How Safe Is Your Password?

[ajwakeboarder]

Several Years ago, My wife locked herself out of her computer. She told me it was 4 digits all numbers. She thought the first number was "3". I spent 2 and a half days trying to brute force it the old fashioned way. (0001, 0002, 0003, ect.) I was somewhere in the mid 5000s when I got frustrated and started exploring the "darker" side of the internet. Within 5 minutes, I had a program that could get into her computer. It took a little tweaking to figure it out, but after messing around for another 10 minutes, I learned how to work it. I downloaded it to a usb, plugged it into her computer, and had the password in less than 30 seconds. The funny/annoying thing is...Her password was 5 digits.

[ajwakeboarder]

Lots and lots of creative criminals on the internet.

Yep; and we didn't mention another local-computer favorite: Trojan key-loggers.

I had to answer a call... busy morning.
Thanks for the added info... Great reminder on WiFi encryption. I had to double check that "Low" risk uses WPA2 on my router.

me to and we did just did the change password drill. my government accounts are sticklers for length and odd characters.
but my wifi is blocked by all the metal in the house form getting past the door

My government passwords are annoying as all get out. I have to change it every other month and can't use the same password twice. I make really strong passwords (alphanumeric and special character at least 20 characters long) and it gets really difficult to make up and remember new ones in the frequency they want me to. Most of my coworkers either write theirs down, or save it to their phones. These choices are a bigger security vulnerability than keeping the same password for a longer length of time.

[BigGuy]

Lots and lots of creative criminals on the internet.

Yep; and we didn't mention another local-computer favorite: Trojan key-loggers.

I had to answer a call... busy morning.
Thanks for the added info... Great reminder on WiFi encryption. I had to double check that "Low" risk uses WPA2 on my router.

me to and we did just did the change password drill. my government accounts are sticklers for length and odd characters.
but my wifi is blocked by all the metal in the house form getting past the door

My government passwords are annoying as all get out. I have to change it every other month and can't use the same password twice. I make really strong passwords (alphanumeric and special character at least 20 characters long) and it gets really difficult to make up and remember new ones in the frequency they want me to. Most of my coworkers either write theirs down, or save it to their phones. These choices are a bigger security vulnerability than keeping the same password for a longer length of time.

Just love the companies with draconian password procedures where employees have their 20 character passwords, including at least one upper and one lower case character, one number, and one special character, written on a sticky note pasted on their monitor or keyboard. And I don't blame the employees. I know I can't remember such nonsense for 20 accounts that changes every 6 months. I don't use sticky notes, but I do have a text file. And I ran the IT dept. for a newspaper for 15 years.

[powerboatr]

Lots and lots of creative criminals on the internet.

Yep; and we didn't mention another local-computer favorite: Trojan key-loggers.

I had to answer a call... busy morning.
Thanks for the added info... Great reminder on WiFi encryption. I had to double check that "Low" risk uses WPA2 on my router.

me to and we did just did the change password drill. my government accounts are sticklers for length and odd characters.
but my wifi is blocked by all the metal in the house form getting past the door

My government passwords are annoying as all get out. I have to change it every other month and can't use the same password twice. I make really strong passwords (alphanumeric and special character at least 20 characters long) and it gets really difficult to make up and remember new ones in the frequency they want me to. Most of my coworkers either write theirs down, or save it to their phones. These choices are a bigger security vulnerability than keeping the same password for a longer length of time.

Just love the companies with draconian password procedures where employees have their 20 character passwords, including at least one upper and one lower case character, one number, and one special character, written on a sticky note pasted on their monitor or keyboard. And I don't blame the employees. I know I can't remember such nonsense for 20 accounts that changes every 6 months. I don't use sticky notes, but I do have a text file. And I ran the IT dept. for a newspaper for 15 years.

my last gov contractor gave us little usb drive things, they had encrypted passwords on it and randomly chose one when you inserted it in the computer keyboard, then you had to remember your password and it verified the passwords on the usb to be subscribed to you.
royal PAIN in the rear. when we traveled overseas it would fail every time so we had to call the boss and have him log us in .... and use his vpn to do our daily times sheet ...because the government just cant thane contractors abroad and not do a freaking daily timesheet to bill a contract

[K.Mooneyham]

The guy that does the XKCD comic is a physicist and worked in robotics at NASA's Langley Research Center in Virginia. Knows his math.



IT for over three decades and the most violated rule was "don't write it down" because of the complexities. Best thing DoD did was move away from passwords.

The problem is that many of us are forced to create passwords using the former method (must have upper, lower, number, symbol, etc.).

[jmorris]

Oh, I know. I have to do the same. It's just that one guy came up with the scheme, the idea grew, and now TPTB refuse to back down from the myth.

That guy regrets it.

And it's why I use a password manager I can share amongst my devices.

[The Annoyed Man]

Mine is so secure, I don’t mind sharing it publicly. It is: ************

[Rafe]

Mine is so secure, I don’t mind sharing it publicly. It is: ************

Hey! Wait a minute! That... That looks just like mine!!

Whenever feasible, for sensitive accounts I always opt to use two-factor authentication. Bit of a pain, but worth it. We even used it as a product from RSA over 15 years ago at a company I worked for. That particular method never caught-on widely, though. We were issued a little key fob manufactured by RSA (in case Andy is reading, not that RSA; RSA Security LLC, now owned by Dell). Each key fob was unique, and every three minutes (I think that was the duration) the fob would display a new numeric code. The code was synched with the RSA servers, so we had to enter our password plus the code to log in; impossible to log in without the key fob.

Today the most common two-factor auth method is to to send you a numeric code via an SMS text message to your cell number on file and have that code expire in a few minutes. You're still hosed if you need to log-on but have lost your phone...or dropped it in the bay that time you lost all your firearms while boating off Galveston.

I had one two-factor account that drove me crazy because they used email to send you the code. And the code expired similarly in just a couple of minutes. But my email of record was a Gmail account that I had set to forward to an email server that I managed, and then I handled the emails from that account in Outlook. So the email had to chain through a series of forwarders. By the time I got the code in Outlook, most of the time it was already expired. They eventually enabled SMS messaging for the code, finally.

[RoyGBiv]

Whenever feasible, for sensitive accounts I always opt to use two-factor authentication. Bit of a pain, but worth it. We even used it as a product from RSA over 15 years ago at a company I worked for. That particular method never caught-on widely, though. We were issued a little key fob manufactured by RSA (in case Andy is reading, not that RSA; RSA Security LLC, now owned by Dell). Each key fob was unique, and every three minutes (I think that was the duration) the fob would display a new numeric code. The code was synched with the RSA servers, so we had to enter our password plus the code to log in; impossible to log in without the key fob.

Today the most common two-factor auth method is to to send you a numeric code via an SMS text message to your cell number on file and have that code expire in a few minutes. You're still hosed if you need to log-on but have lost your phone...or dropped it in the bay that time you lost all your firearms while boating off Galveston.

I used that RSA fob back in the day. Worked just fine, I thought.

Currently use Google Authenticator frequently for 2FA.... Works reliably and has a growing base of websites that can use it. One application for 2FA makes things simpler. I prefer not to use SMS, since that requires me to give up my mobile number, when it's appropriate not to.