APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Is your password safe?


Some material is very old and may be incorrect today

© December 2014 Anthony Lawrence

2014/12/01

I was interested to read "The Tragic Password Mistake Hackers Are Hoping You'll Make", which talks about falling into the trap of using common patterns like always ending your passwords with two or three numbers. I had noticed people doing that a long time ago and assumed that laziness would make it that much easier for a password cracker to break the code.

What I did not realize is that few password checkers really do a good job analyzing passwords. According to that article, only Kaspersky saw the author's own password as weak; all the others, including Gmail, said it was strong.

Of course I headed right over to check a few of my own passwords and was happy to see that the Kaspersky checker approved:


This one came up with 29 years for the Tianhe-2 Supercomputer to brute force crack it, though some of mine scored 119 centuries on that machine. I guess that's good enough for now :)
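Why a checker can call a patterned password "strong" comes down to what it counts. Most meters compute character-class entropy: every character is treated as an independent draw from the pool of classes used, so a capitalised dictionary word with two digits on the end looks almost as good as a random string of the same length. A cracker does not guess it that way: it takes a word from a list, tries a capital first letter, and appends 00-999. The following Python estimator is an added example, not code from the article or from any of the checkers it mentions; it puts the naive score beside a pattern-aware one. The tiny wordlist, the assumed 100,000-entry attacker wordlist, the per-rule bit costs, and the verdict bands are all assumptions made for illustration.

```python
import math
import re

# Constructed stand-in for the wordlist a real meter would load (assumption:
# a handful of entries is enough to recognise the sample passwords below).
COMMON_WORDS = {
    "password", "welcome", "summer", "winter", "monkey", "dragon",
    "letmein", "qwerty", "baseball", "football", "sunshine", "princess",
}
# Assumption: the attacker's list has ~100k words, so picking the base word
# costs log2(100000) ~= 16.6 bits no matter how long the word is.
WORDLIST_SIZE = 100_000
TRAILING_SYMBOLS = "!@#$%^&*?."
# Common substitutions a rule-based cracker undoes: @->a $->s 0->o 1->l 3->e |->l
LEET = str.maketrans("@$013|", "asolel")
# Shape: optional capital, a (lazily matched) word that may contain leet
# characters, up to four trailing digits, and at most one trailing symbol.
WORD_RE = re.compile(
    r"^([A-Z]?)([a-z@$013|]+?)(\d{0,4})([" + re.escape(TRAILING_SYMBOLS) + r"]?)$"
)


def naive_bits(pw: str) -> float:
    """Character-class entropy: length * log2(size of the pool of classes used)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0


def pattern_bits(pw: str) -> tuple[float, list[str]]:
    """Charge each recognised mangling rule what it costs an attacker to try.

    Falls back to the naive score when the password is not word + digits + symbol.
    """
    m = WORD_RE.match(pw)
    if not m:
        return naive_bits(pw), []
    cap, word, digits, sym = m.groups()
    raw = (cap + word).lower()
    base = raw.translate(LEET)
    if base not in COMMON_WORDS:
        return naive_bits(pw), []
    patterns = [f"dictionary word {base!r}"]
    bits = math.log2(WORDLIST_SIZE)
    if cap:
        bits += 1  # capitalise-first-letter rule: one binary choice
        patterns.append("capitalised first letter")
    if raw != base:
        bits += 2  # assumption: a few leet rules, ~2 bits to pick one
        patterns.append("leetspeak substitutions")
    if digits:
        bits += len(digits) * math.log2(10)  # appended 0-9 per position
        patterns.append(f"{len(digits)} trailing digits")
    if sym:
        bits += math.log2(len(TRAILING_SYMBOLS))  # one symbol from a short list
        patterns.append("trailing symbol")
    return bits, patterns


def verdict(bits: float) -> str:
    """Assumed bands; the numbers are illustrative, not any product's scale."""
    if bits < 28:
        return "very weak"
    if bits < 36:
        return "weak"
    if bits < 60:
        return "reasonable"
    return "strong"


def assess(pw: str) -> dict:
    """Side-by-side report of the naive and pattern-aware estimates."""
    n = naive_bits(pw)
    p, pats = pattern_bits(pw)
    return {
        "naive_bits": round(n, 1), "naive_verdict": verdict(n),
        "pattern_bits": round(p, 1), "pattern_verdict": verdict(p),
        "patterns": pats,
    }


if __name__ == "__main__":
    # Constructed sample passwords: three patterned ones and one random one.
    for sample in ["Summer14", "Password123!", "P@ssw0rd", "x7Q!bL2w"]:
        print(sample, assess(sample))
```

"Password123!" scores about 79 bits naively and "strong", but under 31 bits and "weak" once the word, the capital, the three digits and the symbol are each charged as a cracker's rule; the random "x7Q!bL2w" scores the same either way, which is the point: only the patterned passwords are being flattered.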










5 comments









Mon Dec 1 14:32:03 2014: 12560   MikeGarmann



This is where a good password manager like KeePass will come in handy.





Mon Dec 1 15:13:17 2014: 12561   TonyLawrence



I disagree strongly. Password managers are dangerous for two reasons: if you lose your computer and its password is breached, you lose everything. If it isn't breached, unless the data is online, you have lost access to everything.

A far better way is what I describe at (link)



Mon Dec 1 18:39:58 2014: 12562   MikeGarmann



> If you lose your computer and its password is breached, you lose everything. If it isn't breached, unless the data is online, you have lost access to everything.

> ONLINE is even worse if it is storing your data out there. But it probably is not: your "secret" passwords are likely stored locally. Which means they are vulnerable to theft and damage.


Very good points.

One thing that is nice about the password manager is that you can use it to store other, nonpassword information that certain sites may need:
- answers to those stupid wish-it-was-two-factor "security questions" most financial sites insist on using.
(I typically use a random string of 16 hex digits)

- TANs/account recovery OTPs for sites that implement proper two factor authentication

Maybe I am sacrificing too much on the altar of convenience?

Some things I do do to mitigate the "all my eggs in one basket" issue:

1. Separate password databases for my categories of passwords:
- Bank & Bills (electricity, internet, bank, IRA, ...)
- Internal Passwords (computer passwords, network passwords, router, ...)
- "Important Websites" (Amazon, Gmail, ...)
- "Not-so-important Sites" (Digg, Reddit, various blogs...)
- Work
(obviously #1-4 are not on my work computer and #5 is not on any of my personal computing devices)

2. Separate pass phrases for each database
(I actually use an algorithm similar to the one you mentioned in the linked site to generate non-dictionary gibberish words for the pass phrases.)

3. BACKUP, BACKUP, TEST+BACKUP
- databases backed up weekly to two different devices
- periodically test the backed up databases

(As a side note, I noticed that the weak passwords from "The Tragic Password Mistake Hackers Are Hoping You'll Make" are all marked as "strong" on the Kaspersky site... Hmmm... One thing that is disconcerting to me is the lack of consensus on how to create secure passwords, especially with software like HashCat that can be programmed to take common password patterns into account to dramatically reduce the combinations to brute-force...)



Mon Dec 1 18:44:39 2014: 12563   TonyLawrence



I don't know. You certainly are doing the right things, but I think convenience always leads to danger. I'd rather use my method.



Mon Dec 1 19:34:21 2014: 12564   TonyLawrence



By the way, the samples don't come off all that well at Kaspersky. A few months for Conflicker.
