Security: Is your password secure?

N9ne

Adherent
Joined
Jan 6, 2004
Messages
274
N9ne submitted a new Article:

Security: Is your password secure?

[article] Password Security Measures

Have you made sure your password is secure?

- Does it contain at least 10 characters?
- At least 40% of which are numbers?
- There are no dictionary words at all?
- Is just a random mix of numbers and letters?
- You changed it in the last month or two?
- You haven't told anyone it or written it down where someone else may see it?

A lot of people make big mistakes with passwords. They keep the same password for years, never changing it, and put in some dictionary word so 'they can remember it easily'. I mean OK, partly that's the point, something they can remember, but if you think about it, anyone else can easily remember it too :eek: - it's dangerous - there are brute-force attackers out there who would easily crack your password within hours if not minutes if it's just a dictionary word.

I believe this is something that should be posted on all communities too, reminding people that passwords are important and should be entirely random and secure and regularly changed. - This is especially important for forums with members that aren't so computer-savvy as you and me, they may not know the full picture of the dangers of insecure passwords, they may not know about brute force attacks.

More information about brute force attacks (or cracking) can be found here.


Ogden2k

01001111
Joined
Jan 6, 2004
Messages
1,116
Mine meets all of those. I remember them all too, which is good. No writing down. I just came up with a really good password for my public forums.
 

Ryan Crocker

Participant
Joined
Jan 8, 2004
Messages
76
Soon? I don't think Soon, but I think sometime in the future Biometrics will replace passwords.
 

revolution

Aspirant
Joined
Jan 7, 2004
Messages
24
I am reminded of that TV commercial (for whom, I can't remember) where a guy sits back down at his desktop PC and is asked for a password, handprint, retina scan, then a hair sample, at which point the camera pulls out to a full shot of him where he is completely bald from head to toe. :)


Oh, and I use the same few passwords for a lot of things, but they meet all the requirements except being changed regularly.
 

silver_2000

Neophyte
Joined
Jan 14, 2004
Messages
7
N9ne said:
Have you made sure your password is secure?

- Does it contain at least 10 characters?
- At least 40% of which are numbers?
- There are no dictionary words at all?
- Is just a random mix of numbers and letters?
- You changed it in the last month or two?
- You haven't told anyone it or written it down where someone else may see it?

A lot of people make big mistakes with passwords. They keep the same password for years, never changing it, and put in some dictionary word so 'they can remember it easily'. I mean OK, partly that's the point, something they can remember, but if you think about it, anyone else can easily remember it too :eek: - it's dangerous - there are brute-force attackers out there who would easily crack your password within hours if not minutes if it's just a dictionary word.

I believe this is something that should be posted on all communities too, reminding people that passwords are important and should be entirely random and secure and regularly changed. - This is especially important for forums with members that aren't so computer-savvy as you and me, they may not know the full picture of the dangers of insecure passwords, they may not know about brute force attacks.

More information about brute force attacks (or cracking) can be found here.

While I agree that password security is important, most systems, including vB, have password security that effectively prevents brute-force attacks.

If you have EVER actually done a brute-force type or dictionary attack, you will know that the basis of those attacks is attempting passwords thousands or millions of times... Your vB is set to warn you if an attack is made against any admin accounts. Mine is set to disable the account after 5 wrong passwords... So how many millions of years would a brute-force attack take?
Most corporate user accounts have similar security for the same reasons. The ONLY way you can brute-force the accounts is if you have local access to the SAM or user database, and if you have local access to the database then the single user account is no longer an issue... You have MUCH bigger problems.
 

silver_2000

Neophyte
Joined
Jan 14, 2004
Messages
7
I just checked - my vB is set to disable access for 15 minutes after 5 bad passwords. Effectively that means a brute-force attack would be done at 1 password attempt every 3 minutes on average.....

If my numbers are right that is over 5.7 years to attempt 1 million passwords...

And if your password is simply numbers and lower-case letters there are 36*36*36*36*36*36*36*36 = 2,821,109,907,456 possible combinations. At 3 min per attempt that would be a really LONG time.....

The only effective way to do an attack of that magnitude is to have local access to the DB itself. If that is the case then .htaccess on your admincp folder isn't what you need to concentrate on... It is the access to the MySQL tools.

I am no security expert - please post if I have made a flawed logical assumption... or a math error...

Doug
 
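Added example (editor's code, not posted by anyone in the thread) working through Doug's arithmetic: the lockout parameters (5 wrong guesses, then a 15-minute lock) and the 36^8 keyspace come from his post; the 5-year dictionary sizes, the offline hash rate and the "hashes_per_second" figure are assumed for illustration only. It puts the online, lockout-throttled case next to the offline case that later posts raise, where the attacker holds the hash and the lockout no longer applies.

```python
"""Brute-force cost estimates: online login behind a lockout policy versus
offline guessing against a stolen hash.

Editor's example, not part of the original thread. Lockout parameters
(5 failures, 15-minute lock) and the 36^8 keyspace come from the thread;
the offline hash rate is an assumed figure, not a benchmark.
"""
from __future__ import annotations

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from `charset_size` symbols."""
    return charset_size ** length


def online_seconds_per_guess(lock_after: int, lock_minutes: float) -> float:
    """Average seconds per guess when the account locks for `lock_minutes`
    after `lock_after` consecutive failures. 5 guesses per 15 minutes
    averages out to one guess every 180 s, as Doug computed."""
    return lock_minutes * 60.0 / lock_after


def online_years(guesses: int, lock_after: int = 5, lock_minutes: float = 15) -> float:
    """Years needed to submit `guesses` attempts through the throttled login."""
    return guesses * online_seconds_per_guess(lock_after, lock_minutes) / SECONDS_PER_YEAR


def offline_seconds(guesses: int, hashes_per_second: float) -> float:
    """Seconds needed to hash `guesses` candidates offline; no lockout applies."""
    return guesses / hashes_per_second


def estimate(charset_size: int, length: int, lock_after: int = 5,
             lock_minutes: float = 15, hashes_per_second: float = 1e9) -> dict:
    """Compare the two attack settings for one password shape.

    `hashes_per_second` is an assumed rate for a single fast hash such as
    MD5; pick the number for your own hardware and hash before relying on it.
    """
    n = keyspace(charset_size, length)
    expected_guesses = n // 2  # on average half the space is searched before a hit
    return {
        "keyspace": n,
        "online_years_full_search": online_years(n, lock_after, lock_minutes),
        "offline_seconds_expected": offline_seconds(expected_guesses, hashes_per_second),
    }


if __name__ == "__main__":
    # Doug's figure: one million guesses through the lockout.
    print(f"1e6 guesses online: {online_years(10**6):.1f} years")
    # Doug's keyspace: 8 symbols from [a-z0-9].
    r = estimate(36, 8)
    print(f"36^8 = {r['keyspace']:,} candidates")
    print(f"  online, full search:  {r['online_years_full_search']:.3g} years")
    print(f"  offline, expected:    {r['offline_seconds_expected'] / 60:.1f} minutes "
          f"at 1e9 hashes/s (assumed rate)")
    # A single dictionary word from an assumed 100,000-word list is a different story,
    # even online: the throttle still lets it through in well under a year.
    print(f"100k dictionary words online: {online_years(100_000) * 365.25:.0f} days")
```

The point the numbers make: the lockout turns a 36^8 search into tens of millions of years, but the same keyspace falls in minutes once the attacker has the hash and is not rate-limited, so the password itself still has to carry the load.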

KeithMcL

Freelance Web Designer
Joined
Jan 12, 2004
Messages
5,728
I've always found a good password to use is your car registration number. Here in Ireland they consist of two numbers then a letter and then 4 more numbers. I change mine from my car to my dads, then my sis', then my bro's and so forth :D
 

Meltingfire

Aspirant
Joined
Jan 10, 2004
Messages
18
Take any dictionary word:
"forumboard"
make it into leet-speak (1337-speak)
"f0rum804rd"

- Does it contain at least 10 characters? Yes
- At least 40% of which are numbers? Yes
- There are no dictionary words at all? Yes
- Is just a random mix of numbers and letters? Well...
- You changed it in the last month or two? Yes
- You haven't told anyone it or written it down where someone else may see it? Yes

That's how I remember my words =) Then of course you can have different degrees of leet-speak that are harder to understand etc ;))
 

floris

Habitué
Joined
Jan 17, 2004
Messages
1,342
I hope so!

Each week I set a new password to each admin account that I have. And none of my passwords are unique. I really don't understand why some users have the same email/forum and online banking password!!

So far (and not asking users to!) no abuse yet, only attempts (which are always reported).
 

N9ne

Adherent
Joined
Jan 6, 2004
Messages
274
silver_2000 said:
I just checked - my vB is set to disable access for 15 minutes after 5 bad passwords. Effectively that means a brute-force attack would be done at 1 password attempt every 3 minutes on average.....

If my numbers are right that is over 5.7 years to attempt 1 million passwords...

And if your password is simply numbers and lower-case letters there are 36*36*36*36*36*36*36*36 = 2,821,109,907,456 possible combinations. At 3 min per attempt that would be a really LONG time.....

The only effective way to do an attack of that magnitude is to have local access to the DB itself. If that is the case then .htaccess on your admincp folder isn't what you need to concentrate on... It is the access to the MySQL tools.

I am no security expert - please post if I have made a flawed logical assumption... or a math error...

Doug
But we have to remember that there are other forum software packages out there too, many of which may not have the functionality that vB does.

And also, these rules apply to any password, anywhere.
 

floris

Habitué
Joined
Jan 17, 2004
Messages
1,342
But you have to admit, it is confusing if you come here through vBadmins.com and end up on a general site ;)
 

Wired

Enthusiast
Joined
Feb 18, 2004
Messages
182
Leet-speak is decent in its use for password protection. Funny thing is that at work, a general password we all use for a particular app is in leet-speak. The good thing about it is that there are varying levels of it.
 

Ian Griffiths

Habitué
Joined
Nov 27, 2004
Messages
1,126
silver_2000 said:
The only effective way to do an attack of that magnitude is to have local access to the DB itself.
Or acquisition of the hash via cookie, browser cache etc. Hash can be worked on offline in that case.
 

Zachery

Moo
Joined
Feb 3, 2004
Messages
2,592
In vB that hash would take eons to break.

md5( md5(password)md5(licensenumber) ) or something like that o_O
 

Ian Griffiths

Habitué
Joined
Nov 27, 2004
Messages
1,126
I like the nested technique; it means that your first brute force on the compromised hash has to find a password of 32 chars, which, although it's only hex and not a full character set, is I'd guess preferable to something plaintext and short.
 
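Added example (editor's code, not from any poster, and not vBulletin's actual scheme): an offline attack against a nested-MD5 hash of the generic shape md5(md5(password) + salt), which is an assumed stand-in for the construction Zachery describes. The salt value and the word list are constructed for the demo. The attacker never searches for a 32-character hex string: each candidate password is simply run through the whole construction, so the nesting costs two MD5 calls per guess instead of one. It also applies the leet substitutions from Meltingfire's post to each dictionary word, so "f0rum804rd" falls out of the word "forumboard" after a handful of tries.

```python
"""Offline dictionary attack with leet-speak mangling against a nested MD5 hash.

Editor's example, not part of the original thread. The hash shape
md5(md5(password) + salt) is an assumed generic construction, not a
claim about what vBulletin actually does; SALT and WORDLIST are made up
for the demonstration.
"""
from __future__ import annotations

import hashlib
import itertools
from typing import Iterable, Iterator, Optional, Tuple

# Substitutions seen in the thread (o->0, b->8, a->4) plus a few common ones.
LEET = {"a": "4", "b": "8", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

SALT = "aBc"  # assumed per-site or per-user salt, public to anyone holding the DB row

# Constructed word list; a real attack would use a list of millions of entries.
WORDLIST = ["password", "forum", "forumboard", "letmein"]


def nested_hash(password: str, salt: str) -> str:
    """md5(md5(password) + salt): the two-layer construction under discussion."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def leet_variants(word: str) -> Iterator[str]:
    """Yield every way of leet-substituting the word, the plain word first.

    Each substitutable letter doubles the count, so a 10-letter word with four
    substitutable letters yields only 2**4 = 16 candidates.
    """
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def crack(target_hash: str, salt: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each word and its leet variants through the full construction.

    Returns (recovered_password, guesses_tried). Note that the lockout on the
    login form plays no part here; the attacker already holds the hash.
    """
    tried = 0
    for word in wordlist:
        for candidate in leet_variants(word):
            tried += 1
            if nested_hash(candidate, salt) == target_hash:
                return candidate, tried
    return None, tried


def variant_count(word: str) -> int:
    """Number of leet variants crack() will try for one word."""
    return 2 ** sum(1 for c in word if c in LEET)


if __name__ == "__main__":
    # The leet-speak password from the thread, as stored by a site using this hash.
    stored = nested_hash("f0rum804rd", SALT)
    found, tried = crack(stored, SALT, WORDLIST)
    print(f"recovered {found!r} after {tried} guesses")
    print(f"'forumboard' expands to {variant_count('forumboard')} leet variants")
```

Two things to take from the run: a rule-based attack treats leet-speak as a small multiplier on the dictionary, not as randomness, and the nested hash only doubles the per-guess cost because the attacker always starts from plaintext candidates rather than from the inner hash.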

Mok

TorontoGolfNuts.com
Joined
Oct 12, 2004
Messages
252
they say to try to use stuff like this also:

mary had a little lamb

mhall
 

Lugh

Habitué
Joined
Mar 18, 2004
Messages
1,814
I hear your mother's maiden name is secure :D

What I use for important passwords is a combo of Roboform and typing. This gets around my main problem, how to remember which long obscure password is for which site.

I enter my obscure string--eg E4gjm8sych04y--into Roboform as my default password. Then I only have to click a toolbar button to enter it.

I then type in the short memorable part of the password. So eg my password for here might be
E4gjM8sycH04yTheAZ

I change the obscure string regularly, and keep a note of it [split onto 3-4 pieces of paper] in my wallet in case I need it when traveling etc.

I find this an efficient combo for entering and changing passwords. You guys see any flaw in it?

Before Roboform I used combos of addresses and names usually as the obscure bit, with something about the site I'm visiting [like "TheAZ" in the example above] as the easily memorable bit. So I might have had
PENnSyLvanIa1600AvETheAZ
where each uppercase letter corresponds to a prime number position in the obscure bit.
 

Daijoubu

Speed & scalability...
Joined
Oct 30, 2004
Messages
318
I just use my old ISP randomly generated usernames, since I still remember them :)

- Does it contain at least 10 characters? 8 only
- At least 40% of which are numbers? No...
- There are no dictionary words at all? YES
- Is just a random mix of numbers and letters? YES
- You changed it in the last month or two? YES
- You haven't told anyone it or written it down where someone else may see it? Of course! ;)
 