
Strong (but Easy-to-Remember) Passwords

by DanRollins
You need passwords for many websites and you know that it's unwise to use the same password everywhere.  You have also heard that it's important to use "strong" passwords -- but they can be hard to remember.  This article describes several options that will let you use, and easily remember, a hard-to-crack password that is different for every website where you log in.
 

Background

Some network security folks go overboard when they talk to users about passwords.  For instance, we hear "It must be 14 characters long."  Oh, puleeeezzze!  Nobody is going to remember a 14-character password, let alone the dolts that you need to be talking to about passwords.

When you set an "impossible" criterion for a strong password, guess what?  The user will invariably write it on a post-it note and stick it to his monitor.  Then, when caught and reprimanded for doing that, he'll use his name and address -- something that he might not forget.

Both scenarios are much more dangerous than letting the user select a "weaker" password that meets reasonably-sound complexity policies.  

We also hear miscellaneous advice that sounds good, but is meaningless... "Never start your password with a digit -- they are much easier to crack (10 rather than 42 options)."  I don't know what cracking system that adviser is using, but I am certain that no log-in system on earth comes back with...

    "Incorrect login: Only the first character is correct."

Nope.  The cracking display where the first character cycles and then "locks in", then the second character cycles until it "locks in", while the nerdy guy says "...only five minutes until I have it..." -- that's TV-Trope fiction, like the exploding car and the details revealed by "enhancing" a telephoto blowup of a reflection in a wristwatch.
 

Stars in the Galaxy

Brute-force password cracking software must exhaustively try every combination.  It might start with the digits, but then it still needs to try the letters.  A specific combination of eight characters (letters, digits, symbols) turns up, on average, once in 96^8 random tries.  That's 1 in 7,213,895,789,838,336 (1 in 7.2 quadrillion).  If the first character is a digit, and if the software happens to start with combinations beginning with digits (why?), then it will need to try only about 750 trillion combinations (10 x 96^7).  Ahem.  Don't start with "A" either, I guess.  If "A" is weak, then "B" is almost as weak... best to always start your passwords with "Z" ... right?

Any reasonable website login system won't allow more than a few consecutive failed tries, but let's imagine a TV-Trope world where it allows the cracking software to try combination after combination and it takes half of a second to respond to each try.  That's about 114 million years to try all combinations (think: dinosaurs and fossils).  

OK... let's make it a really, really bad login system that allows a million tries per second.  It will still take over 200 years.  But BEWARE!  On average, it will need to try only half of all combinations.  So, using an 8-character password is way too risky!  Your great grandchildren are in serious danger that your password will be cracked!

One caveat belongs here, because it is the case the arithmetic above ignores: those rates assume the attacker is guessing against the live login page.  If a website is breached and its table of password hashes is stolen, there is no login page in the loop and nothing limits the rate.  Against a fast, unsalted hash such as MD5, commodity graphics cards try billions of candidates per second, and 96^8 becomes a matter of days rather than centuries.  The numbers above are sound for online guessing; they are not a reason to feel safe after a site you use has been breached.
 

Dictionary Attack!

However, password cracking software doesn't sequence through all combinations.  Instead, it knows that people use real words and names in their passwords.  So it does a "dictionary attack" in which it tries all of the words in the dictionary, then each word plus one digit, and so forth.  Then one digit plus each word, and so forth.  Then two words...

It can start with short words, so it won't need to cycle through all 200,000+ English words and common names.  Dictionary attacks do succeed -- on login systems that allow unlimited immediate retries, which are rare, and, far more often, against a stolen copy of a site's password hashes, where nothing limits the rate.  You can usually foil a dictionary attack by using "mangled" words that are not in the dictionary.
 
Note: Any cracker's standard "dictionary" includes "words" like qwerty, op[], qaz, sdfsdf, and other keyboard-location mnemonics.  It also includes common words and names in which a 3 has been substituted for an E and a 0 (zero) for an o (oh) -- so l33thax0r and s0rdph1sh will quickly fall to a dictionary attack.  Some kinds of "mangling" are not as safe as they might seem.
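To make the size comparison concrete, here is an added Python example (mine, not from the article) that puts the brute-force keyspace arithmetic from the previous section next to a toy rule-based dictionary attack of the kind described here.  The ten-word list, the leet table and the three mangling rules are constructed stand-ins for a real cracker's wordlist and rule file; the 96-character alphabet and the two online guess rates are the article's assumptions, and the offline rate of 10^10 guesses per second is an assumed figure typical of a graphics card against a fast unsalted hash.

```python
"""Search-space sizes: exhaustive brute force versus a rule-based dictionary attack.

Added example, not from the article.  WORDS and LEET are constructed stand-ins
for a cracker's wordlist and rule file; the point is the ratio between the two
spaces, which is what makes 'l33t' substitutions nearly worthless.
"""
import itertools
from typing import Iterable, Iterator, Set

PRINTABLE = 96                       # distinct characters, as in the article's arithmetic
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet: int = PRINTABLE) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def years_to_exhaust(length: int, guesses_per_second: float, alphabet: int = PRINTABLE) -> float:
    """Years to try every password of `length` at the given rate; halve it for the average hit."""
    return keyspace(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


# Constructed word list; a real dictionary ships hundreds of thousands of entries.
WORDS = ["password", "swordfish", "chocolate", "quincy", "ladygaga",
         "qwerty", "letmein", "summer", "dragon", "monkey"]

# Constructed leet table, the substitutions the article's note warns about.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet_variants(word: str) -> Iterator[str]:
    """Every way of applying the LEET table to zero or more letters of `word`."""
    choices = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def case_variants(word: str) -> Iterator[str]:
    """Three capitalisation forms a rule file would try."""
    yield word
    yield word.capitalize()
    yield word.upper()


def mangle(word: str) -> Iterator[str]:
    """Rule set: case x leet x (nothing | one digit appended | one digit prepended)."""
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            yield leeted
            for digit in "0123456789":
                yield leeted + digit
                yield digit + leeted


def rule_space(words: Iterable[str]) -> Set[str]:
    """All candidates the rule set produces from `words`."""
    return {candidate for word in words for candidate in mangle(word)}


def would_fall_to_rules(password: str, words: Iterable[str] = WORDS) -> bool:
    """True if a dictionary attack with this rule set would try `password`."""
    return password in rule_space(words)


if __name__ == "__main__":
    print(f"mangled dictionary candidates: {len(rule_space(WORDS)):,}")
    print(f"8-char brute force:            {keyspace(8):,}")
    print(f"  online, 2 guesses/s:     {years_to_exhaust(8, 2):,.0f} years")
    print(f"  online, 1e6 guesses/s:   {years_to_exhaust(8, 1e6):,.0f} years")
    print(f"  offline, 1e10 guesses/s: {years_to_exhaust(8, 1e10) * 365.25:,.1f} days")
    for pw in ("P@ssw0rd1", "Sw0rdf15h", "Mmtmtwbdlt"):
        print(pw, "-> falls to rules" if would_fall_to_rules(pw) else "-> not in rule space")
```

Running it prints a rule space of a few thousand candidates against a keyspace of 7.2 quadrillion: every leet-and-digit variant of a listed word is in the small set, while the initials of a secret sentence (the "Mmtmtwbdlt" from later in this article) are not.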

Personal Data Attack!

Who hasn't seen the TV show in which the safecracker gets the loot by using somebody's birthday or wedding anniversary as the combination?   He's smart:  He knows that people use numbers that they can remember.  

Password crackers do the same thing.  They can look up all kinds of personal information about you and try variations of your Mother's maiden name, your birthday, the street where you live, your brothers and sisters, the date of your gall bladder operation, etc.  Even so, if you mangle it sufficiently, it can be easy for you to remember, and all of that personal data will be useless to the evil-doer.  If the cracking software must try every mangled variation of every name, address, ZIP code, pet name, and restaurant that you know, it's nearly as bad off as if it had to do a brute-force (all-combinations) scan.
 

Some Good Advice from Microsoft

Microsoft advises the following when setting a password policy for access to a sensitive SQL Server database:
 
Don't use all or part of the username
(I'll add:  Don't use words that are in the dictionary)

It must be at least eight characters long

It must contain characters from at least three of these groups:
  -   Uppercase letters (A-Z)
  -   Lowercase letters (a-z)
  -   Digits (0-9)
  -   Special characters, such as #^$!.*()~ etc.
Cracking software has an easy time with long passwords if they contain dictionary words or repeated sequences.  Password length, by itself, is not a particularly good criterion: the extra characters help only when they are unpredictable.


Note:  Some sites won't let you use a too-short password.  A common requirement for banking logins is a minimum length of eight characters.  So size is important, if only to avoid the hassle of remembering special rules at some sites and not at others.
What you need to focus on is complexity.  You need a jumble of characters that do not spell anything, can't be guessed from your personal information, and is just long enough so that a brute-force attack will take too long to complete.

And it has to be easy to remember.  If you write it down, you'll need it to be handy (e.g., in your desk drawer or in a thinly-disguised disk file named "pswds.txt"), and someone can find it.  If you use the same password everywhere, then if you get scammed even once, then all of your secure logins are compromised -- that includes your on-line banking.
 

You Need a SYSTEM

What you need is a "mental algorithm" -- a versatile, repeatable, password-generating system.  You need a technique that generates different passwords for each website, but is easy to produce from memory when you need it.  

Here are three examples, some better than others, but this is really just to get you started thinking about your own system.
 

1. Secret Sentence

The Microsoft password advice page (linked under Related links below) suggests that you make up a long sentence -- or a string of words that you can remember.  Maybe something like:

     "My mother told me there would be days like this"

Now to generate the password, process that text with your "mental algorithm."  For instance, the most trivial example is to take the first letter of each word:

      Mmtmtwbdlt

To satisfy the "special characters" requirement, your algorithm might include some substitutions.  When you would normally type S, type 5 or %.  Or use 1 (one) instead of l (ell).  You could make every third character uppercase.  That sort of thing.  That Microsoft page shows several ways to add complexity to the password without adding a heap of mental strain to your often-overworked neurons.

2. Say the Secret Woid

This is similar to the last one, but instead of a sentence, choose a word or very-short phrase that you will never forget and that you can easily visualize without writing down (never write it down).  For instance: "LADYGaga!"

Now you will use only the letters of that word in your passwords, but you will put them in various, scrambled sequences.
 
   LADYGaga!
   123456789


Example: You choose the order 1,3,5,7,9,2,4,1.  So your password is the first, the third, the fifth, etc. letters of your secret word:

      LDGg!AYL

That looks like it would be hard to remember.  It is!  So with this algorithm, you write it down!  You write down the website and the sequence numbers on a post-it note and stick it on your monitor.  You can decode it, but nobody else can. (Reminder to the security-impaired:  Write down the numbers, but type-in the matching letters.  Oh, and don't write the secret-word key on the back of the paper.)

3. Cook Up a Sequence

Your base password will be a combination of some (apparently) arbitrary characters, digits, and symbols that you can remember, using your own mnemonic that you never reveal.  Here, you can use personal data to help you remember the "cooked" portion, as long as it is scrambled and sautéed enough.  

For instance, here is something I'll easily remember: My cat, Chocolate Chip, was 13 years old when we lived on Quincy Avenue.

So my "root" password is:  CC13Qy
 

Adding Salt -- Per-site Uniqueness

Algorithms #1 and #3 above describe how to generate a "base" password.  But ideally, we'd like to have a password that is different for each website where we need to log in.  Different, but also easy to remember!

One possibility is to insert something at the beginning or tack something on the end... a so-called "salt" value.  I've seen the suggestion to use the first three characters of the site's domain name.  For instance, my EE login (domain name is Experts-Exchange.com) might be:

    CC13QyExp    
...or...
    MmtmtwbdltExp

That algorithm would not protect me as much as I'd like.  It's better than using the same password everywhere, but any good hacker could recognize the pattern -- if he scammed one password from me, he'd be able to figure out others.  

Some variations I've heard include: the first few letters of the domain in reverse order; the three characters at the top, rightmost corner of the login screen; the second, fourth and last letter of the domain name; some sequence of letters directly below the password input box; etc.  

You can go pretty far with this.  Most people are quite visually oriented and when you get to the login-prompt, you'll probably be instantly reminded where you "hid the salt."  

In practice, this works quite well.  It is a secret that only you know, based on an algorithm (a set of visual cues) that only you know.  Will a hacker guess that your salt was "The last character of the domain name, plus the number of letters in the word below the password input box, plus the gender (M,F or ?) of the person pictured"?   Probably not, and anyway, the salt comes into play only if a hacker gets your base password somehow.
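Here is the whole system from methods 1 and 2 plus the salt, as an added Python example so you can see exactly what each step produces.  It is my code, not the author's.  The substitution table (s to 5, l to 1, every third character uppercased), the position rule, and the salt rule (last letter of the registrable domain name, its letter count, its second letter, split around the base) are assumed choices that illustrate the idea, and the last function scores a result against the three-of-four character-group rule from the Microsoft list above.

```python
"""A 'mental algorithm' made explicit: base password from a secret sentence
(method 1), position-picking from a secret word (method 2), a per-site salt,
and a check against the Microsoft three-of-four groups rule.

Added example, not the article's own code.  The rules below are assumed
choices; the whole point of the scheme is that your own rule never leaves
your head, so do not use these exact ones.
"""
import string
from typing import Dict, Iterable

SUBSTITUTIONS = {"s": "5", "l": "1"}     # the article's suggested swaps (assumed table)


def first_letters(sentence: str) -> str:
    """Method 1, step one: the initial letter of each word."""
    return "".join(word[0] for word in sentence.split())


def apply_rules(base: str) -> str:
    """Method 1, step two: substitute s->5 and l->1, then uppercase every third character."""
    swapped = "".join(SUBSTITUTIONS.get(ch, ch) for ch in base)
    return "".join(ch.upper() if (i + 1) % 3 == 0 else ch
                   for i, ch in enumerate(swapped))


def pick_positions(secret_word: str, order: Iterable[int]) -> str:
    """Method 2: take the 1-based positions listed in `order` from the secret word."""
    return "".join(secret_word[i - 1] for i in order)


def site_salt(domain: str) -> str:
    """Assumed salt rule: last letter of the registrable name, its letter count, its second letter.

    'experts-exchange.com' -> 'e15x' rather than the guessable 'Exp' prefix.
    """
    parts = domain.lower().split(".")
    if parts[0] == "www":                 # 'www.' is not part of the site's identity
        parts = parts[1:]
    letters = [c for c in parts[0] if c.isalpha()]
    return f"{letters[-1]}{len(letters)}{letters[1]}"


def site_password(base: str, domain: str) -> str:
    """Split the salt around the base so a leaked password does not show it as a plain suffix."""
    salt = site_salt(domain)
    return salt[0] + base + salt[1:]


def strength_report(password: str) -> Dict[str, bool]:
    """Which of the four character groups the password hits, and whether it meets 3-of-4 at length 8+."""
    groups = {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    groups["meets_3_of_4"] = sum(groups.values()) >= 3 and len(password) >= 8
    return groups


if __name__ == "__main__":
    base = apply_rules(first_letters("My mother told me there would be days like this"))
    print("method 1 base:", base, strength_report(base))
    print("method 2:", pick_positions("LADYGaga!", [1, 3, 5, 7, 9, 2, 4, 1]))
    for site in ("experts-exchange.com", "www.citibank.com"):
        print(site, "->", site_password("CC13Qy", site))
```

Two leaked site passwords are enough for someone to solve for both the base and the salt rule, which is the weakness the "Exp" suffix paragraph above describes; scrambling the salt raises the bar, but the rule is still a single secret, and the base alone ("CC13Qy") fails the length part of the Microsoft rule until the salt is added.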
 

Summary

Using strong passwords is important, both in business and in your personal life.  An easy-to-crack password could open up your bank account to various evil-doers who lurk in the dark, terrifying recesses of the venomous snake pit that is the Internet.  Be sure to scare your kids with that, because it might save them from being embarrassed on FaceBook.  And scare yourself (at least a little bit) because it also happens to be true.

But you don't need to make a password so complex and hard to remember that you find that you need to write it down.  Don't make it so long that you need to use personal data in order to remember it.  Eight characters (including a mix of character case and digits, etc.) are probably "strong" enough for nearly any purpose.  And it's not hard to come up with a "mental algorithm" that's easier to remember than the actual password.

I fully expect to take some heat (and "No" votes) from self-proclaimed security experts who will tell me I'm giving out bad advice and that everybody must use 14-character passwords for everything.  So, I'll reply in advance:  When your 85-year-old grandmother asks what she should use as her password, do you tell her,

   "Well, grammy, you should always use: %wE7*45#Bb[g^vJ"  

??? I doubt it -- she doesn't know what a circumflex is.  You need to give her a simple password that is easy for her to remember (so she won't write it down), but hard to guess and hard to crack.  And be sure to remind her not to use her grandchild's name!
 

Bold Caveat

No password-generating algorithm is perfect.  Any system that is trivially easy (say, appending ten Xs) will be easier to crack than a system that employs truly randomly-selected characters, but writing passwords down on paper or putting them in a file on your hard disk presents an actual, not imaginary or overblown, risk.  So work out a way to keep it in your head.
 
I heartily invite comments from everybody.  I'd especially like to hear of other "mental algorithms" that you have used or have advised others to use.  What works?  What does not work?

Related links:


Password Recovery Speeds
http://www.lockdown.co.uk/?pg=combi

SQL Server 2008 password Policy
http://msdn.microsoft.com/en-us/library/ms161959.aspx

Microsoft SQL Server Strong Password Requirements
http://support.microsoft.com/kb/965823

Strong Passwords
http://msdn.microsoft.com/en-us/library/ms161962.aspx
Comments
 
Expert Comment by Kevin Cross
Dan:
Repeat after me: "Ell Oh Ell!"
Classic!

I enjoyed reading this. I have participated in a good number of conversations regarding password complexity and the importance of the system in the process (i.e., two factor authentication or other measures that support users having what are perceived as "lesser" strength passwords, not 14 characters, while maintaining full security as I not only have to steal your key but your box of treats for your pitbull too.).

A CTO I know always says: changing passwords at work is "stupid"! Bank passwords don't expire, why should those for computer systems?

Every 60-90 days my strong password becomes invalid and so I have to remember a whole new one. What most users will do is as you say pick something ridiculously easy with 01...99 at the end. Oh boy! Or simply write it down.

Anyway, he made a speech a few months ago where he started off with "I use one password". Everyone was in awe. He uses some of the mental algorithms you mentioned with suffix|prefix, but he took it a step further by tiering passwords. It is a different pattern for low-level "I need to provide an e-mail and password to subscribe to this newsletter" sites than for more secure business systems, then the highest-level-of-risk accounts like bank. This protects you from the "I got your one password and now I have the keys to the kingdom." The other consequence is you can loosen the security on the bulk of sites making it easier to remember; following the Pareto principle there are probably 20% max of the credentials you maintain that represent 80% or more of your personal|business risk, so why waste your energy securing the other 80%.

In other words, if you are going to go for the 14-character unbreakable masterpiece password then do so on the absolute last thing you would want to lose and use summer10 on all your 100 other web sites that if compromised mean nothing in the scheme of your life or the world.

Anyway, nicely presented, you have my Yes vote above.

Thank you!!
Author Comment by DanRollins
Thanks,  I'm glad you liked it.

The idea of "tiered passwords" makes sense.  You go to some discussion forum and type in your "regular password." That site might record your password rather than using the normal hash-and-compare ritual.  Now you are low-hanging fruit:  The nefarious site owners only need to figure out where you do your online banking and your username at the bank.

So you took a risk by using your "regular password"  -- a small risk, but one with a huge downside (you lose your house and your retirement fund) if actualized.  Now compare the risk if you had instead used a password of "password" at that discussion forum.   Worst case scenario:  Somebody might post in that forum under your name.  That is, there was no tangible, real-world danger to using a weak (even the weakest possible) password in some situations.  But there is a risk to using the same password everywhere.
Expert Comment by Justin Durrant
Good read!
Expert Comment by Michel Plungjan
I had a card reader from my bank. I entered my physical bank pass and the ATM pin into it and it responded with a number I had to type in.
I now have a USB-connected card reader. I only need the card and my pin now.
That is secure enough for me. But yeah, one should not have an algorithm that makes the site you signed up for once to make a forum comment able to access all other sites you have ever signed up to :)
Expert Comment by aikimark
1. use non-English words and phrases.

2. always use https (secure) login pages -- I wish EE offered this

3. never use the same password for your email as you use for highly secure (financial) log-ins.

4. use a nonsensical phrase, such as Don't touch my moustache

5. Many passwords can be weak.  For instance, if you have an ID to access articles on a site, you can use a weak password, such as pwd.  Using strong passwords for all sites is not necessary.
Expert Comment by PaulHews
Good article, and useful.  I have a lot of passwords and all different, but rather than write them down, I use a password safe.  I like this open source one: http://keepass.info/  It's a well designed interface and I feel confident about the security when carrying passwords on a USB key, as long as the master password is of sufficient complexity.

I'll usually use the random generator.  But I've actually run into problems when using long passwords on some poorly coded sites.  
Author Comment by DanRollins
I thought about mentioning "password-handling software" in the article, but decided it was outside of the focus.    Another popular one is here: http://passwordsafe.sourceforge.net/ 

Of course, your web browser can also act as your "password safe"  and it is integrated into Windows so that when you boot up and log in, all of your saved passwords are instantly available.

In both situations (password handling software and browser password handling), you are vulnerable to three problems:  

1) There is one key password you must remember, and because you may need it often, you might tend to use a weak one.  That means that if somebody can access your desktop (physically or remotely), your 20-character ultra-hardened randomly-created banking passwords are really all as weak as your login password.

2) What do you do when you are away from your desk?  E.g., when you are on the road and need to check your webmail?  Your herculean password, that gets angry and turns green and easily throws humvees around for fun, is now preventing you from accessing things you need to access -- because you don't know the password itself.

3) The local password that is used to "unlock the safe" might well be more susceptible to dictionary and brute-force attacks.  The software (or Windows itself) can be bombarded with login retries, while most websites keep track of retries and foil the cracking software by inserting mandatory delays between retries.

None of these are showstoppers, but IMHO, they add up to another good reason to use a "mental algorithm" rather than a password-management tool.
Expert Comment by Justin Durrant
For those looking for an Enterprise solution for service accounts and whatnot check out www.cyberark.com. :)
Expert Comment by aikimark
Physical security is mandatory.  If someone has physical access to your system,  security flies out the window.  You might go for full disk encryption.  Maybe it would be enough to remove the hard drive and place it into a hardened and secure location.

Windows CardSpace was supposed to be a solution, but I'm not sure it has lived up to its promises.
Expert Comment by PaulHews
> There is one key password you must remember, and because you may need it often, you might tend to use a weak one.

There is always a tension between convenience and security.  If it's really convenient, it probably isn't very secure and vice versa.  I know it's a pain typing in long passwords in fields that are obscured from view... One typo and you have to start all over (after the anti-brute force delay.)  

Another drawback with my system is that there are many remote desktop systems that don't allow cut and paste.  I once got in trouble setting a long password in the web interface, and then being unable to paste it into the RD login screen, and there was something goofy with the password reset.  Just try retyping IK0wzW:^BQLaas5IYENl into an obscured password box.  :-)
Author Comment by DanRollins
So what one might do... type the complicated lengthy password into the username field so you can make sure that it is correct, then cut and paste it into the password field.   Now anyone looking over your shoulder knows your password.  And if you leave your desk for a moment, they sneak in and press Ctrl+V to capture a clear-text copy of your banking password from the clipboard.  

Everything about a complicated password seems to make it more likely to get compromised.  A simple/weak password is only vulnerable to a brute-force or dictionary attack, while a complex/strong password is vulnerable to many human-related problems.
Expert Comment by baldrick
Hurrah for this article! A victory for common sense.

Here's an amusing one: At the last couple of organisations where I've "worked", these blasted "password complexity" rules have been enforced in conjunction with a "password expiration policy". Every 30, or 42 (or whatever) days, I am forced to change my password to log on to a windows domain. The policy doesn't allow me to re-use any historical passwords, so invariably...

January's password is r1NgP1ecE#1
February's password is r1NgP1ecE#2
March's password is r1NgP1ecE#3
...
Which seems to be accepted. As soon as Microsoft add a sequence checker to "toughen up" the default password policy checker, then I'm well and truly rhubarbed and will resort to clearly marking my username and password on a post-it note attached to the monitor on general principle.

Now, here's a notion that gives me a warm tingly sensation in the underpants: Detecting integer sequences is most unlikely to happen. Most password validation routines don't compare the password you typed to a stored version of the correct password. Oh no. That would imply that there is a password file or maybe a column in a SQL table that contains unencrypted passwords. If compromised, that's the entire system security down the toilet.

So, most authentication systems store a hash of the password. Good hashing algorithms are algorithmic mincemeat machines: They convert a string like "t0iL3t1" into a numeric value (eg. 984313218). Any change to the input string, no matter how minor, will render a completely different number:
t0iL3t1 maps to 984313218
t0iL3t2 maps to 324257577
By comparing the hash of an input password to the stored hash we can determine if the input password was correct, and there is no way that any actual user's password can be coerced from the system. Great!

Consequently, historical password integrity rule checking must work by storing a history of these password hashes. Since there is no correlation between hashes and their inputs, it is impossible to determine if a sequence is being employed in the creation of passwords.

Finally, I'd like to draw everyone's attention to "Star Trek 3: The Search for Spock". If I remember rightly, the ship's auto-destruct sequence was the less-than-secure "zero zero zero zero". Khan would have paid top dollar for that information. Oh, and allegedly, the secret access code to the computer controls of the U.S. nuclear-tipped missile arsenal between 1968 and 1976 was the equally secure code "00000000" (Source: Harper's Index, http://harpers.org/index/2004/9/39 ).
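The hash-and-compare ritual and the password-history list that the comment above describes, as an added Python example (mine, not the commenter's or the article's).  It stores only salted PBKDF2 digests, checks a new password against the current and historical digests, and shows one thing the comment does not cover: at change time the server holds the new password in plaintext, so it can hash simple variants of it (here, the trailing number moved down or up by one) against the old digests and catch "r1NgP1ecE#1" followed by "r1NgP1ecE#2" without ever storing a plaintext.  The iteration count, the history depth and the neighbour rule are assumed choices.

```python
"""Salted password hashing with a hashed history and a digit-sequence check.

Added example, not from the comment thread or the article.  The server never
stores plaintext; the sequence check works because the NEW password is in
hand in plaintext at the moment it is set, so its neighbours can be hashed
against the old digests.
"""
import hashlib
import hmac
import os
import re
from typing import Iterator, List, Optional, Tuple

ITERATIONS = 50_000      # illustrative; production uses far more, or a memory-hard KDF


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """The hash-and-compare ritual: rehash with the stored salt, compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def digit_neighbours(password: str) -> Iterator[str]:
    """Variants of `password` with its trailing number moved down or up by one (assumed rule)."""
    match = re.search(r"(\d+)$", password)
    if not match:
        return
    stem, number, width = password[: match.start()], int(match.group(1)), len(match.group(1))
    for n in (number - 1, number + 1):
        if n >= 0:
            yield f"{stem}{n:0{width}d}"


class Account:
    """One user's current (salt, digest) plus a bounded history of previous pairs."""

    def __init__(self, password: str, history_size: int = 5) -> None:
        self.history: List[Tuple[bytes, bytes]] = []
        self.history_size = history_size
        self.salt, self.digest = hash_password(password)

    def login(self, password: str) -> bool:
        return verify(password, self.salt, self.digest)

    def change_password(self, new_password: str) -> str:
        """Return 'reused', 'sequence' or 'ok'; the stored hash changes only on 'ok'."""
        previous = [(self.salt, self.digest)] + self.history
        if any(verify(new_password, s, d) for s, d in previous):
            return "reused"
        # The plaintext of the new password is available right here, so its
        # neighbours can be hashed against every old digest.  Nothing is stored.
        for variant in digit_neighbours(new_password):
            if any(verify(variant, s, d) for s, d in previous):
                return "sequence"
        self.history = previous[: self.history_size]
        self.salt, self.digest = hash_password(new_password)
        return "ok"


if __name__ == "__main__":
    acct = Account("r1NgP1ecE#1")
    for attempt in ("r1NgP1ecE#1", "r1NgP1ecE#2", "t0iL3t7"):
        print(attempt, "->", acct.change_password(attempt))
```

The check costs one extra hash per variant per stored digest, which is why real systems keep the neighbour rule small and the history short; what it cannot do is detect a sequence from the digests alone, which is the part of the comment above that holds.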
Author Comment by DanRollins
As long as we are talking about StarTrek, don't forget the TNG scene
   http://www.youtube.com/watch?v=oNrWgjh9tnU
where Commander Data sets his password to:
   173467321476 Charlie 32789777643 Tango 732 Victor 731171888732476789764376
Expert Comment by aikimark
fails the Benford test. :-)
Expert Comment by Jim Dettman (Microsoft MVP/ EE MVE)
Very nice article Dan.   A couple of things I'd toss and usually advise clients to do:

Pick a topic or theme (for example, a movie title), choose the first letter of each word, toss in a special character or # at some point, and capitalize the last letter and/or the letters before any special characters or numbers.

  Sounds complicated, but after you try it a few times, it's simple to remember and always generates a very strong password.

Thanks again for another article (author of the year AGAIN?)

JimD.

Expert Comment by Rajkumar Gs
Thanks for this excellent article!

My habit is to use complicated passwords - which is good, right? But many times I have forgotten the newly changed 'complicated' password. I have already used my bank's forgot-password option twice.

Your tips are really good for keeping the complicated passwords in memory!

Thanks
Raj
Expert Comment by splait
This article is excellent!  Thank you!  I needed a way to describe these processes to my clients, and yours seems as good as I've seen.

One comment - If you use some algorithm that incorporates words on the login screen, you might be in trouble if and when the login screen changes, which happens often enough.
Author Comment by DanRollins
True.  I didn't feel great about that when I wrote it.  

So what will not change?  Probably just the top-level domain name (e.g., wachovia.com or citibank.com).  I suppose that a scrambled piece of the domain name might be a reasonably good bet.   Another possible "mental algorithm" might be to remember something about the site -- say, CASH, or BANK, or 401k... something like that; scramble it up (in a methodical way) so it's not a dictionary word and use that as the 'password salt' for that site.

Another option for the salt is to write it down, along with your ID... but write it as a hint to yourself.  For instance, write "yoga" to remind yourself that the salt is "as@n@" or "jean" to remember a salt of "246o1"
Expert Comment by splait
That's too complicated for my clients (homeowners and micro-business people).  I'll think about it and get back to you.  I've just posted 2 of 4 articles on my blog on this topic for my clients, and the third installment is about how to make each password unique from the core they create, so I have to come up with a solution anyway.

I'll let you know.
Expert Comment by tigermatt

A nice read. I already use some of the techniques discussed here, but not to the same extent. Figuring out a way to form secure passwords has frequently been a concern for me. I will definitely be refining what I do and adopting some of the other methods discussed above.

Voted "yes". Thanks for taking the time to put this together!
Expert Comment by splait
Dan -

I abandoned the five-part article I wrote.  It's just too complex for my readers/clients.  What I am going to do is post about keepass and RoboForm and tell them to  make up one super-terrific password and use the password generator to create new ones.

To speak directly to a question you asked above, both of the password managers I mentioned have the ability to run from a USB drive or on your smartphone, so portability is not really an issue.

Unfortunately, like your grandmother, most of the people I know just can't do algorithms in their heads, so they won't follow your process.
Expert Comment by Red-King
I'd like to add some food for thought to this as presented by the guy who does the xkcd web comic,

http://www.xkcd.com/936/

I had to read up on entropy
http://en.wikipedia.org/wiki/Entropy_(information_theory)

Expert Comment by Michel Plungjan
Yeah, I still remembered "correct horse battery stable" after several months ;)
Author Comment by DanRollins
A little addendum for mobile / smartphone users:

Thumbing a complex password (with a mixture of uppercase, lowercase, digits, and/or special characters) has its own set of complications: shift keys and input-mode changes.  That makes it increasingly likely to enter the password incorrectly.  And if you are standing in a crowded bus entering and re-entering your password, you increase your chances of acquiring a shoulder surfer.

If you decide to choose an all-lowercase password, then you need to increase the length.  You can shake it up a bit by adding a single mode-shift partway through; for instance jeanVALJEAN
Expert Comment by Michel Plungjan
Where is the caps lock on an iDevice ?
Author Comment by DanRollins
it is the key marked "CAPSLOCK"
Expert Comment by WaterStreet
Great article and user comments.  I frequent many non-technical sites, and it's not often I find a quality and well-written article like this.
Author Comment by DanRollins
Thank you, WaterStreet.  I enjoyed most of the decade I spent here at EE.  Were it not for the shamefully biased and ridiculously harsh treatment I received at the hands of a few power-tripping EE administrators, I might have continued contributing.
Expert Comment by Jim Dettman (Microsoft MVP/ EE MVE)
Just saw a recent joke floating around.   Picture of two older ladies sitting on a park bench with:

"You know Mildred, I love talking to my children through the computer, but I could never remember it and the computer was never very helpful.  Now it's very helpful, because I set my password to 'incorrect'.  

 So now every time I get it wrong, the computer says 'Your password is incorrect'.

Jim.
Expert Comment by Jim Horn
Excellent read.  Voted Yes.
Expert Comment by PaulHews
Saw this from Bruce Schneier and thought of Dan's article:
http://boingboing.net/2014/02/25/choosing-a-secure-password.html

Granted MD5 these days is a gift to crackers, but you know lots of places must still use it. TL;DR version, the longer, more random and less word like, the better your chances of not being in the 10% of password hashes that didn't get solved.  And if some site gets breached (like Kickstarter did a few days ago) you definitely should change your password to something secure.
Expert Comment by tomarseneault
Many folks have mentioned Password Safe from Bruce Schneier and it's great, I've used it for years, but it has one drawback. I use multiple systems, an iPad, iPhone, Windows at work, Windows at home, iMac at home, etc., but Password Safe is limited to a single system and does not run on Mac, or mobile devices (at least last time I checked). I know you can copy the database around, but they can get out of sync too easily.

I personally use a cloud based solution that runs on mobile devices, mac and windows and I think there is even a Web based version for it. I was very hesitant about using a cloud based solution, who knows how the cloud is implemented and who has access, but I did a fair amount of research on the particular solution I picked (Keeper) and did not find any negative remarks (feel free to call me out if your experience is different). It has a built in password generator, I think they all do now days, where you can choose the complexity and content of the password. So now I only need to have one password and the database is synchronized over all my devices.

I have run into a problem with some sites however, they don't accept special characters. I don't know for sure but I think this is to limit possible shell exploits. Many special characters have special meaning to various shell so that if the password is passed to the shell you may be able to cause arbitrary commands to be executed. So I limit my complexity to a-zA-Z0-9, I have tired to include "-" and "_" but some sites reject even that.

Lastly some comments on a comment by aikimark from back in 2010:
1. use non-English words and phrases.

2. always use https (secure) login pages -- I wish EE offered this

3. never use the same password for your email as you use for highly secure (financial) log-ins.

4. use a nonsensical phrase, such as Don't touch my moustache

5. Many passwords can be weak.  For instance, if you have an ID to access articles on a site, you can use a weak password, such as pwd.  Using strong passwords for all sites is not necessary.

1. Many password crackers use foreign language dictionaries, so do not use any legal words or phrases, even Klingon.

2. I wholeheartedly agree with this. I would add to always check and don't assume that the login is secure.

3. Again I agree, but as stated in the article, you should use different passwords for all your sites so this is a given.

4. Don't trust yourself to come up with a truly nonsensical phrase. The example here "Don't touch my mustache" is actually pretty well known (at least to my generation). A truly random password generator (with a password safe type solution) is best.

5. While technically true, I would not trust myself to decide what site does not need security now and forever. A site may only give me read access today, but will that always be what I require? The information I'm reading, is it always going to be "public"? While I may only require read access, does this give an attacker a foothold to post on my behalf?

The above are my opinions. They come from years of experience and some really stupid mistakes.  And as I stated above, if anyone has any differing opinion on cloud based solutions for a password safe I would really love to hear them.

Tom
0
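An added example, not code from the thread, from Keeper or from Password Safe: a small Python generator that can drop punctuation for sites that reject it (Tom's a-zA-Z0-9 case above) and that works out how many extra characters an alphanumeric password needs to keep the entropy a symbol-bearing one had, which is the "longer and more random" point in PaulHews's comment. The two alphabets and the bit arithmetic are the example's own assumptions.

```python
import math
import secrets
import string

# Two candidate alphabets. Some sites reject punctuation (as noted in the
# comment above), so every function takes the alphabet as a parameter.
ALPHANUMERIC = string.ascii_letters + string.digits       # 62 characters
WITH_SYMBOLS = ALPHANUMERIC + string.punctuation          # 94 characters


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This only holds for generator output. A human-chosen phrase carries far
    fewer bits than its length suggests, which is why dictionary attacks work.
    """
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length at which the given alphabet reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(length: int, alphabet: str = WITH_SYMBOLS) -> str:
    """Draw each character from the OS CSPRNG via secrets, never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fits_policy(password: str, alphabet: str) -> bool:
    """True if every character is one the site is known to accept."""
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    # How much does dropping symbols cost, and how much length buys it back?
    full = entropy_bits(len(WITH_SYMBOLS), 12)
    needed = length_for_bits(len(ALPHANUMERIC), full)
    print(f"12 chars with symbols: {full:.1f} bits")
    print(f"alphanumeric only needs {needed} chars to match that")
    print(generate(needed, ALPHANUMERIC))
```

Two extra alphanumeric characters more than make up for the symbols a site refuses; the site's character policy costs you nothing if the generator, not your memory, supplies the length.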
 
LVL 75

Expert Comment

by:Michel Plungjan
0
 
LVL 38

Expert Comment

by:PaulHews
Nowadays I use KeePass + Google drive. There is an Android client, so I have access on my phone.
0