
Good article on picking good passwords
David Jenkins - 31/3/10 at 08:04 AM

Just a reminder about passwords - very well written, I thought.

Lifehacker password guide

It made me think about the ones I use...


Irony - 31/3/10 at 08:11 AM

Well that's a bit scary. Changing my passwords now.


cd.thomson - 31/3/10 at 08:12 AM

I like the idea of using l33t sp3@k.


whitestu - 31/3/10 at 08:48 AM

All my passwords are pretty secure by the standards set out. What really scares me is the recommendation to use a package on your PC to store and manage all your passwords!



Stu


iank - 31/3/10 at 08:50 AM

I really wouldn't use the Microsoft password checker. Using any third party is just too risky, as you are having to trust both Microsoft as a company, all the unknown number of employees that worked on the system, and that SSL (the web encryption https uses) is secure (I recently heard about a company selling boxes that claim to sit in the middle, decrypting everything that goes through them).

Using the Diceware technique for password generation gives you an effectively unbreakable (in sensible time) password that is easy to remember and type.
http://world.std.com/~reinhold/diceware.html

[Edited on 31/3/10 by iank]
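The Diceware procedure mentioned above, as an added example (not code from this thread or from the Diceware page): roll five dice per word, join the faces into a key, look the key up in the list, and repeat. The wordlist fragment below is constructed, with invented words in what is assumed to be the real file's "KEY<tab>word" layout; the real list has one word for every key made of the digits 1-6 (6**5 = 7776 entries). The entropy figures at the end put the thread's other suggestions (a football team's name, l33t substitutions, eight random characters) next to a six-word passphrase, with assumed sizes for the dictionary and alphabet.

```python
"""Diceware passphrase generation, plus a back-of-envelope entropy comparison.

Added example: not code from the forum thread or from the Diceware page at
world.std.com/~reinhold/diceware.html. SAMPLE_WORDLIST is a constructed
stand-in with invented words; the real list has 6**5 = 7776 entries.
"""
import itertools
import math
import secrets

DICE_PER_WORD = 5
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 words in the real list

# Constructed fragment in the (assumed) "KEY<tab>word" layout of the real file.
SAMPLE_WORDLIST = """\
11111\tapple
11112\tbrick
11113\tcanal
11114\tdrift
11115\tember
11116\tfjord
"""


def parse_wordlist(text):
    """Parse 'KEY<tab>word' lines into {key: word}; keys are five digits in 1-6."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split(None, 1)
        if len(key) != DICE_PER_WORD or any(ch not in "123456" for ch in key):
            raise ValueError(f"bad Diceware key {key!r}")
        words[key] = word
    return words


def roll_key(die=None, n_dice=DICE_PER_WORD):
    """Roll n_dice dice and join the faces into a key such as '41526'.

    `die` is any zero-argument callable returning 1..6; the default draws from
    the OS CSPRNG as a stand-in for the physical dice Diceware recommends.
    """
    die = die or (lambda: secrets.randbelow(6) + 1)
    return "".join(str(die()) for _ in range(n_dice))


def passphrase(wordlist, n_words, die=None, sep=" "):
    """Build an n_words passphrase: one key rolled and looked up per word."""
    words = []
    for _ in range(n_words):
        key = roll_key(die)
        if key not in wordlist:
            raise KeyError(f"key {key} not in wordlist (partial list?)")
        words.append(wordlist[key])
    return sep.join(words)


def diceware_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a Diceware passphrase: each word is a uniform draw from the list."""
    return n_words * math.log2(list_size)


def dictionary_word_bits(dictionary_size, leet_positions=0):
    """Entropy of one word from a dictionary of `dictionary_size` entries.

    Each l33t-swappable letter (o->0, i->1, ...) adds at most one bit, because
    an attacker who knows the trick simply tries both forms of that letter.
    """
    return math.log2(dictionary_size) + leet_positions


def random_chars_bits(length, alphabet_size):
    """Entropy of `length` characters chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits, guesses_per_second):
    """Expected time to find the secret: on average half the keyspace is searched."""
    return 2.0 ** bits / 2 / guesses_per_second


def compare_strategies(guesses_per_second=1e9):
    """Rank password styles by entropy. Assumed sizes: 100k-word dictionary,
    3 swappable letters as in 'L1verp00l', 95 printable ASCII characters."""
    styles = {
        "dictionary word": dictionary_word_bits(100_000),
        "dictionary word, l33t": dictionary_word_bits(100_000, leet_positions=3),
        "8 random printable chars": random_chars_bits(8, 95),
        "6 Diceware words": diceware_bits(6),
    }
    return {name: (bits, crack_time_seconds(bits, guesses_per_second))
            for name, bits in styles.items()}


if __name__ == "__main__":
    # Scripted rolls so the demo works with the six-entry sample list.
    rolls = itertools.cycle([1, 1, 1, 1, 2, 1, 1, 1, 1, 5])
    print(passphrase(parse_wordlist(SAMPLE_WORDLIST), 2, die=lambda: next(rolls)))
    for name, (bits, secs) in compare_strategies().items():
        print(f"{name:26s} {bits:6.1f} bits  ~{secs:.3g} s at 1e9 guesses/s")
```

With the real list, drop the scripted die and let `roll_key` use its CSPRNG default (or type in real dice rolls). The comparison is deliberately generous to the dictionary-based styles, since it assumes the attacker knows which dictionary and which substitutions were used; anything guessable from the room, as discussed later in the thread, is worth fewer bits still.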


ironside - 31/3/10 at 09:54 AM

quote:
Originally posted by iank
I really wouldn't use the microsoft password checker. Using any 3rd party is just too risky as you are having to trust both Microsoft as a company, all the unknown number of employees that worked on the system


You're right to be suspicious, putting your passwords into a third party site is not a good idea for the reasons you state, but the Microsoft password checker is ok. The data is never sent to Microsoft, the passwords are checked on your own computer using JavaScript. Disconnect your network connection and you'll see it still works.

quote:
(I recently heard about a company selling boxes that claim to sit in the middle decrypting everything that goes through them).


That is possible if the end user ignores certificate authentication errors as the box in the middle would have to impersonate the secure site:

http://en.wikipedia.org/wiki/Man-in-the-middle_attack


iank - 31/3/10 at 10:14 AM

quote:
Originally posted by ironside
quote:
Originally posted by iank
I really wouldn't use the microsoft password checker. Using any 3rd party is just too risky as you are having to trust both Microsoft as a company, all the unknown number of employees that worked on the system


You're right to be suspicious, putting your passwords into a third party site is not a good idea for the reasons you state, but the Microsoft password checker is ok. The data is never sent to Microsoft, the passwords are checked on your own computer using JavaScript. Disconnect your network connection and you'll see it still works.

quote:
(I recently heard about a company selling boxes that claim to sit in the middle decrypting everything that goes through them).


That is possible if the end user ignores certificate authentication errors as the box in the middle would have to impersonate the secure site:

http://en.wikipedia.org/wiki/Man-in-the-middle_attack


Actually all you need is a forged certificate; with hundreds of companies able to issue them it's not a stretch to believe anyone with enough $$$ can get one if they want one. It's not like they are selling useless boxes, so someone's giving them out, maybe only to governments right now but in the future...

http://www.wired.com/threatlevel/2010/03/packet-forensics/


Staple balls - 31/3/10 at 01:04 PM

quote:
Originally posted by David Jenkins
Just a reminder about passwords - very well written, I thought.

Lifehacker password guide

It made me think about the ones I use...


Some good advice in there, but it misses a few things.

The most noticeable one being the security question.

Never answer those with anything that makes sense; it's far too easy for someone to guess the answer, or find it out with a little poking around.

I generally tend to use the MD5 hash of one of my super insecure passwords to answer security questions. As such, my mother's maiden name, hospital I was born in, and first pet's name are the catchy 362aa834837c647b6797d6fef4dd3e06. It's not a strong password (and nor is the source) but it's a lot stronger than answering the question accurately, and shouldn't really need to be used that much.


Also, I'm not a great fan of using lots of passwords, because you start having to rely on software or bits of paper to keep track of them.

It's all well and good keeping your passwords encrypted in software, but if it's an 8 char dictionary word you use to secure it, you've just given all your super secure passwords away for free.

Visual cues for passwords are bad, anyone sitting at your computer can look around the room and get decent hints. (which I'd bet is where the writer got Mod3lTF0rd from)


TimEllershaw - 31/3/10 at 02:12 PM

quote:

Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.

However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.



Hands up who has used the same password on their favourite kit car forum and on their internet banking.

... errrr.... actually, don't put your hand up.... that would be a bad thing to do. Just hide under the desk and hope nobody notices you.


ironside - 31/3/10 at 02:13 PM

quote:
Originally posted by iank
Actually all you need is a forged certificate, with 100's of companies able to issue them it's not a stretch to believe anyone with enough $$$ can get one if they want one. It's not like they are selling useless boxes so someone's giving them out, maybe only to governments right now but in the future...

http://www.wired.com/threatlevel/2010/03/packet-forensics/


Wow, interesting article. You're absolutely right, if you can compromise a certificate authority you can do whatever you want with very little chance of detection. But if you believe that's happened then you have to believe that potentially nothing is secure. Online banking, credit card transactions in the shops, the lot. It wouldn't matter how complex your password was!

It's nice that Verisign and GoDaddy at least state that they've never issued a fake certificate. Hopefully any CA that is discovered to have issued fakes is removed from the trusted list swiftly.

Just as an aside, if you control the client computer (say if you're in the IT department or you've written a trojan that has compromised a PC) this type of hack would be trivial to do. You can force the client PC under your control to trust your own certificate authority, generate your own certificate for whatever bank and carry out your man in the middle attack. Doddle.

Thanks Ian, now I will worry about more things. I guess mutual SSL authentication is the way to solve this, but as far as I know no mainstream online banking site does this.


gottabedone - 31/3/10 at 04:11 PM

Nothing new really guys!

Make your passwords 8 characters or more with letters, numbers and symbols. Liverpool or any other football team is always high on the list. Slang is a good start, then swap numbers that are similar to letters etc.

As for more to worry about - worry about what you can change and leave the rest to someone else.
Pay for most of your purchases with your credit card and let them deal with any cloning or skimming. It happens and it's a pain but you won't be out of pocket, especially if you regularly keep an eye on your statements.

Steve