Think your passwords are secure enough?

[qubit]

Watch these two videos and learn why your password for important logins is likely too insecure and just how easy they are to crack with powerful PCs. By important logins I mean things like online banking, online stores like Amazon, PC login at work etc. Change it now.

It should be a minimum of 9 characters, have special characters in it and try not to use dictionary words. Upper and lower case mix really helps too.

Oh and NEVER use the same password on more than one login.

It's all in the videos.

 

[Ferrum Master]

Well... I will say just one - everything made by man can be broken....

 

[Solaris17]

Honestly alot of this stuff is irrelevant. I mean not in the way you think, absolutely you should be using stronger passwords changing them every few months and deff use different ones for different things. But that said no one is sitting in there basement brute forcing my TPU account with 4 titans. Most attacks with password theft usually involve a breach of the database itself. At least in high profile things.

 

[qubit]

But that said no one is sitting in there basement brute forcing my TPU account with 4 titans.

Agreed, the TPU account isn't worth doing, along with most other forums, which is why I didn't list it in the examples. Only logins that would cause one real trouble if they were compromised.

 

[silentbogo]

MD5 is a bad example.
Many moons ago I could do collision cracking with my 74GB rainbow table collection on an old Dell laptop (even had it on DVDs ) .
That was sufficient enough for mixed-case alphanumeric passwords up to 13 symbols long.

 

[verycharbroiled]

If possible, I prefer to use a half dozen or so dictionary words as a password.

 

[Ferrum Master]

Many moons ago I could do collision cracking with my 74GB rainbow table collection on an old Dell laptop

Aaaannndd.... what did you crack?

 

[Dethroy]

I use keepass and its password creator. Would take 'em quite a while to brute force such passwords...

 

[xorbe]

Don't reuse a password with a few characters changed at the end somewhere else. If they crack one password, they can brute-force the last 4-5 characters, if they have only the hash, on a large list. If they were to target you specifically ... and that's why practically every motorcycle forum moved to 10-char passwords last month. They got badly owned (like one firm owns the large majority of m/c forums). At this point, you should really, really should be using fully unique passwords.

 

[silentbogo]

Aaaannndd.... what did you crack?

My coursework in CS

 

[Kursah]

I use keepass and its password creator. Would take 'em quite a while to brute force such passwords...

Unless you're doing this, changing your passwords frequently could actually be a detrimental factor in your account(s) being easier to break into. Depends on how creative you are (or aren't rather...).

http://arstechnica.com/security/201...-the-enemy-of-security-ftc-technologist-says/

http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf

Not that creating unique passwords is hard to do, but it is better to use something like Keepass that has a better random generator. Makes things a bitch if you don't have an effective way to access or sync your KP database. But if you use encrypted cloud storage and some best practice methods, it can get easier. Just depends on what devices you want to have access to certain services/accounts on, and if you can get used to copy & paste...which really isn't that hard to do..especially if you work in any kind of IT service provider position.

Good to see this topic come up here on TPU!

 

[Nabarun]

I painstakingly (manually) create very large and proper passwords that will take even supercomputers quite a while to break. Unfortunately, a proper password is not the only thing to protect the password. A good deal of knowledge and carefulness is also necessary to be actually (relatively) safe.

 

[Recon-UK]

I use a password that uses upper case and numbers and is above 14 characters.
Now with that said it's a real thing and are real words but are not in the dictionary and are not slang.
Put it this way you would need a car enthusiast to know what it actually is even if strung together correctly on the screen in front of the hackers face. I use this password for everything and have remained safe for 8 years now.


But i may change it.

 

[qubit]

I use a password that uses upper case and numbers and is above 14 characters.
Now with that said it's a real thing and are real words but are not in the dictionary and are not slang.
Put it this way you would need a car enthusiast to know what it actually is even if strung together correctly on the screen in front of the hackers face. I use this password for everything and have remained safe for 8 years now.


But i may change it.

Definitely change it. Just because it's something that a car enthusiast would have to understand doesn't mean it will stop it being in a hacker's dictionary. In fact, after 8 years, I guarantee you it is and lots of other car enthusiast words you may not have even heard of. These hackers really don't leave any stone unturned to get to our accounts.

Now, it sounds like it's quite a good password other than this, especially with the length. To make it a lot harder to crack, putting symbols in those words sounds like it would be sufficient.

