Here's Why Your Password is Hackable - Comments Page 3

Category: Security



All Comments on: "Here's Why Your Password is Hackable"

Comment Page:  1  |  2  | 3

Posted by:

Donald Potts
13 Sep 2017

I would love to go back to the Microsoft fingerprint reader I had that you could use in lieu of passwords !
Is there anything like that available now??

Posted by:

Jay Bingham
13 Sep 2017

I have used the password manager KeePass for years. It is free and is available for multiple operating environments. Since I have used it I have been generally using 20 character randomly generated passwords, but recently began moving to 24 character passwords where possible. The thing that frustrates me, because I want to use long passwords, is when I set up a new password on a site and find that I am limited to a password of 12 or fewer alphanumeric only characters. Fortunately most sites that I have encountered allow longer passwords than I care to generate with at least some symbol characters included, but I have been surprised by some of the sites that do not, organizations that I thought would know better. I understand that it takes more storage space to accommodate longer passwords and storage space is not free, but with the low cost of storage these days I think that when comparing the cost of storage to the cost of a break in, it is very shortsighted to restrict passwords to 12 or fewer characters.

Posted by:

TomsDT
13 Sep 2017

My spouse and I know each others' passwords and use them for making airline reservations, etc. Do programs like Roboform and Keepass allow passwords to be accessed by two people using different computers?

Posted by:

Sharon Hutchinson
13 Sep 2017

I must confess--I am guilty of making up passwords based on everything said in the first paragraph of "Everything you know about passwords is wrong". Shame on me. Yet I would have continued to do so were it not for this great article pointing this out and supplying excellent ways to generate passwords in such a way that someone could take 1000 years to figure it out. Many thanks, Bob!

BTW, I went to XKCD and found hilarious stuff that probably would stump the average Joe. Bookmarked for future laughs!

Posted by:

Mikey
13 Sep 2017

If a person has several (or even more than 2) accounts that require a password, they would be foolish NOT to be using a password manager program like those mentioned - LastPass, KeePass, or Roboform.

Not only are the generated passwords strong; access to the password vault is secure, the program connects to the necessary web site for you, and the program is accessible by more than one person or computer IF you share your master access.

I laugh at someone who writes their passwords down in a book. I have helped many foolish people regain access to their computer by hacking their simple passwords. My record was 8 seconds by trying one person's previous dog's name.

Posted by:

Robert
13 Sep 2017

Bob, I really enjoy all your articles. What would be wrong with creating an "ID & Password" folder and keeping all on Notepads? Then when you need any of them you can just copy and paste both when you need them. Doing it that way, you're not liable to keyloggers. Thanks

EDITOR'S NOTE: Not necessarily. Some keyloggers can intercept keystrokes entered via copy/paste.

Posted by:

geoff
14 Sep 2017

My 50 years of computing experience has been that passwords create more problems than they solve. They are an outdated method of security that should be replaced.

I used the same password for over 40 years in multiple situations before it got hacked. I then changed it for my email only. I still use the now 50 year old one in situations where I don't care if it gets hacked, e.g. Facebook.

One experience I had with a site that required a password was that it did not validate the entered password so would accept anything entered.

A password that most humans never try is nothing, just press enter. Unfortunately most systems do not allow null passwords.

Security is all about risk assessment. Ask an actuary about it.

Posted by:

Jay R
14 Sep 2017

Sharon, you're right. BTW, did you look at the next cartoon? That one made me laugh, too.

On a different note, I don't understand the reason I need passwords on a site where I am paying my bills. I keep hoping that someone will hack it and pay on my account.

Posted by:

Herb
14 Sep 2017

Bob - my experience is many sites limit the number of password tries to three. If you haven't gotten it right by then you are locked out and the password has to be reset. In that scenario, how can hackers have unlimited time/tries to hack the password? I imagine hackers have no success at the sites that are limited to three tries, so why don't all sites implement that rule? It seems to me that would go a long way towards solving this problem!

EDITOR'S NOTE: The "unlimited attempts" scenario comes into play when a hacker has direct access to a compromised server, and can direct his attacks against the master user/password file.

Posted by:

RandiO
14 Sep 2017

@geoff.
I would venture to guess that the password you were using 50 years ago (and to this date) has got to be only 4 characters in length. But I am also guessing that there are not that many sites which would allow a 4-digit password entry in the 21st century. Could this be the reason for wrongly stating "...create more problems than they solve"?
I have prescribed strong AND unique passwords for over a dozen years as an essential need, just like making sure there is TP when you visit the bathroom, or stocking up on toothpaste for the toothbrush. It is not rocket science to create/update passwords and to remember them (along w/ religious use of a password manager, such as KeePass).
The only issue I have with unique/strong password generation is when sites/programs limit the maximum character length of the password: Microsoft Outlook.com used to limit the password length to 16 and WesternDigital limits theirs to 14 characters max. That is just plain wrong! I think the Apple iPhone EXS facial recognition is a great idea for entry to Fort Knox, but I will opt out maybe until DNA verification becomes a mandatory standard for smartphones... at which point, I will opt out altogether from using them!

Posted by:

Deborah
15 Sep 2017

I have not just changed the last letter or number, but this article is an eye opener...I was hacked in yahoo. Now I have a Gmail account. I wonder how long till Gmail is hacked? I still clean out my yahoo mail.

Posted by:

GARRY PRIBBLE
15 Sep 2017

The first thing I don't understand is why companies who hold sensitive data don't encrypt their information so if the data is hacked it would be unreadable or inaccessible. Next, there should be a two step approach to security so you need a password and a special answer that only the operator would know. And finally, the company should prevent access if the user fails to enter the correct passwords in three or four tries. These approaches would safeguard any outsider from accessing the data.

Posted by:

Narada
16 Sep 2017

Password cracking software has long had the ability to immediately override the 3 tries limitation.

The 550 year example presumes 1000 tries/second. Edward Snowden has said to presume your adversary capable of 1 trillion tries/second, which for the above example would result in account access in 4 hours and 49 minutes.
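Herb's question about three-strikes lockouts, the editor's reply that the "unlimited attempts" case is an attacker working on a stolen password file, and Narada's point about guessing rates all turn on the same distinction: online guessing is throttled by the site, offline guessing is throttled only by how fast the hash can be computed. The following is an added example, not code from the article or from any commenter, that makes the difference concrete. The "leaked" records, the wordlist, the mangling rules and the two guessing rates are constructed for illustration; salted SHA-256 stands in for the fast hashing that makes offline cracking cheap (a real site should use a slow KDF such as bcrypt, scrypt or Argon2).

```python
"""Offline guessing versus online lockouts (added example, constructed data)."""
import hashlib
import os


def hash_password(password: str, salt: bytes) -> str:
    # One cheap hash per guess: on a GPU an attacker tests billions per second.
    return hashlib.sha256(salt + password.encode()).hexdigest()


class OnlineLogin:
    """A site's login form: three wrong guesses and the account locks."""
    MAX_TRIES = 3

    def __init__(self, records):
        self._records = records          # username -> (salt, hex digest)
        self._failures = {}

    def attempt(self, username: str, password: str) -> str:
        if self._failures.get(username, 0) >= self.MAX_TRIES:
            return "locked"
        salt, digest = self._records[username]
        if hash_password(password, salt) == digest:
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "wrong"


def mangle(word: str):
    """Cracker-style rules: as typed, capitalised, year or digit appended, leetspeak."""
    for base in (word, word.capitalize()):
        yield base
        for year in range(2010, 2018):
            yield f"{base}{year}"
        for digit in range(10):
            yield f"{base}{digit}"
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")


def crack_offline(records: dict, wordlist: list):
    """With the hash file in hand there is no lockout; only hash speed limits the attacker."""
    cracked, guesses = {}, 0
    for username, (salt, digest) in records.items():
        for word in wordlist:
            if username in cracked:
                break
            for guess in mangle(word):
                guesses += 1
                if hash_password(guess, salt) == digest:
                    cracked[username] = guess
                    break
    return cracked, guesses


def seconds_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length over this alphabet."""
    return alphabet ** length / guesses_per_second


def demo():
    # Constructed "leak": three users, two of them with guessable passwords.
    users = {"alice": "Fido2017", "bob": "p@ssw0rd", "carol": "Tr0ub4dor&3"}
    records = {}
    for user, password in users.items():
        salt = os.urandom(8)
        records[user] = (salt, hash_password(password, salt))
    wordlist = ["fido", "summer", "password", "letmein"]   # constructed

    cracked, guesses = crack_offline(records, wordlist)

    # The same style of guesses against the live site: the lockout stops the
    # attacker after three, even though the fourth guess is the right one.
    site = OnlineLogin(records)
    online = [site.attempt("alice", g) for g in ("fido", "Fido", "fido2017", "Fido2017")]

    # Eight printable-ASCII characters (95-symbol alphabet): a long time at
    # 1,000 guesses/s, a couple of hours at 10^12 guesses/s.
    slow_years = seconds_to_exhaust(95, 8, 1e3) / (365.25 * 86400)
    fast_hours = seconds_to_exhaust(95, 8, 1e12) / 3600
    return cracked, guesses, online, slow_years, fast_hours


if __name__ == "__main__":
    cracked, guesses, online, slow_years, fast_hours = demo()
    print(f"offline: cracked {cracked} in {guesses} guesses")
    print(f"online: {online}")
    print(f"95^8 keyspace: {slow_years:.0f} years at 1e3/s, {fast_hours:.1f} hours at 1e12/s")
```

Two things to take from running it. The lockout class refuses alice's correct password on the fourth try, so an attacker working through the login form really is stuck at three guesses per account; the offline loop recovers the two weak passwords in a few hundred hashes with nothing to stop it, and "carol", whose password is not a dictionary word with a rule applied, survives. The keyspace arithmetic is the other half of Narada's point: the same 95^8 space that looks safe at a thousand guesses a second is exhausted in under two hours at a trillion, which is why the rate the site enforces says nothing about how long a leaked hash will hold.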

Posted by:

Clairvaux
21 Sep 2017

To all of you minimising the threat, my advice would be to visit the site (and how-to blog) of forensic password-busting software publisher Elcomsoft. It goes by the cute name of Advanced Password Cracking, and it's fully legitimate, by the way (it sells to law enforcement and the like):

https://blog.elcomsoft.com

That's what the good guys are able to do. Now imagine what the bad guys might be up to.

Posted by:

Tommy Bengtsson
26 Dec 2017

I use LastPass, and for LastPass I have Diceware.

Posted by:

Jeff Lindsay
27 Dec 2017

When you mention CMU geeks, there ought to be a link to their site for testing password strength: https://cups.cs.cmu.edu/meter/

Great article, thanks!

Posted by:

DBAsteve
27 Dec 2017

One of my banking institutions forces me to change my password every six months; with the following results.

One time I entered 18 characters for my new password and it took it. On trying to use my new password, I discovered there was a maximum length of 17 characters. Did it truncate from the high-order or low-order? Did it not really take the new password?

When I called them, all they asked me was my name and SSN and they gave me a temporary password right over the phone.

Another time when I was required to change my password, I used my old password as my new password and it took it.

This is security!

BTW, I use RoboForm as a password manager. I currently use the free, desktop only version. Previously, this was called the desktop version, and had a cost. I also use VeraCrypt to keep everything important secure. And I backup religiously.
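Jay Bingham's comment about length limits and DBAsteve's bank, which accepted an 18-character password and then stored something else, describe the same server-side mistake from two sides. The example below is added here and is not code from the article, the bank, or any commenter. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, the 17-character limit and the two toy "site" classes are illustrative. It shows that a properly hashed password occupies the same number of bytes whether the user typed 12 characters or 64 (so storage is not a reason to cap length), what silent truncation looks like at login time, and how a site would instead reject over-long input up front and refuse a "new" password that matches the old one.

```python
"""Password length limits, hashed storage and silent truncation (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000    # illustrative; tune to your hardware
SALT_BYTES = 16
DIGEST_BYTES = 32


def make_record(password: str) -> bytes:
    """Return salt || PBKDF2 digest: always 48 bytes, whatever the password length."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, DIGEST_BYTES)
    return salt + digest


def verify(record: bytes, password: str) -> bool:
    salt, digest = record[:SALT_BYTES], record[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, DIGEST_BYTES)
    return hmac.compare_digest(candidate, digest)


class TruncatingSite:
    """Models the failure reported above: the change-password form accepts 18
    characters but only the first 17 are hashed, so the password the user
    actually typed never matches and the one they did not type does."""
    MAX = 17

    def set_password(self, password: str) -> bool:
        self.record = make_record(password[: self.MAX])   # silent cut
        return True

    def login(self, password: str) -> bool:
        return verify(self.record, password)


class ValidatingSite:
    """Rejects over-long input instead of altering it, and refuses a new
    password that is the same as the current one."""
    MAX = 1024   # generous: hashing makes length irrelevant to storage

    def set_password(self, password: str) -> bool:
        if len(password) > self.MAX:
            raise ValueError(f"password longer than {self.MAX} characters")
        self.record = make_record(password)
        return True

    def change_password(self, old: str, new: str) -> bool:
        if not verify(self.record, old):
            raise ValueError("current password incorrect")
        if verify(self.record, new):
            raise ValueError("new password must differ from the current one")
        return self.set_password(new)

    def login(self, password: str) -> bool:
        return verify(self.record, password)


if __name__ == "__main__":
    print("12-char record:", len(make_record("a" * 12)), "bytes")
    print("64-char record:", len(make_record("a" * 64)), "bytes")
    t = TruncatingSite()
    t.set_password("x" * 18)
    print("truncating site, login with 18 chars:", t.login("x" * 18))
    print("truncating site, login with 17 chars:", t.login("x" * 17))
```

Silent truncation is not only a toy-bank problem: bcrypt, for instance, ignores everything past the 72nd byte of input, so a site that does not check length before hashing can quietly accept a long passphrase and then verify only its prefix. The fix is the same either way: validate length (or pre-hash) before the KDF sees the input, and never cut the string.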

Posted by:

Isaac
02 Oct 2018

I have used 1Password almost from the day it was created.

It can create long randomly generated passwords that meet Bob's suggested criteria rather than those he suggests are poor choices.

It suggests them automatically when you are on a new site and you can modify them as well. 1PW will even scan all of your passwords and check them for duplication, even partial duplication, for those who use their initials or similar in their passwords as a memory aid. That memory aid idea negates the concept of a password tool. You do not need memorable passwords if you use 1Password.

It syncs between your computers and phone. Everything it stores is encrypted. All the user has to remember is the password for 1Password itself!

There are other tools that do similar things. Everyone should use such tools.
