Make Passwords Strong And Long

Venustus

Dec 30, 2012
Hardly a week goes by without news of a data breach that exposes millions or billions of passwords. In most cases, what's actually exposed is a version of the password that's been run through a hashing algorithm, not the password itself. The latest report from Trustwave shows that hashing doesn't help when users create stupid passwords, and that length is more important than complexity in passwords.

Hackers will crack @u8vRj&R3*4h before they crack StatelyPlumpBuckMulligan or ItWasTheBestOfTimes.

Hashing It Out
The idea behind hashing is that the secure website never stores a user's password. Rather, it stores the result of running the password through a hashing algorithm. Hashing is a kind of one-way encryption. The same input always generates the same result, but there's no way to go from the result back to the original password. When you log in, the server-side software hashes what you entered. If it matches the saved hash, you're in.

The problem with this approach is that the bad guys also have access to hashing algorithms. They can run every combination of characters for a given password length through the algorithm and match the results against a list of stolen hashed passwords. For each hash that matches, they've decoded one password.

Over the course of thousands of network penetration tests in 2013 and early 2014, Trustwave researchers collected over 600,000 hashed passwords. Running hash-cracking code on powerful GPUs, they cracked over half of the passwords in minutes. The test continued for a month, at which time they had cracked over 90 percent of the samples.

Passwords—You're Doing It Wrong
Common wisdom holds that a password containing uppercase letters, lowercase letters, digits, and punctuation is hard to crack. It turns out that's not entirely true. Yes, it would be tough for a malefactor to guess a password like N^a&$1nG, but according to Trustwave an attacker could crack that one in less than four days. By contrast, cracking a lengthy password like GoodLuckGuessingThisPassword would require almost 18 years of processing.

Many IT departments require passwords of at least eight characters, containing uppercase letters, lowercase letters, and digits. The report points out that, sadly, "Password1" meets these requirements. Not coincidentally, Password1 was the most common single password in the collection under study.

Trustwave's researchers also found that users will do exactly what they're required to do, no more. Breaking down their password collection by length they found that almost half were exactly eight characters.

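The cracking arithmetic the article describes (an attacker hashes every candidate over the character pool and compares against leaked, unsalted hashes) as an added, runnable example. This is not code from the article, from Trustwave or from any poster in this thread. The character-class pools, the 1e9 guesses/second rate, the Diceware word-list size and the unsalted SHA-1 storage are all assumptions made for illustration, so the absolute times will not match Trustwave's "four days" and "18 years"; what the example shows is the size of the gap between the two styles of password, plus a constructed three-character hash being recovered by exhaustive search.

```python
import hashlib
import itertools
import math
import string

# Character classes used to estimate the attacker's search space.
# Assumption: a password that uses any character from a class is scored as if
# every character could come from that class (the usual worst-case keyspace
# estimate, not a model of how a real cracker orders its guesses).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32 printable ASCII symbols
}


def char_pool(password: str) -> int:
    """Size of the alphabet an exhaustive attacker has to cover for this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over this pool (upper bound on guesses)."""
    return char_pool(password) ** len(password)


def crack_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case exhaustive-search time at a hypothetical guess rate."""
    return keyspace(password) / guesses_per_second


def passphrase_keyspace(n_words: int, dictionary_size: int = 7776) -> int:
    """Search space when the attacker knows the password is n words from a list.

    7776 is the Diceware list size (an assumption for the demo). Scoring a
    word-based password this way, rather than per character, is the honest
    attacker's-eye view of a phrase built from common words.
    """
    return dictionary_size ** n_words


def hash_password(password: str) -> str:
    """Unsalted SHA-1, deliberately weak: it models the legacy storage the
    article describes, where identical passwords produce identical hashes
    and one precomputed table cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def brute_force(target_hex: str, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to `max_len`; return the match or None."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if hash_password(guess) == target_hex:
                return guess
    return None


if __name__ == "__main__":
    for pw in ("Password1", "N^a&$1nG", "GoodLuckGuessingThisPassword"):
        print(f"{pw:32} pool={char_pool(pw):3} "
              f"log2(keyspace)={math.log2(keyspace(pw)):6.1f} "
              f"worst case at 1e9/s: {crack_seconds(pw) / 86400:.3g} days")
    print(f"five Diceware words: log2(keyspace)={math.log2(passphrase_keyspace(5)):.1f}")
    # Constructed demo: recover a 3-character lowercase password from its leaked hash.
    leaked = hash_password("abc")
    print("recovered:", brute_force(leaked, string.ascii_lowercase, 3))
```

Two caveats worth keeping in mind when reading the output. First, keyspace is an upper bound on the attacker's work, not a lower bound: "Password1" scores a larger pool than N^a&$1nG (62^9 versus 94^8) yet falls to the first wordlist rule a cracker tries, which is exactly why it topped Trustwave's list. Second, length wins because the exponent grows with every character: 28 mixed-case letters give roughly 2^160 candidates against roughly 2^52 for the 8-character symbol soup, and no realistic GPU rate closes that gap.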

Cowpipe

Jun 16, 2014
My technique and the one I teach and advocate. Long passwords composed of a mixture of real 'dictionary' words and some modified variants. For example:

DuckSwimLakeyBirdsweetylimhaha

Notice weetylim is not a real word but is memorable because it has a unique sound and look (it's distinct). The other words are all standard, and the trick is simply to remember what order they go in, which comes with practice.

You can learn that password in over half the time it takes to learn Ho:'2p#d;* and it's even more secure than "Peuu907)"9['l@E"L{@O4o"$8YRP@KLR"UO(&"828yuoPU"(*&$(':L:mad:L~{:L"4yIdlnIWOIYOYORY£R" because there is less chance you'll need to write it down (more memorable)...
 

Oxygen

Feb 23, 2014
I just smash my head against a keyboard and then save it with LastPass.

Example :

gtgtyttuyjh7njn77y6uhrt54fuyjh777777776gttyyyyygrfvvvujhnyh

Cats-4_Owners-2

Dec 4, 2013
Thanks for the info and the laughs, my friends!:D
I've been making use of LastPass's secure password generator, and now two of our accounts are up to, respectively, 17 & 18 characters per password. Yet, during the last couple of days, in a parody of how Fantasy made me laugh with his "...smash my head against the keyboard and then save it with lastpass.", when I found myself temporarily unable to log onto LastPass because of a server error, I came to realize how much I've truly come to depend on this marvelous LastPass tool for remembering, and entering, most all of my passwords and log in information for me, including a scant few which :eek:I did not even know. Since it works so darned well, I began to wonder, "What would I ever do if this important tool failed in the long term?o_O". Sure, I trust it, but what would I do??:rolleyes: So, I'd decided to write down four of our extra long, secure, & even two that were previously unknown, passwords together upon a 3 by 5 card kept where I know where to find them in the event I'm ever truly locked out.;)
 
