How to Choose your Passwords [Tips & Guidelines]

kalel
How to choose a Password


In our modern society, just about everything is password protected, and it's no easy task to come up with a password that is both easy to remember and safe. Choosing the right password is something that many people find difficult; there are so many things that require passwords these days that remembering them all can be a real problem. Perhaps because of this, a lot of people choose their passwords very badly. The simple tips below are intended to assist you in choosing a good password.



Before reading this post, take the time to visit http://www.passwordmeter.com/. By typing in your password, you will get a full, detailed rating and analysis of your password's strength; this will help you know how to strengthen it.


Basics:

- Use at least eight characters; the more characters the better, really, but most people will find anything more than about 15 characters difficult to remember.

- Use a random mixture of characters, upper and lower case, numbers, punctuation, spaces and symbols.

- Don't use a word found in a dictionary, English or foreign.

- Never use the same password twice.


Things to avoid:


- Don't just add a single digit or symbol before or after a word. e.g. "apple1"

- Don't double up a single word. e.g. "appleapple"

- Don't simply reverse a word. e.g. "elppa"

- Don't just remove the vowels. e.g. "ppl"

- Don't use key sequences that can easily be repeated, e.g. "qwerty", "asdf" etc.

- Don't just garble letters, e.g. converting e to 3, L or i to 1, o to 0, as in "z3r0-10v3".


Tips:


- Choose a password that you can remember so that you don't need to keep looking it up; this reduces the chance of somebody discovering where you have written it down.

- Choose a password that you can type quickly; this reduces the chance of somebody discovering your password by looking over your shoulder.



Bad Passwords:


- Don't use passwords based on personal information such as: name, nickname, birthdate, wife's name, pet's name, friend's name, home town, phone number, social security number, car registration number, address etc. This includes using just part of your name, or part of your birthdate.

- Don't use passwords based on things located near you. Passwords such as "computer", "monitor", "keyboard", "telephone", "printer", etc. are useless.

- Don't ever be tempted to use one of those common passwords that are easy to remember but offer no security at all. e.g. "password", "letmein".

- Never use a password based on your username, account name, computer name or email address.


Protecting your password :


- Never store your password on your computer except in an encrypted form. Note that the password cache that comes with Windows (.pwl files) is NOT secure, so whenever Windows prompts you to "Save password", don't.

- Don't tell anyone your password, not even your system administrator.

- Never send your password via email or another unsecured channel.

- Yes, write your password down but don't leave the paper lying around, lock the paper away somewhere, preferably off-site and definitely under lock and key.

- Be very careful when entering your password with somebody else in the same room.


Remembering your password:


Remembering passwords is always difficult and because of this many people are tempted to write them down on bits of paper. As mentioned above this is a very bad idea. So what can you do?

- Use a secure password manager.

- Use a text file encrypted with a strong encryption utility.

- Choose passwords that you find easier to remember.



Bad Examples


- "fred8" - Based on the user's name, also too short.

- "christine" - The name of the user's girlfriend, easy to guess.

- "kciredref" - The user's name backwards.

- "indescribable" - Listed in a dictionary.

- "iNdesCribaBle" - Just adding random capitalisation doesn't make it safe.

- "gandalf" - Listed in word lists.

- "zeolite" - Listed in a geological dictionary.

- "qwertyuiop" - Listed in word lists.



Good Example

"mItWdOtW4Me" - Monday is the worst day of the week for (4) me.



How would a potential hacker get hold of my password anyway?

Most common techniques hackers use to get hold of your password:

- Steal it. That means looking over your shoulder when you type it, or finding the paper where you wrote it down. This is probably the most common way passwords are compromised, thus it's very important that if you do write your password down you keep the paper extremely safe. Also remember not to type in your password when somebody could be watching.

- Guess it. It's amazing how many people use a password based on information that can easily be guessed. Psychologists say that most men use 4 letter obscenities as passwords and most people use the names of their boyfriends/girlfriends, spouse or children.

