Passwords

Yahoo’s telling me I had logins from America and Poland in the last week, and being as was in Ireland without internet, it looks like my password been hacked again.
It was 10 characters and a mix of charater and numbers, so gawd knows why they took the time to brute force it. I haven’t used anyone computer except my own in ages and do run regular upto date virus/security/malware scans.

I’ve never been good at password and <ahem> maybe re-use the same one quite a lot.
Seen lots of site that will produce them for you, but if you have to remember 20 meaningless random character passwords, your going to get into trouble. Saw a suggestion to use a line from a book, which I like the idea of (with number/cap thrown in for good measure).
What do you do? Especially to remember them?
(outlines are fine, I’m not looking to compromise your security)

I work out what yours are, then use them. Sometimes with my login, sometimes with yours.

Yahoo’s telling me I had log indeom America and Poland….

Whut?

Anyway, maybe try using something like 1Password. That way you have one master password which is local to your machine, and everything else can be as complex as you like.

Do what one of my colleagues did for ages – treat it as a double bluff – use the simplest, most uncomplex and memorable word, without capitals or digits, you can think of….. those cheeky hackers with their la-de-da bits of code will never think of that, no-sir-eee….

….yes, his password for everything was ‘password’…..

Line from a song is good too: oldmacdonaldhadafarmE1E10

If you find yourself using the same password all over the shop then you can always try adding part of the website into the password.

e.g. you might have a base password of "swordf1sh" then add the first and last letter of the website to it, so on wiggle it is "wswordf1she" and on chain reaction it is "cswordf1shn"

Or just use KeePass: http://en.wikipedia.org/wiki/KeePass

I use Keepass [/url], similar to 1Password I guess.

It works on android, iphone, windows & ubuntu,
& is good for storing all those other gibberish words you need.

Jamie, I saw that and wondered myself & edited it out… sometimes most of the time my typing doesn’t match what’s going on in my head.

If you’re genuinely using a difficult to crack password and you are not a spy with really valuable government secrets I’ll be willing to venture you have a key logger installed on one or more of your machines.

I like the idea of that Gee2DaEss.

Immagonna head off and change my Adult Friend Finder password now.

Immagonna head off and change my Adult Friend Finder password now.

Too late, I already did, 36DoubleD. 😉

Do what one of my colleagues did for ages – treat it as a double bluff – use the simplest, most uncomplex and memorable word, without capitals or digits, you can think of….. those cheeky hackers with their la-de-da bits of code will never think of that, no-sir-eee….

….yes, his password for everything was ‘password’…..

Don’t think that really works, something stupid like 30% of the worlds passwords are password, it’s the first to get hit on a brute force attack by anyone with a brain. But not sure if joking…

No password will help you, even pass sentences, if you have a keylogger on your machine. You could translate your favourite cats name into spanish, invert it, re-code it and use that but they’d still pick it up the next day and leave you confused.

Oh Gee, I’ve just seen your profile on there…nice pics! 😀

nice pics

* not models own.

I’ve never been good at password and <ahem> maybe re-use the same one quite a lot.

I suspect that this is your problem, rather than having inherently weak passwords.

Couple of starter ideas:

As XKCD suggests, base phrases are better than base words. Rather than trying to obfuscate “wednesday,” try starting with initials from lines of a song. “gsogqllonqgsoq” is as memorable as “wednesday” so long as you don’t forget the National Anthem. (Though, a more uncommon song is less likely to crop up in a dictionary attack).

If you must reuse passwords, try adding something to it that’s memorable but unique to the system you’re using it on. That might give us “gsogqllonSTWgsoq.” That’s a bit obvious, so run some or all of it through a Ceaser cypher (so that STW becomes RSV, say).

Alternatively, there’s many ‘password keeper’ type applications out there which can track hundreds of unique passwords so you can have really obscure, unique, secure passwords for everything. If you take this route, just make sure you have your database backed up somewhere…!

EDIT: sorry for retreading some ground there, other posts appeared whilst I was writing.

I’ve never been good at password and <ahem> maybe re-use the same one quite a lot.

So what you are saying is if I set up a website and asked you for your email address and to nominate a password you have just told me your login credentials for every other site you are registered on? Even if I am an upstanding member of the community if my password database is hacked (if it can happen to LinkedIn you can assume then most sites have some vulnerability) then the hacker now has your yahoo etc details…

not every password I use is exactly the same, more a variation of on a theme.. and I am wary of what website I sign up to, for exactly this reason.

