Comments
7 Tips To Toughen Passwords
MikeT951
User Rank: Apprentice
10/17/2016 | 3:36:20 AM
Re: Best advice I've ever heard on passwords....
You also might want to use a random password generator such as this one: bestpasswordgenerator. That's the best way to create a secure and strong password.
Anne-MarieL355
User Rank: Apprentice
12/7/2013 | 3:48:20 PM
Best advice I've ever heard on passwords....
Found very simple advice here.  This article says length beats complexity every time and is easier for you to remember: http://devnull1.blogspot.ca/2013/12/your-password-is-no-good.html 
jleon570
User Rank: Apprentice
6/18/2012 | 10:01:50 PM
re: 7 Tips To Toughen Passwords
It seems to me that the biggest problem is the lack of security at the account host (aka LinkedIn, Google, eHarmony, Wells Fargo, Amex, etc). Yes, it is a bad thing if stupid ol' me uses the same "12345" for all my accounts from my eTrade account to my luggage. BUT, when the hacker community gets MY password, they have only MY password. As much as any technophobe would poke fun at me for my individual lack of security, the top 5 executives at LinkedIn, eHarmony, Last.fm, et al, need to be a proportionally larger laughing stock (because they're proportionally more stupid). In the web code I've been writing for at least the last 10 years, salting passwords has been universal, and (sadly) none of my sites hold a candle to LinkedIn in terms of subscribers or tech resources.

The entire internet development community needs to create and be generally aware of password protection standards, and web sites need a way to show the users that the site operators know those standards and to which level of protection they aspire. That way, I could tell my readers to stay away from banking sites that don't comply with say, "at least Password Protection Standards level 4 or higher, and 5 or higher is even better." I tell my readers that if the web site can send your actual password by e-mail if you forgot it, then every employee and business partner of that company already has your password. That would be "Password Protection Standards Level 0". So that morons like those at LinkedIn might be better aware, Level 1 would be an unsalted one-way hash or use of a weak hashing function (like MD5). Level 2 requires salted hashes using an unbroken and at least 160-bit one-way hash function. Level 3 requires salted hashes with a minimum of 48-bit salt using an unbroken and at least 224-bit one-way hash. Level 4, 5, 6, who knows. Maybe there should be other hash function requirements like resistance to collision attacks or preimage attacks, etc. But this protection would define only how well the passwords are stored and is meaningful only in the event that the password list is stolen.

There should be other descriptions of how the site protects its users, like: password entry is only allowed over a secure connection, password change enforcement, password length and diversity enforcement.

My password in MY possession is MY responsibility. My password in YOUR possession is YOUR responsibility.
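
Added example, not part of any comment on this page: the storage levels jleon570 describes above, sketched in Python to show what a stolen password table reveals at "Level 1" versus "Level 3". The user names, passwords and function names are constructed for illustration, and SHA-256 is this example's choice for "an unbroken and at least 224-bit" hash.

```python
import hashlib
import hmac
import os
from collections import defaultdict

SALT_BYTES = 6  # 48 bits, the minimum salt size the comment gives for "Level 3"

# Constructed sample accounts: two users picked the same weak password.
USERS = {"alice": "12345", "bob": "12345", "carol": "all cows eat grass"}


def store_level1(password):
    """Comment's "Level 1": unsalted hash with a weak function (MD5)."""
    return hashlib.md5(password.encode()).digest()


def store_level3(password, salt=None):
    """Comment's "Level 3": random per-user salt plus a >=224-bit hash.

    SHA-256 is this example's choice. A real deployment would go further and
    use a deliberately slow KDF such as hashlib.scrypt or hashlib.pbkdf2_hmac.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).digest()


def verify_level3(password, salt, digest):
    """Recompute with the stored salt; compare in constant time."""
    return hmac.compare_digest(store_level3(password, salt)[1], digest)


def shared_digests(table):
    """Groups of users whose stored digest is identical (what a thief sees)."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables():
    level1 = {u: store_level1(p) for u, p in USERS.items()}
    level3 = {u: store_level3(p) for u, p in USERS.items()}
    return level1, level3


if __name__ == "__main__":
    level1, level3 = build_tables()
    print("level 1 reuse visible:", shared_digests(level1))
    print("level 3 reuse visible:", shared_digests({u: d for u, (_, d) in level3.items()}))
```
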
Mathew
User Rank: Apprentice
6/13/2012 | 10:00:01 AM
re: 7 Tips To Toughen Passwords
Rock Star, you're entirely correct that websites need to do a better job of protecting their passwords, and two-factor is a great idea. So is using password encryption algorithms, versus cryptographic algorithms such as MD5 that are now widely used. Unfortunately, there's no magic wand ... with luck, the LinkedIn (et al) breaches will lead more companies to proactively invest, to help avoid any damage to their reputation when/if their password database gets knocked over. But from a consumer/user standpoint, using stronger passwords will at least slow attackers down, and making sure they're unique will prevent hopscotch-style password cracking attempts.
Mathew
User Rank: Apprentice
6/13/2012 | 9:45:46 AM
re: 7 Tips To Toughen Passwords
Hi Osmore, thanks for your comment. If there could be any single piece of advice that this author would propose, it would be: Use a password manager. No, it won't protect you if a site gets its password database stolen and cracked. But it does give you a practical, affordable way to generate and manage unique, strong passwords for the over 100 websites you use. That way, if your LinkedIn password does get published, it's a one-off. Inconvenient, but no one will be able to use it to access your Gmail account.
moarsauce123
User Rank: Ninja
6/11/2012 | 11:22:58 PM
re: 7 Tips To Toughen Passwords
Should do away with passwords altogether and use biometric access instead.
ANON1237925156805
User Rank: Apprentice
6/11/2012 | 9:02:57 PM
re: 7 Tips To Toughen Passwords
That's interesting because I was thinking of posting this very thing. It doesn't much matter how convoluted the algorithm you use to generate passwords: If they are 8 characters or fewer there's enough brute strength to hack them. It may take two days for yours as opposed to 1/2 hr for someone else's but the result is the same.

We need to move to passphrases. Passphrases needn't be unbearably cryptic as long as they are not trivial (e.g. "all cows eat grass" or "the password is swordfish"). One can string together words that are meaningful to them but not obvious to others.

Voila. It's memorized. To personalize for each site that has critical data, embed an abbreviation (not the full name) related to the site. For example, Facebook might have an fb in it or an ook. That's not risky in the context of a longer passphrase.

By all means punctuate your passphrase in an unpredictable way and/or throw in a cap if you like but only if you'll easily remember them.

The math for this is well documented. Longer string, MUCH harder to crack and more opportunity to create something that's easy to remember without being written down. End of story.

Why then do so many sites restrict password size to 8 characters? Why did Amex of all places reduce its max allowable password length from 8 to 6 a few years ago???!!!! Why do so many sites disallow spaces when by lengthening a passphrase they make it harder to crack it?

We need a new paradigm here, not more cryptic short passwords.
Eric_Brown
User Rank: Apprentice
6/11/2012 | 12:55:13 PM
re: 7 Tips To Toughen Passwords
I have to argue with you, the biggest single security problem is articles like this one. I have to laugh by the fact that million articles about password strength and password managers the minute there are reports of passwords being stolen. HELLO... anyone out there, the strength of your password or having it locked-up in Fort Knox does not mean anything when it is stolen from the source! You need to be talking about other steps like the need to implement some form of 2FA (two-factor authentication) where you can telesign into your account to protect you if your password were to be stolen. If they were to try to use the "stolen" password and were not on the computer, smartphone or tablet you have designated trusted, they would still need the one-time PIN code which is delivered to YOUR phone via SMS or Voice.
Bprince
User Rank: Ninja
6/9/2012 | 9:33:40 PM
re: 7 Tips To Toughen Passwords
Personally, I think the best thing to do is prioritize. Like Osmore is saying, there are a lot of sites that require passwords (such as this one). But this account probably isn't as important to you in terms of personal information etc. as your Facebook or email. So maybe come up with complex but memorable passwords for the important stuff and weaker passwords for the sites that are less important.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
thecalitree
User Rank: Apprentice
6/9/2012 | 8:52:22 PM
re: 7 Tips To Toughen Passwords
If you really want to know how to choose a correct password, look at this comic.

http://xkcd.com/936/

I literally just registered to post this.

The author of the comics is a physicist/computer scientist from what I can tell. Seems legit.
