Passwords
In the wake of Heartbleed, any password sent to a vulnerable server may have been exposed, so now is the time to change passwords and to move to strong, unique ones. We advise our clients to change all their passwords regularly and to use a strong, unique password for each site.
We want unique passwords so that a compromised site won't give away the keys to all our sites. The worst password is anything that can be found by a dictionary search in any language; one of the most abused passwords is "Password". If you must use something you can remember, substituting special characters for letters makes it a little harder to guess. Bear in mind, though, that password-cracking tools apply these same substitutions to every dictionary word automatically, so substitution alone does not rescue a short dictionary word; length matters more than clever spelling.
Examples:
Use | (pipe, above the \ key), 1 (the digit one) or ! (exclamation mark) for L
Use the digit 3 for the letter e (imagine the 3 mirrored left to right)
Use @ for a
Use the digit 5 for the letter s
More substitutions of this kind can be found in any leet dictionary reference.
Password Management
A password management tool like LastPass will ease the pain of keeping track of multiple passwords, changing them and tracking their history. With a management tool you can create secure passwords like zC69*&pEa0EsZ@BM.
That's not something anyone is likely to guess, but it's not easy to remember either. Password management tools remember these for you and even fill the credentials in for you on most sites. They also make it easy to generate new passwords and keep track of them. LastPass also has a Security Check that reports how strong each stored password is and advises which ones should be changed. Protect the master password accordingly: it unlocks everything else, so make it long and use it nowhere else.
LastPass is free for PC and laptop use, but you pay a nominal fee to use it on your mobile devices (e.g. your phone).
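To show what a generator like the one described above actually does, here is an added example (my code, not LastPass's, and not part of the original article). It draws every character from a cryptographic random source, rejects candidates that miss a character class so that sites with "must contain a digit" rules accept the result, and puts a number on the strength: the entropy of a uniformly random string is length times log2 of the alphabet size. The character set and the guess rate used in the crack-time estimate are assumptions.

```python
import math
import secrets
import string

# Alphabet the generator draws from. Assumption: the page does not say which
# character set LastPass uses; this is a typical letters/digits/symbols mix.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
CHARSET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 16, charset: str = CHARSET) -> str:
    """Draw each character independently with the secrets module (a CSPRNG),
    never with random.choice. Candidates missing a character class that the
    charset contains are rejected so the result satisfies typical site rules;
    at 16+ characters a rejection is rare and barely biases the output."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    classes = [cls for cls in (string.ascii_uppercase, string.ascii_lowercase,
                               string.digits, SYMBOLS)
               if any(c in charset for c in cls)]
    while True:
        candidate = "".join(secrets.choice(charset) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from an
    alphabet of `charset_size` symbols: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline brute-force attack over the whole keyspace:
    on average half of the 2**bits guesses are needed. The guess rate is an
    assumption supplied by the caller (GPU crackers reach billions of guesses
    per second against fast unsalted hashes)."""
    return (2.0 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    pw = generate_password(16)
    bits = entropy_bits(16, len(CHARSET))
    years = average_crack_seconds(bits, 1e10) / 31_536_000
    print(pw, f"{bits:.1f} bits, {years:.2e} years at 1e10 guesses/s")
```

A 16-character password from an 87-symbol alphabet carries about 103 bits, which is why the manager-generated string above is out of reach of brute force even at an assumed ten billion guesses per second; the same 16 characters chosen as a dictionary word with a few substitutions are nowhere near that.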
Comments (6)
Author
Commented:
Also, I'm not sure why Heartbleed was mentioned in this article. Heartbleed has nothing to do with passwords other than the fact that an attacker could potentially sniff passwords out of packets that were assumed to be encrypted. At that point, it doesn't matter how complex your password is!
Author
Commented:Constantly changing passwords on a key fob and other two-factor schemes are even better.
Other passwords like TANSTHAAFL (i.e., There Ain't No Such Thing As A free Lunch) are probably easily solved these days.
Regardless of what your password routine is it's much better to do something than to use easily guessed passwords like "password" for all your services. Brute force will eventually guess most passwords but hopefully your server will not allow that sort of attack.
I mentioned Heartbleed because most folks realize that all their passwords have been potentially compromised for the last 2 years. Consequently many are in security mode and starting to adhere to some semblance of security.
Commented:
Those passwords can be derived from popular sources, but they should be altered in such a way that is not easily guessed. Misspellings, typos and abbreviations are very good ways of doing this.
eyekancount2tin (I can count to ten)
^^are4rabbitz (Carrots are for rabbits)
daalaskin|line (the Alaskan pipe line)
u!dodatonteavee (you can't do that on tv)
If you are 1337'ing words that are found in various dictionaries, computers will crack it in short order.
3=e, 0=o, s=5|$, a=4|@, i=!|1, l=||1, g=9, B=8, c=(|[|{, t=7|+, x=*|+
That is easy for a computer to do, and even humans for that matter. Note that bruteforcing hashes is different than bruteforcing logins, like those on a web page or app. There is typically less speed when BF'ing a login as opposed to an offline attack against a hash.
Rather than hijack the article, I'll write up my own. Take aways are however that length trumps "complexity" 99% of the time, especially when you can't easily source the base the password is from. It's also why "nofatebutwhatwemake" is a good example of an easily sourced base yet is very long.
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
-rich
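To put numbers on the point made in this comment (and on the substitution list in the article itself), here is an added example; it is my code, not rich's or the article author's. It expands a dictionary word through the substitution table given above, with each letter optionally upper-cased as well, which is exactly the kind of rule a cracker applies to every wordlist entry, and then recovers a constructed target from its unsalted SHA-256 by trying those variants. The wordlist, the target and the choice of SHA-256 are assumptions for the demonstration.

```python
import hashlib
import itertools

# Substitution table from the comment above, keyed by lowercase letter.
# Letters not listed can only be left as-is or upper-cased.
LEET = {
    "e": "3", "o": "0", "s": "5$", "a": "4@", "i": "!1", "l": "|1",
    "g": "9", "b": "8", "c": "([{", "t": "7+", "x": "*+",
}


def _options(ch: str):
    """All spellings of one letter: itself, its upper case, and its leet forms."""
    return sorted({ch, ch.upper()} | set(LEET.get(ch, "")))


def leet_variants(word: str):
    """Yield every spelling of `word` reachable through the table plus case
    toggling. This is the cracker's rule; its output is tiny for any real word."""
    choices = [_options(ch) for ch in word.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def variant_count(word: str) -> int:
    """Number of candidates the rule produces for `word` (the size of the
    search space a 1337'd spelling of it hides in)."""
    n = 1
    for ch in word.lower():
        n *= len(_options(ch))
    return n


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def crack_leet(target_hash: str, wordlist):
    """Offline attack against an unsalted SHA-256: try every leet variant of
    every wordlist entry. Returns (plaintext, guesses) on success, else
    (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in leet_variants(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed target: a 1337'd spelling of a dictionary word.
    target = sha256_hex("P@55w0rd")
    wordlist = ["letmein", "password"]          # constructed two-entry wordlist
    print("search space:", sum(variant_count(w) for w in wordlist))
    print(crack_leet(target, wordlist))
```

Run it and "password" yields 3072 variants, under 12 bits of work; even with a far larger wordlist the rule multiplies each entry by a few thousand, which a hash cracker clears in well under a second. Compare that with the 100-plus bits of a 16-character random string, and length beats substitution, as the comment says.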
Author
Commented:I actually was a crypto technician in the USN and we had "random noise" that helped encrypt our signals. Even at that we only expected the cipher to be unbreakable for a length of time. Our encryption codes were only used for a day but that likely has changed since I got out of the USN a long time ago.
By the way, LastPass will also create pronounceable passwords.