Double Shot Of Doakes:

Joe Doakes from Como Park emails:

New password standards going into effect on January 1st, no fewer than 8 characters, no more than 16, must contain numbers and special characters. Can’t be anything easy or memorable or significant to me, and can’t be written down.

In other words, my log-on password must be a complex string of gibberish that changes every month. So how am I going to remember it?

I’m guessing asdfjkl; isn’t going to cut it. How about “ihatepasswordsecurity”? Oops, forgot the 1. And the special character @.

All this to protect me from logging into my assigned computer in my own office, to access public data on a public server.

The terrorists have won.

Joe Doakes

If we could get the world’s hackers and spammers to target the terrorists, the war would be over pronto.

19 thoughts on “Double Shot Of Doakes:”

  1. Joe;

    For those long password requirements, try using a sentence, including spaces. Substitute a capital S with a $ sign or a capital I with an !, etc.

  2. “no fewer than 8 characters, no more than 16, must contain numbers and special characters.”

    Classic state of the art, 1994.

    does any current network security analyst really believe that there aren’t hash code dictionaries with every possibility for all permutations up to 32 characters already in existence for brute force attacks? Or that algorithmic brute force dictionaries aren’t in widespread use (examples: “!J4nu4ry-2015”, “?R4m5eyC0-012015” etc)?

    Minimum password length should be 128 (256 is better) characters; then easily memorable phrases like:
    “fear no more the heat o’ the sun, nor the furious winter’s rages -022015!”
    could be used/reused.
    You could stick a Post-it on your monitor that said “Cymbeline:IV:2” and let some moron security dufus try to figure out your password.
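The rule-based guessing that comment 2 describes, as an added example that is not part of the thread: a toy cracker that takes each wordlist entry, applies case changes, leet substitutions, prefixes and date suffixes, and hashes every candidate. The wordlist, rule set, target passwords and the use of unsalted SHA-256 as a stand-in for the server's hash are all constructed here; the special-character set used by the policy check is an assumption, since the post only says “special characters”.

```python
"""Constructed demo: mangling-rule guessing against human-chosen passwords.

Not from the original post. Targets, wordlist and rule set are made up here;
real crackers use far larger wordlists and rule files.
"""
import hashlib
import itertools
import math

# Policy quoted in the post: 8 to 16 characters, at least one digit and one
# special character. The special-character set is an assumption.
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?`~ ")


def meets_policy(pw: str) -> bool:
    """True when pw satisfies the quoted 8-16 character policy."""
    return (8 <= len(pw) <= 16
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


# Toy mangling rules of the kind password crackers apply to each wordlist
# entry: case changes, leet substitutions, common prefixes and date suffixes.
LEET = str.maketrans("aeios", "43105")
PREFIXES = ["", "!", "?", "@"]
SUFFIXES = ["", "1", "!", "1@", "2015", "-2015", "-012015", "01-15"]

# Constructed wordlist; a real one holds millions of words and quotations.
WORDLIST = ["password", "january", "ramsey", "shakespeare",
            "ihatepasswordsecurity"]


def mangle(word: str):
    """Yield every candidate the rule set derives from one wordlist entry."""
    bases = set()
    for form in (word.lower(), word.capitalize(), word.upper()):
        bases.add(form)
        bases.add(form.translate(LEET))
    for base, pre, suf in itertools.product(sorted(bases), PREFIXES, SUFFIXES):
        yield pre + base + suf


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256, standing in for whatever hash the server stores."""
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hashes, wordlist):
    """Return ({hash: plaintext} for every target reached, candidates tried)."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            h = sha256_hex(cand)
            if h in remaining:
                found[h] = cand
                remaining.discard(h)
    return found, tried


def keyspace_bits(length: int, alphabet: int = 95) -> float:
    """log2 of the full keyspace for `length` chars over `alphabet` symbols
    (95 = printable ASCII); an upper bound the rule engine never approaches."""
    return length * math.log2(alphabet)


def demo():
    """Hash three constructed passwords and run the rule engine over them."""
    targets = {
        "rules": "!J4nu4ry-2015",                        # comment 2's example
        "joe": "Ihatepasswordsecurity1@",                # Joe's idea, completed
        "phrase": "fear no more the heat o' the sun, nor the furious "
                  "winter's rages -022015!",             # comment 2's phrase
    }
    hashes = {sha256_hex(p): name for name, p in targets.items()}
    found, tried = crack(hashes, WORDLIST)
    return {
        "tried": tried,
        "cracked": sorted(hashes[h] for h in found),
        "policy_ok": {name: meets_policy(p) for name, p in targets.items()},
        "keyspace_bits_16": round(keyspace_bits(16)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it, the 800 candidates derived from five words recover both “!J4nu4ry-2015” and “Ihatepasswordsecurity1@”, while the full 16-character keyspace the policy nominally allows is about 2^105: the policy's own maximum is not what gets people cracked, their choosing from a tiny, rule-reachable subset is. Note the two caveats a practitioner should carry away: the policy in the post rejects the long phrase outright (it exceeds 16 characters), and the phrase survives here only because the toy wordlist lacks it; a famous line of Shakespeare is exactly what quotation wordlists contain, so length helps only when the words are also unpredictable.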

  3. Take the Ignatius Donnelly approach – assume all of Shakespeare is a network of complex anagrams and use them for passwords.

    “Twtoantt@01-15” = 1st char of the 1st 10 lines of Hamlet’s “To Be” speech followed by the month and year

  4. The problem with schemes like Joe describes is that people will write the password down. Sys admins know this, but it moves the responsibility for security flaws from sys admins (bad policy) to users (he was told not to write it down!). We live in Dilbert world.

  5. If you have a lot of passwords to manage at multiple sites, something like open source KeePass (and its spawn IKeePass and KeePassDroid) can come in very handy. Just don’t let the security droogs know about it or they’ll wet themselves.

  6. I think my most secure password is my gmail password. It’s the first few words of a song, 28 characters long. After I changed it, I thought “maybe I should have used the second phrase of the song instead.” Oh well.

    And I was also thinking of putting up the same link Cesaire did.

  7. Isn’t a big part of password hacking having something worth hacking?
    When the Democrats group-hacked Sarah Palin’s private e-mail, I thought, c’mon Palin – you know these a-holes are out to get you. Have something more secure (although her e-mail provider didn’t help by having security questions a few Google searches could answer and unlimited sign-in attempts) than what some Democrat operative can spend a little time guessing. On the other hand, most low-profile people (which is most people) need nothing more than something they can remember easily that is fairly obscure like Bill C’s words of a song (byebyemissamericanpiedrovemy – eh Bill?).
    Our IT director told us that until he put a ban on it, many in our company were using “password” as their password for years without any trouble.

  8. Kel, I use KeePass, but only for my secure sites (banking, etc). I let KeePass generate essentially line noise for those. I put the lies I use for recovery questions in the notes box (what, you think I’d use my actual mother’s maiden name and not something from history? [to boot, it’s an American Indian name I’m related to, and it’s well nigh impossible to spell the same way twice even if you know it, and you don’t because it’s not well known]). And for banking I use an encrypted USB key fob Linux distro to boot from. Mobile banking? Hell no!

    For general use sites, I like LastPass. I don’t trust them with my banking sites, but for places like shotinthedark.info it works just fine and being cloud based it follows me from browser to browser. I like the password audits and the password generator works just fine. It seems to work better for me than the KeePass plugins, although I keep the LastPass password in KeePass.

    My gmail password is 26 characters of non-sense non-words that mean nothing to anyone else besides a half dozen friends from 20 years ago, and uses 2 factor authentication. I haven’t changed it in years and don’t see the need to since that password isn’t used anywhere else. If Google goes lots of stuff becomes harder, but so far Google has been pretty security pro-active.

    I’m a low-probability target, but it’s more like the campers and the bear: I don’t have to be faster than the bear, just faster than you. If I can make my on-line passwords harder to crack than yours, then when the data breach becomes known they’ll have cracked yours before mine and I’ll have time to recover.

    So wait, I shouldn’t be telling you guys this. Just forget you saw it, ‘kay?

  9. Bill C
    Same idea. When I can use more than 12-16 characters for a password I use a line of an Emily Dickinson poem. Because she didn’t title her poems they are numbered by the Amherst College Trustees (and there are 1800 of them), so I can post the number in plain sight, i.e. 479, which tells me line one of poem 479 (“Because I could not stop for Death –”). 479-3 tells me line 3 of the same poem (“The Carriage held but just Ourselves –”). It’s worked for me for over a decade.

  10. nerdbert
    2 things:
    I have one box at home that never touches the internet (no built-in wifi, ethernet port filled with epoxy, only working USB port is inside the box). The drives and boot sectors are all encrypted with TrueCrypt. This is where I keep my master copy of KeePass.

    I use the mobile USB/thumbdrive version of KeePass like a dongle for my day to day access to outward facing systems and/or on any client machines/systems.

    ” I put the lies I use for recovery questions in the notes box”
    yeah I do the same

  11. All security is a compromise. A physical object (like a key card) + a password is standard in a lot of applications. Biometrics is interesting, but not ready for prime time when used alone. Thumbprint readers are easy to hack. Retinal scan is supposed to be the best, but people don’t like to stick their head into a box and have lasers shot into their eyes.

  12. Joe:

    I thought because of the NSA the terrorists of the world have learned that they had to avoid computers let alone facebook, and a few other electronic methods of communication.

    Walter Hanson
    Minneapolis, MN

  13. I use a combination of Emery’s social security number and his children’s names.
    His security is for shit.

  14. “Privacy” is a vestige of 19th century white male patriarchy. It doesn’t exist any more, and it shouldn’t exist anymore. Get over it. (>sarc<)

  15. Sef: “Password” is the most commonly used word for a password in the country. People are just too lazy to think up something different.

    The new IT Director at a company that I worked for in 2004–05 implemented Microsoft’s password recommendation. A couple of days into that policy, I suggested that he take a walk through any department so that he could see that his new security policy was for shit. Over 80% of the workstations had a sticky note with that user’s login ID and passwords written on them and stuck to the front of their monitors. Some of the more “clever” users at least stuck them on the least visible side of the monitor. 🙂

  16. Sef: essentially, yes, but different song 😉

    I’m not sure how smart the dictionary things they use are, but one of the words in mine is spelled incorrectly because the pronunciation is spelled incorrectly in the song. Like the Muppet Movie (1977) song “Movin’ Right Along”. No g at the end of ing.

  17. “I use a combination of Emery’s social security number and his children’s names.”
    Heh!
