I was interested to read The Tragic Password Mistake Hackers Are Hoping You'll Make which talks about falling into the trap of using common patterns like always ending your passwords with two or three numbers. I had noticed people doing that a long time ago and assumed that laziness would make it that much easier for a password cracker to break the code.
What I did not realize is that few password checkers really do a good job analyzing passwords. According to that article, only Kaspersky saw the author's own password as weak; all the others, including Gmail, said it was strong.
Of course I headed right over to check a few of my own passwords and was happy to see that the Kaspersky checker approved:
This one came up with 29 years for the Tianhe-2 Supercomputer to brute force crack it, though some of mine scored 119 centuries on that machine. I guess that's good enough for now :)
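To see how a checker that only counts length and character classes can rate a "word plus two digits" password as strong, here is an added Python example; it is not from the article or from any of the checkers mentioned above. It scores a password two ways: the naive keyspace (pool of character classes raised to the length) and a pattern-aware count that, for a dictionary word followed by a short digit suffix, only charges for the word, its case variant and the digits. The six-word dictionary and the guess rate are constructed assumptions for illustration, not measurements.

```python
import math
import re
import string

# Constructed toy dictionary standing in for a real wordlist (assumption).
COMMON_WORDS = {"password", "summer", "welcome", "dragon", "monkey", "football"}

# Constructed guess rate, used only to turn guess counts into seconds (assumption).
GUESSES_PER_SECOND = 1e10

# "word + 1-4 digits"; the article's pattern is the two- or three-digit case.
SUFFIX = re.compile(r"([A-Za-z]+)(\d{1,4})")


def naive_guesses(pw: str) -> int:
    """Length-and-character-class estimate, the way many meters score a password:
    every position is treated as an independent draw from the union of the
    character classes present, so the keyspace is pool ** length."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return pool ** len(pw) if pool else 0


def pattern_guesses(pw: str) -> int:
    """Pattern-aware estimate: if the password is a dictionary word (lowercase or
    Capitalised) followed by 1-4 digits, only the word choice, the case variant
    and the digit suffix have to be guessed.  Anything else falls back to naive."""
    m = SUFFIX.fullmatch(pw)
    if m:
        word, digits = m.groups()
        if word.lower() in COMMON_WORDS and (word.islower() or word.istitle()):
            structured = len(COMMON_WORDS) * 2 * 10 ** len(digits)
            return min(structured, naive_guesses(pw))
    return naive_guesses(pw)


def bits(guesses: int) -> float:
    """Entropy-style figure of the kind strength meters display."""
    return math.log2(guesses) if guesses > 0 else 0.0


def strength_report(pw: str) -> dict:
    """Both estimates side by side, with seconds at the assumed guess rate."""
    naive = naive_guesses(pw)
    patt = pattern_guesses(pw)
    return {
        "password": pw,
        "naive_bits": round(bits(naive), 1),
        "pattern_bits": round(bits(patt), 1),
        "naive_seconds": naive / GUESSES_PER_SECOND,
        "pattern_seconds": patt / GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    # Constructed sample passwords: two follow the word+digits pattern, one does not.
    for candidate in ("Summer23", "password1", "xK9#qzL2"):
        r = strength_report(candidate)
        print(f"{r['password']:<10} naive {r['naive_bits']:>5} bits "
              f"({r['naive_seconds']:.3g} s)   pattern-aware {r['pattern_bits']:>5} bits "
              f"({r['pattern_seconds']:.3g} s)")
```

The gap is the whole point: the naive scorer gives "Summer23" about 48 bits, while the pattern-aware count is about 10 bits (six words, two case variants, a hundred suffixes), which is why a meter that never looks at structure can call such a password strong. A real meter would use a large wordlist and many more rules, but the shape of the calculation is the same.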
More Articles by Anthony Lawrence © 2015-03-12 Anthony Lawrence
Mon Dec 1 14:32:03 2014: 12560 MikeGarmann
This is where a good password manager like KeePass will come in handy.
Mon Dec 1 15:13:17 2014: 12561 TonyLawrence
I disagree strongly. Password managers are dangerous for two reasons: if you lose your computer and its password is breached, you lose everything. If it isn't breached, unless the data is online, you have lost access to everything.
A far better way is what I describe at (link)
Mon Dec 1 18:39:58 2014: 12562 MikeGarmann
> If you lose your computer and its password is breached, you lose everything. If it isn't breached, unless the data is online, you have lost access to everything.
> ONLINE is even worse if it is storing your data out there. But it probably is not: your "secret" passwords are likely stored locally. Which means they are vulnerable to theft and damage.
Very good points.
One thing that is nice about the password manager is that you can use it to store other, nonpassword information that certain sites may need:
- answers to those stupid wish-it-was-two-factor "security questions" most financial sites insist on using.
(I typically use a random string of 16 hex digits)
- TANs/account recovery OTPs for sites that implement proper two factor authentication
Maybe I am sacrificing too much on the altar of convenience?
Some things I do to mitigate the "all my eggs in one basket" issue:
1. Separate password databases for my categories of passwords:
- Bank & Bills (electricity, internet, bank, IRA, ...)
- Internal Passwords (computer passwords, network passwords, router, ...)
- "Important Websites" (Amazon, Gmail, ...)
- "Not-so-important Sites" (Digg, Reddit, various blogs...)
- Work
(obviously #1-4 are not on my work computer and #5 is not on any of my personal computing devices)
2. Separate pass phrases for each database
(I actually use an algorithm similar to the one you mentioned in the linked site to generate nondictionary gibberish words for the pass phrases.)
3. BACKUP, BACKUP, TEST+BACKUP
- databases backed up weekly to two different devices
- periodically test the backed up databases
(As a side note, I noticed that the weak passwords from "The Tragic Password Mistake Hackers Are Hoping You'll Make" are all marked as "strong" on the Kaspersky site... Hmmm... One thing that is disconcerting to me is the lack of consensus on how to create secure passwords, especially with software like HashCat that can be programmed to take common password patterns into account to dramatically reduce the combinations to brute-force...)
Mon Dec 1 18:44:39 2014: 12563 TonyLawrence
I don't know. You certainly are doing the right things, but I think convenience always leads to danger. I'd rather use my method.
Mon Dec 1 19:34:21 2014: 12564 TonyLawrence
By the way, the samples don't come off all that well at Kaspersky. A few months for Conficker.
Is your password safe? Copyright © December 2014 Tony Lawrence