Password Mistakes Hackers Hope You’ll Make

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
Most of you guys are smart enough to use strong passwords but we all know people still using cr4ptacular01 passwords that should probably read this article.

In a 2013 study for DARPA (the Federal Defense Advanced Research Projects Agency) called Pathwell, security consulting company KoreLogic found that, among the thousands of users within an unnamed Fortune 100 company, roughly half had relied on just five patterns to compose their passwords and 85 percent had relied on just 100 patterns. (KoreLogic found similar predictability within a variety of other companies).
 

Armenius

Extremely [H]
Joined
Jan 28, 2014
Messages
34,459
My passwords don't follow any pattern... I think :p. At least none of the ones listed in the article. I love it when people put a number from their birthday in a password :cool:.
 

Eulogy

2[H]4U
Joined
Nov 9, 2005
Messages
2,837
The best part are websites that allow you 12 characters total, and allow you few or no special characters.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
20,886
Keepass - randomly generated , i don't know 3/4 of my passwords for things..

but i do love sites that force you to use only 8-15 characters and only letters and numbers...sad
 

devil22

2[H]4U
Joined
Jan 1, 2003
Messages
3,837
My password strategy: Make a sentence of 5+ words I've never heard or seen any where before, e.g. "MyCatWearsPurplePants".
Swap one letter to something random, not leet-speak. -> "MyCatWe9rsPurplePants"
Easy to remember, effectively random to password crackers.
But password managers, like keepass and lastpass are probably the best bet, so I just use this for my lastpass master password nowadays.
 

Retronym

[H]F Junkie
Joined
Mar 5, 2007
Messages
13,608
Here you go.
I made this awhile back for convenience.

Buy flat, square authentic vegas dice.
Undrilled and no pips.

Password is the roll sequence. Fill out by hand.

Beautiful entropy.
 

viscountalpha

2[H]4U
Joined
Oct 16, 2011
Messages
2,618
It's not the passwords themselves but what's accessible when people break into someone elses database.

Password madness needs to end, there HAS to be a better way :/
 

SvenBent

2[H]4U
Joined
Sep 13, 2008
Messages
3,319
i would avoid using tecnhology like keypass as they STORE you password somewhere which in itself is bad.

Use pwdhash instead generate as hash of password+sitename into a unique password for that site.
They don't save you password so no weak link there

www.pwdhash.com
 

Az Syndicate

Limp Gawd
Joined
Feb 15, 2002
Messages
393
i would avoid using tecnhology like keypass as they STORE you password somewhere which in itself is bad.

Use pwdhash instead generate as hash of password+sitename into a unique password for that site.
They don't save you password so no weak link there

www.pwdhash.com

I understand the concern about technology that STORES the password. But I want to know how you expect a user to recall/remember every unique password created for sites/applications/databases?

I use lastpass. It stores my information locally but it is encrypted and the unlock key is not stored anywhere. I also like that Lastpass helps reduce risk from KeyLoggers.
info here: https://helpdesk.lastpass.com/getting-started/introduction/why-is-lastpass-safe/
 

westrock2000

[H]F Junkie
Joined
Jun 3, 2005
Messages
9,360
With those lastpass keychain type apps, what happens when you need to use someone else's computer or you use a different operating system or something?

I don't know much about them.

What if I need to pull up an email at the library or on a friends phone?
 

Eulogy

2[H]4U
Joined
Nov 9, 2005
Messages
2,837
I just plain never log into a website (even forums) from a computer that isn't my own, and I don't put the password db on a phone or anything else. If I "had" to for some reason, most of the important passwords I have memorized.
 

drescherjm

[H]F Junkie
Joined
Nov 19, 2008
Messages
14,938
I understand the concern about technology that STORES the password. But I want to know how you expect a user to recall/remember every unique password created for sites/applications/databases?

I have hundreds of accounts. There is no way I could possibly remember different strong passwords. Although I do realize lastpass is a risk. I do not use it for financial accounts but then my passwords are much weaker for those since I need to remember them. Good thing most of them have a password + security question.
 

drescherjm

[H]F Junkie
Joined
Nov 19, 2008
Messages
14,938
i would avoid using tecnhology like keypass as they STORE you password somewhere which in itself is bad.

