jerryc41 wrote:
When "Ask Leo" began this topic, I didn't expect three random words to make up a secure password, but I was wrong. For one thing, one word can have a lot of letters. "Constitution@hippopotamus#chrysantheum" You can capitalize random letters and put various characters between the words. You can also misspell words or spell them backwards. This could result in many trillions of combinations and be virtually impossible to break. Leo uses a password vault and twenty random characters for each password. Using fewer characters makes it easier for someone to hack your password.
Askleo.com/137138
But then I have a hard time remembering them without writing them down. Then they become more unsafe because it's written down. Ugh!
andesbill wrote:
I hadn’t heard the term social engineering before. I guess it replaces “conning” or “scamming”. Stupidity should cover it though.
I’ve had ID loss 4 times. Three through my credit card (2 of those at gas stations), 1 at a tourist center. The 4th one was online. I knew I made a stupid mistake immediately, and called my bank. I was made whole each time. Replacing the cards, and redoing the auto payments was a royal pain.
The problem with secure passwords is that they are impossible to remember, and need to be made up by a password program, which can then be hacked, and so on.
BTW, I solved the gas station credit card problem. I bought a Tesla. Not a cheap solution.
Yeah, it's a very wide gamut of techniques to "trick" or "convince" a victim to provide the threat actor with information. Most of the time the information that is being requested seems innocent enough, because people immediately protect their logon credentials, CC numbers, etc. But they are very quick to play those "fill in your top whatever" games on social media <<<<<< Social Engineering. It may seem like a game, but somebody started those kinds of lists to pair up information with users... that information is sometimes mysteriously close to our security questions we have to fill out.
As far as password complexity... I mentioned it in my first response in this thread, but this blog from National Institute of Technology (NIST) explains in a somewhat more digestible form how you can make easy passwords that are complex enough to defeat pretty much all cracking (brute force, rainbow tables, bare word) attempts.
For instance, if I were to create a new password for this forum, I would associate it with cameras and use something like (not my actual password):
information!exposure!community!photography
or
information exposure community photography
or
information#exposure!community@photography
All have the same level of entropy, they are very easy to remember, and contain three special characters (spaces are considered special).
Here is the blog (it only took them 10 years to catch up with the rest of us in the security community):
https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-p5w0rd
Cheers!
Tony
Today I opened a new online banking account, I always use the same password: "cabbage". It's easy to remember. But it seems the computer had other plans...
Please enter your new password:
"cabbage"
Sorry, the password must be 8 or more characters.
"boiled cabbage"
Sorry, the password must contain 1 numerical character.
"1 boiled cabbage"
Sorry, the password cannot have blank spaces.
"50bloodyboiledcabbages"
Sorry, the password must contain at least one upper case character.
"50BLOODYboiledcabbages"
Sorry, the password cannot use more than one upper case character consecutively.
"50BloodyBoiledCabbagesShovedUpYourArse,IfYouDon'tGiveMeAccessnow"
Sorry, the password cannot contain punctuation.
"ReallyPissedOff50BloodyBoiledCabbagesShovedUpYourArseIfYouDontGiveMeAccessnow"
Sorry, that password is already in use!
jerryc41 wrote:
When "Ask Leo" began this topic, I didn't expect three random words to make up a secure password, but I was wrong. For one thing, one word can have a lot of letters. "Constitution@hippopotamus#chrysantheum" You can capitalize random letters and put various characters between the words. You can also misspell words or spell them backwards. This could result in many trillions of combinations and be virtually impossible to break. Leo uses a password vault and twenty random characters for each password. Using fewer characters makes it easier for someone to hack your password.
Askleo.com/137138
Why not just use 20 random characters?
The value of the three random words is that you might remember them.
If you are using a password manager, there is no need to remember them.
badapple wrote:
I use the last eight digits of pi.
Since pi is a transcendental number with infinite digits, it would be a bad choice but unhackable.
If in my computer there are no credit card numbers, no bank account numbers or any other sensitive info why should I care if my password has been hacked?
Yep.. length is really the only important password characteristic these days… followed by making sure you have both cases, numbers, and symbols included. 3 word passwords with a couple upper case, couple numbers, and a couple of symbols… although the numbers can be the same digit and the same symbol used twice and it makes no meaningful difference. Much easier to type actual words… and since once you get over 17 characters the only useful cracking method is brute force try every possible combination, the fact that the individual words are in the dictionary doesn’t matter.
neillaubenthal wrote:
Yep.. length is really the only important password characteristic these days… followed by making sure you have both cases, numbers, and symbols included. 3 word passwords with a couple upper case, couple numbers, and a couple of symbols… although the numbers can be the same digit and the same symbol used twice and it makes no meaningful difference. Much easier to type actual words… and since once you get over 17 characters the only useful cracking method is brute force try every possible combination, the fact that the individual words are in the dictionary doesn’t matter.
That's not an entirely accurate statement. I posted the link twice in this thread on how that mentality in the computer security field has changed. Entropy does not care as much about randomization, numbers, or case usage. Bare word passphrases with a single special character (including space) are very strong.
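As an added example (not code from any poster in this thread), here is a small Python script that scores the passphrases Tony listed earlier under the two guessing models the thread is arguing about: an attacker who guesses whole words from a known word list, versus one who brute-forces character by character. The Diceware list size of 7776 words, the printable-ASCII alphabet sizes and the 10^12 guesses-per-second rate are assumptions for illustration.

```python
import math
import string

# Assumptions (constructed for this example, not from the thread):
DICEWARE_WORDS = 7776                        # size of the Diceware word list
SPECIALS = set(string.punctuation) | {" "}   # space counts as a special char


def word_model_bits(num_words, dict_size=DICEWARE_WORDS, separators=0, sep_choices=1):
    """Entropy if the attacker guesses whole words from a known list.

    A separator only adds entropy when it is chosen independently per slot;
    the same '!' between every word contributes log2(1) = 0 bits.
    """
    return num_words * math.log2(dict_size) + separators * math.log2(sep_choices)


def charset_size(password):
    """Alphabet a character-by-character brute force would have to cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)                # 32 punctuation marks + space = 33
    return size


def char_model_bits(password):
    """Entropy if the attacker treats the string as random characters."""
    return len(password) * math.log2(charset_size(password))


def effective_bits(password, num_words, dict_size=DICEWARE_WORDS):
    """The attacker picks the cheaper model, so the lower bound is what counts."""
    return min(word_model_bits(num_words, dict_size), char_model_bits(password))


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Time to search the whole space at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # The three variants from the thread: same four words, different separators.
    for pw in ("information!exposure!community!photography",
               "information exposure community photography",
               "information#exposure!community@photography"):
        print(f"{pw!r}: words={word_model_bits(4):.1f} bits, "
              f"chars={char_model_bits(pw):.1f} bits, effective={effective_bits(pw, 4):.1f} bits")
    print(f"20 random printable characters: {20 * math.log2(95):.1f} bits")
```

The three variants all come out the same under the word model (about 51.7 bits), which is the strength an attacker who knows the word list actually faces; the character model's ~247 bits only applies if they do not.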
Brian in Whitby wrote:
Why not just use 20 random characters?
The value of the three random words is that you might remember them.
If you are using a password manager, there is no need to remember them.
Because you won't always have access to a password manager, or the password database gets corrupted, zombies invade and eat hard drives? I mean, it does happen.
One of my words is seven months safe. Of course, that would depend on the computer being used and how desperate they are to get into my library account.
No shortage of unique identifiers if you string a few words together.
I was recently exposed to an app called What Three Words that has a three (random) word address for every square block on earth. It worked better than a GPS coordinate for way-finding in an absolutely featureless desert in Nevada when we were navigating around Burning Man. Of course, you do have to have been there before to know the three word address, or have someone else tell it to you, but for finding your way home it is great.
pyroManiac wrote:
If in my computer there are no credit card numbers, no bank account numbers or any other sensitive info why should I care if my password has been hacked?
Yes I've found photo forums that insist my password must be 10 characters or more and contain caps, lowercase, numbers & special characters... WHY? The worst that can happen is someone misrepresents me to people I've never met - the requirements for my paypal password are much simpler.
If a password is too complicated I will forget it (I access the net on multiple computers so need to enter it afresh several times)