Finally, don't use it on multiple sites and the video explains why. Basically it's to do with leaked password lists when websites get hacked and one day you might come a cropper because of this. This is advice from a password hacking expert at a university in the video, not just a random forum poster ie me, so I'd head it if you want to continue being safe.

 

[xorbe]

These dictionaries are built from millions of stolen passwords. Guess what, people seem to think alike a lot of the time ... so the passwords which they think are clever, are actually similar.

 

[Frick]

Lastpass, 16 random characters (a shocking number of sites has that limitation) yo.

The best option for non technological minded people is probably to generate a bunch of random passwords, print them out as a table and keep it in a desk drawer. If at home I mean.

 

[FordGT90Concept]

I use my own program:
https://www.techpowerup.com/forums/threads/random-password-generator.164777/

And relevant:

I hate how so many websites enforce weak passwords. Two notable exceptions: Valve and Amazon. They're like 60 characters long. I have no idea how they're hashed though. It could mean nothing.

 

[cornemuse]

Inasmuchas ! have nothing on my computer(s) that is critical/important to me (< that I have not already backed up), no forums o/l where I would be concerned if someone used those passwords, I really do not need, (never needed), or want passwords. If one merely takes an hdd out of computer & connect it via usb etc. to another comp, one has access to lots of data there anyways, , , ,

 

[Dethroy]

If one merely takes an hdd out of computer & connect it via usb etc. to another comp, one has access to lots of data there anyways, , , ,

Encrypt the drive?

 

[R-T-B]

The best thing you can do is quit worrying so much about your password, and just use some kind of secondary access token, like google auth.

Not that these guidelines aren't relevant, but given them on their own and a determined enough hacker, they won't save you.

Encrypt the drive?

I used to work in a data sensitive field. We used OPAL SED's from seagate (Self Encrypting drives). Even if the drive was stolen, it was pretty much useless.

 

[silentbogo]

I hate how so many websites enforce weak passwords. Two notable exceptions: Valve and Amazon. They're like 60 characters long. I have no idea how they're hashed though. It could mean nothing.

Imagine my anger and rage, when I encountered a 12-character max alphanumeric only limit on the online banking system of my previous bank (it was around 2010, so not too long ago)!
It's like they were deliberately trying to compromise their security...

My current bank has an annoying, but more secure multistage authentication: you log in, as usual, and then every time you enter your online banking, or every time you transfer money online - you have to reach for your cellphone to validate each transfer with a PIN number. Some local banks use a little easier, but more confusing system with QR code auth.

 

[Ahhzz]

I use too few passwords myself, too many of mine are duplicated across low-concern areas (games forums, here, other similar, non-money accessible type things). But for my more secure areas, I have 3 9-character random letter/number/special passwords, that I vary a little with uppercase/lowercase here and there. For my largest concern, I have a 25 character random letter/number password. Nothing special about it, but completely random, and no way to be guessed. They'd have to go the long way to get there, I hope...

 

[64K]

I don't know if this is the norm but I was shocked when an account was given to me to handle where I work. It involved purchases for around 80 locations where people made requests for materials. I was placed as administrator of the account and had access to everyone's account and their passwords. Most of the passwords were fine but there were quite a few that weren't. ie one person was using his name as a password. Another was using their location as a password and one joker was actually using 123456 as a password. All of these people were college graduates. Some with masters and a couple with PhDs.

I notified the IT department and they modified the login such that it had to be min 8 characters with at least 1 number and 1 of the shift 0-9 characters and they had to change it every 3 months.

 

[P4-630]

Imagine my anger and rage, when I encountered a 12-character max alphanumeric only limit on the online banking system of my previous bank (it was around 2010, so not too long ago)!
It's like they were deliberately trying to compromise their security...

My current bank has an annoying, but more secure multistage authentication: you log in, as usual, and then every time you enter your online banking, or every time you transfer money online - you have to reach for your cellphone to validate each transfer with a PIN number. Some local banks use a little easier, but more confusing system with QR code auth.

I use an "Edentifier" for my bank, to login I have to put my atm card in it and enter my pin, this generates a number code.
To transfer money or making an online purchase I must enter my pin code on the edentifier and then there is a code on the website which I must enter in the edentifier which generates another number code which I have to enter on the website.

 

[silentbogo]

use an "Edentifier" for my bank, to login I have to put my atm card in it and enter my pin, this generates a number code.
To transfer money or making an online purchase I must enter my pin code on the edentifier and then there is a code on the website which I must enter in the edentifier which generates another number code which I have to enter on the website.