to casual "scatter-shot" harvesting by bot-net puppet-masters who will make your computer their bitch in the background, even if you never perceive it happened.  

      Then one day, your machine could well be activated into service, or rather, into Denial of Service attack on some network that you can hope is not a hospital or some first-responder online command machine.  Or a public utility or a nuclear power plant.  You get the picture.

      So everyone needs to take responsibility to secure their machines  and networks as much as is reasonably possible, because each machine can add to the bot-net of hundreds of thousands of compromised machines all just waiting to rise up together at the same time at the command of the bot-master for whatever malicious purpose the botnet is created for.  etc. etc.

      So please, don't believe that just because your machine is basically boring to anyone else, that it's safe from any malicious interest.   If it's online with an operating system, it's of use to the Black Hats.  No kiddin'.

      "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

      by sockpuppet on Fri Jul 13, 2012 at 02:48:32 AM PDT

      [ Parent ]

      •  wow (8+ / 0-)

        thanks for the info
        had no idea
        I'm one of those who figures I'm protected by being boring

        or rather, thanks to you, I used to be one of those people

        •  Yaaaaay! One less bot for the botnets! (4+ / 0-)
          Recommended by:
          Lisa Lockwood, mumtaznepal, Lujane, kyril

          There are many of us in the cyber-security community who've been trying to sound the alert about this situation with the botnets for a decade now.   Mostly we've been marginalized to trying to secure the nation's cyberspace only by one machine at a time. ;)  

          Thankfully, now there's much more information being made publicly available in the media about cyberspace hazards and criminality.   I'm glad you're listening!  Woot!

          "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

          by sockpuppet on Fri Jul 13, 2012 at 09:43:06 AM PDT

          [ Parent ]

          •  I have AVG, SuperSpyware Pro, CCleaner, (1+ / 0-)
            Recommended by:

            Malwarebytes, and Advanced Systemcare 5 to make sure i DO NOT become infected by any virus or botnet.

            That said, I still have no info to be "harvested" by hackers.

            It’s one thing to be antigovernment. It’s another to be pro-stupid.

            by furriner on Fri Jul 13, 2012 at 09:50:11 AM PDT

            [ Parent ]

          •  well, becoming aware is the easy part (2+ / 0-)
            Recommended by:
            sockpuppet, kyril

            I've been trying to install one of those sites that let's me create the secure database of passwords and I can't get the damn thing to work or even get it off of my computer at this point.  Guess it's secure enough to lock me out already.  

            Also, since you are a cyber-knowledgeable person, I'll repeat a question I asked elsewhere in this comment thread.  When the site that I'm using to create a secure database for passwords asks me if I want to do it in Firefox or Safari, do I need to create a separate database for each browser?  Or, if I set it up in Firefox at work, can I copy it and load it on Safari at home?

            •  Which site and what does the HELP tab there say? (1+ / 0-)
              Recommended by:

              I don't use a secure password database like this.  Especially not one where the passwords are stored in The Cloud.  Because I use the "favorite saying" passphrase method (with correct punctuation, numbers and symbols added),  I can juggle all the pw's I need in my head.  

              You can KosMail me and we can sort it out, if you wish.  :)

              "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

              by sockpuppet on Fri Jul 13, 2012 at 12:32:35 PM PDT

              [ Parent ]

      •  WOW Makes me rethink even being hooked up to the (1+ / 0-)
        Recommended by:

        internet at all. Or maybe I should hook up my mini and then delete everything after every visit. Seems like so much freaking hassle that I really am beginning to reconsider its worth. Again it is  like so many arenas where there is life. Another environment with parasites,  microorganisms, prey, predators and mushrooms (all the plants who sit and get eaten by the prey animals who get eaten by the predators). Geesh who would have thought. LOL. Maybe we need some pesticide programs or traps with cheese?

        How can you tell when Rmoney is lying? His lips are moving. Fear is the Mind Killer

        by boophus on Fri Jul 13, 2012 at 11:21:06 AM PDT

        [ Parent ]

  •  This is why I think Murdoch bought myspace ... (0+ / 0-)

    to have instant access to all those myspace passwords that will work all over the place.

    Oust Walker May 8th - Vote Arthur Kohl-Riggs

    by Milhawkee on Thu Jul 12, 2012 at 11:39:20 PM PDT

  •  If someone is determined to get your password (3+ / 0-)
    Recommended by:
    sockpuppet, Rick Aucoin, DRo

    they're going to get it.  Doesn't matter if it's 14-digits and composed of numbers and characters from every alphabet and syllabary on Earth - from your keyboard through your computer, through your router, via your ISP, across however many servers, and to the database that knows what your password is, the information is out there for people of means to find it.  We are all unsafe, and I consider that a blessing - as, I imagine, would Wikileaks and the like.

    "I'm going to rub your faces in things you try to avoid." - Muad'Dib

    by Troubadour on Fri Jul 13, 2012 at 12:10:31 AM PDT

    •  The weakest link... (3+ / 0-)
      Recommended by:
      Troubadour, Ray Radlein, kyril the human link.    More so for a corporate setting, but if someone is determined to get your password, then they'll try to find a vulnerability in a clerk or secretary, et al, who unwittingly provides just enough information that a hacker can exploit further.   Most people inherently want to help, and hackers can be con artists to exploit that human nature.

      Kevin Mitnick wrote some good and fascinating books on the topic, and others exist too.

      •  Well, (0+ / 0-)

        Social engineering is probably the most effective and efficient method for most targeted attacks. If you're a business or organization, you should be most concerned about social engineering attacks. Same if you're a high-profile person.

        However, people still use software methods for indiscriminate large-scale dragnets.

        "Let’s just move on, treat everybody with firmness, fairness, dignity, compassion and respect. Let’s be Marines." - Sgt. Maj Michael Barrett on DADT repeal

        by kyril on Sat Jul 14, 2012 at 03:14:49 AM PDT

        [ Parent ]

  •  Thank you, much better advice (7+ / 0-)

    The previous (recced) diary missed the single most serious security flaw: when you have too many and to complex passwords, you have little choice but to record them.  The layperson invariably writes them down.
    You can break into some of the highest security systems in the world just by looking in the right secretaries top left desk drawer...

    I must confess nervousness about placing all my passwords into one program.  I'll consider it, though.

    •  Well both have been Rescued (9+ / 0-)

      and can be read almost side-by-side. I think they complement each other.

      Both are well written and informative.

      I hope that the quality of debate will improve,
      but I fear we will remain Democrats.

      by twigg on Fri Jul 13, 2012 at 06:03:22 AM PDT

      [ Parent ]

      •  Glad to see this got rescued too, (4+ / 0-)
        Recommended by:
        Ginny in CO, twigg, Ray Radlein, kyril

        I don't think it had been when I first commented.

        I didn't mean to slight the other diary - it certainly was well written and informative, and good cryptography.  I just found it funny that it missed the human factor.  The major problem with information security isn't cryptography, it's humans.

        •  It is rare for the Rangers (2+ / 0-)
          Recommended by:
          Ray Radlein, kyril

          to Rescue "response" Diaries.

          It is to the credit of this Diary that it is well presented and well written.

          The fact that it also complements the other Diary is a bonus :)

          I hope that the quality of debate will improve,
          but I fear we will remain Democrats.

          by twigg on Fri Jul 13, 2012 at 11:28:13 AM PDT

          [ Parent ]

    •  I thought that was an issue as stated as well, (1+ / 0-)
      Recommended by:

      and agree password managers are good for the average user.

      If you don't want to trust a password program's encryption (and I wouldn't personally, but that's just me), you can always use a text file encrypted with a 3rd party utility. (To be even safer, stick it on an encrypted disk...same if you do use a 3rd party utility with its own encrypted database.)

    •  If the secretary is out, and their computer is (1+ / 0-)
      Recommended by:

      still logged in, it's not that hard just to install a key logger, unless their computer is pretty locked down.  Even then, can probably still install a password logger for their browser, at least, as an extension.

      And if their corporate PC is too locked down, personal laptops (Or corp laptops, for that matter) are often less strongly locked down, providing another avenue for attack.

      A large number of businesses also use their own SSL keys to decrypt and then re-encrypt all external SSL traffic.  They often use old, out-dated versions of SSL to do this (Ever wonder why browsers have an option to enable SSL3 support?  That's why).  These have known security issues, and so if you have access traffic behind a company's firewall (Like, say, because you work there), you could probably wreak a lot of havok.