- A brute force attack. This is where every possible combination of letters, numbers and symbols is used in an attempt to guess the password. While this is an extremely labour-intensive task, with modern fast processors and software tools this method is not to be underestimated. A Pentium 100 PC might typically be able to try 200,000 combinations every second; this would mean that a 6 character password containing just upper and lower case characters could be guessed in only 27½ hours.

- A dictionary attack. A more intelligent method than the brute force attack described above is the dictionary attack. This is where the combinations tried are first chosen from words available in a dictionary. Software tools are readily available that can try every word in a dictionary or word list or both until your password is found. Dictionaries with hundreds of thousands of words, as well as specialist, technical and foreign language dictionaries are available, as are lists of thousands of words that are often used as passwords such as "qwerty", "abcdef" etc.
 
    Nayla
    The problem with the excellent passwords is that I keep forgetting them LoL
     
    kalel

    > The problem with the excellent passwords is that I keep forgetting them LoL
    Surely you can come up with something like this.. maybe a favorite quote ? bring it down to the first characters..


    Good Example

    "mItWdOtW4Me" - Monday is the worst day of the week for (4) me.
     
    Nayla

    > Surely you can come up with something like this.. maybe a favorite quote ? bring it down to the first characters..
    You're right!!! But I chose finally something easier and I won't tell you what it is :biggrin:
     
    Isabella
    I have one basic password, it's a combination of letters and numbers that mean something to me, I always use a variation of this password by adding .,*; or switching the order of the letters! It always takes me about an hour to guess a password I had forgotten, I always end up pressing forgot your password :p
     
    Chris306
    I never forget a password...

    I've always used bizarre stuff, like b98sa6Fd (means something to me....)

    For my secret answers, I'd make something irrelevant so people could never guess, with a similar ^ answer. Never failed me yet.

    Nowadays, you can add your cellphone # for recovery and often see the last IPs who logged into your account...really has come a long way.

    I remember 8th grade library class, I got to be the 'librarian's helper', which meant I got to access the administrative computer. Well, with the help of a couple of classmates, I managed to get just about every teacher's password at the school. Most used their names, their spouse's name, or their kid's name. I was able to add so many leisure programs to our, then, limited menu (had to be scholastic to be on our access list) and could even access our report cards and get tests before they came out. lol.

    At the end of the short-lived glory run, the librarian discovered something was up (I was never implicated). I ended up hacking his personal administrator account and sending a message that appeared on all school computers simultaneously that he was gay. He was not a well liked teacher, for pretty justifiable reasons.

    But that was 14 years ago :) I wouldn't do that now of course :)
     
    Leb_Rebel
    How about creating a thread on hacking/phishing.... passwords :sneaky2:
     
    kalel

    > I have one basic password, it's a combination of letters and numbers that mean something to me, I always use a variation of this password by adding .,*; or switching the order of the letters! It always takes me about an hour to guess a password I had forgotten, I always end up pressing forgot your password :p

    Thing is that not all services would allow you to use .,*; in the password field, so it becomes a harder task to pick a password. My advice.. stick to a pattern you and only you are familiar with.. oh and God bless the "Forgot your password" button :p
     
    kalel

    > I never forget a password...
    >
    > I've always used bizarre stuff, like b98sa6Fd (means something to me....)
    >
    > For my secret answers, I'd make something irrelevant so people could never guess, with a similar ^ answer. Never failed me yet.
    > [...]

    I never set a secret answer and if I am asked to.. I'll just write gibberish..

    Your password pattern works well and the best trick to never forget it is to remember how it sounds.. Sound patterns are easily memorized faster than visual ones..
     
    neutral
    What I consider a good password is a password I can actually remember
     
    EuroMode
    Heartbleed bug: Am I at risk and do I really have to change my password?

    The discovery of Heartbleed, a flaw in one of the most widespread encryption standards used online, has panicked webmasters and users alike.

    The bug has gone unnoticed for more than two years and could have potentially given hackers access to an unlimited array of secure data – everything from passwords and login details to credit card numbers and addresses.


