  • Are Strong Passwords Necessary?



    • This topic has 29 replies, 13 voices, and was last updated 1 month ago.
      • #2346782
        Drcard:))
        AskWoody Lounger

        The short answer is YES.

         

        Longer answer:

         

        A dark web monitoring company, ID Agent, analyzed over 3 million stolen passwords for sale on the dark web in 2020 (Link to ID Agent Report).  This analysis demonstrates the common characteristics of these weak, stolen passwords:

        • People’s names, sports, food, places, animals, and famous people/characters are used as passwords
        • 59% used a person’s name or birthday in the password
        • 33% based the password upon a pet’s name
        • 22% based the password upon their own name
        • The average user reuses a bad password 14 times

        Side Note:

        For those that don’t know, the dark web is the part of the deep web that does not get indexed and can’t be found with a search engine.  The only way to connect to the dark web is through a special browser that provides anonymity to the users and web sites.  This is why cybercriminals use it to sell the items they hacked, such as passwords.  What is really appalling is that a hacked social security number (the main item needed in identity theft) costs only $4 – $8 on the dark web.

         

        These most common characteristics of these stolen passwords are the main reason they were stolen.  Users use these personal names and numbers to make their passwords so they will be easy to remember, even when they have been told they shouldn’t use such information for their passwords.  Most are unaware of just how much using the easy-to-remember data weakens their passwords.  It is estimated that a brute force hash attack on an 8 character password drawn from a 96 character set (upper & lower case letters, numbers, and special characters) that was selected randomly will take a robust system 45.2 years to test all 6.6 x 10^15 possible passwords.  Turning that 8 character password into a variation of your favorite sport, pet, famous name, or birth date will severely limit the different character possibilities, resulting in only a few possible passwords to test before finding the password.  Such a weakened password can be cracked in 15 minutes to 1 hour depending on whether a GPU is used (GPUs calculate hashes faster than CPUs).  These times could be drastically shortened if a botnet or supercomputer is used.

         

        Hackers use software (also sold on the dark web) to rapidly test passwords that are just variations of names and dates, and seldom try brute force hash attacks on randomly created passwords unless the prize warrants it.  For many users, having passwords that don’t contain names and dates makes their password not worth hacking and keeps their data safe.

         

        Yes, a strong password is necessary.  A strong password needs to be at least 10 characters (the more the better), drawn from a 96 character set (upper & lower case letters, numbers, and special characters), randomly selected, and containing no names or date formats.  This takes us right back to where we were when we weakened our passwords: how to remember a strong password.

         

        There is a way to make strong passwords easy to remember based upon initialism and it is easy to learn.  Initialism is a type of acronym where only the first letter in each word of a phrase is used.  Example: CBC for Complete Blood Count.

         

        Here’s how to make a strong password easy to remember using initialism:

         

        Create a sentence about yourself that you will remember that includes numbers and punctuation.

        Example:  How many cars have I owned? I don’t know! 5 I guess.

        Take the first letter of each word, in the case it appears in, and include all numbers and punctuation.

        This would yield a password from the Example statement of: HmchhIo?Idk!5Ig.

         

        A strong password that will be easy to remember.  Even if you use personal information to make remembering the statement easier, that personal information won’t be disclosed with initialism.  So take a little time and make your passwords stronger.

        HTH, Drcard:))

        2 users thanked author for this post.
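As an added worked example (my own code, not part of the original post), here is the initialism rule above as a small Python script, plus a helper that compares a hand-typed password against what the rule actually produces. The sentence is the one from the post; the function names are my own.

```python
import re

# Tokens: a word (letters, with a straight or curly apostrophe allowed inside),
# a run of digits, or one punctuation character. Whitespace is skipped.
_TOKEN = re.compile(r"[A-Za-z][A-Za-z'\u2019]*|\d+|[^\sA-Za-z\d]")


def initialism_password(sentence: str) -> str:
    """Apply the rule from the post: keep the first letter of each word in the
    case it was written, and keep every digit and punctuation mark in order."""
    parts = []
    for token in _TOKEN.findall(sentence):
        parts.append(token[0] if token[0].isalpha() else token)
    return "".join(parts)


def first_mismatch(expected: str, typed: str) -> int:
    """Position of the first character where a hand-built password diverges
    from the one the rule produces, or -1 if the two are identical."""
    for i, (a, b) in enumerate(zip(expected, typed)):
        if a != b:
            return i
    return -1 if len(expected) == len(typed) else min(len(expected), len(typed))


if __name__ == "__main__":
    sentence = "How many cars have I owned? I don’t know! 5 I guess."
    password = initialism_password(sentence)
    print(password)                       # HmchIo?Idk!5Ig.
    posted = "HmchhIo?Idk!5Ig."           # the version typed in the post above
    print(first_mismatch(password, posted))   # 4
```

Running the rule over the sentence and checking the result before you commit to it is the whole point: a one-character slip when building the password by hand is invisible until the login fails.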
      • #2346828
        Alex5723
        AskWoody Plus

        Solarwinds user’s password solarwinds123 was the key for the huge systems hack.

        Former SolarWinds CEO blames intern for ‘solarwinds123’ password leak

        1 user thanked author for this post.
        • #2346830
          Susan Bradley
          Manager

          Any IT admin worth their salary can set up a mandatory password policy for the firm.  The CIO said it was an intern and quickly changed it (yeah, so how was your intern able to set up the password in the first place?).

          That said, if you read other reports – “Neither the password nor the stolen access is considered the most likely source of the current intrusion, researchers said.”

          Nowhere that I’ve read indicated that the horrible password was the method that the attackers were able to use to enter the system.

          Susan Bradley Patch Lady

          1 user thanked author for this post.
      • #2346838
        Alex5723
        AskWoody Plus

        Nowhere that I’ve read indicated that the horrible password was the method that the attackers were able to use to enter the system.

        There are no other indications that it was not.

      • #2346839
        DrBonzo
        AskWoody Plus

        I’m curious about arguments that talk about brute force password attacks. On most accounts I have, and particularly financial accounts, after three failed password entry attempts the account is blocked, frozen, temporarily suspended, etc. (terminology seems to vary). That would seem to make brute force password cracking of limited value. What am I missing here?

        I’m not arguing against strong passwords. I just want to learn more.

        • #2346851
          Drcard:))
          AskWoody Lounger

          This is the best way I can explain it.

          A password is hashed, which means the characters in the password are passed through a math function to be stored as a random sequence of numbers.  It’s not reversible, so passing the numbers through the function will not yield the password.  The only way to match that random sequence of numbers (and open the door) is entering the correct characters in the correct sequence, AKA the correct password.

          Trying every possible combination of characters for a password is called a brute force attack.

          Hackers use several different ways to circumvent this lock-out-after-several-attempts feature, depending on the media they are hacking the password for.  Hackers can buy on the dark web software that circumvents the lock out function at many web sites and deals directly with the final door access and knows when the key turns.  Most of these lock-out-after-so-many-tries functions are geared for passwords entered into the web page portal.  Hackers bypass these portals and thus the lock out feature.  Getting past that lock out feature is what their hacking is all about and is what makes it work.

           

          HTH, Dana:))

          5 users thanked author for this post.
          • #2346876
            DrBonzo
            AskWoody Plus

            Thanks, that helps a lot. I was unaware of the dark web software that circumvents various functions. I’ve had a lot of people ask me about the 3 tries and you’re out set-up and now I have a much better answer for them.
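Added example (my own code, nothing from the thread): a Python simulation of the two paths the replies above are contrasting. The "stolen" hash table, the wordlist and the mangling rules are constructed for the demo, and unsalted SHA-256 stands in for whatever hash a real site uses. The same candidate list locks every account within three tries when pushed through the login portal, but cracks three of the four hashes when the attacker holds the table and hashes guesses locally; only the initialism-style password survives.

```python
import hashlib
from collections import defaultdict


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "stolen table": username -> unsalted SHA-256 hex. A fast unsalted
# hash keeps the demo short; a real system should use a slow, salted password
# hash (bcrypt, scrypt, Argon2), which raises the cost of every offline guess.
LEAKED_HASHES = {
    "alice": sha256_hex("Fido2012"),
    "bob":   sha256_hex("bob1985!"),
    "carol": sha256_hex("Paris93"),
    "dave":  sha256_hex("HmchIo?Idk!5Ig."),
}

# Constructed wordlist and mangling rules for the "name + date" shape.
NAMES = ["fido", "bob", "paris", "alice", "rex"]
YEARS = [str(y) for y in range(1980, 2021)]
SUFFIX_SYMBOLS = ["", "!", "#"]


def candidates():
    """Yield name/year guesses: 3 case variants x 41 years x 2 date forms x 3 suffixes."""
    for name in NAMES:
        for variant in (name, name.capitalize(), name.upper()):
            for year in YEARS:
                for date_form in (year, year[2:]):
                    for sym in SUFFIX_SYMBOLS:
                        yield f"{variant}{date_form}{sym}"


def offline_crack(leaked: dict) -> tuple:
    """Attacker holds the hash table: hash each guess locally and compare.
    No server is contacted, so no lockout can ever fire. Returns (cracked, guesses)."""
    by_hash = {digest: user for user, digest in leaked.items()}
    cracked, guesses = {}, 0
    for guess in candidates():
        guesses += 1
        user = by_hash.get(sha256_hex(guess))
        if user is not None:
            cracked[user] = guess
            if len(cracked) == len(leaked):
                break
    return cracked, guesses


class LoginPortal:
    """The front door DrBonzo describes: three wrong guesses and the account locks."""

    def __init__(self, hashes: dict, max_failures: int = 3):
        self.hashes = hashes
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def attempt(self, user: str, password: str) -> str:
        if self.failures[user] >= self.max_failures:
            return "locked"
        if sha256_hex(password) == self.hashes.get(user):
            return "ok"
        self.failures[user] += 1
        return "wrong"


def online_attack(leaked: dict) -> dict:
    """Same guesses, but through the portal: each account locks after 3 misses."""
    portal = LoginPortal(leaked)
    cracked = {}
    for user in leaked:
        for guess in candidates():
            result = portal.attempt(user, guess)
            if result == "ok":
                cracked[user] = guess
                break
            if result == "locked":
                break
    return cracked


if __name__ == "__main__":
    print("online: ", online_attack(LEAKED_HASHES))   # {}
    print("offline:", offline_crack(LEAKED_HASHES))   # 3 of 4 cracked; dave survives
```

The lockout only protects the door the attacker is not using. Once the hash table has left the server, the guess rate is whatever the attacker's hardware allows, which is why the choice of hash (slow and salted) and the shape of the password matter far more than the three-strikes rule.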

        • #2347033
          doriel
          AskWoody Lounger

          I know that this happened to ATM machines in the past: they were vulnerable to this kind of brute force attack, even when there was a limited number of attempts. Why?

          Because ATM machines deducted the attempt after the PIN check.
          The hacker tried the PIN and received the CORRECT/INCORRECT answer before he lost an attempt. Then he used something like IRQs and killed the password check routine if the password was wrong.
          That's how he managed to get an infinite number of attempts. Clearly those hackers were really sophisticated and knew something from inside 🙂

          So in today's modern ATM systems, the attempt is deducted before the password/PIN check is done and ATMs can't be hacked with brute force.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          3 users thanked author for this post.
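Added example, a constructed Python simulation rather than any real ATM code: the two orderings doriel describes side by side. With the attempt charged after the check, an attacker who aborts the routine whenever it answers "wrong" never loses an attempt and can walk the whole 4-digit space; with the attempt charged first, the same trick locks the card after three tries.

```python
class Aborted(Exception):
    """The attacker kills the verification routine before it finishes."""


class PinVerifier:
    """Simulated ATM PIN check. decrement_first=False reproduces the ordering
    doriel describes (answer first, then charge the attempt); True is the fix."""

    def __init__(self, pin: str, max_attempts: int = 3, decrement_first: bool = True):
        self.pin = pin
        self.remaining = max_attempts
        self.decrement_first = decrement_first

    def verify(self, guess: str, kill_on_wrong: bool = False) -> str:
        if self.remaining <= 0:
            return "locked"
        if self.decrement_first:
            self.remaining -= 1          # committed before any answer exists
            ok = guess == self.pin
        else:
            ok = guess == self.pin       # the answer is observable here...
            if not ok and kill_on_wrong:
                raise Aborted()          # ...and the decrement below never runs
            if not ok:
                self.remaining -= 1
        if not ok and kill_on_wrong:
            raise Aborted()              # too late: the attempt is already spent
        return "ok" if ok else "wrong"


def brute_force(verifier: PinVerifier, kill_on_wrong: bool) -> tuple:
    """Try 0000..9999 in order; with kill_on_wrong the attacker aborts the
    routine each time it reports a wrong PIN. Returns (pin or None, tries)."""
    tries = 0
    for n in range(10000):
        guess = f"{n:04d}"
        tries += 1
        try:
            result = verifier.verify(guess, kill_on_wrong)
        except Aborted:
            continue                     # wrong PIN seen; try the next one
        if result == "ok":
            return guess, tries
        if result == "locked":
            return None, tries
    return None, tries


if __name__ == "__main__":
    # Vulnerable ordering plus the abort trick: PIN recovered on the 43rd try.
    print(brute_force(PinVerifier("0042", decrement_first=False), kill_on_wrong=True))
    # Fixed ordering, same trick: locked after the third wrong guess.
    print(brute_force(PinVerifier("0042", decrement_first=True), kill_on_wrong=True))
```

The general lesson is the same for any rate limit: the counter has to be written to durable state before the comparison yields an observable result, otherwise anything that can interrupt the routine between those two steps (power loss, a reset, a killed process) turns a three-strike limit into none.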
      • #2346842
        Bob99
        AskWoody Plus

        Here’s a tool from Steve Gibson that lets you see just how long it might take for a potential password to be “cracked”, or figured out successfully by the bad guys. There are three different scenarios shown, from a “mere” 1000 guesses per second to 100 trillion guesses per second. Of course, these scenarios presume that one’s account won’t be locked out after a certain number of unsuccessful attempts.

        https://www.grc.com/haystack.htm

        The sample password given by OP @wsdrcard above would allegedly take at least 1.41 hundred million centuries to successfully guess.

        By Steve’s own admission on that page, this little tool is NOT a password strength meter, and he explains just why right below that statement. This statement and the subsequent explanation are just below the table with the results of how long it would take to guess a password.

        1 user thanked author for this post.
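Added example, not from the original post or the GRC page: a Python script that reproduces the arithmetic behind the numbers in this thread. exact_keyspace is the 95^8-style count from the first post; search_space sums every length up to the password's, which is how I read the haystack page's "search space size", and at 100 trillion guesses per second it gives roughly 1.41 hundred million centuries for the 16-character password quoted above. The 100 billion per second middle rate and the 5,000-name wordlist used for the name-plus-year estimate are assumptions of mine.

```python
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Character classes as the haystack page counts them (33 symbols = printable
# ASCII punctuation plus space), so all four classes together make 95.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# The 1,000/s and 100 trillion/s figures are the scenarios Bob99 mentions;
# the 100 billion/s middle figure is an assumed offline single-GPU rate.
GUESS_RATES = {
    "online, throttled login page": 1e3,
    "offline, single fast GPU (assumed)": 1e11,
    "massive cracking array": 1e14,
}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search once they know which character
    classes the password uses (but not which characters)."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def exact_keyspace(alphabet: int, length: int) -> int:
    """Passwords of exactly this length: the 6.6 x 10^15 figure in the first post is 95^8."""
    return alphabet ** length


def search_space(password: str) -> int:
    """Every password of length 1 up to len(password) over its alphabet: what an
    exhaustive search must cover when the length is unknown."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))


def centuries_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second / SECONDS_PER_CENTURY


def name_plus_year_candidates(names: int, years: int, trailing_symbols: int = SYMBOLS) -> int:
    """Candidate count for the 'name + year, maybe a trailing symbol' shape the
    stolen-password analysis describes: names x years x (none or one symbol)."""
    return names * years * (1 + trailing_symbols)


if __name__ == "__main__":
    print(f"95^8 = {exact_keyspace(95, 8):,}")
    for pw in ("HmchhIo?Idk!5Ig.", "HmchIo?Idk!5Ig."):
        print(f"{pw}: alphabet {alphabet_size(pw)}, {search_space(pw):.3e} candidates")
        for label, rate in GUESS_RATES.items():
            print(f"   {label:36s} {centuries_to_exhaust(search_space(pw), rate):.3e} centuries")
    # Assumed wordlist: 5,000 first/pet names, years 1900..2020 (121 values).
    weak = name_plus_year_candidates(5000, 121)
    hours_online = weak / GUESS_RATES["online, throttled login page"] / 3600
    print(f"name+year shape: {weak:,} candidates, about {hours_online:.0f} hours even at 1,000/s")
```

Two things the numbers make plain: dropping one character from the 16-character example divides the search space by about 95, and the name-plus-year shape has about 2 x 10^7 candidates, small enough to finish in hours through a throttled login page and in a fraction of a second offline.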
      • #2346928
        brian1248
        AskWoody Lounger

        There are dangers in any method. Always double check the password when creating it. What you wrote for the password “HmchhIo?Idk!5Ig.” does not match the pass phrase that you selected.

        It should be “HmchIo?Idk!5Ig.”

        You duplicated the “h” for “have” in the passphrase when constructing the password.

        If you set this up, you would be wondering why it did not work when you tried to sign in.

        It is still one of the best methods, and one that I have used.  Whoever uses it just needs to get it right.

         

      • #2346981
        Paul T
        AskWoody MVP

        This would yield a password from the Example statement of: HmchhIo?Idk!5Ig.

        That is too complex to remember IMO.
        It’s much easier to remember some familiar things and string them together.
        Dog: Fido
        Holiday: Paris
        Job: Macas
        Friend: Alice

        Fido.Paris93macas17Alice

        A 24 character password that you can only brute force because the length and structure are unknown to an attacker. Brute force would take several thousand centuries, so you are probably safe. 🙂

        cheers, Paul

        1 user thanked author for this post.
        • #2347039
          doriel
          AskWoody Lounger

          It's not wise to share our password methods here, but … I also used those “qwerty” passwords as a strong one. For example:

          ZXCvbnmASDfghjkl123

          - two bottom lines of the keyboard, first three of each in uppercase, and add a simple number. Then I just remember it visually, not the password itself.


        • #2348742
          opti1
          AskWoody Plus

          (Sorry this was supposed to be a reply to Paul_T’s post #2346981 which is two up from where I think this post will end up)

          Curious. Would you create a unique password using this method for every instance where you need a password, or would you reuse this one as is, or modified in some way?

          • #2348989
            Paul T
            AskWoody MVP

            I created one password for my password manager.
            The password manager is then used to generate passwords for everything else and store all the gumph sites require. (I rarely use real information for registration and a password manager provides a great place to record that info.)

            Never reuse passwords.

            cheers, Paul

            • #2349169
              opti1
              AskWoody Plus

              Right, of course (don’t reuse passwords). I was confused because I didn’t realize when I wrote that that you were speaking in the context of having just one master password for use with a password manager which of course makes perfect sense. 🙂

      • #2347135
        OscarCP
        AskWoody Plus

        Strong passwords are necessary. Mine are at least 12 characters long and a mix, sometimes, of actual words with punctuation marks and numbers that seem randomly sprinkled in between the letters of those words, where some of those letters are upper and some of them lower case, something that makes sense only to me and also covers the usual requirements. I think the acronym method is also a good one and easier for some to remember passwords made according to it.

        What is probably not necessary and has been repeatedly recommended that be discontinued, is the widespread practice of making people change their passwords every x weeks, or y months, because this is known to lead to lapses that weaken security, not quite what is intended.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        2 users thanked author for this post.
        • #2348835
          wavy
          AskWoody Plus

          What is probably not necessary and has been repeatedly recommended that be discontinued, is the widespread practice of making people change their passwords every x weeks, or y months, because this is known to lead to lapses that weaken security, not quite what is intended.

          The worst ‘best practice’ ever. This has been a pet peeve of mine for decades. Just when you finally memorize your password, you have to change it!

          🍻

          Just because you don't know where you are going doesn't mean any road will get you there.
          3 users thanked author for this post.
      • #2347190
        Michael432
        AskWoody_MVP

        All passwords are not the same. Some are not very important, most are pretty important and one or two are really, really important. One solution is always going to be wrong.

        We all need 328 different passwords. How we generate them and recall/retrieve them is a matter of opinion. There is no one right answer for everyone. Personally, I use three different schemes for my passwords.

        For more, see my blog

        https://michaelhorowitz.com/BestPasswordAdvice.php

        Get up to speed on router security at RouterSecurity.org

        3 users thanked author for this post.
      • #2347143
        anonymous
        Guest

        The only thing that’s similar about our passwords is the program used to generate them: one password, one program that generates multiple passwords using high encryption levels.

        It’s easier to remember one password 12+ characters long

      • #2347388
        Paul T
        AskWoody MVP

        You do not need to remember more than one password, the one for your password manager. The manager remembers the rest.

        cheers, Paul

        2 users thanked author for this post.
      • #2347397
        WSaltamirano
        AskWoody Lounger

        Is it dangerous to use a browser that “remember” passwords ?

        Can the browser be hacked ?

        • #2347413
          Paul T
          AskWoody MVP

          Not dangerous, but the default is not password protected and you can’t use it for non browser data or other things you need to remember that go along with the account. It’s also less easy to use across devices and backup is more difficult.

          Anything can be hacked, including a password manager.

          cheers, Paul

          1 user thanked author for this post.
        • #2347417
          doriel
          AskWoody Lounger

          In Chrome and Vivaldi, stored passwords are protected with your current Windows user account password. You have to enter your Windows password in order to see stored passwords in those browsers.
          In Edge and IE, passwords are stored in the “Credential Manager” in Control Panel, also protected by the Windows account password.
          I consider those methods fairly safe. Just don't log in with your Google/Microsoft/Apple account on devices that you don't trust, such as public internet cafés or airport terminals.


          1 user thanked author for this post.
          • #2347628
            OscarCP
            AskWoody Plus

            Doriel, What is a “Windows account?” I have no idea of what that is. As far as I know, I have passwords on several online accounts but no “Windows account” with or without password. I’ve never heard before of a “Windows account” password  (unless it is something that has to do with MS Windows? But if, so, with Windows 10? (certainly not with Win 7)).

            It sounds like something that works with a browser. I have Chrome, for example, one browser that you have mentioned, but no “Chrome password”, at least that I am aware of.


            • #2347639
              WSaltamirano
              AskWoody Lounger

              He’s talking about your Windows password, the one asked for when you power on your PC, when you close a session, or when you change the user in the Start/stop options.

              There are some tweaks that can skip this so your password is not asked for.

              1 user thanked author for this post.
              • #2347640
                WSaltamirano
                AskWoody Lounger

                It is not a Windows account password, it is a Windows “user” account.

                1 user thanked author for this post.
              • #2347654
                OscarCP
                AskWoody Plus

                WSaltamirano: Thank you for completely explaining this to me. So that is a Windows PC login password, I gather?

                By the way: I am not a Windows’ user (formerly I was).

                So I wonder if this is also how it works with my Mac, with my Mac password, of course.


            • #2347701
              doriel
              AskWoody Lounger

              I meant the password for logging into your Windows machine, of course. Read my post carefully. It makes sense; others understood it. I should apologize, I'm from the Czech Republic, so sometimes I'm lost in translation, and I understand that if you don't use Windows anymore, you want to know how it works.
              I wrote:

              In Chrome and Vivaldi, stored passwords are protected with your current Windows User account password.

              In Edge and IE, passwords are stored in “credential manager” in control panels. Also protected by the Windows account password.

              You wrote:

              but no “Chrome password”, at least that I am aware of.

              I don't use a Mac, so I don't know how it works with Macs. But Chrome does not use its own password. It uses the password of the user that is logged into the operating system (iOS, Windows, GNU/Linux), I think.


            • #2347706
              doriel
              AskWoody Lounger

              I'm sorry for my anxious answer; I have health issues in my family now. Next time I will try to explain better, I promise.


              • #2347710
                OscarCP
                AskWoody Plus

                doriel: Please, don’t worry about this. It is clear to me now what you meant. Actually I could have figured it out by myself from a more careful and thoughtful reading of what you wrote. Take care of your family and best of luck to all of you.


                1 user thanked author for this post.