David Jenkins, posted on 31/3/10 at 08:04 AM
Good article on picking good passwords
Just a reminder about passwords - very well written, I thought.
Lifehacker password guide
It made me think about the ones I use...
Irony, posted on 31/3/10 at 08:11 AM
Well, that's a bit scary. Changing my passwords now.
cd.thomson, posted on 31/3/10 at 08:12 AM
I like the idea of using l33t sp3@k.
Craig
whitestu, posted on 31/3/10 at 08:48 AM
All my passwords are pretty secure by the standards set out. What really scares me is the recommendation to use a package on your PC to store and
manage all your passwords!
Stu
iank, posted on 31/3/10 at 08:50 AM
I really wouldn't use the Microsoft password checker. Using any 3rd party is just too risky, as you are having to trust Microsoft as a
company, the unknown number of employees who worked on the system, and that SSL (the web encryption HTTPS uses) is secure (I recently heard about
a company selling boxes that claim to sit in the middle decrypting everything that goes through them).
Using the Diceware technique for password generation gives you an effectively unbreakable (in sensible time) password that is easy to remember and
type.
http://world.std.com/~reinhold/diceware.html
[Edited on 31/3/10 by iank]
--
Never argue with an idiot. They drag you down to their level, then beat you with experience.
Anonymous
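A worked illustration of the Diceware method linked in the post above, added here as an example and not taken from the post or from the Diceware page: it rolls five dice with a CSPRNG, looks the result up in a wordlist, and compares the entropy of the resulting passphrase with that of a character password. The ten-entry wordlist is a constructed stand-in for the real 7776-word list (the rejection loop only exists because of that), and the function names are the example's own.

```python
import math
import secrets

# Constructed stand-in for the real Diceware list. A real list maps every one
# of the 7776 five-dice keys (11111 .. 66666) to a word; only a handful of
# entries are embedded here so the example runs offline.
DEMO_WORDLIST = {
    "11111": "a", "12345": "cleft", "13666": "cyan", "21211": "dove",
    "31542": "mango", "44444": "plot", "52362": "rust", "56111": "snail",
    "61616": "tire", "66666": "zurich",
}
FULL_LIST_SIZE = 6 ** 5  # 7776 entries in the real list


def roll_key(dice_per_word=5):
    """Roll five dice with a CSPRNG and return the key string, e.g. '31542'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice_per_word))


def pick_word(wordlist):
    """Roll until the key exists in the list. With the full 7776-entry list every
    roll hits, so this is a plain uniform pick; with the demo subset the
    rejection loop keeps the pick uniform over the words actually present."""
    while True:
        key = roll_key()
        if key in wordlist:
            return wordlist[key]


def passphrase(n_words, wordlist=DEMO_WORDLIST):
    """Join n independently rolled words with spaces."""
    return " ".join(pick_word(wordlist) for _ in range(n_words))


def entropy_bits(n_words, list_size=FULL_LIST_SIZE):
    """Each uniformly chosen word contributes log2(list_size) bits (~12.9 for 7776)."""
    return n_words * math.log2(list_size)


def char_password_bits(length, alphabet_size):
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size=FULL_LIST_SIZE):
    """Smallest number of Diceware words reaching a target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("passphrase (demo list):", passphrase(6))
    print("6 Diceware words:", round(entropy_bits(6), 1), "bits")
    print("8 random printable ASCII chars:", round(char_password_bits(8, 95), 1), "bits")
    print("words needed for 80 bits:", words_needed(80))
```

The entropy figures assume the words really are chosen by dice (or a CSPRNG) and that the attacker knows the list; a six-word phrase still beats a truly random 8-character password by about 25 bits, and any human-chosen "memorable" word gives far less than 12.9 bits.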
ironside, posted on 31/3/10 at 09:54 AM
quote: Originally posted by iank
I really wouldn't use the microsoft password checker. Using any 3rd party is just too risky as you are having to trust both Microsoft as a
company, all the unknown number of employees that worked on the system
You're right to be suspicious, putting your passwords into a third party site is not a good idea for the reasons you state, but the Microsoft
password checker is ok. The data is never sent to Microsoft, the passwords are checked on your own computer using JavaScript. Disconnect your network
connection and you'll see it still works.
quote: (I recently heard about a company selling boxes that claim to sit in the middle decrypting everything that goes through them).
That is possible if the end user ignores certificate authentication errors as the box in the middle would have to impersonate the secure site:
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
iank, posted on 31/3/10 at 10:14 AM
quote: Originally posted by ironside
quote: Originally posted by iank
I really wouldn't use the microsoft password checker. Using any 3rd party is just too risky as you are having to trust both Microsoft as a
company, all the unknown number of employees that worked on the system
You're right to be suspicious, putting your passwords into a third party site is not a good idea for the reasons you state, but the Microsoft
password checker is ok. The data is never sent to Microsoft, the passwords are checked on your own computer using JavaScript. Disconnect your network
connection and you'll see it still works.
quote: (I recently heard about a company selling boxes that claim to sit in the middle decrypting everything that goes through them).
That is possible if the end user ignores certificate authentication errors as the box in the middle would have to impersonate the secure site:
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
Actually all you need is a forged certificate; with hundreds of companies able to issue them it's not a stretch to believe anyone with enough
$$$ can get one if they want one. It's not like they are selling useless boxes, so someone's giving them out, maybe only to governments
right now but in the future...
http://www.wired.com/threatlevel/2010/03/packet-forensics/
--
Never argue with an idiot. They drag you down to their level, then beat you with experience.
Anonymous
Staple balls, posted on 31/3/10 at 01:04 PM
quote: Originally posted by David Jenkins
Just a reminder about passwords - very well written, I thought.
Lifehacker password guide
It made me think about the ones I use...
Some good advice in there, but it misses a few things.
The most noticeable one being the security question.
Never answer those with anything that makes sense, far too easy for someone to guess the answer, or find it out with a little poking around.
I generally tend to use the MD5 hash of one of my super insecure passwords to answer security questions. As such, my mother's maiden name,
hospital I was born in, and first pet's name is the catchy 362aa834837c647b6797d6fef4dd3e06. It's not a strong password (and nor is
the source) but it's a lot stronger than answering the question accurately, and shouldn't really need to be used that much.
Also, I'm not a great fan of using lots of passwords, because you start having to rely on software or bits of paper to keep track of them.
It's all well and good keeping your passwords encrypted in software, but if it's an 8 char dictionary word you use to secure it,
you've just given all your super secure passwords away for free.
Visual cues for passwords are bad, anyone sitting at your computer can look around the room and get decent hints. (which I'd bet is where the
writer got Mod3lTF0rd from)
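The MD5-as-security-answer idea in the post above, written out as an added example (not code from the post): md5_answer reproduces the scheme, crack_md5 shows why the answer is only as strong as its source when that source is a dictionary word, and derived_answer is an alternative, assumed here rather than taken from the thread, that derives a distinct HMAC-based answer per site and question from one master secret. The six-word dictionary is constructed for the demonstration.

```python
import hashlib
import hmac


def md5_answer(source):
    """The post's scheme: the MD5 hex digest of a (weak) source string."""
    return hashlib.md5(source.encode()).hexdigest()


# Constructed mini dictionary standing in for a cracker's wordlist.
DEMO_DICTIONARY = ["letmein", "password", "liverpool", "qwerty", "dragon", "monkey"]


def crack_md5(target_hex, dictionary):
    """Dictionary attack. An unsalted MD5 of a dictionary word is recovered at
    once, so if the hex answer ever leaks, anyone can recover the source
    password it was made from; the answer is exactly as strong as its source."""
    for word in dictionary:
        if hashlib.md5(word.encode()).hexdigest() == target_hex:
            return word
    return None


def derived_answer(master_secret, site, question, length=24):
    """Alternative (assumed, not from the thread): derive a distinct answer per
    site and question with HMAC-SHA256 keyed by a master secret. Leaking one
    answer reveals nothing about the others, and the value cannot be looked
    up in a precomputed table the way a bare MD5 of a common word can."""
    msg = f"{site}\n{question}".encode()
    return hmac.new(master_secret, msg, hashlib.sha256).hexdigest()[:length]


def verify_answer(master_secret, site, question, supplied):
    """Constant-time comparison of a supplied answer with the derived one."""
    expected = derived_answer(master_secret, site, question)
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    answer = md5_answer("liverpool")
    print("answer:", answer)
    print("recovered source:", crack_md5(answer, DEMO_DICTIONARY))
    print("bank:", derived_answer(b"long random master secret", "bank.example", "maiden name"))
    print("shop:", derived_answer(b"long random master secret", "shop.example", "maiden name"))
```

The HMAC variant still depends on keeping the master secret secret and long; its advantage over a single reused MD5 is that the answers for different sites are unrelated, so a breach at one site gives nothing usable elsewhere.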
TimEllershaw, posted on 31/3/10 at 02:12 PM
quote:
Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.
However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might
not be as well prepared. So those are the ones I'd work on.
Hands up who has used the same password on their favourite kit car forum and on their internet banking.
... errrr... actually, don't put your hand up... that would be a bad thing to do. Just hide under the desk and hope nobody notices you.
ironside, posted on 31/3/10 at 02:13 PM
quote: Originally posted by iank
Actually all you need is a forged certificate, with 100's of companies able to issue them it's not a stretch to believe anyone with enough
$$$ can get one if they want one. It's not like they are selling useless boxes so someone's giving them out, maybe only to governments
right now but in the future...
http://www.wired.com/threatlevel/2010/03/packet-forensics/
Wow, interesting article. You're absolutely right, if you can compromise a certificate authority you can do whatever you want with very little
chance of detection. But if you believe that's happened then you have to believe that potentially nothing is secure. Online banking, credit card
transactions in the shops, the lot. It wouldn't matter how complex your password was!
It's nice that Verisign and GoDaddy at least state that they've never issued a fake certificate. Hopefully any CA that is discovered to
have issued fakes is removed from the trusted list swiftly.
Just as an aside, if you control the client computer (say if you're in the IT department or you've written a trojan that has compromised a
PC) this type of hack would be trivial to do. You can force the client PC under your control to trust your own certificate authority, generate your
own certificate for whatever bank and carry out your man in the middle attack. Doddle.
Thanks Ian, now I will worry about more things. I guess mutual SSL authentication is the way to solve this, but as far as I know no mainstream online
banking site does this.
gottabedone, posted on 31/3/10 at 04:11 PM
Nothing new really guys!
Make your passwords 8 characters or more with letters, numbers and symbols. Liverpool or any other football team are always high on the list. Slang
is a good start, then swap numbers that are similar to letters etc.
As for more to worry about: worry about what you can change and leave the rest to someone else.
Pay for most of your purchases with your credit card and let them deal with any cloning or skimming. It happens and it's a pain but you won't be
out of pocket, especially if you regularly keep an eye on your statements.
Steve
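The "swap numbers for similar letters" advice in the post above, examined as an added example that is not part of the original post: the code enumerates the substitution, capitalisation and suffix variants of a base word the way a password cracker's mangling rules do, measures how many bits the mangling adds over guessing the base word, and recovers a constructed MD5 of a mangled football-team password by brute force. The substitution table, the suffix list and the two-word base list are assumptions for illustration.

```python
import hashlib
import itertools
import math

# Assumed substitution table: the swaps people actually make, which is exactly
# what a cracker's mangling rules enumerate.
LEET = {
    "a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "l": "l1", "t": "t7",
}
# Constructed suffix list; real rule sets carry hundreds of these.
SUFFIXES = ("", "1", "!", "123", "2010")


def leet_variants(word):
    """Every combination of the letter-for-symbol swaps for one base word."""
    choices = [LEET.get(c, c) for c in word.lower()]
    return {"".join(p) for p in itertools.product(*choices)}


def mangle(word, suffixes=("",)):
    """Leet swaps, optional initial capital, optional suffix: the candidate set
    a mangling rule set produces from a single base word."""
    out = set()
    for v in leet_variants(word):
        for cased in (v, v[0].upper() + v[1:]):
            for s in suffixes:
                out.add(cased + s)
    return out


def extra_bits(word, suffixes=("",)):
    """Bits the mangling adds on top of guessing the base word itself."""
    return math.log2(len(mangle(word, suffixes)))


def crack(target_md5_hex, base_words, suffixes):
    """Try every mangled form of every base word against an unsalted MD5."""
    for w in base_words:
        for cand in mangle(w, suffixes):
            if hashlib.md5(cand.encode()).hexdigest() == target_md5_hex:
                return cand
    return None


if __name__ == "__main__":
    print("leet variants of 'liverpool':", len(leet_variants("liverpool")))
    print("with capitalisation:", len(mangle("liverpool")), "candidates,",
          round(extra_bits("liverpool"), 2), "extra bits")
    print("with suffixes:", len(mangle("liverpool", SUFFIXES)), "candidates")
    # Constructed target: a "strong looking" 10-character team-name password.
    target = hashlib.md5(b"L1v3rp00l!").hexdigest()
    print("cracked:", crack(target, ["arsenal", "liverpool"], SUFFIXES))
```

Even with every swap, a capital and a suffix, the whole mangled space for one base word is a few hundred guesses, roughly 9 to 10 bits on top of the base word; a cracker that knows the team name is "high on the list" runs through that in a fraction of a second, so the digits and symbols add length but very little real entropy.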