
View Full Version : Personal venting.. ugh.. passwords..



AdamAvenali
05-06-2009, 07:30 PM
hey all,

well, I am thoroughly frustrated with the internet haha I have signed up for many sites, everything from forums to shopping, etc. and every one involves some type of password. now, it appears the new thing is the "strength" of your password. I went from having a simple password that I could remember to having to add capital letters, lower case letters, numbers and a symbol.. seriously? I'm all for privacy and everything, but it would be a lot easier if all sites would allow all characters. I make a password for one place that has all of the above and want to use it somewhere else but that site doesn't allow symbols.. so now I have a list of sites and passwords and I hate having that kind of information written down. what do you all do to keep track? I was thinking of making a spreadsheet and some sort of encrypting, but I would have to learn that because I know nothing of it haha sorry for the vent.

adam

Hopper
05-06-2009, 07:41 PM
Well, password 'strength' is nothing new. It's just that sites are now figuring out that people are lazy and put in 'convenient' passwords which then leads to accounts getting hacked which then requires more support and hassle for the vendor. It's actually cost effective for them and better for you. I know keeping passwords can be a pain but you should simply get used to it. If you are using the same password for multiple sites, you shouldn't. It's just common sense. A standard dictionary hack will break about 85% of web site passwords. And believe me .. it's soooooooo easy to do. I used to do it for a living (on the right side of the law that is - military contracts).

If you feel more comfortable using the same password, then use a derivation of it for each site using the site name for part of the password. That way you will always know what your password is, yet it will be different for every site.

jaf
05-06-2009, 07:48 PM
I use Roboform which I purchased several years ago. They used to have a free limited version -- don't know if that still exists.

Password strength has always been a concern.

My own rant is product serial numbers that use o and 0, i and l, in a font that makes them look nearly identical. Or serial numbers that are written in the xxxx-yyyy.... format but don't tell you to leave out the hyphen until you finish entering the whole string..

Then there's those bot screeners, some that use such warped characters you have to guess anyway. Or the sites where you enter everything but miss one required field and you get "please enter the xxx field." Then you notice they not only cleared the password field (which is proper) but they cleared out everything else!

I tried to register on a website the other day and it had the normal blank box for the password. There was no text or anything to click to give the password limits. So I entered a six digit password and got the "must be a minimum of 8 characters." Okay, I entered an 8 character password and got a "must contain a mixture of letters and numbers." So I entered a mixture and got an "at least one character must be uppercase." And this was a C# programming site that was supposed to make my coding efforts more efficient!

calilifestyle
05-06-2009, 07:49 PM
You could just buy one of those usb things that let you enter one password. but will store complex passwords for everything you tie the usb to.

AdamAvenali
05-06-2009, 08:22 PM
it's really not a gigantic problem, it's just going through the whole "Forgot Password" stuff was irritating me there for a sec haha it's really only a problem with sites i only use a few times a year, such as my web hosting company. i only really update my site a few times a year and it threw me for a loop.

Jockomo
05-06-2009, 08:54 PM
This is a great site that can help out sometimes with forced registration, not for what you are looking for but nevertheless:

bugmenot.com
Find and share logins for websites that make you register.

Hopper
05-06-2009, 09:18 PM
Yeah, the whole warped letter thing just chaps my ***. Half the time, I can't read them anyway. And then, like you said, it gives you shlt about entering it in wrong and puts you back to a half filled out form.

I just don't see how these developers can not see the obvious when it comes to spammers that try to auto-register. We modified our forum software to simply read an OnKeyPress event in the password field. Bots can't create and send a fake key press event. The form won't post until the event occurs. We have yet to have a single spam message.

BlueApple
05-06-2009, 09:28 PM
I need to copy two pages of login/password combinations every time I get a new sketchbook. Then I eat the last two pages of the old sketch book.

danielkaiser
05-06-2009, 11:24 PM
Use Firefox; it will remember your passwords and has an option for a master password.

RebelHill
05-07-2009, 03:33 AM
these password strength things really work by looking at how random the set of characters is... but that's only one way to gauge password strength...

for strong pass' which will work on any site, it's best to stick to regular letters, but use combinations or strings of words especially if they have no meaning... such as myhouseisabutter, or ieatconespeakers, etc

AdamAvenali
05-07-2009, 06:29 AM
thanks everyone for all the info. I have found that openoffice (and probably any decent spreadsheet program) has the option to save with a password, so I will probably be logging all of mine in a spreadsheet and then I will only need one to get into them. I mean most of them really are not important unless you want to hack my account with the post office and go on a mailing spree haha

Matt
05-07-2009, 07:13 AM
Dude, I know how you feel!

art
05-07-2009, 08:05 AM
I had exactly the same problems. Although I remember passwords for the websites that I use daily, I still have too many accounts at too many websites, different passwords registered with different usernames and emails etc. Username/password recovery works when needed but it is an annoyance.

I usually have several levels of passwords (with derivations) with their strength depending on the criticality of the information contained on the website where I have the account. My NT forum password is easy to crack (don't you dare! :)) and my paypal account is 20 meaningless random characters.

I used to keep the less used passwords in a simple txt file. Then I briefly moved to some password managers. I needed a decent search capability and better usability tailored to my needs and I ended up writing my own tiny web application that is always available online. I use it to store not only passwords, but also phone numbers, addresses, links, pieces of information etc. It can optionally encrypt the data being stored too (I don't trust my ISP ;)) and the encryption, if selected, happens in the browser and no clear data is being transferred.

It's not perfect but works for me and I do not have to remember to keep the password file with me all the time.

Matt
05-07-2009, 08:49 AM
What's more annoying is when you decide upon a really strong one with numbers and everything in it, then you come to a site that has a maximum of 8 characters only!

AdamAvenali
05-07-2009, 09:02 AM
What's more annoying is when you decide upon a really strong one with numbers and everything in it, then you come to a site that has a maximum of 8 characters only!

That was the major problem: some accept numbers and symbols and others don't.

art
05-07-2009, 09:25 AM
yup, happened to me too. I tried to be nice and secure, but a site would not allow more than 8 characters (letters and numbers only!).

I also hate it when they force you to enter hints that have no meaning to you. For example "what's your favo(u)rite movie/teacher" etc. Even if I thought I had one, I might not remember what I entered a year or two from now. Most sites have a hint that I will remember, but some ask for hints that I do not have a clear answer to.

Tom Wood
05-07-2009, 10:50 AM
I have pages and pages of password/usernames written down. All stapled together. Some pages are covered with the stuff written at different angles and ink. I started making a separate sheet for each site as I revisit. Then I bought a file cabinet....I feel so organized now.

BeeVee
05-07-2009, 02:47 PM
I use KeePass (http://keepass.info/download.html). It's an open source password database available for lots of OSes. Best of all it works in PortableApps, so I just have it on my USB key and have access to it anywhere I go.

B

zapper1998
05-07-2009, 03:16 PM
Use Firefox..
In Firefox you can see your passwords and I usually do 5 letters and 5 numbers..
Firefox can keep track of passwords very well..
I take a screenshot every time I add a new password..

I use 6 different passwords with varying numbers and letters

I write them down in my little spiral pad, it's black and small with a nice label "Do Not Lose" password book..

works out nice...

BeeVee
05-07-2009, 03:41 PM
Oh for sure use Firefox, but then you're not supposed to write down your passwords and there's always the trade-off between security and ease-of-use. If you have a master password in Fx, then how strong your individual passwords are will matter not a jot if your master password is weak. The same might be said of not writing down my passwords in KeePass, but at least *that* list is also password-protected, something that a notepad is not...

Cryptonomicon (http://www.nealstephenson.com/crypt/) by Neal Stephenson is a great story that also talks about the security of passwords, thoroughly recommended.

B

Kuzey
05-07-2009, 03:47 PM
If you have an iPod touch or iPhone you could download a free app called "1Password" to store your passwords. I just installed it and only have two passwords in there at the moment but it seems to be a cool little app.

Kuzey

IMI
05-07-2009, 04:12 PM
I keep all my passwords in a text file in a rar archive. I just update it every time I have a reason to make a new password and I change my passwords for places like newegg, paypal and Amazon regularly.
Yes, the rar file is password-protected. But that password I just have written down on a sticky on my monitor. ;)

Been meaning to try out Vista's BitLocker thingy, to see if that's a viable alternative to the rar file, but I don't even know how to use it yet.

don_culbertson
05-07-2009, 04:41 PM
I use KeePass (http://keepass.info/download.html). It's an open source password database available for lots of OSes. Best of all it works in PortableApps, so I just have it on my USB key and have access to it anywhere I go.

B

:thumbsup: I, too, like KeePass - I especially like the password generation feature and the portability.

Don

[edit] Another advantage is that I can give my wife the KeePass pw and should anything happen to me, she can access accounts etc.

BeeVee
05-07-2009, 04:45 PM
Yup, it's handy to get those automatically-generated passwords, of course it does mean that you get dependent on KeePass working since without it you would have no hope of remembering the passwords: "Now, hang on, I'm sure it started Q4j9ll2... just another fifteen characters to remember". ;)

B

don_culbertson
05-07-2009, 04:47 PM
... "Now, hang on, I'm sure it started Q4j9ll2... just another fifteen characters to remember". ;)

B

Yeah, I've reached the point in life that I'm just glad I can remember my name :D

Don

AdamAvenali
05-07-2009, 05:05 PM
haha thanks everyone. i am still trying to figure out what sites i actually have login info for

Hopper
05-07-2009, 08:03 PM
What's more annoying is when you decide upon a really strong one with numbers and everything in it, then you come to a site that has a maximum of 8 characters only!
Exactly .. and those are the sites that get hacked regularly. There is a good reason that "8 characters or more" is considered to be a fairly strong password. The reason is that placeholders given - both cases of letters, numbers, and "special" keys on a keyboard comes out to a LOG function of n-LOG-10,000,000 (10 to the 7th power). At worst case, this will take an incremental password cracker about 30 minutes or so to solve given a fairly decent CPU. Thus, 9 placeholders will take over 9 times longer, 10 will take over 100 times longer, etc... Newer algorithms use a multithreaded hash that can crack them quicker, but most household hackers are pretty stupid and don't understand how to do it. They just download "bob's brand" hack tool and go at it.

Moral of the story .... Use at least 9 characters and you're less likely to get hacked by your average script kiddie 12 year old with outdated tools. :D

dwburman
05-07-2009, 11:37 PM
Xmarks started as a bookmark sync tool for firefox (used to be foxmarks). They've since expanded it to work with Safari and Internet Explorer. The Firefox version can also store and sync your passwords. I don't use that feature but it's nice having the same bookmarks on all four of the computers I use.

My current strategy is to have one password that is slightly different from site to site based on its name. I haven't gone through and updated every site with the new method though and sometimes I end up trying several variations before I hit the right one. I also substitute numbers or punctuation marks for letters when I can. Basic 7337 5P34|<. (LEET SPEAK... I've never been a part of that subculture, so I'm not fluent in the dialect... haha)

It's really annoying when the site locks you out after 3 tries and you can't remember the exact password.

Ember
05-08-2009, 12:43 AM
What's more annoying is when you decide upon a really strong one with numbers and everything in it, then you come to a site that has a maximum of 8 characters only!

I have to say that the programmer who did decide that 8 characters is the maximum length for the password should be shot. 8 characters in lower case characters only is nothing for modern computers when using brute force for password decryption. Having 10 characters in your password makes a whole world of difference and using lower and upper case characters, numbers and special characters will make even more difference. Typing 'password' or 'pA$5w0rd' is very different. The latter is a mere 88 million times more complex to break in brute force. See below.

8 characters with all ASCII characters = 18 446 744 073 709 551 616 different combinations, 10 characters = 1 208 925 819 614 629 174 706 176 - that's 65536 times more combinations! Oh and if you'll use just lower case US/UK characters: 8 characters = 208 827 064 576 and with 10 = 141 167 095 653 376.

The difference is staggering, add upper case characters and special characters into your password and you can keep it shorter. Just my two cents into this discussion :P

IMI
05-08-2009, 02:42 AM
Moral of the story .... Use at least 9 characters and you're less likely to get hacked by your average script kiddie 12 year old with outdated tools. :D

In other words, we do still have to fear the above average 19 year old outcast, can't-get-a-date-to-save-his-life, college computer geek with advanced hacking tools? ;)

Just curious - is any password within reason completely safe? Obviously our chances would be better if we're using a hundred character password, but most of us aren't going to do that even if there were no character limit.

But is there anything that CAN'T be cracked? I find it difficult getting my head around the possibility even software can figure out even an eight character password within any reasonable time period. How many possible combinations are there in 8 characters, given 26 letter in the English alphabet and 10 digits, plus cases and special characters?

Lightwolf
05-08-2009, 06:54 AM
In other words, we do still have to fear the above average 19 year old outcast, can't-get-a-date-to-save-his-life, college computer geek with advanced hacking tools? ;)
Yup: http://3.14.by/en/md5

Cheers,
Mike

AdamAvenali
05-08-2009, 07:21 AM
wow, i started a thread that made it to three pages! that's a first haha

art
05-08-2009, 07:24 AM
Yup: http://3.14.by/en/md5

Cheers,
Mike
Hmm, interesting. It is using GPU, am I reading it right?

IMI
05-08-2009, 07:30 AM
Hmm, interesting. It is using GPU, am I reading it right?

Yeah that's right. Probably the same deal as the [email protected] project which uses your GPU during down time.

Lightwolf
05-08-2009, 07:53 AM
Hmm, interesting. It is using GPU, am I reading it right?
Yup, including SLI/multi-GPU set-ups - and as many CPU cores as the system provides. Mind you, computing md5 hashes is very trivial to run in parallel.

Basically all it does is compute the md5 hash for a sequence of characters and see if it matches the md5 you entered as the target (passwords are usually stored as md5 hashes - which is like an advanced kind of checksum really). Then it tries a different sequence of characters.

Cheers,
Mike

art
05-08-2009, 08:19 AM
I think I need to increase the length of my passwords by a few characters :)

Ember
05-08-2009, 09:21 AM
How many possible combinations are there in 8 characters, given 26 letter in the English alphabet and 10 digits, plus cases and special characters?

I already answered (http://www.newtek.com/forums/showpost.php?p=881661&postcount=29) that question. It's easy enough to calculate. With extended ASCII you have 256 different characters in use. So, with one character you'll have 256 different combinations. With two characters you'll have 256*256 combinations etc. So you can count the amount of combinations simply with a formula:

combinations = 256^x, where x = amount of characters

Thus with 8 characters you'll have 256^8 = 18 446 744 073 709 551 616 possible combinations. So if one would use BarsWF (350 million tries per second) for brute force MD5 cracking it would take (in worst case scenario) approximately 1671 years and some months more. But if you use only lower case characters then your password would crack in little less than 10 minutes in the worst possible scenario (for the cracker that is).

Remember folks though, if you are using normal words which can be found from a dictionary or which are common names etc your password WILL break in no time.
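
The keyspace arithmetic from Ember's two posts above (256^x combinations, the 65536 and 88-million ratios, the 350 million tries/second BarsWF figure, and the dictionary warning), worked through as an added Python example that is not from the thread; the 365-day year and the slow-hash guess rate are my own assumptions.

```python
# Added example, not from the thread: the brute-force arithmetic from Ember's
# posts, generalised to any alphabet size, password length and guessing rate.
from math import log2

# Alphabet sizes used in the thread.
LOWER = 26             # a-z only
EXTENDED_ASCII = 256   # Ember's worst-case assumption: every byte value allowed

# Ember's quoted BarsWF figure: 350 million MD5 guesses per second.
BARSWF_RATE = 350_000_000
# Assumed rate for a deliberately slow password hash (bcrypt/scrypt style);
# the number is illustrative, not a benchmark.
SLOW_HASH_RATE = 10_000

SECONDS_PER_YEAR = 365 * 24 * 3600   # assumption: 365-day years


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords: alphabet_size ** length (Ember's 256^x)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity on a log scale; each extra bit doubles the search."""
    return length * log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Time to try every password at `rate` guesses/second (average is half)."""
    return keyspace(alphabet_size, length) / rate


def worst_case_years(alphabet_size: int, length: int, rate: float) -> float:
    return worst_case_seconds(alphabet_size, length, rate) / SECONDS_PER_YEAR


def dictionary_seconds(wordlist_size: int, rate: float) -> float:
    """Ember's closing warning: a dictionary word has only `wordlist_size`
    candidates however long it is, so its length buys nothing."""
    return wordlist_size / rate


def summary(alphabet_size: int, length: int, rate: float) -> dict:
    """One row of the comparison the thread is doing by hand."""
    return {
        "alphabet": alphabet_size,
        "length": length,
        "keyspace": keyspace(alphabet_size, length),
        "bits": round(entropy_bits(alphabet_size, length), 1),
        "worst_case_years": worst_case_years(alphabet_size, length, rate),
    }


if __name__ == "__main__":
    for alphabet, length in ((LOWER, 8), (EXTENDED_ASCII, 8),
                             (LOWER, 10), (EXTENDED_ASCII, 10)):
        print(summary(alphabet, length, BARSWF_RATE))
    # A 100,000-word list at BarsWF speed: well under a millisecond.
    print("dictionary (100k words):", dictionary_seconds(100_000, BARSWF_RATE), "s")
    # The same 8 lower-case characters against a slow hash instead of raw MD5.
    print("26^8 vs slow hash:", worst_case_years(LOWER, 8, SLOW_HASH_RATE), "years")
```

Fast unsalted MD5 is what makes the ten-minute figure possible; the slow-hash row shows the same 8 lower-case characters taking about eight months at the assumed rate, which is the server-side change that matters more than any single user's password rules.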

Lightwolf
05-08-2009, 09:36 AM
8 characters with all ASCII characters = 18 446 744 073 709 551 616 different combinations, 10 characters = 1 208 925 819 614 629 174 706 176 - that's 65536 times more combinations! Oh and if you'll use just lower case US/UK characters: 8 characters = 208 827 064 576 and with 10 = 141 167 095 653 376.

The difference is staggering, add upper case characters and special characters into your password and you can keep it shorter. Just my two cents into this discussion :P
The problem is you won't be able to use all 256 characters, more like the alphabet, numbers and common extra characters (roughly 20 or so)... which leaves us with 82 characters or so... heck, make it 100 (most will be filtered out and the others depend heavily on the character set used and aren't really safe unless you've tested them in the system, i.e. ).

Currently with GPUs you can compute 2 billion hashes per second per 1000US$ invested. 8 characters as described above takes roughly max. 33 days (probably less, I've got the numbers for a slightly slower app), on average half of that though.

Anything with more than 10 characters is still fairly secure though.

Cheers,
Mike

Ember
05-08-2009, 09:48 AM
The problem is you won't be able to use all 256 characters, more like the alphabet, numbers and common extra characters (roughly 20 or so)... which leaves us with 82 characters or so... heck, make it 100 (most will be filtered out and the others depends heavily on the character set used and aren't really safe unless you've tested them in the system, i.e. ).

Very true, that's why I stated "in the worst possible scenario". :) It's theoretically possible to use the full extended ASCII range but in practice no one will use it. And if you want to go wild you'll use UTF-8 in all its glory (or heck, even UTF-32!). Typing only strange special symbols as your password in UTF-8 you'll most likely prevent all possible cracking attempts. The fact that you won't most likely remember your password after that is a completely different matter :D

BeeVee
05-08-2009, 03:11 PM
That's why I use KeePass' password generator. It makes a password of whatever length you like composed of characters like this: XEA3ne9vPkGy0rjYaVdv (an actual password, but I'm not saying which site for... ;)) and then for ones I need to remember and not just store, I use a line from a poem or song, or quote from a film - something on the order of 30 chars or so. Sure it's words, but using Camel case or l33t number transposition helps.

B
PS. I can thoroughly recommend xmarks too!

Hopper
05-08-2009, 04:35 PM
But is there anything that CAN'T be cracked? I find it difficult getting my head around the possibility even software can figure out even an eight character password within any reasonable time period.
Like I told some students a while back - If it's turned on... it can be hacked. When it's not turned on... it can be stolen (then hacked). If someone wants the information bad enough, they can get it.

With the right equipment I can grab everything off your system even if it's not connected to a network. If I can get close enough, I can take it while sitting in your driveway eating a ham sandwich.

AdamAvenali
05-08-2009, 07:06 PM
I can take it while sitting in your driveway eating a ham sandwich.

Note to self: do not invite hopper to my driveway with ham sandwich

Hopper
05-09-2009, 10:48 AM
Note to self: do not invite hopper to my driveway with ham sandwich
:lol:

No worries.. I no longer use my powers for evil. :cool: I got a little overconfident in college once and got caught. They put me on the "bad list of boys and girls". I was too pompous to consider that there might be someone out there smart enough to catch me. Live and learn. There's always someone out there that's better.

IMI
05-09-2009, 05:00 PM
I wanna know where the ham sammich comes in, why it's been apparently revealed as necessary, and what hardships are created for the hacker if you substitute ham with turkey.

Hopper
05-09-2009, 11:31 PM
I wanna know where the ham sammich comes in, why it's been apparently revealed as necessary, and what hardships are created for the hacker if you substitute ham with turkey.
Hacking without a sandwich is sacrilege. Technically it should be a cheese sandwich (ala Hitchhikkers Guide), but I prefer the pig. You wouldn't want a hungry hacker anyway. A hungry hacker soon gets grumpy and turns into an a-ss hat and causes damage. :) Ahhh the days when hacking was a respectable endeavor. It had an understood civility to it. I miss those days. Now the term is fraught with implications of thievery and destruction. 'Real' hackers used to get into places they weren't supposed to be just for the fun of it, leave a little calling card and call it a day. Now it's all about stealing and destroying nformation and monetary gain. What a shame.