Use pwdhash instead generate as hash of password+sitename into a unique password for that site.
They don't save you password so no weak link there

www.pwdhash.com

Interesting. I assume its easy to use the addon on dozens of computers / tablets?
 

JeffDC

Gawd
Joined
Jul 19, 2006
Messages
775
These days sites know when an account is being hacked by the first few attempts. And they keep track for much longer periods of time, so waiting accomplishes nothing. I'm not claiming password strength doesn't matter but it matters a whole lot less now than it used to.
 

LurkerLito

2[H]4U
Joined
Dec 5, 2007
Messages
2,505
It's an interesting idea but personally I think pwdhash is just as bad as storing the password locally. It's only really better if you use a unique seed password to each site you use pwdhash on.

The program generates a predictable password given 2 inputs a site URL and a seed password you give. So most using pwdhash would use the same seed password for all sites. So if someone breached a site that stored their user/pass file as plain text, and determines a user there uses pwdhash. You can dictionary attack a reverse engineered pwdhash function to speed things up to see if you can generate the one in the plain text user/pass file they obtained. Once done, they get access to every site that user ever used pwdhash to generate a password to. So it effectively is about the same as a locally stored encrypted database program, but it is a bit more inconvenient for the user if a site they go to gets breached as they will then have to use a new different seed password to make a new generated password to any site that gets breached. Also it would be harder to determine if all your sites were breached with pwdhash unless a site that was breached told the user and they often don't do that very fast. At least with locally stored, you know if you've lost the file and can take steps to change the majority of the important account passwords as soon as you realize it.

So if you plan on using pwdhash it would be better for you to use a 2 password system. Use something like keepass to generate and store seed passwords for sites. Then use pwdhash to generate the actual site password. That would make for a more secure system though it is more inconvenient.
 

Jagger100

Supreme [H]ardness
Joined
Oct 31, 2004
Messages
7,710
Here you go.
I made this awhile back for convenience.

Buy flat, square authentic vegas dice.
Undrilled and no pips.

Password is the roll sequence. Fill out by hand.

Beautiful entropy.

I hate it when people misuse the term entropy. Entropy is unrecoverable heat energy. This means heat was disappated to a lower termperature and there's no available even lower temperature pool to tranfer the heat into to make it do useful work. The Sci-Fi twist on it that believes it means chaos is gernally incorrect, as something made hotter is also more chaotic on an atomic level, but that's recoverable. The Sci-Fi extention of the idea that it means the Universe is moving to a lifeless dead state, it generally correct. Lifeless hardly inspires a notion of unpredictable.
 

Jagger100

Supreme [H]ardness
Joined
Oct 31, 2004
Messages
7,710
My password strategy: Make a sentence of 5+ words I've never heard or seen any where before, e.g. "MyCatWearsPurplePants".
Swap one letter to something random, not leet-speak. -> "MyCatWe9rsPurplePants"
Easy to remember, effectively random to password crackers.
But password managers, like keepass and lastpass are probably the best bet, so I just use this for my lastpass master password nowadays.

There's a cartoon somewhere that praises this methode more or less. It makes one bad assumption. That people will use the full dictionary. People's vocabulary is 99.999% time all of 300-500 words. So instead of each word being a faction of 30,000 or whatever, its really a factor of 500. So the number of likely combinations is far less than the cartoon purports. If you want to make it work you need to use an expanded vocabulary like a rare proper name or some very uncommon word, preferrably at least twice.
 

Retronym

[H]F Junkie
Joined
Mar 5, 2007
Messages
13,608
I hate it when people misuse the term entropy. Entropy is unrecoverable heat energy. This means heat was disappated to a lower termperature and there's no available even lower temperature pool to tranfer the heat into to make it do useful work. The Sci-Fi twist on it that believes it means chaos is gernally incorrect, as something made hotter is also more chaotic on an atomic level, but that's recoverable. The Sci-Fi extention of the idea that it means the Universe is moving to a lifeless dead state, it generally correct. Lifeless hardly inspires a notion of unpredictable.

ok.

well, whatever it is, i like it.

the NSA can't perfectly model an unknown human tossing an unknown die.

