Password strength and security

[rmkrum]

I'm more worried about collateral damage to the AS if I don't aim just right...


Sent from my pocket Internet using Airstream Forums

[alano]

There's a bunch of good password managers out there. I especially like Dashlane since it can sync across different platforms (iPhone, Windows, Mac, etc.) and it works well. Many of the password managers will automatically generate random passwords using whatever combination of letters, numbers and symbols is required. Not only do these tools increase your security by allowing you to generate strong individual passwords for each site, they save time by completing login fields automatically.

[SilverGate]

Quote:

Originally Posted by alano

There's a bunch of good password managers out there. I especially like Dashlane since it can sync across different platforms (iPhone, Windows, Mac, etc.) and it works well. Many of the password managers will automatically generate random passwords using whatever combination of letters, numbers and symbols is required. Not only do these tools increase your security by allowing you to generate strong individual passwords for each site, they save time by completing login fields automatically.

Dashlane is included in CNET's report on the best password managers:

CNET Tech Minute: Best password managers

[SilverGate]

I was surprised to learn that current research indicates that I do not have to regularly or frequently change my password as long as it is a strong password*, not used on multiple websites, and has not been compromised (via malware, phishing, hacking, data breach, etc.)!

FTC Chief Technologist, Lorrie Cranor, in her article, "Time to rethink mandatory password changes," March 2, 2016, says, "there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases."

*Regarding a strong password, Lorrie says, "You can generally achieve pretty good security and reasonable usability with a password that is about 12 characters long and has 3 different "character classes" (uppercase, lowercase, digit, symbol). It is best for non-lowercase letters to be placed somewhere other than the beginning and end of the password." (From her comment under the article cited above).

Current thinking on when passwords should be changed:

1. You have a weak password.
2. You are using the same password on multiple websites.
3. Your password was compromised (see above).
4. If it makes you feel better!

[SilverGate]

Quote:

Originally Posted by rmkrum

Absolutely. Use a longish password that is hard to guess. It does not have to be random. A few different short English words strung together with numbers and a symbol is hard to guess. The trick is to make it as long as a site will put up with...

I made my living as a paid paranoid in the computer security end of the business. Still do.

Sent from my pocket Internet using Airstream Forums

Paranoid.. or reasonably concerned... A new, chilling documentary about the rise and acceleration of cyber-warfare opened today and sheds light on an issue that some do not want to talk about.

PBS NEWSHOUR covered this story last evening: "'Zero Days,' a detective story about the cyber warfare arms race."

Zero Days (2016)

[SilverGate]

A Washington Post story of August 11, 2016, "There's a new way to make strong passwords, and it's way easier," reports that a new standard is emerging for passwords, which emphasizes less complexity in favor of length.

Instead of a password that has an incomprehensible string of letters, numbers and symbols that are hard to remember, a unique passphrase that you make up can be harder for hackers to crack, while being easier to remember.

For example, the story says, "Passwords that once looked like this:
W@5hPo5t!, can now be this:mycatlikesreadinggarfieldinthewashingtonpost."

See the full article linked above or here!

[rmkrum]

Yup. Exactly. A long concatenation of upper and lowercase words plus a couple numbers and/or symbols if the system requires them is easier to remember and a lot harder to guess.

Had a friend that used a long line of poetry in Vietnamese to make his passwords. Uncrackable, easy for him to remember. He did type his password for quite a long time, but according to my logs, he never blew it.

The complexity of a password is not the key to its strength. The length and lack of repeats is the true measure.

CISSP hat on...I do this stuff for a living.


Sent from my pocket Internet using Airstream Forums

[SilverGate]

Quote:

Originally Posted by rmkrum

Yup. Exactly. A long concatenation of upper and lowercase words plus a couple numbers and/or symbols if the system requires them is easier to remember and a lot harder to guess.

Had a friend that used a long line of poetry in Vietnamese to make his passwords. Uncrackable, easy for him to remember. He did type his password for quite a long time, but according to my logs, he never blew it.

The complexity of a password is not the key to its strength. The length and lack of repeats is the true measure.

CISSP hat on...I do this stuff for a living.


Sent from my pocket Internet using Airstream Forums

Thanks, rmkrum, CISSP, for your note! (CISSP - Certified Information Systems Security Professional)

Edward Snowden says the best advice here is to shift your thinking from passwords to passphrases:

Edward Snowden on Passwords

[rmkrum]

Snowden is just another small part of the reasons I have lots of work to do...


Sent from my pocket Internet using Airstream Forums

[SilverGate]

Quote:

Originally Posted by rmkrum

Snowden is just another small part of the reasons I have lots of work to do...

Sent from my pocket Internet using Airstream Forums

Certified Information Systems Security Professionals will have additional work to do in regards to today's story in The Wall Street Journal:

"Hacker Reveals Personal Information for Almost 200 Democrats: Guccifer 2.0 says records stolen as part of breach of Democratic Congressional Campaign Committee."

Excerpt: "Hours after the information was posted online, an email list-serve run by the Democratic Caucus sent a notice to recipients informing them to 'change passwords to all email accounts that you use' and also to 'strongly consider changing your non-House email addresses if possible.'

It also told them to 'be extremely suspicious' before opening any emailed links or attachments and to consider changing passwords for banking accounts, among other things."


This underscores the importance of choosing a strong and unique password for each site.


(Listen to and see Edward Snowden's interview on passwords, post #28, page 2 of this thread.)

How to Choose a Password

[rmkrum]

The other serious issue in computing security is that it's not usually the computers.

It's the people who fail to follow the rules, click on darn near anything, choose passwords that are easily guessed, or just give away critical data to anybody that calls and sounds legitimate.

We won't get into the organizations that don't think security is even necessary and is too 'inconvenient'. They are the ones that fail to spend the money to do it right, then discover just how much it costs when a breach occurs.

Sadly, all of this silliness is predictable early on, and the folks in charge often fail to comprehend what their data is worth. I had a manager looking at my security update budget of a few hundred thousand dollars once, and he actually asked the right question:

"How much is our data really worth?"

My reply, "How much have we spent on our entire project to date?"

When he realized that number was in the billions, he got real pale, real quiet, and signed off on the budget real quick!

I guess money does talk real loud at times...


Sent from my pocket Internet using Airstream Forums