paper: Basic Password Security

[DonRotolo]

Thread created automatically to discuss a document in CD-Media.

Basic Password Security by Don Rotolo

[Jeff Rodriguez]

Good topic.
You may also want to listen to episode 4 of Security Now. They discuss this same topic and coming up with a personal password policy.
Edit: They talk more in episode 5 also.

Admittedly, I use about 3 or 4 passwords for all my different accounts. I'm going to try and come up with a good password policy.

[vivek16]

brings up some good points. i personally have a weak password for all the sites that do not matter as much but i have a stronger form of it (using capitalization and numbers) for the websites like my email and stuff like that. i think i will change them.

thanks, vivek

[GaryVoshol]

The problem of having a basic password with variations based on the site, account, etc is that some sites have their own rules for passwords. It must be exactly X characters long or some other such restriction. I like the concept though - I sure have difficulty remembering all my passwords when I go to pay my monthly bills online.

[Pavan Dave]

Quote:

Originally Posted by GaryV1188

The problem of having a basic password with variations based on the site, account, etc is that some sites have their own rules for passwords. It must be exactly X characters long or some other such restriction. I like the concept though - I sure have difficulty remembering all my passwords when I go to pay my monthly bills online.

I've been using the same password since I started the internet and my father gave me my first E-mail account. Than for gaming i started using another set of passwords due to security reasons. I think now that I have quit gaming I need to mod up my regular passwords. I like the 'system' you mentioned. Its a great idea, and even if you have a 'core' word and you don't modify it between sites, at least remember there are different types of security involved with different types of sites. Although even if somebody gets your password on CD they can ruin your name, most of us might know who you are, or we have logs to check. But certain sites have strict systems of instant banning and at that, for many sites it is hard to vouch who you really are in the first place. And than don't get me started on your banks and other VERY important passwords. Those should be a class all of their own and should never be copied anywhere. That might be part of my system if I get tired of 100000 passwords: three or four levels of security requiring different types of passwords. EX: L1 - Same pass, L2 - Different but similar, L3 - Different, no link what so ever.

Also keep in mind that although it has been common for gaming and clans, there has been an exponential increase in the amount of brute force programs being created and being used, so keep that in mind next time you make your password, characters like "Æ, æ, ™ " are not usually put in those algorithms. For more information on ALT + NUM keys click here.

Peace.

[Travis Schuh]

Quote:

Originally Posted by Pavan

Also keep in mind that although it has been common for gaming and clans, there has been an exponential increase in the amount of brute force programs being created and being used, so keep that in mind next time you make your password, characters like "Æ, æ, ™ " are not usually put in those algorithms. For more information on ALT + NUM keys click here.

Thanks for the site. This opens up lots of new password opportunities, as now I can put in symbols formed by ALT + (Team number).

-Travis

[Quzarx]

I personally prefer using a md5 hash of an md5 hash of a word for my passwords. Yes, bit harder to memorize, but quite difficult to crack.
Such as, the md5 of "test"
098f6bcd4621d373cade4e832627b4f6
The md5 of that:
fb469d7ef430b0baf0cab6c436e70375

[fimmel]

Quote:

Originally Posted by Quzarx

I personally prefer using a md5 hash of an md5 hash of a word for my passwords. Yes, bit harder to memorize, but quite difficult to crack.
Such as, the md5 of "test"
098f6bcd4621d373cade4e832627b4f6
The md5 of that:
fb469d7ef430b0baf0cab6c436e70375

i may try doing that. sounds like fun memorizing hashes.

also i set up a website one time and when i went into phpmyadmin to look at the user table. the passwords were in PLAIN TEXT. that means that any admin or even a hacker that got access to that table in the database would have all of the user names, passwords, emails etc of the users. anyway i decided to not use that script for the login.

/forest

[DonRotolo]

Quote:

Originally Posted by GaryV1188

It must be exactly X characters long or some other such restriction. I like the concept though - I sure have difficulty remembering all my passwords when I go to pay my monthly bills online.

Yep, there might be some excpetions - but I never have trouble remembering any of my passwords, so far...

Quote:

Originally Posted by Pavan

even if somebody gets your password on CD they can ruin your name

Yes, and if you're dumb enough to use the same password for everything, they can do quite a bit more... Maybe not to a high school kid, but think mid-life engineer and what "ruined" might entail.

Also, with no extra effort - actually less effort than your layer system - you can use strong and unique passwords everywhere. Why not then?

Quote:

Originally Posted by Quzarx

I personally prefer using a md5 hash of an md5 hash of a word for my passwords.

You, my friend, win the Uber-geek award for today.
(Anyone who knows what he means is a runner-up)

Don

[Protronie]

I don't care how "strong" a password you use... if someone wants the info enough they will get it. There are always backdoors the industry and government agencies have embedded into your O/S.

If theres something you don't want someone to see... don't trust it to the internet or a computer thats hooked up to it.