TOT passwords

Today I had a proposed password being rejected as suitable because it had 3 consecutive (horizontal) letters on a qwerty keyboard anywhere in the password ("qwe" or "wer" etc.). This was in a strong password that already contained capital and lower case letters, numbers and special characters such as dollar signs.

At least it was rejected at the time of trying to enter it. A B&Q password cannot contain special characters but will be accepted as a password with them in when setting it up. It later rejects a log-in with this invalid password :(

Reply to
alan_m

Interesting. I have long been using passwords created by a pseudo random password generator I wrote in an Excel spreadsheet, but that wasn't something I knew I had to check for.

Reply to
Colin Bignell

I have tried several formulas for creating easily remembered passwords. Many years ago I decided to test the formula on one of those test sites like

formatting link

It told me that a supercomputer could crack it in 3 trillion years. I immediately wrote to my daughter abroad recommending it to her.

She wrote back and said "I'm not going to bother, mine's good for 600 million years".

I just tried one of mine on

formatting link
It told me that "a computer" could crack it in only 1000 million years. Should I be worried?

:)

Reply to
pinnerite

The hackers don't break passwords - they try and steal them either as a phishing exercise or just hacking into the organisation/company that needs to store your details.

Reply to
alan_m

I use a password generator which allows me to specify length, what characters to choose from (upper/lower case, numbers, special characters etc). It works well. What I can't do is find out what the restrictions are on the websites I want to use the passwords for, in particular banks. I've tried with banks and they won't tell me, I suppose understandably. A couple of times I've locked myself out by trying to set a password it doesn't like, and it won't then accept the old one either. Tedious phone calls to the bank then needed to get a password reset.

Reply to
Davidm

I do think there is extreme paranoia about security at the moment. It has been my experience generally that it's not the password strength that is the issue, it's how easy it is to hack into your machine and steal it. Most people do write them down so they can keep track of them. The other school of thought is that you use a master password on a password manager and all the others are not known to you. Either way, it's often the hacking from bogus hotspots near cafes and internet comms hubs via wifi that gather stuff. This recent two factored crap Google are doing is causing no end of problems, forcing Google to backtrack and offer one time passwords for email software that cannot handle two factor or validation files. In my view people need to be told that connecting via wifi with personal data is probably not a good idea no matter how you do it. Wired connections are still more secure. Also check for malware with a third party bit of software downloaded from a reputable place. Brian

Reply to
Brian Gaff

Even then, with a decently-run site they will only get a hash, have to know the hashing algorithm and have to find the password that corresponds to the hash by brute force. I believe that 'secret', 'qwerty' and '1234' will recover many.

If you forget a password and the site sends you an email containing it, rather than assisting you to create a new one, change this password every day, as the site is storing it complete rather than as a hash. I don't think this happens much now, as most sites use fairly decent third-party software for this kind of thing.

Reply to
Joe

Are there still servers allowing multiple access attempts? Rather than 3 failed attempts to one account, all access to that account locked out for 10 minutes.

3 more access attempts to that account, then all access locked out for 1 hour. 3 more attempts, then locked out for a day.
Reply to
N_Cook

If they salt the hash, then common passwords like that won't all be revealed as sharing a hash.

Reply to
Andy Burns

In my time the most dangerous security breach my engineer discovered at a customer site was the root passwords written down behind the receptionist's desk and the auto answer modems on the staff PCs connected to their DDI numbers who wanted to work from home. If you want to hack a central server, bribe the sysadmin. Much cheaper.

Reply to
The Natural Philosopher

At a client's it was a link to the outside world, added to what should have been a totally isolated network, so that an operator could watch videos!

Reply to
SteveW