  •  I just don't put anything on the Internet (3+ / 0-)
    Recommended by:
    DRo, CuriousBoston, kyril

    worth hacking.  It's much simpler.  Do you want my DailyKos password?  I'm sure any half decent wardial software could hack it in a heartbeat.  And then they could post nasty comments in my name and HR everybody and I'd have to go boo hoo hoo.  I hope it's worth the effort.

    Want my Yahoo mail password?  Take my spam... PLEASE.  You'd need a sophisticated datamining algorithm to separate anything even slightly useful from all that.  I don't even try anymore.  Which reminds me... It's been about a week since I checked my email.  Gotta go!

    •  The problem with that ... (5+ / 0-) that you've probably signed up for at least one other site using that Yahoo address.

      So technically, the attack is this: you hack the easy Yahoo password, then go to more useful sites, click the "forgot password" link, and enter the hacked email address. The password reset link for your bank then gets sent to the hacker.

      (I'm not really sure how likely it is -- but it does seem worth it to me to use a fairly secure password on your email.)

  •  It's possible to "remember" an infinite number (3+ / 0-)
    Recommended by:
    GRLionsFan, sillia, kyril

    of passwords, one per web site if you apply a fixed formula. I guess all the password software you mentioned use a variation of that scheme and combine your own ID with the web site ID to create unique and infinite number of passwords for everybody on the fly.

    The formula can vary depending on the security level of the web site you visit so even if visit a crummy web site and get your password and the formula figured out, it's still not possible for the hacker to figure out the passwords for other web sites, especially for those at higher security level than the crummy one.

    Anyway, maybe things have changed but several web sites do not allow non alphanumeric characters while others require at least one non alphanumeric character. That's my biggest beef since I can't remember which web sites use which password rules to apply a consistent formula. I can't even remember the web sites I have accounts on although if I run into one which claims that I already have an account set up then I can use the formula to figure out the password I used for it.

    •  Yes, I can give my example (2+ / 0-)
      Recommended by:
      CalvinV, kyril

      For sites that aren't very important (no financial info), I have a nifty string I can remember, to which I add (either at the beginning or the end) a number corresponding to the first letter of the website's name. For example, [NiftyString]4 might be for Daily Kos. So when I need to log in somewhere it's easy to remember the password, though it's different from most of the other passwords I use. I suppose the number isn't any more secure than the letter, so you could also use [NiftyString]D for example.

      On bank sites I use a different system, unrelated passwords.

      ~On, Wisconsin! On, Wisconsin! Raise her glowing flame!~ I am proud to say three generations of my family lived in WI. Though I live elsewhere, am with you in spirit!

      by sillia on Fri Jul 13, 2012 at 07:21:42 AM PDT

      [ Parent ]

      •  Something like that :) (2+ / 0-)
        Recommended by:
        sillia, kyril

        But I also take care of the case where a hacker somehow manages to get hold of not just one but several of my passwords.

        Two things can be done so he could not figure out all other passwords (at least not too easily anyway :)) and access my financial accounts:

        1) make the [NiftyString] not all the same nifty string but slightly mangled depending on the current web site.

        2) make it much harder for the hacker to figure out that the additional characters come from the name of the web site.

        3) intersperse the nifty string with the formulated name for the web site so the two don't sit in two distinct lumps and make it easy for anybody to recognize the pattern.

        Let's demonstrate point (2) for the web site dailykos. Let's say I want to identify the web site password by using the first two and last two characters of the web site name.

        So I get four characters d, a, o, s somewhere in the password for dailykos.

        That's semi-decent but once a hacker figures out the "nifty string" pattern then it's not hard to guess where those four characters come from.

        So, I might want to map two of those characters to their position in the alphabet and get:

        4 a o 19

        That's better. Now, let's say you apply a numeric security level to that and give dailykos web site the security level 1. And you use a formula which means the first two characters are added by 1 and the last two subtracted by 1.

        You will end up with:

        5 b n 18

        Point (3): usually, you want to lump the alphabetic characters together and the numeric characters together to make it harder to people to break them down into decipherable code words. So you probably have 'b' and 'n' scattered somewhere in your "NiftyString" and the number 518 somewhere in the password, maybe mingled with your other digits in the "NiftyString". Maybe something like 1518114 which is really your wife's birthday with dailykos formulated digits in the middle.

        So, how many people can read the password and figure out that bn518 scattered within the password is really the name for dailykos ?

        For you it's not that hard to remember since it's just the same formula you use everyday based on stuff like you wife's birthday and your dog's name (and mangle them too if you want extra security).

        I wish all web sites allow non alphanumeric characters though, then it will be easy to use formulas that will be impossible for any hackers to figure out. If they can't figure out the formula and have to go by brute force then it will take them forever and they don't usually have forever to spare :).

        •  Cool. (1+ / 0-)
          Recommended by:

          Appeals to my inner geek!
          (goes off muttering and calculating...)

          ~On, Wisconsin! On, Wisconsin! Raise her glowing flame!~ I am proud to say three generations of my family lived in WI. Though I live elsewhere, am with you in spirit!

          by sillia on Fri Jul 13, 2012 at 02:12:30 PM PDT

          [ Parent ]

  •  Will someone steal my identity, please? (6+ / 0-)

    Pay the bills, take the phone calls, etc.?

    You can't make this stuff up.

    by David54 on Fri Jul 13, 2012 at 04:33:50 AM PDT

    •  That's what I said (3+ / 0-)
      Recommended by:
      CuriousBoston, tle, kyril

      Then I found out that they just add more deadbeats onto my already deadbeat self. Does anyone know if there is an absolute zero to a FICO score? Never mind. I think I'll find out.

      Oh, and forget #Occupy. What we really need is #Alsatia or #TheMint.

      Every reductio ad absurdum will seem like a good idea to some fool or another.

      by The Geogre on Fri Jul 13, 2012 at 04:56:24 AM PDT

      [ Parent ]

      •  Ya got me. (2+ / 0-)
        Recommended by:
        The Geogre, kyril

        Tricked into learning a little history by that link.  Not that I'm anxious to go to a place anything like the original Mint:

        The Mint was hardly a debtor's holiday. Those who went to the Mint would frequently die of malnutrition or murder before raising enough money to escape their debts. Furthermore, the Mint's geography was a factor in its poor living standard, as it was below the river's level and therefore was a breeding ground for sewage- and water-borne maladies.
        Too bad such things never make it into the history that's taught in U.S. schools.

        I am become Man, the destroyer of worlds

        by tle on Fri Jul 13, 2012 at 06:58:14 AM PDT

        [ Parent ]

        •  Blush (5+ / 0-)

          I wrote the original article at Wikipedia. I was always fascinated by The Mint. It's such a weird story by itself -- a gap in manorial to municipal government -- and then the life inside of it and how it became sort of like living in a place .. . welll....

          Imagine having Payday loan, Car title lenders, Health insurance for $10 a year, Buy here pay here car lots, and people who demand vast interest rates for any transaction, and you've got life in The Mint, or life in today's urban centers. We've replicated all the worst of it, except for the beatings, and we've made it borderless, and we've also given the residents of our Mint guns and drugs.

          Every reductio ad absurdum will seem like a good idea to some fool or another.

          by The Geogre on Fri Jul 13, 2012 at 07:03:55 AM PDT

          [ Parent ]

          •  Then you're due a hearty THANK YOU. (2+ / 0-)
            Recommended by:
            The Geogre, kyril

            I am so thankful for all the work that people have done on Wikipedia. Not only is it very useful, it's full of interesting info.  Put there by you and people like you.

            I think it's about time for me to send a little more money to Wiki.  It's certainly well worth it.

            I am become Man, the destroyer of worlds

            by tle on Fri Jul 13, 2012 at 08:26:58 AM PDT

            [ Parent ]

            •  I. Must. Not. Comment. (2+ / 0-)
              Recommended by:
              charliestl, tle

              Let's just say that the people responsible for the content that users of the site enjoy and depend upon are at least at some variance with, if not openly scorned by, the people who have come to believe that they are most important to Wikipedia. It's a sad tale of human psychology and socializing and what happens when people are self-appointed.

