Poor Security

[Pete]

This is a rant about password security or lack thereof with various services lately.

 

The other day I got an email saying that Cryptic had had their password database compromised (anyone therefore with a Star Trek Online account might want to consider changing their password, even though Cryptic no longer ahve anything to do with the game) and then today it turns out my UK hosting company has had its systems compromised.

 

I'll stress now that the latter has no link to StrategyCore as this is on far superior US hosting (UK and European hosting really sucks in terms of service and value for money). but it still annoys me as even though they've likely only accessed encrypted versions of passwords they can still decrypt them given enough time.

 

As I do rather a lot on the web this means I have to change my password in at least 20 places. Yes, I know that I shouldn't use the same password everywhere, but I have trouble remembering more than 2-3 at a time and some services will lock your account after a couple of failed attempts.

 

Oh well. I'll be sure to make a list of the services I need to change for next time as this time I'm just searching through my email inbox for the word "password" in an effort to make sure I've got them all

[FullAuto]

Is there yet a solution to the conundrum of having 20 different secure passwords? I currently compromise, having about a dozen ludicrously easy ones.

[Pete]

I just try to remember one difficult one usually - less chance they're going to crack it by brute force i.e. dumping loads of words into the password field and getting lucky.

[FullAuto]

I saw an app that was like a password safe. It struck me as being a good idea, in theory. The practicality of it was not something I cared to test myself.

[Pete]

We use KeePass at work which is rather good. Perhaps I should use it for my own stuff too.

[Sgt. Strike]

Your best bet is to use a password at least 6 letters with at least one number replacing a letter. This prevents brute force from getting your password. Let me post an example here. Password is easy to guess, easy for a brute force, etc. to find. Now, Passw0rd is much different and won't be easily guessed. P@ssw0rd is even harder. I actually, on some of my accounts, use a phrase. Sometimes there is a number for a space, sometimes just the phrase itself. And you can cycle through passwords as well. You don't need that many passwords, just about a total of ten things, and you can vary them from each use.

[Pete]

I aim for 10 or more as the length as with each additional character you decrease the chance of someone guessin it or a script from cracking it (more permutations).

 

I have 4 uppercase and 2 lowercase letters as well as 4 digits and a symbol just for good measure in a reasonably random order that I can remember (various initials, a memorable date that's not a birthday etc etc).

 

It just falls down when website's databases get hacked as they have your email address and encrypted password locally then and can just throw computing power at it until it works out the password.

[Kret]

Call me paranoid, but I like password length to be in between 12 and 16 chars long. I dislike using mixed case since I'm prone to mistyping passwords that involve toggle keys (Shift, Caps Lock, Alt Gr), but I do add numbers and symbols that don't require suck keys.

 

Also, to avoid my passwords being built from subconscious preferences I use this password generator. Set it up with your preferences, have it generate some passwords and choose the ones you're comfortable with.

 

One thing that people need to stop using is the "Remember Password" option used in any site or app since forcing yourself to retype the password actually helps you memorize it. In fact, sometimes I don't actually remember the password myself, but somehow, my fingers just know what sequence of movements they need to do to type the right keys.

 

Oh, and as a nice anecdote: at my work place, most people remember their passwords because of having to type them, but seldom actually remember their username since they rarely need to type it in.

[Bomb Bloke]

I prefer to choose words I don't know how to spell.

[Sgt. Strike]

The thing is, anymore, what's "secured" and what isn't, is, for most things, a matter of time. True hackers aren't out to be malicious, but information seeking. And getting into, and out of, places without tripping any security.