Here's Why Your Password is Hackable - Comments Page 3
Posted by:
I would love to go back to the Microsoft fingerprint reader I had that you could use in lieu of passwords!
Posted by:
I have used the password manager KeePass for years. It is free and is available for multiple operating environments. Since I have used it I have been generally using 20 character randomly generated passwords, but recently began moving to 24 character passwords where possible. The thing that frustrates me, because I want to use long passwords, is when I set up a new password on a site and find that I am limited to a password of 12 or fewer alphanumeric-only characters. Fortunately most sites that I have encountered allow longer passwords than I care to generate, with at least some symbol characters included, but I have been surprised by some of the sites that do not, organizations that I thought would know better. I understand that it takes more storage space to accommodate longer passwords and storage space is not free, but with the low cost of storage these days I think that when comparing the cost of storage to the cost of a break-in, it is very shortsighted to restrict passwords to 12 or fewer characters.
Posted by:
My spouse and I know each other's passwords and use them for making airline reservations, etc. Do programs like Roboform and KeePass allow passwords to be accessed by two people using different computers?
Posted by:
I must confess, I am guilty of making up passwords based on everything said in the first paragraph of "Everything you know about passwords is wrong". Shame on me. Yet I would have continued to do so were it not for this great article pointing this out and supplying excellent ways to generate passwords in such a way that someone could take 1000 years to figure it out. Many thanks, Bob! BTW, I went to XKCD and found hilarious stuff that probably would stump the average Joe. Bookmarked for future laughs!
Posted by:
If a person has several (or even more than 2) accounts that require a password, they would be foolish NOT to be using a password manager program like those mentioned - LastPass, KeePass, or Roboform. Not only are the generated passwords strong, access to the password vault is secure, the program connects to the necessary web site for you, and the program is accessible by more than one person or computer IF you share your master access. I laugh at someone who writes their passwords down in a book. I have helped many foolish people regain access to their computer by hacking their simple passwords. My record was 8 seconds, by trying one person's previous dog's name.
Posted by:
Bob, I really enjoy all your articles. What would be wrong with creating an "ID & Password" folder and keeping them all in Notepad files? Then when you need any of them you can just copy and paste both. Doing it that way, you're not liable to keyloggers. Thanks
EDITOR'S NOTE: Not necessarily. Some keyloggers can intercept keystrokes entered via copy/paste.
Posted by:
My 50 years of computing experience has been that passwords create more problems than they solve. They are an outdated method of security that should be replaced. I used the same password for over 40 years in multiple situations before it got hacked. I then changed it for my email only. I still use the now 50-year-old one in situations where I don't care if it gets hacked, e.g. Facebook. One experience I had with a site that required a password was that it did not validate the entered password, so it would accept anything entered. A password that most humans never try is nothing: just press enter. Unfortunately most systems do not allow null passwords. Security is all about risk assessment. Ask an actuary about it.
Posted by:
Sharon, you're right. BTW, did you look at the next cartoon? That one made me laugh, too. On a different note, I don't understand the reason I need passwords on a site where I am paying my bills. I keep hoping that someone will hack it and pay on my account.
Posted by:
Bob - my experience is many sites limit the number of password tries to three. If you haven't gotten it right by then you are locked out and the password has to be reset. In that scenario, how can hackers have unlimited time/tries to hack the password? I imagine hackers have no success at the sites that are limited to three tries, so why don't all sites implement that rule? It seems to me that would go a long way towards solving this problem!
EDITOR'S NOTE: The "unlimited attempts" scenario comes into play when a hacker has direct access to a compromised server, and can direct his attacks against the master user/password file.
Posted by:
@geoff.
Posted by:
I have not just changed the last letter or number, but this article is an eye opener... I was hacked on Yahoo. Now I have a Gmail account. I wonder how long till Gmail is hacked? I still clean out my Yahoo mail.
Posted by:
The first thing I don't understand is why companies who hold sensitive data don't encrypt their information, so if the data is hacked it would be unreadable or inaccessible. Next, there should be a two-step approach to security, so you need a password and a special answer that only the operator would know. And finally, the company should prevent access if the user fails to enter the correct password in three or four tries. These approaches would safeguard against any outsider accessing the data.
Posted by:
Password cracking software has long had the ability to immediately override the 3 tries limitation. The 550-year example presumes 1000 tries/second. Edward Snowden has said to presume your adversary capable of 1 trillion tries/second, which for the above example would result in account access in 4 hours and 49 minutes.
Posted by:
To all of you minimising the threat, my advice would be to visit the site (and how-to blog) of forensic password-busting software publisher Elcomsoft. It goes by the cute name of Advanced Password Cracking, and it's fully legitimate, by the way (it sells to law enforcement and the like): https://blog.elcomsoft.com That's what the good guys are able to do. Now imagine what the bad guys might be up to.
Posted by:
I use LastPass, and for LastPass I have Diceware.
Posted by:
When you mention CMU geeks, there ought to be a link to their site for testing password strength: https://cups.cs.cmu.edu/meter/ Great article, thanks!
Posted by:
One of my banking institutions forces me to change my password every six months, with the following results. One time I entered 18 characters for my new password and it took it. On trying to use my new password, I discovered there was a maximum length of 17 characters. Did it truncate from the high-order or low-order? Did it not really take the new password? When I called them, all they asked me was my name and SSN and they gave me a temporary password right over the phone. Another time when I was required to change my password, I used my old password as my new password and it took it. This is security! BTW, I use RoboForm as a password manager. I currently use the free, desktop-only version. Previously, this was called the desktop version, and had a cost. I also use VeraCrypt to keep everything important secure. And I back up religiously.
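The truncation and reuse problems described in this comment, as an added illustration that is not code from the page or from any bank: a constructed account class that silently cuts the password to 17 characters when storing it but not when checking it, beside one that applies the same length policy on every path, rejects empty passwords, and refuses the old password as the new one. The limits, the hash parameters and the class names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed policy values for this illustration, not the bank's real limits.
BUGGY_LIMIT = 17          # the undisclosed maximum the comment above ran into
MIN_LEN, MAX_LEN = 12, 128

def _digest(password: str, salt: bytes) -> bytes:
    # Slow salted hash; output is fixed-size whatever the input length,
    # so a low length cap is a policy choice, not a storage requirement.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def password_ok(password: str) -> bool:
    """Length policy applied identically on every path (also rejects the empty string)."""
    return MIN_LEN <= len(password) <= MAX_LEN

class BuggyAccount:
    """Truncates on store but verifies the full input, and never checks for reuse."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = _digest(password[:BUGGY_LIMIT], self.salt)

    def change_password(self, new: str) -> bool:
        self.digest = _digest(new[:BUGGY_LIMIT], self.salt)   # silent truncation
        return True                                            # "it took it"

    def login(self, password: str) -> bool:
        # Full 18-character input is hashed here, so it never matches the stored 17.
        return hmac.compare_digest(_digest(password, self.salt), self.digest)

class FixedAccount:
    """Explicit length check, no truncation, fresh salt, no reuse of the old password."""
    def __init__(self, password: str):
        if not password_ok(password):
            raise ValueError("password violates length policy")
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)

    def change_password(self, new: str) -> bool:
        if not password_ok(new) or self.login(new):   # reject bad length and reuse
            return False
        self.salt = os.urandom(16)                    # new salt on every change
        self.digest = _digest(new, self.salt)
        return True

    def login(self, password: str) -> bool:
        if not password_ok(password):                 # same rule as at change time
            return False
        return hmac.compare_digest(_digest(password, self.salt), self.digest)
```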
Posted by:
I have used 1Password almost from the day it was created. It can create long randomly generated passwords that meet Bob's suggested criteria rather than those he suggests are poor choices. It suggests them automatically when you are on a new site, and you can modify them as well. 1PW will even scan all of your passwords and check them for duplication, even partial duplication, for those who use their initials or similar in their passwords as a memory aid. That memory aid idea negates the concept of a password tool. You do not need memorable passwords if you use 1Password. It syncs between your computers and phone. Everything it stores is encrypted. All the user has to remember is the password for 1Password itself! There are other tools that do similar things. Everyone should use such tools.