    Although it’s difficult to say exactly how many websites have been exposed, the lower estimates are around 500 million with a large number of major web companies (Google, Facebook, Yahoo, etc) all forced to update their software to protect against the bug.

    However, there have been quite a lot of mixed messages as to whether or not users should change their passwords, with some outlets urging that you should create new ones immediately while others are advising that you wait.

    To add to the confusion, there have also been reports of hackers sending out phishing emails related to Heartbleed - in order to trick users into giving up passwords that have yet to be compromised. Be on the lookout for these and don't follow any links in suspicious-looking emails - if you want to change a password, go to the site directly.



    Which sites are affected?

    Most Google sites and services (including Gmail and YouTube - but not Chrome) were affected, as were sites maintained by Yahoo (including Tumblr and Flickr). Facebook was also hit by the bug although Twitter and LinkedIn were not.

    Other big sites that have confirmed that they weren’t affected include Amazon, Hotmail and Outlook, eBay, PayPal and all of Apple’s properties – including iCloud and iTunes. If you want to check whether or not a site you use is still affected then you can do so here – just enter the URL.

    Another big worry is for online banking, but thankfully we have some good news in that department. Lloyds, HSBC, RBS, Natwest, Santander and the Co-Op have all confirmed that they were not affected by the bug (they were using different encryption standards). Barclays has yet to issue a statement.

    However, this does not mean that your credit card details are completely safe – as they could have been compromised via your Gmail or another third-party site. The security of mobile banking apps is still a developing situation as well.



    So do I need to change my passwords?

    In a word: yes. For the sites we’ve listed above as being affected (including Gmail, Yahoo, Tumblr, Flickr, Facebook) it definitely won't hurt to change your password some time in the next couple of weeks.

    Although security experts have warned that you shouldn't be too quick to change passwords, this is because not all websites have patched their servers and changing your password before this happens could make matters worse. The sites we've listed above have patched their servers and if you want to check one we've not mentioned - click here and enter the URL.

    Unfortunately, some sites (including Google) have specifically said that users don't need to change their passwords. While it's true that some sites are confident that they fixed the bug a while back, as most of us are guilty of changing our passwords less frequently than we should do (aka never) we think that this is as good an opportunity as ever to be a bit more security-conscious.



    What should my new password be?

    In lists of the most frequently used passwords online there are some obvious clangers that we know you're too smart to use (these include old stand-bys such as '123456' and 'password' itself) but just because a password doesn't look obvious to you that doesn't make it safe.

    This means that you shouldn’t really use any single words that are found in the dictionary, any words connected to you (place of birth or pets' names), nor should you use any obvious ‘substitutions’ (eg pa55w0rd- more complicated variations are required) or patterns derived from your keyboard layout (eg ‘1qaz2wsx’ or ‘zxcvbnm’).


    It’s wise to use a variety of characters in your password (including upper and lower case as well as numbers) but an easy way to get more secure is to start thinking of your password as a passphrase.

    The easiest way of increasing the difficulty of a password is by simply making it longer – so try combining multiple words together and then adding in numbers between them.

    You could pick a number of some significance to you (for example a loved one's birthday, ie 12/08/1970) and then splice this with a nonsensical phrase ('shoesplittingwatchwizard') to get a suitably difficult password: Shoe12Splitting08Watch1970Wizard.

    Other suggested methods for making a strong and memorable password include taking a sentence or a favourite line from a song as a starting point. So you might take the line "When you call my name it's like a little prayer" and turn it into wuCmNilaLP. Madonna is optional of course, but we think this a fun method - especially if you can work in numbers somewhere.

    You should also use different passwords for your different accounts (perhaps the most difficult piece of advice to follow of all) and if you want to be really secure you should also set up two-step authentication where available.

    source independent
     
    EuroMode
    Cybersecurity Passé words

    More momentum in the crusade to reduce reliance on p@$$w0rd$



    PASSWORDS are not all that fit for purpose: they are easily lost, forgotten, stolen or duplicated. As such, they are widely reviled. Though cheerful reports of the password's imminent death have been made time and again (perhaps most famously in 2004 by Bill Gates, then-boss of Microsoft), all have turned out to be premature. However, a few devices on show last week at CES, a big technology exhibition, hint that the password's star may finally be fading.

