Increase your password security

Discussion in 'Computer Security' started by JK2447, Jul 15, 2009.

  1. BosonMichael
    A dictionary attack IS a brute force attack. Adding substitution variations really *doesn't* increase security. Dictionary attacks take relatively little time... adding in a variation where e's are 3's only makes it take twice as long. Considering the increases in processor ability, this becomes easier and easier to hack over time.

    Yes, it's MORE secure... but that doesn't mean it's secure.

    Keep in mind that I was a codebreaker 20 years ago... ;)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  2. JK2447
    A great philosophy to have, thanks :D
     
    Certifications: VCP4, 5, 6, 6.5, 6.7, 7, 8, VCAP DCV Design, VMConAWS Skill, Google Cloud Digital Leader, BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, CCA (XenApp6.5), MCSA 2012, VSP, VTSP
    WIP: Google Cloud Certs
  3. BosonMichael
    More on long pass phrases vs. complex passwords, from Microsoft (bolding added for emphasis):

    Certainly longer is better... but it's just as important to intelligently create those passwords. Use what you will... I simply give the warning that a long passphrase, with or without leetspeak, isn't necessarily the answer.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  4. dazza786
    Yeah, sorry, I thought I typed progressive

    morse code guru :p:p:p
     
    Certifications: MCP (271, 272, 270, 290, 291, 621, 681, 685), MCDST, MCTS, MCITP, MCSA, Security+, CCA(XA6.5)
  5. BosonMichael
    Actually, I wanted to learn it, but never did. I worked mostly with the voice intercept guys, not the "ditty-bops" (Morse intercept guys). My job involved frequency pattern cracking and codebreaking/cryptanalysis.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. Spice_Weasel
    And keep in mind strong passwords are almost useless if the password recovery mechanism requires only access to your email account, or knowing your mother's maiden name.

    While I agree with BM that passphrases have lower entropy per character, and poor passphrases are weak, it should be noted that the quote above from Microsoft is in some ways not very realistic, as the analysis is based on a passphrase with a basic 300 word dictionary. With a realistic vocabulary passphrases work very well and will be harder to brute force than an 8 character string.

    As a little experiment I once had some techs at the office compose random strings for passwords. I then generated some (pseudo)random strings by computer, and mixed them together in a list. When we looked at the list it was obvious which strings were made by people. The point being that people are very poor at creating "random" strings, and brute force attacks will be optimized to take advantage of that.

    Passphrases have the benefit of being easier to remember, and avoid the repeat pattern effect. Password amplifiers are also a possible solution, but every password scheme has drawbacks.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
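The two posts above disagree about numbers, so here is a small keyspace calculator that makes the arithmetic explicit. It is an added example written for this thread, not code posted by either member, and every figure in it (the leetspeak substitution table, the 300-word versus 100,000-word vocabularies, the guess rate) is a constructed assumption used for illustration. It shows three things: that a substitution rule only multiplies the work per dictionary word by a small constant, that a four-word phrase drawn from a 300-word list is weaker than eight random printable characters, and that the same phrase drawn from a realistic vocabulary is stronger.

```python
import math

# Constructed substitution table: each plain character may be left alone or
# swapped for any of the listed alternatives. Not a real attack wordlist.
LEET_SUBS = {"a": "@4", "e": "3", "s": "5$", "o": "0", "i": "1!"}


def leet_variants(word, subs=LEET_SUBS):
    """How many distinct spellings one word expands to under a substitution table.

    Each substitutable character contributes (1 + number of alternatives),
    so a single rule such as e -> 3 doubles the count once per 'e' in the word.
    """
    count = 1
    for ch in word:
        count *= 1 + len(subs.get(ch, ""))
    return count


def dictionary_keyspace_bits(words, subs=LEET_SUBS):
    """log2 of the total number of candidates in a wordlist with substitutions."""
    total = sum(leet_variants(w, subs) for w in words)
    return math.log2(total)


def random_string_bits(alphabet_size, length):
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(vocab_size, word_count):
    """Entropy of a phrase of independently chosen words from a vocabulary."""
    return word_count * math.log2(vocab_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a constructed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_schemes():
    """Bits of entropy for the schemes discussed in the thread (assumed sizes)."""
    return {
        # 95 printable ASCII characters, 8 of them chosen uniformly at random
        "random_8_printable": random_string_bits(95, 8),
        # four words from the small 300-word list the quoted analysis assumed
        "phrase_4_words_300_vocab": passphrase_bits(300, 4),
        # four words from a realistic 100,000-word vocabulary
        "phrase_4_words_100k_vocab": passphrase_bits(100_000, 4),
    }


if __name__ == "__main__":
    print("variants of 'password':", leet_variants("password"))
    for name, bits in compare_schemes().items():
        # 1e9 guesses/s is a constructed round number, not a measured rate
        print(f"{name}: {bits:.1f} bits, {years_to_exhaust(bits, 1e9):.2g} years at 1e9/s")
```

The only subtlety is that `passphrase_bits` assumes each word is chosen uniformly and independently, which a human picking a memorable sentence does not do; the real figure is lower, which is exactly the "poor at random" point made above.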
  7. Sparky
    How about the old classic p@55w0rd? Nice and secure, no really! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  8. greenbrucelee
    I have my system set to maximum security if only it would destroy the people who may attempt to hack into it.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  9. JK2447
    Oh mate don't tempt the naughty kids :lol:
     
    Certifications: VCP4, 5, 6, 6.5, 6.7, 7, 8, VCAP DCV Design, VMConAWS Skill, Google Cloud Digital Leader, BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, CCA (XenApp6.5), MCSA 2012, VSP, VTSP
    WIP: Google Cloud Certs
  10. greenbrucelee
    ha ha, I would trace any attempt on me any how then I'd get the old baseball bat out and pay them a visit :D
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  11. BosonMichael
    Simply trying to illustrate that any word can be dictionaried... even strings of words and/or leetspeaked translations. As long as I've helped people to realize what is and isn't secure, then my mission is complete, regardless of which method is chosen. :)

    Personally, I'm a fan of acronymized pass phrases, provided they're at least 8 characters in length.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  12. Arroryn
    Don't forget the oft-underestimated hacking method of shoulder-surfing too.

    Your 15 character, alpha-numerical symbol-blattered beauty of a password may be fantastically secure if you're typing it in the lonesomeness of your own home, study or whatever.

    But if you use that password at work, on a laptop in public, or in any other scenario where sneaky peeps are about, you'd better as damned make sure you can type that password confidently and quickly, otherwise someone will just watch exactly what you type, and then who cares how mixed up the characters are?

    I personally (now) rotate around a whole bunch of book characters (not my own, I might add!) interspersing names with symbols and numbers. Hopefully secure, but I do rotate the passwords and numbers / symbols around. Especially at work!
     
    Certifications: A+, N+, MCDST, 70-410, 70-411
    WIP: Modern Languages BA
  13. Spice_Weasel
    Agreed, too many people think "p455w0rd" must be more secure than "password".

    Me too - I find acronymized pass phrase passwords a good compromise, easy to remember, and not as susceptible to attack as a short pass phrase. Full (long) pass phrases I usually use for something like a TrueCrypt volume on a laptop.

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE