Welcome to 12 character passwords

Page 2

IndyColtsFan

Lifer
Sep 22, 2007
33,655
688
126
You'd be surprised (or then again, maybe you wouldn't) at the sheer number of wannabe IT consultants/employees who are utterly clueless when it comes to even the most basic security steps. A few years ago, one of those worms (Code Red maybe?) was spreading like wildfire, so I decided to check my ISA logs periodically to get the IPs of systems trying to infect us. You would be shocked at the number of users running various versions of Windows Server at home with RDP enabled and a blank admin password. I connected to several on the first try. It was incredible.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Places I had to access that stored things as high security required 3 things to access the system.
1 - you had to be marked as present at the front desk. If someone tried to access the account, for example at night or after hours, days you were not supposed to have access, it would be flagged.
2 - Personal smart card inserted in slot at pc - if card was lost/stolen account would be disabled and you could not log off without removing the card first so no forgetting it
3 - personal password

There was also no physical access to any of the hardware. All each user had access to was keyboard with integrated card reader, mouse, monitor. No cdrom, usb, power, or ports. Everything else was behind a locked wire cage under the desk.
The network also had no access to the internet. If you wanted to use the internet to do research or email you left your workstation and went to a pc designed for that task. They were not even going to take the chance that a firewall or some other security appliance could be defeated.

The problem with passwords for the average person though is there are so many of them to remember. When I ask family members what passwords they want to use they almost always give me things like dogs' names, birthdays, etc., all the stuff that someone wanting access is going to try first. If I suggest something strong like mixed characters and symbols they get upset.
 

First

Lifer
Jun 3, 2002
10,518
271
136
If you use special characters, numbers, and upper/lower-case letters at least 8 characters long, you won't be able to brute force the password. I use 3 pws myself; a 6 number/letter password for basic accounts, a 10 number/letter/symbol for important accounts, and a 12 and 36 character number/letter/symbol password for precious data on backup and WPA2 APs. 2-factor authentication via biometrics is also quite sufficient, though expensive and cumbersome if you also need a HID keycard (which, btw, are easily hackable so they become useless, and some biometrics aren't much better).
 

Svnla

Lifer
Nov 10, 2003
17,986
1,388
126
Why this is in P&N and not in Off Topic? Just wondering.

OTOH, I always use passwords that are NOT in English or even a word, therefore, a dictionary-based crack won't work.
 

First

Lifer
Jun 3, 2002
10,518
271
136
^ rofl, being in English or not makes no difference to a dictionary attack.
 

drinkmorejava

Diamond Member
Jun 24, 2004
3,567
7
81
lol, the DOD has pretty much given up on passwords. Everything has been slowly transitioning to CAC only. Many of the sites that still let you use passwords are min 15 characters, so it still ends up being easier to enter gibberish, and then turn on CAC authentication and forget about it.
 

shira

Diamond Member
Jan 12, 2005
9,500
6
81
In other news hacking/unauthorized access skyrockets due to people writing down their passwords on stickies and leaving them on the desk.

This is why cheat-sheets for passwords should be encoded in terms of personal information that only the owner knows. If a hacker got a hold of my cheat-sheet, it would do them absolutely no good.
 

Bateluer

Lifer
Jun 23, 2001
27,730
8
0
You'd be surprised (or then again, maybe you wouldn't) at the sheer number of wannabe IT consultants/employees who are utterly clueless when it comes to even the most basic security steps. A few years ago, one of those worms (Code Red maybe?) was spreading like wildfire, so I decided to check my ISA logs periodically to get the IPs of systems trying to infect us. You would be shocked at the number of users running various versions of Windows Server at home with RDP enabled and a blank admin password. I connected to several on the first try. It was incredible.

This is something I've commented on before. The combination of Facebook, no privacy controls, a user's lack of knowledge, and a user's apathy is going to cause a disaster. And it won't be localized either. There's another article on CNN about Facebook where it states the average FB user has 130 friends. That's 130 people with their front doors open, who each have 130 friends, also with their front doors open, and so on.
 

Babbles

Diamond Member
Jan 4, 2001
8,253
14
81
Lately I've been using passwords randomly generated by KeePass. I feel that the password to my KeePass file is strong enough, however it is sort of putting all of my eggs in one basket. If that gets cracked then 99.9% of my username & passwords are accessible.

I don't keep my banking password in KeePass - or anywhere for that matter - and it is (for now I suppose) a rather "secure" password combination found only in my head.
 
May 11, 2008
22,804
1,490
126
Passwords have gotten longer over time, and security experts are already recommending that people use full sentences as passwords.

Here's one suggested password-sentence from Carnegie Mellon University:

"No, the capital of Wisconsin isn't Cheeseopolis!"

Or maybe something that's easier to remember, like this:

"I have two kids: Jack and Jill."

I do not find this safe. People will use common words. All the password cracker has to do is look for words. Family names and so on. Knowing how the human brain works, these kinds of passwords will be easier to crack than any random 12 character password.

People will use phrases as for example "My wedding date with Jill is March 24 1995."

This is convenient not to forget the wedding date and the password.
Social engineering is all that's needed. And that will be easy through social sites and online phonebooks.

A sentence of 7 words might be for example 27 characters but only 7 words.
And how many people are going to make up a language?
Might as well just use a 12 character password then.


Places I had to access that stored things as high security required 3 things to access the system.
1 - you had to be marked as present at the front desk. If someone tried to access the account, for example at night or after hours, days you were not supposed to have access, it would be flagged.
2 - Personal smart card inserted in slot at pc - if card was lost/stolen account would be disabled and you could not log off without removing the card first so no forgetting it
3 - personal password

There was also no physical access to any of the hardware. All each user had access to was keyboard with integrated card reader, mouse, monitor. No cdrom, usb, power, or ports. Everything else was behind a locked wire cage under the desk.
The network also had no access to the internet. If you wanted to use the internet to do research or email you left your workstation and went to a pc designed for that task. They were not even going to take the chance that a firewall or some other security appliance could be defeated.

The problem with passwords for the average person though is there are so many of them to remember. When I ask family members what passwords they want to use they almost always give me things like dogs' names, birthdays, etc., all the stuff that someone wanting access is going to try first. If I suggest something strong like mixed characters and symbols they get upset.

This is a great example of how it should be done. Security from multiple angles.
I get the same response from people when thinking of passwords though...
 
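The post above argues that a 7-word sentence is really only 7 choices, not 27 characters' worth. The following added example (not from the thread or any of its posters) puts numbers on that comparison by computing log2 of the keyspace for each password style mentioned; the alphabet sizes, the 7776-word and 2000-word vocabularies and the 1e10 guesses/second rate are assumptions chosen for illustration.

```python
"""Compare guessing effort for the password styles discussed in the thread.

Assumptions (constructed for this example): 94 printable ASCII symbols,
a 7776-word list (Diceware size), a 2000-word everyday vocabulary and an
offline rate of 1e10 guesses per second. The entropy figure is only valid
when every pick is uniformly random; a phrase built from personal facts
(a wedding date, a child's name) is not random and gets no such bound.
"""
import math

PRINTABLE = 94       # full printable ASCII set
ALNUM = 62           # letters and digits only
DICEWARE = 7776      # 6^5 words
COMMON_WORDS = 2000  # small everyday vocabulary (assumed size)


def entropy_bits(alphabet_size: int, choices: int) -> float:
    """Bits of entropy for `choices` uniform picks from `alphabet_size` symbols."""
    return choices * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try the whole keyspace at the given offline guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def passphrase_bits(phrase: str, vocab_size: int) -> tuple[float, float]:
    """Return (naive per-character bits, per-word bits) for a sentence password.

    The naive figure treats each character as a random printable symbol; the
    word figure counts only the words, which is what word-based guessing faces.
    """
    words = phrase.split()
    return entropy_bits(PRINTABLE, len(phrase)), entropy_bits(vocab_size, len(words))


def compare_schemes() -> dict[str, float]:
    """Entropy of the password styles mentioned in the thread."""
    return {
        "6 alnum chars (basic accounts)": entropy_bits(ALNUM, 6),
        "8 printable chars": entropy_bits(PRINTABLE, 8),
        "12 printable chars": entropy_bits(PRINTABLE, 12),
        "7 Diceware words": entropy_bits(DICEWARE, 7),
        "7 common words": entropy_bits(COMMON_WORDS, 7),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
    naive, by_word = passphrase_bits("I have two kids: Jack and Jill.", COMMON_WORDS)
    print(f"sentence: {naive:.1f} bits by characters vs {by_word:.1f} bits by words")
```

Run as-is to see that 7 words from a small vocabulary land below a random 12-character password, while 7 words from a 7776-word list land above it.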

Bateluer

Lifer
Jun 23, 2001
27,730
8
0
I do not find this safe. People will use common words. All the password cracker has to do is look for words. Family names and so on. Knowing how the human brain works, these kinds of passwords will be easier to crack than any random 12 character password.

People will use phrases as for example "My wedding date with Jill is March 24 1995."

This is convenient not to forget the wedding date and the password.
Social engineering is all that's needed. And that will be easy through social sites and online phonebooks.

A sentence of 7 words might be for example 27 characters but only 7 words.
And how many people are going to make up a language?
Might as well just use a 12 character password then.

Agreed, though you could throw in some special characters or add in some numbers (not l33tsp3ak) to make it harder. That'd be perfectly fine for most home users.

This is a great example of how it should be done. Security from multiple angles.
I get the same response from people when thinking of passwords though...

True, but I think this article is geared for the home individual accessing their home PC, their Facebook page, their online bank site, etc. To go that far for the home PC is overkill, you do have to strike a balance between accessibility and security. I'm not going to have a single PC in my house connected to the Cloud while the others are internal only and not connected physically to the outside. That's idiotic in the house. Even in a corporate setting, that still may not be feasible.

A 12 character, alphanumeric password isn't that difficult to create, remember, and modify as needed. You could do something like ghUY$&lk2548 and then switch it to 2548$&lkghUY, simply flipping the groups of four characters around. Trying to brute force either of those two is equally difficult, I would think. If you hit a time limit on a website or system for the password, rotating sets of characters has always worked well for me. Although, it has gotten more complicated over the past 8 years. Started with incrementing a single digit, now it's incrementing several digits and changing the order of sets of characters.