Fresh look at password strength



linw
16-06-2012, 03:42 PM
Found this article thought-provoking: http://ask-leo.com/how_do_i_choose_a_good_password.html?awt_l=Gi3yJ&awt_m=It1DWVlC5ZdfbL

Seems as if size is important :D

pctek
16-06-2012, 04:25 PM
Yes, one page of text as a password should do it.

8ftmetalhaed
16-06-2012, 07:49 PM
I have multiple passwords that I use and cycle around and retire as I feel necessary.

I think the next set of passwords I come up with will be something along these lines. I've run into this before though, I tried using a looong passphrase and the system wouldn't let me, hah.
That said, systems seem to be acknowledging the necessity of it now.

"Applejack is indeed the silliest and best of all ponies".

Nick G
16-06-2012, 08:19 PM
Yes, one page of text as a password should do it.
For a weaker password maybe :D

adslgeek
19-06-2012, 08:03 AM
I was really impressed with LastPass; most of my passwords are now 16 characters long, a randomly generated mix of upper and lower case and special characters.

www.lastpass.com

linw
19-06-2012, 11:48 AM
That should keep the cracker going for long enough!!

The interesting thing, though, is that you can use a memorable one so long as it throws in a couple of char sets (capitals, lower case, special chars) and the password is a reasonable size. Something like ".......Password......" is still an extremely strong one.

1101
19-06-2012, 12:52 PM
It's BS; the real world is a bit different.
I worked in a company that enforced a pretty strict password policy:
No names, must be 8+ characters, must have numbers etc. in it, changes every 6 weeks, new password must be completely different to the old pass.

So what actually happened was the passwords became too complex & changed too often for staff to remember.
So.. some guys were constantly ringing IT to have the pass changed because they forgot it
But most simply wrote down the ever changing password on a bit of paper near the monitor
So much for password security then.. :badpc:

All you really need is to break up the password with 2+ numbers in the middle. And a good hardware firewall.
Be more afraid of trojans/keyloggers.

decibel
19-06-2012, 08:39 PM
...I worked in a company that enforced a pretty strict password policy...

And how many log-on attempts did they allow you before you were locked out??

If the number is kept small and you are locked out for ever-increasing intervals, passwords can be as weak as.

adslgeek
19-06-2012, 10:24 PM
For my usual passwords I have a pass phrase like

Hollywood has stars like Tom Hanks

To convert to HhslTH and then a number phrase.

I am a geek so I have used the Major memory system (eg 1=T or D 2=N etc) and convert the site I am connecting to into a number sequence. And then add a special character at the end.

It is surprisingly easy once you have the method down pat.

It allows for memorable, caps, numbers and special characters, and it's stable.

But like I said I am a bit of a geek...


Doesn't work against the rolling password changes though.

Telecom had that on a lot of their apps and it was crazy 'cause you have like 30 apps to remember passwords for and rotating passwords. Can't reuse the same pass for the last 12 changes etc.

tmrafi
20-06-2012, 10:39 AM
All password policies are banal.
XKCD got it right with this comic (http://imgs.xkcd.com/comics/password_strength.png)

linw
20-06-2012, 11:38 AM
The article referenced does not apply to the manual login where a three strikes and you're out often applies. Or to the post-it note problem at the desktop.

It applies to the scenario where sites get cracked and the whole password files are copied, e.g. Sony, LinkedIn, etc. Brute force cracking is where length comes in.

ALL these companies should use salted hash tables as well. This makes it even harder to crack.
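A worked illustration of the two points made in this thread, the length-versus-character-set argument (compare ".......Password......" with a short "complex" password) and the salted, iterated hashing a site should store instead of raw hashes. This is an added example, not code from any poster or from the linked article; the offline guess rate, the PBKDF2 iteration count and the 16-byte salt are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Character classes an offline cracker must cover once it sees them used.
# string.punctuation holds 32 symbols; space is left out for simplicity.
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), 32),
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password):
    """Alphabet size implied by the classes actually present in the password."""
    return sum(size for chars, size in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def keyspace_bits(password):
    """log2 of the number of candidates of this length over that alphabet."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def salted_hash(password, salt=None, iterations=200_000):
    """Return (salt, digest); a fresh random salt defeats precomputed hash tables."""
    salt = salt if salt is not None else secrets.token_bytes(16)  # assumed salt size
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, digest, iterations=200_000):
    """Constant-time comparison of a candidate against the stored salt+digest."""
    return hmac.compare_digest(salted_hash(password, salt, iterations)[1], digest)


if __name__ == "__main__":
    rate = 1e10  # assumed guesses/second against a leaked fast-hash file
    for pw in ["Passw0rd!", ".......Password......"]:
        b = keyspace_bits(pw)
        print(f"{pw!r:26} {len(pw):2} chars {b:6.1f} bits {years_to_exhaust(b, rate):.3g} years")
    salt, digest = salted_hash("correct horse battery staple")
    print(verify("correct horse battery staple", salt, digest), verify("Tr0ub4dor&3", salt, digest))
```

Two users choosing the same password get different digests because each gets its own salt, which is what stops one cracked hash from unlocking every account that shares that password.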