I've read a number of articles over the past few years about secure password generators. Does anyone here use such a program and why did you choose that one or think it is better than any other?
I use a program called KeePass 2. It has a good generator and stores user names and passwords in an encrypted file. My passwords are 20 chars long and look like a SHA hash.
It runs on all platforms, including Android. I always have my passwords with me.
When you set the main password make it long and strong and memorable. Then you only need to remember one!
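The kind of generator the post above relies on, as an added example (not KeePass's own code): a uniformly random 20-character password over an assumed symbol set, accepted only if every character class is present, using the `secrets` module rather than `random`. Rejection sampling keeps the accepted passwords uniformly distributed; the common alternative of forcing one character from each class and shuffling does not. The symbol set and the 20-character default are assumptions for illustration.

```python
import math
import secrets
import string

# Character classes the generated password must draw from.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"   # assumed symbol set; any fixed set works

CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def has_all_classes(password, classes=CLASSES):
    """True if at least one character from every class is present."""
    return all(any(c in cls for c in password) for cls in classes)


def generate_password(length=20, classes=CLASSES):
    """Uniformly random password of `length` chars over the union of `classes`.

    Candidates missing a class are rejected and redrawn.  Rejection sampling
    keeps the distribution uniform over the accepted set; forcing one char per
    class and shuffling would bias it.
    """
    if length < len(classes):
        raise ValueError("length too short to contain every class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


def entropy_bits(length=20, classes=CLASSES):
    """Entropy of a uniformly chosen password of this length, ignoring the
    small loss from rejecting class-deficient candidates."""
    return length * math.log2(sum(len(cls) for cls in classes))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits():.1f} bits")
```

With 87 possible characters, 20 positions give just under 129 bits, which is why a vault-generated password of this shape is out of reach of any guessing attack regardless of rate; the only remaining risks are the vault's master password and the machine the vault is opened on.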
Password generators are just not needed. The key to decent passwords that can be remembered is mnemonics.
For instance, take this sentence from an above post:
"Pick three things that you remember without a problem."
Use the first letters of each word except when the word is a number and you get:
P3ttyrwap
If you want, add your zip code on the front or back.
You could take the second letter in each word to make a different password, and so on. You can invert the capitalization. You can capitalize every other letter.
Ultimately, ANY sixteen character password can now be cracked in less than a day if the cracker has the computing power. Security depends on limiting the attempts to guess and using time outs - even more than super-strong passwords.
Pick a word, intersperse it with numbers and add a couple of symbols.
Example
word = Chevrolet - Pick a random word having nothing to do with you - not a kid's or pet's name, etc.
someone's phone number = 555-1234 (don't pick your current one).
Random Symbols = $%
My older son is in the computer industry, and at a recent seminar, the presenters proved that all passwords can be broken in less than an hour.
Alice gets the apple.
Quote:
Originally Posted by snoozy
Well then what is the point in a password at all?
Once you realize what she has pointed out, you should do at a minimum these things:
1) Stop using digital services.
2) For those things that you can't stop using, back up the Heck* out of your data.
3) If finances are involved in the case of #2, have good insurance.
What a good password is good for, if anything, is to keep from invoking the painful recovery of data--provided you have a backup.
Joseph's, Harry's, and MNN's ideas are all excellent.
The most important advice that I give (and I give it to my mom, so it is very sincere and heartfelt), is to not re-use passwords for the real important stuff, like on-line banking, on sites that are casual, like HomesteadingToday.
__________________
Honesty and integrity are homesteading virtues.
Last edited by AngieM2; 03/14/14 at 09:32 AM.
Reason: edited.
True, but the most important thing for true security is to not reuse passwords.
I make the most of my internet connection and as such I have probably a hundred passwords.
Banking, utilities, voip, suppliers, blog, email, any one could be hacked and result in loss of money that is amplified by any shared password.
As such a robust generator and vault are the only practical solution for someone heavily invested in the online world.
Even the time delay introduced by network lag massively increases the time to brute force a password. If it is not vulnerable to dictionary attacks (randomly generated), a 20-character password will hold up for years, by which time hopefully the site has detected the attack.
While it's true that a shorter password could be guessed/cracked in only a few hours if the attacker/hacker is given the opportunity to submit millions or billions of guesses per second, that isn't really possible. As Rectifier pointed out, just adding in network latency would slow things down considerably, but there are a couple other factors that protect your account too.
Most websites (and hopefully ALL websites that actually store important data) will also limit the number of unsuccessful login attempts before the account is locked. I've seen as few as 3 allowed attempts, and as many as 10 before it gets locked. Once the account is locked, it may only stay locked for a limited period of time, such as 15 minutes, or it may stay locked until you call in, prove you're the account owner, and have it manually unlocked by customer service.
Another method of slowing down attackers is called tarpitting. Instead of locking a user's account after a certain number of failed attempts, tarpitting just increases a waiting period between allowed login attempts. If a valid user just mistypes their password a couple of times, they won't even notice the waiting period. First attempt fails, wait 0.25 seconds; 2nd attempt fails, wait 0.5 seconds. It will generally take a user that long to type in a password and hit "enter" to send the login attempt. However, an automated attack trying to guess the password will quickly result in a huge waiting period between allowed login attempts if the time period is doubled after each failed attempt. Using the same 0.25 seconds after the 1st failed attempt from above, after 12 failed attempts the time is already over 1 minute (64 seconds), and after 18 failed attempts the waiting period is over an hour (4096 seconds). Using tarpitting, it's simply not possible to even try hundreds of guesses, let alone millions or billions.
In addition, many websites monitor for large amounts of failed login attempts in a short period of time, and will alert the website owner of the attack.
The only way these high-speed attempts at cracking a password can really work is if the hacker managed to break into the server using some other method and then stole the encrypted password data that contains all of the users' passwords. They could then run their cracking tool against that stolen password list and decrypt the passwords at their leisure. This is one of the reasons that it's recommended to change your passwords periodically.
Here's a cool tool that lets you see how long it would take to guess a password: https://www.grc.com/haystack.htm (I don't recommend testing your real passwords there). I tried a couple of made-up passwords, and was actually surprised by the time differences: Hit$m3!0 vs H0m3$t3ad1ngT0d@y.
With the massive attack array, the first password could be guessed in only 1.12 minutes, while the second would take 13.44 billion centuries. However, even with an unlimited online attack (no account locks or tarpitting), the first password would take 2.13 thousand centuries. In the event that the encrypted password list was stolen, it could feasibly be cracked in just 18.62 hours. Just adding a couple of numbers to the end to increase it to 10 characters would increase that fast offline attack time to 19.24 years, and even just using 9 characters would take 2.43 months.
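The doubling tarpit described in the post above, as an added example that is not code from the post or from any real login system: a per-account tarpit with an injectable clock (so it can be tested without sleeping) and a helper that counts how many guesses the schedule lets an attacker submit within a time budget. The 0.25-second base delay comes from the post; the exact figures a doubling schedule produces depend on how attempts are counted, which the helper makes explicit.

```python
import time


class LoginTarpit:
    """Per-account exponential backoff: the wait after the n-th consecutive
    failure is base_delay * 2**(n-1).  A successful login clears the state.

    `clock` is injectable so the schedule can be tested without sleeping.
    """

    def __init__(self, base_delay=0.25, clock=time.monotonic):
        self.base = base_delay
        self.clock = clock
        self._state = {}  # account -> (consecutive_failures, not_before)

    def delay_after(self, failures):
        """Seconds the account must wait after `failures` consecutive failures."""
        return 0.0 if failures <= 0 else self.base * 2 ** (failures - 1)

    def attempt(self, account, password_ok):
        """Returns ("wait", seconds) if the attempt arrived too early (it is not
        processed and does not count), ("ok", 0.0) on success, or
        ("denied", seconds) with the new wait on failure."""
        now = self.clock()
        failures, not_before = self._state.get(account, (0, 0.0))
        if now < not_before:
            return ("wait", not_before - now)
        if password_ok:
            self._state.pop(account, None)
            return ("ok", 0.0)
        failures += 1
        wait = self.delay_after(failures)
        self._state[account] = (failures, now + wait)
        return ("denied", wait)


def guesses_possible(base_delay, budget_seconds):
    """How many guesses an attacker can submit against one account within
    `budget_seconds`: guess k (1-based) becomes submittable at
    base_delay * (2**(k-1) - 1), the sum of all earlier waits."""
    k = 1
    while base_delay * (2 ** k - 1) <= budget_seconds:
        k += 1
    return k


if __name__ == "__main__":
    tarpit = LoginTarpit()
    for n in (1, 2, 9, 15):
        print(f"wait after failure {n}: {tarpit.delay_after(n):g} s")
    print("guesses possible in one hour:", guesses_possible(0.25, 3600))
```

With a 0.25-second base, an attacker hammering a single account gets 14 guesses in the first hour and 24 in a year, which is the whole point. A per-account tarpit alone has a failure mode, though: anyone who knows a username can keep the real user waiting, and an attacker can sidestep it by spraying one guess across many accounts. In practice the delay is keyed on source address and username together, and a cap on the wait keeps the legitimate-user path tolerable.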
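The arithmetic behind the haystack figures quoted above, as an added example (not the GRC tool's code): the model counts every password of length 1 up to the given length over the union of the character classes present, 95 characters when all four are used (with the 33 symbols including space), and divides by a guess rate. The three rates are assumptions standing in for the tool's three scenarios (1,000 guesses/s online, 10^11/s offline, 10^14/s massive array); with them the code reproduces the 1.12-minute and 18.62-hour figures for Hit$m3!0. The caveat a practitioner would add: this is a brute-force search-space model only, so a password built from dictionary words with substitutions, like H0m3$t3ad1ngT0d@y, is far weaker against a rule-based cracker than its haystack size suggests.

```python
import string

# Character classes; the symbol class is string.punctuation plus space
# (33 chars), giving the 95-character set the model uses when all classes appear.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

# Assumed guess rates (guesses per second) for the three attack scenarios.
RATES = {
    "online": 1e3,
    "offline": 1e11,
    "massive": 1e14,
}


def alphabet_size(password):
    """Size of the alphabet an exhaustive search must cover: the sum of the
    sizes of every class that contributes at least one character."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password):
    """Number of candidates needed to cover every password of length
    1..len(password) over that alphabet (the 'haystack')."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, rate):
    """Worst-case time to search the whole space at `rate` guesses/second."""
    return search_space(password) / rate


def time_to_crack(password):
    """Worst-case seconds under each assumed rate."""
    return {name: seconds_to_exhaust(password, rate) for name, rate in RATES.items()}


def describe(seconds):
    """Human-readable duration, largest fitting unit."""
    for unit, size in (("centuries", 3153600000.0), ("years", 31536000.0),
                       ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    for pw in ("Hit$m3!0", "Hit$m3!012", "H0m3$t3ad1ngT0d@y"):
        print(pw, {k: describe(v) for k, v in time_to_crack(pw).items()})
```

Two things the numbers make plain: length dominates (each extra character multiplies the space by the alphabet size), and the online rate is so far below the offline ones that the only attack worth worrying about for a decent password is the stolen-hash case the post describes, which is exactly where a slow password hash on the server side buys the most.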
I use KeePass also, just let it generate a strong password (one I can't possibly even remember) for each different account, save, then just cut-and-paste when needed.
There is no turning back.
The digital world requires passwords, so worrying about whether a strong one can be broken is a moot point.
Just make the strongest one you can, a different one for each account and hope for the best and get on with life.
I think passwords generated by strings of words or events or anything tangible are vulnerable.
When I want a secure password I randomly type the required number of letters and numbers without looking as I randomly move my hand around the keyboard. There is no rhyme or reason behind it so there is no way to figure it out.
Then I write them down because there is no way I can remember them.
__________________
"Do you believe in the devil? You know, a supreme evil being dedicated to the temptation, corruption, and destruction of man?" Hobbs
"I'm not sure that man needs the help." Calvin
Hold the shift key down and go bottoms up diagonally from Z to !, then release it and come back down on the same line, so you end up with
ZAQ!1qaz
If you need more characters, try adding X to @, and back down, so you have
ZAQ!1qazXSW@2wsx
You could go on a right-handed slant, Z to $ 4 to z, or whatever, but try to limit your keystrokes to groups of 4 for simplicity's sake.
This is considered a very strong password, as it has a combination of upper and lower case letters, numbers, and special symbols in a seemingly nonsensical arrangement.
The only thing you give up from a system-generated password is the oddly-random character arrangement factor, but this is much simpler to remember, so you don't have to memorize anything, or worse, write it down.
Edited to add: this may not work on cell phone / text keypads
Just keep in mind that nothing is foolproof. My older son is in the computer industry, and at a recent seminar, the presenters proved that all passwords can be broken in less than an hour.
Not true. I'm in the computer industry too. If the system appropriately slows down brute force attacks then good passwords cannot be cracked. To break any password in an hour would require the cooperation of the server and near-infinite speed of not just computation but also of communications. Servers thwart this on purpose or by accident due to loading issues. I could go on but won't bore you.
__________________
SugarMtnFarm.com -- Pastured Pigs, Poultry, Sheep, Dogs and Kids