Password Security & Implications?

If you don't like password managers then maybe just write them down in a notebook and keep them somewhere safe in your house.

If anyone unscrupulous gets hold of them then the fact you've been burgled is likely to upset you more than the fact someone might find out your password :D
 
I do look forward to a passwordless future. I'm hoping that I can have the following conversation with my kids/grandkids one day ...

Me - "Back when the online world was still (relatively) new, everyone had to create their own authentication credentials for services they accessed."

Person of the future - "That sounds a silly idea."

Me - "Yes, people used to just choose a word to act as a password, usually alongside their email address for identification."

Person of the future - "What? Surely that was horrendously insecure? How did services not get compromised and hacked all the time?"

Me - "They did. All the time."

Person of the future - :confused:
 
An immeasurable amount longer as dictionary attacks would no longer work.

Ah if only it was that simple.

I assume this is cracking the "hash" or whatever it is that gets stolen when a company is hacked.

As opposed to trying to log in with zero starting idea?
 
I do look forward to a passwordless future. I'm hoping that I can have the following conversation with my kids/grandkids one day ...

What do you plan on replacing them with?

A compromised biometric scanner would affect everything you have, as opposed to, say, a compromised ATM only affecting the PIN of the specific card.
 
Out of interest, why do you think password managers are a very bad idea? Anyone with enough access to your system to see the password database when it's open is probably already in a position to see what you're typing anyway, so you're still insecure even without the password manager.

But to answer your question, it does annoy me when sites have rules for secure passwords, especially when the rules sometimes mean they ban a good password while allowing an insecure one. I generate a unique 40 character password for each site, made up of just lower and upper case letters. One site disallowed one of those passwords, but let me have "password0" because the requirement was that a password must have at least 1 number. I don't think any rules should be enforced with regards to what password you choose. Let people use whatever password they want but have notices about "We strongly advise that you pick a password with 2 symbols, 1 number" etc. Algorithms used for encryption are already standardized in industry I think, or they should be.

Out of interest if you want to log in to your emails from another computer how do you do it?

In reality you don't need unique passwords for every site you visit. A unique password for important sites (such as email, banking); slightly less important sites (like large shops and utilities that store your card details - report it stolen if compromised, no issues) can start sharing less unique passwords; then one or two passwords for everything else, like forums etc.

You're more likely to remember the passwords without a password manager and you can access them whenever you want. Who gives a **** if someone manages to guess one password and can suddenly log in to the other random forums you use (for example)?

EDIT: Perhaps the most secure way would be to just mash the keyboard for all passwords other than email, then just choose password reset every time you want to log into a site. Just as useful if you're dealing with 40 letter passwords.:p
 
Because managing passwords with another piece of software seems pretty flawed to me. You're securing a password with another password when you boil it down to the root.

Yes, you can have a master secure password.

One extreme example:

Hacking group takes over X password manager, updates it to listen to master password entry.

Next time you enter your master password, every password is affected.

Yes, this is an extreme example, but it's very much like putting all your eggs in one basket to me.

Lose the middleman and use your brain as your password manager? It's not hard. I use muscle memory.

I would like universal password rules though, as an example:

Password max of 30 characters
Any letter/number/symbol
Must have a number
Must use 2 factor authentication

How do you remember dozens and dozens of passwords? If you're remembering dozens of passwords which are 30 characters long including special symbols then I'm impressed.

I use a password manager, with 2 factor authentication, and a very very complex password which I change from time to time.

It's no less risky than having a weaker password repeated on several sites.

Besides, for banking most sites require you to use your card and another RSA token type generator, or TFA plus a password.

TFA is great if used correctly.
 
PayPal has a max limit of 13 characters when creating a password, but using their login service through a site to purchase an item allows 13+? Essentially locking people's accounts.

No it doesn't; looking at the change password option it looks like it limits it to 20 characters (although it doesn't tell you it truncates it, which is bad).

I don't think password managers are bad; they are very good at stopping password re-use, which is a massive issue. A lot of people don't seem to have the ability to remember random passwords, never mind 20-30+ of them.

If you are seriously concerned about the security of your vault then you should probably look at the offline offerings you can use.

Sites should also hash passwords (using a proven mechanism and configuration) rather than encrypt them (unless there is a valid reason for the need to see the passwords, such as a password manager).
 
If someone uses that exact xkcd password then it might take you half a second if you know they're a fan of that comic. Otherwise, a similar password with a decent hashing function that uses key stretching (PBKDF2/bcrypt) is going to take you a lot longer than that.

Ah if only it was that simple.

Can you expand on this please? How would you go about cracking a "wordlist" password? Creating a hash table?
If a standard wordlist password was hashed with a salt, would that make it harder to crack?
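The salting and key stretching the thread refers to (PBKDF2 with a per-user random salt), as an added illustration that is not from any poster in this thread. It uses Python's standard hashlib; the record format and the iteration count are assumptions for the example, not any site's actual scheme:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the example; real deployments tune this to their hardware.
ITERATIONS = 310_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    A fresh 16-byte random salt is generated per record, so two users with the
    same password (or one user re-setting it) get different stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def salt_defeats_precomputed_table(password: str) -> bool:
    """Same wordlist password, two records: a table keyed on one hash never matches the other."""
    first = hash_password(password)
    second = hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)
```

Because the salt is stored alongside the hash, verification still works, but anyone with the stolen database has to run the full PBKDF2 work per guess per user rather than looking the hash up in a table built in advance.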
 
Personally I think requiring capitals/numbers/symbols in 2017 is downright stupid, but then it was stupid in 2007 so not much has changed in a decade.

If your account is going to be compromised then it's going to happen because the site got hacked and the hackers got your login, or because you downloaded a keylogger or some other malware. Not because somebody brute forced your damn password; it's not 1996 anymore, any site worth its salt has protection to stop that.

The worst thing about the recent Yahoo hack was that they made me change my password from segasega (which it had been since 1998) to something involving capitals and numbers. Which I'm sure will be loads of use the next time they get hacked >.>
 
A good write up of why password managers are a good idea. (Or at the very least, a better idea than using your brain)

I love this bit:

Let me demonstrate the problem with this based on a few recent events. Firstly we have Gawker who last December were the victims of an attack which lead to the disclosure of somewhere in the order of one million user accounts. Worse still, these accounts were posted online and readily accessible by anyone who wanted to take a look at who had signed up to the service and what their password was.

The interesting thing in the context of password strength is the prevalence of bad password choices. Take a look at these: 123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, ****you, starwars, shadow, princess, cheese

How exactly can he call those bad password choices when they worked just as well as Aw3s0mePa55WorD5000 would have? lol. I think I still use sunshine for a number of passwords (no not this forum, or my OCUK acc, lol) on a couple of sites that haven't forced me to add stupid capitals or numbers yet.
 
In fact, probably the best things that you can do are:

1) Use a password manager with strong, random passwords stored unique for each service.

2) Add a unique "code" to the end of each password stored in the password manager, use some system that makes sense to you to try and remember the unique codes, but wouldn't necessarily make sense to someone else.

3) Ideally use an offline, encrypted, secure password manager - but it's still probably better to use a decent online password manager with step 2 above also implemented than not use a password manager and duplicating passwords.

4) Use multi-factor auth for your password manager and wherever else possible.

(Point 2 above really helps to increase security where a password manager is used as it means the whole password is never stored in the password manager.)
 
Personally I think requiring capitals/numbers/symbols in 2017 is downright stupid, but then it was stupid in 2007 so not much has changed in a decade.

If your account is going to be compromised then it's going to happen because the site got hacked and the hackers got your login, or because you downloaded a keylogger or some other malware. Not because somebody brute forced your damn password; it's not 1996 anymore, any site worth its salt has protection to stop that.

The worst thing about the recent Yahoo hack was that they made me change my password from segasega (which it had been since 1998) to something involving capitals and numbers. Which I'm sure will be loads of use the next time they get hacked >.>

That's not why you use a Password Manager. As you say, most sites have protection to stop someone brute forcing your password, they will lock you out after a few incorrect attempts. No, the main benefit of a password manager is not using the SAME password for everything and thus having to change EVERY password when one of the sites you are on gets hacked.

I can understand the hesitation to trust cloud based password managers, but just don't understand why someone wouldn't use an offline one. If you are worried about someone hacking into your home PC and getting to the password manager then they're probably in a position to see whatever you type anyway so even without a password manager you'd be screwed.
 
I use multiples of number plates, post codes and phone numbers plus a unique identifier per password for a very easy to remember but total gibberish password.

Edit: Just came across this website to calculate a password's entropy. I know it's irrelevant for hacking but still interesting! My above combo generates an entropy of 100-130 which is apparently overkill but it's as quick to remember/type as these last few words so meh.
 