What's a strong password .. really ?

  • Michael Valentine Jones

    SSC Guru

    Points: 64818

    Michael Valentine Jones (5/20/2009)


    Ten Windows Password Myths

    http://www.securityfocus.com/infocus/1554

    So would this be a strong 15 character password?

    My1stPassword!!

  • Rudyx - the Doctor

    SSC-Forever

    Points: 43696

    Lots of good stuff here. Pass-phrases really work well. They are virtually uncrackable.

    Capitalization and letter/number substitution are cool as well when you mix in case sensitivity.

    Personally, use 16 character passwords. This gets you by the readily available NTLM password hash tables since 14 is the limit there. 16 character passwords generally are not crackable either !

    Now onto my secrets ...

    They all have at least ...

    - 2 upper case characters

    - 2 lower case characters

    - 2 numbers

    - 2 special characters

    - sometimes even leading and embedded spaces !

    I look at the keyboard and characters as a 4x16 dot matrix pattern augmented with shift and space as appropriate. I cannot tell you what my passwords are. I never write them down either !

    Imagine that, not knowing your own password nor having to remember it !

    Oh for those who want to test how strong 16 characters really is ... download the demo of L0phtCrack and ALL of the hash tables for a Windows password crack - the last security project I did all 3 of my 16 character passwords could not be cracked even after quad core 3.0 GHz Xeon ran nothing but L0phtCrack for 2 weeks (this was in an AD environment with 2000+ users - 80% of the passwords were cracked in less than a day, the remainder in less than a week, lest my 3).

    As for SQL Server, try NGS SQL Crack - again we killed it after 2 weeks of not getting mine. But, we did crack every other SQL password on 24 SQL Servers in less than a week - all 3000+ of them.

    Regards

    Rudy Komacsar

    Senior Database Administrator

    "Ave Caesar! - Morituri te salutamus."

  • paul.goldstraw

    SSCrazy

    Points: 2626

    The way I compose my passwords is as follows

    First I pick a reasonably short word or combination of letters, so for instance, my initials, perhaps a short name like John or Ray, or maybe another abbreviation such as SSC. Whatever it is, it just needs to be something memorable.

    I then take each of the letters and apply a phonetic alphabet to them, so SSC becomes

    sierrasierracharlie

    I might uppercase some of the letters if I think I can remember it, so perhaps the last letter in each of the words, I might selectively apply numbers and other characters to the 0's, a's, e's etc.

    Finally, I add some numbers at the end that mean something to me or are memorable, and put a further piece of punctuation between the numbers, so I might pick my birthday

    5i3rrAsierr@ch@rl1e28*12

    I therefore have a prompt to remember the basic structure, SSC+my birthday, all I have to remember now is what letters I turned into numbers, the key I believe is to make passwords reasonably memorable without making them breakable or guessable. Doing it this way allows you to easily add a reasonable number of characters simply by adding a letter or two to the starting set of letters, and still maintain a reasonably memorable password.

  • Steve-3_5_7_9

    SSChampion

    Points: 10832

    From TechNet

    The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3

    The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3

    The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3

    http://technet.microsoft.com/en-us/library/cc512613.aspx

  • Tim Walker.

    SSCertifiable

    Points: 5173

    What I've learnt from this thread is:

    (1) When using Windows, there are good technical reasons for using a password of 15 or more characters because they are less easily compromised (backward compatibility reasons)

    (2) Most posters agree that completely random passwords are a bad idea.

    (3) Everyone has their own 'system', and long may this continue, as it increases security.

    Fascinating contributions, thanks

    Tim

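Added example, not part of any post in this thread: a small Python audit that shows the 15-character point from Tim Walker's summary and the composition rule from Rudyx's post side by side. The legacy LM hash that Windows keeps for backward compatibility only covers passwords of up to 14 characters, upper-cases them, and hashes two 7-character blocks independently, so the code reports those blocks for any password short enough to be stored that way. The function names are illustrative, ASCII input is assumed, and a space is counted as a special character.

```python
LM_MAX = 14  # the legacy LM scheme only covers passwords up to 14 characters


def lm_halves(password):
    """Return the two 7-character blocks LM would hash independently,
    or None when the password is too long to be stored as an LM hash."""
    if len(password) > LM_MAX:
        return None
    # LM discards case and pads with NUL bytes before splitting.
    padded = password.upper().ljust(LM_MAX, "\0")
    return padded[:7], padded[7:]


def composition(password):
    """Count the four character classes listed in Rudyx's post."""
    return {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),
    }


def audit(password, min_per_class=2):
    """Summarise length, LM exposure and the 'two of each class' rule."""
    halves = lm_halves(password)
    counts = composition(password)
    return {
        "length": len(password),
        "lm_storable": halves is not None,
        "lm_halves": halves,
        # How many real characters each independently hashed block holds.
        "chars_per_half": None if halves is None
        else tuple(len(h.rstrip("\0")) for h in halves),
        "counts": counts,
        "two_of_each": all(n >= min_per_class for n in counts.values()),
    }


# The three example passwords that appear in the thread.
SAMPLES = ["My1stPassword!!", "5i3rrAsierr@ch@rl1e28*12", "2bon2b,Titq."]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(repr(pw), audit(pw))
```

For the 12-character mnemonic the report shows a second block holding only five real characters with case already discarded, which is the weakness a 15-character minimum sidesteps.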

  • SC-1110407

    SSC Enthusiast

    Points: 185

    I typically use +14 characters with a multitude of words/letters.

    The best security breach in my life involved me in high school: my ex-girlfriend's AIM account... the password was her name. Talk about making it really too easy.

  • lucidspoon

    SSC Veteran

    Points: 280

    mark.dalley (5/20/2009)


    My favorite mnemonic method is to take a quote, e.g. "To be or not to be, That is the question."

    With a few obvious substitutions, this converts naturally to the following inscrutable password:

    "2bon2b,Titq."

    I use this method as well. Although, I've been using the same mnemonic for everything for the past 10 years... I have a simple one for things like most forums, where security isn't as important and you only need 4 or 5 characters. Then, I have "extended" versions of the same password that I use when you need 8 characters or numbers.

    So basically, I'm using a good idea, but in a bad way. 😛

  • sqlstad

    SSCrazy

    Points: 2435

    In my company passwords are created randomly and every service account or login has a different password. We do store the passwords but we use KeePass to store them in.

    In the simplest way it only asks you for a password but it also supports key files so the security is even better.

    You can organise your passwords in groups and create new passwords if you want to.

    If you want to check it out you can find it here: http://keepass.info/

Viewing 8 posts - 31 through 38 (of 38 total)
