Is Your Password Strong Enough? - Comments Page 1

Category: Security


All Comments on: "Is Your Password Strong Enough?"


Posted by:

Lee McIntyre
22 Jan 2013

Bob, you expressed concern that your "secret" answers to security questions aren't really secret. For example, your mother's maiden name, your high school, etc., are all a matter of public record.

A simple way to foil this is to create your own consistent "fake" answer to these questions. Whenever you're asked to give your mother's maiden name, always respond with "BabyFace." The high school you attended? Always respond with "Alcatraz High," unless you really went to school there. In that case, use something else.

Someone who knows where you graduated will be stymied, because their "right" answer won't unlock the door for them. Only your "wrong" answer will.

Of course, you have to remember these wrong answers, but you probably only need two: one for mother's maiden name and one for high school. Oh, and maybe one for favorite pet. "King Kong"?

Posted by:

Ewan Christian
22 Jan 2013

Thanks, that's a brilliant site. Except... it has come recommended by you, so I trust it, but if I had stumbled upon it, I would have been very wary of telling some unknown website all my passwords!!

How did you satisfy yourself that it is a safe place to tell all your secrets?

Posted by:

dpcrn
22 Jan 2013

The scary thing about http://howsecureismypassword.net/, which you referenced above, is that it appears to be calculating what a simple desktop computer would take. A supercomputer or other would be even shorter. Kind of scary since some of my passwords would take only 3 days by its calculations. Of course the password for my encrypted thumbdrive came out to trillions of years :-)

Posted by:

Dave
22 Jan 2013

The answers to some of the two step security questions asked by banks can be found in public records or elsewhere in the cloud.

Posted by:

Nigel Brown
22 Jan 2013

Bob, why don't sites and devices that require passwords have a "time out" after a limited number of attempts? A five-minute delay after 5 failed attempts would put an end to brute-force cracking.

Posted by:

Jeff Lynch
22 Jan 2013

I used to use KeePass but changed over to LastPass about 6 months ago and like it a lot.

Posted by:

bew
22 Jan 2013

Bob

Great article on the passwords. Yet it's so sad to see companies NOT allowing characters in the password. Wish they would read your newsletter.

Keep up the great info :)

Keeping it Safe
Brian

Posted by:

Peter Loppe
22 Jan 2013

Sage advice from a computer geek who lives and breathes technology.

Unfortunately, for a mere mortal such as myself, who has difficulties remembering his social insurance number, and who has to manage over 40 log-ins, it's simply not practical advice.

Most of my log-ins are not big security issues and I use words I can remember, substituting letters with numbers and using random capitalized letters.

Turning the browser login memory off is a good idea, but when I attempted to install KeePass it wanted to leave its footprint all over my system. No thanks.

I prefer to keep things simple.

For management I keep IDs in an obscure text file that is tucked away somewhere where I can access it, even if my system experiences a hard disk crash before the most recent back-up.

After all - I don't host any national security secrets - and I am very selective with what I download onto my system. No p**n.

Posted by:

Robert
22 Jan 2013

I don't trust "How Secure Is My Password" to have and check my password.

EDITOR'S NOTE: Two points on that. (1) You're not providing your username, so even if you entered a real password, it would be useless without the context of the username. (And no, a website CANNOT learn your email address, unless you provide it.) (2) You can always enter a password similar enough to yours, to get an idea of how secure it would be.

Posted by:

Bill
22 Jan 2013

Here's the site I use.

http://www.passwordmeter.com/

I keep track of my various passwords on a Rolodex, which I deem to be safe enough, barring a home invasion.

Posted by:

Walter Hansen
22 Jan 2013

I always wonder what secure site is going to let a password cracker sit there and try various passwords without locking the account? Most of these password cracking assumptions require the password accepting program to sit there and let them query it several times a second. Slowing or stopping this process isn't beyond the realm of possibility. I've implemented security on some of my servers that does this. Why would my bank let some IP submit 100 wrong passwords, let alone a few million, before shutting them off?

Posted by:

stephen
22 Jan 2013

1-I use one 16-character combo of random letters, upper & lower, and numbers. I use that password exclusively for infrequently visited sites, like the ones I visit and don't have a clue as to the password. I never change it.

2-I add two exclamation marks at the end for sites I use often but not really in need of ultra strong security, like forums (18) or email.

3-I add to #2 the year of birth of my daughter for sites like PayPal or a web page.

4-I have a separate 16 letter/number password phrase for my router and a 35 letter/number WPA2 one for my router sign-in to laptop etc. They are written down in three places, as I immediately forget them and might need them.

Posted by:

Gary
22 Jan 2013

Steve Gibson has said that the hardest password to crack is D0g. Takes a hacker longer to crack this than any other. Years??? Less than a second for even the strongest password. My bank uses two layers of questions before I even get to my password. So far so good.

Posted by:

Unitary
22 Jan 2013

I respectfully disagree.

The first two sample passwords are strong only if you consider simple "brute force" attack. These sample passwords are actually quite WEAK because there is much text and context redundancy.

The third sample password is VERY STRONG because it is a sequence of INDEPENDENT characters.

Size matters LESS than randomness!

Posted by:

David Bohlke
22 Jan 2013

Hello Bob,
I would like to understand how these brute-force password crackers can work. Whenever I see them mentioned, they talk about how many attempts they can make per second, which seems contradictory to what my experience is with almost every website or program that I use. In almost all cases, there is a delay between entering a userid/password combo and the acceptance or denial. Plus most of them only allow a few attempts before shutting a person out.

EDITOR'S NOTE: Excellent question, and one I should have addressed in the article. You are correct that with most login systems there is a delay built in, and a lockout when a certain number of incorrect password attempts have been made. The "cracker" programs mentioned are used directly against a username/password database on a server. If a website's server is breached, the attackers can use their tools against the encrypted password database at high velocity. A similar attack can be used against a Windows password file.
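As an added illustration of the distinction the editor's note draws (not code from the article or any commenter), here is a login throttle implementing the "five failures, then a five-minute delay" policy Nigel Brown suggests above, plus a back-of-envelope comparison of the guess rate that policy leaves an attacker at the login form against the rate a cracker gets against a leaked password database. The keyspace, the 1e9 guesses/second offline rate and the policy numbers are assumptions chosen for the demonstration.

```python
# Added example: lockout throttle plus online-vs-offline guess-rate comparison.
# All numbers below are assumptions for the demonstration, not measurements.

# Policy from the thread: five failed attempts, then a five-minute delay.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


class LoginThrottle:
    """Per-account consecutive-failure counter with a timed lockout."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> epoch seconds when the lockout ends

    def attempt(self, username, password_ok, now):
        """Return 'locked', 'ok' or 'fail'. `now` is passed in so tests are deterministic."""
        if self.locked_until.get(username, 0) > now:
            return "locked"          # refuse even a correct password while locked
        if password_ok:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0   # counter restarts after the delay
        return "fail"


def online_guesses_per_second(max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
    """Best case for a guesser at the login form: one burst per lockout window."""
    return max_failures / lockout_seconds


def years_to_exhaust(keyspace, guesses_per_second):
    """Time to try every candidate password at the given guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    keyspace = 26 ** 8   # assumed: 8 lowercase letters, no digits or symbols
    print("online, with lockout:", years_to_exhaust(keyspace, online_guesses_per_second()), "years")
    # 1e9 guesses/s is an assumed rate for a fast, unsalted hash on a leaked database.
    print("offline, leaked database:", years_to_exhaust(keyspace, 1e9), "years")
```

With these assumptions the same 8-letter keyspace takes on the order of hundreds of thousands of years through the throttled login form but only minutes against a leaked fast-hash database, which is why a breached server, not the login page, is where cracking tools are used.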

Posted by:

Mike Collins
22 Jan 2013

As a teenager I knew a poet and remember a lot of his poetry.
He is now dead and none of his poems are online.
The first letters of any line of his poetry make very secure passwords according to the site you gave.

Posted by:

Lucy
22 Jan 2013

I read somewhere to always "test" the lost password function on any site.

If they email the actual password and not a link to reset, using further security checks, then I'd seriously consider how safe that website and password actually are.

Posted by:

Joe26
23 Jan 2013

I shave the belly of my cat (he's a mean cat) and use a Magic Marker to write the passwords on his belly. After the hair grows back, you have to look closely to read the passwords. Anyone else trying to read them will end up with a LOT of scars!

Posted by:

Allie
23 Jan 2013

I use 26 varied nonsensical characters for each of my passwords. I keep them stored in an unusual file location on my computer. When I need to use a particular password, I copy and paste it in. I never type in any passwords and all of my answers to the security questions are never truthful. I change passwords often.

Posted by:

Don Lewis
23 Jan 2013

C'mon now. How mean can that cat be if he will let you shave his belly!?
