Password security

FranzB

Account closed by request
There is a discussion at www.sevenforums.com/system-security/179818-w-7-security.html about safe (strong) passwords, but the thread is marked as solved. So I am posting the reply I wanted to give in a new thread here.
All these rules for composing safe passwords are rather bothersome. The whole problem of a safe password can be solved in an easier way than composing one yourself by sticking to a whole set of rules, then obtaining its safety rating with one of the many password testers and possibly having to compose a safer password if the first one was miserable. And one thing about those password testers. Very often different testers give different safety ratings for the same password. So then what? It's all a bit too much in practice.
An easier way is to get a password online (don't frown) from Gibson Research Corp at **Home of Gibson Research Corporation**. Click on "Services" when you have downloaded their site and have a look at the sub-sections referring to passwords. Read it. Everything is secure and it is a very reputable company. One of the sub-sections referring to passwords generates a unique password just once for you and never again. 64 Characters but you can take a string out of that and cut down the length. You can then always test it with one of the password testers, preferably 2 or 3 to see whether or not the safety ratings are the same. It is easy but do some work and read what Gibson is writing about this whole issue. There are also some videos you can watch. Have fun.
 

Yes, Gibson Research is a good way to generate your passwords and I use it myself. Thank you, Franz.
 

Nice reminder.
Thanks.
 

Excellent link to Gibson, thank you.
 

I use KeePass for Windows. It's free and it generates passwords if you want them. It also saves an encrypted KeePass file that you can put on a zip drive so you always have your passwords. Great open source program. Downloads - KeePass
 



A Guy
 

FranzB changed all his passwords to 'incorrect'...

So whenever he forgets, the computer will remind him,"Your password is ... incorrect".


:zip:

Having a complex password is just the first step. Having a different password for each site, especially banking, credit card, bill payment, e-mail, etc. is just as important.

What I like about the GRC https://www.grc.com/haystack.htm and Password Strength Checker is the ability to create a strong password that is something I can actually remember and type correctly! In one environment, we had to change passwords every 30 days. A password cracker was used to ensure we used strong passwords. More often than I liked, it took me two or three times to get the password right.
 

I did some fiddling around with passwords and checking them with Microsoft's password checker and the password strength checker mentioned above by Corrine (maybe the one by Microsoft is safer since it uses an https connection but let's not become totally paranoid).
I took Gibson Research's password generator and took strings of 11-12 characters out of the generated passwords. Then I took passwords easy to remember, e.g. 1?(timpfi)2 being this is my password for internet. Amazingly enough the latter are just as secure as the strings taken from the password generator when tested for strength and of course much easier to remember without having to look them up and then type them. It makes you wonder. Even !(NoNonsense)? was a strong password.
 

Interesting discussion.

My employer uses strict criteria for our logon passwords: minimum of 12 characters, 8 alphanumeric, 4 numeric, at least one instance of upper or lowercase etc. etc. etc., and you can't use the same password for 26 consecutive password changes. It's so complex, people end up scribbling them down on post-it notes and sticking them on their monitors - go figure :sarc:
 

Hi, FranzB.

What I find the Password Strength Checker good for is illustrating how increased character variety (i.e., 1?(timpfi)2 penalized -10 for having too many consecutive lowercase Letters). Even though those sites don't retain the information, personally, I use them for general password testing, not for my actual passwords.

You are very correct about using something easy to remember. Look how easy this is to remember: *1C@tAnd2D0g$*. It is "very strong" at the Password Strength Checker, would take 1.57 thousand trillion centuries for an online attack according to GRC but, due to length, is only rated "strong" at the Microsoft Password Checker.

Add a few characters and *W3haveIh1C@tAnd2D0g$* becomes Best at Microsoft and Online cracking would supposedly take 10.40 million trillion trillion centuries according to GRC.
 

Just something about these billions of centuries that are calculated for cracking a password. Do not forget that it only means that the password can be cracked with a certainty of 100% in that time.
If a certain password can be cracked in 1,000 years and another one in 1,000 centuries it does not mean that the former is always cracked faster. It could be that the latter is cracked after 15 seconds when you are running the program and are lucky.
It is a misunderstanding of statistics as so often. When it is calculated that the possibility of an accident taking place is once in a million years it says nothing about when the accident will take place. It could be after 2 years.
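
The century figures quoted in this thread and the question of what they mean, worked through as an added example that is not part of any post. It assumes a haystack-style model (an alphabet of 26 lowercase, 26 uppercase, 10 digits and 33 symbols, every length up to the password's, 1,000 online guesses per second); the function names are this example's own. With the asterisks counted as part of the strings, the results land close to the figures quoted above.

```python
import string

# Assumptions of this added example (not taken from any site's code):
# the alphabet is the union of the character classes present in the
# password, every length up to len(pw) is searched, and an online
# attacker makes 1,000 guesses per second.
SYMBOLS = string.punctuation + " "       # 32 punctuation marks + space = 33
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, SYMBOLS)
ONLINE_RATE = 1_000                      # guesses per second (assumed)
SECONDS_PER_CENTURY = 100 * 365.25 * 86_400


def alphabet_size(pw: str) -> int:
    """Sum the sizes of the character classes that appear in pw."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))


def search_space(pw: str) -> int:
    """Candidates of length 1..len(pw) over that alphabet (exact integer)."""
    n = alphabet_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def worst_case_centuries(pw: str, rate: int = ONLINE_RATE) -> float:
    """Time to try every candidate: the '100% certain' figure."""
    return search_space(pw) / rate / SECONDS_PER_CENTURY


def chance_within(pw: str, seconds: float, rate: int = ONLINE_RATE) -> float:
    """Probability a blind search in random order hits pw within `seconds`."""
    return min(1.0, seconds * rate / search_space(pw))


if __name__ == "__main__":
    # Strings quoted in the thread, asterisks included as typed there.
    for pw in ("*1C@tAnd2D0g$*", "*W3haveIh1C@tAnd2D0g$*", "1?(timpfi)2"):
        full = worst_case_centuries(pw)
        # In random order the average hit comes at half the worst case.
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"worst case {full:.3g} centuries, average {full / 2:.3g}, "
              f"chance within 15 s {chance_within(pw, 15):.3g}")
```

The model covers blind exhaustive search only, so a string built from words and predictable substitutions gets the same figure as a random string of the same length and character classes.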
 
