Coming up with a password that is very strong.

Coming up with a password that is very strong.

Dale-46
Howdy,

Some may recall me mentioning using LastPass to manage my passwords. 
Obviously, it can generate very strong passwords that are different for
each site.  It can also remember them as well which makes things more
secure than using just a few passwords for all sites.  One for things
like financial sites, maybe a less secure one for some site you still
want reasonably secure and an even weaker one for sites you don't care
about hacking, and hackers likely won't either.  I know some people who
do this even today.  Heck, ages ago, I was one of them.  Things change
tho.  Some passwords can be hacked in seconds by a desktop computer,
including my own if I had the software and knowledge to do it. 

The one thing about most all password managers, they have a master
password.  That one password unlocks the rest.  Trick is, having that
one be a good one that is easy to remember, type on a keyboard and be
secure, virtually unhackable but also unforgettable.  I've had what used
to be a strong password for a while.  Thing is, with today's computing
power, it really isn't anymore.  While no one could just guess it, it
could be cracked/hacked I'm sure.  I need to come up with a new one that
meets the requirements I just mentioned.  Strong, easy to remember, easy
to type but won't forget.  I've read that using maiden names, years of
birth or whole dates of birth, actual names, pet's name, words in a
dictionary and a whole list of other things makes it easier, especially
if you post a lot on social media, for hackers to use against you.  I'm
trying to avoid that sort of thing obviously and have a couple ideas but
am curious as to what method others use, without exposing too much detail
since this is public. 

How do you, especially those who admin systems that are always being
hacked at, generate strong passwords that meet the above?  I've googled
and found some ideas but if I use the same method, well, how many others
are using that same method, if you know what I mean.  ;-)  Just looking
for ideas. 

Thanks much.

Dale

:-)  :-) 

P. S.  I haven't had time to deal with the video thing in previous
thread.  It's on my todo list still.  :-( 

Re: Coming up with a password that is very strong.

Peter Humphrey-3
On Monday, 4 February 2019 05:47:35 GMT Dale wrote:

> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?  I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean.  ;-)  Just looking
> for ideas.

You could use a password generator to keep creating random passwords until it
comes up with something you like the look of, then learn it by rote. I did
that some time ago - it must be about time I did it again to make another one.

--
Regards,
Peter.




Re: Coming up with a password that is very strong.

Neil Bothwick
On Mon, 04 Feb 2019 10:24:27 +0000, Peter Humphrey wrote:

> > How do you, especially those who admin systems that are always being
> > hacked at, generate strong passwords that meet the above?  I've
> > googled and found some ideas but if I use the same method, well, how
> > many others are using that same method, if you know what I
> > mean.  ;-)  Just looking for ideas.  
>
> You could use a password generator to keep creating random passwords
> until it comes up with something you like the look of, then learn it by
> rote. I did that some time ago - it must be about time I did it again
> to make another one.
https://xkcd.com/936/


--
Neil Bothwick

There's too much blood in my caffeine system.

Re: Coming up with a password that is very strong.

Nikos Chantziaras-2
In reply to this post by Dale-46
On 04/02/2019 07:47, Dale wrote:
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?  I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean.  ;-)  Just looking
> for ideas.

I don't use a password manager. For website logins, I just use the
password manager in the browser (Firefox), which does not use a master
password :-P I just assume my own system is not going to be compromised.

For the websites I use, I generate a unique password per site using this
command:

$ pwmake 128

This generates a password using 128 bits of entropy from /dev/urandom.
You need dev-libs/libpwquality to be installed (it's a dep of something
important, I think, so should be installed on most systems already.)

For remote systems I administer through SSH, I don't use passwords. I
use a public/private key pair to log in (4096 bits.) My private key is
protected with a strong password though, but it's easy to remember since
it doesn't need to change. Something like:

ilp&mac4d@4*r

Which is short for:

I like pizza and macaroni for dinner at four star restaurants.


Re: Coming up with a password that is very strong.

Mick-10
In reply to this post by Neil Bothwick
On Monday, 4 February 2019 10:37:03 GMT Neil Bothwick wrote:

> On Mon, 04 Feb 2019 10:24:27 +0000, Peter Humphrey wrote:
> > > How do you, especially those who admin systems that are always being
> > > hacked at, generate strong passwords that meet the above?  I've
> > > googled and found some ideas but if I use the same method, well, how
> > > many others are using that same method, if you know what I
> > > mean.  ;-)  Just looking for ideas.
> >
> > You could use a password generator to keep creating random passwords
> > until it comes up with something you like the look of, then learn it by
> > rote. I did that some time ago - it must be about time I did it again
> > to make another one.
>
> https://xkcd.com/936/
Not strictly true ... the crackers would probably use rainbow tables attacks
first.  Also, it isn't fair to compare an 11 character passwd against a 25
character passwd.  For the *same* number of characters used in any given
passwd, a random lower/upper/numerical/symbol passwd will provide an
exponentially higher degree of difficulty in cracking it with brute force,
than one which uses only lower case dictionary words.  Anyway, these days many
attacks are focused on OS or hardware vulnerabilities which have been baked in
by design, rather than brute force attacks.

Any financial company worth their salt is employing 2-factor authentication
and account lockups to stop brute forcing of users credentials.  So, guarding
against your own OS compromise is more important than individual website
credentials.

You will be surprised how many people are still using passwds like:

password
password1
arsenal
manchesterunited2018
fido

on websites which store their credit card details.  O_O

You may want to take a look at app-admin/apg and to mitigate against your
CPU's lack of randomness use sys-apps/haveged.  Combining multiple outputs of
apg should arrive at a passwd which is more secure than not.

--
Regards,
Mick

Re: Coming up with a password that is very strong.

Nikos Chantziaras-2
On 04/02/2019 13:17, Mick wrote:
> You will be surprised how many people are still using passwds like:
>
> password
> password1
> arsenal
> manchesterunited2018
> fido
>
> on websites which store their credit card details.  O_O

A friend of mine used "********" as a password because it matched what
was being shown on the screen while typing it, and thus no one would
ever be able to figure that one out. He thought he was being very smart.


Re: Coming up with a password that is very strong.

Neil Bothwick
In reply to this post by Mick-10
On Mon, 04 Feb 2019 11:17:13 +0000, Mick wrote:

> > https://xkcd.com/936/ 
>
> Not strictly true ... the crackers would probably use rainbow tables
> attacks first.  Also, it isn't fair to compare an 11 character passwd
> against a 25 character passwd.  For the *same* number of characters
> used in any given passwd, a random lower/upper/numerical/symbol passwd
> will provide an exponentially higher degree of difficulty in cracking
> it with brute force, than one which uses only lower case dictionary
> words.  Anyway, these days many attacks are focused on OS or hardware
> vulnerabilities which have been baked in by design, rather than brute
> force attacks.
I'm not sure xkcd is meant to be taken that seriously...


--
Neil Bothwick

Help a man when he is in trouble and he will remember you when he is in
trouble again

Re: Coming up with a password that is very strong.

Rich Freeman
On Mon, Feb 4, 2019 at 8:21 AM Neil Bothwick <[hidden email]> wrote:

>
> On Mon, 04 Feb 2019 11:17:13 +0000, Mick wrote:
>
> > > https://xkcd.com/936/
> >
> > Not strictly true ... the crackers would probably use rainbow tables
> > attacks first.  Also, it isn't fair to compare an 11 character passwd
> > against a 25 character passwd.  For the *same* number of characters
> > used in any given passwd, a random lower/upper/numerical/symbol passwd
> > will provide an exponentially higher degree of difficulty in cracking
> > it with brute force, than one which uses only lower case dictionary
> > words.  Anyway, these days many attacks are focused on OS or hardware
> > vulnerabilities which have been baked in by design, rather than brute
> > force attacks.
>
> I'm not sure xkcd is meant to be taken that seriously...
>

IMO xkcd has treated the situation more seriously than some of the
replies here...

Obviously words from a dictionary have less entropy per character than
random characters do, but the xkcd cartoon already takes this into
account.

For the same number of bits of ENTROPY a random password provides the
exact same level of security as one based on words.

To obtain that entropy through words requires more characters of
course.  However, the whole point of the cartoon is that our brains
are much better at remembering words than random characters, since we
have a big chunk of grey matter evolved to do exactly that which is
more sophisticated than any computer on the planet so far.

Now, if you have some brain-dead software which only accepts 8
character passwords then you would obviously do better to use random
characters (truly random - not picking the most pleasing-looking
random password out of a list) than to try to cram one or two words in
there.  Likewise, if you're using a password manager and want to
maximize entropy per bit of storage/transmission then random passwords
are better since words provide no utility.

However, if you want to obtain the highest number of bits of entropy
for a password that is memorized, xkcd makes a compelling argument
that you're better off with a longer password composed of words,
because they let you cram more entropy into your brain.  Two bits from
a dictionary might be the same as two bits from 1/3rd of a random
character to a brute force cracking engine, but they aren't the same
to your brain.  Xkcd isn't doing a like-for-like comparison, because
the two categories aren't alike.

--
Rich
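To put numbers on the two posts above (Nikos's `pwmake 128`, which sizes a random password by bits of entropy, and Rich's point that the same number of bits is the same strength whether it comes from characters or from words), here is an added example that is not part of the thread and not pwmake's or LastPass's code. It uses Python's `secrets` module as the random source; the eight-word `SAMPLE_WORDS` list is a constructed stand-in for a real diceware list (7776 words), and the 7776 figure is only used for the arithmetic.

```python
import math
import secrets
import string

# Alphabets in the spirit of pwmake-style output. The size of the alphabet,
# not the look of the password, fixes the entropy per character.
ALPHABETS = {
    "lower": string.ascii_lowercase,                                         # 26 symbols
    "alnum": string.ascii_letters + string.digits,                           # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}

# Constructed stand-in for a word list. A real diceware list has 7776 words
# (about 12.9 bits per word); this eight-word list gives only 3 bits per word and
# exists so the block runs offline, which is why the sample phrase needs so many words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "anvil", "cobalt", "lantern", "meadow"]

DICEWARE_SIZE = 7776


def entropy_bits(symbol_count, alphabet_size):
    """Entropy of `symbol_count` symbols drawn uniformly from `alphabet_size` choices."""
    return symbol_count * math.log2(alphabet_size)


def length_for_entropy(bits, alphabet_size):
    """Fewest uniformly random symbols that reach at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def random_password(bits, alphabet):
    """Random characters from `alphabet`, long enough for `bits` of entropy (CSPRNG via secrets)."""
    n = length_for_entropy(bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def random_passphrase(bits, words):
    """Random words from `words`, enough of them for `bits` of entropy."""
    n = length_for_entropy(bits, len(words))
    return " ".join(secrets.choice(words) for _ in range(n))


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every value of a `bits`-bit uniform secret; expected time is half of this.
    The rate is the attacker's: it depends on the hash and the hardware, not on the password."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        pw = random_password(128, alphabet)
        print(f"{name:9s} {len(pw):2d} chars  {pw}")
    print("diceware words for 128 bits:", length_for_entropy(128, DICEWARE_SIZE))
    print("sample phrase, 24 bits     :", random_passphrase(24, SAMPLE_WORDS))
    # The xkcd 936 comparison: 4 words from a 2048-word list vs 11 random printable characters.
    for label, bits in (("4 common words", entropy_bits(4, 2048)),
                        ("11 random printable", entropy_bits(11, 94))):
        years = years_to_exhaust(bits, 1000)
        print(f"{label:20s} {bits:5.1f} bits  {years:.3g} years at 1000 guesses/s")
```

The only thing the "time to crack" figures from online checkers add to this arithmetic is a guessed attacker rate, and that rate is set by the site's hashing and the attacker's hardware, which the password's owner cannot see.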

Re: Coming up with a password that is very strong.

Laurence Perkins
In reply to this post by Dale-46


On Sun, 2019-02-03 at 23:47 -0600, Dale wrote:
>
>
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?  I've
> googled
> and found some ideas but if I use the same method, well, how many
> others
> are using that same method, if you know what I mean.  ;-)  Just
> looking
> for ideas.
>
> Thanks much.
>
> Dale
>
> :-)  :-)
>
> P. S.  I haven't had time to deal with the video thing in previous
> thread.  It's on my todo list still.  :-(
>

Take 80 to 100 characters of something you already have memorized.
Poetry, bible verses, RFCs, pages of the phone book, digits of pi out
of the middle, whatever.  Run it through a transposition, substitution,
or combination cipher that you can calculate in your head on-the-fly.
(Do avoid the substitutions that everyone uses since those will be
tried first.)

Now you only need to remember a pointer to the memorized section, the
length, and the cipher specification.  There are enough possible
combinations that an attacker won't be able to make a meaningful
reduction in entropy by examining your social media.

As an example:  The second paragraph of Hamlet's soliloquy and invert
the case based on whether the corresponding digit of e is odd or even.

LMP
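A worked version of the recipe above, added here as an example and not Laurence's own code: take a memorized text, apply a keyed case inversion (odd digit of e flips the letter's case) and optionally a columnar transposition, and drop spaces so the result can be typed. The `MEMORIZED` string is a constructed stand-in (the opening of the Hamlet soliloquy rather than the "second paragraph"), the rule that only letters consume key digits is this example's own choice, and the 50 digits of e are the public constant.

```python
# Keystream: decimal digits of e after the point (first 50; a public constant).
E_DIGITS = "71828182845904523536028747135266249775724709369995"

# Constructed stand-in for "something you already have memorized".
MEMORIZED = ("To be, or not to be, that is the question: Whether 'tis nobler in the mind "
             "to suffer the slings and arrows of outrageous fortune")


def keyed_case_flip(text, digits):
    """Invert the case of every letter whose key digit is odd.
    Assumption of this example: only letters consume key digits, so punctuation
    and spaces do not burn key material. The key repeats if the text is longer."""
    out, k = [], 0
    for ch in text:
        if ch.isalpha():
            if int(digits[k % len(digits)]) % 2 == 1:
                ch = ch.swapcase()
            k += 1
        out.append(ch)
    return "".join(out)


def columnar(text, width):
    """Write `text` in rows of `width` characters and read it back column by column
    (a transposition the author can do in their head for small widths)."""
    return "".join(text[i::width] for i in range(width))


def derive(text, digits=E_DIGITS, length=90, width=None):
    """Pointer (which text) + length + cipher spec -> password.
    Spaces are removed after the cut so the result types cleanly."""
    chunk = text[:length].replace(" ", "")
    flipped = keyed_case_flip(chunk, digits)
    return columnar(flipped, width) if width else flipped


if __name__ == "__main__":
    print(derive(MEMORIZED))              # substitution only
    print(derive(MEMORIZED, width=7))     # substitution then transposition
```

What the attacker has to guess is the pointer and the rule, not the letters themselves; the text is assumed public, so the strength rests entirely on how many texts and rules they would have to try, which is why Laurence's advice to avoid the substitutions everyone uses matters: cracking tools try the common ones as rules first.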


Re: Coming up with a password that is very strong.

Lee Clagett
In reply to this post by Dale-46
On Sun, 3 Feb 2019 23:47:35 -0600
Dale <[hidden email]> wrote:

> Howdy,
>
[...snip...]
>
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?  I've
> googled and found some ideas but if I use the same method, well, how
> many others are using that same method, if you know what I
> mean.  ;-)  Just looking for ideas. 

Search for diceware. Memorizing 7-10 word passwords is possible and
fairly strong.

Lee



Re: Coming up with a password that is very strong.

Jack
In reply to this post by Nikos Chantziaras-2
On 2019.02.04 06:10, Nikos Chantziaras wrote:

> On 04/02/2019 07:47, Dale wrote:
>> How do you, especially those who admin systems that are always being
>> hacked at, generate strong passwords that meet the above?  I've  
>> googled
>> and found some ideas but if I use the same method, well, how many  
>> others
>> are using that same method, if you know what I mean.  ;-)  Just  
>> looking
>> for ideas.
>
> I don't use a password manager. For website logins, I just use the  
> password manager in the browser (Firefox), which does not use a  
> master password :-P I just assume my own system is not going to be  
> compromised.
>
> For the websites I use, I generate a unique password per site using  
> this command:
>
> $ pwmake 128
>
> This generates a password using 128 bits of entropy from  
> /dev/urandom. You need dev-libs/libpwquality being installed (it's a  
> dep of something important, I think, so should be installed on most  
> systems already.)
>
> For remote systems I administer through SSH, I don't use passwords. I  
> use a public/private key pair to log in (4096 bits.) My private key  
> is protected with a strong password though, but it's easy to remember  
> since it doesn't need to change. Something like:
>
> ilp&mac4d@4*r
>
> Which is short for:
>
> I like pizza and macaroni for dinner at four star restaurants.
The problem I have with many of these suggestions is that I have  
multiple devices (two desktops, two laptops, tablet, android phone) I  
use sufficiently often that I either need to be able to remember the  
passwords or have some way of easily accessing them when I'm not  
sitting at my main desktop.  Other than using a password manager (which  
I do not currently have) how do others deal with this?

Jack
Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Dale-46
Dale wrote:

> Howdy,
>
> <<< SNIP >>>
>
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?  I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean.  ;-)  Just looking
> for ideas. 
>
> Thanks much.
>
> Dale
>
> :-)  :-) 
>
> P. S.  I haven't had time to deal with the video thing in previous
> thread.  It's on my todo list still.  :-( 
>


I read the replies and got some ideas.  I don't have any favorite songs
or sayings so that wouldn't work with me.  I'm weird, as some know but
might not say it.  ROFL  I did come up with some things tho based on
replies.  I then googled for some password checker sites, found three or
so, and checked to see what they think about my password.  Here is some
results:


It would take a computer about 34 thousand years to crack your password

Medium size botnet About 143 billion years or Standard Desktop PC About
143 quadrillion years

Time to crack your password:  17 centuries or Review: Fantastic, using
that password makes you as secure as Fort Knox.


I'm not sure if one can convert that to NSA time or not.  o_O  The
password contains upper/lower case letters, couple symbols from up top
of the number keys and several numbers.  None of which anyone would be
able to guess in any way.  They have nothing to do with that list of
things not to use, birthdays etc.  If a person was trying to just guess
it, even a best friend who knows me extremely well, they would not be
able to guess it much less the order of it.  The only bad thing, it
isn't too easy to type.  Of course, a really good password usually isn't
so . . .

I'm going to practice typing that thing in a bit to see if I get the
hang of it.  Maybe it will grow on me or I can come up with a change
that makes it easier to type. 

Thanks to all for the suggestions.  It did help.  Some were sort of
funny but they would make a good password easy to remember.

Dale

:-)  :-) 

Re: Coming up with a password that is very strong.

Rich Freeman
On Mon, Feb 4, 2019 at 3:09 PM Dale <[hidden email]> wrote:

>
> I'm not sure if one can convert that to NSA time or not.  o_O  The
> password contains upper/lower case letters, couple symbols from up top
> of the number keys and several numbers.  None of which anyone would be
> able to guess in any way.  They have nothing to do with that list of
> things not to use, birthdays etc.  If a person was trying to just guess
> it, even a best friend who knows me extremely well, they would not be
> able to guess it much less the order of it.  The only bad thing, it
> isn't to easy to type.  Of course, a really good password usually isn't
> so . . .

And do you use that password on only a single site?

If you use it on more than one, then as soon as one of those sites is
compromised it will sniff your password and then your password can be
used on all the others without any cpu cycles wasted on brute-forcing
it at all.

That is the weakness of random passwords.  Unless you use some kind of
password manager you won't actually use a unique password on each site
due to difficulty with memorization...

--
Rich

Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Nikos Chantziaras-2
Nikos Chantziaras wrote:

> On 04/02/2019 07:47, Dale wrote:
>> How do you, especially those who admin systems that are always being
>> hacked at, generate strong passwords that meet the above?  I've googled
>> and found some ideas but if I use the same method, well, how many others
>> are using that same method, if you know what I mean.  ;-)  Just looking
>> for ideas.
>
> I don't use a password manager. For website logins, I just use the
> password manager in the browser (Firefox), which does not use a master
> password :-P I just assume my own system is not going to be compromised.
>
> For the websites I use, I generate a unique password per site using
> this command:
>
> $ pwmake 128
>
> This generates a password using 128 bits of entropy from /dev/urandom.
> You need dev-libs/libpwquality being installed (it's a dep of
> something important, I think, so should be installed on most systems
> already.)
>
> For remote systems I administer through SSH, I don't use passwords. I
> use a public/private key pair to log in (4096 bits.) My private key is
> protected with a strong password though, but it's easy to remember
> since it doesn't need to change. Something like:
>
> ilp&mac4d@4*r
>
> Which is short for:
>
> I like pizza and macaroni for dinner at four star restaurants.
>
>
>


One reason I use LastPass, it is mobile.  I can go to someone else's
computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
logoff and it is like I was never there.  Also, if my computer were to
die a sudden death, power supply goes bonkers and burns everything in it
up including hard drives, my passwords are still safe but available. 
When I get a new rig built, I can install LastPass, put in my email and
password then go on like nothing ever happened.  I can also use a
neighbor's computer to order the parts for a new rig as well.  I just use
LastPass on their computer.  I could do that even if my backups were out
of date as well. 

I also like that it generates passwords that are dang near impossible to
crack.  It also doesn't have to be anything I can remember either.  This
is a few examples of what it generates.

*k0Dx^RiNPHOocIg

5wfy&YQA&vNa4^HHgwZ3

NnWM9DwCrVYyVryS3Aa9

Now I admit, I sometimes see one that pops up that I don't like the
looks of and I click for a new one.  Just like the last one in the
list.  It has two of the same letter at the beginning.  One upper and
one lower but still the same.  I'd skip that one.  Still, good luck
guessing it easily.  Cracking it is always possible but it makes it
difficult.  Also, I sometimes have to leave off the other characters
since some websites don't allow those.  My bank for example doesn't
allow a couple of them.  I think "*" and "$" is a no go.  It does reject
it when you try to enter it tho. 

If I were to ever get me a smart phone, LastPass works on those too.  I
still like my Razr tho.  It makes phone calls and allows me to text.  It
does what I need.  It also takes the place of a watch as well.  ;-) 

I get why some may just use Firefox or other browsers password tool but
thing is, if you don't have a backup of it and something happens, you
could be working a while to get those passwords going again.  If I
recall correctly, I have to go to the bank, present ID and such to do a
complete reset of my bank password.  I know it was that way several
years ago because I had to do it once. 

Those keys do work for things that support it.  I don't think any site I
use has that ability tho.  If it does, I don't know about it.  Maybe one
day tho. 

Dale

:-)  :-) 

Re: Coming up with a password that is very strong.

Neil Bothwick
In reply to this post by Jack
On Mon, 04 Feb 2019 14:38:38 -0500, Jack wrote:

> The problem I have with many of these suggestions is that I have  
> multiple devices (two desktops, two laptops, tablet, android phone) I  
> use sufficiently often that I either need to be able to remember the  
> passwords or have some way of easily accessing them when I'm not  
> sitting at my main desktop.  Other than using a password manager
> (which I do not currently have) how to others deal with this?

If you don't want to use an online password manager like LastPass, you
could use a local solution. I use KeePassX, which is available for Linux
and Android (and some minority OSes). It stores the passwords in an
encrypted database file, protected by a master password. As it's a single
file it is easy enough to keep this synchronised between devices. I
initially did this with DropBox but soon switched to Syncthing.

It's just another file to keep synchronised between devices, so use
whatever method you already use for that purpose.


--
Neil Bothwick

You are about to give someone a piece of your mind,
something you can ill afford...

Re: Coming up with a password that is very strong.

Rich Freeman
In reply to this post by Dale-46
On Mon, Feb 4, 2019 at 3:49 PM Dale <[hidden email]> wrote:
>
> One reason I use LastPass, it is mobile.  I can go to someone else's
> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> logoff and it is like I was never there.

As much as I like Lastpass I would never do that.  It isn't magic - it
is javascript.  If there is a compromise on your computer, then your
password database will be compromised.  This is true of other
solutions like KeePassX and so on - if something roots your box then
it will be compromised.

If you were talking about something like a Chromebook that is still
locked down and you're using guest mode or logging in under a separate
user account from anybody else, then you're probably fairly safe
against that.  However, if you're just looking into a generic windows
box or a shared linux account then there isn't going to be much
protection if something has compromised the system.

At that point you're vulnerable to all kinds of attacks, from theft of
the password manager database, to just skimming the accounts you're
using.

This won't stop sniffing of individual passwords, but you could at
least protect your overall database by looking up the password on a
secure device (your phone or whatever) and rekeying it on the
untrusted device.  Then while that password is still vulnerable your
password database never touches that box.

--
Rich

Re: Coming up with a password that is very strong.

Neil Bothwick
On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:

> > One reason I use LastPass, it is mobile.  I can go to someone else's
> > computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> > logoff and it is like I was never there.  
>
> As much as I like Lastpass I would never do that.  It isn't magic - it
> is javascript.  If there is a compromise on your computer, then your
> password database will be compromised.  This is true of other
> solutions like KeePassX and so on - if something roots your box then
> it will be compromised.

I don't see what root has to do with it. If someone gains access to your
box, they can copy the database file and then take their time trying to
crack the password, but you don't need to be root to do that.


--
Neil Bothwick

... "I'm simply not a nice girl", she whispered tartly.

Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Rich Freeman
Rich Freeman wrote:

> On Mon, Feb 4, 2019 at 3:09 PM Dale <[hidden email]> wrote:
>> I'm not sure if one can convert that to NSA time or not.  o_O  The
>> password contains upper/lower case letters, couple symbols from up top
>> of the number keys and several numbers.  None of which anyone would be
>> able to guess in any way.  They have nothing to do with that list of
>> things not to use, birthdays etc.  If a person was trying to just guess
>> it, even a best friend who knows me extremely well, they would not be
>> able to guess it much less the order of it.  The only bad thing, it
>> isn't to easy to type.  Of course, a really good password usually isn't
>> so . . .
> And do you use that password on only a single site?
>
> If you use it on more than one, then as soon as one of those sites is
> compromised it will sniff your password and then your password can be
> used on all the others without any cpu cycles wasted on brute-forcing
> it at all.
>
> That is the weakness of random passwords.  Unless you use some kind of
> password manager you won't actually use a unique password on each site
> due to difficulty with memorization...
>


Right now, I'm coming up with a master password for LastPass and maybe a
new set of keys.  I may use something different for my keys to your
point.  My encryption thingy broke on Seamonkey, the keys are broken
somehow.  I googled, tried some stuff but can't figure out how to fix
them so I revoked the things and am going to start fresh.  Heck, only
one person ever uses them anyway.  lol 

Once I get logged into LastPass, I generate unique passwords with it for
each site.  Depending on the site, I try to generate as long and use as
many characters as the site will allow.  If it allows the symbols on top
of the number keys, I enable them.  If it doesn't, I cut that off.  If
it allows 20 characters, I set it to generate 20.  It's not like I have
to remember it or even type it in either.  I may as well be as secure
and random as possible.  The master password is the current project tho. 

Way back, I used to have three passwords.  One fairly secure one for
financial type sites, one somewhat decent one for stuff like social
sites and one I could care less about.  None of them would be easy to
guess but the complexity changed.  Nowadays, I wouldn't even dream of
doing like that.  Far too many script kiddies out there trying to steal
stuff.  That doesn't even mention the pros and what they do. 

You are right tho, reusing passwords is a really bad idea.  It makes it
dead simple to hack everything else. 

Dale

:-)  :-) 

Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Neil Bothwick
Neil Bothwick wrote:

> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>
>>> One reason I use LastPass, it is mobile.  I can go to someone else's
>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>> logoff and it is like I was never there.  
>> As much as I like Lastpass I would never do that.  It isn't magic - it
>> is javascript.  If there is a compromise on your computer, then your
>> password database will be compromised.  This is true of other
>> solutions like KeePassX and so on - if something roots your box then
>> it will be compromised.
> I don't see what root has to do with it. If someone gains access to your
> box, they can copy the database file and then take their time trying to
> crack the password, but you don't need to be root to do that.
>
>


I might point out, LastPass encrypts the password before sticking it in
a file.  It isn't visible or plain text.  Even getting the file would
still require some tools and cracking to get the password itself. 
Cracking the master password would likely be much easier and doesn't
even require access to the box itself, Linux or windoze.  Also, LastPass
only stores the encrypted password on its servers.  Even if LastPass is
hacked, the passwords are still encrypted.  It's one reason LastPass
shouldn't have to worry about getting court orders to turn over
passwords.  It doesn't really have them.  I would suspect that cracking
an encrypted password is as difficult as is just poking at a password
until it is guessed. 

Even if a person is using a perfect tool, cracking a password is always
going to be possible.  The tougher the password, the harder it will be
and the longer it will take.  Still, it can be done.  Using these tools
just makes it harder.  I'm not aware of a perfect password tool.  I
doubt one exists or ever will either.  ;-)  It's still good to pick one,
use it and try to be as secure as one can. 

Dale

:-)  :-) 

Re: Coming up with a password that is very strong.

tanstaafl-2
In reply to this post by Dale-46
On 2/4/2019, 12:47:35 AM, Dale <[hidden email]> wrote:

> Thing is, with today's computing power, it really isn't anymore.
> While no one could just guess it, it could be cracked/hacked I'm
> sure.  I need to come up with a new one that meets the requirements I
> just mentioned.  Strong, easy to remember, easy to type but won't
> forget.  I've read that using maiden names, years of birth or whole
> dates of birth, actual names, pet's name, words in a dictionary and a
> whole list of other things makes it easier, especially if you post a
> lot on social media, for hackers to use against you.  I'm trying to
> avoid that sort of thing obviously and have a couple ideas but am
> curious as to what method others use, without exposing to much
> detail since this is public.
I've been using a little Firefox Addon called Passwordmaker for many,
many years, and despite all of its warts, I've been loath to give it
up, even though it will never be upgraded to work as a WebExtension.

2 things I loved about it -

 a) it doesn't save the password locally, only info about the
    site/account, and
 b) you can use an unlimited number of Master Passwords

I'm looking at migrating to KeePassXC, and even though I really hate the
idea of saving the actual password - Passwordmaker simply generates the
password on the fly each time based on certain specified criteria (ie,
the site URL, username, password length, etc for each account - one
technique I adopted shortly after assisting in updating the
Passwordmaker website eases my mind about it...

This is a simple technique I strongly recommend that everyone employ,
especially if you use a Password manager (like LastPass or KeePass)...

It is uncrackable (well, as long as it isn't the CIA or NSA that wants
to crack it and they are willing to kidnap/torture you to do so).

You sit down and come up with a ... call it a 'password modification
protocol' ... whereby, you always modify your generated/stored password
in a specific way before pressing enter.

For example, you delete characters 3, 5 and 7, then add 2 characters to
the beginning and 2 to the end.

It is very simple, and negates worrying about someone stealing your
password vault.
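The "password modification protocol" above, written out as an added example (not Passwordmaker's or KeePassXC's code): the vault holds one string, and the string actually typed is that entry with characters 3, 5 and 7 deleted and two characters added at each end. `vault_entry` just constructs a random stand-in for what a manager would store; the prefix, suffix and positions are the example's own placeholders for the private rule.

```python
import secrets
import string

# 1-based positions deleted from the stored entry, as in the post.
DROP_POSITIONS = (3, 5, 7)


def vault_entry(length=16):
    """Stand-in for what the password manager stores (constructed here with secrets)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def apply_protocol(stored, prefix, suffix, drop=DROP_POSITIONS):
    """The password that is actually sent: remove the characters at the 1-based
    positions in `drop` (positions past the end are simply absent), then wrap the
    remainder in `prefix` and `suffix`. The rule itself is never written down."""
    kept = [ch for i, ch in enumerate(stored, start=1) if i not in drop]
    return prefix + "".join(kept) + suffix


def login_password_for(stored, prefix, suffix):
    """Convenience wrapper so a caller that knows the rule can reconstruct the live password."""
    return apply_protocol(stored, prefix, suffix)


if __name__ == "__main__":
    entry = vault_entry()
    live = apply_protocol(entry, "Qx", "9!")   # "Qx" and "9!" are placeholder rule parts
    print("stored in vault :", entry)
    print("typed at login  :", live)
```

What this buys is that the vault's contents alone are not the live passwords; the same fixed rule is shared by every entry, so keep it off any device the vault itself lives on.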