I will never trust a software random number generator.
 

chockomonkey

[H]F Junkie
Joined
Oct 11, 2003
Messages
8,300
There's a cartoon somewhere that praises this methode more or less. It makes one bad assumption. That people will use the full dictionary. People's vocabulary is 99.999% time all of 300-500 words. So instead of each word being a faction of 30,000 or whatever, its really a factor of 500. So the number of likely combinations is far less than the cartoon purports. If you want to make it work you need to use an expanded vocabulary like a rare proper name or some very uncommon word, preferrably at least twice.

password_strength.png


After reading this comic I also ditched my old password methods and started using passphrases where applicable. I make sure to use words that I never use online, but mostly just a random gathering of words. The comic is right though, at least about the easier to remember part :)
 

Draxanoth

Gawd
Joined
Aug 30, 2011
Messages
567
password_strength.png


After reading this comic I also ditched my old password methods and started using passphrases where applicable. I make sure to use words that I never use online, but mostly just a random gathering of words. The comic is right though, at least about the easier to remember part :)
I still throw in a weird character from the number row somewhere for good measure, but I too prefer the bottom method.

Cargo!pantsKangaroo

I've also used the pass-phrase insane rambling method with some characters translated with a cypher, sort of like leet speak but not exactly since it's not as simple as replacing e with something that looks similar. The cypher doesn't have to be particularly complex if you've got a random pattern, I used alternating here just for a demo which is easy to assume and probably not wise to use in real life. Someone might recognize what cypher I used for this example. :D

C2r4o!7a6t7K2n4a7o6

Kaspersky says that'll hold for 10,000+ centuries against automated guessing. :cool:
 

Parja

[H]F Junkie
Joined
Oct 4, 2002
Messages
12,671
There's a cartoon somewhere that praises this methode more or less. It makes one bad assumption. That people will use the full dictionary. People's vocabulary is 99.999% time all of 300-500 words. So instead of each word being a faction of 30,000 or whatever, its really a factor of 500. So the number of likely combinations is far less than the cartoon purports. If you want to make it work you need to use an expanded vocabulary like a rare proper name or some very uncommon word, preferrably at least twice.

VerilyDothRachmaninoffImbibeHooch

Don't use that! That one's mine!
 

devil22

2[H]4U
Joined
Jan 1, 2003
Messages
3,837
There's a cartoon somewhere that praises this methode more or less. It makes one bad assumption. That people will use the full dictionary. People's vocabulary is 99.999% time all of 300-500 words. So instead of each word being a faction of 30,000 or whatever, its really a factor of 500. So the number of likely combinations is far less than the cartoon purports. If you want to make it work you need to use an expanded vocabulary like a rare proper name or some very uncommon word, preferrably at least twice.

I've seen the cartoon before, and you're exactly right, which is why I said "change one letter to something random". While the sentence can be brute forced with a small dictionary, changing one letter to something random defeats this and is still about as easy to remember.
 

chockomonkey

[H]F Junkie
Joined
Oct 11, 2003
Messages
8,300
I've seen the cartoon before, and you're exactly right, which is why I said "change one letter to something random". While the sentence can be brute forced with a small dictionary, changing one letter to something random defeats this and is still about as easy to remember.

proper nouns work too as they'll have to include a lot more dictionaries to catch em all =P
 

sfsuphysics

[H]F Junkie
Joined
Jan 14, 2007
Messages
15,460
My password strategy: Make a sentence of 5+ words I've never heard or seen any where before, e.g. "MyCatWearsPurplePants".
Swap one letter to something random, not leet-speak. -> "MyCatWe9rsPurplePants"
Easy to remember, effectively random to password crackers.
Then one day after going months and months of letting your internet browser remember your password you have to change it, forget the phrase, or forget which letter you randomly changed, and your "easy to remember" becomes a pain in the butt.
 

devil22

2[H]4U
Joined
Jan 1, 2003
Messages
3,837
Then one day after going months and months of letting your internet browser remember your password you have to change it, forget the phrase, or forget which letter you randomly changed, and your "easy to remember" becomes a pain in the butt.