              I don't mean the contributors. Those self-appointed people police one another, largely, and the malicious are generally easy to spot. I mean the self-appointed guardians and stewards and the like. Anyone who really, really wants power probably shouldn't have it.

              Every reductio ad absurdum will seem like a good idea to some fool or another.

              by The Geogre on Fri Jul 13, 2012 at 11:17:59 AM PDT

              [ Parent ]

    •  But consider another jerk move by banks... (0+ / 0-)

      You're never the victim of identity theft.  The bank is a victim of a bank robbery and wants to make you take the blame for it.

  •  Good diary. (14+ / 0-)

    Republished to Anonymous Dkos.

    My thinking is: if a dedicated hacker wants your information, there's really nothing you can do to stop them.

    Keeping out the script kiddies and cyberstalkers though is the direction I wanted to move with passwords, but this is good advice too.

    That's why I threw in the multiple passwords thing.

    I like your insight, though, do you want to write some more internet security diaries for us?

    An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

    by OllieGarkey on Fri Jul 13, 2012 at 05:36:27 AM PDT

    •  And just so you know, (8+ / 0-)

      When I compile a list of security diaries that have been written, this one's going on the list.

      An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

      by OllieGarkey on Fri Jul 13, 2012 at 05:37:20 AM PDT

      [ Parent ]

      •  Glad to hear it (6+ / 0-)

        I was a little worried, throwing this together at 1am, that it would be taken as antagonistic. I'm glad to see that's not the case. I just don't agree with the idea that the problem is choosing your passwords. It was sort of timely to see that diary; this past week, a few people I know were affected by the LinkedIn break-in. They had moderately good passwords (~10 characters with special, numbers, upper and lower). But that password got shared, and the sharing led to disaster.

        The lay person has been told that they'll be okay if they choose a good password and they shouldn't share. But in reality that advice is difficult to follow routinely. Very difficult. Everybody I know falls back on a Word/text document or heavy sharing, in the end. My take is that the key to security for the average user is, take it off their mind. Let the software think about it, make it an automatic thoughtless part of your browsing, and you're much farther along the path to consistent, long term safety.

        I would like to write more security diaries; two factor authentication probably deserves much more attention, as does externalized auth (OpenID/FB Connect/Twitter).

    •  Request: glossary at the start of the diaries. (0+ / 0-)

      I've been involved with computers since '68, with my first programming class. The jargon now reflects the huge growth in the field. Like medicine, even acronyms can have different meanings depending on what specialty you are in.

      There are some terms I know, others I don't. Heck, I was really happy someone asked in another thread the other day what ct means. (Had only seen it a few times and it didn't seem important. :)

      "People, even more than things, have to be restored, renewed, revived, reclaimed and redeemed; never throw out anyone. " Audrey Hepburn "A Beautiful Woman"

      by Ginny in CO on Fri Jul 13, 2012 at 12:07:39 PM PDT

      [ Parent ]

  •  Apropos to the discussion (5+ / 0-)

    The worst passwords you could ever choose exposed by Yahoo Voices hack

    Repeat after me.

    "A password of 'password' isn't actually a password."

    And neither is "123456" or "welcome" or "qwerty" going to prove anything of a challenge to a hacker.

    The fact is that every time password lists are stolen and published on the internet, hackers add them to their own databases for their password crackers to try next time they want to break into an account or crack a hashed password.

    Your passwords need to be unique, and hard-to-crack. That means not using dictionary words anymore, and not imagining that no-one else in the world has thought of "qwertyuiop" or "password1234".

    The typical response from the average internet user is "But how will I remember all these different, complicated passwords?"

    Simple. Use a decent password management program.

    “The probability that we may fail in the struggle ought not to deter us from the support of a cause we believe to be just.” – Abraham Lincoln

    by Sagebrush Bob on Fri Jul 13, 2012 at 05:45:04 AM PDT

  •  Why sweat a password for bullshit like LinkedIn? (4+ / 0-)
    Recommended by:
    DRo, raster44, KateCrashes, Miggles

    What a useless site.
    To paraphrase Jack Donaghy (sp?) on LinkedIn, it's like you're already dead and don't know it.

    I'm the plowman in the valley - with my face full of mud

    by labradog on Fri Jul 13, 2012 at 05:57:28 AM PDT

    •  How long ago did you use it? (0+ / 0-)

      The county workforce center here has all kinds of workshops and seminars on all kinds of ways to get a job. I recently attended one on Linkedin and the instructors (county employees) explained the FUBAR. Which has been addressed.

      The rest of the presentation was impressive. 80% of jobs are not advertised. Given the scanning software that has been developed for HR departments to scan applications and throw out the ones missing certain words without any human reading it, every means of getting your resume where HR people and folks you network with can access it, can be the difference between a job and more job hunting.

      The career specialists there are frequently contacted by someone who found a candidate on Linkedin, the HR folks especially have started using it. This is Jefferson county just west of Denver. Large, lots of people going through multiple workforce centers.

      I was bemoaning not getting on it at least 2 years ago and was told they didn't really get it functional until about 18 months ago. Due to other issues, I am still trying to finish the profile and my situation is difficult, so I will probably have problems.

      "People, even more than things, have to be restored, renewed, revived, reclaimed and redeemed; never throw out anyone. " Audrey Hepburn "A Beautiful Woman"

      by Ginny in CO on Fri Jul 13, 2012 at 11:46:45 AM PDT

      [ Parent ]

  •  How do these password "sites"... (1+ / 0-)
    Recommended by:

    work with multiple devices?

    I've known for years that I'm running a dangerous game with my passwords (although I'm probably a bit better than most, what with using different passwords on different sites), but I don't understand how a cloud based system will work when you're logging on from your work computer, your home computer, your spouse's computer, your smart phone, from your laptop when you're on holiday, and your new tablet that you got as a gift.  Do these password services tackle that issue?

    Good diary.  Thanks for posting it.

    •  We're back to calculated risk (2+ / 0-)
      Recommended by:
      KateCrashes, JanetT in MD

      One thing I maybe didn't cover in enough detail is, what exactly are we protecting against? If you're a criminal trying to hide from the FBI who might seize your computers, none of this will work. If your estranged ex-spouse hires a PI to break into your house, none of this will work. I haven't tried to cover the problem of direct physical access to your devices and personalized attacks, because that battlefield is rare and far, far more involved.

      So at some point here, you have to make a calculated assessment: which of my computing devices is able to decrypt my passwords? My iPhone and iPad are able to access LastPass, though it is set to require password re-entry. That's my only line of defense if the device is stolen or lost. (Well, that and iCloud's remote lock.) My office machine at work is able to get into LastPass, as is my laptop. My defenses are not designed to resist direct local assault. They're only meant to resist robotic attack by a Russian hacker who breaks some website where I have a user account.

      LastPass has a reasonable number of options -- two factor authentication, required password re-entry, etc are reasonable buffers against casual attempts to get into my stuff directly. But I'm definitely not laid out for war on home turf.

    •  That's The Whole Point Of A Cloud-Based System (0+ / 0-)

      If something is in the cloud, you can get to it from anywhere that has net access. There might be a speed bump if the service doesn't have a client app for a given machine's operating system, but even then you can log on via browser and access the passwords (you might have to copy-and-paste instead of autofilling in that case).

      The downside is that you can't access stuff in the cloud if you lose net access. Obviously, this isn't an issue for Internet site passwords (if you don't have net access, you can't log onto them anyway), but it's a problem if you also store other data (like application passwords or software reg codes).

      On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

      by stevemb on Fri Jul 13, 2012 at 07:24:29 AM PDT

      [ Parent ]

  •  with a cloud service, (1+ / 0-)
    Recommended by:

    aren't you dependent on their servers being up? If they go down, you can't get in anywhere b/c you don't know your passwords.

    Mitt Romney = Draco Malfoy

    by ubertar on Fri Jul 13, 2012 at 06:34:10 AM PDT

    •  Pretty much. (1+ / 0-)
      Recommended by:

      That's the risk you take with cloud services for anything. LastPass lets you download an offline version of the database to save (which I do periodically), or you can stick with something like KeePass as a strictly local file-based solution, and use Dropbox to handle the sync.

      •  I just tried keepass, and it immediately froze. (1+ / 0-)
        Recommended by:
        Ginny in CO

        It didn't freeze the whole computer, but the program itself froze on first run. So I uninstalled it. I like the idea, but I need something reliable. Does reliable and free exist?

