
7 steps to stronger, more secure passwords

29 Comments
By ANICK JESDANUN

The requested article has expired, and is no longer available. Any related articles, and user comments are shown below.

© Copyright 2014 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

©2024 GPlusMedia Inc.


1st Major Step to a strong password... don't be lazy and make it easy. Beyond that I think you can figure out what a "difficult" password might be... common sense.

-1 ( +0 / -1 )

A string of asterisks seems to be a popular password, I see that all the time.

4 ( +5 / -1 )

One of the best passwords is old street addresses with the post code. It's something easy to remember and contains upper and lower case letters and numbers.

-2 ( +2 / -4 )

Doesn't matter how strong your passwords are if they are on a server that's been hacked then they will still get stolen.

The people who maintain large databases of people's data and passwords need better ways to secure their servers from attack.

Russian hackers are notorious for hacking into secure databases.

3 ( +3 / -0 )

Isn't a long pass-phrase naturally stronger than a pass-word? I can type "runyoucleverboy-andremember" faster than "rycbar1234". It's dictionary words, but wins by sheer length alone.

http://xkcd.com/936/

0 ( +0 / -0 )

I calculated on an average day, accessing company and home computers, intranets and business websites, WiFi and BB routers, news and social media websites, some online banking and shopping, and a number of forums, I used around 120 User IDs and passwords. Changing passwords on a regular basis and on multiple devices becomes challenging...and then there is the ATM!

0 ( +0 / -0 )

@MissingCylonModel I believe that one has been debunked now. And besides, who remembers passwords? I have a machine to do that for me. Do people here also wash their dishes and clothes by hand?

-4 ( +0 / -4 )

I use Dashlane to manage my passwords - works well on all devices, etc. They just intro'd a great feature letting you designate someone (or many people) to have access to your account if you are incapacitated, in jail or gone from the world. I do use a very old phone number (when I was 5) as the basis for most of PWs and then add punctuation, letters and caps, most are 10+ characters long but I can remember most of them and have Dashlane to back me up.

0 ( +0 / -0 )

Agree that most password thefts are due to hacking servers, but we in Japan have an advantage: Use an obscure Japanese word with a corresponding number, such as "kusaya938".

0 ( +0 / -0 )

"Doesn't matter how strong your passwords are if they are on a server that's been hacked then they will still get stolen."

Assuming the passwords are stored in a hashed format (a kind of encryption), the stolen passwords are of no use to the thieves until they can determine the real passwords corresponding to the hashed version. And that's why strong passwords are important. Different methods can be employed by thieves to determine the passwords. One method is to use pre-compiled tables, and to limit your vulnerability to this approach, an obscure password is better. More recently, it is thought that brute force attacks are more common, and in this case the length of the password is more important. So long and obscure is probably best, but such passwords are harder to remember. So you might want to use one of the password storage systems that others have mentioned. But if you don't like trusting your passwords to a third-party method, you can probably devise your own storage system. For example, write the passwords on post-it notes or wherever, but leave out a part that is common to all the passwords. So if you have two passwords, "QkplT9!xxxxxhTtreaclek" and "UJ54kkkFe2;Hgr5treacleS", you would write down "QkplT9!xxxxxhTk" and "UJ54kkkFe2;Hgr5S". Not perfect, but better than pass123.

0 ( +0 / -0 )

Look up "leet", n0085 (no, I don't really speak this way but it's good for passwords).

Also, combine it with nonsense but easy-to-remember sentences, and better yet, mix the word order making it even harder to crack.

0 ( +0 / -0 )

The most secure password has to be 1234567. I mean, who would ever use that, lol.

-2 ( +0 / -2 )

MissingCylonModel, Aug. 10, 2014 - 11:26AM JST: "isn't a long pass-phrase naturally stronger than a pass-word? I can type "runyoucleverboy-andremember" faster than "rycbar1234". it's dictionary words, but wins by sheer length alone. http://xkcd.com/936/"

You and xkcd are right, this article is ever so wrong.

Brute force attacks (trying random combinations) are not common, and don't work for the following reasons:

A 4 digit numerical code is 1000 combinations (10 to the power of 4). A 4 letter password could be more than a trillion possible combinations (26 letters to the power of 4)... and that's just a simple lower-case, no special characters 4 letter password. Assuming the hacker has root access to the machine (wait, let me stop to laugh hysterically here, because if they had root access they really wouldn't need passwords to do stuff to your account) then it would still take about 5 days to crack your password (assuming they didn't have a super-computer, just a few regular computers slaved together). But that's highly unlikely because...

Systems administrators aren't COMPLETE idiots. They'd notice someone running thousands of queries a minute on a single account and even if they had root access it would slow everything down and it would raise warning flags. It would also kick in anti-DOS (denial of service) software, which is software that automatically stops someone outside the system flooding the system with requests.

So yeah, brute-force attacks don't work.

How do hackers get passwords? Well three ways really:

A. You don't update your computer software. Older versions have security holes that are exploited. The solution? Update your software regularly. Avast free anti-virus has a cool feature that checks if your software is up to date (but it only automatically updates on the paid version, so you still have to click on the item and update it).

B. You open spam mail, you visit websites without a good anti-virus (contrary to popular belief the number 1 source of computer viruses is not porn sites, it is poorly maintained community sites, like your church bulletin boards, etc. because these sites cannot afford a full-time system administrator - porn sites are businesses and can definitely afford a full-time systems administrator). The solution? Install a good anti-virus and for heaven's sake when it gives you a warning DO NOT click "ignore" or "I trust this site".

C. Good old-fashioned con work. It could take the form of emails, phone calls, or just some visitor to your workplace noting the passwords stuck to your desk. This is how most major hacks happen, someone is a little too trusting. Be smart, keep your passwords in your head. DO NOT use things like "password wallet" or other apps that store your password, it is putting all your eggs in one basket and that really isn't bright.

As for choosing passwords, choose about a dozen, things that you'll never forget, like the name of that elementary school teacher you had a crush on and your class (e.g. Ms.Wallace2B), or your first car's name (Clapped-out1982VWGolf), etc.

Easy to remember, difficult to guess, nearly impossible to brute force.

Oh, and the number 1 way people find out your passwords? They watch for the confused expression of someone trying to remember an insanely difficult long random password, then they just watch your fingers as you struggle to type it, fail, and then they get another 2 or 3 chances to get the characters they missed the first time.

A password you find easy to type is probably your best defence against it being stolen. If it is easy to remember, flows easily from the fingertips then "IhadsuchacrushonNatasha" is a much better password than "1(30?,*//=9dkz".

2 ( +2 / -0 )

"Doesn't matter how strong your passwords are if they are on a server that's been hacked then they will still get stolen."

Most of the time that isn't true. Most sites these days will hash the password before storing it in the database. Hashing is a one-way process that cannot be reversed, unlike encryption which can be reversed with a key. Because passwords are hashed, even if someone breaks into the server, they cannot use the password, since it is scrambled. When you log in, the system will hash the password you enter and compare it to the hashed password on the server to see if they are the same.

This means that if the hacked server is storing passwords in a hashed format, as many/most do, you don't have to worry about them finding your password as it will be in unusable format.

0 ( +0 / -0 )

@Frungy

Sorry, but I think your comment is only touching a small part of the problem and has little to do with passwords. You're describing attacks on a user's computer or aimed at the user themselves. This is a serious problem, but not really relevant to the issue of passwords.

The most serious way that passwords are revealed is through the theft of data files from companies that store our passwords. This may be by hacking, by loose security or errors by the company concerned, or by an insider leaking the data. There is nothing that individual users can do to prevent this, and our only defense is strong passwords and the hope that the companies store these passwords in a secure way. (Using a salted hash, preferably.)

-1 ( +0 / -1 )

Generally passwords have gotten insecure and are easy to break, so the best way to choose a strong password is to find out how they are broken. The usual attack model is the offline attack, and crackers who combine from and use different dictionaries. So forget that, including the outdated XKCD scheme for generating passwords. Unfortunately anything that can be remembered can be cracked. Therefore if you want your password to be hard to guess, choose something the Schneier scheme process will miss. Take a sentence and turn it into a password. Combine a personally memorable sentence with some personally memorable tricks to modify the sentence into a password to create a lengthy password. However, the site has to accept all the non-alpha-numeric characters and a long password, otherwise it's much harder. But even better is to use or combine random, personally unmemorable alpha-numeric passwords with symbols and a password manager to create and store them. Last of all, consider using two-factor authentication if offered by the site.

0 ( +0 / -0 )

Albaleo - I'm afraid you misunderstand how major corporations store passwords. Are you familiar with the concept of a "checksum"? It's a check that the total number of packets sent is the same as the total received. They don't need to know what is in the packets, just that they got the right number.

Passwords aren't stored. Instead they store a kind of checksum. The process is known as hashing. Let's say your password is "Dog". A super simple hashing process (no site uses anything this simple) would be to assign a number to each letter, so D=4 o=15 and g=7 and your password has a total of 36.

All the website stores is 36. When you type in your password it checks that it totals the right thing and you're in. Now the example I gave is way too simple, but the result is kind of like if I took an English sentence and used Google Translate to translate it into Japanese then Chinese then Korean then Russian then back into English and asked you what the original sentence was. Doing the translations one way is easy. Undoing them to find the original (without knowing it) is nearly impossible. Even with a Rosetta Stone (one password where they knew the result and the original) it is still nearly impossible.

So hackers do not get passwords from corporate websites. Instead they get a mess of numbers that bear some relationship to the original password.

Several other posters have made reference to hashing, but it seems you were not familiar with the practice.

1 ( +1 / -0 )

@Frungy - Nice simple explanation of checksums. True point about databases not storing actual passwords, but one-way (hopefully) translations of the password. The actual password is necessary to check against the hash.

Note now that once the hackers get their hands on a list of hashed passwords, they can use dictionary methods to find out the originals. Don't need to contact the server and risk being caught.

1 ( +1 / -0 )

Missing - Yeah, they could, but all they actually need is any combination that produces the right hashed result. So using my example they could use God instead of Dog since they both total the same amount. They won't necessarily get your password. At best they'd get a list of possible passwords.

-1 ( +0 / -1 )

"l they actually need is any combination the produces the right hashed result. So using my example the could use God instead of Dog since they both total the same amount."

Hashing, using sha1 or md5 (the most common hashing methods) is nearly unique. The potential exists for duplicates (collisions), but the odds are extremely small. While your example using dog and god would produce the same checksum by the rules you showed, finding two passwords that produced the same hash would be extremely unlikely, if not impossible.

0 ( +0 / -0 )

Frungy

I'm familiar with hashing. I referred to it in both of my posts above.

"So using my example the could use God instead of Dog since they both total the same amount."

But your example is not how hashes are actually calculated. "Dog" and "God" will have quite different hashes. Using php's built-in "crypt" function, and using a random salt, the hashes would look something like the following:

God = ybWKn5e/nIa4PBX5oPHjvKspsvcXewYbSetpNEZuTg2

Dog = OY35/8gLCl7FmjBsZF9TVtnAgHMEWFMc6x.rLXWY4P8

As MissingCyclone says, when the hackers have obtained a list of such hashes, they can start doing a brute force dictionary attack against the list. And weak passwords will be discovered easily.

0 ( +0 / -0 )
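The hashing points made across this thread (the letter-sum "checksum" where Dog and God collide, the login check that re-hashes what you type and compares, salted hashes giving different values per user, and the offline pre-compiled table attack that salting defeats), shown in one added Python example that is not from any poster; the function names, the PBKDF2 iteration count and the small password list are my own assumptions:

```python
import hashlib
import hmac
import os

# Toy "checksum" from the thread: add up letter positions (a=1 ... z=26).
# Addition is commutative, so any anagram collides: "Dog" and "God" are equal.
def letter_sum(word: str) -> int:
    return sum(ord(c) - ord("a") + 1 for c in word.lower())

# A real cryptographic hash: reordering the letters changes the whole digest,
# and finding two different inputs with the same digest is not practical.
def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# The "pre-compiled table" an attacker builds once, offline, against UNSALTED
# hashes: digest -> plaintext. The word list below is a constructed sample.
COMMON_PASSWORDS = ["pass123", "1234567", "password", "letmein"]

def precomputed_table(wordlist):
    return {sha256_hex(w): w for w in wordlist}

def lookup_unsalted(hex_digest, table):
    return table.get(hex_digest)  # None when the digest is not in the table

# Defender-side storage as the thread recommends ("salted hash preferably"):
# a random 16-byte salt per user plus a deliberately slow PBKDF2. The stored
# record is (salt, iterations, digest); the password itself is never kept.
ITERATIONS = 100_000  # assumed value for illustration

def make_record(password: str, salt: bytes = b""):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, ITERATIONS, digest

# Login: re-derive from what the user typed and compare in constant time.
def verify(password: str, record) -> bool:
    salt, iters, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, stored)

# Why the salt matters: the same password yields a different digest for every
# user, so one precomputed table cannot be reused against a stolen list.
def salted_digests_differ(password: str) -> bool:
    _, _, d1 = make_record(password)
    _, _, d2 = make_record(password)
    return d1 != d2
```

Note that the salted digest of "pass123" never appears in the precomputed table even though the plain SHA-256 of "pass123" does; only a long or unusual password stays out of such a table on an unsalted system.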

Albaleo - I used a simple example because it shows the principle, however a friend of mine who's an international expert on computer security (he works for the biggest banks and does scary stuff like quantum encryption) told me that there's a degree of ambiguity in hashing solutions precisely so that they cannot be reverse engineered precisely. At best (using a good algorithm) the hacker should get a range of solutions that satisfy that account's hashing criteria, not an actual definite password.

Of course not every system uses good hashing algorithms, many are generic or even open source, but even then the solution should be ambiguous.

0 ( +0 / -0 )

My password always seems to be ** no matter what I type! Lol!

0 ( +0 / -0 )

@Frungy

This is probably not the best place to continue discussions about hashing algorithms. I made my original post in response to some suggestions that a strong password wasn't important in a situation where a password file had been obtained by criminals. I wanted to make the point that this was exactly the situation where strong passwords matter. I'm sure your friend will agree with that.

0 ( +0 / -0 )

"there's a degree of ambiguity in hashing solutions precisely so that they cannot be reverse engineered precisely."

Hashes are not supposed to be able to be reverse engineered at all. They are one-way. The md5 hashing method has been shown to be reverse-engineerable, but only with ridiculous amounts of computing power.

1 ( +1 / -0 )

About how passwords are stored in databases:

http://www.wimp.com/knowpassword/

0 ( +0 / -0 )
