Poor Passwords a Larger Threat than Malware?

[Rob Williams]

From our front-page news:

What's your password? Of course, I don't want you to actually tell me, but just think about it. What's the password to your most data-sensitive web-services, like your e-mail account or bank account? If you were able to repeat your full password, or even picture it spelled out, instantly in your head, chances are it's a little too simple. And if it's simple, you aren't taking it too seriously, which is too bad, given it is serious.

A recently-posted article at Channel Insider takes a look at the password issue, and they say that weak passwords are so common, that their security risk eclipses that of a computer virus. That's a bold statement, but when you think about it, it's easy to understand why it could be true. Many people are adamant about running virus protection on their PC, along with ad-ware protection, but what about your passwords? All that protection will do you little good if your password is easily-crackable.

I know for a fact that this is indeed a problem, and it's rare to find anyone who actually cares about their password choice. In helping friends out with various things on their computers in the past, for which I've required a password, some of their choices simply appalled me. Some are so bad, that anyone with a brute-force cracker would be able to get into their account within seconds - assuming there were no additional security measures put into place.

You might be quick to say, "But it's just by e-mail... nothing is bad in there.", but that's not the point. The point is that your stuff should be private, and properly protected. Passwords like "hellokit88" are not at all secure. Passwords like "h3ll0k1t88!" are far more secure. To take things even further though, I'd personally recommend choosing a password between 12 - 16 characters long, which includes letters, numbers and special characters. I'll post a few more tips in the discussion thread below, to help you create one such password, so check it out and be secure!

During a security panel I conducted at Breakaway, one of my panelists said that one medical practice he serves recognized the need for strong password policies and required each user to have a strong, mixed alphanumeric password for different applications and resources. The only problem was that this led to “sunflowers,” or users—including the practice’s owner—adorning their monitors with Post-it notes with scribbled passwords.

Source: Channel Insider​

 

[Rob Williams]

So, how do you go about creating a highly-advanced and secure password? Although there are many auto-generators out there, which essentially create a robust password for you, I don't really recommend them. The reason is simply because the password it provides is not at all going to be easy to remember, because you have no previous mental thought about it, and normally, they are far too complicated. It's a far better idea to create your own password from scratch, using various techniques that will carry from one to the next.

Say for instance your current password is "hellokit88" as mentioned in the news posting. That's a horrible password, as it's short, and easily-crackable with a dictionary-based brute-forcer. First, your goal should be to increase the length to at least 12 characters, with anything higher being even better. Once you have a general phrase, start changing letters to numbers, and add in special characters to make things even more complicated.

hellokit88 - Easy to crack.
h3ll0k1t88 - Moderately difficult to crack.
.h3!!0k188# - Difficult to crack.
.!h3!!0k1ttyc@t# - Very, very difficult to crack.
.!h3!!0bl@ckk1ttyc@t#!. - Obscenely difficult to crack.

That last two are only reasonable to crack with the use of super computers. It certainly couldn't be done with even the highest-end home PC today in a reasonable amount of time.

The idea is this. The more special characters you include, the more secure your password. But, length drastically improves things as well. Simply adding one additional special character increases the difficulty in cracking dramatically. So if you use a 12+ character password which includes a healthy dose of letters and special characters, you can confidentially say that your password is safe.

The special characters is what's going to get most people though, and I understand that. After all, how on earth are you supposed to remember these from password to password? That's where your own personal schema's come into play. If you use special characters for each password, use the same ones in the same manner in each password. Here's what I mean...

Begin a password off with a specific set of special characters, like seen in our ".!h3!!0bl@ckk1ttyc@t#!" password. Note that it begins with a .!, which is absolutely easy to remember. If you add just that to each password, then you increase your security significantly. What about the end? Same thing. Here, we have #!, which means that we have four special characters total that are easy to remember, because they could be placed both at the beginning and end of every password you create. Using that method, other potential passwords would be:

.!l1ghtblu3sky#!
.!t3chg@g3#!
.!l1nuxb0x#!

See the pattern? You could even expand it if you have more than one word in your password. Put special characters right smack dab in the middle of whatever words you have, say... even a dollar sign.

.!l1ght$blu3$sky#!
.!t3ch$g@g3#!
.!l1nux$b0x#!

The overall idea is this. If you take a few minutes to figure out a good schema for all your passwords, anything you come up with is going to be easy to remember, especially if you add the same special characters to all your passwords in specific places.

It doesn't take much to create an advanced password, so you have no excuse

Oh, and for passwords, never include specific information about yourself, such as birthdays, family names, et cetera. And NEVER give out your password to anyone, for any reason. The best password in the world won't protect you then.

