04-16-2010 07:29 AM
I have witnessed a lot of unhappiness concerning password complexity requirements. I am starting this thread, hopefully, to lay most of it to rest.
Password complexity requirements are not in place so that you have to make a password you will never remember. Instead they are in place to ensure your safety and security. The reason behind the complexity requirements is that some 74.5% of all current passwords in the world are completely insecure. By insecure, I mean passwords that are part of any of the following criteria:
A) This is really the most common insecurity among passwords, a single word that can be found in the dictionary. The word may seem to be singular and unique to yourself, but it is not. The great majority of 'cracking' (password brute-forcing/guessing) programs start their process by trying words found in the common dictionary.
A sequence of numbers under 6 characters in length. After the said 'cracker' finishes with the dictionary, it then begins running numbers in sequence from 0 to 999999.
C) This one is probably the most over-looked password insecurity. It would be what I call the 'star identifier'. Alot of people assume that using famous people like for example, let's say John Elway, as a password meets the complexity requirements. Now, while using a password like 'broncos7' may seem secure, it is not. The people that write 'crackers' have caught on to this scheme, so after failing at the dictionary and integer based attacks, it will start trying 'star identifiers'. Using a 'star identifier' is never a good idea for a password.
D) This one is known simply as the 'god complex'. This one got its title by people literally using powerful symbols, such as 'god', as their passwords. Examples of such passwords are as follows: 'god','king','lord','master','jesus','man','#1','b
Now you may say "Well they should have people watching out for that." and you are completely correct, they do. However, these technicians are already busy trying to stop other 'crackers' from gaining access to the accounts of 200 other people that thought the exact same thing that you just did. Under that large of a workload the 'cracker' that is working your password may succeed. My point comes to be as such: why take the risk? Help yourself and help the technicians by opting for a more secure and unique password.
Thus the best passwords are built using these simple guidelines:
A) The password should never be part of something that can be identified with you (i.e. Your favorite sport.)
The password should never contain the names of loved ones.
C) The password should NEVER contain part of your name, address, phone number, etc...
D) The password should ALWAYS contain a symbol (i.e. !@#$%^&*()-+ [do please note however that '!' and '#' are the most common symbols used.]) whenever possible.
E) The password should ALWAYS be alphanumeric (containing a combonation of numbers and letters).
F) When possible, the password should be an average length of atleast 10 characters.
04-16-2010 11:02 PM
Good post. You should have a different password for every service or website that you use. You should not use the same password for multiple services because if someone gets your password for one site somehow, they could then use that password to access other services or sites of yours too. For example, lets assume that you use the same strong password for your Internet banking, your Comcast email, and your Facebook account. If someone was to hypothetically hack Facebook and steal a bunch of usernames and passwords, including yours, they would also have your password for your email and your online banking.
Remembering multiple strong passwords can be quite difficult. Remembering one really strong password, perhaps even a sentence with numbers and symbols, isn't too bad. If you can remember one really good password, perhaps you could look into using a password vault type application. There are several. Norton Security Suite has a browser plugin that stores usernames and passwords. I haven't used it myself, but I assume it uses a master password to keep other people from accessing your passwords. I personally use a free open source application called KeePass. It includes a password generator that can generate complex passwords using whatever criteria you specify. I have it set up so that you need my strong password (a sentence with symbols and numbers) and a key file to open it. You have to have both the file and the master password to open my password database. You can set it up to open with only a key file as well. Then you don't have to remember any passwords, you just need the key file to open the database. You could store the key file on your thumb drive for example. Inside the database is all of my accounts each with a different strong password. The database is also encrypted. The only password I have to remember is the one that opens the database (the master password). Another application that I've heard of is Roboform. Roboform has many of the same features as KeePass, and maybe some extras that KeePass doesn't. There is a free version of Roboform, but it has limitations. For more info, just search with your favorite search engine for KeePass, Roboform, Norton Identity Safe, or password manager. Whatever you use, be sure that it's legit. You don't want to enter your usernames and passwords into a program that turns around and sends all of the data across the web to the author of the application. That's why I like open source.
05-02-2010 07:09 PM
I realize this thread is a few weeks old. However, Lifehacker recently posted an article regarding what they refer to as Five Best Password Managers. Roboform and KeePass both made the list.
Here's a link to the article if anyone is interested.
05-03-2010 11:38 PM
Thanks to IGNOTUS for posting that link. This type of information should never be considered " too old to be useful ", at least not for months and months.
I re-formatted my computer last fall, and I found out ( here in this forum ) that I STILL had some malware slowing my system down, which the regulars helped me remove. Before that, I tried online scans from ESET, Windows Live One-Care, Kaspersky, and Trend Micro, and none of them found the malware.
I find it troubling, at the least, that there is malware that cannot be identified by the best programs we have, and can survive Re-Formatting ( probably was in a file I saved and re-installed ).
If using password managers / helpers can stop this from happening, I'm in favor.
©2011 Comcast | Investor Relations | Press Room | Corporate Blog | Privacy Statement | Visitor Agreement | Comcast.com Feedback | Site Map