What password isn't in that case? "12345"?
 

nightfly

2[H]4U
Joined
Jun 7, 2011
Messages
3,505
How about: Create a strong password. make a list of all your places where you need strong passwords. Number them. Now take your strong password and insert the number at particular places within the strong password. So if bloomingdales is say, #27 on my list, and my password is 3q*ww06T^_jIt, the password might become 3q*w2w067^_jIt shorter or longer, with more or less stuff in it. Each password is the same with the added digits in particular places in the sequence, or perhaps in progressive spots in the sequence. You only have to remember one strong password, and have access to your list, and your rule of where the numbers go to figure out any of the passwords. If you're really paranoid you can move the top oh, three items in your list to the bottom to change the sequence to anyone looking at it.
 

stiltner

[H]F Junkie
Joined
Mar 16, 2000
Messages
10,686
I use a schema.

Website URL + date of first visit + Special Character.

It'll always be unique, and tied to only 1 place then.

For example Google120414*

Secure, maybe not, but its unique, and easy to constantly recall in a sense, cause its words, dates and one of 10-15 special characters.

After 3-4 entries its memorized.
 

chenw

2[H]4U
Joined
Oct 26, 2014
Messages
3,977
I am starting to move towards a more old school method of password rememberance: Pen and Paper.

Beats remembering it by miles, and I don't like having my last line of defence being something that is connected to the internet. EG I am still using the old Authenticator for my BNet account, because the new app one has to be installed on a smart device, which usually has the ability to go on the net, the old authenticator doesn't have that issue.

Of course, there is the risk of losing the paper, or if someone else finds it. I can't say much about the former, but the latter I have a catch: I don't write my username, nor what the passwords are for on that piece of paper. To any randomer who decides to pick up that piece of paper, it'll be worthless to them. If my house gets broken in, I doubt the would be robber would have taken the time to find a piece of paper with password on it.

Lastly, I put a quite simple cypher on the password itself, so whoever in person wants to get into the account, would have to break it first. Sounds like a lot of work? I find it easier to recognise a password and learning the simple cypher than it is to learn a random-y password.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
I have a couple passwords I memorize for stuff I have to use all the time that is not that important like forums. They're not THAT strong but still random enough that they'd be hard to crack. The really important stuff like banking or domain registrars use more complex passwords which I need to use a password manager for. Any site that has my credit card number uses a really strong password too.

One thing to also keep in mind that one service can often give access to another. For example, your email and domain registrar is probably the two most important things to protect. If someone gains access to your email they can do a password reset on pretty much anything. If someone gains access to your domain registrar they can change to another DNS server and change MX records and take over your email that way. They can also take control of your sites, and even initiate transfers and steal your domains.
 

ironforge

[H]ard|Gawd
Joined
Feb 7, 2006
Messages
1,235
My favorite password:

Necropost!

I usually go for sentences, with odd characters thrown in.
FerrariWithIceCreamSpilled^InFrontSeat
 

Retronym

[H]F Junkie
Joined
Mar 5, 2007
Messages
13,608
i recycle spent bitcoin private keys for passwords now.
and add a symbol or two if the website supports it.

51 characters or more.
 

ZenDragon

[H]ard|Gawd
Joined
Oct 22, 2000
Messages
1,698
I tend to use complex patterns on the keyboard rather than actual words, and mix in shift presses. A very simple example would be: !Q2w#E although I get a LOT more complicated than that, and often 20+ characters long. There are a effectively millions of different combinations of patterns that would be difficult to programatically guess because they don't make any sense otherwise. My brain seems to remember long complex patterns quite well, although I have to say, typing some passwords into a phone or a something with a non standard querty keyboard is a HUGE pain in the ass!
 

sfsuphysics

[H]F Junkie
Joined
Jan 14, 2007
Messages
15,460
My favorite password:

Necropost!

I usually go for sentences, with odd characters thrown in.
FerrariWithIceCreamSpilled^InFrontSeat

Yes it was totally worth bumping this 5 month old thread for this gem of information that was swirling around your mind.
 
Top