; TOT; Piggin passwords

I believe Santander do that.

Reply to
Chris Bartram

Well, here's one for Plowperson: 1!Hate!Maggie

Reply to
The Natural Philosopher

I have Figaro's password manager. One password to rule them all.

Reply to
The Natural Philosopher

The point about a password manager is this:

If any one of your passwords that you use online is nicked, it doesn't compromise any others.

Since you never use the master password except to unlock the password manager, it is unlikely that anyone will get to know it.

Since the encrypted passwords are held on only one machine, it's unlikely they will be hacked and cracked either.

This is the only way to ameliorate this habit of having totally different password requirements on sites.

Reply to
The Natural Philosopher

See

formatting link

Tim

Reply to
Tim+

It is a *VERY* bad idea to use the same password for multiple sites.

You should at the very least use a different one for banking than you do for everything else. I have distinct secure ones for everything that matters and relatively weak ones for websites that don't.

When eBay/Paypal was compromised I only had to change their passwords - if I had used the same password elsewhere they would need to be changed.

The uppercase letter offers only a very limited (2x) improvement if you naively put it at the start.

If you choose a restricted alphabet the password of length N is much weaker. N>7 is a reasonable choice; anything shorter is too weak.

[a-z] => 26^N = X
[a-z,A-Z] => 52^N = X.2^N
[a-z,A-Z,0-9] => 62^N ~ X.2.38^N
[!-~] => 94^N ~ X.3.6^N

So for an 8 character password the larger alphabet is progressively 256, 1030, 28200 times harder to crack than all lower case.

That said a worrying number of people use password, 12345678, qwerty or if they think they are being clever pa55w0rd. All of which will fail in the first few milliseconds of any classic attack.

A four letter password barely puts up any resistance at all, nor do any words found in dictionaries, dates or placenames.

Increasingly websites do insist that your password reaches some minimum level of security and will not fail instantly to a dictionary attack.

I find it annoying when they don't specify which character set is allowed and my choice is too unusual for their password filter.

Reply to
Martin Brown
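The alphabet-size arithmetic in the post above, worked through in a small script. This is an added example, not code from anyone in the thread: it computes the four search spaces exactly (the post rounds 62/26 to 2.38 and 94/26 to 3.6, so its 1030 and 28200 come out as 1045 and 29190 here), reports the usual log2 "bits" figure, and goes one step further than the post by classifying a given password into the smallest of the four alphabets that contains it, which is the space a cracker working from the small alphabets upwards has to cover. The sample passwords and the 1e10 guesses/second rate are constructed assumptions; the classifier measures brute-force space only, so a dictionary word like "password" still scores 26^8 even though, as the post says, it falls in milliseconds.

```python
import math
import string

# The four alphabets from the post: sizes 26, 52, 62 and 94.
LOWER = string.ascii_lowercase                           # [a-z]
MIXED = string.ascii_letters                             # [a-z,A-Z]
ALNUM = string.ascii_letters + string.digits             # [a-z,A-Z,0-9]
PRINTABLE = "".join(chr(c) for c in range(0x21, 0x7F))   # [!-~], 94 characters


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search of this alphabet/length covers."""
    return alphabet_size ** length


def ratio_vs_lowercase(alphabet_size: int, length: int) -> int:
    """How many times larger the space is than lower-case-only at the same length
    (integer part of the exact ratio, not the post's rounded 2.38^N and 3.6^N)."""
    return search_space(alphabet_size, length) // search_space(26, length)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: the usual 'bits of strength' figure."""
    return length * math.log2(alphabet_size)


def effective_alphabet_size(password: str) -> int:
    """Size of the smallest of the four alphabets containing every character of
    the password. A cracker that tries lower case first, then mixed case and so
    on, only has to search this far, which is why an all-lower-case choice is
    weak even when the site would have allowed the full 94-character set."""
    for alphabet in (LOWER, MIXED, ALNUM, PRINTABLE):
        if all(ch in alphabet for ch in password):
            return len(alphabet)
    raise ValueError("password contains characters outside printable ASCII")


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in the password's effective space
    at an assumed guess rate (a constructed figure, not a measurement)."""
    size = effective_alphabet_size(password)
    return search_space(size, len(password)) / guesses_per_second


if __name__ == "__main__":
    n = 8
    for name, size in (("[a-z]", 26), ("[a-z,A-Z]", 52),
                       ("[a-z,A-Z,0-9]", 62), ("[!-~]", 94)):
        print(f"{name:14} {size}^{n} = {search_space(size, n):>20,d}  "
              f"x{ratio_vs_lowercase(size, n):>6,d} vs lower case  "
              f"{entropy_bits(size, n):5.1f} bits")
    # Constructed sample passwords; 1e10 guesses/s is an assumed offline rate.
    for pw in ("password", "Password", "pa55w0rd", "P4ss!w0rd"):
        print(f"{pw!r:12} alphabet {effective_alphabet_size(pw):2d}  "
              f"exhaust in {seconds_to_exhaust(pw, 1e10):,.0f} s")
```

Running it shows the 256x step from adding capitals is the cheap one (a single bit per character), while moving to the full printable set is worth roughly two extra bits per character; the same script applied to "pa55w0rd" shows that leetspeak substitutions only move a password into the 62-character space, not out of the dictionary lists the post warns about.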

And they don't tell you what the password filter is, only why you failed it.

So you enter passwords over and over with a different error each time.

Reply to
The Natural Philosopher

That is actually a secure form of challenge and with practice you can memorise a password to recall individual characters without writing it down. The sites using this method that annoy me are the ones where you have to hit tab to move between input fields. If you type in the entire password and there is a keylogger and no countermeasures (or they too have been compromised) then you are already lost.

The point is that you never disclose the entire password and on some sites you input it using an unconventional no-keyboard method.

Increasingly banking sites are using two factor password and PIN challenges and allow you to customise the home page with a slogan and a picture of your choice so you can easily spot a forgery.

Reply to
Martin Brown

I keep the more sensitive passwords in an obscure text file on an external hard drive, but I suppose it's possible to list the most frequently accessed files? An expert house breaker who's also a computer whizz is the stuff of nightmares :-)

Reply to
stuart noble

Yep.

Not if you encrypt that file.

Reply to
Blanco

formatting link

Just use a password manager.

I remember the passwords I use a lot - but the ones to give a meter reading to the electricity company? No way.

When I set up accounts, I add the name and password to the password manager.

Reply to
The Natural Philosopher

And then you're supposed to forget all the ones that failed and remember the one that passed.

Reply to
Mike Barnes

Some of the worst websites simply store your password on their servers exactly as you type it, so their administrators don't need to guess it: they can see it. They usually know your email address too, so they *could* take your password home on a memory stick and try logging into eBay/facebook/banks etc. Given their crappy security practices they are probably more likely to get hacked, and your password ends up in China/India/Russia ...

Good websites should store passwords in a "salted hashed" format so they can tell if you got it right, but they can't see it. The complexity requirements you see are so that even if someone hacks their server and steals the salted/hashed copy of your password, it would take the hackers centuries to decode it.

Reply to
Andy Burns

A brute force attack is only realistically possible if the attacker has fast, direct access to the site/system the password is allowing access to.

You can't realistically brute force a web site login via a web connection, each attempt would take a significant amount of time (in computer terms) and any half sensible site should both slow down and eventually stop accepting inputs after a while.

Reply to
cl

Surely only true if the password cracker using brute force *knows* that you're using a restricted alphabet. I suppose they could assume you are, on the basis that many people do use only letters if they're allowed to.

Reply to
cl

Some now want a non-alphanumeric as well I notice. This is why I've not changed my password on my ISP, as if you go into their new much improved site they want you to update the passwords to one with numbers, upper and lower case and non-alphanumerics. This would mean I need to alter all my mail clients' info to the new stuff afterwards. I consider all password systems to be equal risks myself, and it's giving a false sense of security to suggest anything else.

Brian

Reply to
Brian Gaff

Blanco scribbled

Fuck using fingerprints.

Reply to
Jonno

Oh, it's *much* more ...

1) password forms are automatically filled in (when recognised)
2) highly complex passwords can be autogenerated (and saved) when signing up to a new site.
3) If cloud based, you can access your passwords anywhere in the world.

When added to your list, it makes my choice of Lastpass a no brainer - the chances (and risk) of compromise are far outweighed by the convenience - IMHO.

I've set my LP up with Google 2FA, so any attempt to access it requires access to my phone.

Reply to
Jethro_uk

That rather depends on the site...

By precluding use of say an all lower case password, you thwart any attack that will only search the (much smaller) "lower case only" search space.

(think about how tools like L0phtCrack etc work - they try all lower case before they try the larger search spaces, since in many cases that will crack a substantial number of accounts)

I don't think that statement can be supported with maths ;-)

Indeed, but that seems rather more information than the OP needs.

(and if password hashes are properly "salted", then you can mitigate the advantage of rainbow table attacks)

Reply to
John Rumm

True, but it's probably safe to assume that there is a site somewhere with your details on it that will be hacked and lose its database.

If that is one which has not secured your password sufficiently securely, then it can be brute forced at a much higher guess rate. With a re-used password it's a quick way into the more secure sites.

Reply to
John Rumm
