Windows 7 Forums


Windows 7: Short passwords 'hopelessly inadequate', say boffins

22 Aug 2010   #31
Airbot

Windows 7 Ultimate x64 SP1
 
 

KeePass is a safe password manager.


22 Aug 2010   #32
Barman58

Windows 10 Pro x64 x2 Windows 10 Enterprise x64, Ubuntu
 
 

Quote: Originally Posted by Tepid
Quote: Originally Posted by EnNajmy
These are some useful websites related to passwords :

1- Password Strength Checker
This website tells you how strong your password is with a detailed and easy to understand analysis.

2- How Secure Is My Password?
This website tells the estimated time it would take to crack your password.

I hope you like them
Regards
EnNajmy

Just a general note. I would not trust any website, none, with typing in my passwords to.

You can download KeePass and get enough information about the strength of your password without sending any sensitive information across the web like that.

And it will save and protect it as well so you don't lose it and it's not out in the open.

I would not use the FF one, but KeePass I am not leery of.
The only way I would use a website check is to use a generic password template that is similar to the one I wish to check (even shifting each character up or down by one character), basically the same number of characters and mix of character types as the actual password to check.

Quote: Originally Posted by Airbot
KeePass is a safe password manager.
I have used KeePass at times, but even then make sure that the password database at a minimum is stored on a USB key, or preferably use the portable version of KeePass from a USB stick.
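Added example, not part of any post in this thread: a local way to build the kind of stand-in described in post #32, so the real password is never typed into a website. It goes beyond the post's shift-by-one idea by drawing a random, different character of the same class at each position, since a fixed shift is trivially reversible; the function names and the sample password are assumptions made for illustration.

```python
import secrets
import string

# Character classes a typical strength checker distinguishes.
CLASSES = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation,
}


def char_class(ch):
    """Return the class key for ch; refuse characters outside the four classes."""
    for key, alphabet in CLASSES.items():
        if ch in alphabet:
            return key
    # Refusing is safer than copying an unknown character into the stand-in.
    raise ValueError("unsupported character; extend CLASSES first")


def pattern(password):
    """Class pattern of a password, e.g. 'Ab1!' -> 'ulds'."""
    return "".join(char_class(ch) for ch in password)


def stand_in(password):
    """Build a random string with the same length and class pattern.

    Each position gets a randomly chosen *different* character of the same
    class, so no character of the real password survives in the output.
    """
    out = []
    for ch in password:
        alphabet = CLASSES[char_class(ch)]
        out.append(secrets.choice(alphabet.replace(ch, "")))
    return "".join(out)


if __name__ == "__main__":
    real = "Tr0ub4dor&3"  # constructed sample, not a real credential
    fake = stand_in(real)
    print(pattern(real), fake)  # paste only `fake` into an online checker
```

A checker that scores dictionary words will rate the stand-in differently from a real password built from words, so the result only reflects length and character mix.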
27 Aug 2010   #33
Darician

Windows 7 Ultimate x64 SP1
 
 

Working in tech support, we do support for a couple of companies. One thing I loathe is the 45/90 day password reset cycle. Every time it happens, a bunch of users e-mail and call in moaning and whining and complaining about having to change their passwords. The number one common question I get is "Can't I just use the same password I had before?" Especially when supporting overseas (I'm in the US) users, it only gets worse. Luckily in most cases, we can set the same password they had before.

Is it a security risk? Of course it is. But if we don't, I know that all they're going to do is write it down on a post-it note and put it right on their monitor thereby negating the point of forcing them to change their password. As much as I want to be security conscious, I've been working tech support long enough that I've really stopped caring. It's like the company I used to work for who before laying us off, about a month before, they came up with a completely inane policy of requiring at least a 12 character password with an uppercase, lowercase, number, and special character in it. I remember walking around that day finding about at least 10 people who had post-it notes with their password written on their monitors. I just looked around and thought "hmm...somehow I saw that coming."

The way I've seen it go down is that the more security is put in, the more users will rebel. And the more users rebel, the harder it will become to lock them down because they'll always find a way around the new security measures. And I find it especially laughable how often management types (IT Director/CIO, Department Managers, VPs) don't have a clue of reality versus their numbers painted ivory tower view.

(A bit of an opinionated rant, I know but I just wanted to throw it out there)
27 Aug 2010   #34
cluberti

Windows 10 Pro x64
 
 

Well, one way I've seen it worked around where I've consulted (and I've suggested it to others with success) is to allow users to write their passwords down on a post-it, but they *must* keep it in their wallet, purse, whatever, as long as it's not under the keyboard or attached to the monitor. That way, if they lose it, they call and reset the password. It's not ideal, but it was the only real concession to make to get some of the C-level execs to stop doing it (they're the worst, and the first to breathe down your neck if it all goes horribly wrong if someone's password was stolen too.... aaah, the irony), and it has the unintentional but wonderful side-effect of people actually remembering their passwords - they actually have to think about it, they see it on the paper, and then enter it - we find that in general, within about 3-5 days, everyone can remember their current password. Passwords are 8 chars, but with one special character, an upper and lower case letter, and a number. It's not the most complex, but it is still secure enough to create decent passwords. Password changes are every 45 days, and I suggest they set to remember 8 passwords (basically a year's worth).

Honestly, password security isn't the real problem anyway with this sort of risk (that part is easy to get users to agree to, almost always), it's the fact that we allow users to go more than 30 days without changing that password again (or some short arbitrary number, depending on how vulnerable you would expect to be given the type of data you'd store and the type of industry you're in). Who cares if a hacker got the AD SAM and hacked it in a few weeks? If you're doing it right, the password's already changed, and your auditing will catch the attack right away.
27 Aug 2010   #35
Darician

Windows 7 Ultimate x64 SP1
 
 

True, C-Level execs are the worst at this. They think they're above the policy they created somehow. "Do as I say not as I do". Yeah, the password reset cycle has its purpose though I notice people will change their password to something that is so close to their previous password that only one thing changes that again negates the point but does help to a degree. I know some places have a requirement in particular that I've seen where you have to change the password to something that's at least a few characters different each time and you can't reset to the same password each time. Not exactly popular but depending on the industry, could be very important.

I'm just saying I don't think password complexity is everything though it can mitigate brute force attacks. I think two-factor authentication is a better path; for example a smart card plus a password or better yet, smart card plus a fingerprint. I think it could certainly help but then again, there is the whole "no two fingerprints are identical" idea. I've read that it's not so much that it's not possible rather that it just hasn't been found to occur so that could be a potential issue but I do believe two-factor authentication can help if practiced properly.
27 Aug 2010   #36
Tepid

Win 7 Ultimate 32bit
 
 

Quote:
I remember walking around that day finding about at least 10 people who had post-it notes with their password written on their monitors.
The problem is, users will do that no matter what. What needs to be done is action taken. We find it posted like that, you're fired.
27 Aug 2010   #37
Darician

Windows 7 Ultimate x64 SP1
 
 

Quote: Originally Posted by Tepid
Quote:
I remember walking around that day finding about at least 10 people who had post-it notes with their password written on their monitors.
The problem is, users will do that no matter what. What needs to be done is action taken. We find it posted like that, you're fired.
Though technically you're right, unfortunately that company I worked for was so full of it, that they couldn't have figured out how to tie a shoe if their lives depended on it.
27 Aug 2010   #38
Barman58

Windows 10 Pro x64 x2 Windows 10 Enterprise x64, Ubuntu
 
 

The major problem with the "you're fired" route is that the worst offenders are often too far up the greasy pole to be touched even by the IT department.

You just have to be more subtle with them - physically removing the post-it when they're off for the day is one good one.
27 Aug 2010   #39
cluberti

Windows 10 Pro x64
 
 

Quote: Originally Posted by Darician
I think two-factor authentication is a better path; for example a smart card plus a password or better yet, smart card plus a fingerprint.
Yes, this is absolutely correct. Authentication should be multi-factor, specifically, what you know (username\password), plus what you have (smartcard or fingerprint). It is infinitely harder to attack something when you have to be physically present to do so - yes, I know social engineering can happen, but other than user education there's not much you can do to avoid that. You plan for the worst, and audit your network.

Quote: Originally Posted by Barman58
You just have to be more subtle with them - physically removing the post-it when they're off for the day is one good one.
And the fact I never thought of that means I'm committing this one to memory right now.
27 Aug 2010   #40
BCXtreme

Windows 7 Home Premium x64
 
 

When it comes to long complicated passwords in the corporate environment, one has to ask, which is more secure: a relatively weak password stored only in the user's brain, or a relatively strong password stored on a sticky note in plain view of everyone that passes by? I'm inclined to vote for the former.