Generating passwords
The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time
http://gizmodo.com/the-guy-who-inven...now-1797643987
Very good password checker site:
https://howsecureismypassword.net/
Kubuntu 18.04.3 LTS -- KDE 5.12.9
seconds on the previous post about password "rules".
The problem with password "strength" (to me at least, but also to a lot of other people) is not how complicated the password is but
a) the computing power of the people attempting to break the password,
which leads to:
b) the time between when passwords are harvested from an intrusion and when "a useful password" in terms of financial gain or street cred in the hacker / whatever (government run) community or national news ...can be obtained to actually get at the goal desired by the hacker.
So, the college "used to" have us change our passwords maybe "yearly".
It is now down to six months.
In other words, the college is changing the amount of time that the hacker that might get into the system has to get "at" a useful password, such as a site administrator.
Here is an example from my bank.
I am now getting a new bank card for my checking account about every six months.
I am considering teaching on a certain online company which is specializing in teaching... people in "mainland / Communist" China!
That got me to thinking because they are going to "direct deposit" into my account... hmmmm...okaaay...maybe the group for which I would teach ( private ) is legit but what about a "mole" that might get into it...after all...there HAS to be at least a few people who are AT LEAST "bilingual"...
Up until this point I have NEVER...done ANY kind of "financial transactions" online with my checking account except through PayPal which had a break in a few years ago when I put a credit card onto it after that.
So I go to my local bank building and inquire and the guy just laughed and said...of ALL THE PEOPLE...only YOU would come up with this concern! lol
Here is what he said:
a) your concern is valid because when your routing number "is out there" it is OUT THERE; a password is somewhat worthless when they are ACTUALLY IN...an account...
that applies to the college, a business, etc.
b) that is why the bank uses a choice of PICTURES as the second check after one logs in with the password. In other words the hacker will not "necessarily" be able to "physically observe" the pictures and so won't know which to choose.
c) more importantly the three digit code on THE BACK of the card has been changed and the person has to have the physical card to actually see it...however, it could also be figured out by an algorithm...That is why the cards are being physically changed every six months...
and here are the two operative things...
d) the bank is insured by the government to pay you one hundred percent of your losses because the information is stored three times so that even if your account is rifled AND the information "removed" it is not removed from "the other storage place".
e)... The answer to this is quite simple and cheap for the bank...
WE WILL PROVIDE YOU ANOTHER ACCOUNT, put a hundred dollars in it and have the deposit made to it.
so...
WHAT I personally do on all of my hardware is to change the password every month...I have a PAPER list of words like Gef2elterf4arb
in which each one of the letters is changed out "in a random way" to capital and the digits are changed.
I would recommend that EVERYBODY get a "secondary" banking account that is NEVER ACCESSED EXCEPT BY WALKING INTO THE BANK and moving money in or out and KEEPING the stupid little piece of paper in a "safe place".
( this is kind of what Apple is getting at about "facial recognition"... now yes, the hacker could "hold a picture of you up"...but if one pays attention to what is being reported about "facial recognition software" it can also read "posture and gesture"...
https://www.icarvision.com/en/does-b...cognition-work
So, back to the college and the password changes.
After bowing to the realization that COLLEGE PROFESSORS ARE BONE LAZY AND INCOMPETENT outside of their "sphere of information"...
I mean, people using 1234abc is an example; this is a COLLEGE PROFESSOR...( not in one of the "hard sciences" btw)...
And the massive increase in computing power of the hackers now requires a password change every six months and requires:
7 "items" of which two must be numbers and two must be capital and gives an example.
7phYsic8al
so, the 7 and 8 can be when you were born,
a) the hacker does not know when you were born unless all of your records in the payroll department were also hacked.
b) a "thing" is a "thing" is a "thing" in terms of binary code it is all ons and offs whether it is a letter or a number
c) so the word physical is an ENGLISH word when the "foreign bad actor" is "probably" fluent in another language. So, the hacker once she or he has it is going to have to let the algorithm work its magic and then enter the letter number combination which takes ...TIME...
Thus the push to having a RELATIVELY simple password THAT IS EASILY REMEMBERED BY THE USER being changed REGULARLY...over a relatively short period of time...
I generated a series of such words a couple of years ago and I change them ON ALL MY HARDWARE...every month...
and not all of the hardware has the same change...
Why?
The router does not need for me to "log in" every day...
But the computer does.
woodsmoke
Last edited by woodsmoke; Aug 09, 2017, 08:54 AM.
Diceware is very effective. I have also created my own word lists by combining columns from a Shakespeare insult generator and a book I was given on "Creative Cursing." While the phrases are quite memorable, admittedly, it does decrease the randomness.
If you think Education is expensive, try ignorance.
The difference between genius and stupidity is genius has limits.
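As an added example (not code from anyone in this thread), a Diceware-style generator in Python: it draws words with the OS CSPRNG and shows that the entropy depends only on list size and word count, which is why a custom list built from two books gives fewer bits per word than the standard 7776-word list. The sample word list is constructed for the example.

```python
import math
import secrets

# Constructed miniature word list standing in for a real Diceware list;
# a real list has 6**5 = 7776 entries, one per roll of five dice.
SAMPLE_WORDS = ["pickles", "vodka", "peas", "carrots", "cat", "hat", "blue",
                "shoe", "winnie", "pooh", "wood", "smoke", "quill", "lamp",
                "river", "stone"]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def entropy_bits(list_size: int, words: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly and
    independently from a list of `list_size` entries (the attacker is
    assumed to know the list, so only the choices count)."""
    return words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware_phrase(wordlist, words: int, sep: str = "-") -> str:
    """Draw `words` entries with the OS CSPRNG (secrets, never random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # A 7776-word list gives ~12.9 bits per word; the 16-word sample list only 4.
    print(entropy_bits(DICEWARE_LIST_SIZE, 6))   # ~77.5 bits
    print(words_needed(DICEWARE_LIST_SIZE, 64))  # 5 words for 64 bits
    print(words_needed(len(SAMPLE_WORDS), 64))   # 16: a small list needs many words
    print(diceware_phrase(SAMPLE_WORDS, 5))
```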
The suggestion given by xkcd is what I use to form my passwords.
Also, why would anyone post their password to an Internet website claiming to be a password strength tester?
"A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
– John F. Kennedy, February 26, 1962.
PS - my passwords are generally over 40 characters long but very easy to type rapidly, if one doesn't have a slight case of age-related tremors.
Originally posted by GreyGeek:
PS - my passwords are generally over 40 characters long but very easy to type rapidly, if one doesn't have a slight case of age-related tremors.
Az541-8! would take 9 hours to crack
teknology4! is 5 years
winnie the pooh (yes there are spaces in there) will take 5 million years
pickles-and-vodka 2 billion years
peas-and-carrots 51 million years
peas-8-and-8-carrots 11 quadrillion years
This gives you an idea about the order of things that allows you to pick different words and combinations. It also is a way to make it more memorable. Notice how replacing the - in peas-and with -8- in peas-8-and changes the security. Plus it is easy to memorize. Something very easy like cat-hat-blue-shoe-enter is 10 quintillion years, which is more secure and easier to remember than Hx4*Vn7#38lj, which is 34 thousand years to crack.
It's a good tool to play with. It gives you ideas. I would never put an actual password in there that I was going to use. And I would never take the time it shows (51 million years) as an absolute. It's just a guideline that lets you make a more secure passphrase.
I wanted to mention Security Questions. I never choose or answer security questions that have anything to do with me, in order to make them more secure. If my dog was named sparky, I would never use the dog question or sparky in any security question. I would instead choose "favorite teacher" and the answer might be yellow. I've never had a favorite teacher and yellow is not a person's name. This is also helpful for someone asking you who your favorite teacher is IRL that may be fishing for your personal data. The point is, choose a security question that is not related to you. If you are allergic to dogs, choose the dog question. And make your answer something very odd, like cucumber, keyboard, 555-1212, goMets! or kubuntu.
These are unlikely dog names and only you can know the randomness of it. Favorite teacher? Volkswagen. Mother's maiden name? Australia. These are completely random and disassociated from the actual question, but easier for the individual to remember.
Not all so-called password strength testers are equal either. Some put more importance on the use of punctuation characters and letter case than they do on entropy.
You wouldn't. But to get a better idea on what is harder to crack, this can be a useful tool.
Az541-8! would take 9 hours to crack
teknology4! is 5 years
winnie the pooh (yes there are spaces in there) will take 5 million years
pickles-and-vodka 2 billion years
peas-and-carrots 51 million years
peas-8-and-8-carrots 11 quadrillion years
Originally posted by whatthefunk:
Not so sure about the accuracy of this. A lot of more advanced password crackers look for dictionary words so things like 'peas-and-carrots' would take a lot less than 51 million years and I think would be much simpler to crack than something like 'Az541-8!' that is totally random and uses numbers and symbols...
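To make whatthefunk's point concrete, an added Python example (not from anyone in the thread) that scores the passwords quoted above under two attacker models: pure brute force over the character set, and a wordlist cracker that joins dictionary words with a separator and short fillers. The guess rate, wordlist size and the embedded word set are constructed assumptions, so the numbers are illustrative of the gap between models, not a real cracker's throughput.

```python
import math
import re

# Constructed assumptions for this example: an offline attacker guessing at
# GUESSES_PER_SECOND against a fast hash, a cracking wordlist of WORDLIST_SIZE
# entries, and a handful of those entries embedded here so it runs offline.
GUESSES_PER_SECOND = 1e10
WORDLIST_SIZE = 100_000
KNOWN_WORDS = {"peas", "and", "carrots", "pickles", "vodka",
               "winnie", "the", "pooh", "cat", "hat", "blue", "shoe"}
SEPARATORS = " -_."            # the four joiners a word-combining cracker tries
FILLER = "0123456789!@#$%^&*"  # short digit/symbol fillers between words
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))


def charset_size(pw: str) -> int:
    """Alphabet a brute-force search must cover, by character class present."""
    return sum(n for pattern, n in CLASSES if re.search(pattern, pw))


def brute_force_bits(pw: str) -> float:
    """Bits of work if every string of this length and charset is tried."""
    return len(pw) * math.log2(charset_size(pw))


def dictionary_bits(pw: str):
    """Bits of work for a cracker that joins wordlist entries with one
    separator and optional short fillers; None if the password is not that shape."""
    bits = math.log2(len(SEPARATORS))            # which separator was used
    for tok in re.split(r"[ \-_.]", pw):         # split on those same separators
        if tok.lower() in KNOWN_WORDS:
            bits += math.log2(WORDLIST_SIZE)     # one wordlist position per word
        elif 1 <= len(tok) <= 2 and all(c in FILLER for c in tok):
            bits += len(tok) * math.log2(len(FILLER))
        else:
            return None                          # not a word-combination password
    return bits


def effective_bits(pw: str) -> float:
    """The attacker picks whichever model is cheaper for this password."""
    d, b = dictionary_bits(pw), brute_force_bits(pw)
    return b if d is None else min(b, d)


def seconds_to_crack(bits: float) -> float:
    """Worst-case time to exhaust the search space at the assumed guess rate."""
    return 2 ** bits / GUESSES_PER_SECOND
```

Calling `effective_bits` on 'Az541-8!' and 'peas-and-carrots' gives roughly 52 bits for both, while the brute-force model alone rates the passphrase at over 90 bits; adding the -8- fillers raises the dictionary-model cost by about 8 bits.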
Originally posted by whatthefunk:
Interesting. I still say using a password manager with long randomly generated strings is best.
I use the long phrase method, mixing languages and with a weird salt. But, I can only remember a few and use a password manager.
A spying scandal has just broken in my country. Ordinary people like me have been under serious well-funded surveillance for a long time. I wonder what passwords they use?
Regards, John Little
Originally posted by jlittle:
I use the long phrase method, mixing languages and with a weird salt. But, I can only remember a few and use a password manager.