APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Is your password safe?


2014/12/01

I was interested to read "The Tragic Password Mistake Hackers Are Hoping You'll Make", which talks about falling into the trap of using common patterns like always ending your passwords with two or three numbers. I had noticed people doing that a long time ago and assumed that laziness would make it that much easier for a password cracker to break the code.

What I did not realize is that few password checkers really do a good job analyzing passwords. According to that article, only Kaspersky saw the author's own password as weak; all the others, including Gmail, said it was strong.

Of course I headed right over to check a few of my own passwords and was happy to see that the Kaspersky checker approved:


This one came up with 29 years for the Tianhe-2 supercomputer to brute-force it, though some of mine scored 119 centuries on that machine. I guess that's good enough for now :)
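To make the point about patterns concrete, here is an added example (not code from this post, from the linked article, or from any of the checkers mentioned): a small Python estimator that compares the naive charset-to-the-power-of-length keyspace most strength meters effectively report with the much smaller space a cracker actually searches when it knows the "dictionary word plus two or three digits" habit, the way a dictionary-plus-mask attack does. The wordlist, the one-million-word attacker dictionary and the guess rate are constructed assumptions for the arithmetic, not figures from the article or from Kaspersky's checker.

```python
"""Naive vs. pattern-aware password keyspace estimate.

Added illustration, not code from the original post or from any
strength checker it mentions.  The wordlist, dictionary size and guess
rate below are constructed assumptions used only for the arithmetic.
"""
import math
import re
import string

# Constructed stand-in for a real cracking wordlist (assumption).
WORDLIST = {"password", "welcome", "sunshine", "dragon", "monkey", "letmein"}
# Assumed size of the attacker's real dictionary, used for the keyspace math.
ASSUMED_DICT_SIZE = 1_000_000
# Assumed guess rate for a fast, unsalted hash on a GPU rig (guesses/second).
ASSUMED_GUESSES_PER_SEC = 1e11

# Common leet substitutions, undone before the dictionary lookup.
LEET = str.maketrans("0134@$!", "oleaasi")

# A stem (letters plus a few leet characters), an optional 1-4 digit
# suffix and an optional single trailing mark: the "word + digits" habit.
PATTERN = re.compile(r"^([A-Za-z@$!0-9]+?)(\d{1,4})?([!?.]?)$")


def naive_keyspace(pw: str) -> float:
    """charset_size ** length, roughly what many strength meters measure."""
    classes = 0
    if any(c.islower() for c in pw):
        classes += 26
    if any(c.isupper() for c in pw):
        classes += 26
    if any(c.isdigit() for c in pw):
        classes += 10
    if any(c in string.punctuation for c in pw):
        classes += len(string.punctuation)
    return float(classes) ** len(pw)


def pattern_keyspace(pw: str) -> float:
    """Keyspace searched by a dictionary + mask attack that knows the habit.

    Falls back to the naive estimate when the password does not fit the
    word-plus-suffix pattern, so no credit is taken for a random string.
    """
    m = PATTERN.match(pw)
    if not m:
        return naive_keyspace(pw)
    stem, digits, punct = m.group(1), m.group(2) or "", m.group(3)
    base = stem.translate(LEET).lower()
    if base not in WORDLIST:
        return naive_keyspace(pw)
    space = ASSUMED_DICT_SIZE
    space *= 3                      # lower / Capitalized / UPPER variants
    if base != stem.lower():
        space *= 2                  # a leet-substituted variant was used
    space *= 10 ** len(digits)      # every digit suffix of this length
    if punct:
        space *= 4                  # one of a handful of trailing marks
    return float(space)


def years_to_crack(keyspace: float, rate: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Expected time to hit the password (half the keyspace), in years."""
    return keyspace / 2 / rate / (365 * 24 * 3600)


def compare(pw: str) -> dict:
    """Both estimates in bits, plus the factor by which the pattern shrinks the search."""
    naive, pattern = naive_keyspace(pw), pattern_keyspace(pw)
    return {"naive_bits": math.log2(naive),
            "pattern_bits": math.log2(pattern),
            "reduction": naive / pattern}


if __name__ == "__main__":
    for pw in ("Welcome123", "p@ssw0rd99", "xq7!Tz9&m"):
        r = compare(pw)
        print(f"{pw:12s} naive {r['naive_bits']:5.1f} bits "
              f"({years_to_crack(naive_keyspace(pw)):.2g} y)  "
              f"pattern {r['pattern_bits']:5.1f} bits "
              f"({years_to_crack(pattern_keyspace(pw)):.2g} y)")
```

Under these assumptions the naive formula rates "Welcome123" (ten characters, three classes) slightly above the random "xq7!Tz9&m" (nine characters, four classes), while the pattern-aware estimate drops "Welcome123" from about 60 bits to about 31, a search an attacker finishes in well under a second at the assumed rate. That gap is the "strong" verdict the linked article complains about.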


Got something to add? Send me email.






5 comments




© Anthony Lawrence







Mon Dec 1 14:32:03 2014: 12560   MikeGarmann



This is where a good password manager like KeePass will come in handy.





Mon Dec 1 15:13:17 2014: 12561   TonyLawrence



I disagree strongly. Password managers are dangerous for two reasons: if you lose your computer and its password is breached, you lose everything. If it isn't breached, unless the data is online, you have lost access to everything.

A far better way is what I describe at (link)



Mon Dec 1 18:39:58 2014: 12562   MikeGarmann



> If you lose your computer and its password is breached, you lose everything. If it isn't breached, unless the data is online, you have lost access to everything.

> ONLINE is even worse if it is storing your data out there. But it probably is not: your "secret" passwords are likely stored locally. Which means they are vulnerable to theft and damage.


Very good points.

One thing that is nice about the password manager is that you can use it to store other, nonpassword information that certain sites may need:
- answers to those stupid wish-it-was-two-factor "security questions" most financial sites insist on using.
(I typically use a random string of 16 hex digits)

- TANs/account recovery OTPs for sites that implement proper two factor authentication

Maybe I am sacrificing too much on the altar of convenience?

Some things I do do to mitigate the "all my eggs in one basket" issue:

1. Separate password databases for my categories of passwords:
- Bank & Bills (electricity, internet, bank, IRA, ...)
- Internal Passwords (computer passwords, network passwords, router, ...)
- "Important Websites" (Amazon, Gmail, ...)
- "Not-so-important Sites" (Digg, Reddit, various blogs...)
- Work
(obviously #1-4 are not on my work computer and #5 is not on any of my personal computing devices)

2. Separate pass phrases for each database
(I actually use an algorithm similar to the one you mentioned in the linked site to generate non-dictionary gibberish words for the pass phrases.)

3. BACKUP, BACKUP, TEST+BACKUP
- databases backed up weekly to two different devices
- periodically test the backed up databases

(As a side note, I noticed that the weak passwords from "The Tragic Password Mistake Hackers Are Hoping You'll Make" are all marked as "strong" on the Kaspersky site... Hmmm... One thing that is disconcerting to me is the lack of consensus on how to create secure passwords, especially with software like HashCat that can be programmed to take common password patterns into account to dramatically reduce the combinations to brute-force...)



Mon Dec 1 18:44:39 2014: 12563   TonyLawrence



I don't know. You certainly are doing the right things, but I think convenience always leads to danger. I'd rather use my method.



Mon Dec 1 19:34:21 2014: 12564   TonyLawrence



By the way, the samples don't come off all that well at Kaspersky. A few months for Conflicker.
