Guideline for a good password

[NullSmurf]

Statistically, about 8% of you are using "password". Another 25% are using a proper name, your wife, child, pet, or something easily remembered, but easily guessed. The rest of you are using something else, something not so easily guessed, but is it a good password? Several members of this board have had their accounts compromised. How many of you know someone whose eBay account, Paypal, or some credit card account "cracked"? I think these are good suggestions, shamelessly copied in part from Dieter Faulbaum.

Some hints (from the Internet) how to build a good password:

It should never:

be an entry in a dictionary (of any language)
be trivial like "ABC"
include your own (nick-)name or the name of any member of your family
be composed of (`own') telephone numbers or birthdays
contain the name of an institution (school, work, etc)
comprise a (last) name of a well known personality, town, place, building or firm
build with proper names and popular fictional names (Bond, Enterprise, etc.)
consist of keys next to each other, like: qwerty(z), mnbvcx or 12345 and so on
embody a computername, a user identifier or parts of those
be made up of acronyms or abbreviations
be readable backward (reteid, reteiD, ...)
be modified by pre- or suffixing a number or any other (special) character (dieter09, 7dieter, .dieter$, %dieter, ...)
note: another 25% of you are NOW using this scheme​

it should:

be built of 8 characters
not only consist of alphabetic characters but also of special characters and/or numbers
contain at most two equal consecutive characters
be easy to memorize, simply because it should not be written down
be as complicated as possible​

it could:

consist of a (totally) wrong written word
enclose more than one word
be one word embedded in another
A Build by a "pass-phrase": make up a sentence like "A cat sits curled up on the roof."; now take the initials of each word Acscuotr.
replace some words by visual assimilable special characters curled up => @
roof => ^
and the new password results in Acs@ot^.

​

By the way, someone I know JUST YESTERDAY had his PP account cracked.

Some common hack methods include the "dictionary" attack - a guessing game running through the more common words in the dictionary. Second, is the brute force attack. Brute force starts with "a" and works its way up to "zzzzzzzzz", trying every combination in between. CP's host software, Invision Power Board has relatively advanced security protocols, including password lockout. After x number of guesses (wrong guesses), the account is locked out for some period of time, including permanently. That effectively counters dictionary and brute force attacks.

However, if a hacker wants you, he can still get you with patience. PLEASE, on your sensitive accounts, beef it up! I used to use variations of some of my old addresses.

1357 Maybell Street can become
1357mayb
!357m@yb
1357MaYb

You get the idea. Remember, almost all passwords are case sensitive. NOW is the time to get secure, Brothers

 

[cookie_1978]

Bruce - Great post. I know I am guilty of some of the pitfalls. Time to change some passwords.

 

[mrjinglesusa]

Another piece of advice, if you frequent many forums or websites that require a password, use multiple passwords, not the same one for every website.

For example, I generally have one password I use for forums, one I use for my banking websites, and one I use for other website merchants that may require a password.

In other words, compartmentalize things so if someone hacks your CP account, they do not obtain a password they can use to access every website you may frequent.

For added protection, take advantage of other security measures your banking websites may offer such as requiring you to also enter a 6 digit code sent to your cell phone or generated by a keyfob (e.g., PayPal/Ebay).

 

[MilesMingusMonk]

Several members of this board have had their accounts compromised.

CigarStone's issue was not an isolated incident? ???

Timely advice Bruce - thanks for the suggestions.

 

[NullSmurf]

Several members of this board have had their accounts compromised.

CigarStone's issue was not an isolated incident? ???

Timely advice Bruce - thanks for the suggestions.

Nothing recent, Kirk. I may also be lumping incidents I've heard of on other boards as well.

 

[grateful1]

Nothing recent, Kirk. I may also be lumping incidents I've heard of on other boards as well.

Which leads to the answer of: why do we use different passwords for different accounts!? :thumbs:

 

[BlindedByScience]

A tool I use all the time is Password Safe. Use it for a while and it's one of those "can't do without" tools. You have to remember one "safe" combination to access your password database. It keeps and stores your passwords in a very simple to "cut and paste" form and will auto type user names and passwords right onto web logon pages for you. This way, you don't have to leave "auto complete" on which of course logs you into any page you've logged into in the past automatically. Another issue is that AutoComplete keeps passwords in a less than secure file format.. PasswordSafe stores your passwords in a heavily encrypted database so even if someone gets your password file, it will do them no good whatsoever.