        Mitt Romney = Draco Malfoy

        by ubertar on Fri Jul 13, 2012 at 08:32:32 AM PDT

        [ Parent ]

        •  I wonder what happened? (0+ / 0-)

          I've been using Keepass since the very first version.  Before that I used Password Prompter.  I've never had any problems with either one of the locking up and I use them on Windows, Linux and Android.  Synchronization thru Dropbox is simple and fast.

    •  Not to mention, *YOUR PASSWORDS* are stored (1+ / 0-)
      Recommended by:

      on the cloud service. Do you want all of your passwords off on random disks in some random datacenter? I sure don't.

      Any password app will encrypt your passwords, of course, before sticking them up in "the cloud." Supposedly, at least. Trusting it to actually do so, and with proper encryption, is a security risk that can be avoided.

  •  My husband uses (or is it used?) (3+ / 0-)
    Recommended by:
    tle, 2thanks, DRo

    one of this listed password software, but he couldn't get into his account without being on his computer or having a flash drive or something. My crappy passwords were at least memorable. Of course them some damned hacker got into the supermarket card database and my hotmail account got hacked.

    I hate the password problem. There's no easy answer. Maybe I'll have one of my fingers turned into a flash drive.

    "The object of persecution is persecution. The object of torture is torture. The object of power is power. Now do you begin to understand me?" ~Orwell, "1984"

    by Lily O Lady on Fri Jul 13, 2012 at 06:34:21 AM PDT

    •  It's a legitimate problem (1+ / 0-)
      Recommended by:
      Lily O Lady

      The trouble is this: if it's easy for you to log into an account, it's probably easy for someone else too. If it's difficult, then you don't want to do it and security fails.

      I recommend this software because I find it to be a good balance of the two for common usage. I can access my LastPass account and stored passwords from a few computers that I've authorized. My iPhone also has an app that can get the passwords (they charge me $1/month for this convenience).

      More generally speaking, security researchers have felt that the password approach is fundamentally flawed for decades. Trouble is, no one has come up with a particularly reliable alternative.

      •  Thank you Element 61. My husband (0+ / 0-)

        has gently informed that my comment is (to paraphrase) full of crap. His solution is, if I understand, similar to yours. He mocks my haphazard system of password paper scraps. I appreciate your analysis, especially concerning the problems with passwords in general.

        "The object of persecution is persecution. The object of torture is torture. The object of power is power. Now do you begin to understand me?" ~Orwell, "1984"

        by Lily O Lady on Fri Jul 13, 2012 at 07:32:07 AM PDT

        [ Parent ]

      •  No reason for the supermarket (1+ / 0-)
        Recommended by:

        to have you email and password.  If they require email, give a fake one.  They already track what you eat, what medications you take, and when you shop, why give them more data?

        "When I was an alien, cultures weren't opinions" ~ Kurt Cobain, Territorial Pissings

        by Subterranean on Fri Jul 13, 2012 at 08:46:27 AM PDT

        [ Parent ]

  •  Good advice (2+ / 0-)
    Recommended by:
    CuriousBoston, oortdust

    I used to use passphrases, such as ecltec (economic competition leads to environmental catastrophe), but I now create passwords by banging away randomly on the keyboard, making sure to include a few numbers.  For example, here's one of my (obsolete) passwords:  E7ba8dGy.  Then I store what I typed in a text file.  That means that, if someone gets into my computer, I'm screwed, but I at least try to prevent that.  I'm using the technique of

    Put all your eggs in one basket.  Then watch the basket.

    I am become Man, the destroyer of worlds

    by tle on Fri Jul 13, 2012 at 06:43:15 AM PDT

    •  KeePass is fairly similar and simple (3+ / 0-)
      Recommended by:
      oortdust, KateCrashes, Subterranean

      Instead of a text file, you get a nice little interface, and the passwords are now encrypted instead of in a text file. As long as you don't lose/forget your encryption password, it's practically what you're already doing, just safer.

      •  Just Be Sure To Keep Backups (2+ / 0-)
        Recommended by:
        Element 61, Subterranean

        I have my KeePass database set to autosync with a Dropbox copy. That also keeps everything up to date -- if I add or change a password on one machine, it progagates to the others as soon as I open or save the corresponding password database there.

        On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

        by stevemb on Fri Jul 13, 2012 at 07:27:27 AM PDT

        [ Parent ]

  •  question (0+ / 0-)

    I use Firefox at work.
    At home, my Macbook uses Safari.

    Do I set up duplicate databases for both browsers?

    •  That's Another Advantage Of A Password Manager (1+ / 0-)
      Recommended by:

      If you use a manager that's separate from the browser, you can switch back and forth between browsers and use the same password database (if the manager plays nice with both, which it probably will).

      On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

      by stevemb on Fri Jul 13, 2012 at 07:28:55 AM PDT

      [ Parent ]

      •  Well, I ask because (0+ / 0-)

        when I go to password management sites, they ask which browser to set them for.  That's why I wondered.  If the site obliges me to choose between setting it up in Firefox or Safari, will the browser I don't use still read it?

  •  ok, why does WOW have better security (0+ / 0-)

    then BofA?  I was convinced to purchase an authorization device for World of Warcraft (sync'd random number generator) to protect my account after someone hacked it.
    I remember hardware dongles for various security keys to allow software to run, not to mention the key of having known imbedded security codes in software disks, but all these types of devices have not found their way into any of the financial accounts, why is that?
    why can't I buy extra security for my accounts? hmmmm (thinks of starting a new business)

  •  great information, thanks for posting this! (1+ / 0-)
    Recommended by:

    While I am pretty religious about security and secure passwords (my passwords are always 8+ characters, NEVER spell out dictionary words, and always involve non-alphanumeric characters in them), I've yet to embrace a cloud or app password manager for the same reason I often call close friends and family by dialing manually rather than relying on my address book. I never want to forget the important ones...

    My internet security better half constantly teases me about my method of keeping passwords in a little book - it has lots of other random writings and notes in it too. However, they are written in a short-hand that really only makes sense to me. I am also a developer and may have 50+ passwords to keep track of at any given time.

    He, on the other hand is completely addicted to his password managing software, cannot commit them to memory, and does not even remember the passwords to his own website... ;-)

    Of course, the bottom line is that you are only as secure as the sites you sign up for allow and, as the Linked-in debacle showed, even secure hard to crack passwords are useless if the database can be hacked and exposed. Not salting their passwords was practically criminal, since they do keep financial data on hand for premium customers...

    who doesn't want to wear the ribbon?!?

    by redacted stew on Fri Jul 13, 2012 at 07:16:13 AM PDT

  •  How, in this day and age, can companies still be (1+ / 0-)
    Recommended by:
    Calamity Jean

    so utterly brain-dead as to send out emails crammed with info? I recently rented a storage bin and was told I could get an e-mail reminder of rent due. Sure!....and then it arrived: My name, street address, phone, etc. Why not just include my charge card number for completeness?

    I also have had people handling my security paperwork send me files in the clear--files containing my signature, SSN, etc. This after I painstakingly scanned the printed docs, encrypted them, and CALLED (not e-mailed) with the password. Their carelessness is indefensible, especially when one considers that they're handling classified info. Ay, caramba.

  •  Point taken... (0+ / 0-)

    I will check into those services - sounds like a good idea.

    I have two sets of passwords -

    one for blogs/silly websites which, were they hacked, would be annoying but no big deal.  Every blog I know is one of three passwords.  

    Another scheme I concocted which I can pretty much keep track of for work e-mail, banking, Kos, you know - important stuff - all different but in a pattern ONLY I would know.  It works fairly well.  

    But the online service is tempting.

    The object of persecution is persecution. The object of torture is torture. The object of power is power. --George Orwell

    by jgkojak on Fri Jul 13, 2012 at 07:44:29 AM PDT

  •  hotlisted. thanks. n/t (0+ / 0-)

    "Don't Bet Against Us" - President Barack Obama

    by MRA NY on Fri Jul 13, 2012 at 07:49:13 AM PDT

  •  Passwords are the "Bain" of humanity. . . (1+ / 0-)
    Recommended by:

    . . .If they are so complicated or numerous that you have to write them down, you lose. And I don't care who you are, most humans will not remember all of them, particularly if, as the author says, you must have a unique password for each application. (I exclude software engineers and programmers who actually like that stuff.  My sister is a software engineer and I have to tell you that I do not believe we came from the same womb.)

