"how to Devise Passwords . . "

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Topic Author
OldOne
Posts: 199
Joined: Sat Jun 25, 2011 7:02 pm
Location: Texas

"how to Devise Passwords . . "

Post by OldOne »

If you've read enough about password management, you might want to avoid this NY Times Personal Tech article. If not, it might be worth reading. My problem is that I read and understand but fail to DO IT. One of these days I'll regret it. Anyway, see what you think . .

http://www.nytimes.com/2012/11/08/techn ... ef=general
czeckers
Posts: 1082
Joined: Thu May 17, 2007 3:49 pm
Location: USA

Re: "how to Devise Passwords . . "

Post by czeckers »

My annoyance with the whole password thing is that each site has a different set of restrictions. I find that many websites, especially the financial ones, limit the length and use of special characters, thus eliminating the possibility of very strong passwords.

This is my one large gripe with Vanguard and I pray they will remedy this sometime soon.

-K
The Espresso portfolio: 20% US TSM, 20% Small Value, 10% US REIT, 10% Dev Int'l, 10% EM, 10% Commodities, 20% Inter-term US Treas | "A journey of a thousand miles begins with a single step."
wilpat
Posts: 534
Joined: Sun Jan 20, 2008 6:30 pm

Re: "how to Devise Passwords . . "

Post by wilpat »

I once made a password by taking the Gettysburg Address and translating it into French, then reversing the entire text (fourscore and 7 years became -- sraey 7 dna erocsruof), then using every 16th letter (or number) (I used 16 because I have 16 grandchildren) and used the first 12 selections as a password.
Contrary to the belief of many, profit is not a four letter word!
Rob5TCP
Posts: 3812
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: "how to Devise Passwords . . "

Post by Rob5TCP »

That has been a big peeve of mine and probably one of the main reasons I have considered moving my money elsewhere. Ten characters, no cap/small, is absurd. I use meaningless symbols and letters/numbers, but 10 characters is not enough in this day and age. How do we complain to Vanguard about this?
Fallible
Posts: 8798
Joined: Fri Nov 27, 2009 3:44 pm

Re: "how to Devise Passwords . . "

Post by Fallible »

OldOne wrote:If you've read enough about password management, you might want to avoid this NY Times Personal Tech article. If not, it might be worth reading. My problem is that I read and understand but fail to DO IT. One of these days I'll regret it. ...
Excellent article, especially by someone who writes about cybersecurity (vs. yet another clueless soul who failed to appreciate it until he/she was hacked). I also failed to devise good passwords (but apparently didn't get hacked) until a web developer I started working with last year lectured me on the extreme need for them - and to change them often, plus how to keep track of them. Also, here's a good BH forum on passwords: http://www.bogleheads.org/forum/viewtop ... =3&t=97719
"Yes, investing is simple. But it is not easy, for it requires discipline, patience, steadfastness, and that most uncommon of all gifts, common sense." ~Jack Bogle
ataloss
Posts: 887
Joined: Tue Feb 20, 2007 2:24 pm

Re: "how to Devise Passwords . . "

Post by ataloss »

are folks worried that someone can guess a random 10 character vanguard password in 3 tries?
Rob5TCP
Posts: 3812
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: "how to Devise Passwords . . "

Post by Rob5TCP »

ataloss wrote:are folks worried that someone can guess a random 10 character vanguard password in 3 tries?
If that was it, no passwords would ever be cracked. There are tools that use a hash (that they obtain) and cracking is infinitely quicker. While Vanguard probably has good security, none are foolproof. I am not an expert, but friends that are tell me 10 characters is great - for 2005 (not for 2012).
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: "how to Devise Passwords . . "

Post by Mudpuppy »

Rob5TCP wrote:
ataloss wrote:are folks worried that someone can guess a random 10 character vanguard password in 3 tries?
If that was it, no passwords would ever be cracked. There are tools that use a hash (that they obtain) and cracking is infinitely quicker. While Vanguard probably has good security, none are foolproof. I am not an expert, but friends that are tell me 10 characters is great - for 2005 (not for 2012).
They do have to violate Vanguard's security first to get the hashes, which means any passwords cracked as a result of such a violation would be due to Vanguard's security deficits, not the user's security deficits. So in such a situation, you would be covered by Vanguard's policies to make you whole for any consequences to your Vanguard account as a result of an attacker using the hash file to come up with your password.

What would be a security deficit on your part is if you used your 10 character Vanguard password for another place, and that other place had their password hashes stolen and cracked, which then led to someone compromising your Vanguard account. In that case, you would be responsible since you did not follow best security practices. This is why the number 1 thing to remember about passwords is to never reuse them at multiple places. I covered this in my previous thread on password security: http://www.bogleheads.org/forum/viewtop ... &p=1410534
NAVigator
Posts: 2545
Joined: Tue Feb 27, 2007 6:24 am
Location: Iowa

Re: "how to Devise Passwords . . "

Post by NAVigator »

Rob5TCP wrote:
ataloss wrote:are folks worried that someone can guess a random 10 character vanguard password in 3 tries?
If that was it, no passwords would ever be cracked. There are tools that use a hash (that they obtain) and cracking is infinitely quicker. While Vanguard probably has good security, none are foolproof. I am not an expert, but friends that are tell me 10 characters is great - for 2005 (not for 2012).
The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so.... :wink:

Jerry
"I was born with nothing and I have most of it left."
Rob5TCP
Posts: 3812
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: "how to Devise Passwords . . "

Post by Rob5TCP »

I tried to change my UserName to something more complex. There seemed to be no easy way to do that.
tetractys
Posts: 6249
Joined: Sat Mar 17, 2007 3:30 pm
Location: Along the Salish Sea

Re: "how to Devise Passwords . . "

Post by tetractys »

I use keyboard patterns, but somewhat unsystematically, so it's easy to remember about 20 different passwords. Really not worried even if a breach occurs, since other redundant security measures cover that pretty good. -- Tet
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: "how to Devise Passwords . . "

Post by Epsilon Delta »

NAVigator wrote: The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so.... :wink:
Unless they use the username as a salutation in a plain text email. Then your account became vulnerable in 2002 and you find you've been destitute for the last 10 years. It is best to keep secrets segregated so that it is clear what is secret, and must be protected.
NAVigator
Posts: 2545
Joined: Tue Feb 27, 2007 6:24 am
Location: Iowa

Re: "how to Devise Passwords . . "

Post by NAVigator »

Epsilon Delta wrote:
NAVigator wrote: The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so.... :wink:
Unless they use the username as a salutation in a plain text email. Then your account became vulnerable in 2002 and you find you've been destitute for the last 10 years. It is best to keep secrets segregated so that it is clear what is secret, and must be protected.
I was addressing a concern about Vanguard. They use my real name in the email salutation not my username.

Jerry
"I was born with nothing and I have most of it left."
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: "how to Devise Passwords . . "

Post by Epsilon Delta »

NAVigator wrote:
Epsilon Delta wrote:
NAVigator wrote: The username can be made as cryptic as your password. The combination increases the complexity. I did that so I should be secure until 2019 or so.... :wink:
Unless they use the username as a salutation in a plain text email. Then your account became vulnerable in 2002 and you find you've been destitute for the last 10 years. It is best to keep secrets segregated so that it is clear what is secret, and must be protected.
I was addressing a concern about Vanguard. They use my real name in the email salutation not my username.

Jerry
I was a little glib the first time, but it still probably won't help much.

The attack you're trying to protect against is somebody hacking Vanguard's computer and getting hold of a file containing hashed passwords. Using long complex passwords means that the hacker has to work hard(er) to figure out your password from the hash. But your username is probably in plain text in the password file, so complexity in the username does not help. The reason your username is unlikely to be obscured inside Vanguard's system is that it is a username and not a password, so Vanguard will not take extraordinary efforts to keep it secret.

A complex username helps a little if somebody is trying random passwords and usernames on Vanguard's login page, but Vanguard should be monitoring login attempts closely enough that even very short passwords make this attack very unlikely to succeed.
overst33r
Posts: 112
Joined: Fri Jan 04, 2008 10:29 am

Re: "how to Devise Passwords . . "

Post by overst33r »

I haven't made a new password in ages. www.Lastpass.com
ataloss
Posts: 887
Joined: Tue Feb 20, 2007 2:24 pm

Re: "how to Devise Passwords . . "

Post by ataloss »

I use Keypass with the "random" password generator. If I use 10 characters using just lower case and numbers I have (36)^10 = 36,000,000,000,000,000 possible combinations. It seems like the odds of guessing the right one in 3 tries would be rather low. Vanguard turns off your account after a few wrong guesses (it happened to me years ago). So other than having friends who tell us that adding more characters would be better, can anyone actually explain how this would really be more secure?
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: "how to Devise Passwords . . "

Post by Mudpuppy »

ataloss wrote:I use Keypass with the "random" password generator. If I use 10 characters using just lower case and numbers I have (36)^10 = 36,000,000,000,000,000 possible combinations. It seems like the odds of guessing the right one in 3 tries would be rather low. Vanguard turns off your account after a few wrong guesses (it happened to me years ago). So other than having friends who tell us that adding more characters would be better, can anyone actually explain how this would really be more secure?
People are not concerned about online, live password guessing (e.g. the three guesses at Vanguard's website) when they are concerned about a short password length. They are concerned about someone cracking the hashed password file. But as I said previously, they would have to violate Vanguard's security to get that first. As long as you don't reuse your Vanguard password at another site, any breaches would be primarily Vanguard's responsibility. But if you do reuse your Vanguard password elsewhere, it becomes your responsibility because you used poor security practices.
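The online-versus-offline distinction in the last few posts can be put in numbers. The following is an added illustration, not code from the thread or from Vanguard; the guess rates, the 3-attempt lockout and the "fast hash" versus "slow KDF" cases are constructed assumptions, and it generalizes the 36^10 calculation above to any character set and length.

```python
import math

# Constructed assumptions for illustration only (not figures from the thread):
# a login page that locks the account after a few failures gives an attacker a
# handful of guesses; an attacker holding a stolen hash file is limited only by
# hardware and by how slow the hash function is.
ONLINE_GUESSES_BEFORE_LOCKOUT = 3        # assumption: lockout after 3 failures
OFFLINE_FAST_HASH_PER_SECOND = 1e10      # assumption: GPU rig vs. a fast unsalted hash
OFFLINE_SLOW_KDF_PER_SECOND = 1e4        # assumption: same rig vs. a slow KDF (bcrypt-like)
SECONDS_PER_YEAR = 365.25 * 86400

def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters from `charset_size` symbols."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(charset_size)

def online_success_probability(charset_size: int, length: int,
                               guesses: int = ONLINE_GUESSES_BEFORE_LOCKOUT) -> float:
    """Chance that random guessing hits the password before the lockout triggers."""
    return guesses / keyspace(charset_size, length)

def offline_expected_years(charset_size: int, length: int,
                           rate: float = OFFLINE_FAST_HASH_PER_SECOND) -> float:
    """Expected time to recover one hash offline; on average half the space is searched."""
    return keyspace(charset_size, length) / 2 / rate / SECONDS_PER_YEAR

def min_length_for_years(charset_size: int, years: float,
                         rate: float = OFFLINE_FAST_HASH_PER_SECOND) -> int:
    """Smallest length whose expected offline crack time reaches `years`."""
    length = 1
    while offline_expected_years(charset_size, length, rate) < years:
        length += 1
    return length

if __name__ == "__main__":
    for length in (10, 12, 16):
        print(f"{length} chars, lower+digits: {entropy_bits(36, length):.1f} bits, "
              f"online hit chance {online_success_probability(36, length):.1e}, "
              f"offline fast hash {offline_expected_years(36, length):.2g} years, "
              f"offline slow KDF "
              f"{offline_expected_years(36, length, OFFLINE_SLOW_KDF_PER_SECOND):.2g} years")
    print("lower+digits length for 100 years vs. fast hash:", min_length_for_years(36, 100))
```

The same 10-character lowercase-plus-digits password that is effectively unguessable in 3 online tries falls in days against a fast hash, which is why the length people want depends on how the site stores passwords, something a customer cannot see.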
paulsiu
Posts: 1457
Joined: Sun Nov 16, 2008 6:46 pm

Re: "how to Devise Passwords . . "

Post by paulsiu »

On forum websites and such, I don't always use really long password, especially if there's nothing sensitive to get into.

On email and financial sites, I often use somewhat hard to guess but easier to remember sentences (ex: "chasLikeMenudoWithOnion1911").

While this may be a bad idea in a secured environment, writing the password on a piece of paper and then storing it physically somewhere secure (not near your computer) is good enough. Hackers can't hack into it and if your computer is stolen, it's not so likely they'll get to the password. You may not even need to lock it. Hide the sheet in something people won't bother stealing, a copy of War and Peace, or the Holy Bible.

Paul
mike143
Posts: 1332
Joined: Thu Feb 02, 2012 7:55 pm

Re: "how to Devise Passwords . . "

Post by mike143 »

Type your password into google and see if you get any hits. My better ones get no hits.
Nothing is free, someone pays...You can't spend your way to financial freedom.
ataloss
Posts: 887
Joined: Tue Feb 20, 2007 2:24 pm

Re: "how to Devise Passwords . . "

Post by ataloss »

Mudpuppy wrote:People are not concerned about online, live password guessing (e.g. the three guesses at Vanguard's website) when they are concerned about a short password length. They are concerned about someone cracking the hashed password file.
I understand your concern and it is legitimate, although none of us know the details of the hashing and salting at Vanguard and increased password length may not be useful depending on the unknowns. Rob5TCP finds the Vanguard restrictions absurd but can't really articulate why. I think the fact that login attempts are limited enhances security far more than increasing pw length, especially considering that many users will try using "password" and if you require a number will try "password1." The image at login is a nice idea to prevent password losses to fake sites, although I am not sure if most users pay attention. Making the password requirements too onerous results in people calling in so that the phone rep can ask them their first pet's name and their favorite Beatle. I think the "security" questions as usually completed are probably a weaker target for thieves.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: "how to Devise Passwords . . "

Post by Mudpuppy »

mike143 wrote:Type your password into google and see if you get any hits. My better ones get no hits.
Except Google now has a record of your password to add to its search term statistics.... all of those auto-complete features of Google don't just happen out of thin air after all, Google keeps a log of search terms entered: http://www.google.com/goodtoknow/data-o ... arch-logs/