5 Tips For An Unbreakable Password

zorg222 (In The Process; joined Jun 6, 2005; 366 messages)
zorg222 submitted a new Article:

5 Tips For An Unbreakable Password

To hack your board, someone may be able to do something like guess a password and in an instant, your board is lost. These are ways to keep your passwords safe and therefore, keep your board safe.

Despite the current wave of identity theft and corporate security breaches, it's amazing how very few people treat their passwords with any level of seriousness. Most computer users, both at home and in the office, see passwords as a nuisance and therefore make them as easy to remember as possible. This can be a catastrophic mistake.

There are certain specific guidelines you need to follow to choose a safe and secure password. Use the following tips as a "how to" on making your password secure.

1. Your password must be alphanumeric. That simply means a mixture of numbers and letters such as xpf2778z. Why? When a hacker tries to break into a system they often use what are called dictionary or brute force hacks. A dictionary hack is an application that simply uses standard words and word combinations in an attempt to guess your password. For example many computer users use the word "password" as their actual password. A dictionary hack would crack that password in a few moments. Using alphanumeric passwords increases the number of possible password combinations by millions.

2. It should be 6 - 8 characters in length. The longer the password the harder it is for a hacking program to get around. If your password was abc then there are 6 possible password combinations. If your password was abc123 there are now over 720 password combinations possible. If your password was abc1234 there are now almost 6,000 possible combinations. Never, ever use a short password only comprised of letters.

3. Never use personal details in your password. People often use their home address, their age, husband or wives name, their social security number or their date of birth. These are incredibly easy to get access to by either a fellow employee or potential system hacker. Your password needs to be secure and hard to guess and personal details meet neither of these criteria.

4. Do not write your password down anywhere. Keeping a record of your password for somebody to find is dangerous. Create a memorable password that you'll have no problem recalling. This is not as hard as it sounds and if you jot some password ideas down you'll quickly come up with some good ones. Obviously burn the piece of paper you...

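The first two tips above come down to two numbers: how many characters the password can draw from, and how many positions it has. The Python script below is an added example, not part of the article or of this thread, that computes the keyspace and bit strength for a given length and set of character classes and draws a password from the operating system's random source. The guess rate used in the printed table is a constructed figure chosen only to show the effect of length; the symbol set is the one KAZ lists further down the thread.

```python
import math
import secrets
import string

# Character classes a password can draw from. The symbol set is the one KAZ
# lists further down the thread; the other three are plain ASCII classes.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()_-=+",
}


def alphabet_for(classes):
    """Concatenate the chosen character classes into one alphabet string."""
    return "".join(CHARSETS[name] for name in classes)


def keyspace(length, classes):
    """Number of distinct passwords of exactly `length` characters.

    Each position is chosen independently from the alphabet, so the count is
    alphabet_size ** length.
    """
    return len(alphabet_for(classes)) ** length


def entropy_bits(length, classes):
    """Bit strength of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(len(alphabet_for(classes)))


def worst_case_seconds(length, classes, guesses_per_second):
    """Seconds to exhaust the whole keyspace at a constant guess rate.

    The rate is a caller-supplied assumption, not a claim about any real
    cracker: a slow salted hash and a fast unsalted one differ by orders of
    magnitude.
    """
    return keyspace(length, classes) / guesses_per_second


def generate(length, classes):
    """Draw a password uniformly from the alphabet using the OS CSPRNG."""
    alphabet = alphabet_for(classes)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed guess rate, chosen only so the table shows the length effect.
    RATE = 1_000_000_000  # guesses per second (assumption)
    print(f"{'length':>6} {'classes':<28} {'keyspace':>24} {'bits':>6} {'exhaust (days)':>16}")
    for length in (3, 6, 8, 12):
        for classes in (["lower"], ["lower", "digits"], ["lower", "upper", "digits", "symbols"]):
            bits = entropy_bits(length, classes)
            days = worst_case_seconds(length, classes, RATE) / 86400
            print(f"{length:>6} {'+'.join(classes):<28} {keyspace(length, classes):>24,} {bits:>6.1f} {days:>16.3g}")
    print("sample:", generate(12, ["lower", "upper", "digits", "symbols"]))
```

Running the script prints one row per length and alphabet; adding a class raises the base, adding a character raises the exponent, and the exponent is what moves the exhaustion time from seconds to centuries.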

Sculli (Custom User Title; joined Dec 3, 2005; 648 messages)
6-8 character passwords are pretty weak, especially when stored as MD5 hashes. Any monkey can crack an 8 character alphanum password within a few minutes using lookup tables that are readily available online. Of course they need the hash, but for some boards that is easy to obtain.

12 character alphanum password is what I would consider strong.
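Sculli's point about MD5 and lookup tables rests on one property: an unsalted hash is identical for every user who picked the same password, so one precomputed table entry matches all of them. The Python below is an added example, not code from this thread or from any board software, contrasting unsalted MD5 storage with a per-user salted, iterated PBKDF2 hash. The user list, the two-entry lookup table and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor. Illustrative value for the demo, not a figure from the thread.
ITERATIONS = 100_000


def md5_unsalted(password):
    """The storage scheme Sculli describes: one hash per password, same for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated hash.

    Returns a self-describing string (scheme$iterations$salt$digest) so the
    parameters travel with the hash and the iteration count can be raised later
    without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def lookup_table_hits(stored_hashes, table):
    """Count stored hashes that appear in a precomputed hash -> password table.

    With unsalted MD5 one table entry matches every user sharing that password;
    with per-user salts the same table matches nothing, because the attacker
    would need a separate table per salt.
    """
    return sum(1 for h in stored_hashes if h in table)


if __name__ == "__main__":
    # Constructed user table; two users chose the same password.
    users = {"alice": "Summer2006", "bob": "Summer2006", "carol": "xpf2778z"}
    # Constructed lookup table built once, without knowledge of any user.
    table = {md5_unsalted(p): p for p in ("Summer2006", "password")}

    md5_store = [md5_unsalted(p) for p in users.values()]
    salted_store = [hash_password(p) for p in users.values()]

    print("unsalted MD5 hits  :", lookup_table_hits(md5_store, table))     # 2
    print("salted PBKDF2 hits :", lookup_table_hits(salted_store, table))  # 0
    print("alice == bob (md5) :", md5_store[0] == md5_store[1])            # True
    print("alice == bob (salt):", salted_store[0] == salted_store[1])      # False
    print("verify carol       :", verify_password("xpf2778z", salted_store[2]))
```

The salt does not need to be secret, only unique per record; its job is to make every stored hash a separate cracking problem, and the iteration count is what makes each of those problems slow.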
 

ChrisOdd (Enthusiast; joined Jan 10, 2006; 136 messages)
I never thought of changing a password so frequently, but the other rules I've always followed. Great article.
 

Tha Champ (Enthusiast; joined Oct 29, 2005; 176 messages)
ChrisOdd said:
I never thought of changing a password so frequently, but the other rules I've always followed. Great article.


Hey! I never noticed this article section was soo helpful! Propz man!
 

Methos (Aspirant; joined May 17, 2006; 12 messages)
One thing I found with vBulletin is the ability to use passwords with symbols; it can also accept ANSI key chars.

With the ability to set the maximum number of characters used for a password, one can create true 128-bit security for their accounts. Below is a list of passwords generated using a password generator (alphanumeric/symbolic); a couple were created with ANSI key chars as well, which makes using a program to hack/crack your forum password even that much harder.

n´[-0;r}N/eW0,,AB´]6]p"`!i
TrohFko³EAY9#_"m`&_4p[h,-a
l{d4`DX)7,;V#R³_gjh802f\sS
B`´)]rBncjNnZKszO#8E:SYQ,$
v:hY§4]S+XjdM7e%659=uZKTj3
&DD4iCN3"q4§V$MLIG²34R9_N)
pXla\!lIm/[X,0upXksw{³iMO[
,LJR(§Z87!6;DG\UbA&&S+,0DG
y´sCo1$\WK#}O5zjk]w´pJG&´1
4TXOmZq;pnAd#u}#ZGof-!^u4h

This also makes it harder for the person who owns the account to even remember their password. I never "type" my password in anyway; I have an Excel sheet with all my passwords in it, and I simply copy/paste my passwords where I need to. Doing this also stops keyloggers from obtaining your passwords when entered onto webpages or online forms.
 

Basto (Forum Expert; joined Feb 11, 2006; 105 messages)
Methos said:
One thing I found with vBulletin is the ability to use passwords with symbols; it can also accept ANSI key chars.

With the ability to set the maximum number of characters used for a password, one can create true 128-bit security for their accounts. Below is a list of passwords generated using a password generator (alphanumeric/symbolic); a couple were created with ANSI key chars as well, which makes using a program to hack/crack your forum password even that much harder.

n´[-0;r}N/eW0,,AB´]6]p"`!i
TrohFko³EAY9#_"m`&_4p[h,-a
l{d4`DX)7,;V#R³_gjh802f\sS
B`´)]rBncjNnZKszO#8E:SYQ,$
v:hY§4]S+XjdM7e%659=uZKTj3
&DD4iCN3"q4§V$MLIG²34R9_N)
pXla\!lIm/[X,0upXksw{³iMO[
,LJR(§Z87!6;DG\UbA&&S+,0DG
y´sCo1$\WK#}O5zjk]w´pJG&´1
4TXOmZq;pnAd#u}#ZGof-!^u4h

This also makes it harder for the person who owns the account to even remember their password. I never "type" my password in anyway; I have an Excel sheet with all my passwords in it, and I simply copy/paste my passwords where I need to. Doing this also stops keyloggers from obtaining your passwords when entered onto webpages or online forms.

I considered having my passwords stored on my PC but I'm too paranoid that I would fall victim to being hacked the next day. Though that's unlikely considering I use a firewall and generally avoid dodgy sites.

Also, great article, some interesting stuff there :D
 

Libertate (Devotee; joined Aug 3, 2005; 2,041 messages)
It is unfortunate but most identity thefts have absolutely nothing to do with passwords.

But, since we are talking about passwords, the minimum password complexity rules I recommend are:
  • Minimum 8 character length
  • Must contain at least one upper, and one lower case letter
  • Must contain at least one number
  • Must contain at least one symbol other than a letter or number
  • Cannot be a dictionary word (i.e. something coming from within the primary language)
  • Cannot contain other personal identifying information (nick names, location, etc.)
As others have said it before, MD5 hashes are not too hard to crack, although salting them helps.

Copy/paste regarding keyloggers - I can log not just your key strokes, but also mouse movements, clipboards and any app streams. But why bother? I just steal your completely unsecured Excel spreadsheet.

Firewalls protecting you from dodgy sites - Firewalls in general do not protect you from application layer attacks. Although some malware protection software provides blocking, it is not too complicated to circumvent or avoid detection.

Heck, software firewalls and antivirus can be turned off, and you wouldn't even know it. But why bother? A completely separate TCP/IP stack can be installed, then the machine, the OS, and the software would never ever know. Or you. :)

12 character passwords - although they might be stronger as far as cracking directly, they expose another problem. Users will write them down, making them simpler to acquire.

This is a current pet peeve of mine, so bear with me...

Vendors and government organizations (FFIEC, ahem) are pushing various encryptions and such. Why? Who gives a flying monkey if the data is encrypted? Take a look at the current trend in attack vectors and anyone can see it has absolutely nothing to do with cracking an encrypted password, or splicing into an SSL tunnel and decrypting it.

Why bother with that, when a simple application sitting on the victim's machine will allow forwarding? The app just waits for the log in, conveniently providing the app with a password and the secure pipe to whatever it is attacking! Now the pipe is encrypted, and there is not even a way to see if there is an attack inside it because it is encrypted!

Secure the ends first, then worry about the cracking, and man-in-the-middle.

If one wanted to hack someone's web site, one would NOT try to crack their password. One would drop a keylogger (complex way), or simply wait till they log in, then create a forwarder from their machine back to the server. Now one has a secure connection from the trusted user's machine to the server; it is encrypted, and it is logged in. Wham, bam, thank you ma'am.

Don't misunderstand me. Passwords are a good way to avoid casual attacks.
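Libertate's six rules can be checked mechanically at registration or password-change time. The Python below is an added example, not code from this thread or from any forum package: it returns every rule a candidate password violates, so the user sees all the problems at once. A small constructed word list stands in for a real dictionary, and the caller supplies the personal details (nickname, location and so on) to screen for.

```python
import re

# Constructed stand-in for a real word list; a deployment would load a full
# dictionary of the site's primary language.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "summer"}

MIN_LENGTH = 8


def check_policy(password, dictionary=DICTIONARY, personal_info=()):
    """Return the list of rules the password violates; an empty list means accepted."""
    failures = []
    lowered = password.lower()

    # Rules 1-4: length and the three character classes plus a symbol.
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(not c.isalnum() for c in password):
        failures.append("no symbol")

    # Rule 5: not a dictionary word. Strip digits and symbols first so that
    # 'Password1!' is still recognised as the word 'password'; then also
    # reject passwords that merely contain a longer dictionary word.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in dictionary:
        failures.append(f"is the dictionary word '{letters_only}'")
    else:
        for word in sorted(dictionary):
            if len(word) >= 4 and word in lowered:
                failures.append(f"contains the dictionary word '{word}'")
                break

    # Rule 6: no personal identifying information supplied by the caller.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            failures.append(f"contains personal information '{item}'")

    return failures


if __name__ == "__main__":
    # Constructed candidates and a constructed profile for the personal-info rule.
    profile = ["Chicago", "1981", "zorg"]
    for candidate in ("abc", "Password1!", "Chicago#2005x", "Tr0ub4dor&3"):
        result = check_policy(candidate, personal_info=profile)
        verdict = "accepted" if not result else "; ".join(result)
        print(f"{candidate:<16} {verdict}")
```

The checker reports failures rather than a pass/fail boolean so the feedback can be shown to the user verbatim; the dictionary and personal-info lists are the two inputs a site would need to populate properly before relying on it.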
 

Quillz (Participant; joined Jun 22, 2005; 80 messages)
Does anyone know if WinXP features a password generator? I think I recall being able to do something like this in the command prompt once, and it generated for me a nice and secure 15-character password.
 

sygtech (Neophyte; joined Jul 7, 2006; 2 messages)
Another trick that I use in some of my forums: protect the phpbb/admin folder with a password from your hosting cPanel, and even if somebody gets into your forum as admin he can't go to the administrator panel without knowing the password of the cPanel :D It's great, try it out.
 

KAZ (Aspirant; joined Aug 11, 2006; 12 messages)
I always use letters, numbers and characters like !,@,#,$,%,^,&,*,(,),_,-,=,+ in my passwords so no bruteforce software can crack my pass.
 

ILTK (Adherent; joined Aug 8, 2005; 388 messages)
I use RoboForm. It has a password generator that can create strong passwords in a single click, and it even shows the bit strength of the generated password. It then remembers that password in an encrypted database with a master password that I also generated. It also protects against keyloggers because I don't type the passwords in, so keyloggers that hook the keyboard or clipboard won't get anything.

It's great because I can now use strong passwords everywhere, most people use weak passwords because they can't remember something like "$CWh4cmqtIh0^w9K"
 

DaiTengu (That Sysadmin Guy; joined Feb 6, 2006; 189 messages)
KAZ said:
I always use letters, numbers and characters like !,@,#,$,%,^,&,*,(,),_,-,=,+ in my passwords so no bruteforce software can crack my pass.

Eh, that's not true. Enough processing power and enough time can crack a password even with those characters.
 

KevinJB (Participant; joined Aug 5, 2006; 94 messages)
Methos said:
This also makes it harder for the person who owns the account to even remember their password. I never "type" my password in anyway; I have an Excel sheet with all my passwords in it, and I simply copy/paste my passwords where I need to. Doing this also stops keyloggers from obtaining your passwords when entered onto webpages or online forms.

Until the owner of the keylogger notices that before you enter passwords, you always open up one file and copy something, then paste it, and so he picks this up from your computer. Oops, guess he now has access to every 'protected' account you own.

KAZ said:
I always use letters, numbers and characters like !,@,#,$,%,^,&,*,(,),_,-,=,+ in my passwords so no bruteforce software can crack my pass.
Except for the software that uses letters, numbers and characters like !,@,#,$,%,^,&,*,(,),_,-,=,+.

I'm not trying to be harsh, but thinking you are secure when you aren't is far worse than just plain being insecure. Common sense is your strongest defense; use it.

Basto said:
I considered having my passwords stored on my PC but I'm too paranoid that I would fall victim to being hacked the next day. Though that's unlikely considering I use a firewall and generally avoid dodgy sites.
Avoiding dodgy sites makes you a lot more secure than any firewall can make you.
 

Mephisteus (Enthusiast; joined Jan 22, 2004; 144 messages)
ILTK said:
I use RoboForm. It has a password generator that can create strong passwords in a single click, and it even shows the bit strength of the generated password. It then remembers that password in an encrypted database with a master password that I also generated. It also protects against keyloggers because I don't type the passwords in, so keyloggers that hook the keyboard or clipboard won't get anything.

And then it gets transmitted in a nice type="password" field (or a type="hidden" field if it's a decent login) and boom, you're done and all your protection just went out the window (don't even need a man-in-the-middle state for that).

The only advantage I see is that there is a unique random password for each site, which means if a site is sloppy and has the passwords unencrypted in the database you can happily move on without being compromised on any sites that matter.

Good passwords (unique, random, passwords per site/location/anything) are key to protecting yourself best though :)
 

ILTK (Adherent; joined Aug 8, 2005; 388 messages)
Mephisteus said:
And then it gets transmitted in a nice type="password" field (or a type="hidden" field if it's a decent login) and boom, you're done and all your protection just went out the window (don't even need a man-in-the-middle state for that).

Nope, since I use Proxomitron to change type=hidden to type=text, I always know what's on a page.