Privacy, Government, Surveillance, and You.

speedyboris Since: Feb, 2010
#3301: Jan 20th 2015 at 7:42:25 AM

[up][up]And they never change their bad passwords, either. There's another saying about passwords: "They're like underwear; change them often."

DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#3302: Jan 20th 2015 at 7:42:44 AM

Heh. I use that for stupid sites that shouldn't need a password at all, like applying for a job somewhere. What, is someone going to use my application account to show up to an interview pretending to be me? Since there are a lot of sites like that, I'm not surprised it's a common one.

The truth is that password security is not the most important issue with regard to internet security anymore. Viruses and trojans are far more important. After that I would rank not putting your bank account, social security or other numbers online. I would put passwords third.

"We learn from history that we do not learn from history."
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#3303: Jan 20th 2015 at 7:44:18 AM

[up][up] Actually, no, changing passwords often is one of those security myths that everyone has bought into.

It's far better that you use a complex password that you can remember, and that can't be brute forced or social engineered, than that you change them every 90 days or whatever. The latter leads to you using easy-to-hack passwords, or doing the worst thing of all: writing them down.

Security experts have demonstrated that a password consisting of four dictionary words separated by spaces is orders of magnitude more secure than "8-10 characters, a mix of upper and lower case, with a digit and a symbol". The best part is that you can remember the damn thing without having to write it down.

[up] This is also correct: brute forcing passwords is not a thing that most hackers do these days, except for the obvious "most common" ones. They look for security flaws in software and hardware or simply employ social engineering tricks like phishing your password or figuring out your mother's maiden name from your public Facebook profile.

edited 20th Jan '15 7:47:10 AM by Fighteer

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Quag15 Since: Mar, 2012
#3304: Jan 20th 2015 at 7:48:21 AM

"writing them down."

So, if I keep them in a document that is under a completely different name, it will or has already been hacked at some point?

Granted, the passwords I have written are for stuff which I don't use often (which means I could easily forget them), and are for stuff that's not essential. Still...

DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#3305: Jan 20th 2015 at 7:53:28 AM

When I'm accessing a site that actually matters to me, like my email account, I use a password that consists of the first letter of every word in a sentence.

"We learn from history that we do not learn from history."
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#3306: Jan 20th 2015 at 7:55:27 AM

[up][up]Let's put it this way: if your computer ever gets stolen or cracked, the first thing the hackers will do after installing their malware is to search for any file that might contain a listing of passwords. Hiding it as something that sounds innocuous will only slow them down by a few minutes at most.

[up] I use a code based on titles. More I shall not say; the point is that it can't be brute-forced but I can easily remember it.

Edit: Of course, my employer's password rotation policy means that I cannot use that any more because I stop being able to remember them. It defeats the basic idea.

edited 20th Jan '15 8:03:00 AM by Fighteer

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Quag15 Since: Mar, 2012
#3307: Jan 20th 2015 at 8:03:37 AM

[up]Ok, I'll delete that one or move it to a USB pen or something.

Is using the titles of songs (which are not world-wide famous, btw) good for passwords?

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#3308: Jan 20th 2015 at 8:10:44 AM

Sure, as long as the generated passwords are reasonably complex: 8-10 characters using mixed letters, numbers, and symbols; or 15+ using a string of words.

The important elements are that the password cannot be guessed by using a dictionary or brute-force attack, that it is not obvious from browsing your social media profile (like your child's name and DOB, for example), and that you can easily remember it so you don't have to write it down.

edited 20th Jan '15 8:11:07 AM by Fighteer

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Quag15 Since: Mar, 2012
#3309: Jan 20th 2015 at 8:14:14 AM

[up]My passwords fit those criteria. Thank you.[tup]

DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#3310: Jan 20th 2015 at 8:34:26 AM

I have three complex passwords that I've been rotating between for about ten years.

"We learn from history that we do not learn from history."
Zendervai Visiting from the Hoag Galaxy from St. Catharines Since: Oct, 2009 Relationship Status: Wishing you were here
Visiting from the Hoag Galaxy
#3311: Jan 20th 2015 at 8:40:18 AM

I use elements from the stuff I write, which means it usually looks like complete gibberish to most people.

Not Three Laws compliant.
speedyboris Since: Feb, 2010
#3312: Jan 20th 2015 at 8:40:21 AM

@ Fighteer: Well yes, strong passwords are more important than changing bad passwords often. Let me put it this way: Say a website gets hacked, and the usernames/passwords are in the hacker's possession. The hacker starts going through the accounts and using people's passwords to do random crap (say, ordering them items they didn't purchase). Wouldn't it be smart for the legitimate user to change their password so that when the hacker goes to use it, it doesn't work because it's out of date?

Real life example: When eBay was hacked, eBay emailed all users to inform them to immediately change their passwords so the hackers couldn't use the stolen ones.

edited 20th Jan '15 8:42:45 AM by speedyboris

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#3313: Jan 20th 2015 at 8:47:10 AM

[up] That makes a number of assumptions. First, users cannot control the security of sites that they do business with, so it's generally a bad idea to reuse the same password for a lot of sites. That most people do it is something that generates shrugs from security experts. If you have 100 accounts on various sites, are you going to generate and remember 100 different passwords? No human being is capable of that, never mind if you have to create new ones every couple of months.

Second, if a hack occurs, you'll generally find out about it one of two ways: you notice signs of identity theft, or the site in question reveals the data breach. In the former case, there are well-established principles for how to deal with it, and in the latter case, you should change your passwords once you find out. Otherwise, there's little you can do about it aside from taking your business away from sites that use poor security practices.

Basically, you want to control the risks that are in your power to deal with, and mitigate the risks that you can't control. Your passwords are in your control, so you want to follow the guidelines I set out above. The security of sites that you visit is not under your control, and changing your passwords is only a minor stumbling block to a hacker who already has access to one of those systems, so your best defense is to avoid excessive reuse and make sure to change passwords immediately if/when a breach is exposed.

You can also use password vaults that generate a unique, complex password for every site that you visit. That's by far the most secure from that perspective, since you can't get phished for a password that you don't know. Of course, the problem is that you don't know the passwords, so if your vault gets corrupted, hacked, lost, or suffers a hardware failure, you're up shit creek.

edited 20th Jan '15 8:49:14 AM by Fighteer

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
speedyboris Since: Feb, 2010
#3314: Jan 20th 2015 at 8:52:03 AM

"First, users cannot control the security of sites that they do business with, so it's generally a bad idea to reuse the same password for a lot of sites."

I never said you should re-use the same password across tons of sites. That's also a bad idea, as if you're hacked in one place, you're screwed.

edited 20th Jan '15 8:54:09 AM by speedyboris

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#3315: Jan 20th 2015 at 8:54:22 AM

Did you read the rest of my post? Who's going to be able to remember every password they used if they have to create a new one for each site? The "best practice" is ignored by 99 percent of people because it's impossible to apply in reality.

I have a couple of passwords that I rotate for "low security", "medium security", and "high security" sites. Most forums, for example, get one of my low security passwords because a breach there is not serious.

edited 20th Jan '15 8:55:32 AM by Fighteer

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
speedyboris Since: Feb, 2010
#3316: Jan 20th 2015 at 9:21:02 AM

Yes, I read the rest of your post. I just disagree with it. Your argument is that no human being can possibly memorize dozens of unique passwords for the sites they visit. That's a valid point, but there are ways to get around that. Write down a memory jogger for each password, for example.

Having only two or three passwords that you never change, even if they're really "strong" passwords, is not smart. Even if it requires more mental effort, it's a much better idea to have unique passwords for every site you visit. That way, the damage is minimized if you're hacked at one site. They can't use that one password to unlock all of your important accounts.

And changing passwords often is smart because, as we've seen in the news for the last couple years, corporations often wait for weeks, even months, after a hack actually took place, before informing the public of it. So all that time, you're potentially vulnerable to whatever malicious stuff the hackers want to do, whether it be draining your bank account or committing identity theft. Why wait until you notice or are told there is a problem to change your password? Be proactive. Make it harder for the hackers.

edited 20th Jan '15 9:24:33 AM by speedyboris

DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#3317: Jan 20th 2015 at 11:09:57 AM

You're investing a lot of time and effort into something that isn't your greatest vulnerability. You're marginally safer if you have 100 passwords than, say, two. But the diminishing rate of returns kicks in. You would be better off taking the same amount of time and learning about data encryption instead.

"We learn from history that we do not learn from history."
Pykrete NOT THE BEES from Viridian Forest Since: Sep, 2009
NOT THE BEES
#3318: Jan 20th 2015 at 11:44:15 AM

Yeah I rotate between two passwords depending on how severe the need for security is. Neither of them are words, acronyms, or anything — they're both complete alphanumeric gibberish.

Really, people? You're still using 123456 as a password? Or "password"? Do you -want- to be hacked? Clearly you do.

"password" is probably artificially inflated in its representation, as it's often used in isolated intranet test machines that have to be constructed on the fly under weird configurations as testing demands. Stupidly, and they really should be using an internal password, but it's a thing that happens every once in a while.

There's no excuse for 123456 though. There's a reason Spaceballs made fun of that shit.

edited 20th Jan '15 11:48:42 AM by Pykrete

MarqFJA The Cosmopolitan Fictioneer from Deserts of the Middle East (Before Recorded History) Relationship Status: Anime is my true love
The Cosmopolitan Fictioneer
#3319: Jan 20th 2015 at 1:49:07 PM

Since we're talking password security, does anyone else here use LastPass for randomized password generation and secure storage?

Fiat iustitia, et pereat mundus.
Krieger22 Causing freakouts over sourcing since 2018 from Malaysia Since: Mar, 2014 Relationship Status: I'm in love with my car
Causing freakouts over sourcing since 2018
#3320: Jan 20th 2015 at 4:29:58 PM

I do, although I rarely use the password generation feature, as it always gravitated towards the "secure but hard to remember" type of password. For someone who's on mobile a lot and doesn't have LastPass Premium, it can be a hindrance. I usually make up a password and then audit it there. Those I've come up with get rated as "good" or "excellent" for now.

I have disagreed with her a lot, but comparing her to republicans and propagandists of dictatorships is really low. - An idiot
DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#3321: Jan 20th 2015 at 4:35:20 PM

Be your own password generator, that way no one can hack the online service and steal them. "Two good boys were invited to the party, one was left behind": 2gbwi2tp1wlb

No one will ever hack that.

"We learn from history that we do not learn from history."
LeGarcon Blowout soon fellow Stalker from Skadovsk Since: Aug, 2013 Relationship Status: Gay for Big Boss
Blowout soon fellow Stalker
#3322: Jan 20th 2015 at 4:38:48 PM

I use the same password for everything. It's fairly random and personal so I'll remember it, but it's personal enough that literally nobody else would know it.

Of course I'm not very concerned about my identity being stolen or anything. What are they gonna do? Get a loan with my negative credit? Steal all the $3.47 from my bank account?

Oh really when?
DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#3323: Jan 20th 2015 at 4:43:29 PM

You should protect your email and bank account info, because even though you may have little to lose, someone might use your identity to commit a crime, and victimize someone else.

"We learn from history that we do not learn from history."
Uchuujinsan Since: Oct, 2009
#3324: Jan 21st 2015 at 5:44:37 AM

About password security... I think it's important to know the common attack vectors. Everything online has a login delay, so for accounts over the internet dictionary attacks are useless. Any uncommon single word is in general sufficient. It needs to be uncommon, as attacks on the username (using the same simple password and trying to find a user who chose that) are feasible. Last time I checked I got around 50 login attempts per day to the administrator account (unfortunately this one needs to be accessible that way) of a server I administrate. I'm not worried.

Online accounts have a second vulnerability, which is password reuse. If you use a password on both low and high security websites, the low security ones can be compromised and the username/password combination is often tried out on more important sites. Password reuse is dangerous! (Anyone who knows what he's doing will store user passwords as salted hashes; unfortunately, many sites don't try to do that.)

The last issue is encrypted archives/encrypted communication. This is basically the only situation where the high entropy of a password is actually relevant, as such archives or communication can be attacked offline (no delay on attempts). It's not really a common situation (apart from automated encryption like https, the user doesn't have to bother with that).

The most common attack is social engineering, basically bypassing the technical protection altogether and getting the user to do something stupid and reveal their password. Trojans, fake websites, etc.

Another possible attack is using 0-day exploits to install a trojan, but as good 0-day exploits can be sold for $100,000+, this is only of concern for really high value targets.

In summary: Use moderately complex/uncommon passwords, don't reuse passwords too often (or only reuse them for not important stuff) and don't get fooled by social engineering attacks. Highly complex passwords are only relevant for offline encryption.

Pour y voir clair, il suffit souvent de changer la direction de son regard www.xkcd.com/386/
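The online-versus-offline distinction this post draws, together with the four-words-versus-8-10-characters comparison in #3303 above, worked as an added example (not code from any poster): it computes the entropy of each style assuming every word or character is chosen uniformly at random, which hand-picked passwords rarely achieve, and divides by constructed attacker rates that are assumptions, not measurements.

```python
import math

# Constructed attacker models, guesses per second (assumptions, not measurements):
ONLINE_THROTTLED = 10.0      # a login that rate limits to about ten attempts per second
OFFLINE_FAST_HASH = 1.0e10   # leaked unsalted fast hash, GPU cracking rig (order of magnitude)
OFFLINE_SLOW_HASH = 1.0e4    # leaked salted slow-KDF hash (order of magnitude)

SECONDS_PER_YEAR = 365.25 * 86400.0


def entropy_bits_words(word_count: int, list_size: int) -> float:
    """Bits of entropy in word_count words chosen uniformly from a list_size-word list."""
    return word_count * math.log2(list_size)


def entropy_bits_chars(length: int, alphabet_size: int) -> float:
    """Bits of entropy in length characters chosen uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly chosen secret: on average half the space is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def crack_time_years() -> dict:
    """Expected years to crack each password style under each attacker model."""
    styles = {
        "4 words, 7776-word list": entropy_bits_words(4, 7776),  # diceware-sized word list
        "8 printable chars": entropy_bits_chars(8, 94),          # printable ASCII
        "10 printable chars": entropy_bits_chars(10, 94),
    }
    attackers = {
        "online throttled": ONLINE_THROTTLED,
        "offline fast hash": OFFLINE_FAST_HASH,
        "offline slow hash": OFFLINE_SLOW_HASH,
    }
    return {
        style: {name: expected_crack_seconds(bits, rate) / SECONDS_PER_YEAR
                for name, rate in attackers.items()}
        for style, bits in styles.items()
    }


if __name__ == "__main__":
    for style, row in crack_time_years().items():
        print(style)
        for attacker, years in row.items():
            print(f"  {attacker:18s} {years:12.3g} years")
```

With these parameters, roughly 52 bits (either four random words or eight random printable characters) holds for millions of years against the throttled login but only days against a leaked fast hash; the slow salted KDF multiplies the offline cost by a million, which is what the "salted hashes" remark in the post buys.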
Pykrete NOT THE BEES from Viridian Forest Since: Sep, 2009
NOT THE BEES
#3325: Jan 21st 2015 at 2:28:48 PM

I expect we'll be seeing more proper salt-hashing of passwords in the near future as recent grads start advancing up to their workplaces' backbone code. CS classes these days tend to teach that sophomore year, along with what happens when you don't (Adobe, which is generally a convenient example for all kinds of stupidity).

That said, social engineering seems to have all but replaced conventional attacks. You'll still get the occasional big one like Heartbleed, but for the most part, we've already passed the point where cracking security just isn't worth the effort. Hackers, like any of us programmers, are cheap, lazy bastards. They can spend months tediously running break-in suites and examining dinosaur code in unsafe languages for the few remaining unchecked string overflows just to attack a small handful of sites. But chances are they'd rather phone your grandpa and tell him he has a virus and needs to install their ransomware, or pay a disgruntled Sony Pictures layoff to give them admin access to the company.

At this point, things like the NSA coercing devs to insert backdoors or physically ganking your machine out of delivery to install a rootkit are probably a bigger hazard than conventional virus attacks.

edited 21st Jan '15 2:29:50 PM by Pykrete
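The salted hashing that both this post and #3324 above call for, as an added example (not code from any poster): a fast unsalted hash beside a per-user random salt with a deliberately slow key derivation; the record format and the scrypt cost parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: an assumption for this example; tune upward for production.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def weak_hash(password: str) -> str:
    """The storage pattern the posts warn against: one fast, unsalted hash.
    Equal passwords give equal digests, so a leaked table exposes every user who
    shares a password, and one precomputed table serves against all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _derive(password: str, salt: bytes) -> bytes:
    """Memory-hard, deliberately slow derivation; the cost is what slows offline guessing."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash packed as 'scrypt$<salt hex>$<hash hex>' (a constructed format).
    A fresh random salt per user makes identical passwords produce different records."""
    if salt is None:
        salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time; malformed records fail."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    try:
        salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    # Constructed demo: two users who happened to choose the same passphrase.
    phrase = "correct horse battery staple"
    alice, bob = make_record(phrase), make_record(phrase)
    print("unsalted digests equal:", weak_hash(phrase) == weak_hash(phrase))  # True
    print("salted records equal:  ", alice == bob)                           # False
    print("verify alice:", verify(phrase, alice))                            # True
```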