    You would think that someone would come up with a way to avoid the thirty or so passwords some of us have to carry around.  That some people are forced to spend a good portion of their waking hours thinking about them is huge expenditure of resources. The fact that we have this long thread discussing them is a sure sign of the concept's failure.  

    Paging Bud Fox, paging Bud Fox! Mitt Gekko is waiting for you in Central Park!

    by waztec on Fri Jul 13, 2012 at 07:56:46 AM PDT

  •  I disagree with this diarist. (0+ / 0-)

    Even using a very efficient GPU based cracker, a 7 character pw with upper,lower and number or special symbol (pick 3 out of 4) would take almost 20 hours. 8 characters adds more time to the crack. That's still effective protection.

    (a GPU cracker like Cain and Abel will take almost a year with 7)

    different passwords for each account and password safes are fine for the diligent, but how many of us are..?

    An 8 character password, with three out of four as above is still good protection.

    Way more important: Keep your machines free of malware. Patch your machines automatically. Get rid of Java if it is not needed. Scan your machines once each week with Malwarebytes, a free antimalware tool.

    Re-elect Barack Obama and elect Elizabeth Warren

    by al23 on Fri Jul 13, 2012 at 08:01:51 AM PDT

    •  Two passwords, (not including work) (0+ / 0-)

      are probably sufficient.  One for Dailykos or the newspaper and one, 8 characters minimum, as above, will work for banking sites, etc. and not drive you insane.


      Re-elect Barack Obama and elect Elizabeth Warren

      by al23 on Fri Jul 13, 2012 at 08:16:40 AM PDT

      [ Parent ]

  •  It's all about "easy for YOU to remember"... (0+ / 0-)

    ...but "not so easy to crack."  My friends/colleagues have used the following schemes:

    * Names with numbers between the syllables, e.g. "cin39dy", "Da48vid"  (but NOT your own name!)

    * The "common saying" technique described in an earlier comment, e.g. "A stitch in time saves nine = asits9"

    * Cars they've owned, with the year in the middle, e.g. "fair88mont", "cava86lier"

    Some really BAD schemes, that password hackers are sure to attack and almost certain to defeat:

    * Passwords including the name of the service, e.g. "hotmail39483" or "3948yahoo"

    * Variations on your own name

    * Bible verses, e.g. "john316"

    * Any variations of the word "password" or "login"

    * Any 'common word/name + number', e.g. "kitty49", "caboose483", "cindy40349"

    * Passwords that refer to the specific service, e.g. "email394" for Yahoo/Hotmail or "mypictures99" for Flickr

    No scheme is infallible; even a brute-force attack will eventually break your password(s).  So, the "sweet spot" is a scheme that yields passwords that "take too long to break".  The key points are: don't reuse them, change them fairly frequently (my recommendation?  At least every 180 days), and don't use the same password on multiple sites.  It's really that simple.

    (What scheme do I use?  You're kidding me, right?)

  •  Thanks for the 1Password props! (1+ / 0-)
    Recommended by:
    Ginny in CO

    I'm a website developer myself; with over 90 clients, that means I'm responsible for several thousand passwords--databases, control panel logins, FTP access, email accounts, etc etc.

    1Password is awesome.

    However, for actually generating the passwords, I prefer the free utility called, simply, RPG, since it gives you more control over the password specifications:


    •  That RPG link eventually goes to a site (1+ / 0-)
      Recommended by:

      in German.  Any comparable program for PC since mac died and I had to go to the dark side?  

      It makes a lot of sense to have the generator that can be adapted for what the password requirements and restrictions are.  

      I just love when those are not spelled out until I enter a password and have to redo it because non alphanumeric characters are not allowed. This of course is after I've filled the whole thing, including the confirmation pw, and some actually wipe all the fields. :(

      "People, even more than things, have to be restored, renewed, revived, reclaimed and redeemed; never throw out anyone. " Audrey Hepburn "A Beautiful Woman"

      by Ginny in CO on Fri Jul 13, 2012 at 11:29:57 AM PDT

      [ Parent ]

  •  1Password rocks (0+ / 0-)

    I've been using it for years.  Seamless integration with browsers, and I don't have my passwords stored offsite on the internets.  

    Remember to back up the data file regularly, or you'll be in a world of hurt.

    "When I was an alien, cultures weren't opinions" ~ Kurt Cobain, Territorial Pissings

    by Subterranean on Fri Jul 13, 2012 at 08:15:29 AM PDT

  •  don't use English words (0+ / 0-)

    I'm everyone knows at least a few words in another language.  Start there, then mess with it.

    Recommended by:
    holeworm, certainot

    Remember - the criminal isn't interested in your Hotmail/Yahoo/Gmail account (unless they plan to use it to send spam, which does happen...).  They're far more interested in what OTHER activities you have linked to that email address; they want to get to your online banking, PayPal, online casino accounts, store accounts, etc.  They're looking for a quick way to make money, pull off an identity theft, or obtain merchandise.

    One of the simplest steps you can take to protect your online security/privacy is this:

    1) Establish a "real" email identity.  Use this for banking, credit cards, store accounts...anything that ties into the "real world."

    1a) When setting up accounts with banks/stores/etc., don't use your email address as your username if at all possible.

    2) Establish a "throwaway" email identity.  Use this for blogs, online contests, social networks like Facebook/Twitter/Flickr, etc.

    3) It's best if these two identities exist on different services, e.g. one on Gmail and one on Hotmail.

    4) NEVER, EVER LET THE TWO IDENTITIES MEET.  Don't even "send mail to yourself" between the two identities; keep them completely separate.  Leave no traces connecting the two.

    •  Also, you can use unique suffixes to addresses (0+ / 0-)

      E.g., if you're "", then "" will also go to you. (Not all email services support this.)

      A human looking at the account might figure that out (or attackers might be smart enough to parse those out if they become used widely.) But that lets you have a different email address associated with every site as well.

      So, if a site is compromised, your account info will have that +something stuck in it and not be useful on any other site, as far as automated testing of cracked accounts goes.

  •  Your Age+Initials+Lower Case Letters+Year (0+ / 0-)

    the lower case letters can be context specific, like if its your google account use "g"

    This is a strong password, and it will change over time.

    Also just put them in a text file on your desktop and don't put the word "password" or "ID" anywhere in the file.  it's not a place malware would look like in browser files.

    There’s always free cheddar in a mousetrap, baby

    by bernardpliers on Fri Jul 13, 2012 at 08:55:45 AM PDT

    •  That's not a strong password if I know who you are (0+ / 0-)

      If I did, you basically just gave me the tools to easily break any of your passwords, if I have the encrypted version. Since the only things that need to be guessed are the lower case letters. Brute-forcing a few lowercase letters is trivial.

      It's not a strong password in general, either. Using just letters and numbers is a very bad idea. You need to use the full range of characters available.

      •  No Code Is Strong If Someone Tells You The Key (0+ / 0-)

        My favorite goof in "Watchmen" was when then break into the computer of Ozymandius (the smartest man in the world) because the password is the title of the book on his desk.

        Wouldn't the smartest man in the world be using the natural log of pi or something? He can't remember a password?

        There’s always free cheddar in a mousetrap, baby

        by bernardpliers on Fri Jul 13, 2012 at 01:34:00 PM PDT

        [ Parent ]

        •  You don't even need the key. (0+ / 0-)

          If I happen to have your password in unencrypted form and just know your name, the format can be deduced from that. (Including an age and year could make it even easier to deduce the format, say if I got your password twice, a year apart. The two parts with numbers that just increment by 1 would be obvious.)

          Saying that this is a "strong password" is fallacious. Incorporating personal data, especially simple things like dates, initials, etc, just makes it even easier for a potential attacker. Using basic "seed" information that changes yearly on a fixed schedule is not secure.

          And putting it in a file on your desktop? That part's fine, but I hope you're encrypting that file. Why wouldn't malware look there? Malware certainly has the ability to scan for things that look like logins, etc. You shouldn't assume that malware won't do, well, basically anything.

          Sorry if I come off harsh, but these are NOT good password measures that you are suggesting. Having your own "code" to generate a password is fine and all (I do that myself for some unimportant sites), but that doesn't make the password strong. In this case, your described method generates very weak passwords.