    One wouldn't have guessed. Passwords still have the leading role in what is called multi-factor authentication. A password, as security folk put it, is "something you know"; multi-factor approaches pair this with "something you have", such as a device or app that generates a unique code with a short period of validity, or "something you are", such as an analysis of your voice or fingerprint. (These biometric approaches have been sprouting up as fast as the trade press can describe them—alternatives range from software that analyses patterns of users' veins to chairs that sense the shape of a user's bottom.)

    A consortium of firms called the Fast Identity Online (FIDO) Alliance is still trying to turn this arrangement on its head. Formed in 2012, the alliance has been building an impressive roster of members, including hardware-makers such as Lenovo, Samsung and ARM, payments firms PayPal, Visa and MasterCard, and e-commerce giants such as Alibaba.

    FIDO relies on public-key cryptography, a bit of applied mathematics that already underpins a lot of the web's security infrastructure. The scheme uses two cryptographic keys—vast strings of numbers—one public and safe to share, and one private. Any person or website in possession of the public key can verify that a digital signature has come from someone in possession of the private one, but cannot guess what that key is. Similarly, using only the public key, a person or service can encrypt a document such that only the possessor of the private key can decrypt it.

    The good news, for those with a fear of extravagantly long numbers, is that all this is done behind the scenes; the FIDO protocol's chances rely largely on its simplicity. The alliance's proposed technical details were first published in February 2014, and at last week's CES, prototypes of what they call "FIDO-ready" devices were on show in force.

    The idea is that a device would, on request, create a pair of keys, public and private. It would pass the public key to, for example, an online retailer, which then associates the key with an account. On the next login, the identity check works both ways: a faked version of the retailer's website will not have the public key the FIDO software is looking for, and the retailer can check that the login has been performed by the holder of the associated private key.

    Permitting access to FIDO via a device's native security features, such as a fingerprint reader, adds the something-you-are to the FIDO key's something-you-have. No longer, the idea goes, does it require something you know. (The alliance also proposes a second protocol in which the FIDO software resides on a dedicated USB stick or the like, and which would only be used after logging into a given site with a PIN—a solution that borders on password territory, but that is more easily remembered.)

    This sort of thing has been tried before, because password fatigue has been long in coming. A "Petition Against Passwords", backed rather unsurprisingly by start-ups that offer alternatives to them, was launched in 2013, but it died on the vine. Such efforts have resulted in a panoply of small-scale security standards that do not work together. The danger is in unseating the password, only to replace it with an endless set of apps, hardware and procedures that are actually less convenient and more trouble.

    It is the backing and the cooperation of big industry names that gives the FIDO Alliance a fighting chance to rise above the jangling of these other online keyrings. Its members agree to share patents, and chips and hardware made by members can be used by others without a license.

    Bruce Schneier, a security guru, says it won't be easy to cast passwords aside because, as with a fence surrounding a nuclear facility, they provide a gate-keeping function and first line of defence. But he says the FIDO Alliance and similar efforts to reduce passwords' primacy are as inevitable as they are desirable. FIDO's rise is not an assurance of the password's fall, but the forgetful and the security-conscious can live in hope.

    source economist
     
    kalel

    > Cybersecurity Passé words
    >
    > More momentum in the crusade to reduce reliance on p@$$w0rd$
    > [...]
    > source economist

    Got a bunch of the FIDO keys a while back. They support the Google services and can also be implemented on offline services in need of authentication such as hidden containers, lockers, phone wallets etc..
    Good initiative but it still needs to mature and I can't see it replacing passwords completely; it might replace the SMS or Google Authenticator though.
     
    Elyas Daher

    the most random combination of letters and numbers will do
    after that you can memorize easily
     
    Stephanie Harmon

    Mine are always with numbers and other characters.
     