Tips for a Secure password
|
Norf Lundquist
Registered User
Join date: 19 Jul 2007
Posts: 47
|
09-19-2007 08:49
Hi, I've read a couple of posts about secure passwords and "hacking". Whilst true hacking and vulnerabilities are down to LL (which to be fair they have kept informed), something can be done about secure passwords. Take on board the advice so far, such as changing them frequently. There is a technique to secure your own password that's pretty universal.

Some people use a very basic password such as "secret", "password" or "RANDOMWORD123" - I kid you not, and don't look embarrassed if *yours* is that at the moment! Also, passwords can be "dictionary attacked", i.e. literally a dictionary is used to guess your password - so if your password appears in the dictionary it stands a good chance of being "cracked".

So... the technique - it's very, very simple. Choose your word or passphrase; for example, I'll use the word "password". There's no need for numbers or anything complicated at this stage, as you will see - keep it as simple as you'd like; the whole idea is "simple but effective".

Now, when typing it in on the keyboard, use the key that's up and to the right of the letter - so the "p" will become a "-", the "a" will become a "w" - simply look at the keyboard whilst typing and "offset" your key pushes, so "password" now becomes "-wee305r".

Another example: "helloworld" becomes "u4pp0305pr", which as you can see is far harder to guess - but also very easy to remember using the "key offset" when typing it in. In fact, most of the time you never actually see what the password is because it's starred out, and you don't need to remember the "actual" password as you know the phrase that is offset to create it - so if someone asks you what your password is, 99% you can reply "I don't know!"

If you have any queries or comments to make about this, please IM me in world or simply reply!

(NOTE: this works great on *most* keyboards, but I appreciate some non UK/US keyboards may represent a problem - simply try it in a new notepad or something 1st to see how easy it is!)

PPS - someone just asked me what a "space" would be - well, you can choose! It can be anything - just make it consistent. It doesn't matter if it's a "1" or a "h" or anything - just remember which key! Or don't use a password with a space.

Regards
Norf Lundquist
|
Draco18s Majestic
Registered User
Join date: 19 Sep 2005
Posts: 2,744
|
09-19-2007 15:29
Another one I've seen (I don't know what my friend actually typed, just how he did it) is to have two words and type them as follows:
"password" and "123"
type p-a-s-s-w-o-r-d then hit the left key twice 1 then hit the left key thrice 2 then hit the left key thrice 3
in the end you get "pa3ss2wo3rd" as a password and you don't know that! You just know the two words and the spacing.
|
Ceera Murakami
Texture Artist / Builder
Join date: 9 Sep 2005
Posts: 7,750
|
09-19-2007 16:06
From: Draco18s Majestic
Another one I've seen (I don't know what my friend actually typed, just how he did it) is to have two words and type them as follows:
"password" and "123"
type p-a-s-s-w-o-r-d then hit the left key twice 1 then hit the left key thrice 2 then hit the left key thrice 3
in the end you get "pa3ss2wo3rd" as a password and you don't know that! You just know the two words and the spacing.

That kind of password will get hacked in seconds by a dictionary search attack, and is no more secure than "password323". You want a good password? Make sure it has the following attributes:

1: Absolutely NO dictionary words. Preferably not even in foreign languages.
2: At least one capital letter.
3: At least one lower case letter.
4: At least one numeric digit.
5: At least one "special character" such as a dash, colon, asterisk, or exclamation point.
6: At least eight characters in length.

Not all password systems will allow all of these attributes, but the more of them that you include, the better your defense against being hacked.

Ah, but how the heck am I supposed to remember a password that looks like "Ai1wtUf1!"? Make up a nonsense phrase, preferably one you can associate with a silly image. For example, picture Alice in Wonderland, standing at a classroom blackboard, and teaching a class in UNIX. Make a phrase about that, and use the first letters of the phrase, sometimes capitalized, sometimes numeric equivalents, as the password. "Alice in Wonderland will teach UNIX for once!" becomes "Ai1wtUf1!".

I've tested this technique in professional computer security courses, where as a lab assignment we made what we hoped would be good passwords, then used the hottest hacker tools to break them all. My method never got cracked.
_____________________
Sorry, LL won't let me tell you where I sell my textures and where I offer my services as a sim builder. Ask me in-world.
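
The six attributes listed in the post above, written as a password audit that also undoes the two typing tricks from the earlier posts (the key offset and the inserted digits) before the dictionary lookup. This is an added example, not code from anyone in the thread; WORDLIST is a constructed stand-in for a real dictionary, and the names key_offset and audit are assumptions.

```python
import string

# US/UK QWERTY rows, top to bottom. "Up and to the right" of the key at
# ROWS[i][j] is ROWS[i-1][j+1], which is the offset used in the first post.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFT = {key: ROWS[i - 1][j + 1]
         for i in range(1, len(ROWS))
         for j, key in enumerate(ROWS[i])
         if j + 1 < len(ROWS[i - 1])}
UNSHIFT = {shifted: key for key, shifted in SHIFT.items()}

# Constructed stand-in for a real dictionary or breached-password list.
WORDLIST = {"password", "secret", "helloworld", "wonderland", "unix"}


def key_offset(phrase):
    """Apply the key offset to a phrase, as when typing it in."""
    return "".join(SHIFT.get(c, c) for c in phrase.lower())


def audit(pw):
    """Return which of the six attributes from the post above pw fails."""
    low = pw.lower()
    # Fixed transformations to undo before the dictionary lookup.
    variants = {
        low,
        "".join(c for c in low if c.isalpha()),    # inserted digits/symbols removed
        "".join(UNSHIFT.get(c, c) for c in low),   # key offset reversed
    }
    checks = [
        ("dictionary word", not any(w in v for v in variants for w in WORDLIST)),
        ("capital letter", any(c.isupper() for c in pw)),
        ("lower case letter", any(c.islower() for c in pw)),
        ("numeric digit", any(c.isdigit() for c in pw)),
        ("special character", any(c in string.punctuation for c in pw)),
        ("eight characters", len(pw) >= 8),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    for pw in ["-wee305r", "pa3ss2wo3rd", "password323", "Ai1wtUf1!"]:
        print(f"{pw!r:16} fails: {audit(pw) or 'nothing'}")
```

Because both typing tricks are fixed, reversible transformations, the audit maps "-wee305r" and "pa3ss2wo3rd" back to "password", while the acronym "Ai1wtUf1!" passes all six checks.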
|
Draco18s Majestic
Registered User
Join date: 19 Sep 2005
Posts: 2,744
|
09-20-2007 07:59
From: Ceera Murakami
That kind of password will get hacked in seconds by a dictionary search attack, and is no more secure than "password323".

By "word" I meant things you can remember. Not necessarily an actual WORD.
|
Haravikk Mistral
Registered User
Join date: 8 Oct 2005
Posts: 2,482
|
09-20-2007 08:29
The main issue isn't in having your passwords 'hacked', but stolen. If a vulnerability allows the password to be seen then that is very bad indeed. One of the things that is bad about LL's set-up is that everybody knows our usernames! Really we should have a username AND an SL name. Our SL name would be what shows up in the forums, on JIRA etc., but when we log in to anything we would use our username, which would be different. That way a script-kiddy can only 'crack' your password if they know your username.

For passwords, I made myself a simple widget for OS X (won't distribute it, sorry) where I just type in a password and it gives me the result as a modified* SHA1 hash which I then enter into a web-site. So I can pick anything as a password, even really obvious things, but it's then encoded in a way specific to me using a random hash I generated for myself. The result: completely unreadable passwords, but I only have to remember really simple ones =)

*by modified I mean it combines it with another hash specific to me, then goes through turning the 64-bit encoding into printable characters using the full ASCII range, so I get a nice lump of symbols and things mixed in with it. It's extremely unlikely anyone has one of those in their dictionary =)

The thing that causes me the most grief are web-sites which are stupid enough to limit passwords to 8 characters or some other figure. Bigger passwords are typically better, as a random combination cracker can get really short ones if a dictionary fails. So in those cases I have to generate one then just copy the first 8 characters.
_____________________
Computer (Mac Pro): 2 x Quad Core 3.2ghz Xeon 10gb DDR2 800mhz FB-DIMMS 4 x 750gb, 32mb cache hard-drives (RAID-0/striped) NVidia GeForce 8800GT (512mb)
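
A sketch of the kind of derivation described in the post above, as an added example that is not the poster's widget: it swaps the plain SHA-1 for PBKDF2-HMAC-SHA256 from Python's standard library and maps the result onto the 94 printable ASCII characters. The names derive, personal_secret and search_space_bits, and the sample inputs, are assumptions.

```python
import hashlib
import math
import string

# The 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive(simple_pw, personal_secret, length=20, rounds=200_000):
    """Turn an easy-to-remember password into `length` printable characters.

    personal_secret plays the role of the "hash specific to me": random
    bytes generated once and kept private.
    """
    if not 1 <= length <= 32:
        raise ValueError("length must be between 1 and 32")
    raw = hashlib.pbkdf2_hmac("sha256", simple_pw.encode("utf-8"),
                              personal_secret, rounds, dklen=32)
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):              # base-94 digits of the 256-bit value
        n, digit = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[digit])
    return "".join(chars)


def search_space_bits(length):
    """log2 of the number of possible outputs of a given length."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed sample secret; a real one would come from
    # secrets.token_bytes(16), generated once and stored privately.
    secret = b"constructed-sample-secret"
    full = derive("fluffy", secret)
    short = derive("fluffy", secret, length=8)   # site that caps passwords at 8
    print(full, round(search_space_bits(20)))
    print(short, round(search_space_bits(8)))
```

Truncating to 8 characters leaves roughly 52 bits of search space against about 131 for 20 characters, and anyone who obtains the personal secret is back to guessing the simple password.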
|
Psyra Extraordinaire
Corra Nacunda Chieftain
Join date: 24 Jul 2004
Posts: 1,533
|
09-20-2007 08:35
I usually recommend passphrases and the use of occasional number substitution and caps, if the system is sensitive to them.
Examples...
Pi11arF0urty2thouz4ND KAbb4GEh33dst1NKz L3tZCy0Ugu3sSTH1S0NE
=D
_____________________
E-Mail Psyra at psyralbakor_at_yahoo_dot_com, Visit my Webpage at www.psyra.ca  Visit me in-world at the Avaria sims, in Grendel's Children! ^^
|
Haravikk Mistral
Registered User
Join date: 8 Oct 2005
Posts: 2,482
|
09-20-2007 08:41
From: Psyra Extraordinaire
L3tZCy0Ugu3sSTH1S0NE

*shudders as memories of moderating starkingdoms.com when people thought 'leet' speak was cool* Can still read it though

I'm not sure letter substitution is that strong however, as there are only so many combinations. Unless you went all out and tried:
|_3|-ZCUG|_|3sS|-|-|1s0|\|e
But you'd have to copy/paste it anyway
|
Norf Lundquist
Registered User
Join date: 19 Jul 2007
Posts: 47
|
09-20-2007 09:46
There's really good suggestions here - I wonder how many people have taken note and actually done something and changed their password! My password I keep on a post-it note on the screen - but by using some of the techniques here - it's still "secure".

Bring on Biometric "passwords", but the price is still prohibitive in some areas (and in some cases not compatible?)

Thanks for the input folks!
Regards
Norf
|
Draco18s Majestic
Registered User
Join date: 19 Sep 2005
Posts: 2,744
|
09-20-2007 12:56
From: Haravikk Mistral
That way a script-kiddy can only 'crack' your password if they know your username

Exploit that was fixed would have been able to grab your username too.

From: Psyra Extraordinaire
L3tZCy0Ugu3sSTH1S0NE

Why does that remind me of the error: "Your password is too short, please choose one of at least 13,892* characters and can't be the same as your previous 31,767 passwords."

*I know it was ~13,000 but not exactly. 31,767 based on the largest number that fits within 1/2 an integer (65353) because that number was ~30,000.
|
Psyra Extraordinaire
Corra Nacunda Chieftain
Join date: 24 Jul 2004
Posts: 1,533
|
09-20-2007 13:25
_____________________
E-Mail Psyra at psyralbakor_at_yahoo_dot_com, Visit my Webpage at www.psyra.ca  Visit me in-world at the Avaria sims, in Grendel's Children! ^^
|
Norf Lundquist
Registered User
Join date: 19 Jul 2007
Posts: 47
|
09-20-2007 13:29
From: Psyra Extraordinaire

Classic!
|
Haravikk Mistral
Registered User
Join date: 8 Oct 2005
Posts: 2,482
|
09-21-2007 01:29
From: Draco18s Majestic
Exploit that was fixed would have been able to grab your username too.

Yes, well, that exploit is more commonly known as Internet Explorer. If you want your passwords to be secure, then you shouldn't be using IE...or Windows.
|
Elessar Bikcin
from Gondor
Join date: 5 Sep 2007
Posts: 58
|
Keep It Simple
09-21-2007 07:05
Use non-dictionary words...that is dictionary in the "general sense".
I have to use "strong passwords" at work, and they change every 90 days. I pick an obscure word out of J.R.R. Tolkien's works and substitute numbers and characters to complete the password.
Example:
Iant Iaur becomes 1ant*Iaur. That satisfies the need for at least one numeral, one capital letter, lower case letter, and a character or symbol.
How many people know what "Iant Iaur" means? <grin> Would anyone know where to find it?
|
Nargus Asturias
Registered User
Join date: 16 Sep 2005
Posts: 499
|
09-22-2007 06:42
From: Haravikk Mistral
Yes, well, that exploit is more commonly known as Internet Explorer. If you want your passwords to be secure, then you shouldn't be using IE...or Windows.

Oh yeah. IE, full of bugs and security holes, and everybody is still using it. I still don't get it. Even more, MS claimed it is the software's fault and not theirs that the exploit exists, even when their exploits cause all the others' problems.
_____________________
Nargus Asturias, aka, StreamWarrior Blue Eastern Water Dragon Brown-skinned Utahraptor from an Old Time
|
Norf Lundquist
Registered User
Join date: 19 Jul 2007
Posts: 47
|
09-22-2007 06:58
Yeah, browser security is important, but we can't do a lot about "closed source" stuff such as IE. Firefox has released several versions over the last 12 months, but as it becomes more popular, more "vulnerabilities" are found (more people looking for them?). There are a few password plugins for Firefox that auto generate passwords as well - might be worth checking it out (for the uninitiated!)
http://www.mozilla.com
Regards
Norf
PS - password addons are:
https://addons.mozilla.org/en-US/firefox/addon/135
https://addons.mozilla.org/en-US/firefox/addon/469
https://addons.mozilla.org/en-US/firefox/addon/874
and plenty more... (not endorsing any!)
|
Draco18s Majestic
Registered User
Join date: 19 Sep 2005
Posts: 2,744
|
09-22-2007 09:12
My guess is that they randomly generate passwords, which are not easy to remember (unlike "-wee305r" used in the first post).
|
Arsenic Soyinka
Registered User
Join date: 1 Dec 2005
Posts: 168
|
09-22-2007 14:17
.
how about ...
just close your eyes and let your fingers randomly tap the keyboard ...
password example one *zzzzZIP* ... jq0t9voaepjvfsad
password example two *zzzzZIP* ... 034y80fwhefwedj98
password example three *zzzzZIP* ... nv3fnu08wfh42peio
(then you might want to add some caps and symbols afterwards for good measure)
you see ... those randomly typed passwords are not based on:
stupid little formulas any hacker would know
obscure words from books hackers could know
and variations of words based on mathematical formulas or keyboard steps that most hackers would know...
and if any hacker did not know of any of the suggestions offered in this thread, they certainly have learned some of the possibilities now
besides, anyone can buy a hackers guide on Ebay
.
|
Draco18s Majestic
Registered User
Join date: 19 Sep 2005
Posts: 2,744
|
09-22-2007 19:57
From: Arsenic Soyinka
.
how about ...
just close your eyes and let your fingers randomly tap the keyboard ...

Wasn't the point of this thread to create EASY TO REMEMBER passwords that were secure, not random gobly-de-goop?
|
Arsenic Soyinka
Registered User
Join date: 1 Dec 2005
Posts: 168
|
09-22-2007 20:55
.
From: Draco18s Majestic
Wasn't the point of this thread to create EASY TO REMEMBER passwords that were secure, not random gobly-de-goop?

no it wasn't ... the point of this thread was to create a password that you will remember, then create a key pattern of your password that you will remember, and then to remember to type that exact key pattern of your original password without any typos, which will then form your new secret password, and that you actually can remember that this is now your new secret password, from whence you had originally typed out the key pattern presumably correctly ...

but what if you had originally typed out the key pattern incorrectly, and you now discovered that your newly created secret password is wrong, and you also can't remember what the incorrect password was, that you used to log on with?

i prefer the gobly-de-goop any day
there's not as much to remember
and besides gobly-de-goop is just as EASY TO REMEMBER as ABC's
remember?
.
|
Sarah Nerd
I BUY LAND
Join date: 22 Aug 2005
Posts: 796
|
09-22-2007 21:01
I always thought the way to make a password was the name of the street You grew up on, plus the name of your first pet. Oh wait, that's the formula for creating Your porn star name. Never mind.
|
Draco18s Majestic
Registered User
Join date: 19 Sep 2005
Posts: 2,744
|
09-22-2007 21:07
From: Arsenic Soyinka i prefer the gobly-de-goop any day
there's not as much to remember
and besides gobly-de-goop is just as EASY TO REMEMBER as ABC's
remember?

I know I'm not going to remember q0t9voaepjvfsad. You try it.
|
Norf Lundquist
Registered User
Join date: 19 Jul 2007
Posts: 47
|
10-06-2007 03:18
...Another worthy note is to use your ABC, which is AGE, BIRTHDATE, COLLEGE, so if you were born on 28th July 1978 and went to Central college it would be 27280774central or something like that.
Regards
Norf
|