Security: Is your password secure?

N9ne

Adherent
Joined
Jan 6, 2004
Messages
274
N9ne submitted a new Article:

Security: Is your password secure?

[article] Password Security Measures

Have you made sure your password is secure?

- Does it contain at least 10 characters?
- At least 40% of which are numbers?
- There are no dictionary words at all?
- Is just a random mix of numbers and letters?
- You changed it in the last month or two?
- You haven't told anyone it or written it down where someone else may see it?

A lot of people make big mistakes with passwords. They keep the same password for years, never changing it, and put in some dictionary word, so 'they can remember it easily'. I mean OK, partly that's the point, something they can remember, but if you think about it, anyone else can easily remember it too :eek: - it's dangerous - there are brute force attackers out there which would easily crack your password within hours if not minutes if it's just a dictionary word.

I believe this is something that should be posted on all communities too, reminding people that passwords are important and should be entirely random and secure and regularly changed. - This is especially important for forums with members that aren't so computer-savvy as you and me, they may not know the full picture of the dangers of insecure passwords, they may not know about brute force attacks.

More information about brute force attacks (or cracking) can be found here.

Read more about this article here...
 
Last edited by a moderator:

Ogden2k

01001111
Joined
Jan 6, 2004
Messages
1,116
Mine equals all of those. I remember them all too, which is good. No writting down. I just came up with a really good password for my public forums.
 

The Sandman

Administrator
Joined
Jan 1, 2004
Messages
29,140
Do you think the biometrics will replace passwords anytime soon?
 

Ryan Crocker

Participant
Joined
Jan 8, 2004
Messages
76
Soon? I don't think Soon, but I think sometime in the future Biometrics will replace passwords.
 

revolution

Aspirant
Joined
Jan 7, 2004
Messages
24
I am reminded of that tv commercial (for who i cant remember) where a guy sits back down at his desktop pc and is asked for a password, handprint, retina scan, then a hair sample which the camera pulls out to a full shot of him where he is completely bald from head to toe. :)


oh and i use the same few passwords for alot of things, but they meet all the requirements except being changed regularly.
 

silver_2000

Neophyte
Joined
Jan 14, 2004
Messages
7
N9ne said:
Have you made sure your password is secure?

- Does it contain at least 10 characters?
- At least 40% of which are numbers?
- There are no dictionary words at all?
- Is just a random mix of numbers and letters?
- You changed it in the last month or two?
- You haven't told anyone it or written it down where someone else may see it?

A lot of people make big mistakes with passwords. They keep the same password for years, never changing it, and put in some dictionary word, so 'they can remember it easily'. I mean OK, partly that's the point, something they can remember, but if you think about it, anyone else can easily remember it too :eek: - it's dangerous - there are brute force attackers out there which would easily crack your password within hours if not minutes if it's just a dictionary word.

I believe this is something that should be posted on all communities too, reminding people that passwords are important and should be entirely random and secure and regularly changed. - This is especially important for forums with members that aren't so computer-savvy as you and me, they may not know the full picture of the dangers of insecure passwords, they may not know about brute force attacks.

More information about brute force attacks (or cracking) can be found here.

While I agree that password security is important. Most systems including VB have password security that effectively prevents brute force attacks.

If you have EVER actually done a brute for type or dictionary attack you will know that the basis of those attacks is attempting passwords thousands or millions of times... If you VB is set to warn you if an attack is made against any admin accounts. Mine is set to disable the account after 5 wrong passwords.. So how many millions of years would a brute force attack take ?
Most corporate user accounts have similar security for the same reasons. The ONLY way you can brute for the accounts is if you have local access to the SAM or user database and if you have local access to the database then the single user account is no longer an issue... You have MUCH bigger problems.
 

silver_2000

Neophyte
Joined
Jan 14, 2004
Messages
7
I just checked - My VB is set to disable the access for 15 minutes after 5 bad passwords. Effectively that means a brute force attack would be done 1 password attempt every 3 minutes on average.....

If my numbers are right that is over 5.7 years to attempt 1 million passwords...

And if your password is simply numbers and lower case letters there are 36*36*36*36*36*36*36*36=2,821,109,907,456 possible combinations. At 3 min per attempt that would be a really LONG time.....

The only effective way to do an attack of that magnatude is to have local access to the DB itself. If that is the case then htaccess on your amincp folder isnt what you need to concentrate on .. It is the access to the mysql tools

I am no security expert - Please post if I have made a flawed logical assumption... Or a math error...

