[Macworld]

Post your comments for What you don't know about passwords might hurt you here

[hagen]

Wow, what a load of crock. Why not just use the 'longer but less-complex password' solution you list at the bottom? Length is THE significant factor in preventing password cracking than using strange characters.

The majority of password problems these days (as you pointed out) are not people breaking down your password via brute methods, but breaking into a company and stealing everyone's passwords.

Oh, no wait. That means my password for linkedin needs to be picked out of the millions (you did say millions) of released passwords. Hmm. A very slim chance there.

Oh and you better use the on-line centralized versions of those password programs (yours does have one don't they?) if you use multiple computers or public computers when you're on a holiday. Assuming you can now remember that super-long simple phrase password that you could be using for everything else. But what happens when dropbox gets hacked? Oops, sorry. Oh and you're still vulnerable with ANY password used if a site like linkedin gets hacked. Theoretically they can't use that password to get into other sites if yo've been using a centralized password program.

Oh but you'd be wrong there too: if they can get personal info from the hacked account, they can now start using it to phone your other companies and use those facts to prove it is you. So all that personal info and data you've been putting in a centralized place out in the web? Oops.

In short, anything on-line is at risk. The actual chance of you getting hacked is tiny tiny (still not nice if it happens). And the likelihood is driven more by your own personal habits (storing personal info on-line) than it is by the security of your passwords.

[bastion]

The broad message here is fine, but a couple of the specific assertions are bogus.

"However, it’s very hard for a human to create a truly random password, but it’s easy for a computer to do."

Both halves of that are false. Strictly speaking, today's computers are incapable of generating "truly random" values. Contrarily, all a human has to do is close their eyes, then poke and mash on the keyboard several times as the mood suits them. In light of that, the claim that, "[a]nd that’s for passwords randomly generated by a computer. Passwords you create by hand must almost always be longer to have the equivalent strength," is obviously false. The strength of a password is entirely about the collection of characters. It doesn't matter how that collection was generated.

One addition: Every copy of Mac OS X installed includes a utility that can generate and securely store (but not auto-enter) passwords. Keychain Access is an eminently reasonable first step.

[worksafe]

We all know that they get paid to prop up different programs that might advertise at MacWorld so you always take these articles with a grain of salt.

[Kennethfcooper]

bastion, glad you are on the job. I have a question for you: Years ago the company, for which I worked, had a policy of making you wait five minutes to re-enter a password, if you had tried three times unsuccessfully. This was intended to defeat brute force attacks. I don't see this approach used, even by banks. I am wondering it that means it is ineffective. Do you know of a way around this strategy that makes it not useful? - thanks

[Stargazer]

So the moral here it to use an unrelated password for each site. So if passwords are hacked from one site, the hacker will not be able to use the password to access any of your other sites.

[d00d]

Quote

bastion, glad you are on the job. I have a question for you: Years ago the company, for which I worked, had a policy of making you wait five minutes to re-enter a password, if you had tried three times unsuccessfully. This was intended to defeat brute force attacks. I don't see this approach used, even by banks. I am wondering it that means it is ineffective. Do you know of a way around this strategy that makes it not useful? - thanks

It's highly effective for brute force attacks. That said, I would hope most online services would lock out an IP that submits login attempts at an unhuman rate.

[Kennethfcooper]

Quote

bastion, glad you are on the job... - It's highly effective for brute force attacks. That said, I would hope most online services would lock out an IP that submits login attempts at an unhuman rate.

It seems like an obvious precaution to me, but then why are we talking about brute force attacks?

[fjpoblam]

All this is well and good until you run into stoopid limits imposed by the password-involved website. One was Microsoft. Their article on strong passwords gives an example "strong" password longer than 16 characters, and I *used to* have one for my hotmail account. But whan they recently "modernized" hotmail, they imposed the limit of 16 characters for the password length. Worse yet, one of our other connections imposes a limit of, not only eight characters, but also, upper/lower case and numbers (no special characters), *beginning with upper*! Entirely stoopid.

[sirmarcos]

http://xkcd.com/936/ Why not just go this route; four random dictionary words. Length is the key thing. Also, how many breaches come from guessing the password and how many come from socially engineering the password reset process (i.e. what happened to @mat)? I mean, obviously don't pick 123456, and minimizing if not eliminating password reuse is a good idea. But passwords that are RE#$@alec2! that no one can remember are dumb (unless you want to spring for 1password)

[Stewsburntmonkey]

Kennethfcooper, on 27 November 2012 - 06:34 AM, said:

bastion, glad you are on the job. I have a question for you: Years ago the company, for which I worked, had a policy of making you wait five minutes to re-enter a password, if you had tried three times unsuccessfully. This was intended to defeat brute force attacks. I don't see this approach used, even by banks. I am wondering it that means it is ineffective. Do you know of a way around this strategy that makes it not useful? - thanks

A lot of places still use some variant of this, Google starts requiring a captcha as well as password after a certain number of failed attempts (and probably escalates beyond that if there continue to be failures). The limit of three has changed as people realize it catches a lot of legitimate users out (which then leads to more tech support calls and costs). A higher limit is pretty much equally effective against brute force attacks so many places use higher limits which people will rarely hit. Likewise, hackers rarely target individuals in this manner and instead go for social engineering or work to attain user information in bulk since it is a lot easer to hack a list of thousands or millions of passwords than just one.

[Arygaetu]

[kirkworld]

[kirkworld]