          ...and the smartest man in the world would be using lengthy random strings. :) ln(π) is actually bad since it's not random at all! (Yeah, I hate seeing passwords being "hacked" in movies too, especially when it's just stupid guessing or someone implausibly writing it down, or whatever.)

  •  Random is absolutely best , however... (0+ / 0-)

    it's hard enough to get people to not just use their spouse's birthday or cat's name or whatever.

    Long phrases with junk inserted into them (and yes, not those simple substitutions as you point out), are much better than "bob99" or whatever. They might not be the MOST secure passwords, but they're easier to handle than random strings for average users.

    I use a combination of simple passwords and random ones myself. (More complex than "bob99", but not long phrases.) Unimportant sites get simpler passwords. Important sites get longer fully-randomized passwords as you mention.

    (And yeah, don't do simple "obvious" substitution. Symbols are good. Using them for substitution is not good.)

    Telling the average user to use "9#S!P3FW@b4X^5Bw6CF!$zu@qq&A&v" and a password manager is problematic, even if it's absolutely what everyone should be doing. In the interim, if people ARE still remembering passwords, at least we can help them remember better passwords.

  •  XKCD (0+ / 0-)
    I think the ever popular XKCD comic about passwords is horrifically misleading.
    How come?

    Absolute power corrupts absolutely.

    by Buckeye Hamburger on Fri Jul 13, 2012 at 09:09:58 AM PDT

    •  Dictionary words (0+ / 0-)

      If I use a particular hash to secure passwords (encryption), then the first attempt to crack passwords is to encrypt dictionary word and compare those characters to the characters in a password.  So, if $$2355gh is the encrypted equivalent of "horse", my cracker will see that sequence within your encrypted password.  So, I'll keep adding other words until I have the entire sequence.

      "Sometimes paranoia's just having all the facts." William S. Burroughs

      by SaltWaterCroc on Fri Jul 13, 2012 at 09:49:40 AM PDT

      [ Parent ]

      •  Whoa, missing the point! (0+ / 0-)
        So, I'll keep adding other words until I have the entire sequence.
        ... and if I have enough words in the passphrase, then "keep adding other words" becomes computationally infeasible.

        XKCD/Randall suggests that there are 11 bits of entropy in a randomly chosen common word, i.e. that a dictionary of common words has about 2^11 entries. Probably about right, maybe give or take a bit or two. Adding words to the passphrase adds the entropy, as long as each word is truly chosen at random. So, following XKCD, a four-word passphrase has 44 bits of entropy, and on his calculation, the breezy remark "I'll keep adding other words" means that you'll have to muster 550 years of computing effort. He could be off, of course, maybe you can get it done ten times as fast; so what.

        I quite agree with the diary about using an encrypted database of passwords, but then the database has to be protected with a strong passphrase, and sensitive applications will need to have strong passwords stored in the database. For my own password database, I use a passphrase composed of seven words randomly chosen from a list (I made up my own version of a Diceware list, for six dice instead of five, and rolled dice; yes, for something like this, I really am that anal). So the passphrase is provably worth about 126 bits of entropy; I defy you to break that with a dictionary attack.

        I think XKCD is right, we can make our lives vastly simpler with passphrases that are fairly easy to remember but long enough to eliminate brute force as a threat. We still need password databases nevertheless, as the diary argues, to be able to use different passwords everywhere; XKCD's method (which is really just like Diceware) is a good guide for a passphrase to protect the database.

        Absolute power corrupts absolutely.

        by Buckeye Hamburger on Sat Jul 14, 2012 at 04:59:36 AM PDT

        [ Parent ]

  •  My work domain password (2+ / 0-)
    Recommended by:
    darlalalala, mskitty

    has to be 14 characters long, at minimum.  I find this so frustrating I've taken to making the password out of what I would like to tell our sysadmin about it.

    E.g. (an expired password): "ThisIsAnnoying!"

    Maybe not super secure but easy to remember.

    Barack Obama is not a secret socialist class warrior who wants to redistribute wealth in America. But I'll still vote for him, anyway.

    by looty on Fri Jul 13, 2012 at 09:11:10 AM PDT

  •  I use Lastpass. However, here is an alternative: (0+ / 0-)

    I used to make up password phrases for each financial site and put mnemonics in the names of files containing random garbage.

    An even better idea is to use pictures as mnemonics- for example, if your password for your bank is "MydogSpot" take a picture of Spot and name the file Banksy. Someone who found the file would first think that it is a picture of your dog "Banksy" and even if he figured out it was the password for your bank he would have to know your dog's real name.

  •  For extra security, keep your password DB (0+ / 0-)

    ...on an encrypted disk.

    This reduces the risk of your system being compromised in general, of course. (And makes it useless to any thief.)

    Modern systems can encrypt and decrypt fast enough that it's reasonable to turn on whole-disk encryption if your system isn't more than a few years old. I'd expect to see it become default with some OSes in the future.

    For now, just enable it yourself. :) (And if you do, don't forget to make sure your backups are encrypted as well!)

    On Macs, you can encrypt your disk from Preferences->Security. Microsoft has something called BitLocker. If you want something with even more features, TrueCrypt is popular.

    Oh, and never enable remote access (screen sharing, ssh, etc) to that machine with the remote're just asking for trouble. Even enabling file or printer sharing might be a bad idea.

  •  What about the OS/X Keychain app? (2+ / 0-)
    Recommended by:
    holeworm, Miggles

    I'm curious about this. It seems like a reasonably good idea. Perhaps there is an application that uses the Keychain to store automatically generated passwords/passphrases? That would be useful.

    Another thing: what about sites that restrict the character set allowed for passwords? Many disallow spaces, for example; I've seen some that disallow all punctuation, or just some punctuation. Those surely must make the job of automating passwords more complicated.

    •  Oh, and what about passphrases? (1+ / 0-)
      Recommended by:

      For a long time now, I've been using a program I wrote to look up words randomly in dict/words and put them together with punctuation, like:

      The set is constrained to use upper and lower case, and to insert either a digit or a punctuation mark between the words.

      The other kind of passphrase I have used is to randomly select a line from a randomly chose book on my shelf. For example:

      you can think of many more. The result looks a bit like listing 12.9. I say a bit, because I did not
      How are those in terms of crackability, compared to unreadable random gobbledygook?
      •  I would consider most to be fairly strong... (0+ / 0-)

        As far as "phrase"-type passwords go, those are much better than some of the other suggestions I've seen. The chances of something like "Delia4cand:jink" or "Mason;gobi=cly" being cracked are essentially zero. So, those are good!

        I'd be a little more careful with something like "Egypt9Jam3conk", though. That's probably safe, but maybe modify your program to only generate passwords that have at least 1 or 2 non-alphanumerics in them, or something like that?

        Another easy way you could add entropy is by having your program randomly set the case of each letter, so things turn into random mixed case.

        At that point you might be better off just generating random stuff though. :) (I do similar, and have a script to generate my random passwords.)

        The problem with something like "you can think of many more. The result looks a bit like listing 12.9. I say a bit, because I did not" is that it may be truncated. (Some sites may only use 8 - 16 characters or so, even if you enter more. Test by entering a very long password with the last letter removed, and see if it still works.) So it could very well be hashed as just "you can think of" or something like that.

    •  Safari actually stores site passes in the Keychain (0+ / 0-)

      I think Chrome does as well, not sure about Firefox.

      The Keychain is encrypted with your login password as well, so it's a reasonably secure place to store information. (But again, relying on a single level of closed-source software for encryption is best avoided.)

      You can actually store random data in the Keychain, even; it comes with a section for "Secure Notes." Try it yourself, just open "Keychain Access" (which should be in /Applications/Utilities) and poke around.

  •  I would NEVER store my passwords in "the cloud" (0+ / 0-)

    As you point out, large companies like LinkedIn (who one would assume to have some sort of security auditing in place) still manage to mess up crap like they did.

    Do you really trust the maker of a password manager to properly encrypt, store, and exchange your passwords?

    Do you really trust them not to pull a massive fail and have their ENTIRE customer database compromised? It's bad enough when that happens with one password, it's far worse if it happens to ALL of your passwords.

    And with LastPass, it's closed-source and unauditable. At least the open-source suggestions are auditable. (Although that's less of an issue if it's just storing passwords locally, I'd say.) So I have no way to know just what they're doing in there.

