How To Create A Strong Password And Remember It

HardOCP News ([H] News)
Obviously you guys know how to create a strong password, but we all know people that don't (I'm looking at you, Mom), so pass this link along to those that need it. ;)

Following the hack of Zappos.com and 6pm.com there are probably quite a few of you looking for a way to create strong passwords and also remember them. You can create strong passwords that don't make you memorize a cryptic string of letters, numbers, and punctuation symbols. Here are three techniques.
 
The longer the pass phrase, the more secure it is, though you'll be limited by the maximum length the site allows.
I hate hate hate it when websites do this. My bank limits passwords to 20 chars. Obviously users are responsible for their own crappy passwords, but websites with arbitrary and infuriating restrictions are complicit.
 
Relevant:

[image attachment: password_strength.png]
 
Personally I use a random password generator like this:
http://www.pctools.com/guides/password/

I have several passwords with different security 'grades' and lengths.

I then use these for different websites according to their 'security rating'.

e.g. a really long password for all financial stuff, e.g. banks;
medium strength for 'trustworthy' sites like Google/Gmail and Facebook;
a crappy password for dodgy websites like this website :-P (and other forums that always seem to be the favourite target of Anonymous).

I find completely random combinations of numbers/letters no harder to memorise than phone numbers, bank accounts, safe combinations etc.
 
I knew someone would post that xkcd comic. It's funny, but I doubt that it's very accurate in practice, aside from the raw numbers. There's a reason people are taught not to use real words in their passwords, it's called a dictionary attack.
 
It depends on whom you are trying to keep from guessing your passwords. If your company/business/site you visit has good security then you don't need to worry about computers guessing passwords, as they will be locked out long before they guess it. If you want to keep people from guessing passwords then the first password listed in the xkcd comic is a good one.
 
simpler to just swap in numbers and upper case into standard words

turn hardocp into hArd0cp! Sure it's not as good, but it's better than most while still something the average person can retain: lowercase, uppercase, number and symbol...basics are covered.
 
simpler to just swap in numbers and upper case into standard words

turn hardocp into hArd0cp! Sure it's not as good, but it's better than most while still something the average person can retain: lowercase, uppercase, number and symbol...basics are covered.

Pretty much. A lengthy word or phrase doing what you said does the trick and is easy to remember.
 
That guide is worthless. Every website has different requirements.
i.e. one must have a capital letter and a number; another has no capital letters or numbers.
Then we have some like my employer that require you to change your password every 90 days, and you can not reuse passwords.

[image attachment: Dilbert-20050910.png]
 
Download KeePass Password Safe; you can make insane 512-bit massive passwords that would take hundreds of billions of years to "guess".

Install it, make passes for all the sites you frequent, and make sure they are big long passwords that use every kind of symbol. Save it to a file, and make a KeePass key file that won't allow access without it. Take a sturdy USB stick and upload both your saved password files and the key file required to access them to it. Take that USB stick and put it in a safe deposit box, or leave it at a different residence you feel secure with, and you'll be set against nearly anything.

I've been using KeePass for a while.
 
I knew someone would post that xkcd comic. It's funny, but I doubt that it's very accurate in practice, aside from the raw numbers. There's a reason people are taught not to use real words in their passwords, it's called a dictionary attack.

How do dictionary attacks work when it comes to concatenation of multiple words? (Not attacking, just curious.) If someone was trying to brute force your password, shouldn't there be systems in place such that by the time you're getting to all combinations of 4-word concatenations you've tried billions of times already? Shouldn't that raise a flag, or take long enough that you should have changed your password by then anyway?
 
I knew someone would post that xkcd comic. It's funny, but I doubt that it's very accurate in practice, aside from the raw numbers. There's a reason people are taught not to use real words in their passwords, it's called a dictionary attack.

Hence why it says in the comic, "four random common words." Using a common phrase like "Four score and seven years ago" or a bible verse as a password wouldn't stand a chance against a phrase dictionary attack. Throwing together some arbitrary English words to make a nonsensical phrase (bonus if some of the words are nonsensical) and you're pretty much in the same situation described in the second half of that comic.
 
Download KeePass Password Safe; you can make insane 512-bit massive passwords that would take hundreds of billions of years to "guess".

Install it, make passes for all the sites you frequent, and make sure they are big long passwords that use every kind of symbol. Save it to a file, and make a KeePass key file that won't allow access without it. Take a sturdy USB stick and upload both your saved password files and the key file required to access them to it. Take that USB stick and put it in a safe deposit box, or leave it at a different residence you feel secure with, and you'll be set against nearly anything.

I've been using KeePass for a while.

This, but there are some scenarios where Keepass/Lastpass/yourfavoritekeychainsoftware isn't the best solution. Logging on to any of the computers in the university library or computer lab, for example.
 
Hence why it says in the comic, "four random common words." Using a common phrase like "Four score and seven years ago" or a bible verse as a password wouldn't stand a chance against a phrase dictionary attack. Throwing together some arbitrary English words to make a nonsensical phrase (bonus if some of the words are nonsensical) and you're pretty much in the same situation described in the second half of that comic.

Are random words/phrases the best way to remember and protect login info?
 
How do dictionary attacks work when it comes to concatenation of multiple words? (Not attacking, just curious.) If someone was trying to brute force your password, shouldn't there be systems in place such that by the time you're getting to all combinations of 4-word concatenations you've tried billions of times already? Shouldn't that raise a flag, or take long enough that you should have changed your password by then anyway?

Oh I wasn't thinking of logging into a live system - most any such system would/should lock you out after a few attempts.

Hence why it says in the comic, "four random common words." Using a common phrase like "Four score and seven years ago" or a bible verse as a password wouldn't stand a chance against a phrase dictionary attack. Throwing together some arbitrary English words to make a nonsensical phrase (bonus if some of the words are nonsensical) and you're pretty much in the same situation described in the second half of that comic.

Maybe. I am by no means an expert on the subject, but I would imagine that any decent system would have options for stringing together common words, random or not.
 
so using 'Welcome' or 'Password' is not good?...I'll change all my passwords later tonight

The reason those long, confusing, randomly generated passwords suck is that the point of a password is that it be easy to remember...I alternate the same 2 passwords on everything because they are not commonly used words and they're easy for me to remember.
 
How did you know my password!?! Are you a wizard?

He'z a wizzard Jerrie!

Seriously though, my favorite is to start with a longish, but easy to remember word. Then I shift the keys up or down, so something like "Password" comes out as ")qww294e".
 
so using 'Welcome' or 'Password' is not good?...I'll change all my passwords later tonight

The reason those long, confusing, randomly generated passwords suck is that the point of a password is that it be easy to remember...I alternate the same 2 passwords on everything because they are not commonly used words and they're easy for me to remember.

So if one site is caught slipping you are now vulnerable at the 70 other sites you've used that password. I'm all for having a universal password for things you probably don't care about like some coupon site, or foursquare or similar, but you are taking a huge chance just using a few everywhere because everyone is wise to that and will try that phrase everywhere once they figure it out.
 
I knew someone would post that xkcd comic. It's funny, but I doubt that it's very accurate in practice, aside from the raw numbers. There's a reason people are taught not to use real words in their passwords, it's called a dictionary attack.

The Oxford mini-dictionary contains ~30,000 words. We are assuming we are only using common English words which that dictionary will cover.

That makes 30,000 x 30,000 x 30,000 x 30,000 candidates, which at the 1000 guesses/sec employed by the comic means it would take 25,684,931 years to decrypt based on a dictionary attack.
 
I knew someone would post that xkcd comic. It's funny, but I doubt that it's very accurate in practice, aside from the raw numbers. There's a reason people are taught not to use real words in their passwords, it's called a dictionary attack.

Actually a dictionary attack is completely useless against the passwords Randall is using because it is comprised of several words where the order is completely unknown. Meaning to successfully brute-force the password the attacker would still have to try every permutation of the dictionary against itself up to 4 times. This amounts to 9.43 x 10^19 different passwords to guess (using the standard Linux dictionary), which at a rate of 1000 guesses a second would take 2,990,233,384 years to crack.

So even though this seems like such a bad idea to you, the math in fact does back it up. I happen to work daily with website security, and the number one rule of password complexity, above all else, is length. Even using Amazon's EC2 cluster it takes beyond the lifetime of a human being or several million dollars to crack a simple 12-character alphanumeric password.
 
Exactly. Instead of 26 alphabet + 10 numbers + a dozen more symbols (so about 30-40 characters total) for the normal set for a character by character password break for each "slot"...

Applying a dictionary attack turns each "slot" into a 30,000-150,000 dictionary word password break driving the break time into the millions of years for any password containing more than 3 English words!
 
Password Card

Unless you need really long passwords, or you have a better method, I've got most of my family members set up with one, including the app on their phones. Easy to remember: remember a symbol and a number/color, and a length. Cake.
 
Maybe. I am by no means an expert on the subject, but I would imagine that any decent system would have options for stringing together common words, random or not.
If you look at the bits of entropy listed, it's already assuming that a dictionary attack will be used, and it's still better. Although it's also assuming that a dictionary attack will be used in the first case as well, with common variations and substitutions of capitals, numbers, and symbols.
 
Actually a dictionary attack is completely useless against the passwords Randall is using because it is comprised of several words where the order is completely unknown. Meaning to successfully brute-force the password the attacker would still have to try every permutation of the dictionary against itself up to 4 times. This amounts to 9.43 x 10^19 different passwords to guess (using the standard Linux dictionary), which at a rate of 1000 guesses a second would take 2,990,233,384 years to crack.

So even though this seems like such a bad idea to you, the math in fact does back it up. I happen to work daily with website security, and the number one rule of password complexity, above all else, is length. Even using Amazon's EC2 cluster it takes beyond the lifetime of a human being or several million dollars to crack a simple 12-character alphanumeric password.

The problem is that people don't pick words randomly out of the dictionary.

They pick words that are easy to remember/spell and that tend to be short. People use only about 300 words commonly. The cartoon example used words on a common usage list.

(300)^4 = 8.1e9.
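As an added illustration of the arithmetic in the last few posts (this is not code from anyone in the thread), the calculator below computes the search space, the equivalent bits of entropy, and the worst-case time to exhaust it for the scenarios the posters compare, at the comic's 1000 guesses/sec and using a 365-day year so the figures line up with the numbers quoted above. The 2,048-word list size is xkcd's (2048^4 = 2^44); treating "12 character alphanumeric" as a 62-symbol alphabet is an assumption made here.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year, matching the thread's figures


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must try in the worst case when each of the
    `length` slots is drawn uniformly from `alphabet_size` choices.
    A slot may be a character (brute force) or a whole word (dictionary)."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Search space expressed as bits, the unit the xkcd comic uses."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare_scenarios(guesses_per_second: float = 1000.0) -> dict:
    """The strategies argued about in the thread, side by side.
    Returns {name: (bits, years)} so the numbers can be checked, not just printed."""
    scenarios = {
        "4 words from 30,000-word dictionary": search_space(30_000, 4),
        "4 words from xkcd's 2,048-word list": search_space(2_048, 4),
        "4 words from 300 common words": search_space(300, 4),
        "12 chars, 62-symbol alphanumeric (assumed)": search_space(62, 12),
        "8 chars, 95 printable ASCII": search_space(95, 8),
    }
    return {
        name: (entropy_bits(space), years_to_exhaust(space, guesses_per_second))
        for name, space in scenarios.items()
    }


if __name__ == "__main__":
    # The same table at the comic's online rate and at an assumed offline
    # cracking rate, to show why the poster's lockout argument only covers
    # live logins and not a stolen hash database.
    for rate in (1_000.0, 1e10):
        print(f"--- {rate:g} guesses/sec ---")
        for name, (bits, years) in compare_scenarios(rate).items():
            print(f"{name:45s} {bits:6.1f} bits  {years:14.1f} years")
```

The 300-common-words row exhausts in well under a year even at 1000 guesses/sec, which is the point of the post above: the word source matters far more than the word count.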
 
I always liked the idea of doing patterns on the keyboard.

Example:

What you remember: circles, G, T, O, clockwise

Password that comes out: tyhbvfr6yhgfr50plki9

Completely nonsensical and long but just a pattern. Not individual characters to remember.

You can do triangles, konami code, smiley face, arrows of varying length.
 
The problem is that people don't pick words randomly out of the dictionary.

They pick words that are easy to remember/spell and that tend to be short. People use only about 300 words commonly. The cartoon example used words on a common usage list.

(300)^4 = 8.1e9.

Then simply use a few more words like passwordpasswordpasswordpassword[insertnameofdoghere]
 
Complexity rules only exist to force the simple-minded not to use common, easy to guess passwords. They do nothing else.
  • Brute force attacks only care about one thing: length.
  • Dictionary attacks only care about one thing: that it's in the dictionary.
  • Human attacks only care about one thing: that it's guessable
So make a long password (at least 10 chars or use the max length) out of several words and don't use personal info. Also, don't use the same password for everything.

Here's an easy-to-remember way to do all of that without writing anything down.

Example: nikedgrommetr - This is a random word + the 4th letter of the site's domain name (hardforum.com) + another random word + the 3rd letter of the domain. Sounds complicated, but it's really easy to remember: total length 13 chars, dictionary safe, and different for each site.

It's also difficult to figure out the pattern if someone sees one of your passwords. Of course you should pick a different pattern but you get the general idea. Throw in a number or symbol if a lot of sites require it.
 
Why don't they just send you a text message with a unique code every time you try to log in? You just enter that code. Not saying make it a law, but let's say you get a 0.25%-1.00% discount if you do (enough to deal with it). This would cover a very large majority of the cases in question, enough that if a large breach occurs, the fallout is minimized.

The method of having something + knowing something is insanely more secure than one or the other.
 
Download KeePass Password Safe; you can make insane 512-bit massive passwords that would take hundreds of billions of years to "guess".

Install it, make passes for all the sites you frequent, and make sure they are big long passwords that use every kind of symbol. Save it to a file, and make a KeePass key file that won't allow access without it. Take a sturdy USB stick and upload both your saved password files and the key file required to access them to it. Take that USB stick and put it in a safe deposit box, or leave it at a different residence you feel secure with, and you'll be set against nearly anything.

I've been using KeePass for a while.
hmm that sounds like too much hassle imo
 
Why don't they just send you a text message with a unique code every time you try to log in? You just enter that code. Not saying make it a law, but let's say you get a 0.25%-1.00% discount if you do (enough to deal with it). This would cover a very large majority of the cases in question, enough that if a large breach occurs, the fallout is minimized.

The method of having something + knowing something is insanely more secure than one or the other.

That is exactly how my bank and Gmail work for me. Sometimes it's a PITA, but after my Gmail account was hacked from Turkey (probably a proxy) of all places, I figured it was time for 2-step authentication.
 