Best yet - if you wish, it generates very random passwords for you when you create new database entries. Passwords like:

Vrb7HvEF
NOOt5qnq
CLd7AYU5

....etc. Guess that one, I dare you.... :whistling:

This makes it completely easy to have different, fully random, passwords for every site you visit. It works great, and it's free. One of my "go to" programs....

Cheers - T.L.

 

[NDFI]

Very good post! Thanks for the link BBS, I'm going to check that out!

 

[JHolmes763]

Here's something similar to a method I use:

1. Pick a favorite word, name or something with at least a couple of syllables. We'll use "detroit pistons" in this example.
2. Pick a favorite number. We'll use 7.
3. Pick a favorite special character, other than whatever shift-<choice #2> is. We'll use [ in this case.

Password consists of #3, first word/syllable of #1, #2, shift-#2, second word/syllable of #1, #2, shift-#2, #3.

Sounds complicated, but it's an easy process once you come up with all 3 things. So in this case, the password would be:

[Detroit7&Pistons7&[

Notice how the first letter of the word/syllable is capitilized, too. You can vary the word or number easily when you have to change passwords or come up with one for another site. This leaves you with a relatively easy to remember password based upon something you like, but is comprised of 20 hard to guess characters (in this case).

Not as safe as something completely random, but a whole lot easier to remember, imo.


Another method is to get out of the pass"word" mentality and use a pass"phrase". Type out a sentence: "I took Sally out behind the barn!" as you're passphrase. Include the quotes for the hell of it just to make it more complicated to guess. Or something like "In 1994 I ran in my first 10K race!", which is somehow related to something you've done, but who's going to guess that as a passphrase??

---John Holmes...

 

[NullSmurf]

Good one, Tom. I'm playing with it now as a replacement for my passwords spreadsheet (encrypted and passworded, of course!).

 

[grateful1]

Just send me the passwords for all of your accounts - with the user name and login page - and I'll convert them to secure passwords!!!


:whistling:

 

[bfreebern]

So is MattRblowsgoats a good password or not?

 

[NullSmurf]

So is MattRblowsgoats a good password or not?

Nah, too simple. M@ttRbl0ws2m@nyg0t$ is much better.

 

[Devil Doc]

Thanks Bruce for all the assistance in this imbroglio. You get the big E

 

[grateful1]

Thanks Bruce for all the assistance in this imbroglio. You get the big E

He get's a fair?


???

 

[Devil Doc]

Bruce knows what it means. You're obviously not a Sailor. Search is your friend

Doc.

 

[NullSmurf]

I got it right away, Chief. I had to look up imbroglio though. :laugh:

 

[Rod]

Several members of this board have had their accounts compromised.

Good post Bruce, except one inaccuracy. This is the only incident in the past 8 years that someone has had their account compromised. Just wanted to make that very clear - we have MD5 password encryption setup on the server. If someone were to hack CP and download the database (virtually impossible), there is no such way to decrypt an MD5 encrypted password. The only way someone can log into someone else's account is if the other person knows their password (easy to guess for instance). Other than that, good luck.

 

[NullSmurf]

Several members of this board have had their accounts compromised.

Good post Bruce, except one inaccuracy. This is the only incident in the past 8 years that someone has had their account compromised. Just wanted to make that very clear - we have MD5 password encryption setup on the server. If someone were to hack CP and download the database (virtually impossible), there is no such way to decrypt an MD5 encrypted password. The only way someone can log into someone else's account is if the other person knows their password (easy to guess for instance). Other than that, good luck.

Sorry Rod, that should have read that several members of cigar boards, not several CP'ers. A hacker would have to have root access to attempt that kind of hack. Even then, it would take days and a LOT of CPU to crack 64 bit MD5. I was referring to guess attempts here and elsewhere.

 

[JHolmes763]

If someone were to hack CP and download the database (virtually impossible), there is no such way to decrypt an MD5 encrypted password.

I wouldn't take any bets on that. If you're on a shared server, there are ways into other people's databases. Even a dedicated server needs a hosting company to run it. Plus there are vulnerabilities within all programs like IPB which could lead to unauthorized database access. Not to mention there are tables and tables of MD5 hashes out there for reversing what's been saved by IPB.

Not very likely, sure, but never say never.