    I'd recommend any of the open-source password managers. I've heard good things about 1Password too, but I would only trust its local storage functionality, not its cloud options.

    Is this a problem if you want to sync passwords across devices? Sure, but using the cloud to solve this problem doesn't seem like a very good idea.

    (Of course, remember to back up, keep a copy of that encrypted backup, or at least the most important stuff like passwords, on a USB key elsewhere or whatever, etc, etc.)

    •  Pick what you're willing to risk. (0+ / 0-)

      I could easily write up a text document or Excel sheet or something with passwords, drop it into a TrueCrypt container, and sync it with Dropbox or Spideroak. It would be objectively safer than using LastPass. But LP provides conveniences I value and encourages me to be secure consistently, 100% of the time. I value that, and I'm educated enough as a software engineer to be generally content with LastPass' implementation. It's extremely safe IF they've done the job in the way they describe.

      Your criticisms are valid, and I weighed the risks and made my choice. But I also provided four options for password databases, several of them built ENTIRELY on local files with no cloud or remote services. It's calculated risk balanced against desired convenience.

      •  Isn't there something to the joke (1+ / 0-)
        Recommended by:

        About the two guys on the savanna?  You know, the lion starts chasing them and one guys stops to put on running shoes.  The one says "you fool, you can't outrun that lion!". The other says. "I don't have to, I just have to outrun you"

        Presumably there are enough easy identities to crack that being a harder one makes you safer

        Courtesy Kos. Trying to call on the better angels of our nature.

        by Mindful Nature on Fri Jul 13, 2012 at 07:07:07 PM PDT

        [ Parent ]

  •  A shout out to Oplop, and a call of Bullshit (0+ / 0-)

    Generates random passwords, based on a master. All client-side, so there's nothing for hackers to steal.

    That said, your claim that "[ 0bfuscating 0ffisaur ]" isn't secure is uninformed. It's not dictionary crackable, using any approach I'm familiar with, and would require 137,631,662,444,739,620,180,985,657,505,119,541,518,410,760
    guesses with brute forcing.

    At one hundred trillion guesses per second, it would take:
    4.38 hundred million trillion centuries
    to crack.


    The President is what we have instead of genuine politics, instead of genuine democracy.

    by Passive on Fri Jul 13, 2012 at 09:41:56 AM PDT

    •  no one guesses (0+ / 0-)

      they crack the database and steal hundreds of thousands at a time.

      Bad is never good until worse happens

      by dark daze on Fri Jul 13, 2012 at 11:08:41 AM PDT

      [ Parent ]

    •  Assuming a victim didn't simply store it plaintext (0+ / 0-)

      Hash-attack systems are constantly improving, GPUs are getting faster, and I may only need to generate a collision rather than find the original password.

      Or maybe the website actually stores passwords plaintext. It happens. I've seen it.

      That is why the variety of the passwords is much more important than the actual password for any non-trivial case.

  •  As a security geek.... (2+ / 0-)
    Recommended by:
    Lisa Lockwood, Miggles

    I have worked with password crackers for years, and someday I'll do psych profiles on people and the passwords they choose (if that is a girl's name, and it isn't his wife or daughter's, whose is it?).

    I break my web sites down as follows: social (LinkedIn, Facebook, etc), shopping (Amazon, etc), financial (banks, 401(k)), and news (dKos, other papers).  First, the great thing about the web is identity - thanks to hundreds of sites, you can have multiple identities and emails all forward back to an Outlook or other client.  Never, ever use the same identity across groups (what you are on news sites should never be your identity on social sites).  And only use your true identity when you have to.  First, it makes it easy for hackers.  Second, it makes it easy for background checks (and more than social media is included in a lot of those checks).  

    I can use the same, fairly complex password for media sites and for social sites; only the ID changes.  Who is going to try and associate the password for Bob11 with Sam32 on a different site?  And do I care if my LinkedIn password is hacked, since that identity only exists on a few web sites?  And folks can post as me on the Dallas Times Herald to their heart's content, because it isn't me, just another identity.

    For financial and medical sites, I change my password every quarter.  It doesn't have to be very complex, just something I can remember.  For shopping sites, separate identity and password changes every 6 months.  The only time I didn't do this, I ran into an issue with PayPal.  Live and learn (and learn something new every day).  

    I have avoided being hacked (except once) for many years using these simple rules.  On the web, no one should know who you are.  If they do, get a new identity.  Unlike Voter ID, these identities are easy to acquire, fun, and safe.  Get an email address for those identities, and you can see which sites are selling your information and cut them off pretty quick.  Hope this helps.

    "Sometimes paranoia's just having all the facts." William S. Burroughs

    by SaltWaterCroc on Fri Jul 13, 2012 at 09:42:27 AM PDT

    •  and one other thing on email... (0+ / 0-)

      Although this should be obvious, email should not contain any identity information either, even on financial sites.  firstname.lastname at is a very, very bad idea.

      "Sometimes paranoia's just having all the facts." William S. Burroughs

      by SaltWaterCroc on Fri Jul 13, 2012 at 09:45:50 AM PDT

      [ Parent ]

  •  how about a password of: (0+ / 0-)


    that's right, when someone asks you the password, tell them "the password is a secret"

    "A recent study reveals Americans' heads are larger than they were 150 years ago but sadly there is no indication that the extra room is used for anything." - entlord

    by AlyoshaKaramazov on Fri Jul 13, 2012 at 10:15:19 AM PDT

  •  Do these softwares... (0+ / 0-)

    ...come with Android (or iPhone) apps? I would hate to try tippy tap typing "9#S!P3FW@b4X^5Bw6CF!$zu@qq&A&v" out on my phone when I change my Facebook password.

    May 9, 2012 - Evolution Day

    by cooper888 on Fri Jul 13, 2012 at 10:24:45 AM PDT

  •  Excellent advice (0+ / 0-)

    I end up writing something like this on various forums every 6 months or so when someone's information is compromised. Sure, it's a bit of a hassle to set up initially. It requires some time investment to get the program set up (I use Password Depot myself) but once it's done... it's done. Generating complex passwords and having them stored/inputted automatically only takes a few seconds and provides exponentially better security.

    And of course when one of your favorite websites is compromised, you only have to change one password on one website instead of that one password you used for everything on dozens of sites.

    Some say we need a third party. I wish we had a second party. -- Jim Hightower

    by joe m on Fri Jul 13, 2012 at 10:57:13 AM PDT

  •  LassPass? (0+ / 0-)

    What?  Put all your passwords in the cloud in one place with convenient information about what accounts they apply to?  That's seems crazy to me.

  •  but as you say (0+ / 0-)

    the real thieves are out there cracking the database, so even using these software and their crazy passwords are of little use.  They steal 400,000 passwords doesnt matter , copy and paste doesnt care about non nonsensical alphanumerics.

    Now sure you should try to avoid using the same password on more than one site but beyond that these softwares offer little extra protection.

    Real criminals arent out there trying to crack one password at a time.  They are going after the databases, and we the little guy have very little to do with defending them.

    I always tell people use ONE credit card and one credit card only for ALL your internet purchases. That way its easy to track and easy to fix things if your card number is stolen or account compromised.
     Never ever use your debit card on the internet..ever.  They could wipe out your account and cause all sorts of havoc in your life.

    I see many banks have better safety than most sites, my bank site you have one chance to enter your password, you enter wrong, its locked for 24 hours,  you have to call to get info.

    anyway, database security needs to be upgraded, its 2012 and we are still suing the most basic user name/password stuff.

    Bad is never good until worse happens

    by dark daze on Fri Jul 13, 2012 at 11:06:11 AM PDT

  •  Two levels would help.... (0+ / 0-)

    ... if your Last Pass password app on your PC were to require another level of security, perhaps having to enter a number from one of those Security Dongles like World of Warcraft players have employed to stop account theft, on your desk, whenever it is called upon to produce a password.

    The key thing for nationwide computer security is to come up with something that is solid and uniform and available to all citizens. We all all hurt not just by our own malfeasance, but also that of others who can compromise systems we are assuming are secure.

    It is something mankind is going to have to tackle considering we will only be getting more and more dependent on technology and communications into the future.

  •  I'm an IT security expert, and... (2+ / 0-)
    Recommended by:
    CalvinV, certainot

    There is a lot of good advice here.  However, things are not as bleak as they seem.  