Doug
 

KeithMcL

Freelance Web Designer
Joined
Jan 12, 2004
Messages
5,728
I've always found a good password to use is your car registration number. Here in Ireland they consist of two numbers then a letter and then 4 more numbers. I change mine from my car to my dads, then my sis', then my bro's and so forth :D
 

Meltingfire

Aspirant
Joined
Jan 10, 2004
Messages
18
Take any dictionary word:
"forumboard"
make it into leet-speak (1337-speak)
"f0rum804rd"

- Does it contain at least 10 characters? Yes
- At least 40% of which are numbers? Yes
- There are no dictionary words at all? Yes
- Is just a random mix of numbers and letters? Well...
- You changed it in the last month or two? Yes
- You haven't told anyone it or written it down where someone else may see it? Yes

Thats how i remind my words =) Then ofcourse you can have diffrent degrees of leet-speak, thats harder to understand etc ;))
 

floris

Habitué
Joined
Jan 17, 2004
Messages
1,342
I hope so!

Each week I set a new password to each admin account that I have. And none of my passwords are unique. I really don't understand why some users have the same email/forum and online banking password!!

So far, (and not asking users to!@) no abuse yet, only attempts (which are always reported).
 

N9ne

Adherent
Joined
Jan 6, 2004
Messages
274
silver_2000 said:
I just checked - My VB is set to disable the access for 15 minutes after 5 bad passwords. Effectively that means a brute force attack would be done 1 password attempt every 3 minutes on average.....

If my numbers are right that is over 5.7 years to attempt 1 million passwords...

And if your password is simply numbers and lower case letters there are 36*36*36*36*36*36*36*36=2,821,109,907,456 possible combinations. At 3 min per attempt that would be a really LONG time.....

The only effective way to do an attack of that magnatude is to have local access to the DB itself. If that is the case then htaccess on your amincp folder isnt what you need to concentrate on .. It is the access to the mysql tools

I am no security expert - Please post if I have made a flawed logical assumption... Or a math error...

Doug
But we have to remember that there are other forum softwares out there too, many which may not have the functionality that vB does.

And also, these rules apply to any password, anywhere.
 

floris

Habitué
Joined
Jan 17, 2004
Messages
1,342
But you have to admit, it is confusing if you come here through vBadmins.com and end up on a general site ;)
 

Wired

Enthusiast
Joined
Feb 18, 2004
Messages
182
Leet speak is decent in its use of password protection. Funny thing is is that at work, a general password we all use for a particular app is in leet speak. The good thing about it is that there are varying levels of it.
 

Ian Griffiths

Habitué
Joined
Nov 27, 2004
Messages
1,126
silver_2000 said:
The only effective way to do an attack of that magnatude is to have local access to the DB itself.
Or acquisition of the hash via cookie, browser cache etc. Hash can be worked on offline in that case.
 

Zachery

Moo
Joined
Feb 3, 2004
Messages
2,593
in vB that hash would take eons to break

md5( md5(password)md5(licensenumber)) or somthing like that o_O
 

Ian Griffiths

Habitué
Joined
Nov 27, 2004
Messages
1,126
I like the nested technique, means that your first brute force on the compromised hash has to find a password of 32 chars, which although its only hex and not a full char set is I'd guess preferable to something plaintext and short.
 

Mok

TorontoGolfNuts.com
Joined
Oct 12, 2004
Messages
252
they say to try to use stuff like this also:

mary had a little lamb

mhall
 

Lugh

Habitué
Joined
Mar 18, 2004
Messages
1,814
I hear your mother's maiden name is secure :D

What I use for important passwords is a combo of Roboform and typing. This gets around my main problem, how to remember which long obscure password is for which site.

I enter my obscure string--eg E4gjm8sych04y--into Roboform as my default password. Then I only have to click a toolbar button to enter it.

I then type in the short memorable part of the password. So eg my password for here might be
E4gjM8sycH04yTheAZ

I change the obscure string regularly, and keep a note of it [split onto 3-4 pieces of paper] in my wallet in case I need it when traveling etc.

I find this an efficient combo for entering and changing passwords. You guys see any flaw in it?

Before Roboform I used combos of addresses and names usually as the obscure bit, with something about the site I'm visiting [like "TheAZ" in the example above] as the easily memorable bit. So I might have had
PENnSyLvanIa1600AvETheAZ
where each uppercase letter corresponds to a prime number position in the obscure bit.
 

Daijoubu

Speed & scalability...
Joined
Oct 30, 2004
Messages
318
I just use my old ISP randomly generated usernames, since I still remember them :)

- Does it contain at least 10 characters? 8 only
- At least 40% of which are numbers? No...
- There are no dictionary words at all? YES
- Is just a random mix of numbers and letters? YES
- You changed it in the last month or two? YES
- You haven't told anyone it or written it down where someone else may see it? Of course! ;)
 
Top