Password Methodology



  On 20/05/2019 at 10:21, Sir Topham Hatt said:

How do you guys choose passwords? 

 

After someone mentioning about LastPass on here, I decided to give it a go. I'm a complete convert!

 

Although most of my low security passwords are the same, does anyone have any sort of pattern with theirs?

 

For example, do you use the name of the site within the password like neowin.netPassword123 for example?

 

Just interested.


I used to just use various combinations of two or three passwords, which had different symbols and what have you. But I've converted to using KeePass and storing the database file locally and on the cloud, with a daily sync. I remember the master password and let KeePass do the rest. If I need a new password, I use the auto-generator feature built into KeePass to create a long, obscure password. Easy enough in my opinion.

For personal stuff, I use a set of passwords... one for trash, one for low security, medium, high, and some in between. Email passwords are unique. I change them all except trash every 6 months. They are based on sets of motifs (one used to be radio station call signs and one is always 3 or 4 character randomly selected gibberish) and use capitals, lowercase, punctuation, and numbers (including sometimes replacing letters with 1337 and punctuation, and changing letters into words) and end up being fairly long. I also have extensions of a few characters for important passwords like my remote servers so those are always unique. They all end up looking fairly random.

 

I also frequently use different passwords and rarely store passwords on my mobile devices, including my Surface if I travel with it, even though it is password locked itself. I only have one email account on my phone (I don't use my phone much anyway). I suppose my PC is pretty vulnerable if people got to it, but I probably have bigger problems if that is the case.

 

This is a nice balance of being able to remember them all and being secure. I know that having generated passwords is more secure, but it is both inconvenient when using a lot of devices and makes you totally reliant on one tool that, if ever gets compromised or lost, leaves you helpless. IMO, not being reliant on a program is part of security.

 

The only place I have one written down is in my sealed will in case I die, for convenience, though I do use LastPass for most regular sites. I cringe that a lot of my family has little notebooks next to their computers listing every site and (crappy) password, but they never listen to me and use a secure program.

 

I do think that I replaced the ability to remember phone numbers with my ability to remember passwords, though. I barely remember my phone number. If I lose my wallet and phone I'm pretty screwed.

When it comes to password security, it's not about character length. It's about tokens. I'll define a token as a character or group of characters that may form part of a password cracker's guesses.

 

Tokens may include:

- Words found in the dictionary

- Site info, like the name or URL

- Personal info, like names, dates, locations, etc.

- Any other well-known word or phrase (e.g. movie titles or quotes)

- Any of the above that is modified in a very common way (e.g. "N30w1n")

- Any password that has ever been seen before by hackers in the wild (e.g. stolen in one of the many data breaches)

- Any password you have ever used before in your life (or portion of it)

- Any combination of characters that form a logical pattern (e.g. even numbers, every second letter in the alphabet, etc.)

- Any combination of characters that form a physical pattern on the keyboard (e.g. "qwerty", "qazwsxedcrfvtgb", "!@#$%^&()_+" etc)

 

The more complex and random the password is, the harder it will be to crack. And you have to set the bar pretty high because you don't know how securely your password is being stored on the remote site (actually, your password hash.. unless they are utterly incompetent and are storing the whole passwords). So figure a motivated cracker could make perhaps one billion guesses per second (both higher and lower are possible).

 

To make a guess, a cracker will use these tokens, and combinations of these tokens, to form each guess. Brute-force checking of every combination of characters is simply not done, except for very short numbers and/or certain types of characters/patterns. So, as one example, they will try not just "tokentoken", but also "tokentoken0000" through "tokentoken9999". And "token0000token" through "token9999token". And so on.

 

The best way to keep your passwords safe is to use a password manager and have it randomly generate long passwords for you (LastPass, KeePass, etc.). This is what I do. There are plenty of apps that will even type the passwords for you when you go to sign in. If, however, you think you may have to remember your password or type it in, then there are other techniques you can use.

 

To make a password memorable:

- Start with a long nonsense sentence, and then sprinkle some special characters, repetitions, and numbers into it randomly (e.g. "My cat really likes to attack my arms" becomes "myCATTTr##llylikestoatt$$ackMYarms")

- Create a nonsense sentence using special characters as words based on what the characters remind you of. For example, start with something like "I jumped and threw the 4 balls at the wall" and turn it into "(o)^&threwthe4(())s@the|".  (o)=eye, ^=jumped, (())=ball, etc. Even better, you can make the sentence(s) longer, but use only the first letter of the words (for words you aren't representing with symbols).

 

To make a password random, but easy to type:

- Generate random passwords (15+ letters), but group it to aid in typing (e.g. "MQPYEepvyrDEGPL"). Even if the attacker somehow knows the pattern of capital and non-capital letters, there are still 26^15 = 1,677,259,342,285,725,925,376 permutations of letters. That's over 50,000 years at one billion guesses per second to get through them all. Add a few numbers and special characters (making the password longer) if required.

 

Once you have your amazing new password, never use it (or any part of it) on more than one site. No matter how good it is, sometimes sites themselves mess up (e.g. Google just announced some passwords were stored in plaintext for a time). 10 similar passwords on 10 sites means 10x the chance that all 10 of your accounts are going to be compromised. Even losing control of a seemingly unimportant account could be cause for concern. For example, you probably wouldn't want anyone to consider, even for a brief moment, that you might be responsible for whatever bad/illegal thing the attacker does while logged into your account. Just something to think about.

 

Incidentally, "correcthorsebatterystaple" (from the xkcd comic) is made up of 4 common words. Figure 3000 common words in English. 3000^4 = 81,000,000,000,000 permutations. That's about 22.5 hours at one billion guesses per second to find all 4-word passwords made of common English words. This is why using only a handful of common words in your passwords is an absolutely terrible idea.

Edited by ShadeOfBlue
  On 20/05/2019 at 16:15, shockz said:

Do tell how I'd copy and paste a password from my phone to a computer?


You don't. You either install the password manager extension in your browser on your desktop or log into your vault on the desktop. The only pain point is if you are on a public computer but then you have a long list of other security concerns anyway. 

  On 20/05/2019 at 11:00, InsaneNutter said:

Let your password manager generate something totally random for you.

 

All my passwords are totally random like this: Ma^Ce@JZ}dZGA7+GnFg:ruI~1x3g19DhwxqRBp*jUn1i!E%Jeb and are unique to every website.


I do this too

 

let last pass generate...

 

alternatively look around you....make simple nonsensical phrases, more words the better.

 

7purple&chimichanga!nipples

 

let me know how long to brute force that one.  

 

https://www.grc.com/haystack.htm

 

It is 27 characters long, but quite easy to remember.... The key is pass phrases, not pass words. The variable is password length... hackers generally don't know it, brute force systems don't know it... You would have to mix up every word in the dictionary without knowing how many combinations of words or combinations of combinations of spellings of words utilizing every possible replacement. It is pretty secure due to the character length and unknown random characters even if they are placed at the beginning/ending of words.... To really screw them up, put a random character in the middle of a word.
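ShadeOfBlue's post works out 26^15 random letters and 3000^4 common words at a billion guesses per second, and the post above asks how long "7purple&chimichanga!nipples" would take under the grc.com haystack view. The calculator below, an added example rather than code from the thread or from grc.com, puts both attacker models side by side: the guess rate and 3000-word dictionary are the thread's own figures, the 32-symbol punctuation set and the "3 words, 1 digit, 2 symbols" token split of the passphrase are assumptions.

```python
"""Keyspace and time-to-exhaust estimates for two attacker models:
brute force over an alphabet (the grc.com "haystack" view) and the
token model from this thread (dictionary words + digits + symbols).
Constructed example; figures marked as assumptions are not from the thread."""
from math import log2

GUESSES_PER_SECOND = 1_000_000_000   # thread's "one billion guesses per second"
SECONDS_PER_YEAR = 365.25 * 86400
COMMON_WORDS = 3000                   # thread's "figure 3000 common words"


def brute_force_keyspace(length: int, alphabet_size: int) -> int:
    """Haystack model: every string of exactly `length` symbols is a guess."""
    return alphabet_size ** length


def token_keyspace(words: int, dictionary_size: int = COMMON_WORDS,
                   digit_slots: int = 0, symbol_slots: int = 0,
                   symbol_set: int = 32) -> int:
    """Token model: words, single digits and single symbols concatenated.
    Slot order is assumed known, so this is a lower bound on the guesses
    needed (symbol_set=32 printable punctuation marks is an assumption)."""
    return (dictionary_size ** words) * (10 ** digit_slots) * (symbol_set ** symbol_slots)


def bits(keyspace: int) -> float:
    """Entropy-equivalent size: log2 of the number of candidate guesses."""
    return log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    return keyspace / rate


def describe(keyspace: int) -> str:
    """Time to try every candidate at GUESSES_PER_SECOND, human-readable."""
    secs = seconds_to_exhaust(keyspace)
    if secs < 48 * 3600:
        return f"{secs / 3600:.1f} hours"
    if secs < 2 * SECONDS_PER_YEAR:
        return f"{secs / 86400:.1f} days"
    return f"{secs / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    print("15 random letters (26^15):", describe(brute_force_keyspace(15, 26)))
    print("4 common words (3000^4)  :", describe(token_keyspace(4)))
    # "7purple&chimichanga!nipples": 27 printable-ASCII characters as a haystack...
    print("passphrase as 95^27      :", describe(brute_force_keyspace(27, 95)))
    # ...versus the same string modelled as 3 words + 1 digit + 2 symbols.
    print("passphrase as tokens     :", describe(token_keyspace(3, digit_slots=1, symbol_slots=2)))
```

The gap between the last two lines is the point of ShadeOfBlue's post: a haystack calculator measures how a password looks, while the token model measures how a cracker actually searches for it.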

 