    For example, any reasonably secure site like a bank, a retirement account, or even gmail, will not allow you to try 823 trillion password attempts.  In fact, after even a few bad attempts the account will be locked, either permanently or for a few minutes.  

    So actually if you use a "reasonably" secure password, and a different one at each site, you can reasonably assume that nobody can hack into your financial or important accounts, even though you are not using military grade passwords.

    So for most people a "typable" password using letters and numbers, is secure as long as you use a different one of each site.

    Now the bad news is, increasingly, hackers don't have to try 823 trillion passwords.  They just make sure your computer has a virus, which transmits your passwords as you type them to a third world country. :-(

    •  No, but a computer will allow you to, on hashes (0+ / 0-)

      The case is if you have the hashed password file from the site in question.

      That's what the diarist is talking about when referring to "testing" 823 trillion passwords. Brute-forcing against a hashed password file, to try to determine the cleartext.

      Not trying to log into a site 823 trillion times...

    •  Well, at first I thought like you did (0+ / 0-)

      but then I read the original thread again and it assumes that your enscripted password has already been known (by a radio packet sniffer at a local Starbuck, say) and the descripter program just tries all the combos on the home PC until it hits one that produces the same enscripted password. Then that person only needs to type it in once to access your bank account.

      You're right that almost all sites will lock you out after a few attempts though.

      About the keylogger virus I have an amusing story to tell. I bought an Acer laptop for my 9-year-old daughter. One day, her laptop suddenly stopped working when doing certain things (i.e. did not fail all the time). When it failed all keyboard entries got mapped to sequential digits 1234567890123.....

      Even my PC repair shop had no idea what happened then I googled and found that all Acer laptops of the same model failed on the same day after a Microsoft update.

      It turned out for that particular model, Acer had a factory-installed security program which was supposed to prevent the keylogger viruses. After the automated Microsoft update, the program didn't work any more and I guess it scrambled the keyboard entries for the wrong reason. Fixed the problem by uninstalling it :).

      •  To clarify, you wouldn't be trying this against (0+ / 0-)

        passwords that you caught off a wireless network. Trying to decode SSL streams and the like is a separate issue, and a potential concern in its own right... Most passwords pulled off wireless networks are just ones sent in cleartext, with no encryption.

        (You don't need any special hardware to do that by the way; no special packet sniffer radio. Most wireless chipsets can be configured to sniff unencrypted traffic.)

        The case given is that the hashed passwords are known, such as by breaking into a site and stealing their database contents; e.g., as happened with LinkedIn in the example used.

        By the way, just to be a pain and nitpick at the terminology: the passwords are referred to as hashed, and not as encrypted, because you can't reverse the function to get the original data back, like you can with encryption. So you have to use various attacks to figure out what that original data was. Sometimes this does just involve trying lots of combinations, sometimes there's a flaw in the encryption itself. (In the case of LinkedIn, they made a major mistake that still required the passwords to be cracked, but made it require MUCH less computing power to do so.)

  •  I was just inspired to write a program (0+ / 0-)

    I recently had to choose some new passwords for different websites, but this diary got me thinking why I can't just create a password-making command on the Mac.

    I just hobbled together a 36-line script that I can run as a command from the terminal like so:

    % passy bank
    seed:  **
    Or if I want to specify the type of password
    % passy gmail ud
    seed:  **
    ...where the type is any subset of "ulds" (uppercase, lowercase, digit and special characters, ulds is the default).  That way if a site doesn't want special characters I can just use uld instead.  I can also add a 3rd argument for the length.

    The program then asks me for a central password, and makes a long enough SHA1 hash of the label, password and salt, converting it to the password alphabet with a simple base-n conversion.

    The downside is that I must remember the labels I use for my bank/mail/whatever.  It also doesn't let me log in on someone else's computer unless I have my passy with me, although I can probably put the code online to copy and paste if I'm using a Mac.

    The upside is that there's no service needed, and I need only trust a short program I wrote (that's probably a downside too.)

    What I should do next is find a way to translate these suckers into mnemonics, so that if absolutely necessary I can train myself to remember the 15-character monstrosity I just generated.

    My head says "No" but my heart says "Yes". And then my liver says "What?" and my butt's all like "Farrrrrrt" --jbou

    by Caj on Fri Jul 13, 2012 at 02:05:58 PM PDT

  •  hey thanks for the tip (0+ / 0-)

    started using "lastpass" (you might correct the spelling in your link tag). Goodstuff! I hate fiddling with passwords and I think for now at least I will be able to remember at least one good one....

  •  how do you handle shared passwords? (0+ / 0-)

    any good strategies for admins that are shared?

  •  Questions - (0+ / 0-)

    I use a laptop, a tablet and a smartphone. At home, these all are connected using secure wi-fi. Away from home, most likely I will use the smartphone, or the tablet tethered to my smartphone.

    I'd like to use KeyPass. How this (or other programs you suggested) app work for all my devices: do I need to download it on my laptop only, or do I need to download it on each device?

    If the first option: how are the passwords synchronized? Example- using the tablet away from home, I subscribed to a website that requires user credentials - What do I need to do to update other devices?

    If I need to download the app in to each device, how do I keep the pwds in sync for all devices?


    I stand by what I said, whatever it was

    by duende on Sat Jul 14, 2012 at 04:18:08 AM PDT

    •  It just saves a file, synchronization is on you (0+ / 0-)

      Dropbox is a popular way to store the database, since it doubles as sync and backup. Dropbox itself is not a particularly secure service, but as long as your KeePass file is protected with a good password it should be fine.

deminva, Pat K California, Renee, paradox, Sylv, vicki, dwellscho, Sean Robertson, Upper West, Ray Radlein, saugatojas, Brainwrap, jam, melo, kenboy, native, Geenius at Wrok, BigOkie, Bob Love, Andrew C White, chuco35, Creosote, joe m, nyceve, whenwego, Agathena, CalvinV, stevej, jaysunb, mkfarkus, slouching, oceanview, Bill Roberts, askyron, RLF, tomephil, kharma, psnyder, sockpuppet, NYC Sophia, johanus, NYFM, DSC on the Plateau, kalmoth, Kalil, KateCrashes, side pocket, TexasLefty, rmx2630, sebastianguy99, mm201, oortdust, sawgrass727, Skennet Boch, G2geek, lavaughn, bloomer 101, rini, greycat, Unit Zero, el dorado gal, blueyedace2, qofdisks, JanetT in MD, subtropolis, democracy inaction, OpherGopher, basquebob, GreyHawk, ladybug53, stevemb, BayAreaKen, Ozymandius, ord avg guy, kaliope, Ginny in CO, Lisa Lockwood, sillia, rhonstet, duckhunter, KenBee, SarekOfVulcan, twigg, gpoutney, bubbanomics, Sagebrush Bob, BlueMississippi, bumbi, Clive all hat no horse Rodeo, AntKat, Thinking Fella, tegrat, tonyfv, out of left field, BeninSC, byDesign, FWIW, ksp, linkage, aravir, jds1978, terabytes, bnasley, Seneca Doane, Librarianmom, homerun, Assaf, gizmo59, Palafox, weegeeone, bill warnick, FG, skohayes, filby, treesrock, Sharon Wraight, Lujane, triplepoint, catly, statsone, Miz Trom, Rhysling, Ran3dy, rubyclaire, J M F, Rick Aucoin, cantelow, petral, Denise Oliver Velez, Keith Pickering, 57andFemale, citisven, chambord, Broke And Unemployed, The Jester, klompendanser, CayceP, anonevent, bradams, Yasuragi, nickrud, Betty Pinson, MsGrin, boguseconomist, tgrshark13, annieli, praying manatheist, redlum jak, Dretutz, henrythefifth, anyname, FarWestGirl, marleycat, AgavePup, Wolf10, redacted stew, MRA NY, PhilJD, dibsa, poliwrangler, Andrew F Cockburn, Miggles, DRo, IowaBiologist, anodnhajo, leathersmith, dance you monster, 2thanks, peachcreek, belinda ridgewood, radical simplicity, Buckeye54, OllieGarkey, Brown Thrasher, mumtaznepal, Robynhood too, The Geogre, ForestLake, nomandates, countwebb, holeworm, MarEng, QDMacaw, Demeter Rising

Subscribe or Donate to support Daily Kos.

Click here for the mobile view of the site