
Passwords security


Comments

  • SiliconChip
    SiliconChip Posts: 1,821 Forumite
    1,000 Posts Third Anniversary Name Dropper
    edited 23 September 2022 at 8:31AM
    RG2015 said:
    jbrassy said:
    I would recommend using a password manager like Lastpass or One Password. Then you can create randomised passwords which are 16+ characters long which you don't need to remember. Just as important is to use 2 factor authentication.
    Many banks ask for random characters so a password manager would not work.
    Interestingly I've had an email from Co-op Bank this week to say that they may now ask for the full VbV password rather than 3 random characters - that seems to me to be a less secure method as it means a keylogger would intercept the full password.
  • sausage_time
    sausage_time Posts: 1,451 Ambassador
    Tenth Anniversary 1,000 Posts Name Dropper Photogenic
    It also means that the Co-op will likely no longer store your password in plain text. That should give you some comfort in case their systems are hacked.
    I'm a Forum Ambassador and I support the Forum Team on the Credit Cards, Savings & Investments, and Budgeting & Bank Accounts boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
    All views are my own and not the official line of MoneySavingExpert.
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 23 September 2022 at 9:26AM
    uk1 said:
    A good trick for making passwords easy for you to remember but impossible (for a human) to guess is to use a phrase (apologies if I'm teaching granny to suck eggs, but it might be helpful for some folk). Pick a phrase that means something to you, for example "My dog is called Arthur and he wakes me up at 6am every morning with his barking!" Take the first letter from each word, giving you a password of "MdicAahwmua6amemwhb!".
    Not directly related to the original question I realise - but it's a handy little tip.
    I have what I believe to be a slightly improved version of this approach where I use such a phrase - in my case my favourite record title - and add to it the specific website and then my name. I might use a similar approach with my wife's name for her accounts.

    This means that I have a very memorable but unique password but it is different and unique for every different account. So in the event that one account is compromised it wouldn’t mean all are.

    So for example if it were Chase and my favourite record is "You heard it through the Grapevine" my password might be "Uh1tTgchasejohn!"
    As above, this is effectively password reuse.
    One compromised/leaked password makes guessing all the others very easy.
    Even worse if your favourite song is very common or known by anyone who knows you (e.g. on your social media profile).

    ETA: for completeness, this method is slightly better than reusing the same password, e.g. against automated attacks.
    But for something more targeted, e.g. identity theft, where some human effort is included, one compromised account could open up one/all.
  • k_man said:
    ... but you can take something like Sausagedog22!? (16 years to crack) and make it way harder just by putting something on the front unique for each site, e.g. MSSausagedog22!? (14 thousand years!) for MSE or HOSausagedog22!? for Hotmail etc. - not wonderful to use the same password format, but if no-one knows it or the coding convention then it's better than the minimum.
    The use of patterns like this effectively reduces the password strength to that of the unique part (2 characters, relating to the site, in these examples) in the event of a breach of one password, from one site or system where these are used.

    E.g. if MSE have a security breach involving these credentials, a hacker can now guess the password for most other sites.


    I agree it's not ideal, but if someone is going to use the same password on every site, at least making it more complex makes it better. You don't even need to have an obvious format: MSE could be MS, Mo, Mt, whatever works, particularly if it's ambiguous. Or fiddle around with it: MSE = 3 letters so MSSausagedog3!?, but Hotmail is 7 so 7!? etc. etc.

    The idea is to make it so passwords are complex but the system isn't so much work that people will just give up and use their dog's name and birth year on everything.
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 23 September 2022 at 1:08PM
    For a brute force dictionary attack this is equivalent to a 13-length password:

    my name is far fetch and i post on money saving expert website

    The 19 character password elephantrhinocerous is equivalent to a length 2 password for brute force attacks, i.e. you might just as well use the password '12'.
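The two attack models discussed above (k_man's point that a leaked reused base leaves only the site-specific part to guess, and km1500's point that a string of dictionary words is attacked word by word rather than letter by letter) can be made concrete with a small strength estimator. This is an added example, not code from anyone in the thread; the WORDS list, DICT_SIZE and GUESSES_PER_SEC are assumed values chosen for illustration.

```python
import math

# Constructed word list standing in for an attacker's dictionary (assumption).
WORDS = {"my", "name", "is", "far", "fetch", "and", "i", "post", "on", "money",
         "saving", "expert", "website", "elephant", "rhinocerous", "password",
         "sausagedog"}
DICT_SIZE = 2 ** 14        # assumed number of words the attacker tries per slot
GUESSES_PER_SEC = 1e10     # assumed offline guessing rate (hashes per second)


def charset_size(pw: str) -> int:
    """Alphabet a character-by-character brute force must cover for pw."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]
    return sum(n for test, n in classes if any(test(c) for c in pw))


def bits_bruteforce(pw: str) -> float:
    """Entropy if each character were drawn uniformly from pw's alphabet."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def fewest_words(pw: str):
    """Fewest dictionary words that concatenate to pw (case-insensitive), or None."""
    s, inf = pw.lower(), float("inf")
    best = [0] + [inf] * len(s)           # best[i]: fewest words covering s[:i]
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] < inf and s[j:i] in WORDS:
                best[i] = min(best[i], best[j] + 1)
    return None if best[-1] == inf else best[-1]


def effective_bits(pw: str) -> float:
    """Attacker uses whichever model is cheaper, so strength is the minimum."""
    bf, k = bits_bruteforce(pw), fewest_words(pw)
    return bf if k is None else min(bf, k * math.log2(DICT_SIZE))


def bits_after_leak(pw: str, leaked: str) -> float:
    """Entropy left once a reused base (leaked from another site) is known."""
    if leaked not in pw:
        return effective_bits(pw)
    return bits_bruteforce(pw.replace(leaked, "", 1))


def crack_years(bits: float) -> float:
    """Expected years to search half the keyspace at GUESSES_PER_SEC."""
    return 2 ** (bits - 1) / GUESSES_PER_SEC / (365.25 * 86400)
```

Under the word model elephantrhinocerous scores as two dictionary slots (28 bits with these assumptions) rather than 19 random letters, and MSSausagedog22!? keeps only the two prefix letters (about 9.4 bits) once the base has leaked. The estimator covers only the two attacks discussed in the thread; it does not model common-pattern guessing, so a password like Password123!? is scored as if its characters were random.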
  • RG2015
    RG2015 Posts: 6,045 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    RG2015 said:
    jbrassy said:
    I would recommend using a password manager like Lastpass or One Password. Then you can create randomised passwords which are 16+ characters long which you don't need to remember. Just as important is to use 2 factor authentication.
    Many banks ask for random characters so a password manager would not work.
    Interestingly I've had an email from Co-op Bank this week to say that they may now ask for the full VbV password rather than 3 random characters - that seems to me to be a less secure method as it means a keylogger would intercept the full password.
    I have some questions here.

    How does a keylogger gain access to your computer and how would you know if they had?

    Is a bank requiring 3 random characters more secure than one asking for the full password?
  • jon81uk
    jon81uk Posts: 3,882 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    You could test your password strength online easily enough, but a longer one, rather than special characters, is actually far better - I had an old wifi password which was over 50 characters (might even have been over 100) as it was a long sentence. The new router refused to accept it as it didn't have upper case letters and numbers, despite the acceptable password being only 12 characters or something silly.

    Password123!?

    Would take 0.23 seconds to crack.

    Yet

    mynameisfarfetchandipostonmoneysavingexpertwebsite

    would take 1 thousand trillion years despite no numbers, capitals or special characters.

    That is pretty much summed up by this cartoon: xkcd: Password Strength

  • binao
    binao Posts: 666 Forumite
    Fifth Anniversary 500 Posts Name Dropper
    RG2015 said:
    RG2015 said:
    jbrassy said:
    I would recommend using a password manager like Lastpass or One Password. Then you can create randomised passwords which are 16+ characters long which you don't need to remember. Just as important is to use 2 factor authentication.
    Many banks ask for random characters so a password manager would not work.
    Interestingly I've had an email from Co-op Bank this week to say that they may now ask for the full VbV password rather than 3 random characters - that seems to me to be a less secure method as it means a keylogger would intercept the full password.
    I have some questions here.

    How does a keylogger gain access to your computer and how would you know if they had?

    Is a bank requiring 3 random characters more secure than one asking for the full password?
    A keylogger is basically a small program that you are tricked into installing.

    Security software will help.

    Your comp will also tend to run slower because the keylogger is running in the background.

    There are many answers to your question.

    Being suspicious plus common sense is the best defence, as for scams.

  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    Often a bank will ask you to input something like a password or memorable data using drop-down boxes rather than a keyboard, as a keylogger would be unable to log the drop-down boxes.
  • RG2015
    RG2015 Posts: 6,045 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    km1500 said:
    Often a bank will ask you to input something like a password or memorable data using drop-down boxes rather than a keyboard, as a keylogger would be unable to log the drop-down boxes.
    This is very interesting and something I had not considered while still using my keyboard rather than my trackpad.

    In a similar vein, does this mean keylogging would not work on a tablet screen keyboard?