Is your password safe?

2014/12/01

I was interested to read The Tragic Password Mistake Hackers Are Hoping You'll Make which talks about falling into the trap of using common patterns like always ending your passwords with two or three numbers. I had noticed people doing that a long time ago and assumed that laziness would make it that much easier for a password cracker to break the code.

What I did not realize is that few password checkers really do a good job analyzing passwords. According to that article, only Kaspersky saw the author's own password as weak; all the others, including Gmail, said it was strong.

Of course I headed right over to check a few of my own passwords and was happy to see that the Kaspersky checker approved:

This one came up with 29 years for the Tianhe-2 Supercomputer to brute force crack it, though some of mine scored 119 centuries on that machine. I guess that's good enough for now :)

Got something to add? Send me email.

(OLDER) <- More Stuff -> (NEWER) (NEWEST)

Printer Friendly Version

->

-> Is your password safe?

Increase ad revenue 50-250% with Ezoic

Inexpensive and informative Apple related e-books:

Take Control of iCloud, Fifth Edition

Take Control of Upgrading to Sierra

Photos: A Take Control Crash Course

Take Control of the Mac Command Line with Terminal, Second Edition

Photos for Mac: A Take Control Crash Course

More Articles by Anthony Lawrence

Find me on Google+

© 2015-03-12 Anthony Lawrence

Mon Dec 1 14:32:03 2014: 12560 MikeGarmann

This is where a good password manager like KeePass will come in handy.

Mon Dec 1 15:13:17 2014: 12561 TonyLawrence

I disagree strongly. Password managers are dangerous for two reasons: if you lose your computer and its password is breached, you lose everything. If it isn't breached, unless the data is online, you have lost access to everything.

A far better way is what I describe at (link)

Mon Dec 1 18:39:58 2014: 12562 MikeGarmann

> If you lose your computer and its password is breached, you lose everything. If it isn't breached, unless the data is online, you have lost access to everything.

> ONLINE is even worse if it is storing your data out there. But it probably is not: your "secret" passwords are likely stored locally. Which means they are vulnerable to theft and damage.

Very good points.

One thing that is nice about the password manager is that you can use it to store other , nonpassword information that certain sites may need:
- answers to those stupid wish is was two factor "security questions" most financial sites insist on using.
(I typically use a random string of 16 hex digits)

- TANs/account recovery OTPs for sites that implement proper two factor authentication

Maybe I am sacrificing too much on the altar of convenience?

Some things I do do to mitigate the "all my eggs in one basket" issue:

1. Separate password databases for my categories of passwords:
- Bank & Bills (electricity, internet, bank, IRA, ...)
- Internal Passwords (computer passwords, network passwords, router, ...)
- "Important Websites" (Amazon, Gmail, ...)
- "Not-so-important Sites" (Digg, Reddit, various blogs...)
- Work
(obviously #1-4 are not on my work computer and #5 is not on any of my personal computing devices)

2. Separate pass phrases for each database
(I actually use an algorithm similar to the one you mentioned in the linked site to generate nondictonary gibberish words for the pass phrases. )

3. BACKUP, BACKUP, TEST+BACKUP
- databases backed up weekly to two different devices
- periodically test the backed up databases

(As a side note, I noticed that the weak passwords from the " The Tragic Password Mistake Hackers Are Hoping You'll Make are all marked as "strong" on the Kaspersky site... Hmmm... One thing that is disconcerting to me is the lack of consensus on how to create secure passwords, especially with software like HashCat that can be programmed to take common password patterns into account to dramatically reduce the combinations to brute-force...).

Mon Dec 1 18:44:39 2014: 12563 TonyLawrence

I don't know. You certainly are doing the right things, but I think convenience always leads to danger. I'd rather use my method.

Mon Dec 1 19:34:21 2014: 12564 TonyLawrence

By the way, the samples don't come off all that well at Kaspersky. A few months for Conflicker.

------------------------

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Printer Friendly Version

Have you tried Searching this site?

Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Printer Friendly Version

Within C++, there is a much smaller and cleaner language struggling to get out. (Bjarne Stroustrup)

Troubleshooting posts

This post tagged:

Security

Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode