How secure is your password?

[Griselda]

I read this New York Times article today, and I thought I'd post it as a friendly reminder. It seems that most people would trade their online passwords for a chocolate bar. You do have to register to read the article, but registration is free. You just have to come up with a good password first. ;)

-Griselda

[Chief Fruity]

I've let my best friend know one or two of my passwords over the years, but I trust him with my life. I would probably have taken the guy on the street corner up on his offer though, but with a fake password, as I think that most of those that did it did. But I think that it is better to have many different passwords than one long one that is hard to remember. I mean, I use 5 or 6 different passwords for all my things, so even if someone knew one or two of them, that would only allow access to about 1/3 of my things that are password protected.

[Taem]

Reminds me of some of the crap I get in the email. Seriously, I get emails claiming to be from Paypal and eBay with my REAL NAME on them, legit as heck looking backdrops, asking me to confirm my account information by clicking on the conveniently "provided" link and logging in. A quick click on properties tells me that these emails weren't sent from who they say they were, on top of the fact that these companies will never ask you for this kind of information! I can just imagine the poor people that get suckered into this seemingly honest facade of treachery.

What really upset me is that I'm currently helping my grandmother get some of her clothing consignment store on ebay, and that (those emails) is just the type of crap she'd fall for, allowing some jack-ass to ruin her life. It's just not cool! Really gets me mad actually.

[--Pete]

Hi,

It's like combo locks. A three digit el cheapo is fine for the gym locker, but for the office safe something a bit stouter is required.

My passwords for most online sites could (maybe) be guessed and are seldom what a computer security guy would call "secure" (although a dictionary or a reverse dictionary will not break them, brute force probably could). My passwords for online financial matters are way better.

And, of course, my password for WoW is the toughest of then all. One must have one's priorities :)

--Pete

[ShadowHM]

My passwords all do use names. Hence they could, I expect, be broken without too much trouble by someone who wanted to do so.

However, they are names that are not likely easily linked to me by anyone other than a very close family member.

I have turned my irritation with one of the facts of life for most North American women into a blessing for my passwords.

Most women lose their identity upon marriage. Just try and find an old classmate some day and see what happens. The surname is seldom the same as the one they were born with. Heck, it could have changed several times by now. :o And even if they did keep their surname, what chance that the phone will be listed in their own name? And then......what chance the children they bear will carry their birth surname?

Anyway, this disappearing act means that I can quite cheerfully use the full birth names of my grandmothers and great grandmothers as passwords that will not be terribly easy to guess, but are quite easy for me to recall quickly. I never have to write them down. The only trick, of course, is that I have to remember which grandma went with which account/system as a password. B)

[--Pete]

. . . but beware genealogists. :)

--Pete

[kandrathe]

I use ones like this ('jjIZpd&46u), random, 8-12 digits with all characters available. But in order to remember them all I also need to keep a PGP 2048 bit encrypted PW vault with a very long pass phrase. Some systems don't allow certain characters, so I adopt longer ones in that case.

Someday we will have one common digital signature that we can use everywhere.

[Griselda]

Someday we will have one common digital signature that we can use everywhere.

I hope not! If somebody finds my password due to a security flaw of a computer game I play (for example), I don't want them to be able to get into my banking information!

Something that annoys me are sites that put arbitrary restrictions on the passwords you can use. I think that it's a good idea to disallow dictionary words and require numerals, but when you have to have a password that's *exactly* 10 characters long, for example, must contain upper case letters, lower case letters, and numerals, and can't have more than 2-3 in a row of any of those, it becomes unlikely that you'll be able to use a password that you'll remember at that site.

I have no trouble remembering my computer passwords, but can't always remember which one I used for a particular site. So, I don't like getting locked out after 3 tries. Something like 10 would still prevent brute force, but help regular but forgetful users like me.

-Griselda

[Obi2Kenobi]

I have no trouble remembering my computer passwords, but can't always remember which one I used for a particular site. So, I don't like getting locked out after 3 tries. Something like 10 would still prevent brute force, but help regular but forgetful users like me.

