Passwords security

Notepad_Phil

RG2015 said:

Billxx said:

RobM99 said:

OK thanks, I was thinking more of special characters that don't appear on a keyboard. I'd have thought they'd be a tad more secure.   ß ◙ ì  

I doubt it.  "Brute force" password cracking programs will cycle through all the known ASCII characters and other variants.

Presumably this means that all the known ASCII characters and variants have the same value to a brute force password cracking program. The only benefit would be that it could not be guessed by a person as it spelled out gobbledegook.

On a related issue though, don't banks have a limit to the number of failed attempts, thus rendering a brute force method ineffective?

re brute force and failed attempts - the issue comes when the hackers somehow know the coded value of your password and they run a brute force of every variant until they match the code they have. Hopefully a bank's security means that the likelihood of that happening from their systems is very remote, however if someone uses the same password across their logins then the chances rise that one of the systems you access has lax security. The hackers then have your password for all the systems you access with the same password.

k_man

Deleted_User said:

... but you can take something like Sausagedog22!? (16 years to crack) and make it way harder just by putting something on the front unique for each site e.g. MSSausagedog22!? (14 thousand years!) for MSE or HOSausagedog22!? for Hotmail etc - not wonderful to use the same password format but if no-one knows it or the coding convention then it's better than the minimum

The use of patterns like this effectively reduces the password strength to that of the unique part (2 characters, relating to the site, in these examples) in the event of a breach of one password, from one site or system where these are used.

E.g. if MSE have a security breach involving these credentials a hacker can now guess the password for most other sites

jbrassy

I would recommend using a password manager like Lastpass or One Password. Then you can create randomised passwords which are 16+ characters long which you don't need to remember. Just as important is to use 2 factor  authentication.

RG2015

jbrassy said:

I would recommend using a password manager like Lastpass or One Password. Then you can create randomised passwords which are 16+ characters long which you don't need to remember. Just as important is to use 2 factor  authentication.

Many banks ask for random characters so a password manager would not work.

I do use 2 factor authorisation when required. I am not aware of any banks that have optional 2FA.

uk1

Ebe_Scrooge said:

A good trick for making passwords easy for you to remember but impossible (for a human) to guess is to use a phrase (apologies if I'm teaching granny to suck eggs, but it might be helpful for some folk).  Pick a phrase that means something to you, for example "My dog is called Arthur and he wakes me up at 6am every morning with his barking!"  Take the first letter from each word, giving you a password of "MdicAahwmua6amemwhb!".

Not directly related to the original question I realise - but it's a handy little tip.

I have what I believe to be a slightly improved version of this approach where I use such a phrase - in my case my favourite record title and add to it the specific website and then my name.  i might use a similar approach with my wife’s name for her accounts.  

This means that I have a very memorable but unique password but it is different and unique for every different account. So in the event that one account is compromised it wouldn’t mean all are.

So for example if it were Chase and my favourite record is You heard it through the Grapevine” my password might be “Uh1tTgchasejohn!”  

400ixl

A password manager would work for random characters, rather than just having oit automatically fill it in, you have it display the password and you transpose the correct characters. Works just fine.

Most do indeed use 2FA these days to log in, but many utilise the password for doing certain tasks such as setting up new payee's or even when you do a transfer, so the password is not dead yet.

I wouldn't recommend anyone who is not already invested in Lastpass to use that. It was one of the leaders, but has become so commercialised now and getting worse it is not worth getting into. The most popular one used / recommended by techology and security specialists is Bitwarden these days.

tempus_fugit

Deleted_User said:

You could test your password strength online easily enough but a longer one, rather than special characters, is actually far better - I had an old wifi password which was over 50 characters (might even have been over 100) as it was a long sentence. The new router refused to accept it as it didn't have upper case letters and numbers despite the acceptable password being only 12 characters or something silly.

Password123!?

Would take 0.23 seconds to crack 

Yet

mynameisfarfetchandipostonmoneysavingexpertwebsite
 
would take 1 thousand trillion years despite no numbers, capitals or special characters

I tend to use the firefox or google generated ones, usually 16-20 characters of randomly generated letters but you can take something like Sausagedog22!? (16 years to crack) and make it way harder just by putting something on the front unique for each site e.g. MSSausagedog22!? (14 thousand years!) for MSE or HOSausagedog22!? for Hotmail etc - not wonderful to use the same password format but if no-one knows it or the coding convention then it's better than the minimum

You're right. There is a maxim, "length trumps complexity" that applies here.

tempus_fugit

RG2015 said:

jbrassy said:

I would recommend using a password manager like Lastpass or One Password. Then you can create randomised passwords which are 16+ characters long which you don't need to remember. Just as important is to use 2 factor  authentication.

Many banks ask for random characters so a password manager would not work.

I do use 2 factor authorisation when required. I am not aware of any banks that have optional 2FA.

I'm confused as to what you mean by the bit in bold. I use a password manager and it works fine, it's the whole point in that you can create random passwords rather than memorable ones and store them in the password manager. 

Or re you referring to the bit where they ask for characters 1, 3 and 7 of your memorable information? In that case I also store it in the password manager but obviously have to enter them manually as I haven't discovered a way yet that the password manager can fill these in automatically. It doesn't mean a password manager cannot be used to manage them though.

RG2015

tempus_fugit said:

RG2015 said:

jbrassy said:

I would recommend using a password manager like Lastpass or One Password. Then you can create randomised passwords which are 16+ characters long which you don't need to remember. Just as important is to use 2 factor  authentication.

Many banks ask for random characters so a password manager would not work.

I do use 2 factor authorisation when required. I am not aware of any banks that have optional 2FA.

I'm confused as to what you mean by the bit in bold. I use a password manager and it works fine, it's the whole point in that you can create random passwords rather than memorable ones and store them in the password manager. 

Or re you referring to the bit where they ask for characters 1, 3 and 7 of your memorable information? In that case I also store it in the password manager but obviously have to enter them manually as I haven't discovered a way yet that the password manager can fill these in automatically. It doesn't mean a password manager cannot be used to manage them though.

Yes, the second bit.

I have enough trouble remembering a familiar password’s 7th, 10th and 12th characters. I would struggle with a complex one unless the PM does this for you.

I do see now though that contrary to my initial statement that a PM would work to store the password.

sausage_time

I use PasswdSafe and it let's me display random characters (3, 7, 10 say).  Won't autotype them.