
Looking for password "scheme" suggestions


40hz:

Like I've said before, a password is only as secure as the server it's stored on.
If somebody gets in, it doesn't matter if your password is d1O@n3A$t or mickey mouse.
$0.02

-Edvard (January 26, 2012, 06:47 AM)
--- End quote ---

Excellent point, and very true.

Also don't leave out "as secure as the device it's entered on" (and the network it's connected to) since keyloggers and network sniffers also have their place in a blackhat's toolkit.

Not so much an issue for home users. But it's definitely a very real concern in business IT environments.
 :)


tranglos:
Like I've said before, a password is only as secure as the server it's stored on.
If somebody gets in, it doesn't matter if your password is d1O@n3A$t or mickey mouse.
$0.02

-Edvard (January 26, 2012, 06:47 AM)
--- End quote ---

This is rule number one for me. It used to be that we were supposed to make passwords "easy to remember but hard to guess". Yeah, make it so that your family or your boss or your pals won't guess it (if that's who you want privacy from), but beyond that, the complexity, bits of randomness or key length don't matter much anymore. Once a server gets hacked into, there's no telling what happens next.

For the really important stuff (where I could lose money or critical access, like banking or my domain control panel) I use long, complex passwords; other than that I don't even bother any more.

What happens in the end is that someone hacks into your ISP and they can't even tell exactly what was accessed. Or one day you find unauthorized charges to your credit card, because you paid with this card online once and some idiot thought it was a good idea to store your cc number on their badly secured server "for your convenience". (I was lucky and got every penny refunded by VISA within a week; the charges were obviously fraudulent, like $20 every hour from some UK gambling joint until the account was empty.)

But, FWIW, to me the most useful method for generating a fairly secure (in the outdated sense) password is to start with a quote or a line from a book or a song that you know well and take the first (second, third, take your pick) letter of each. Make some of them numbers or add punctuation if you want, but the important thing is to use a fairly long quote, and not something obvious like "to be or not to be".

Another way that I've used a few times: just type nonsense on the keyboard but in such a way as to let your fingers do the work for you. Type keys that feel natural to press one after another, so that the typing itself has a "flow". For example, if you use only the left hand, typing "wjzu" on a QWERTY keyboard is hard and slow, but typing "wdax" is quick and feels natural. Extend this to 10 or 12 characters and learn this flow, then your muscle memory will do the rest. I sometimes forget my PIN, but I remember the pattern of buttons to push, that's just as good.
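The "Nth letter of each word" scheme described in the post above, written out as a small Python helper (an added example, not code from the thread). It assumes words shorter than the chosen position are simply skipped and that trailing punctuation on a word can optionally be carried over; the quotes used below are constructed sample input.

```python
import re


def passphrase_acronym(quote, position=1, substitutions=None, keep_punctuation=True):
    """Derive a password from a memorable quote by taking one letter per word.

    position:         1-based index of the letter to take from each word
                      (1 = first letter, 2 = second, ...).
    substitutions:    optional dict of lowercase letter -> replacement,
                      e.g. {"o": "0", "a": "@"}, applied after extraction
                      (the post's "make some of them numbers").
    keep_punctuation: if True, a non-alphanumeric character ending a word
                      (comma, period, question mark) is appended as well,
                      so the result is not letters only.

    Assumption (not stated in the post): words with fewer letters than
    `position` are skipped rather than wrapped or padded.
    """
    if substitutions is None:
        substitutions = {}
    out = []
    for token in quote.split():
        letters = re.sub(r"[^A-Za-z]", "", token)  # strip digits/punctuation inside the word
        if len(letters) < position:
            continue  # word too short for the requested position
        ch = letters[position - 1]
        out.append(substitutions.get(ch.lower(), ch))
        if keep_punctuation and not token[-1].isalnum():
            out.append(token[-1])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample quote; a real one should be long and personal.
    sample = "The quick brown fox jumps over the lazy dog."
    print(passphrase_acronym(sample))                              # Tqbfjotld.
    print(passphrase_acronym(sample, position=2, substitutions={"o": "0"}))  # hur0uvha0.
```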

tranglos:
...and just for your amusement, I should add that here in Poland the Anonymous and other hacking "collectives" have been ddos-ing and hacking into various government sites in response to the government's signing of ACTA. Apparently the prime minister's computer was secured with username 'admin' and password 'admin1'. Our PM has a new nickname now :-)

Stoic Joker:
I was just at a new client this morning that was using password as the password for the administrator account. They thought it was just fine because they'd renamed the Administrator account to something "clever"... *Sigh* ...Apparently they've also never heard of (the built-in account) GUIDs.

40hz:
Seen similar stupidity here. I had a client's server compromised because the owner of the company insisted on using Administrator as his login name coupled with a password so obvious it was laughable.

When I asked the local admin why she didn't follow the recommended practice of disabling or renaming that account, she said she did. But the owner insisted she put it back - and give it to him.

He seemed to think having Administrator (as an ID) conferred some über-Ninja powers not held by any other domain admin account. He figured if he had that, he could never get locked out of HIS server by someone else.

He had done some "reading up" on Windows 2003 Server, don't you know?

Amazing! In this day and age...a guy running a successful multimillion dollar marketing operation, who's that technically clueless.

And he's younger than me!

I didn't think there were any of those left. ;D
