How to Create a Strong, Secure Password
What Next?
When it comes to online security, multiple layers are required. One of the most important layers is two-factor authentication. It is a bit more complex, but, as always, we have step-by-step guides to walk you through the procedure. Do you know someone who uses really bad passwords online? Do them a favor and share these tips with them today!

Thanks for the tip. I’d never thought about a phrase before. Very groovy.

Glad to hear you liked the Pass Phrase Tip. I’ve been using that trick for years, starting about 8-10 years ago when I first discovered spaces are allowed for Windows Active Directory accounts. Our corporate IT guys made us change our password every 45 days and we couldn’t re-use old passwords. The Pass Phrase worked like a charm, and several times they made me smile being… no, I won’t tell you what they were, but I’ll bet you can figure it out.

Neither your system nor the one I mentioned above works in many cases where numerals are also required. Here are some tips I would recommend in addition to the ideas Steve offered.

1) Exchange strategic numbers for specific letters within your phrase, i.e. O=0, l or i = 1, E = 3, etc. So “the tall wall” could become “th3 ta11 wa11” – that gets around the required-numbers problem and, if you are consistent, is just as easy to remember.
2) Exchange a punctuation mark like _ or , or . for all spaces – “th3,ta11,wa11”
3) I’m new here so I don’t want to look like I’m a plant for a password storage app, but these can be really helpful. I love the one that positions itself as “the last password you will ever need”.
4) If you don’t use a password manager, then Steve’s rule 1 (about each one being unique) should be tempered (IMHO) a little bit for sanity. For non-financial passwords, I would group them into categories. So, if you have two or three email accounts, you might be able to get away with using the same password for each. But here you have to evaluate risk vs. convenience.
BTW, the lookalike number/letter substitution is obvious and always explored as part of dictionary-word password breaking.

So worst case, I restore a previous version of my PW database w/ Crashplan. The same goes for Ransomware… If my box is ever owned from a Ransomware standpoint, oh well. Wipe the box and restore from Crashplan. It’s not free, but it’s cheap insurance at $60 a year. It’s the one product I tell ALL my readers to buy no matter the platform (Windows/Mac).

So if I was to use this website my password would be GroovyPost!!99, Facebook would be FaceBook!!99, and unless you know my login name too you won’t guess it or get in. That fixes the problem of the maximum 8-character password. What do you think?

Nice system.

You said NOT to use dictionary words, but “my laptop is black and ugly” is 6 words, all of which are found in the dictionary. I don’t get it.

Still, to be safe, phrases should contain at least 4 words unless you choose to slightly mangle the words in a personally memorable way (as was suggested above), i.e. “th3,ta11,wa11”.

The main reason for this is because websites get broken into all the time at no fault of you, the end user. Perhaps it’s an inside job where a system admin goes rogue, or perhaps the website has a bug in it and the attacker can break in. Either way, if they get into the website, your password is normally stored in a database. So if the attacker gets into that database, they now have your password. Not good… however, this could be REALLY bad if that same password is used on all your accounts over the internet. And REALLY REALLY bad if they now have your email or PayPal account…

I perhaps should have elaborated a bit about how hackers go about cracking passwords. Here’s how it works: one method hackers use for breaking into accounts is to take an application made for testing passwords and point it at a list of dictionary words in several languages.
The application then crawls applications and websites trying common usernames in combination with that list of dictionary words. Now, the way it works is it tries individual dictionary words, not combinations of them, i.e. phrases. The reason they don’t go after pass phrases is because there are just way, way too many combinations of words to put together. I would say impossible, and to try them all would take way, way too long. So that’s why if you use a Pass Phrase, you will be 99.999% safer than a person who uses a single word like laptop or december or becky or any other name which you can find in a common dictionary. Make sense?

Sure, it’s made up of dictionary words; however, together they are not a dictionary word, and neither a hacker nor an automated brute-force password application would be able to break it. Why? Because the number of possibilities is endless when you stack dictionary words together into a phrase. Now, there are exceptions to every rule. In other words, I would not use a passphrase like “I love my kids” or “I love my dog”. That’s not random enough, and there is a possibility… it could be guessed by a human or application given enough attempts. Use a passphrase that you can tack the specific service onto. The passwords:

“this is my gmail account password”
“this is my yahoo account password”
“this is my bing account password”
“this is my password i use for crap i dont care about”

are all very secure, and nobody would be able to guess them unless you use the same username on every site (or somebody very close to you figures them out). You could also change up the order though:

“this is my password for gmail austin”
“this is my password for bingo smingo”
“this is my password for wahoo yahoo”
“this is my password i use for crap i dont care about”

Just keep it simple, LONG, and easy to remember, then you should be good.
For example, if a hacker (or rogue admin) finds out that your passphrase at, say, Bing is “this is my Bing password”, they could then try that same passphrase at other sites, replacing “Bing” with the name of each site.

Put the block in after the x’th character. Now – without knowing the phrase it will be very, very difficult to work out the password from the 4 numbers. So – you can (reasonably safely) write down the 4 numbers s n m x, as the password generated is based on 2 strings of characters you will have a great deal of certainty remembering; you should never need to write them down.

You can take that concept and modify it for your use – maybe:
– Use one of the numbers to indicate which in the generated string should be a capital.
– Use one of the numbers to indicate which in the generated string should be a number – count through the alphabet, move up the keyboard, whatever.
– Position your block as a single set – or merge it in, or use it as part of the string from which you select characters.

Once you have the basic process – then modifying it by applying whatever process you can remember to always use will make things easy. And – making it easy to remember, and enter, but not easily guessed or worked out is the major consideration.

The frequent recommendation from ‘consultants’ that passwords should be random strings should (in my opinion) get that consultant, and those employing them, blacklisted. Add to that the frequent requirement that passwords be changed every month, which is one of the surest ways to get passwords written down with a clear indication as to what they give access to.

Imagine having, say, 20 facilities that need passwords, 12-character-long pass codes for each – changed monthly. That’s 2880 characters to remember throughout the year, and having to log into each facility each month – even if there is no need to. A hacker’s dream – every month a system will be accessing 20 secure sites – so just lay in wait with a store-and-forward facility. Store and forward – what you type or select gets passed on to the site and then their response gets displayed on the screen for you to see and respond to. So – your transaction with the bank happens OK, but was monitored, and how many sessions need monitoring until enough of the access key is known for a try at accessing the facility is likely to succeed?

The more security ppl out there the better we all are!

Sbb_2716 I think with a cap, an underscore and a number or four it’s nearly impossible to crack (well, maybe you can crack it — with something on the order of a liquid-cooled supercomputer running for 96 hours straight!)

In most cases, applications and websites have an “I forgot my password” feature. The way it works is a reset password will be emailed to you. You click that link and the app will walk you through resetting your password. Now, if you forget your password to your email account, most services like Gmail and Outlook.com will ask you additional questions to confirm your identity.

Like you, I have about a hundred or more accounts online. It’s such an important piece of my life that I’ve invested in an application to help me both create and store my passwords. I highly recommend 1Password for all my groovyPost readers. Buy it for your iPhone, Mac or Windows and you can use the software on all devices.

PPL think it’s creative and secure. It’s not secure. :)

Pasted below is section A3 from https://pages.nist.gov/800-63-3/sp800-63b.html#appA

“A.3 Complexity

As noted above, composition rules are commonly used in an attempt to decrease the guessability of user-chosen passwords.
Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.

Users also express frustration when attempts to create complex passwords are rejected by online services. Many services reject passwords with spaces and various special characters. In some cases the special characters that are not accepted might be an effort to avoid attacks like SQL Injection that depend on those characters. But a properly hashed password would not be sent intact to a database in any case, so such precautions are unnecessary.

Users should also be able to include space characters to allow the use of phrases. Spaces themselves, however, add little to the complexity of passwords and may introduce usability issues (e.g., the undetected use of two spaces rather than one), so it may be beneficial to remove spaces in typed passwords prior to verification.

Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.”

You should take a look at Two Factor Auth (2FA) – https://www.groovypost.com/unplugged/two-factor-authentication-guide-secure-online-accounts/. In 2017, if you don’t have 2FA set up on all your accounts… it’s only a matter of time before your accounts will get hacked again. Granted, 2FA is not perfect, but it does add a VERY strong layer of security between your data and the internet.
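As an added example (not from the article or any of the commenters), here is a password-acceptance check in the spirit of the NIST A.3 text quoted above: whitespace is collapsed before verification, the candidate is compared against a blocklist after undoing the lookalike substitutions (O=0, l=1, E=3) discussed earlier in the thread, and a password containing the service's own name is rejected. The BLOCKLIST entries, the service names and MIN_LENGTH are constructed assumptions standing in for a real breach corpus and policy.

```python
import re

# Constructed blocklist: stands in for breach-corpus entries, dictionary words
# and other strings NIST A.3 says users are likely to choose.
BLOCKLIST = {"password", "password1", "password1!", "qwerty", "letmein",
             "laptop", "december", "becky", "the tall wall", "i love my kids"}
MIN_LENGTH = 8  # assumed policy minimum

# Lookalike substitutions mentioned in the thread (O=0, l/i=1, E=3, ...).
# Cracking tools try these as a matter of course, so undo them before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Collapse whitespace runs and trim, so two accidental spaces verify as one."""
    return re.sub(r"\s+", " ", password).strip()


def canonical(password: str) -> str:
    """Lower-case, undo lookalikes, and drop remaining digits/punctuation."""
    letters = re.sub(r"[^a-z ]", " ", password.lower().translate(LEET))
    return re.sub(r"\s+", " ", letters).strip()


def _squash(s: str) -> str:
    return s.replace(" ", "")


def check_password(password: str, service: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password on the named service."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    blocked = {_squash(entry.lower()) for entry in BLOCKLIST}
    # Compare both the literal password and its de-leeted form against the list.
    forms = {_squash(pw.lower()), _squash(canonical(pw))}
    if forms & blocked:
        return False, "matches blocklist (lookalike substitutions undone)"
    if any(_squash(service.lower()) in form for form in forms):
        return False, "contains the service name"
    return True, "ok"


if __name__ == "__main__":
    for candidate, site in [("Password1!", "example"), ("th3,ta11,wa11", "example"),
                            ("GroovyPost!!99", "groovypost"),
                            ("my laptop is black and ugly", "example")]:
        print(f"{candidate!r:32} -> {check_password(candidate, site)}")
```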