"how to Devise Passwords . . "


Postby OldOne » Thu Nov 08, 2012 12:50 pm

If you've read enough about password management, you might want to avoid this NY Times Personal Tech article. If not, it might be worth reading. My problem is that I read and understand but fail to DO IT. One of these days I'll regret it. Anyway, see what you think . .

http://www.nytimes.com/2012/11/08/technology/personaltech/how-to-devise-passwords-that-drive-hackers-away.html?src=me&ref=general
OldOne
 
Posts: 125
Joined: Sat Jun 25, 2011 8:02 pm
Location: Texas

Re: "how to Devise Passwords . . "

Postby czeckers » Thu Nov 08, 2012 1:44 pm

My annoyance with the whole password thing is that each site has a different set of restrictions. I find that many websites, especially the financial ones, limit the length and use of special characters, thus eliminating the possibility of very strong passwords.

This is my one large gripe with Vanguard and I pray they will remedy this sometime soon.

-K
The Espresso portfolio: | | 16% LCV, 16% SCV, 16% EM, 8% Int'l Value, 8% Int'l Sm, 8% US REIT, 8% Int'l REIT, 20% Inter-term US Treas | | "A journey of a thousand miles begins with a single step."
czeckers
 
Posts: 638
Joined: Thu May 17, 2007 4:49 pm
Location: Upstate NY

Re: "how to Devise Passwords . . "

Postby wilpat » Thu Nov 08, 2012 4:07 pm

I once made a password by taking the Gettysburg Address and translating it into French then reversing the entire text (fourscore and 7 years became -- sraey 7 dna erocsruof) then using every 16th letter (or number) ( I used 16 because I have 16 Grandchildren) and used the first 12 selections as a password.
Contrary to the belief of many, profit is not a four letter word!
wilpat
 
Posts: 472
Joined: Sun Jan 20, 2008 8:30 pm

Re: "how to Devise Passwords . . "

Postby Rob5TCP » Thu Nov 08, 2012 4:23 pm

That has been a big peeve of mine and probably one of the main reasons I have considered moving my money elsewhere. Ten characters, no cap/small is absurd. I use meaningless symbols and letters/numbers, but 10 characters is not enough in this day and age. How do we complain to Vanguard about this?
Rob5TCP
 
Posts: 1939
Joined: Tue Jun 05, 2007 8:34 pm
Location: New York, NY

Re: "how to Devise Passwords . . "

Postby Fallible » Thu Nov 08, 2012 5:22 pm

OldOne wrote:If you've read enough about password management, you might want to avoid this NY Times Personal Tech article. If not, it might be worth reading. My problem is that I read and understand but fail to DO IT. One of these days I'll regret it. ...


Excellent article, especially by someone who writes about cybersecurity (vs. yet another clueless soul who failed to appreciate it until he/she was hacked). I also failed to devise good passwords (but apparently didn't get hacked) until a web developer I started working with last year lectured me on the extreme need for them - and to change them often, plus how to keep track of them. Also, here's a good BH forum on passwords: viewtopic.php?f=3&t=97719
"Common sense and a sense of humor are the same thing, moving at different speeds. A sense of humor is just common sense, dancing." -William James
Fallible
 
Posts: 3903
Joined: Fri Nov 27, 2009 5:44 pm

Re: "how to Devise Passwords . . "

Postby ataloss » Thu Nov 08, 2012 8:38 pm

are folks worried that someone can guess a random 10 character vanguard password in 3 tries?
ataloss
 
Posts: 866
Joined: Tue Feb 20, 2007 4:24 pm

Re: "how to Devise Passwords . . "

Postby Rob5TCP » Thu Nov 08, 2012 8:47 pm

ataloss wrote:are folks worried that someone can guess a random 10 character vanguard password in 3 tries?


If that was it, no passwords would ever be cracked. There are tools that use a hash (that they obtain) and cracking is infinitely quicker. While Vanguard probably has good security, none are foolproof. I am not an expert, but friends that are tell me 10 characters is great - for 2005 (not for 2012).
Rob5TCP
 
Posts: 1939
Joined: Tue Jun 05, 2007 8:34 pm
Location: New York, NY

Re: "how to Devise Passwords . . "

Postby Mudpuppy » Thu Nov 08, 2012 10:07 pm

Rob5TCP wrote:
ataloss wrote:are folks worried that someone can guess a random 10 character vanguard password in 3 tries?


If that was it, no passwords would ever be cracked. There are tools that use a hash (that they obtain) and cracking is infinitely quicker. While Vanguard probably has good security, none are foolproof. I am not an expert, but friends that are tell me 10 characters is great - for 2005 (not for 2012).

They do have to violate Vanguard's security first to get the hashes, which means any passwords cracked as a result of such a violation would be due to Vanguard's security deficits, not the user's security deficits. So in such a situation, you would be covered by Vanguard's policies to make you whole for any consequences to your Vanguard account as a result of an attacker using the hash file to come up with your password.

What would be a security deficit on your part is if you used your 10 character Vanguard password for another place, and that other place had their password hashes stolen and cracked, which then led to someone compromising your Vanguard account. In that case, you would be responsible since you did not follow best security practices. This is why the number 1 thing to remember about passwords is to never reuse them at multiple places. I covered this in my previous thread on password security: viewtopic.php?f=11&t=97664&p=1410534
Mudpuppy
 
Posts: 2679
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California

Re: "how to Devise Passwords . . "

Postby NAVigator » Thu Nov 08, 2012 10:14 pm

Rob5TCP wrote:
ataloss wrote:are folks worried that someone can guess a random 10 character vanguard password in 3 tries?


If that was it, no passwords would ever be cracked. There are tools that use a hash (that they obtain) and cracking is infinitely quicker. While Vanguard probably has good security, none are foolproof. I am not an expert, but friends that are tell me 10 characters is great - for 2005 (not for 2012).

The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so.... :wink:

Jerry
"I was born with nothing and I have most of it left."
NAVigator
 
Posts: 2458
Joined: Tue Feb 27, 2007 8:24 am
Location: Iowa

Re: "how to Devise Passwords . . "

Postby Rob5TCP » Thu Nov 08, 2012 10:23 pm

I tried to change my UserName to something more complex. There seemed to be no easy way to do that.
Rob5TCP
 
Posts: 1939
Joined: Tue Jun 05, 2007 8:34 pm
Location: New York, NY

Re: "how to Devise Passwords . . "

Postby tetractys » Thu Nov 08, 2012 10:24 pm

I use keyboard patterns, but somewhat unsystematically, so it's easy to remember about 20 different passwords. Really not worried even if a breach occurs, since other redundant security measures cover that pretty well. -- Tet
tetractys
 
Posts: 4195
Joined: Sat Mar 17, 2007 4:30 pm
Location: Along the Salish Sea

Re: "how to Devise Passwords . . "

Postby Epsilon Delta » Thu Nov 08, 2012 10:26 pm

NAVigator wrote:The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so.... :wink:

Unless they use the username as a salutation in a plain text email. Then your account became vulnerable in 2002 and you find you've been destitute for the last 10 years. It is best to keep secrets segregated so that it is clear what is secret, and must be protected.
Epsilon Delta
 
Posts: 3440
Joined: Thu Apr 28, 2011 8:00 pm

Re: "how to Devise Passwords . . "

Postby NAVigator » Fri Nov 09, 2012 12:08 am

Epsilon Delta wrote:
NAVigator wrote:The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so.... :wink:

Unless they use the username as a salutation in a plain text email. Then your account became vulnerable in 2002 and you find you've been destitute for the last 10 years. It is best to keep secrets segregated so that it is clear what is secret, and must be protected.

I was addressing a concern about Vanguard. They use my real name in the email salutation not my username.

Jerry
"I was born with nothing and I have most of it left."
NAVigator
 
Posts: 2458
Joined: Tue Feb 27, 2007 8:24 am
Location: Iowa

Re: "how to Devise Passwords . . "

Postby Epsilon Delta » Fri Nov 09, 2012 1:22 am

NAVigator wrote:
Epsilon Delta wrote:
NAVigator wrote:The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so.... :wink:

Unless they use the username as a salutation in a plain text email. Then your account became vulnerable in 2002 and you find you've been destitute for the last 10 years. It is best to keep secrets segregated so that it is clear what is secret, and must be protected.

I was addressing a concern about Vanguard. They use my real name in the email salutation not my username.

Jerry

I was a little glib the first time, but it still probably won't help much.

The attack you're trying to protect against is somebody hacking Vanguard's computer and getting hold of a file containing hashed passwords. Using long complex passwords means that the hacker has to work hard(er) to figure out your password from the hash. But your username is probably in plain text in the password file, so complexity in the username does not help. The reason your username is unlikely to be obscured inside Vanguard's system is that it is a username and not a password, so Vanguard will not take extraordinary efforts to keep it secret.

A complex username helps a little if somebody is trying random passwords and usernames on Vanguard's login page, but Vanguard should be monitoring login attempts closely enough that even very short passwords make this attack very unlikely to succeed.
Epsilon Delta
 
Posts: 3440
Joined: Thu Apr 28, 2011 8:00 pm

Re: "how to Devise Passwords . . "

Postby overst33r » Fri Nov 09, 2012 9:52 am

I haven't made a new password in ages. www.Lastpass.com
overst33r
 
Posts: 78
Joined: Fri Jan 04, 2008 12:29 pm

Re: "how to Devise Passwords . . "

Postby ataloss » Sat Nov 10, 2012 9:37 am

I use Keypass with the "random" password generator. If I use 10 characters using just lower case and numbers I have (36)^10 = 36,000,000,000,000,000 possible combinations. It seems like the odds of guessing the right one in 3 tries would be rather low. Vanguard turns off your account after a few wrong guesses (it happened to me years ago). So, other than having friends who tell us that adding more characters would be better, can anyone actually explain how this would really be more secure?
ataloss
 
Posts: 866
Joined: Tue Feb 20, 2007 4:24 pm

Re: "how to Devise Passwords . . "

Postby Mudpuppy » Sat Nov 10, 2012 5:04 pm

ataloss wrote:I use Keypass with the "random" password generator. If I use 10 characters using just lower case and numbers I have (36)^10 = 36,000,000,000,000,000 possible combinations. It seems like the odds of guessing the right one in 3 tries would be rather low. Vanguard turns off your account after a few wrong guesses (it happened to me years ago). So, other than having friends who tell us that adding more characters would be better, can anyone actually explain how this would really be more secure?

People are not concerned about online, live password guessing (e.g. the three guesses at Vanguard's website) when they are concerned about a short password length. They are concerned about someone cracking the hashed password file. But as I said previously, they would have to violate Vanguard's security to get that first. As long as you don't reuse your Vanguard password at another site, any breaches would be primarily Vanguard's responsibility. But if you do reuse your Vanguard password elsewhere, it becomes your responsibility because you used poor security practices.
Mudpuppy
 
Posts: 2679
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California
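
The two threat models the thread keeps circling (three online guesses against a lockout versus offline cracking of a stolen hash file, and why password reuse across sites is what turns a breach elsewhere into a loss here) can be made concrete. The following is an added example, not code from any poster or from Vanguard, whose storage details nobody in the thread knows. The guessing rates (1e10 hashes per second for an unsalted fast hash, 1e5 per second for PBKDF2 at 100,000 iterations) and the three sample accounts are assumptions constructed for illustration; the keyspace arithmetic itself is exact.

```python
import hashlib
import hmac
import os

# Alphabet sizes: a-z plus 0-9 (the thread's arithmetic) and full printable ASCII.
LOWER_DIGITS = 36
PRINTABLE_ASCII = 95
SECONDS_PER_YEAR = 365 * 24 * 3600

# Illustrative guessing rates (assumptions for this example, not measurements):
# a fast unsalted hash such as SHA-1 on GPU hardware versus a slow KDF.
FAST_HASH_RATE = 1e10
SLOW_KDF_RATE = 1e5
KDF_ITERATIONS = 100_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every password at a given rate.

    Offline, the attacker sets this rate (hash speed times hardware); online,
    a lockout after a few failures caps it, which is why the two cases differ.
    """
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def store_unsalted(password: str) -> str:
    """Weak storage: one fast SHA-1, no salt. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Hardened storage: a random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_salted(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def shared_password_groups(hash_file: dict) -> list:
    """Defender's audit of an unsalted file: identical hashes mean identical
    passwords, visible with no guessing at all. Usernames are plaintext keys,
    which is Epsilon Delta's point about a cryptic username not helping."""
    by_hash = {}
    for user, digest in hash_file.items():
        by_hash.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


# Constructed sample accounts: alice and bob happen to share a password.
SAMPLE_ACCOUNTS = {
    "alice": "pelican-orbit-42",
    "bob": "pelican-orbit-42",
    "carol": "quartz-lantern-1911",
}
UNSALTED_FILE = {u: store_unsalted(p) for u, p in SAMPLE_ACCOUNTS.items()}
SALTED_FILE = {u: store_salted(p) for u, p in SAMPLE_ACCOUNTS.items()}


def salted_hashes_all_distinct() -> bool:
    """With per-user salts, the same password yields unrelated stored values."""
    return len({r["hash"] for r in SALTED_FILE.values()}) == len(SALTED_FILE)


if __name__ == "__main__":
    print(f"36^10 = {keyspace(LOWER_DIGITS, 10):,}")
    print(f"fast hash, 10 chars a-z0-9: {years_to_exhaust(LOWER_DIGITS, 10, FAST_HASH_RATE):.3f} years")
    print(f"slow KDF,  10 chars a-z0-9: {years_to_exhaust(LOWER_DIGITS, 10, SLOW_KDF_RATE):.0f} years")
    print(f"fast hash, 16 chars ASCII:  {years_to_exhaust(PRINTABLE_ASCII, 16, FAST_HASH_RATE):.2e} years")
    print("unsalted file reveals shared passwords:", shared_password_groups(UNSALTED_FILE))
    print("salted file values all distinct:", salted_hashes_all_distinct())
```

The point the numbers make is Mudpuppy's: the same ten-character password that is effectively unguessable in three online tries falls in days against an unsalted fast hash once the file is stolen, and survives for centuries only if the site chose a slow salted KDF, a choice the user cannot see. The audit function shows the other half: in an unsalted file, reuse is visible to whoever holds the file before a single guess is made, so a password shared across sites is exposed by the weakest site that stores it.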

Re: "how to Devise Passwords . . "

Postby paulsiu » Wed Nov 14, 2012 11:31 am

On forum websites and such, I don't always use really long passwords, especially if there's nothing sensitive to get into.

On email and financial sites, I often use somewhat hard to guess but easier to remember sentences (ex: "chasLikeMenudoWithOnion1911").

While this may be a bad idea in a secured environment, writing the password on a piece of paper and then storing it physically somewhere secure (not near your computer) is good enough. Hackers can't hack into it and if your computer is stolen, it's not so likely they'll get to the password. You may not even need to lock it. Hide the sheet in something people won't bother stealing, a copy of War and Peace, or the Holy Bible.

Paul
paulsiu
 
Posts: 1387
Joined: Sun Nov 16, 2008 8:46 pm

Re: "how to Devise Passwords . . "

Postby mike143 » Wed Nov 14, 2012 9:27 pm

Type your password into google and see if you get any hits. My better ones get no hits.
Nothing is free, someone pays...You can't spend your way to financial freedom.
mike143
 
Posts: 1232
Joined: Thu Feb 02, 2012 9:55 pm

Re: "how to Devise Passwords . . "

Postby ataloss » Wed Nov 14, 2012 11:34 pm

People are not concerned about online, live password guessing (e.g. the three guesses at Vanguard's website) when they are concerned about a short password length. They are concerned about someone cracking the hashed password file.


I understand your concern and it is legitimate although none of us know the details of the hashing and salting at Vanguard and increased password length may not be useful depending on the unknowns. Rob5TCP finds the Vanguard restrictions absurd but can't really articulate why. I think the fact that login attempts are limited enhances security far more than increasing pw length, especially considering that many users will try using "password" and if you require a number will try "password1." The image at login is a nice idea to prevent password losses to fake sites although I am not sure if most users pay attention. Making the password requirements too onerous results in people calling in so that the phone rep can ask them their first pet's name and their favorite Beatle. I think the "security" questions as usually completed are probably a weaker target for thieves.
ataloss
 
Posts: 866
Joined: Tue Feb 20, 2007 4:24 pm

Re: "how to Devise Passwords . . "

Postby Mudpuppy » Wed Nov 14, 2012 11:41 pm

mike143 wrote:Type your password into google and see if you get any hits. My better ones get no hits.

Except Google now has a record of your password to add to its search term statistics.... all of those auto-complete features of Google don't just happen out of thin air after all, Google keeps a log of search terms entered: http://www.google.com/goodtoknow/data-o ... arch-logs/
Mudpuppy
 
Posts: 2679
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California
