Password Mistakes Hackers Hope You’ll Make

Most of you guys are smart enough to use strong passwords but we all know people still using cr4ptacular01 passwords that should probably read this article.

In a 2013 study for DARPA (the Federal Defense Advanced Research Projects Agency) called Pathwell, security consulting company KoreLogic found that, among the thousands of users within an unnamed Fortune 100 company, roughly half had relied on just five patterns to compose their passwords and 85 percent had relied on just 100 patterns. (KoreLogic found similar predictability within a variety of other companies).
 
My passwords don't follow any pattern... I think :p. At least none of the ones listed in the article. I love it when people put a number from their birthday in a password :cool:.
 
The best part are websites that allow you 12 characters total, and allow you few or no special characters.
 
KeePass - randomly generated, I don't know 3/4 of my passwords for things...

But I do love sites that force you to use only 8-15 characters and only letters and numbers... sad
 
My password strategy: Make a sentence of 5+ words I've never heard or seen any where before, e.g. "MyCatWearsPurplePants".
Swap one letter to something random, not leet-speak. -> "MyCatWe9rsPurplePants"
Easy to remember, effectively random to password crackers.
But password managers, like keepass and lastpass are probably the best bet, so I just use this for my lastpass master password nowadays.
 
Here you go.
I made this awhile back for convenience.

Buy flat, square authentic vegas dice.
Undrilled and no pips.

Password is the roll sequence. Fill out by hand.

Beautiful entropy.
 
It's not the passwords themselves but what's accessible when people break into someone elses database.

Password madness needs to end, there HAS to be a better way :/
 
I would avoid using technology like KeePass as they STORE your password somewhere, which in itself is bad.

Use pwdhash instead: generate a hash of password+sitename into a unique password for that site.
They don't save your password so no weak link there

www.pwdhash.com
 
I would avoid using technology like KeePass as they STORE your password somewhere, which in itself is bad.

Use pwdhash instead: generate a hash of password+sitename into a unique password for that site.
They don't save your password so no weak link there

www.pwdhash.com

I understand the concern about technology that STORES the password. But I want to know how you expect a user to recall/remember every unique password created for sites/applications/databases?

I use LastPass. It stores my information locally but it is encrypted and the unlock key is not stored anywhere. I also like that LastPass helps reduce risk from keyloggers.
info here: https://helpdesk.lastpass.com/getting-started/introduction/why-is-lastpass-safe/
 
With those lastpass keychain type apps, what happens when you need to use someone else's computer or you use a different operating system or something?

I don't know much about them.

What if I need to pull up an email at the library or on a friend's phone?
 
I just plain never log into a website (even forums) from a computer that isn't my own, and I don't put the password db on a phone or anything else. If I "had" to for some reason, most of the important passwords I have memorized.
 
I understand the concern about technology that STORES the password. But I want to know how you expect a user to recall/remember every unique password created for sites/applications/databases?

I have hundreds of accounts. There is no way I could possibly remember different strong passwords. Although I do realize lastpass is a risk. I do not use it for financial accounts but then my passwords are much weaker for those since I need to remember them. Good thing most of them have a password + security question.
 
I would avoid using technology like KeePass as they STORE your password somewhere, which in itself is bad.

Use pwdhash instead: generate a hash of password+sitename into a unique password for that site.
They don't save your password so no weak link there

www.pwdhash.com

Interesting. I assume it's easy to use the addon on dozens of computers / tablets?
 
These days sites know when an account is being hacked by the first few attempts. And they keep track for much longer periods of time, so waiting accomplishes nothing. I'm not claiming password strength doesn't matter but it matters a whole lot less now than it used to.
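The server-side check the post above alludes to, as an added example that is not part of the thread and is not any site's real code: a per-account failed-login counter over a sliding window, run here over a few constructed log lines. The log format, the five-failure threshold and the one-hour window are assumptions for the demo; the lock is deliberately not cleared by a later success or by the window expiring, so spacing out guesses does not reset it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log for the demo (not from any real system).
SAMPLE_LOG = """\
2015-03-02T10:00:01Z login result=fail user=alice ip=198.51.100.7
2015-03-02T10:00:02Z login result=fail user=alice ip=198.51.100.7
2015-03-02T10:00:03Z login result=fail user=alice ip=198.51.100.7
2015-03-02T10:00:04Z login result=fail user=bob ip=203.0.113.9
2015-03-02T10:00:05Z login result=fail user=alice ip=198.51.100.7
2015-03-02T10:00:06Z login result=ok user=bob ip=203.0.113.9
2015-03-02T10:00:07Z login result=fail user=alice ip=198.51.100.7
"""

MAX_FAILURES = 5          # assumption: lock after the fifth failure
WINDOW = timedelta(hours=1)  # assumption: failures are counted over one hour


def parse_line(line: str) -> dict:
    """Turn one 'ts login k=v k=v ...' line into a dict with a UTC timestamp."""
    ts, _, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


class LoginThrottle:
    """Locks an account once MAX_FAILURES failures fall inside WINDOW.

    Old failures age out of the window, but a lock, once set, stays until an
    operator clears it: a successful login in between does not reset it, and
    waiting for the window to pass does not either.
    """

    def __init__(self, max_failures: int = MAX_FAILURES, window: timedelta = WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked = {}                    # user -> time the lock was applied

    def observe(self, rec: dict) -> bool:
        """Record one attempt; return True if the account is locked afterwards."""
        user, ts = rec["user"], rec["ts"]
        recent = self.failures[user]
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if rec["result"] != "ok":
            recent.append(ts)
        if len(recent) >= self.max_failures and user not in self.locked:
            self.locked[user] = ts
        return user in self.locked


def analyze(log_text: str) -> LoginThrottle:
    """Replay a log through the throttle and return it for inspection."""
    throttle = LoginThrottle()
    for line in log_text.splitlines():
        if line.strip():
            throttle.observe(parse_line(line))
    return throttle


if __name__ == "__main__":
    t = analyze(SAMPLE_LOG)
    for user, when in t.locked.items():
        print(f"{user} locked at {when.isoformat()}")
```

Run as a script it reports that alice is locked at the fifth failure while bob, with one failure followed by a success, is not. A real deployment would also key on source IP and feed the lock events to the alerting pipeline, but the per-account counter is the part that makes "try a few, then wait" ineffective.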
 
It's an interesting idea but personally I think pwdhash is just as bad as storing the password locally. It's only really better if you use a unique seed password for each site you use pwdhash on.

The program generates a predictable password given two inputs: a site URL and a seed password you give. So most people using pwdhash would use the same seed password for all sites. So if someone breached a site that stored their user/pass file as plain text and determines a user there uses pwdhash, you can dictionary attack a reverse-engineered pwdhash function to speed things up, to see if you can generate the one in the plain text user/pass file they obtained. Once done, they get access to every site that user ever used pwdhash to generate a password for. So it effectively is about the same as a locally stored encrypted database program, but it is a bit more inconvenient for the user if a site they go to gets breached, as they will then have to use a new, different seed password to make a new generated password for any site that gets breached. Also it would be harder to determine if all your sites were breached with pwdhash unless a site that was breached told the user, and they often don't do that very fast. At least with locally stored, you know if you've lost the file and can take steps to change the majority of the important account passwords as soon as you realize it.

So if you plan on using pwdhash it would be better for you to use a 2 password system. Use something like keepass to generate and store seed passwords for sites. Then use pwdhash to generate the actual site password. That would make for a more secure system though it is more inconvenient.
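The two-password scheme sketched above, as an added example that is not part of the thread and is not pwdhash's or KeePass's own code: a per-site seed (the kind a manager would generate and store) is combined with the site name through a slow key derivation to produce the password actually used at the site. The alphabet, output length, PBKDF2 round count and the coarse seed-strength check are assumptions chosen for the demo; the point it demonstrates is the one the post makes, that the output is fully determined by seed and site, so everything rests on the seed not being reused or guessable.

```python
import hashlib
import math
import secrets
import string

# Assumptions for this demo: the character set sites are assumed to accept,
# and a round count high enough that each derivation costs noticeable CPU.
ALPHABET = string.ascii_letters + string.digits + "!#%*+-=?@^_"
PBKDF2_ROUNDS = 200_000


def derive_site_password(seed: str, site: str, length: int = 20) -> str:
    """Deterministically derive the password for `site` from `seed`.

    Same seed + same site -> same password, so nothing needs to be stored;
    a different site, or a different seed, gives an unrelated password.
    """
    if length < 12:
        raise ValueError("refusing to derive a password shorter than 12 characters")
    # Normalise the site name so 'Example.com ' and 'example.com' agree.
    salt = b"site:" + site.strip().lower().encode()
    key = hashlib.pbkdf2_hmac("sha256", seed.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    # Treat the 512-bit key as one integer and peel off alphabet indices;
    # 512 bits against ~125 bits of output keeps the modulo bias negligible.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def new_seed(nbytes: int = 16) -> str:
    """A fresh random per-site seed, the value you would keep in the manager."""
    return secrets.token_urlsafe(nbytes)


def seed_is_strong(seed: str, min_bits: float = 64) -> bool:
    """Coarse sanity check on a seed before deriving anything from it.

    Estimates the search space from the character classes present; a seed
    that is short or drawn from one class is exactly what a dictionary
    attack on the derivation function would recover first.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    space = sum(len(c) for c in classes if any(ch in c for ch in seed))
    return space > 0 and len(seed) * math.log2(space) >= min_bits


if __name__ == "__main__":
    seed = new_seed()
    print("seed strong:", seed_is_strong(seed))
    print("example.com ->", derive_site_password(seed, "example.com"))
    print("example.org ->", derive_site_password(seed, "example.org"))
```

Because the seed is unique per site and lives in the manager, a plaintext breach at one site leaks only that site's derived password, which is the property the post says a single shared seed cannot give you.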
 
Here you go.
I made this awhile back for convenience.

Buy flat, square authentic vegas dice.
Undrilled and no pips.

Password is the roll sequence. Fill out by hand.

Beautiful entropy.

I hate it when people misuse the term entropy. Entropy is unrecoverable heat energy. This means heat was dissipated to a lower temperature and there's no available even lower temperature pool to transfer the heat into to make it do useful work. The Sci-Fi twist on it that believes it means chaos is generally incorrect, as something made hotter is also more chaotic on an atomic level, but that's recoverable. The Sci-Fi extension of the idea that it means the Universe is moving to a lifeless dead state is generally correct. Lifeless hardly inspires a notion of unpredictable.
 
My password strategy: Make a sentence of 5+ words I've never heard or seen any where before, e.g. "MyCatWearsPurplePants".
Swap one letter to something random, not leet-speak. -> "MyCatWe9rsPurplePants"
Easy to remember, effectively random to password crackers.
But password managers, like keepass and lastpass are probably the best bet, so I just use this for my lastpass master password nowadays.

There's a cartoon somewhere that praises this method more or less. It makes one bad assumption: that people will use the full dictionary. People's vocabulary is 99.999% of the time all of 300-500 words. So instead of each word being a factor of 30,000 or whatever, it's really a factor of 500. So the number of likely combinations is far less than the cartoon purports. If you want to make it work you need to use an expanded vocabulary like a rare proper name or some very uncommon word, preferably at least twice.
 
I hate it when people misuse the term entropy. Entropy is unrecoverable heat energy. This means heat was dissipated to a lower temperature and there's no available even lower temperature pool to transfer the heat into to make it do useful work. The Sci-Fi twist on it that believes it means chaos is generally incorrect, as something made hotter is also more chaotic on an atomic level, but that's recoverable. The Sci-Fi extension of the idea that it means the Universe is moving to a lifeless dead state is generally correct. Lifeless hardly inspires a notion of unpredictable.

ok.

well, whatever it is, i like it.

the NSA can't perfectly model an unknown human tossing an unknown die.

I will never trust a software random number generator.
 
There's a cartoon somewhere that praises this method more or less. It makes one bad assumption: that people will use the full dictionary. People's vocabulary is 99.999% of the time all of 300-500 words. So instead of each word being a factor of 30,000 or whatever, it's really a factor of 500. So the number of likely combinations is far less than the cartoon purports. If you want to make it work you need to use an expanded vocabulary like a rare proper name or some very uncommon word, preferably at least twice.

[image: password_strength.png]

After reading this comic I also ditched my old password methods and started using passphrases where applicable. I make sure to use words that I never use online, but mostly just a random gathering of words. The comic is right though, at least about the easier to remember part :)
 
[image: password_strength.png]

After reading this comic I also ditched my old password methods and started using passphrases where applicable. I make sure to use words that I never use online, but mostly just a random gathering of words. The comic is right though, at least about the easier to remember part :)
I still throw in a weird character from the number row somewhere for good measure, but I too prefer the bottom method.

Cargo!pantsKangaroo

I've also used the pass-phrase insane rambling method with some characters translated with a cypher, sort of like leet speak but not exactly since it's not as simple as replacing e with something that looks similar. The cypher doesn't have to be particularly complex if you've got a random pattern, I used alternating here just for a demo which is easy to assume and probably not wise to use in real life. Someone might recognize what cypher I used for this example. :D

C2r4o!7a6t7K2n4a7o6

Kaspersky says that'll hold for 10,000+ centuries against automated guessing. :cool:
 
There's a cartoon somewhere that praises this method more or less. It makes one bad assumption: that people will use the full dictionary. People's vocabulary is 99.999% of the time all of 300-500 words. So instead of each word being a factor of 30,000 or whatever, it's really a factor of 500. So the number of likely combinations is far less than the cartoon purports. If you want to make it work you need to use an expanded vocabulary like a rare proper name or some very uncommon word, preferably at least twice.

VerilyDothRachmaninoffImbibeHooch

Don't use that! That one's mine!
 
There's a cartoon somewhere that praises this method more or less. It makes one bad assumption: that people will use the full dictionary. People's vocabulary is 99.999% of the time all of 300-500 words. So instead of each word being a factor of 30,000 or whatever, it's really a factor of 500. So the number of likely combinations is far less than the cartoon purports. If you want to make it work you need to use an expanded vocabulary like a rare proper name or some very uncommon word, preferably at least twice.

I've seen the cartoon before, and you're exactly right, which is why I said "change one letter to something random". While the sentence can be brute forced with a small dictionary, changing one letter to something random defeats this and is still about as easy to remember.
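The arguments in this exchange (the dice-roll password, the word-list passphrase with a 500-word versus 30,000-word vocabulary, and the "swap one letter to something random" fix) are all claims about how many equally likely secrets the scheme produces, so they can be put side by side as bits. The following is an added example, not from any poster or from the comic; every figure assumes the attacker knows the scheme and only has to guess the secret choices inside it. The word counts, vocabulary sizes, average word length of 5 and the assumption that the swapped character is one of 10 digits are inputs chosen for the demo.

```python
import math


def dice_bits(rolls: int, sides: int = 6) -> float:
    """Secret = the roll sequence of a fair die: log2(sides ** rolls)."""
    return rolls * math.log2(sides)


def passphrase_bits(vocab_size: int, n_words: int) -> float:
    """Words picked independently and uniformly from a list: log2(vocab ** n).

    The vocabulary the attacker has to cover is what matters, so a 500-word
    personal vocabulary, not the size of the dictionary, sets this number.
    """
    return n_words * math.log2(vocab_size)


def substitution_bits(length: int, replacement_choices: int) -> float:
    """One character replaced at a random position with one of
    `replacement_choices` symbols: log2(positions * symbols)."""
    return math.log2(length * replacement_choices)


def scheme_bits(vocab_size: int, n_words: int, avg_word_len: int = 5,
                replacement_choices: int = 10) -> float:
    """Passphrase plus the thread's 'swap one letter for a random digit' step."""
    length = n_words * avg_word_len
    return passphrase_bits(vocab_size, n_words) + substitution_bits(length, replacement_choices)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every secret at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumption: a billion offline guesses per second
    for label, bits in [
        ("5 dice rolls", dice_bits(5)),
        ("4 words, 2048-word list", passphrase_bits(2048, 4)),
        ("4 words, 500-word vocabulary", passphrase_bits(500, 4)),
        ("4 words, 30000-word vocabulary", passphrase_bits(30000, 4)),
        ("4 words, 500-word vocab + one random digit", scheme_bits(500, 4)),
    ]:
        years = seconds_to_exhaust(bits, rate) / (365 * 86400)
        print(f"{label:45s} {bits:6.1f} bits  ~{years:.2g} years at 1e9/s")
```

The numbers bear out both sides: shrinking the effective vocabulary from 30,000 to 500 words drops four words from about 59 bits to about 36, and adding one random digit at a random position among 20 characters adds about 7.6 bits, which lands the 500-word scheme back near the 44 bits the comic assumes for four words from a 2048-word list. Five dice rolls, by contrast, give under 13 bits, so a dice-based password needs many more rolls than a few to compete.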
 
I've seen the cartoon before, and you're exactly right, which is why I said "change one letter to something random". While the sentence can be brute forced with a small dictionary, changing one letter to something random defeats this and is still about as easy to remember.

proper nouns work too as they'll have to include a lot more dictionaries to catch em all =P
 
My password strategy: Make a sentence of 5+ words I've never heard or seen any where before, e.g. "MyCatWearsPurplePants".
Swap one letter to something random, not leet-speak. -> "MyCatWe9rsPurplePants"
Easy to remember, effectively random to password crackers.
Then one day after going months and months of letting your internet browser remember your password you have to change it, forget the phrase, or forget which letter you randomly changed, and your "easy to remember" becomes a pain in the butt.
 
Then one day after going months and months of letting your internet browser remember your password you have to change it, forget the phrase, or forget which letter you randomly changed, and your "easy to remember" becomes a pain in the butt.

What password isn't in that case? "12345"?
 
How about: Create a strong password. Make a list of all your places where you need strong passwords. Number them. Now take your strong password and insert the number at particular places within the strong password. So if bloomingdales is say, #27 on my list, and my password is 3q*ww06T^_jIt, the password might become 3q*w2w067^_jIt, shorter or longer, with more or less stuff in it. Each password is the same with the added digits in particular places in the sequence, or perhaps in progressive spots in the sequence. You only have to remember one strong password, and have access to your list, and your rule of where the numbers go to figure out any of the passwords. If you're really paranoid you can move the top oh, three items in your list to the bottom to change the sequence to anyone looking at it.
 
I use a schema.

Website URL + date of first visit + Special Character.

It'll always be unique, and tied to only 1 place then.

For example Google120414*

Secure, maybe not, but it's unique, and easy to constantly recall in a sense, 'cause it's words, dates and one of 10-15 special characters.

After 3-4 entries its memorized.
 
I am starting to move towards a more old school method of password remembrance: Pen and Paper.

Beats remembering it by miles, and I don't like having my last line of defence being something that is connected to the internet. E.g., I am still using the old Authenticator for my BNet account, because the new app one has to be installed on a smart device, which usually has the ability to go on the net; the old authenticator doesn't have that issue.

Of course, there is the risk of losing the paper, or if someone else finds it. I can't say much about the former, but the latter I have a catch: I don't write my username, nor what the passwords are for on that piece of paper. To any randomer who decides to pick up that piece of paper, it'll be worthless to them. If my house gets broken into, I doubt the would-be robber would have taken the time to find a piece of paper with passwords on it.

Lastly, I put a quite simple cypher on the password itself, so whoever in person wants to get into the account, would have to break it first. Sounds like a lot of work? I find it easier to recognise a password and learning the simple cypher than it is to learn a random-y password.
 
I have a couple passwords I memorize for stuff I have to use all the time that is not that important like forums. They're not THAT strong but still random enough that they'd be hard to crack. The really important stuff like banking or domain registrars use more complex passwords which I need to use a password manager for. Any site that has my credit card number uses a really strong password too.

One thing to also keep in mind is that one service can often give access to another. For example, your email and domain registrar are probably the two most important things to protect. If someone gains access to your email they can do a password reset on pretty much anything. If someone gains access to your domain registrar they can change to another DNS server and change MX records and take over your email that way. They can also take control of your sites, and even initiate transfers and steal your domains.
 
My favorite password:

Necropost!

I usually go for sentences, with odd characters thrown in.
FerrariWithIceCreamSpilled^InFrontSeat
 
I recycle spent bitcoin private keys for passwords now,
and add a symbol or two if the website supports it.

51 characters or more.
 
I tend to use complex patterns on the keyboard rather than actual words, and mix in shift presses. A very simple example would be: !Q2w#E although I get a LOT more complicated than that, and often 20+ characters long. There are effectively millions of different combinations of patterns that would be difficult to programmatically guess because they don't make any sense otherwise. My brain seems to remember long complex patterns quite well, although I have to say, typing some passwords into a phone or something with a non-standard QWERTY keyboard is a HUGE pain in the ass!
 
My favorite password:

Necropost!

I usually go for sentences, with odd characters thrown in.
FerrariWithIceCreamSpilled^InFrontSeat

Yes it was totally worth bumping this 5 month old thread for this gem of information that was swirling around your mind.
 