Same here. At least, until I put them all into my Palm Pilot. :) Protected with the hardest to guess password of all, plus another one needed to power it on. Now how to remember those passwords? :)

[Haider]

but this doesn't mean the password would be a real, working one...
I think the people were simply more cunning than the researchers.

[kandrathe]

Well, I'm hoping it's tied to some very hard to mimic biometric measurement, like iris pattern.

[ShadowHM]

the downside is immense.

Just who would you want to have access to absolutely everything in your life?

Not just your banking information. Not just your game passwords. Your spending habits. Your telephone habits. Your recreation habits. What brand of toothpaste do you usually buy? Where do you purchase your gasoline and where is that you go on those Tuesday afternoons?

I don't ever want it to be possible for someone to be able to find out that much about me. And a single identifier mark that is the basis for all other movements in one's life is an all-too-easy step down that mudslide.

Yours in paranoia,
Shadow
(and now you know why I picked that username, eh?)

[T-hawk]

Here's what I think is the best way to keep track of passwords for online sites. Use a password that's somewhat obfuscated (immune to dictionary attacks), but because it's the only one you'll be using, it'll be easy to remember. Then, append a couple letters to the password depending on what the function is.

So suppose my base password is T-hawk7! . Then my Lurker Lounge password would be T-hawk7!ll , my American Express online password would be T-hawk7!ae , and so on. It can be further obfuscated, by something like adding one to each letter (like T-hawk7!mm for the Lounge).

I haven't forgotten an online password in years. I can use a site once, come back to it 3 years later, and still know my password within a couple tries -- but in a much more secure way than simply using the same password for everything. There's a tiny risk the system could be discovered, but I've never had any problem at all.

[kandrathe]

For me it depends on how it is implemented.

I'm a big fan of public/private key signature technology like PGP. I think one would subscribe to a trusted purveyor of the public side of the key, much as how SSL works now with companies like Thawte, or Verisign. The private side of the digital key would also need to be kept by you at a secure place. Your true identity would only be verified with a combination of your secret pass phrase, the private key, the public key and selected consistent biometric data that is easily scanned and not fakeable(eg. iris). It would be nice if you could use the same type of system in an electronic key fob so one would be able to use it in any door, or device.

Tracking or databasing electronic transactions is an entirely different problem. Frankly, I am more worried about the state of things now. Now it is very easy to forge an identity. Or, with very little information, assume one. Far too often even the experts, like Equifax, get peoples credit, and legal history information muddled together. I would rather that all my electronic transaction's identifiers pointed to a secure anonymous electronic "vault" that I owned, rather than the corporate constructed free for all it is now.

[Artega]

I use a single password for everything, and it's probably not hard to guess, though it's not obvious. I'm just asking to get h4xx0rz3d, I'm sure, but I don't really care. People are too paranoid, if you ask me.

[kandrathe]

Probably. I guess it depends on what you are risking. A replaceable set of DII chars, your Amazon books account, or your lifes savings and retirement accounts in e*trade.

[TaMeOlta]

:lol: I use a combination genetic imprint , DNA sampling , plus retinal scanning ........ I press my face against the screen , whilst drooling over my first cup of coffee and staring deeply into the monitor that controls me , feeding on my superhuman powers ......

[Lady Vashj]

I read this New York Times article today, and I thought I'd post it as a friendly reminder.  It seems that most people would trade their online passwords for a chocolate bar.   You do have to register to read the article, but registration is free.  You just have to come up with a good password first. ;)

-Griselda

How ironic that they want you to register before you can read it.

But since if I ever want to get into nytimes.com again, I'll just register anew, my username was WildEyedBanshee and my password was completely deranged.

Occasionally I can get an account password for a promise of 3 SOJ's and a Buri. Most of the time, I just get a dumb n00b to stop saying "GIME ITMZ PLZ".

[kandrathe]

Me too!!! And here I thought I was the only one. :P

[Chevalis]

I read this New York Times article today, and I thought I'd post it as a friendly reminder.  It seems that most people would trade their online passwords for a chocolate bar.  You do have to register to read the article, but registration is free.  You just have to come up with a good password first. ;)

-Griselda

Am I the only on that see the irony in the NY Times running an article about passwords and security? :rolleyes: