Password generators

Joined
May 7, 2007
Messages
1,818
Location
Canadian Prairies
Some unfortunate events recently to family involving online fraud have triggered me to start changing all my passwords more frequently.
I know the first and most effective logic of choosing passwords is to avoid: actual words, dates, and short strings. Obviously, expanding the number of combinations is the most foolproof (upper and lower case, numerical, alpha, punctuation, and random). But it gets to a point where one has to actually carry a hardcopy list of passwords and keep updating it constantly, which I think poses a greater risk by losing that list and/or/along_with a portable device. Plus keying in passwords while reading the list, changing case and pecking around for punctuation etc. is lame. I noticed that I tend to favor some keys and combinations even when I attempt to make them random.
What are y'all thoughts about passwords?
 
Joined
Dec 26, 2010
Messages
5,725
Location
Annapolis
Some unfortunate events recently to family involving online fraud have triggered me to start changing all my passwords more frequently.
I know the first and most effective logic of choosing passwords is to avoid: actual words, dates, and short strings. Obviously, expanding the number of combinations is the most foolproof (upper and lower case, numerical, alpha, punctuation, and random). But it gets to a point where one has to actually carry a hardcopy list of passwords and keep updating it constantly, which I think poses a greater risk by losing that list and/or/along_with a portable device. Plus keying in passwords while reading the list, changing case and pecking around for punctuation etc. is lame. I noticed that I tend to favor some keys and combinations even when I attempt to make them random.
What are y'all thoughts about passwords?


It's all a crock of crap, just pick simple passwords that you can remember. The issue is you can generate highly secure passwords that you will have to write down, which destroys security. Had the same simple passwords with an ISP I had since 1999 and was never compromised.

If you want to be really anal about passwords just download an MD5 generator. Google it and you will see many to choose from.

What is compromising your security is not using SSL when checking e-mail.
 
Joined
Aug 12, 2005
Messages
2,228
Location
Broussard, LA, USA
Besides, using punctuation marks is what REALLY complicates and multiplies the possible password combinations. A tilde or a plus sign, comma or a dollar sign and a number or three added to your password makes it a few million times harder to figure out. However, you are probably compromised somewhere else, like Kingfisher said.
 

Rob Zijlstra

A Koffie Drinker
Joined
Nov 5, 2008
Messages
999
Location
Netherlands
I strongly disagree with the notion you could use some simple password. The problem is of course how to get a strong one without the need to write it down.
One solution is simple; titfdotrml_19082060 is probably not good, but can serve as an example:
it is just the first letters of the phrase 'This Is The First Day Of The Rest Of My Life' followed by an underscore and your birthday + 100 years. Schemes like this are simple to remember. You then should add the website itself to prevent the same pw everywhere. So for the Nikon Cafe it could be titfdotrml_19082060_NC etc etc.

I use 'something' like this for every site that I must register on. Of course for real important sites (banking!) you should do something more complicated, but as long as you can easily remember how you construct the pw, it's really quite simple.

And if you don't think it's important, imagine your whole private life and your banking accounts visible to everyone...
 

Rob Zijlstra

A Koffie Drinker
Joined
Nov 5, 2008
Messages
999
Location
Netherlands
Tom,
We used the RSA SecurID which generates a 'new' pw every 30 seconds or so for logging into company website. What's your opinion about such a scheme?
 
Joined
Feb 7, 2005
Messages
1,027
Location
Annandale, VA
When I worked for the government we were required to change our passwords regularly. Unfortunately with several systems I had to keep track of several passwords. I used the London Tube system map to work from. I took the blue line starting with Heathrow and used each succeeding stop whenever I needed a new password. You couldn't use a lot of words outright and needed other symbols but that wasn't difficult to adapt. I used different lines for other applications. Pick a map of a town or a bus/transit system and work your way down a route. This way you don't need to write anything down. You could store the map in with a box full and have ready access to it. It worked for ten years. :biggrin:

Now I use 1Password. I use it to generate different random strings for every web site I visit. It uses a single master password and syncs between all my computers and tablets/smartphone through Dropbox. You can have it generate very long strings. I'm not saying it's as secure a system as the one Tom describes, but I would argue there isn't much need for that extreme a system for personal family security. My need is for safeguarding our family's personal and financial information. Only one password is necessary for someone like my spouse or an executor in the case of both our deaths to gain access to data on our computers. Our family attorney can retain possession of the master password and release it should it be necessary.
 
Joined
May 27, 2006
Messages
7,412
Location
Greater Yellowstone Ecosystem
Ahem.....

password_strength.png


http://xkcd.com/936/
 

Growltiger

Administrator
Joined
Apr 26, 2008
Messages
13,615
Location
Up in the hills, Gloucestershire, UK
Tom - The problem with such good security is that it is then easier to kidnap you and torture you to reveal the information than it is to crack it. So it might be better to be less secure so you stay alive.
 
Joined
Dec 26, 2010
Messages
5,725
Location
Annapolis
Tom,
We used the RSA SecurID which generates a 'new' pw every 30 seconds or so for logging into company website. What's your opinion about such a scheme?

The wife had one of those with a laptop given to her by the government. Between the rotating seed and encrypted hard drive the laptop was all but unusable. Took 20+ minutes to boot up providing you were able to enter your password in the first three minutes, then it gets locked. Of course one can use the other 15 minutes for a coffee break while leaving the laptop unattended which really does wonders for security. :rolleyes:
 
Joined
May 27, 2013
Messages
3,189
Location
Cornpatch
The ability to crack a password depends a lot on the software that's written to accept it.

If there's no limit (both time and number of attempts) to how many tries are available, then simple brute force will easily crack ANY password. However, if you only get so many tries before you must wait a certain time before entering again, then that makes a simple password far more difficult to crack.

So a simple password of hello may be much more difficult to hack if you only get 3 tries per 15 minutes, while 3jf9g~Rr19f_()Y1 could be hacked within a couple hours.
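
An added example, not part of any post in this thread: it generates passwords with the operating system's CSPRNG (which avoids the "favored keys" bias the opening post mentions) and compares how long an exhaustive search takes under the 3-tries-per-15-minutes throttle described above versus with no throttle at all. The offline guess rate, the mini word list and the 2048-word list size are assumptions made for the illustration.

```python
import math
import secrets
import string

# 94 printable symbols: upper/lower case letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list for the demo; real passphrase lists hold thousands of words.
WORDS = ["correct", "horse", "battery", "staple", "tube", "map", "coffee", "prairie"]

def generate_password(length=16):
    """Draw every character uniformly from the OS CSPRNG, so no key is favoured."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def generate_passphrase(n_words=4, words=WORDS):
    """Draw words uniformly and independently, in the style of xkcd 936."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

# The throttle from the post above: 3 tries per 15 minutes.
ONLINE_RATE = 3 / (15 * 60)
# Assumption: guess rate when a leaked hash database is attacked offline (no lockout).
OFFLINE_RATE = 1e10

def compare(label, bits):
    return (label, round(bits, 1),
            years_to_exhaust(bits, ONLINE_RATE),
            years_to_exhaust(bits, OFFLINE_RATE))

if __name__ == "__main__":
    print(generate_password(), "|", generate_passphrase())
    rows = [
        compare("5 random lowercase letters", entropy_bits(26, 5)),
        compare("16 random chars from 94", entropy_bits(94, 16)),
        compare("4 words from a 2048-word list", entropy_bits(2048, 4)),
    ]
    for label, bits, online, offline in rows:
        print(f"{label:32} {bits:6} bits  online {online:.3g} y  offline {offline:.3g} y")
```

The figures only hold for strings chosen uniformly at random; a dictionary word sits near the top of any guessing list, so its real resistance is far lower than its length suggests.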
 
Joined
Dec 26, 2010
Messages
5,725
Location
Annapolis
I strongly disagree with the notion you could use some simple password. The problem is of course how to get a strong one without the need to write it down.

Why? Most incursions are a result of being sniffed over the network or on your computer at work because your IT department is watching your screen and every move you make with programs like WinVNC. Putting in a 40 digit password will give you the same results as one that is 6 characters. The password isn't the problem, it is the interface between the keyboard and chair.
 
Joined
Feb 7, 2005
Messages
1,027
Location
Annandale, VA
Rich,
exactly, but the vulnerability of using a password safe is only as secure as the master password is. Ironically the secure issue still exists - but now in a different environment.
In German this situation is described "Extort the devil with the Beelzebub".


saludos redondos
tom

The original issue is:

Some unfortunate events recently to family involving online fraud have triggered me to start changing all my passwords more frequently.
..not a discussion of the theory of statistical probabilities of password detection....hitting a fly with a sledge hammer. The user needs a practical scheme for changing passwords more often. I believe a password safe, as you call it, provides a more reasonable solution to the problem. Clearly an insufficiently simple master password invalidates the whole idea. No one was suggesting this.
 
Joined
Jul 28, 2012
Messages
325
Location
Melbourne, Australia
Interesting conversation to which I don't think there is a definitive correct answer.

To me the first question about how secure a password needs to be would be to consider what you are trying to protect. I go to far greater lengths to protect my banking passwords than I do my password to this forum for example.

Next is the question of the other half of the key... a password alone gets you nowhere - you normally need a username as well. In the case of a forum, that is obviously public, but again using my online banking, I'm careful to keep the username as private as possible (Don't save it in your browser.)

Rob Zijlstra mentions a very effective way of creating more complex passwords that are not too hard to remember, but I would highly recommend in addition to this using different phrases for every site that you share usernames (Which security wise is a bad habit that most of us do.) I use something similar, and the result is a password system that is easy for me to remember and unique to every site I use it on. [Sites that need extra strong security like my online banking get treated with their own unique system.]

tomTom is technically 100% correct about how easily passwords can be cracked nowadays if the attacker has the skills and wants to invest the time, that's exactly why I think it depends what you are protecting as to how seriously you need to approach this. Unlikely someone is going to set up to attack my 14+ character complex password to get access to my forum details. :wink: - and if they did - what have I really lost?

Password safes are an interesting one, as Tom again points out, they do have the down side of all your eggs in one basket - they obviously need to have their own VERY secure password, changed regularly.

However they do have an upside I have not seen mentioned here. They are nice protection against key-logger programs. In most cases when you use a password safe, you copy and paste passwords into sites. As a result a key-logger will only see a copy paste action and not the actual password.

Lastly, the weakest point in most IT security systems is the user... In many cases of online fraud, the problem is caused either by the user responding to a phishing email or by allowing their machine to be compromised by some sort of malware. Healthy skepticism of email and good system housekeeping will protect you as much as anything...
 
Joined
May 12, 2006
Messages
2,288
Location
Edmonton, Alberta
I seem to recall recently a well known tech savvy/IT guru internet blogger (whose name escapes me) was hacked not long ago. (it was on 20/20 or similar) He had used the multi digit, symbol - bla bla bla password set up. He was hacked simply by someone phoning the operator - say ebay, and was able to get the email for that acct changed over the phone and then from there was able to generate a new password. (I am not saying Ebay was the company just using the name for example) Anyway, what was supposed to be very good security practices was easily undone and it happened with more than one company/website.

It always comes back to - if you don't want it out there - then don't do it on the net.
 
Joined
May 27, 2006
Messages
7,412
Location
Greater Yellowstone Ecosystem
I seem to recall recently a well known tech savvy/IT guru internet blogger (whose name escapes me) was hacked not long ago. (it was on 20/20 or similar) He had used the multi digit, symbol - bla bla bla password set up. He was hacked simply by someone phoning the operator - say ebay, and was able to get the email for that acct changed over the phone and then from there was able to generate a new password. (I am not saying Ebay was the company just using the name for example) Anyway, what was supposed to be very good security practices was easily undone and it happened with more than one company/website.

It always comes back to - if you don't want it out there - then don't do it on the net.

This guy, right?

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Sean
 
Joined
Dec 26, 2010
Messages
5,725
Location
Annapolis
It always comes back to - if you don't want it out there - then don't do it on the net.

Thank you!

Always use your computer like you are being watched, because you most likely are. If it is connected to the net you no longer have privacy. Funny how people voluntarily flush their privacy on Facebook and other social media sites and wonder why they are the victim.
 
Joined
Apr 12, 2006
Messages
12,206
Location
Central Georgia, USA
What is wrong with a familiar line from a book you like, with spaces caps and numbers. While I do not understand what Tom has outlined, I do my best for my banking with a 19 character/space /cap code. It is very easy for me to remember, and my folder for banking has a simple 2 character reminder in the name of the institution. I guess if they want it, they will get it one way or another..
 
