
Think your passwords are secure enough?

Joined
Jan 5, 2006
Messages
17,792 (2.66/day)

Not sure why you need to laugh at that.
It's safe and it works!
 
Joined
Aug 22, 2016
Messages
292 (0.10/day)
Previously I used to have my mobile number as my password and then my DOB (I know, dumb, right?). Then I got taught a lesson by my roommate as she had access to my private messages and all without my knowing. Anywho, passwords are like the locks to your house doors, so you gotta make them pretty tough and hard to break. My advice would be to use punctuation, especially in the beginning, use both caps and small letters, and include numbers.
 
Joined
Nov 18, 2010
Messages
7,124 (1.45/day)
Location
Rīga, Latvia
my roommate as she had access to my private messages

Best solution is not to keep private messages at all... anywhere... read and delete. Thus no headache at all.
 
Joined
Aug 22, 2016
Messages
292 (0.10/day)
Best solution is not to keep private messages at all... anywhere... read and delete. Thus no headache at all.
Yes you are right but sometimes it becomes essential/necessity to store your files, photos, videos and other stuff that can not be deleted. So you got to protect that stuff.
 
Joined
Nov 18, 2010
Messages
7,124 (1.45/day)
Location
Rīga, Latvia
Yes you are right but sometimes it becomes essential/necessity to store your files, photos, videos and other stuff that can not be deleted. So you got to protect that stuff.

You didn't get the point.

If you have something that "private" that needs hiding from others then act properly. People are very irresponsible about their data. Deleting such things works always the best! Burning "those" letters is a good habit since dark ages. Leaving such data on social portals is like inviting to be robbed actually and sooner or later it will leak if someone really wants your dirty laundry. Just don't leave anything - purge. Nor in a phone (that eventually will die on you anyway) nor on the PC.

I am not talking about the sentimental rubbish like loads of the same meaningless media actually, nobody cares for that. I also don't hold anything from it on my PC, nor daily online accounts with cloud storage access etc. Everything is in order and stored on a separate account (zipped with an additional pass) and a double backup on an encrypted hard drive lying on the shelf.

And I say it once again, don't create meaningless things wasting your time in the past... like having no memory at all...
 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
18,927 (2.86/day)
Location
Piteå
Not sure why you need to laugh at that.
It's safe and it works!

My bank uses the same thing, and it's not as cumbersome as you'd think. It's made obsolete by bank apps though.
 
Joined
Oct 22, 2014
Messages
13,210 (3.81/day)
Location
Sunshine Coast
Not sure why you need to laugh at that.
It's safe and it works!
It seems a very roundabout way just to access your money online.
I do all my transactions online through my bank and they use a virtual keyboard that you click on with your mouse, that way no key strokes are recorded and hackers would have to have remote access to see what is happening.
 
Joined
Jun 29, 2016
Messages
140 (0.05/day)
I notified the IT department and they modified the login such that it had to be min 8 characters with at least 1 number and 1 of the shift 0-9 characters and they had to change it every 3 months
Changing passwords periodically was proved to be detrimental and I have to agree, if I were a teacher in a school I would have that never-old password written in my notes on a smartphone.

My bank uses the same thing, and it's not as cumbersome as you'd think. It's made obsolete by bank apps though.
I also use the same, you have to get that code from that electronic device two times, second time helps mitigate MITM attacks. I know some people still have the Identifier which shows you the code as soon as you turn it on without PIN entry, which is really insecure. Bank apps are neat but I don't consider a smartphone safe, especially with the outdated Android; I never use an SSH client on Android or similar because it is just too alien.

I have to criticize Mozilla for their way of handling passwords: if you use a master password you have to enter it every time you want to access a stored password, which is really tiresome, and it would be a lot better if it entered passwords automatically without entering the master password every time. I think KeePass has this feature and this feature is the only feature that encourages me to store passwords securely (when I get around to it).

One thing to remember is that passwords won't save you from vulnerability in the system, all those jailbreaks, hacks on devices are usually done through an exploit which basically bypasses the encryption.
 

Easy Rhino

Linux Advocate
Staff member
Joined
Nov 13, 2006
Messages
15,444 (2.43/day)
Location
Mid-Atlantic
uh, it is pretty hard to brute force a bank account because they are pretty much required to lock the account after a certain amount of failures. like solaris said, passwords are stolen not hacked.
 

Fx

Joined
Oct 31, 2008
Messages
1,332 (0.24/day)
Location
Portland, OR
I use keepass and its password creator. Would take 'em quite a while to brute force such passwords...

Roboform is awesome. I have been using it for 6+ years. It integrates into all major browsers and still has a way to manually view and edit account information like Keepass. It also does many more convenient tasks such as auto-filling your home address and other such information like for website registration.
 
Joined
Feb 8, 2012
Messages
3,013 (0.68/day)
Location
Zagreb, Croatia
Joined
Sep 17, 2014
Messages
20,906 (5.97/day)
Location
The Washing Machine
Watch these two videos and learn why your password for important logins is likely too insecure and just how easy they are to crack with powerful PCs. By important logins I mean things like online banking, online stores like Amazon, PC login at work etc. Change it now.

It should be a minimum of 9 characters, have special characters in it and try not to use dictionary words. Upper and lower case mix really helps too.

Oh and NEVER use the same password on more than one login.

It's all in the videos.



I look at this differently.

I expect my bank to have sufficient failsafes and redundancy, and in case of a breach, to compensate for damages. It's not like I have a responsibility here to be 'in the loop' with regards to the latest developments in cracking and hacking techniques.

I pay for this responsibility to be taken by the service provider. And wherever I am not paying, losing the account would not be important enough to warrant a complicated login procedure every time I use it.

End of story :)
 

Ahhzz

Moderator
Staff member
Joined
Feb 27, 2008
Messages
8,740 (1.48/day)
This ^^
Also, I'll leave this here related to password complexity
View attachment 78266
I've seen this before, and it amused the hell out of me, but I never really got the math they used. I redid it just now, and by my logic (52 letters, upper and lower, 10 numbers, and 10 spec characters, assuming an 11-place password, random anywhere), brute forcing at 3000 guesses per sec would come to 3.85e+63 days, or 1e+61 years.... Even with an i7 2600k running John the Ripper, at almost 2mill keys a sec, you're at 520,000 years....

Nice site here, to make yourself feel a little more secure if you're going total random on your passwords..

http://calc.opensecurityresearch.com/
 

Ahhzz

Moderator
Staff member
Joined
Feb 27, 2008
Messages
8,740 (1.48/day)
I look at this differently.

I expect my bank to have sufficient failsafes and redundancy, and in case of a breach, to compensate for damages. It's not like I have a responsibility here to be 'in the loop' with regards to the latest developments in cracking and hacking techniques.

I pay for this responsibility to be taken by the service provider. And wherever I am not paying, losing the account would not be important enough to warrant a complicated login procedure every time I use it.

End of story :)
I understand, and agree, that the bank or whomever you're storing your goods and info with should be required to maintain some level of security standards. But I think we could all agree that there's no reasonable way that any one institution could be expected to stay on top of all the little nightmarish games that are played in the security hell we digitally exist in.

However, it's on me if I'm logging into their site without taking some modicum of protective measures from my end. If they get hacked? It's on them for not protecting my data, even if my password is "qwerty123" (reminds me to change that....), but if they're not hacked, and my info gets stolen on the way, sniffed from my keyboard to their front door? That's on me.
 
Joined
Feb 8, 2012
Messages
3,013 (0.68/day)
Location
Zagreb, Croatia
but I never really got the math they used.
Low total number of bits of entropy for the first case is a result of password guessing algorithm using a dictionary of non gibberish uncommon words, varying replacement characters and adding different suffixes ;)
 
Last edited:
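
The arithmetic behind the two posts above (a fully random 11-character password versus a dictionary word with replacements and a suffix), as an added example that is not part of the thread. The alphabet, length and guess rates are the ones quoted in the post; the dictionary size and the replacement/suffix counts in `PATTERN` are assumed values chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def uniform_bits(alphabet_size, length):
    """Entropy (bits) when every character is drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def pattern_bits(choices):
    """Entropy (bits) of a password built from independent human-style steps.

    `choices` maps each step to the number of options a guessing tool has to
    enumerate for it; the candidate count is the product, so the bits add up.
    """
    return sum(math.log2(n) for n in choices.values())


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years to try every candidate (the average case is half)."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


# Parameters quoted in the post: 52 letters + 10 digits + 10 special
# characters, 11 places, every place random.
POST_ALPHABET = 52 + 10 + 10
POST_LENGTH = 11

# Guess rates quoted in the post.
SLOW_RATE = 3_000        # guesses per second
FAST_RATE = 2_000_000    # "almost 2mill keys a sec"

# Assumed (constructed) model of the dictionary-style password from the reply:
# one uncommon word, optional capital, a few replacements, a short suffix.
PATTERN = {
    "uncommon dictionary word": 65_536,
    "first letter capitalised or not": 2,
    "character replacement variants": 8,
    "suffix digit": 10,
    "suffix symbol": 16,
    "digit/symbol order": 2,
}


def compare():
    """Return bits and exhaustion times for both password constructions."""
    models = (
        ("random, 11 of 72 symbols", uniform_bits(POST_ALPHABET, POST_LENGTH)),
        ("word + replacements + suffix", pattern_bits(PATTERN)),
    )
    rows = []
    for label, bits in models:
        rows.append({
            "model": label,
            "bits": bits,
            "years_slow": years_to_exhaust(bits, SLOW_RATE),
            "years_fast": years_to_exhaust(bits, FAST_RATE),
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print("{model:30s} {bits:6.1f} bits  "
              "{years_slow:.3g} y @3k/s  {years_fast:.3g} y @2M/s".format(**row))
```

The gap between the two rows comes from what the guesser has to enumerate: 72 options for each of 11 positions in the first case, but only a handful of structured choices in the second, no matter how many characters the result contains.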

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.99/day)
Location
Quantum Well UK
I look at this differently.

I expect my bank to have sufficient failsafes and redundancy, and in case of a breach, to compensate for damages. It's not like I have a responsibility here to be 'in the loop' with regards to the latest developments in cracking and hacking techniques.

I pay for this responsibility to be taken by the service provider. And wherever I am not paying, losing the account would not be important enough to warrant a complicated login procedure every time I use it.

End of story :)

You can't abdicate responsibility like that. Saying this suggests to me that you don't understand how computer security works. There's no silver bullet and everyone has to play their part to keep safe from attackers.

@Ahhzz +1 nicely said. :)
 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
18,927 (2.86/day)
Location
Piteå
Banks using just password logins were never proper. I don't think any bank here (Sweden) ever used that system, they went for card readers from the start.

Anyway, phones and tablets are definitely part of the problem. That 16 character random phrase with numbers/letters/symbols might be fine on a keyboard, but not on a phone. And password managers are fine, but at least LastPass costs money on mobile, and you're bound to always be logged in anyway so if your device gets stolen/lost you're screwed. My next phone will definitely have biometrics.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.99/day)
Location
Quantum Well UK
Banks using just password logins were never proper. I don't think any bank here (Sweden) ever used that system, they went for card readers from the start.

Anyway, phones and tablets are definitely part of the problem. That 16 character random phrase with numbers/letters/symbols might be fine on a keyboard, but not on a phone. And password managers are fine, but at least LastPass costs money on mobile, and you're bound to always be logged in anyway so if your device gets stolen/lost you're screwed. My next phone will definitely have biometrics.
Agreed, a bank login must have a one time pad 2 factor device or I don't bank online, end of story. A while back I considered changing my current account to a better one, but none of the other banks with decent offers had a one time pad device, so I passed. Identity theft and financial loss would be nightmares that overshadow any potential better offers on a bank account.

My bank offers a "convenient" password entry only mode for read only access, which I would have to enable in order to use it. I haven't and I won't.

I wouldn't trust an Android device of any type, even the purest Nexus devices with my bank login credentials. iPhones and iPads seem to be more secure, with Apple's walled garden paying off here, but I'm still not sure how much I'd trust them.
 
Joined
Nov 5, 2014
Messages
714 (0.21/day)
It should be a minimum of 9 characters, have special characters in it and try not to use dictionary words. Upper and lower case mix really helps too.

Lol.

From 1997-2014 my Yahoo Mail password was sonysony, and I only added the second sony because they raised the minimum character count. Brute forcing of passwords simply isn't a thing and hasn't been for decades.

Seriously, "purplefartpants" is just as secure as "AwEs0m3!" and much easier to remember. When people get their Twitter/Facebook hacked it's due to malware or social engineering, not because somebody wrote a script to spam the login server with their email address and passwords randomly generated from every possible character combination.
 

Ahhzz

Moderator
Staff member
Joined
Feb 27, 2008
Messages
8,740 (1.48/day)
Lol.

From 1997-2014 my Yahoo Mail password was sonysony, and I only added the second sony because they raised the minimum character count. Brute forcing of passwords simply isn't a thing and hasn't been for decades.

Seriously, "purplefartpants" is just as secure as "AwEs0m3!" and much easier to remember. When people get their Twitter/Facebook hacked it's due to malware or social engineering, not because somebody wrote a script to spam the login server with their email address and passwords randomly generated from every possible character combination.

There's so much fail in that statement, especially since the second one highlighted is a basic definition of brute force cracking. I had to deal with a server most of yesterday morning that had been brute forced on the RDP port.

"Seriously?" The adults are talking here.
 

Ahhzz

Moderator
Staff member
Joined
Feb 27, 2008
Messages
8,740 (1.48/day)
Care to point out what you disagree with instead of just trash talking the post?

I already did.

"I had to deal with a server most of yesterday morning that had been brute forced on the RDP port. " Just because you used a pitiful password for years and didn't get busted doesn't mean that the reality is any different. There's a reason that tools like Brutus, Cain and Abel, and John the Ripper are still in use: brute forcing is still effective.

Yeah, that's why I wrote it lol.
I wrote something longer, just dumped it. The reason I quoted the second part, is I gave you the benefit of the doubt, assuming you didn't know what brute forcing was, and yet still put the definition later in your statement. The fact that you know what it is, and still made the statement... just makes it worse....
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.99/day)
Location
Quantum Well UK
Lol.

From 1997-2014 my Yahoo Mail password was sonysony, and I only added the second sony because they raised the minimum character count. Brute forcing of passwords simply isn't a thing and hasn't been for decades.

Seriously, "purplefartpants" is just as secure as "AwEs0m3!" and much easier to remember. When people get their Twitter/Facebook hacked it's due to malware or social engineering, not because somebody wrote a script to spam the login server with their email address and passwords randomly generated from every possible character combination.
I see you like to live dangerously. :)

There are two videos in my OP made by experts on computer security where I got that statement from, but I'm really glad that you know better and are educating everyone to use weak, easily hackable passwords. Nice one. :toast:
 
Joined
Nov 5, 2014
Messages
714 (0.21/day)
I already did.

"I had to deal with a server most of yesterday morning that had been brute forced on the RDP port. "

Fine I will rephrase, Brute forcing of passwords simply isn't a thing anymore and hasn't been for decades, with the obvious exception of random unsecured servers that the general public won't be accessing anyway.

Your argument is like saying everyone should wear asbestos fire suits because you know a guy who jumped in a volcano.

I'm not saying there's no need to have a long password on a server admin account, just that complex passwords for email, Facebook, shopping sites, etc are pointless and the sites simply ask for them because it's become "the way" due to the fear of brute forcing vastly outliving the threat of it.


I see you like to live dangerously. :)

It's not really living dangerously when the danger is negated, Yahoo's servers have been immune to brute force since before Playstation was a word. Filling passwords with random characters just makes them harder to remember and in many cases easier to break (if breaking them was a viable option).

Like I said, almost all hacking these days is done by acquiring passwords either using social engineering or malware/spyware. If an account is compromised due to a brute force attack that is 100% the fault of the two bit organisation who got brute forced, not the user who gave them more credit than they deserved.


I'm really glad that you know better and are educating everyone to use weak, easily hackable passwords. Nice one. :toast:

Random note, in my example ("purplefartpants" is just as secure as "AwEs0m3!") the one with the numbers/capitals/! is actually significantly weaker.
 
Joined
Feb 14, 2012
Messages
1,743 (0.39/day)
Location
Romania
My next phone will definitely have biometrics
About this, I never used that technology. Do they, for instance, remember the prints from multiple digits of your hand or just one? What if you are in an accident and you get your fingers burned and that is the only authentication method that you can access that phone, tablet, whatever?
 