Password Length And Complexity


How Long And Complex Is Your Password?

1 member has voted

    • 5 Characters or less: 0
    • 8 Text characters or less: 1
    • 8 Alpha-numeric characters including symbols or less: 2
    • 12 Text characters or less, but more than 8: 1
    • 12 Alpha-numeric characters including symbols or less, but more than 8: 4
    • More than 12 text characters: 0
    • More than 12 alpha-numeric characters including special symbols: 1


Actually noticed that Paypal is not allowing passwords longer than 20 characters... that was a bummer ;) had to make yet another level of a password, now I have a 14, an 18 and a 28, all alpha-numeric lower case and upper case and special symbols, and a special 40+ character key (complexity of which I will not disclose, as well as true length) for my military-grade encryption USB flash-drive.

For those who are wondering about changing their passwords, here are security guidelines to think about:

- All passwords should be 8 characters or longer; it is highly preferable to be above 12

- It's better to use a number in the middle of the password rather than at the beginning or the end of one, it makes it a lot harder to guess/crack

- Avoid using passwords that people can guess by looking at your persona, passwords such as sport team names, names of pets, names of spouses, kids, etc.

- Avoid using dictionary words or popular culture words

- Use passwords that are typed with both hands (using both sides of the keyboard)

- Use both upper and lower case syllables, as well as numbers and special characters

- For best password strength, use a space or a character that can only be typed using ALT+ method (extended ascii characters like alt+14 or ♫)
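
The guidelines listed above, turned into a checker as an added example (not part of the original post). The word list, the leet mapping and the left/right keyboard split are constructed assumptions, and the bit figure is an upper bound that only holds for randomly chosen characters.

```python
import math
import string

# Constructed sample word list; a real check would load a large dictionary.
WORDLIST = {"password", "dragon", "yankees", "letmein", "george", "hotel"}
# Assumed leet substitutions, mapped back to the letters they stand for.
UNLEET = str.maketrans("013457@$!", "oleastasi")
LEFT_HAND = set("qwertasdfgzxcvb12345`~!@#$%")
RIGHT_HAND = set("yuiophjklnm67890-=^&*()_+[]{};:'\",.<>/?\\|")
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "special": (string.punctuation + " ", 33),
}


def check(pw):
    """Return (findings, bits) for one password against the guidelines."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    elif len(pw) <= 12:
        findings.append("12 characters or fewer")
    # Digits used only as a prefix or suffix are the easy case to guess.
    core = pw.strip(string.digits)
    if core != pw and not any(c in string.digits for c in core):
        findings.append("digits only at the beginning or end")
    # Undo leet substitutions so "p4ssw0rd" is still matched as a word.
    plain = pw.lower().translate(UNLEET)
    if any(word in plain for word in WORDLIST):
        findings.append("contains a dictionary word")
    typed = set(pw.lower())
    if not (typed & LEFT_HAND and typed & RIGHT_HAND):
        findings.append("typed with one hand")
    missing = [n for n, (chars, _) in CLASSES.items() if not set(pw) & set(chars)]
    if missing:
        findings.append("missing: " + ", ".join(missing))
    # Upper bound on search space: assumes every character was chosen at random.
    pool = sum(size for chars, size in CLASSES.values() if set(pw) & set(chars))
    pool += 128 if any(ord(c) > 126 for c in pw) else 0  # extended characters
    bits = round(len(pw) * math.log2(pool), 1) if pool else 0.0
    return findings, bits


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for sample in ("password0000", "p4ssw0rd", "qwe123asd", "vK8#tq Lz!0mW@rY"):
        print(sample, *check(sample))
```

A password can score a high bit count and still be flagged: the count measures the alphabet and length, while the findings show where the choice was not random.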

You didn't get the gist of this exercise? The passwords you use every day and know by heart.

P.S. password managers are for little girls, real men use.... uuuh... paper.... though some men that use plastic can beat me up.... correction, real men use whatever they want ;)

jk, how have you been, clay, haven't seen you (in this section at least) in quite a bit, que pasa?

I really wouldn't need a password manager if I could just stick to 10 or so passwords but the wide variety of password requirements requires an ever growing list of suitable passwords. I actually use some sites that limit your password to 4 numbers :D Others disallow certain characters or restrict the length to unreasonable sizes, 4, 6, 8 characters. I'm also not much of a one or two password person since using the same password repeatedly is as bad a habit as improperly formed passwords. All my financial logins have unique passwords that I change on a regular basis.

Very true, I knew there was a reason to have a password for my bank accounts be different, then paypal, then email, then a couple of work passwords... :D but I know what you mean, it gets to be a major pain in the butt to remember that one password you haven't used in forever, almost killed my thumb drive like that, I was within 4 tries of burning that chip containing the private key...

I use a password manager called KeePass so I can have long and complex passwords I don't have to remember. But when I do register for something minor like forums, I use a few different 8 character passwords that all sound similar, it's easy to remember them that way. And I don't use anything that could relate to me, the passwords are completely randomish.

For basing your password on something do you use a word/name to start with or do you go with a pattern?

For myself I have both, based on words and patterns.

Also do you use a password to protect your password manager? (I'd imagine that I would want to have both, biometric authentication and a password to protect my keyring :)

;) I got an unbeatable password.

Nobody will EVER guess it in a million years.

It's the word "password". Yuck, yuck, yuck, yuck... :) :) :)

Okay, sometimes I have to pad it with zeros to make it long enough.

But NOBODY would ever guess that in a ZILLION years! :) :) :)

In a former life I learned quite a bit about keyloggers. Anyone who does that gets a hefty dose of paranoia - you visualise a shadowy figure leaning over your shoulder watching your every move... :(

Even after my escape into the real world, some of the paranoia remains.

High-strength passwords - at least a dozen random characters/symbols

Different passwords for every login

A single encrypted file on an encrypted memory stick contains all the passwords

Use password manager wherever possible (thanks for the link, C1ay - it looks interesting)

Where password manager can't be used (new computer for instance), copy/paste from file using the mouse right-click or edit pulldown, not ctrl-C/ctrl-V. Some keyloggers can convert the ctrl-V keypress into the paste string. Back then, mouse clicks weren't readable via keylogger - if they are now, I'm not sure I want to hear about it!

Change passwords frequently - especially if I've used them on a machine I don't entirely trust

My memory isn't what it was. If I have to remember a password (e.g. the encrypted password file) I think of a few words connected to what I'm doing at the time (say, George Hotel, desk), change them around using my own leet-similar code (G30rg3 H0t37 d35k) and connect with an odd character (G30rg3!H0t37!d35k).

And a few other things I'm too paranoid to talk about! :)

Space is actually a better random character than an exclamation mark...

Donk, in my current life I deal with key loggers, both software and hardware. Thing is, if someone installed a key logger on your computer to "get your passwords" you are already screwed... they both got in and installed it, so your security was compromised already. At that point you don't even have to run a key logger to get your passwords, because there are many ways to get the data, regardless of whether you typed it or pasted it (it's as easy to log the copy actions as it is to log key presses).

Now hardware loggers are a little different, in that if you copy and paste your passwords they will not catch those passwords, but you can't copy and paste your login password, thus you are still (as they say in leet speak) pwned, as software loggers can be installed afterwards with your login password.

Biometric authentication is still bad, as it's easy to lift a finger print, and use it to get in (most of those devices are easy to fool).

Centrally managed changing keys are probably one of the only, still not fool proof, ways to manage security. But honestly you can be as paranoid as you can be with password security in your organization, bottom line is that there is still a "Human Factor" in the equation, which means that exploiting that factor is, most of the time, the easiest route to take to gain access. I've talked to many guys who do penetration testing, and I just have to say, you'd be surprised how far a fake badge and a printed design on a shirt, or a cell phone that rings at just the right time, or a telephone butt set, or a dozen cheap flash drives, or carefully labeled CDs can take you... and of course nothing beats the phone call from your new IT guy :)
