
Warning About Your Choice of Online Password Selection

rhinefire

Just saw a piece on your password choice from a professional hacker, now owner of his own security company, who has testified before Congress. Never use your mother's maiden name.
 

Who uses simple stuff like that anymore?
 
You should not use anything in your password, or in challenge questions for sites that support them, that is identifiable to you through social media, standard internet searching, website biographies (for work), posted resumes, etc.

And your password itself should not contain any words or names that can be found in a dictionary. For example... 'selection' should be '$el#CTi0n'... or, 'debate' should be '&eB@tE'

This is basic stuff these days given how passwords are obtained by hackers, and talk of dictionary or keyword attacks on encrypted password storage is nothing new.
 
And your password has to be secure, i.e., not that easy to remember, and it has to be different for every site: one for email 1, another for email 2, one for the bank, one for each and every online retailer you use. You need at least a dozen or so passwords, and to remember which one goes where.

Oh, and if you do remember your password, then what's your user name? Is it your email address? Is it your real name? Is it a name you've made up?

"Your user name and or password is incorrect. Please try again"

Oh, and you can't see the letters you're typing when attempting to enter the password. That would be too easy.

There must be a better way. Thumbprint scanner? Retinal scanner? The ability to reach through the screen and conk the hacker on the noggin?
 
Hackers don't use dictionaries in brute-force queries. Why would they? Not everyone speaks English, and the special characters would easily defeat you. It's just not a smart way to do it. Instead, for hacks like that, you'd input all characters available into a generator, including &@$*, abcde, 1234 and foreign-language characters, and start chipping away.

That's why changing debate to &eb@te doesn't help one iota. Computers don't speak English. To them the symbol & means exactly the same thing as D, 3 or ú. They're all meaningless squiggly symbols.

Thus the best passwords are passwords that are long. Ones that have 15+ characters. The character selection doesn't matter one bit ... @$!#, 1234, abcde or even Chinese characters. All that matters is that you have it as long as you can possibly remember.

"Horseyjohnnyice1pop" is a far stronger password than "$eb@te".

Here's an xkcd about it ... https://xkcd.com/936/
 


Fundamentally I agree: longer passwords are stronger than shorter passwords; that is a given.

However, mathematically speaking, the inclusion of lower case, upper case, digits and special characters does increase the difficulty of even the brute-force method of password cracking.

Take your word "debate".

Taking only a lower-case password, there are 26 possible characters per position, which means 11,881,376 possible combinations (26*26*26*26*26*26).

Using lower case, upper case, digits and special characters, that number increases. There are 33 special characters available, but some systems do not support them all. Oracle supports 20, so let's use that lower number. That means each position could consist of 26+26+10+20, or 82, characters per position. If you require at least 1 upper case, 1 lower case, 1 digit, and 1 special character, some think that reduces the number of permutations, but that is incorrect as long as there is no requirement for that definition to apply to a specific location and all characters can be used in any position. So you have 82*82*82*82*82*82 = 304,006,671,424.

For a password of a given length, the inclusion of mixed case, numbers, and characters does increase the difficulty of cracking that password. Longer passwords are much better than shorter ones, though: using the same 82 characters per position and increasing the length to 12 characters results in 92,420,056,270,299,898,187,776 permutations.


I'm in my mid-50s and my password usage has - well - evolved over the years.

At first it was a Word document, then an Excel file. I upgraded that to a password-protected Excel file. Years ago I went to a password management program (it was free but worked well: "Efficient Password Manager Pro"). It was a program that ran on my computer and allowed me to create records that were then stored in an encrypted file on my hard drive. I could export the contents to Excel if I needed to, and export a backup copy of the encrypted file to another storage medium (such as a memory stick) and then keep that file in a safe place. But to be honest I was as conscientious as I needed to be with making a backup file, so there was a danger in that if my hard drive crashed I'd be screwed.

Now I use a modern password manager application called 1Password. It allows me to track various types of sensitive information: logins (sites, user id, password, notes, etc.), credit card info, personal identity files, software keys, bank accounts, memberships, emails, secure notes. Now, though, information is stored not only on my laptop but automatically syncs with the companion app on my phone. That means I don't have to use passwords that I can remember, because I have them with me all the time. I just have to remember one good password to unlock the program. You can create multiple "vaults", so for example you and your spouse can segregate your information.


A more detailed description of how 1Password works.

Versions:
1. Phone Free version - This provides a limited set of pre-designed entry types. Basically IIRC you get "Logins", "Secure notes", and "Credit Card", which for most people is just fine. You can still sync to cloud storage so that any changes you make are instantly backed up to a cloud location. I use Dropbox; you can also use Apple's iCloud if that's the way you roll.

2. Phone Paid Version ($9.99) - Same program as above but provides additional types of records, the ability to add custom fields on a record, and (IMHO the most important addition) the ability to create folders to organize your entries - such as work, home, hobby, etc.

3. There is an "unlimited" free trial of 30 days, but then the site says there are restrictions after the 30-day period, so you can try it before purchasing. The purchase price is $50 - well worth the cost considering the cost of identity theft, IMHO - and that provides 6 licenses for your personal computer use on that type of platform. In other words you have to buy separate licenses for Windows and Macs. Your phone or tablet installations do not count against these licenses; these are only applicable to laptop/desktop installations.

The licensing keys do not have to be applied to the same cloud storage location, though they can be. So a husband and wife can use the same Dropbox or iCloud location and create their own "vaults"; each vault functions independently from the other, but users can switch between vaults if they want. The files that pass through the cloud are encrypted before they leave the device and are stored in an encrypted format. What my wife and I do is use separate Dropbox accounts to store our information. That means her 1Password system is completely separate from mine and vice versa. However, I have an entry in my vault with the password to her Dropbox account and her vault, and she has my Dropbox and vault password in her system. If something - heaven forbid - were to happen to either of us, the other can still get into the other's vault if needed.

Using the "Notes" section on any record I can ensure that I jot down any applicable special PINs or security questions and their answers, so that I never forget them again and can ensure I type them exactly the same.

Extensions:
Browser extensions are hooks into your browser that you can choose to install. They add access to 1Password while you are in the browser window. For example, there is a new icon on my toolbar for 1Password. Let's say I want to log in to my credit union account. I click the icon and enter my 1Password password and I get a menu of options. I open my "Finance" list and select the credit union. 1Password sends the browser to the login page for the credit union, enters the user ID and password and logs me in. Some websites have pop-up login boxes that don't work the same way, but 1Password still makes it easy to copy and paste secure passwords without having to remember them. There is similar functionality for phone use.


Password Generator:
The system has a password generator where you can select the number of characters (1-64), specify the number of numerical digits to include, and specify the number of special characters to include, to generate really strong passwords. Because of browser extensions you may never (relatively speaking) have to manually type in a password again. You can auto-load it or at worst easily copy and paste it into a login box. Because of that I've gone from a "base-word" type of system, for example "laBr4$or" (i.e. "Labrador" in English), to complex generated passwords of 20 characters, for example "96fHeMtRDcbDP=U6fbbz".

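A generator with the knobs the post describes (length 1-64, a fixed count of digits and of special characters, the rest letters), written here as an added example and not 1Password's own code; the symbol set `SPECIALS` is an assumption, since the post notes that sites differ in which symbols they accept.

```python
import secrets
import string

LETTERS = string.ascii_letters
DIGITS = string.digits
# Assumed symbol set; trim it to whatever a given site actually accepts.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length: int, n_digits: int, n_specials: int) -> str:
    """Random password of `length` chars with exactly `n_digits` digits and
    `n_specials` symbols, the rest letters, using the OS CSPRNG (secrets)."""
    if not 1 <= length <= 64:
        raise ValueError("length must be 1..64")
    if n_digits < 0 or n_specials < 0 or n_digits + n_specials > length:
        raise ValueError("digit/special counts exceed the password length")
    n_letters = length - n_digits - n_specials
    chars = [secrets.choice(DIGITS) for _ in range(n_digits)]
    chars += [secrets.choice(SPECIALS) for _ in range(n_specials)]
    chars += [secrets.choice(LETTERS) for _ in range(n_letters)]
    # Fisher-Yates shuffle driven by the CSPRNG so the required digits and
    # symbols do not sit at predictable positions (random.shuffle is not CSPRNG-backed).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def count_classes(password: str) -> dict:
    """Tally letters, digits and symbols; handy for checking a generated value."""
    return {
        "letters": sum(c in LETTERS for c in password),
        "digits": sum(c in DIGITS for c in password),
        "specials": sum(c in SPECIALS for c in password),
    }


if __name__ == "__main__":
    pw = generate_password(20, 3, 2)
    print(pw, count_classes(pw))
```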