You’ve Been Misled About What Makes a Good Password

Discussion in 'privacy technology' started by lotuseclat79, Oct 20, 2015.

  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Length Beats Numbers and Uppercase Letters When it Comes to Password Strength.

    -- Tom
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    My understanding of current password crackers is that there are many enhanced techniques they'll use, including the data from breaches, but also upper case cycling, and common letter substitutions with special characters (e.g. ! for l) and so on. If they can, they will also index your hard drive for all the words on there to use as seeds, so what you thought was private knowledge no longer is.
    Which is why my personal preference is for a few long diceware passwords, plus a password manager.
    What the article doesn't emphasize, though, is the dismal website support for TFA, and adoption of reasonable TFA like U2F is glacial. Or the providers will attempt to foist nasty biometric nonsense, or mobile-phone stuff, on an unsuspecting public.
     
  3. Timok

    Timok Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    51
    Location:
    Germany
  4. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    A password manager is the only real solution and it is convenient (a good one anyway). I have long, strong passwords and I don't have to type or remember anything. (some web sites' max char limit is laughable and the ones that can't handle symbols really leave me to question just how vulnerable that site is)

    For high-profile accounts (Microsoft, LastPass, Google, popular games), 2FA (Google Authenticator, Microsoft's authenticator) is effective and not cumbersome.
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Indeed, like Microsoft (Xbox, 10) or PayPal: a 16-char limit, and PayPal does not even allow paste, so creating a strong password really gets on one's nerves.
     
  6. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    I hate when sites do that! Especially with e-mail. Umm... paste = error-free... typing = error-prone!
     
  7. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    My bank doesn't allow copy & paste, but I can do Ctrl + V. The longer the password... AT&T used to ask for a 4-number PIN; now I read they want a 6 to 8 number PIN. I use a password manager and a long password to lock the password manager.
     
  8. Rigz

    Rigz Registered Member

    Joined:
    Jun 28, 2015
    Posts:
    65
    Location:
    Earth
    The issue with copy and paste is the clipboard log on some systems.

    For instance some Windows computers with Microsoft Word installed can be configured to keep the copy/paste history. This can be hugely convenient, but isn't great for passwords since the log is in plain text.
     
    Last edited: Oct 24, 2015
  9. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    I like the convenience (I use Ditto and Pushbullet) and with 20-60-character passwords, I'm surely using the clipboard!
     
  10. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Don't utilities like KeePass clear the clipboard history after 10 seconds?
     
  11. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    It's an option, on by default.
     
  12. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I've always made a point to make my important PWs (encryption keys especially, etc...) as long as possible. Meaning 63 (ASCII)/WPA2 key, or 32. But employ both methods. I try to make them memorable by creating phrases with intentional typos the way the words sound, with strong vowels capitalized and punctuation. And numbers that mean something to me only. 20 digits long is very strong too, and I use it often. I try not to go under that, believe it or not... I know it sounds like overkill.

    8 should be the bare minimum, with a combination of upper/lower case, numbers, and special characters. As long as there's no properly spelled word in there it should take forever to crack. 32 ASCII digits and we're talking about it standing the life age of the Earth.

    I once had a router that didn't accept special characters for the key... what a joke. Didn't hang onto that one for long.

    I wonder how much of a difference it would be between having a 63 digit ASCII key or 64 digit HEX?... anyone know for sure here? I would think that 1 extra character would make a substantial difference in strength. Each multiple of 12 I've heard makes a good bit of difference compared to 1 digit less. 12 vs. 11 for example, or 32 vs. 31. I wonder then why they wouldn't allow you to just create 64 digit ASCII keys? Because then even 3 letter agencies would have a rough time breaking them?...
     
    Last edited: Nov 10, 2015
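The thread keeps returning to the same arithmetic: how many bits a password of a given length and alphabet actually carries, how Diceware compares, and whether a 63-character ASCII WPA2 passphrase beats a 64-digit hex key. The following is an added example (not code from the thread or from any product named in it) that works those figures out; the 1e12 guesses/second cracking rate is a hypothetical figure used only to put the bit counts on a human scale.

```python
import math

# Alphabet sizes for the policies the thread compares (constructed table).
ALPHABETS = {
    "digits": 10,           # PIN-style, e.g. the 4- to 8-digit PINs mentioned
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "printable ASCII": 95,  # all printable characters on a US keyboard
    "hex": 16,
}
DICEWARE_WORDS = 7776       # 6^5 words in the standard Diceware list


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: every extra symbol adds
    log2(alphabet_size) bits, regardless of its position in the string."""
    return length * math.log2(alphabet_size)


def diceware_bits(words: int) -> float:
    """Entropy of a Diceware passphrase: each word is one symbol drawn from a
    7776-word alphabet (~12.9 bits), independent of how long the word is."""
    return entropy_bits(words, DICEWARE_WORDS)


def wpa2_effective_bits(passphrase_len: int, alphabet_size: int) -> float:
    """WPA2-PSK hashes an 8-63 character ASCII passphrase (PBKDF2) down to a
    256-bit PMK, so a passphrase can never carry more than 256 effective bits.
    A 64-digit hex key is that 256-bit PMK entered directly."""
    return min(entropy_bits(passphrase_len, alphabet_size), 256.0)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    rate = 1e12  # hypothetical offline cracking rate, for illustration only
    rows = [
        ("8 chars, printable ASCII", entropy_bits(8, ALPHABETS["printable ASCII"])),
        ("16 chars, lowercase only", entropy_bits(16, ALPHABETS["lowercase"])),
        ("20 chars, mixed case + digits", entropy_bits(20, ALPHABETS["mixed case + digits"])),
        ("6 Diceware words", diceware_bits(6)),
        ("63-char ASCII WPA2 passphrase", wpa2_effective_bits(63, ALPHABETS["printable ASCII"])),
        ("64-digit hex WPA2 key", entropy_bits(64, ALPHABETS["hex"])),
    ]
    for label, bits in rows:
        years = expected_crack_seconds(bits, rate) / 31_557_600
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years at 1e12 guesses/s")
```

The table shows that 16 lowercase letters already outscore 8 characters from the full printable set, and that the ASCII and hex WPA2 keys both bottom out at the same 256-bit PMK.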