I just wrote a long post about how the XKCD cartoon was completely wrong, then did the maths to back up my argument. Turns out the XKCD cartoon is actually spot on and fairly conservative (they assume you’re picking randomly from 2000 words).

I always reccommend phrases or abbreviations. Songs and quotations always work well.

wadadm24lhLA – what a difference a day makes 24 little hours – Loius Armstrong.

As with sex, boats and swimming, length is the most important thing with passwords.

Using the same password all over the place is very poor form, once one weak site has been compromised, you can bet other common sites will be targetted very quickly.

TBH I was surprised when my yahoo was hacked the first time (original password created 5 years previous…), that they didn’t go off and try some of the other obvious site with that email addy and password… not that it would have worked or anything… 😳

depends how sophisticated they are. Those using some very cleverly built autoamtic systems will make the attempt almost simultaneously with them recovering the password.

When my Adult Friend Finder account was hacked, they were quite successful – got loads of shags out of it from what I could gather.

Turns out the XKCD cartoon is actually spot on

It usually is.

Re: “amnesia”, I have a policy of setting that as a password for anyone who forgets their password twice in a row. Funny how no-one ever forgets it.

obviously this whole post was ole smelly feet hacking my account again… <scampers off to change STW password>

LastPass. That way I have one uber password that I sign in with once a day and it remembers all my passwords for me. Any new sites I sign up to it generates a random password and you can define how strong that password is.

If you’re worried about people guessing your uber password it also supports two factor authentication using either a specific dongle or using Google Authenticate on your phone.

http://lastpass.com/

Brute force attacks are uneconomical and don’t work against popular services like gmail, yahoo, paypal etc.

Most passwords are “hacked” by dumping databases and extrapolating (you don’t use the same login credentials for your paypal account as you do for your obscure bike forum account do you now? 🙂 ) or keyloggers.

…but the password “correcthorsebatterystaple” is not a secure password.

Dammit!

*changes stw password*

I use variants of either postcodes or vehicle registrations (not my own) which are semi-random and not too long. So far I’ve not knowingly been hacked.

don’t use the same login credentials for your paypal account

Use two factor authentication on PayPal and Gmail.
Basically when you log in they text you a code which you need to enter.
That way no one can get access to your account without your phone, even if they do know your password.

http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html

Unless they’ve nicked your phone.

Which probably has your passwords saved for your email accounts. 😉

Here’s a system I use, take a number/ number letter combo you know off by heart and hold down the shift key and type out the number on a keyboard. You get a password made entirely of symbols or symbols and caps and in an easily memorable format.

Unless they’ve nicked your phone.

Which probably has your passwords saved for your email accounts.

True – but it also requires a 4-digit code to unlock it and it erases the phone after 10 failed attempts.
Or I can just erase it remotely instead.

So it is relatively safe.

Here’s a system I use, take a number/ number letter combo you know off by heart and hold down the shift key and type out the number on a keyboard. You get a password made entirely of symbols or symbols and caps and in an easily memorable format.

Good luck typing that out on a phone or tablet!

True – but it also requires a 4-digit code to unlock it and it erases the phone after 10 failed attempts.
Or I can just erase it remotely instead.

So it is relatively safe.

It’s ok I guess. Choose a proper password for your phone and you should be ok.

Choose a proper password for your phone and you should be ok.

Yeah – I should probably switch off the “simple” 4-digit one and use a longer one – but it’s hard enough trying to type in the four digits while driving 😉

If the 4 digits pins for your phone are actually random and not something guessable like your DOB then the chance of guessing them in 10 goes is small enough not to be worried.

The chances are even better when you factor in the chance that the guesser will try non-random combinations first, reducing the number of guesses they have.

4 digits pins are good enough for banking, they should be good enough for your phone.

It was 10 characters and a mix of charater and numbers

afaik, there are reverse lookup tables for most major combinations up to 12 characters now so your problem may be the 10. If they got into one place where you had used that password (and email address) and then used a lookup table they can then automate trying that combination everywhere else.

Either crank it up to several words to get to 14 or use some of the other suggestions.

I believe that common phrases are now also being used so I wouldn’t do that any more – the suggestion of first letters of words of a song may be better