 

[Doomsday]

hmm, damn how do i remember those passwords, dhyt674029sdj#$%? its more likely i'll forget em. hmm, I'll write em down somewhere secrety!

 

[Rob Williams]

hmm, damn how do i remember those passwords, dhyt674029sdj#$%? its more likely i'll forget em. hmm, I'll write em down somewhere secrety!

Don't write them down! Read my tips... it explains how to remember such passwords.

Another tip would be to password-protect things like Firefox passwords. By default, ANYONE can see your full password for ANY service you are logged into, quite easily. Password-protecting it solves that problem.

 

[madstork91]

I remember when you used to able to use a password that was 3 characters long.

My biggest hurdle with passwords is that they all have different rules when you set them up.

Does uppercase matter? Lower case? Can I use special characters? How many? Do I have to use numbers? How many of what do you require?

And the rules seem to change every 6 months to a year.

I use a hierarchy of passwords in addition to some of the tips here.

Most secure: Bank account. - A few characters, a few numbers, unrelated words
Tier 2: Server - A few characters, a few numbers, unrelated words
Tier 3: Email - A word, with some characters, and a number
Tier 4: Websites & Services I trust - Word + numbers
Tier 5: junk email - A word
Tier 6: Websites & services i dont know - A word

And the arrangements and assortment of each of those is like a word scramble.

6 passwords. Easiest to be breached are the lower tow tiers. But at no point would any information from an upper tier be on a lower.

Edit: I suppose I could be a lil more clear...

Pick a word and pick a word with one more or less number of letters. Or pick two words with the same number. Got it? Good.

Now ipnlsaicdee (place inside)

Now use some characters or numbers

ipnls@icd3e

Ideally you would use two unrelated words, like bear and bow = bbeoawr = bb30@wr

That would give you 2 numbers and a special character.

 

[2Tired2Tango]

A recently-posted article at Channel Insider takes a look at the password issue, and they say that weak passwords are so common, that their security risk eclipses that of a computer virus.

You would be amazed how many people use default passwords or silly things like their first name is the user name and their last name is the password. My favorite is the guy who uses the same password everywhere....

My trick is to take longish words like "anthropomorphise" and sort the letters into alphabetical (or reverse alpha) order... Remembering them is not much of a trick but getting them right when typing them in is a real chore.

 

[evilives34]

and the weirdest thing if i remember right. MMO accounts are the most target these days. as people dont think about all the personal info that stored in your MMO account and the passwords people pick are most of the time really simple so they can get in to the game faster. also RMT is big business and if they can steal the in-game money they make more real money

 

[Merlin]

Some sites will not allow special characters and others have a rating bar that allows almost anything.
I HAVE to write mine down, for a have so many different ones in paying bills. Since at work we Have to change it every 90 days, at home I change mine also every 90 days. Even Einstein wrote things down so he would not have to remember them, that's works with me as well

 

[Kougar]

Even a few simple tips like not using names or any word found in a dictionary will go a long ways for securing those financial passwords. Dictionary style brute-force methods are commonplace and are pretty simple to use.

I keep mine simple and easy to remember just by throwing together some acronyms with a string of letters on the end with an average length of nine characters. So if I ever forget it I can remember what the acronym stood for... I've never had one of those passwords fail on me yet and they are still easy to remember. Oddly I have more trouble remembering which login name it was rather than the passwords...

 

[madstork91]

I got it!

I will use the acronym "Keep It Simple Stupid" cause that one isnt in the dictionary!

Thanks!

(the above was totally a joke. Btw, kougar you passed me in the forum count... )

(p.p.s. holy crap! this was my 1.3k post! 37 more and im leet!)

 

[Optix]

I have found knowledge, enlightenment IN the perfect pizza but they closed and I have been pissed ever since! Be gone!

*sniff*

I miss crack pizza from Fredericton.

 

[killem2]

I like using the first initial of my first name and last name, then my wife's my children, then a 2 didgnit number, and my favorite tv show its long but ti works.

example

ghjhkhlhoh03dukesofhazzard

 

[Kougar]

I like using the first initial of my first name and last name, then my wife's my children, then a 2 didgnit number, and my favorite tv show its long but ti works.

example

ghjhkhlhoh03dukesofhazzard

As long as that wasn't your actual password, that's great.

But seriously, acronyms with some numbers taken from something are a simple, easy to remember but make for a very secure password. Throw together the first couple letters of a favorite game and an old address or zip code and it's hard to forget it.

Other than brute force cracking it's secure as can be, or the site it was used on. To date I've only ever had my passwords compromised by site leaks.

 

[Glider]

I don't remember passwords... I remember typing patterns... I variate passwords by shifting the pattern on my keyboard... works like a charm

 

[killem2]

oh no that's not my password haha.