Monday, January 16, 2017

Don't want to get hacked?

Don't use "123456" as a password:
The security industry's ongoing efforts to educate users about strong passwords appear to be for naught, with a new study finding the most popular passwords last year were 123456 and 123456789.
Keeper Security wonks perused breached data dumps for the most popular passwords when they made the despondent discovery. 
Some 1.7 million accounts used the password "123456", or 17 per cent of the 10 million hacked accounts the firm studied.
Dad used to say that the reason that history repeats itself is that nobody listens the first time.

You want a good password that's hard to crack and easy to remember?  Use a "passphrase" where you take the first letter of each word in an easy-to-remember sentence.  For example, if you take the first character of each word in "123456 is a lousy password and will get you PWNED!" you get a password of "1ialpawgyP!" which is pretty dang strong.  It's also pretty easy to remember.

Me, I haven't used a password in over 15 years.  Instead, I use this technique and I recommend it to anyone who thinks that "123456" is a bad password.
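As an added example (not the post's own code), here is the first-character rule from above in Python, with a check against the kind of length, character-class and "is it in a breached dump" rules the comments go on to mention. The breached-password set and the policy thresholds are constructed assumptions for the demo.

```python
import re
import string

# Constructed sample of the breached-dump favourites named in the post; a real
# check would compare against a full, locally stored breached-password list.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "qazwsx"}


def passphrase_to_password(sentence: str) -> str:
    """Derive a password from a memorable sentence the way the post does:
    the first character of each word, keeping any punctuation that ends the
    sentence so the symbol survives into the password."""
    words = sentence.split()
    if not words:
        return ""
    password = "".join(word[0] for word in words)
    # Keep trailing punctuation (the '!' of "PWNED!") as the final character.
    trailing = re.search(r"[^\w\s]+$", sentence)
    if trailing:
        password += trailing.group(0)
    return password


def character_classes(password: str) -> set:
    """Return which of the four usual character classes the password uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_policy(password: str, min_length: int = 10, min_classes: int = 3) -> list:
    """Return the reasons a password fails a typical policy; empty means it passes."""
    problems = []
    if password in COMMON_PASSWORDS:
        problems.append("appears in breached-dump top list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


if __name__ == "__main__":
    derived = passphrase_to_password("123456 is a lousy password and will get you PWNED!")
    print(derived, check_policy(derived) or "OK")
    print("123456", check_policy("123456"))
```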

13 comments:

JayNola said...

http://xkcd.com/936/

I find this method to be fairly useful. Especially with a certain organization that requires a 15+ character passcode.

Divemedic said...

The problem that I, and most people have, is that many systems, especially employers, require you to change your password every 90 days. Do that times the hundreds of things for which we need passwords, and it gets hard to remember all of the phrases. So what do many people do? They cheat by using stupid passwords or by repeating passwords on all of their systems.

What I finally wound up doing was buying a password organizer. I use last pass. Now the only password I need to remember is for the organizer, which I can change as I see fit. All of my other passwords are randomly generated and stored by the app.

Old NFO said...

I use a keystroke sequence from my 'previous' life, and no two things with the same p/w. All I need for a cue is the first character. Maybe not ideal, but it works for me and gets me 16 characters... sigh

matism said...

You do understand, Divemedic, that password manager most likely provides backdoor access to the Feds upon demand (no warrant needed) and that not all Feds are angels? Which means that backdoor has been sold more than once to outside parties as well...

SiGraybeard said...

A pet peeve of mine is systems that limit your choice of characters, so that they weaken your password. I go to the effort to make up a good hard password and can't use it.

Divemedic said...

1. If the Feds want it, they can get it all directly from the websites. Why do they need my passwords?

2. Lastpass doesn't have the passwords. They are stored as an encrypted file on Lastpass' servers. No one there has access to the file. This is why, if you lose your password, you are SOL.

3. Anything that I don't want anyone else (the government, for example) to see, I don't put on a computer.

ccbpc said...

Just curious, is it wrong to use an automated password generator to create 15 character passwords then store those passwords in an encrypted text file on a flash drive?

thesouthtexaspistolero said...

Is it wrong to use an automated password generator to create 15 character passwords then store those passwords in an encrypted text file on a flash drive?

That's not a bad idea, but if you're using it in an enterprise environment you want to run that by your IT department first, as using non-company flash drives on computers connected to the company network might be considered a security risk per policy.

abnormalist said...

"So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!" - Dark Helmet, Spaceballs 1987

abnormalist said...

One thing I used to do in a place that required strong security is I used three or four words from the ingredients list from a can of Mt Dew. Never a shortage in an IT environment, and when I had to change passwords, I just had to recall the first word and the rest were pretty easy. Toss a 1! on the end to get past the strong text requirements.

I gave up the dew a few years back, but a good example is
"PhosphoricAcid,NaturalFlavors,CAFFEINE1!" and it would make for one hell of a secure password

Feather Blade said...

I like doing alphanumeric substitutions on a random phrase from the Vulgate or Koine Greek Bible.

jon spencer said...

I use a short sort of a sentence about pictures that are nearby.
One of my old passwords from a picture on a books shelf was, "ThreeguysaQueen&2hats.".
You can use about anything that is nearby to compose a password and usually all one has to do is look at the object to remember the password.

Rick C said...

The password hacker guys know about correct horse battery staple. Don't use a password made up of words. Borepatch's "first letter of each word in a sentence" is better.

Don't use patterns on your keyboard, like qazwsx, either. They know about that, too.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/3/

Pay special attention to page three, which specifically references that XKCD, and mentions recovering passwords like "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014."