OT How strong need my password be?

"We do not impose any restrictions with regard to passwords, but we ask our users to be responsible and to choose sufficiently strong passwords to properly protect their account. We recommend that passwords have at least 8 characters and be composed of letters and numbers. "

This is the most lenient of password standards and yet even it

*recommends* 8 characters and letters and numbers.

What do you all think is needed for passwords when no money is involved and the security of my computer is not involved??

Why do I need more than a minimum password, like abcd, and only because their form requires one, for a newspaper web site, a computer q&a site, my electric bill (What will they do, pay it for me?), driver download sites, my ink cartridge site and all the other places I spend money as long as I use Paypal and my credit card number doesn't show**??

Even for my medical information, I don't see why it needs to be protected. I have no venereal or embarrassing diseases, I'm not dying, I can't be blackmailed with it.

Yet that all make it sound like an uncrackable password is needed.

Why isn't abcd good enough?

**I don't think it shows anywhere anymore, only the last 4 digits.
Reply to
Micky

I know you're baiting me...

Reply to
bob_villain

If you got to see my personal information you'd probably be bored by it. The only concern is if someone can make changes or somehow be malicious.

One thing I don't understand is the need to change passwords. If you've not hacked my account in the past year, I may change it to something you'd guess on the first try. Now I use the same password for everything. It has 16 capital letters, the biggest city in every New England state, the numbers of every locker combination I had in high school, and ends with a comma. Takes me 25 minutes to log on, but I feel secure.

Reply to
Ed Pawlowski

IME, most breaches are because data can be queried *from* an information system.

Instead of:

    get user's stored password
    compare to what he has typed in
    allow access iff they agree

it should always be: user X claims his password to be Y; is this correct? I.e., the information system only tells the entity making the query whether Y is correct for X (at this time). If not, the querant only knows "it is not Y; one down, NNN left to try!"

Then, you can monitor traffic to decide when someone is trying to brute force attack with repeated attempts. And, disallow those attempts (make them more expensive or block them entirely)

Any system that allows an adversary to defeat this monitoring is ripe for hacking. E.g., XP/Vista passwords can usually be cracked in minutes -- USING THE CPU POWER OF THE VICTIM'S PC! Once you have physical access to the PC, you can subvert that monitoring: don't let it boot its *normal* OS, but, instead, boot something that does YOUR bidding using ITS horsepower!

[This is why security conscious houses disallow USB/CD/DVD/floppy/PXE boots; it ensures that the machine will ALWAYS be under the control of the security team operating the machines (unless you physically break INTO the machine)]

All passwords should be well chosen. A common exploit is to gain access to one "service" through a poorly chosen password. Then, use this to leverage some OTHER service with a more secure password.

For example, using a crappy password on your email account. But, your BANK account has that email account listed as the mechanism by which you can request your BANK password be reset. Adversary pwns your email account; then uses that to convince your bank (your bank's computer!) to let you change the bank password!

I have particularly long, "random" passwords (i.e., no pet names, no birthdates, etc. Passwords that are more like NON VANITY license plates issued by a DMV -- only longer: "What does LKY3F444 mean?" "No doubt the next one in the pile after LKY3F443!")

(but, this requires you to be able to commit odd sequences to memory)

Reply to
Don Y
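The verifier-as-oracle design in the post above, as an added example that is not part of the thread: the store holds only a salted PBKDF2 hash, `verify()` answers nothing but "ok", "no" or "locked", and repeated wrong guesses are counted so that a brute-force run hits a lockout before it gets far. The user table, the guess sequence (starting with the thread's "abcd"), the iteration count and the lockout thresholds are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed in-memory "information system": username -> (salt, hash).
# Only verify() reads this table; callers never see the stored hash.
_USERS = {}
PBKDF2_ITERATIONS = 100_000      # illustrative; tune so each guess costs real CPU time

# Failed-attempt bookkeeping: username -> (consecutive failures, locked_until)
_FAILURES = {}
MAX_ATTEMPTS = 5                 # illustrative thresholds
LOCK_SECONDS = 60


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so an offline or online guess is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(user: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[user] = (salt, _derive(password, salt))


def verify(user: str, candidate: str, now: Optional[float] = None) -> str:
    """Answer only: is `candidate` the password for `user` right now?

    Returns "ok", "no" or "locked". The caller learns nothing else, and
    after MAX_ATTEMPTS wrong answers the account is throttled for LOCK_SECONDS.
    """
    now = time.time() if now is None else now
    count, locked_until = _FAILURES.get(user, (0, 0.0))
    if now < locked_until:
        return "locked"

    # Unknown users get a dummy salt so the response time does not reveal
    # whether the account exists.
    salt, stored = _USERS.get(user, (b"\x00" * 16, b""))
    computed = _derive(candidate, salt)
    if stored and hmac.compare_digest(computed, stored):
        _FAILURES.pop(user, None)          # success resets the counter
        return "ok"

    count += 1
    if count >= MAX_ATTEMPTS:
        _FAILURES[user] = (count, now + LOCK_SECONDS)
    else:
        _FAILURES[user] = (count, 0.0)
    return "no"


def demo() -> list:
    """Five bad guesses (constructed), then the right password while locked,
    then the right password after the lock expires."""
    register("micky", "troutlineswazeywater")
    results = [verify("micky", g, now=0.0) for g in ["abcd", "abce", "abcf", "abcg", "abch"]]
    results.append(verify("micky", "troutlineswazeywater", now=1.0))    # correct, but locked
    results.append(verify("micky", "troutlineswazeywater", now=100.0))  # lock has expired
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout is what makes the "one down, NNN left to try" arithmetic work for the defender: the attacker's guess rate, not the user's password length alone, bounds the attack. As the post goes on to say, none of this helps once the attacker can boot the machine into something else and read the hash table directly.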

Google "medical identity theft".

An information leak LAST WEEK leaves you vulnerable THIS WEEK -- and NEXT, etc. -- until the information that was leaked is no longer accurate. Will all of the folks who hold accounts of yours promptly notify you of that leak? Will they even KNOW about it?

Changing passwords unilaterally is one thing YOU can do without requiring any response from each of those "account providers".

And, folks who don't change passwords tend also to use the same password for everything -- for the same reason: laziness/convenience.

There are systems that will automatically change your password for you (e.g., S/key). These (one time use) also have the benefit of alerting you when someone has guessed one of the passwords -- because it will have been *used* before you get a chance to use it legitimately!

A friend runs a data center for a large multinational bank. When he's visited, he carries a little device that continuously updates the "password of the MOMENT". So, he can access the bank's servers from wherever he happens to be -- yet the password that he used to gain access is automatically invalidated at the end of that one (?) minute window. I.e., you need to possess that little gizmo in order to know what the password will be WHEN YOU CHOOSE TO LOG IN.

Reply to
Don Y
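The two one-time-password schemes mentioned above, as an added example that is not from the thread: an S/Key-style hash chain, where the server keeps only the last link and each login moves it one step back so a sniffed or guessed password can never be replayed (which is exactly why a legitimate login failing is an alarm), and an RFC 6238 time-based code of the kind the "password of the MOMENT" gizmo computes. The chain seed and length are constructed; the TOTP check uses the RFC's own published test secret.

```python
import hashlib
import hmac
import struct
import time


def skey_chain(seed: bytes, n: int) -> list:
    """Lamport/S/Key chain: h_0 = seed, h_i = SHA-256(h_{i-1}).

    The server is given h_n. The user spends h_{n-1}, h_{n-2}, ... in order;
    knowing h_i does not let anyone compute h_{i-1}.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class SKeyServer:
    def __init__(self, last: bytes):
        self.last = last  # hash of the next acceptable one-time password

    def login(self, otp: bytes) -> bool:
        if hmac.compare_digest(hashlib.sha256(otp).digest(), self.last):
            self.last = otp  # advance the chain; this otp is now burned
            return True
        return False


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def demo_skey() -> list:
    """Constructed chain of length 3: first use succeeds, a replay of the
    same value fails, the next link succeeds."""
    chain = skey_chain(b"constructed seed; use os.urandom in practice", 3)
    server = SKeyServer(chain[3])
    return [server.login(chain[2]), server.login(chain[2]), server.login(chain[1])]


if __name__ == "__main__":
    print(demo_skey())
    print(totp(b"12345678901234567890", int(time.time())))
```

In the S/Key case the replay failing is the detection signal the post describes: if the user's own next password is rejected, someone else has already spent it. The TOTP code is only as good as the secret shared with the token and the server's check of the clock window, so in practice it is paired with an attempt counter like the one in the earlier example.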

Why make it easy for the bad guys?

Maybe use KeePass or similar to store your passwords?

KeePass prolly won't keep the CIA out but if the CIA is interested in you then you got bigger problems than password management.

Reply to
0ren

Easy to do what? That's my point. Easy to see my past orders from Amazon, easy to ask questions on a computer forum, easy to find out my medical records. I don't care.

Reply to
Micky

But then how does my userid and password help him? If I can't find it on the website, and he can only find by bypassing the website (so that the password won't do him any good), he can already do that, with or without my password.

Reply to
Micky

I amend this. I think IF I used a credit card at a site, it wouldn't have to show for me or someone else to charge things and have them sent to a different address, so I add the few places that have my credit card number. (For the record, I've been a good boy and I use a password at all these places.)

Exactly. I'm bored just thinking about it.

The things I listed were places where nothing important can be changed.

Good question.

LOL

Reply to
Micky

I usually use 8 random characters for passwords and change them occasionally. I don't expect to remember them. I keep them written down in various places. It's mostly things like email and my web server, which I want some security for. I use very long passwords for our WiFi and router. If someone's trying to crack those they can afford to take their time. There's a password cracker for Windows called Ophcrack that says it can crack anything up to 14 characters. I don't know why 14. I've used it before and it's worked well, at least on XP.

Your computer has no real security. I just cracked a Win7 box recently. Hiren's boot disk. It doesn't need to crack passwords. It just overwrites them with a blank. So the password could have been 30 random characters. Takes a couple of minutes. (One of my brothers was donating a computer to another brother. He gave it to me to set it up. It was password-protected! I knew my other brother wouldn't be wanting a password, so I just had Hiren wipe whatever was there.)

Here's a fun fact that you might find handy: I saw a report awhile back saying that just using 4 random words is one of the best possible passwords. For instance:

brickpurplebottleskunk

Something like that is easier to remember, and it's possible to make it even easier to remember without providing a pattern that a computer can recognize. For instance, if you fish for trout in the Swazey river in the Summer you could have something like:

troutlineswazeywater

It would make some sense to you while being random to any cracking software.

Reply to
Mayayana
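An added example, not from the thread, putting numbers on the two schemes in the post above: 8 characters drawn at random from the 94 printable ASCII characters versus 4 words drawn at random from a word list. With a 7776-entry list (the size of the common Diceware/EFF lists, an assumption here; the inline list is a constructed toy) the two come out within a bit of each other, and the word version is the one a person can remember. The count only holds when a generator picks the words; words chosen for personal meaning come from a much smaller pool.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars

# Constructed toy list for the demo; a real generator would load a list of
# several thousand words (e.g. a Diceware-style list) instead.
WORDS = ["brick", "purple", "bottle", "skunk", "trout", "line", "water",
         "candle", "river", "maple", "copper", "lantern", "barn", "oak"]


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def random_chars(length: int = 8, alphabet: str = PRINTABLE) -> str:
    """The post's '8 random characters', from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_words(wordlist: list, count: int = 4, sep: str = "") -> str:
    """The post's '4 random words'; the generator, not the user, picks them."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def compare_schemes(wordlist_size: int = 7776) -> dict:
    """Entropy in bits for the two schemes discussed in the thread."""
    return {
        "8 random printable chars": round(entropy_bits(len(PRINTABLE), 8), 1),
        "4 random words": round(entropy_bits(wordlist_size, 4), 1),
        "4 words from this toy list": round(entropy_bits(len(WORDS), 4), 1),
    }


if __name__ == "__main__":
    print(random_chars())
    print(random_words(WORDS))
    print(compare_schemes())
```

The toy-list line in the output is the caveat: four words from a 14-word list are about 15 bits, which a cracker exhausts instantly, so the list size matters as much as the word count.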

I tried that on your account. Worked like a charm. You got to cut back on those Harbor Freight ads, though.

Reply to
Stormin Mormon

It only shows the last 4 digits on the website, there is no guarantee the rest of the digits are not stored on the site and maybe available to someone determined.

Reply to
FrozenNorth

So, what did you use for your password. We all want to know!

Reply to
Paintedcow

ABCD

Reply to
Micky

For a very short time I had a facebook account. I hated it, so I tried to delete it. It would not let me delete it, but did let me suspend it, which means nothing is there. A few months later I got a notice from facebook via email, telling me to change my password. WHY? That's really stupid!

And if people don't think Facebook checks our pages, when I made that page, I accidentally typed the wrong zipcode (1 digit was wrong). I was sent a message telling me I had (a number of days) to correct it, or it would be automatically changed. That alone made me uncomfortable with FB. Why does my zipcode matter anyhow?

Reply to
Paintedcow

You're right. I just logged into your account !!! Now I can change your wallpaper to a really ugly naked woman... HERE GOES !!!

Reply to
Paintedcow

Ooooo. I have no idea how to change wallpaper. What will it take for you to change it back?

Reply to
Micky

Not too much, just a million dollars, and you buy the wallpaper paste!!! ....... :)

Reply to
Paintedcow

My FB account pesters me endlessly for my mobile telephone number "for security purposes". I keep not giving that info out.

- Christopher A. Young, learn more about Jesus.

Reply to
Stormin Mormon

Or, you can delete all his Harbor Freight ads, and watch him go bonkers and into withdrawal.

Reply to
Stormin Mormon
