Author Topic: IMPORTANT: Password Security  (Read 34113 times)

Offline Christine

  • Administrator
  • Senior Contributor
  • *****
  • Posts: 28908
Re: IMPORTANT: Password Security
« Reply #15 on: October 10, 2008, 12:58:31 PM »
You'd be suprised how many people use such bad passwords though!
If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family anatidae on our hands.
Douglas Adams

Offline skye131924

  • Junior Contributor
  • *****
  • Posts: 391
Re: IMPORTANT: Password Security
« Reply #16 on: April 24, 2011, 04:44:43 PM »,2817,2383890,00.asp

In my lifetime, I have created exactly one awesome password. It's 24 characters long, includes letters and numbers, and is a memorable sentence that no rational person, with the exception of myself, would ever know. Every other password I've created—and occasionally still use—is crap.

I use this awesome password with my LastPass account, which actually handles all of my password creation and management. It generally spits out shorter passwords full of letters and numbers, but they're created in such a way that they're neither guessable nor memorable. LastPass, by the way, is the free, online, award-winning password manager I've been using for almost two years. I don't know what I'd do without it, but I now know what many other people do when they don't use password creation and management products, such as LastPass, RoboForm or perhaps Norton Internet Security: They create some of the worst and most embarrassing passwords known to man.

I asked my Twitter followers to reveal their worst and most embarrassing passwords (though not ones they currently use) and got back some whoppers. I suspect that a few of these are the same as your embarrassing digital code words. My hope is that this list will entertain (some are chuckle-worthy) and educate you (now you have proof that your own passwords are ridiculous). I swear folks, these are real.

Before we get to the list, though, if you insist on creating your own passwords, here are some rules to live by:

    Use at least six characters
    Mix letters and numbers
    Other characters, like underscores, work, too
    Use uppercase and lowercase letters
    A sentence is great as long as it's not a famous quote
    Do not use the same password in multiple places

With that out of the way, let's look at some of your worst and most embarrassing passwords.

1) password
As you might guess, this is one of two password selections that showed up more than once. If you're still using it, you might as well print out all your personal documents, financial records, and photos, tape them to a minivan, and drive it around the neighborhood.

2) 12345
This guy is popular on computers and, apparently, luggage. It's no easier to remember a physical lock combo than it is a digital one, so many people who buy briefcases with locks and either never set them and pull the red tab (that would be me) or make sure that the combo is the most obvious in existence.

3) CaseSensitive
This one wouldn't be so terrible if it weren't so painfully obvious.

4) Teletubbie
Having trouble writing this because I…am…laughing…so…hard. Parents of young children can be partially excused for using this embarrassment, but next time, I suggest something with a bit more edge like: DoraTheImpaler.

5) F*ckOffPlease
One Twitter follower told me that every one of his passwords at his old job was a profanity or a phrase featuring a profanity. Clearly, the guy had some issues at work. Here's hoping he's now at a new job where the spiciest password he uses is EveryoneHereIsSoNice.

6) hellogod
This one isn't so bad, but if someone gets a hold of this one, you may be pegged as a religious zealot.

7) homeboyee
This one might be a little embarassing when you have that conversation with your IT administrator. You'll say it, the admin will likely snicker (and assume he heard you wrong), you'll spell it out, and then you'll get that look.

8) <3BSB<3
This is actually a good password (look at those characters!), but completely embarrassing subject matter. Its author revealed that she was very into the Backstreet Boys when she came up with it. I wonder if her new password is NKOTB.

9) goldeneye
Nerds and geeks have a habit of using their favorite characters and/or movie and book titles in their passwords. This one isn't too nerdy, but if anyone knows you're a fan of James Bond, your goose is cooked. As an aside, all Star Wars fans should steer clear of Jedi, Luke, and Darth.

10) OpenUp
This is easily one of the worst passwords ever. In fact, I doubt any real thought went into it.

11) asdfhgjkl
This one is a classic. At first, it looks pretty good and you might think, "Look, it's just random letters. Who would ever figure that one out?" However, those letters look kind of familiar, don't they? Take a good look at your keyboard. That's right, it's all the letters in the third row, from "a" to "l."

12) gotohell40
No one likes turning 40 (or 50, 60 or 70), but this kind of password is only safe when you're not 40

Offline Saturn

  • Senior Contributor
  • *****
  • Posts: 1311
Re: IMPORTANT: Password Security
« Reply #17 on: April 24, 2011, 09:42:16 PM »
When Bill Clinton was president I remember the two most common passwords were "sex" and "Bill Clinton" lol.

Offline Jazza

  • Site Technician
  • Administrator
  • Centurion
  • *****
  • Posts: 158
  • Mr. No-Moar-Upgrades-Plz
Re: IMPORTANT: Password Security
« Reply #18 on: April 25, 2011, 07:48:19 PM »
Quote from: skye131924,2817,2383890,00.asp
Not the best article I've seen about password protection.

Authentication by use of passwords (a knowledge factor, something you know) is done in a few stages:
The user enters in the password they want to use for their account. The password is put through a crytographic hash function which turns a user's password into a hash (Eg: 'passw0rd' when put through the hash function SHA-1 becomes '7c6a61c68ef8b9b6b061b28c348bc1ed7921cb53').
This hash is kept on the service which holds your account.

When you go to login later, you enter in your password just like before. This too is hashed and this hash is then checked against the one in the database associated with your account. If the hashes matches, it means the password that was entered was the same as the one originally used to create the hash in the database (assuming the hash function being used doesn't suck).
One of the reasons hashes are used is so passwords are not kept in plaintext (as-is) in databases is if they are compromised it makes it more difficult to obtain the original password used to create the hash and use that with the service. You can't just grab a hash and use it as the password for an account, because that hash will be treated as a normal password and it will create a hash of the hash to check against (which won't be the same). It also means administrators like me can view the raw user data of a database without knowing your passwords.

I think it's important people understand the mechanisms of how password authentication works, many important services from social networking, banks, government websites, eBay, other shopping websites etc. can rely solely on passwords. With so much at stake (identity theft etc.) I would hope people would care about how these things work as much as they do about how the safety features in a car work.

People should also avoid using the same password for multiple services because if one account is compromised, it's possible that an attacker can attempt to use the same details on other accounts such as a linked email or social networking account.

Also, symbols are a definite plus, in a perfect world I'd make them mandatory. They can dramatically increase the time it takes to for an attacker to brute-force a password and it can reduce their options in using precalculated tables in case they manage to actually steal your password hash from a service. A good service will use a salt to make those pre-calculated tables less effective, even if the user picks a weak password.

Avoid dictionary words where possible, a password comprised of mostly dictionary words makes your password vulnerable to a dictionary attack.

Though, in reality, a lot of services will limit the number of password attempts before locking you out for a set period of time. The trouble really comes in when an attacker has gotten access to your password hash, from either hacking your computer and taking a saved password or breaking into a service and extracting it from a database. In those scenarios, they can brute-force them or use pre-calculated tables using their own equipment and their own time without interacting with the target any further.

However, the future really is in multi-factor authentication. An example being a bank account with a password (something you know) and a token (something you have).
« Last Edit: April 25, 2011, 07:51:31 PM by Jazza »
There's always the Back button. Is your browser up to date?


SMF 2.0.18 | SMF © 2021, Simple Machines | Terms & Conditions | Privacy Policy
SimplePortal 2.3.3 © 2008-2010, SimplePortal