Thread Author: No FM2R Replies: 37

 Passwords - No FM2R

There are some important things to remember about passwords:

1) You should use different passwords for everything. That way, if anybody ever gets into one, that doesn't mean that they can get into everything.

2) The recovery e-mail address should be one that people will not know. For example, create an e-mail address of recovery_fm2r@whatever.com and then never use it to e-mail anyone.

3) The longer your password, the more secure your password. "passwordpasswordpassword" is more secure than "^&df%$*"

4) Nothing guessable. (dog name, house name etc. etc.)

Bearing all that in mind, may I recommend a look at Lastpass. Lastpass, for all the functionality you'll ever need, is free.

The principle is this:

Lastpass is basically a username/password repository, although it does have further functionality.

Lastpass itself is password protected and resides on your own computer.

Anytime you type in a username/password it will offer to remember it for you.

If yes, it will encrypt it and keep it behind your lastpass password.

If you exit your browser, then lastpass exits.

You can use long, difficult passwords for each account that will fool all but the most determined attacks, but never need to type them yourself.

Any attack usually resides around grabbing a password file from somewhere, like that games site recently, and then using it to hack other accounts that person may have. They will not have access to your computer, or your password repository, so you can have the most unique and complex passwords ever without having to remember them or type them.

There is only one downside: if you go to access an account from a machine other than your own, you'll need to remember your password yourself. Although there is functionality to work around that as well.

I use it, love it, and think it makes my information and life much more secure. I have no other contact or relationship with the company.
 Passwords - Mike H
Mmmm, is this genuine? Loads of typos make me wonder........
 Passwords - No FM2R
What do you meen? I neevr maek tpyos.

Seriously though, whilst it is certainly full of typos, pretty much everything I write always is. I'm a lousy but fast typist who never reviews what I've written.
Last edited by: No FM2R on Wed 15 Aug 12 at 21:37
 Passwords - Focusless
Lastpass website: lastpass.com/

Might give it a go.
 Passwords - Mike H
Fair enough. Just sounded like a hacked account full of Chinese advertising blurb pushing a product.
Last edited by: Mike H on Wed 15 Aug 12 at 21:47
 Passwords - No FM2R
>>Chinese advertising blurb

I am hurt!! I know my typing is bad, but that's outrageous!

Swine.
 Passwords - Mike H
>> >>Chinese advertising blurb
>>
>> I am hurt!! I know my typing is bad, but that's outrageous!
>>
>> Swine.
>>
Perhaps you need to change your writing style :-)
 Passwords - Iffy
...Chinese advertising blurb...

Careful when mentioning Chinese - the last person on here who did that didn't get away with it. :)

 Passwords - No FM2R
>>Perhaps you need to change your writing style :-)

Perhaps, it does tend to be an unreviewed stream of consciousness.
 Passwords - Iffy
I believe this does something similar:

www.roboform.com/

I don't know anything about it, but my middle computer-savvy brother has used it for years and reckons it's good.

 Passwords - scousehonda
"If you exit your browser, then lastpass exits."

Not on my copy. But I still rate it as very good.
 Passwords - No FM2R
It does on mine, and I think it's configurable.
 Passwords - No FM2R
Preferences
General
Logoff when Browser logged off
 Passwords - SteelSpark
>> 3) The longer your password, the more secure our password. "passwordpasswordpassword" is more secure than
>> "^&df%$*"

Generally speaking a longer password is more secure, but the example given is a poor one, as using 3 dictionary words rather than a smaller number of random characters makes a dictionary attack easier.

As an indication, I was quickly able to find the pre-computed SHA-1 hash for "passwordpasswordpassword" and "turtleturtleturtle" online, but not "^&df%$*".

So, yes, make your password long, but avoid too much reliance on dictionary words.

As for LastPass, it's a handy tool, but I wouldn't put very important passwords into it. It is closed source, so its security is not open to scrutiny and they have already had at least one attack on their servers, after which they could not confirm that passwords hadn't been compromised.

Being a potential goldmine of passwords, they will no doubt be attacked again.


Last edited by: SteelSpark on Wed 15 Aug 12 at 23:29
 Passwords - No FM2R
However, a dictionary attack will look for "password". It will be a long time before it gets to "passwordpassword".

Don't forget, the majority of password attacks are not on a specific user. They normally involve snaffling an encrypted password file from somewhere, copying it remotely and then blasting it at your leisure.

In that situation the winner is the one who lasts the longest. And passwordpasswordpassword will last a very long time. Clearly though a combination of long and obscure will last the longest.

However, it seems that people put too much stock in having an obscure password and then making it short. A brute force attack on a snaffled password file will have a 6 character password in seconds.

 Passwords - SteelSpark
>> However, a dictionary attack will look for "password". It will be a long time before
>> it gets to "passwordpassword".

No, it probably won't take a long time. A dictionary attack will focus initially on commonly used words. The average vocabulary is about 8000 words.

>> Don't forget, the majority of password attacks are not on a specific user. They normally
>> involve snaffling an encrypted password file from somewhere, copying it remotely and then blasting it
>> at your leisure.

An encrypted file will typically be attacked first using rainbow tables. As I mentioned I could find the SHA-1 hash for "passwordpasswordpassword" very easily, so I could break your password immediately, because it has already been pre-computed.

>> In that situation the winner is the one who lasts the longest. And passwordpasswordpassword will
>> last a very long time. Clearly though a combination of long and obscure will last
>> the longest.

As I mentioned above, it is already pre-computed and available online, so no it probably wouldn't (depending upon whether the passwords are salted).

Assuming a dictionary of 8000 common words (which is probably too big), then "passwordpasswordpassword" gives you 8000 ^ 3 combinations (512 billion).

There are about 66 characters on a standard keyboard, so a 7 character password would be 66^7 (about 5 trillion). If you include uppercase and lowercase letters, that goes to around 92^7, which I reckon is about 55 trillion combinations.
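As an added illustration of the keyspace arithmetic in this post and the salting caveat mentioned in the reply above (example code written for this page, not from anyone in the thread), the following Python computes the three candidate spaces being argued over and shows why a random per-user salt makes a precomputed hash table useless. The 8000-word vocabulary and the 66- and 92-symbol alphabets are the thread's own assumptions, not measurements.

```python
import hashlib
import math
import os

# Models taken from the discussion above (assumptions, not measurements):
# an 8000-word "common vocabulary", and keyboard alphabets of 66 and 92 symbols.
DICTIONARY_WORDS = 8000
KEYBOARD_66 = 66
KEYBOARD_92 = 92


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search has to cover."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity in log2 bits, the unit most strength meters report."""
    return length * math.log2(alphabet_size)


def compare_models() -> dict:
    """Candidate counts for the three password shapes argued over in the thread."""
    return {
        "three_words_8000": keyspace(DICTIONARY_WORDS, 3),   # 512 billion
        "seven_chars_66": keyspace(KEYBOARD_66, 7),          # about 5.5 trillion
        "seven_chars_92": keyspace(KEYBOARD_92, 7),          # about 55.8 trillion
    }


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1: the same password always maps to the same digest, so a
    table computed in advance turns the digest straight back into the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): a random per-user salt means
    no table can be built ahead of time, and the iteration count caps how many
    guesses per second an attacker gets out of each core."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def precomputation_helps(password: str) -> tuple:
    """(unsalted digests match, salted digests match) for one password stored
    by two different users: the first is True, the second False."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return (
        unsalted_sha1(password) == unsalted_sha1(password),
        salted_hash(password, salt_a) == salted_hash(password, salt_b),
    )


if __name__ == "__main__":
    for name, size in compare_models().items():
        print(f"{name:18s} {size:>20,d} candidates ({entropy_bits(1, 1):.0f})")
    print(precomputation_helps("passwordpasswordpassword"))
```

Note that the candidate count is only the worst case for an attacker who must try every string; the strength-meter links later in the thread rank guesses by likelihood, which is why three common words fall far sooner than 512 billion tries would suggest.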


 Passwords - No FM2R
True, but you are considering the situation where all the effort is put against one password. That's not what typically happens. More usual is that an entire file of goodness knows how many passwords is attacked at the same time.

So let us assume that all passwords had only the character "1". "1111" would be cracked before "11111". And "111111111111111111111" would be ages later.

Consequently, whilst passwordpasswordpassword would be cracked before "£$%$" if it were the only password being attacked, it would be cracked much later in an automated attack since the number of characters would protect it.

Because the program would assume a range of characters possible for each unit of the password. Let us assume that it was just the 26 lowercase. It would try every combination for 6 character passwords, then 7 character passwords etc. etc.

For it to attack passwordpasswordpassword before a 6 character password it would be taking the wild stab that there is more likely to be success with multiple dictionary words than there would be with a shorter random word. That would be 512 billion wild ass guesses. Which is just not the approach taken for a mass attack, although it may very well be for a targeted attack.

And in any case, the point is that obscure is insufficient. You should aim for obscure, long and different for every account. And each account should have a different recovery email account. Which you can use Google for, as just one example, since you are entitled to many sub-accounts which will all route to your main account.
 Passwords - SteelSpark
>> For it to attack passwordpasswordpassword before a 6 character password it would be taking the
>> wild stab that there is more likely to be success with multiple dictionary words than
>> there would be with a shorter random word. That would be 512 billion wild ass
>> guesses. Which is just not the approach taken for a mass attack, although it may
>> very well be for a targeted attack.

The problem with this theory is that it assumes that a longer password is encrypted to a longer hash, so that the cracking program could choose to attack the shorter passwords first.

If the passwords are hashed, then all of those hashes will be the same length, so you will not be able to tell which original password is shorter.

You might want to have a look at the website I linked to in my reply below. It suggests that, the combinations required to hit "passwordpasswordpassword" are actually very small.

This is probably because the most common used words are a much smaller subset of the usual 8000 word vocabulary.
 Passwords - SteelSpark
You might also find this interesting.

nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/

passfault.appspot.com/password_strength.html#menu

It suggests that using common techniques "passwordpasswordpassword" would need less than a day, and "^&df%$*" would need 3 months and 21 days (assuming the same computing power is applied to both).

"^&df%$*" would need 7 trillion guesses and "passwordpasswordpassword" only 27,000.
 Passwords - No FM2R
From your first link....

"That points not to a flaw in Graham's technique, of course, but rather a confirmation of Carnegie-Mellon's 2011 study (PDF) that concluded that length was the only thing that really influences password strength."

However, I'd say we've taken this quite far enough. The truth is that using any technique would be better than what most people do.
 Passwords - SteelSpark
>> From your first link....
>>
>> "That points not to a flaw in Graham's technique, of course, but rather a confirmation
>> of Carnegie-Mellon's 2011 study (PDF) that concluded that length was the only thing that really
>> influences password strength."

You really need to read that study. In fact it suggests that the only "password policy" that leads to stronger passwords is forcing users to make them longer (because, yes, on the whole longer is more secure, and users ignore other guidance such as using random symbols).

It just means that, for example, some users will always choose dictionary words, so the only effective way to force them to make them more secure is to force them to make them longer.

That does not mean that a longer password is always more secure than a shorter password, especially if the longer password is just three common words.

The tool I linked shows this. Requiring trillions of attempts to crack your short random password, but only thousands to crack "passwordpasswordpassword" (which is already pre-computed online anyway).

Last edited by: SteelSpark on Thu 16 Aug 12 at 00:32
 Passwords - No FM2R
Oh do let it go. It was your link I quoted, and it doesn't really matter anyway.
 Passwords - No FM2R
That sounded rude, sorry. These days I'm trying to only be rude when I mean to be, and I didn't.

However, it really is enough and whilst much that you say is extremely valid, given the cross-section of users we're dealing with, I'd rather long and simple than short and complex; even though long and complex is best.

 Passwords - SteelSpark
>> That sounded rude, sorry. These days I'm trying to only be rude when I mean
>> to be, and I didn't.

Hey, no probs.

I found it a very interesting discussion last night, and certainly made me think.

We did drag it out a bit though, eh? ;)
 Passwords - TeeCee
Obligatory comment: xkcd.com/936/
 Passwords - John H

>> lastpass itself is password protected and resides on your own computer.

>> They will not have access to your computer, or your password repository, so you can have the most unique and complex passwords ever without having to rememebr them or type them.

I haven't read through all the details, but can someone in the know tell me:

1. whether "resides on your own computer" and "access to your computer, or your password repository" means that there is NO online backup repository kept by the lastpass server?

2. If you back up your computer on external media, is it possible to include the lastpass repository there?

3. Otherwise, how do you recover lastpass repository if you suffer a hard-disk failure?

 Passwords - SteelSpark
>> 3. Otherwise, how do you recover lastpass repository if you suffer a hard-disk failure?

As far as I am aware your passwords are encrypted locally and then stored on the LastPass servers, which is why you can access them from any location.

As I mentioned above, LastPass seems to be closed source, so there is no public review of the code and any potential security holes.



 Passwords - John H
>> As far as I am aware your passwords are encrypted locally and then stored on
>> the LastPass servers, which is why you can access them from any location.
>>
>>

Thanks. I was unable to locate that info from their website.

Next question is:
Does anyone know if the ability to access from any location is restricted only to those who pay, or is it part of the free package?

 Passwords - SteelSpark
>> Does anyone know if the ability to access from any location is restricted only to
>> those who pay, or is it part of the free package?

That's free John. As far as I can see, the premium package extends the functionality to mobile devices, removes ads, provides phone support and includes the ability to include a physical security device for authentication.
 Passwords - Mapmaker
2) The recovery e-mail address should be one that people will not know. For example, create an e-mail address of recovery_fm2r@whatever.com and then never use it to e-mail anyone.

Obvious, but I hadn't thought of it - or read it anywhere else.
 Passwords - No FM2R
I'm writing this quietly so that SteelSpark doesn't hear....

Lastpass is not the be all and end all to account security. You can be more secure than that, and as with anything some risks exist.

However, without driving yourself nuts there are things you can do to make yourself more secure, and part of that is understanding the most likely attacks and the real world we live in.

If somebody is coming after you personally and has access to a machine you use, you're screwed. Get over it, there's nothing you can do. However, that's not what happens.

Forget computers and consider your car. Leave it in a multi-storey car park. I don't care what you do to secure it, if someone wants specifically your car, then it's gone.

But what actually happens is that someone walks around the car park trying to find a car they can steal, any car. So if yours is too difficult to get into, or it will take longer than the window they think they have, then your car will be safe and somebody else's will go instead.

So, for your car to be safe in the real world you need very few things:

--Hope that someone else's is easier to steal
--Make stealing yours difficult
--Don't leave an incentive on display (wallet, phone, whatever).
--And if there is somewhere with a spare key, don't leave their name and address on the windscreen.

Treat your accounts the same way:

--*know* that millions of people have accounts which are easier to break into than yours
--make your password difficult to guess, and make sure that if they get one they don't get all
--don't make it obvious that the account exists and that there's millions in the account
--don't make the recovery e-mail obvious

For me, I find that lastpass enables me to increase security in the real world without wasting half my life on it.

--Different and long passwords for everything
--no logic to different passwords
--different recovery e-mail addresses
--nothing guessable or notes that are findable


You need to make your own decision.

And yes, there are more secure approaches to passwords and password storage if you dedicate more of your life to it. (you can tell SteelSpark I said that bit).

And long passwords are better than short, obscure passwords. (don't tell him I said that bit).
 Passwords - Mapmaker
>>different recovery e-mail addresses

I thought you said that you do have these?
 Passwords - No FM2R
I do. Based upon a gmail account. Did I contradict myself?
 Passwords - No FM2R
Oh yeah, I kind of did.

Sorry about that.

 Passwords - Mapmaker
There's an edit button these days....

So do you, or don't you?!
 Passwords - No FM2R
I do.

There is at least one free e-mail domain that allows you to have multiple sub-email addresses, yet routes them all to the same main e-mail box.

Let us say I have set up an email box called recover@bloggs.com.

For each account I wish to protect I will use the appropriate recovery address. So for hotmail that might be hotmail+recover@bloggs.com.

To recover my account you must know that I've used hotmail+recover@bloggs.com, since if you try to use simply recover@bloggs.com the hotmail people will not recognise it and therefore you'll gain nothing.

In addition I never e-mail from it so there's nothing to really make it known.

Mind you, for accounts that don't matter, I don't bother too much. But hell'd freeze over before you worked out passwords or recovery e-mail addresses for my bank account, even if you knew the same for every other account I had.

Of course, if you get the password for that email account I would have issues. But you won't.
 Passwords - busbee
Password Programs

Very interesting thread. Learnt a lot playing with the 'tester'.

I have been using 7-Zip, which creates a Name.7z folder containing the file. Anyone know how secure that is? Can it be hacked? Perhaps I should have Googled that.
 Passwords - busbee
A look with Google says one must use version 4.57 (also number 920) or later. That is what I am using.
Last edited by: busbee on Sat 25 Aug 12 at 18:38