Strong Passwords

Randy Downs
Randy Downs dba Downs Consulting Services is a verified Veteran-owned small business (VOSB)
Veteran business database www.vip.vetbiz.gov

Passwords

In the wake of Heartbleed we need to consider stronger unique passwords. We advise our clients to change all their passwords regularly and use strong unique passwords for each site.

We want unique passwords so that a compromised site won’t give away the keys to all our sites. The worst password is something that’s guessable with a dictionary search in any language. One of the most abused passwords is “Password”. If you must use something you can remember then substitute special characters for letters.

Example:
Use | (pipe, above the \ key) or 1 (number one) or ! (exclamation mark) for L
Use the number 3 for the letter e (imagine the 3 flipped horizontally)
Use @ for a
Use the number 5 for the letter s
Here are more Leet dictionary references

Password Management

A Password Management tool like Last Pass will ease the pain of keeping track of multiple passwords, changing them and tracking their history. With a management tool you can create secure passwords like zC69*&pEa0EsZ@BM

That’s not something anyone is likely to guess but it’s not easy to remember either. The Password Management tools remember these for you and even fill the credentials in for you on most sites. The management tools also make it easier to generate new passwords and remember them. Last Pass also has a Security check that will advise you on which passwords should be changed and how strong they are.

Last Pass is free for PC and laptop use but you pay a nominal fee to use it on your mobile devices (e.g. phone).

Administrative Comment

by:Eric AKA Netminder
Congratulations; your article has been published.

ericpete
Page Editor

Expert Comment

by:Bob McCoy
Humans continue to be the greatest risk in password management. And password reuse is a continual issue. And if a hacker can scoop your credentials, password reuse opens all sorts of possibilities.

Author Comment

by:Randy Downs
I am in complete agreement, radioeng; that's why I support applications like LastPass. You can have as many passwords as you want and make them extremely complex. That means you only have to remember one password for the application, and you can make it complex but memorable by using Leet speech.

Expert Comment

by:käµfm³d 👽
"If you must use something you can remember then substitute special characters for letters."
This advice is relatively meaningless these days. There are tools available that will take all such special characters into account when generating a brute-force word list. A popular suggestion is to take the first letter of a series of words in a song lyric or book quote.

Also, I'm not sure why Heartbleed was mentioned in this article. Heartbleed has nothing to do with passwords other than the fact that an attacker could potentially sniff passwords out of packets that were assumed to be encrypted. At that point, it doesn't matter how complex your password is!

Author Comment

by:Randy Downs
My advice about Leet characters is for those that insist on a password they can remember. By far the best bet is a random password with as many special characters as your service will support. Last Pass will let you generate 100 character passwords with special characters like the following.

RU#QBvQxzxzu227gFKWzUr6!YgO99eWU$Q!OfEn5PG9t$#0Oq*eu3xYImTsL8JaRk7Yk!GiZf98*&6T%nxHLEYGX1ck&RcuDRr8U

Constantly changing passwords on a Key FOB and other two factor schemes are even better.

Other passwords like TANSTHAAFL (i.e., There Ain't No Such Thing As A free Lunch) are probably easily solved these days.

Regardless of what your password routine is, it's much better to do something than to use easily guessed passwords like "password" for all your services. Brute force will eventually guess most passwords but hopefully your server will not allow that sort of attack.

I mentioned Heartbleed because most folks realize that all their passwords have been potentially compromised for the last 2 years. Consequently many are in security mode and starting to adhere to some semblance of security.

Expert Comment

by:Rich Rumble
I audit passwords for a living, and I am an active member in the oclHashcat/John the Ripper and InsidePro communities. The best advice is simply this: a long password that you can remember, and that is not easily guessed by man or machine. (I know, duh right?)
Those passwords can be derived from popular sources, but they should be altered in such a way that is not easily guessed. Misspellings, typos and abbreviations are very good ways of doing this.
eyekancount2tin (I can count to ten)
^^are4rabbitz (Carrots are for rabbits)
daalaskin|line (the Alaskan pipe line)
u!dodatonteavee (you can't do that on tv)
If you are 1337'ing words that are found in various dictionaries, computers will crack it in short order.
3=e, 0=o, s=5|$, a=4|@, i=!|1, l=||1, g=9, B=8, c=(|[|{, t=7|+, x=*|+
That is easy for a computer to do, and even humans for that matter. Note that bruteforcing hashes is different than bruteforcing logins, like those on a web page or app. There is typically less speed when BF'ing a login as opposed to an offline attack against a hash.
Rather than hijack the article, I'll write up my own. Take aways are however that length trumps "complexity" 99.% of the time, especially when you can't easily source the base the password is from. It's also why "nofatebutwhatwemake" is a good example of an easily sourced base yet is very long.
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
-rich
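As an added example (not code from the article or any commenter), the following Python check undoes the substitution table in the comment above to test whether a "leeted" password still collapses to a dictionary word, and compares the entropy of a short all-class password with a longer lowercase one. The wordlist is a constructed stand-in for a real dictionary, and the grouping of symbols is my own.

```python
import itertools
import math
import secrets
import string
from typing import Optional

# Reverse of the leet table from the comment: each symbol maps to the
# letter(s) it commonly stands in for (my grouping of the page's table).
UNLEET = {
    "3": "e", "0": "o", "5": "s", "$": "s", "4": "a", "@": "a",
    "!": "i", "1": "il", "|": "l", "9": "g", "8": "b",
    "(": "c", "[": "c", "{": "c", "7": "t", "+": "tx", "*": "x",
}

# Constructed mini wordlist standing in for a cracking dictionary.
WORDLIST = {"password", "letmein", "carrots", "welcome", "rabbits"}


def unleet_candidates(pw: str, limit: int = 256):
    """Yield every plain-letter reading of pw (bounded so the search stays small)."""
    choices = [UNLEET.get(ch, ch) for ch in pw.lower()]
    for combo in itertools.islice(itertools.product(*choices), limit):
        yield "".join(combo)


def is_dictionary_word(pw: str, wordlist=WORDLIST) -> Optional[str]:
    """Return the dictionary word pw reduces to after undoing leet, else None."""
    for cand in unleet_candidates(pw):
        if cand in wordlist:
            return cand
    return None


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Draw a random password from the OS CSPRNG, as a manager's generator should."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("P@55w0rd", "(@rr075", generate_password(16)):
        print(pw, "->", is_dictionary_word(pw) or "no dictionary match")
    # 8 random chars over 94 symbols vs 15 random lowercase letters
    print(round(entropy_bits(8, 94), 1), "bits vs", round(entropy_bits(15, 26), 1), "bits")
```

A policy checker that runs this normalisation before the dictionary lookup rejects "P@55w0rd" just as it rejects "password".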

Author Comment

by:Randy Downs
That's good advice, richrumble. My recommendation is to use unique strong passwords for each site that are created & remembered by a utility. The leet passwords are for those that don't want to use a utility.

I actually was a crypto technician in the USN and we had "random noise" that helped encrypt our signals. Even at that we only expected the cipher to be unbreakable for a length of time. Our encryption codes were only used for a day but that likely has changed since I got out of the USN a long time ago.

By the way, LastPass will also create pronounceable passwords.