  • Easiest way to make it easy for attackers

    Posted by Susan Bradley. Comment on the AskWoody Lounge.

      • #2312878 Reply
        Susan Bradley
        Da Boss
      • #2312884 Reply
        OscarCP
        AskWoody Plus

        I entirely agree with Susan and cannot stress enough the need to get suitably caffeinated to be in proper shape to work out some close to unguessable passwords when opening an online account, setting up one’s computer login sequence, etc. In this respect, the current thinking seems to be that rather than very cryptic passwords with long strings of a mix of lowercase, capitals, numbers and special characters, simpler but longer (and easier to remember, when necessary) passwords might work even better:

        https://www.forbes.com/sites/daveywinder/2020/02/22/the-fbi-wants-you-to-stop-using-passwords-and-do-this-instead/

        Also there has been some serious talk of getting rid of passwords altogether, replacing them with secure pin-and-token and other authentication systems:

        https://www.theverge.com/2019/4/24/18514225/passwords-fido2-authentication-webauthn-security-key-cybersecurity-online-browser-web

        A closely related issue, recently under scrutiny, is the advisability of mandatory password changes at regular intervals, a long-time bugbear of many who have to use company or government computers, including yours truly:

        https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

      • #2312887 Reply
        Kirsty
        Da Boss

        This is a subject that has been discussed on AskWoody quite extensively, including:
        Let’s debate password managers
        by @michael432 / Michael Horowitz, and points to his “most important blog”:
        The world’s BEST password advice

        Also:
        Password Security Issues – New Guidelines

        2 users thanked author for this post.
      • #2312892 Reply
        NetDef
        AskWoody_MVP

        Via https://xkcd.com/936/

        password_strength

        ~ Group "Weekend" ~

        1 user thanked author for this post.
      • #2312933 Reply
        anonymous
        Guest

        SIMPLE.

        Pull a book off the shelf, and improvise.
        Use your Home Utility Meter numbers, in part.
        Use info on the back of DVD/CD.
        Utilise your closest relatives info.
        Info on a packet in the larder.

        Many ways to create a password.

      • #2312936 Reply
        Paul T
        AskWoody MVP

        The best method is to use a password manager and let it generate passwords for your various logins. Then you only need to remember one batteryhorsestaple.

        cheers, Paul

        1 user thanked author for this post.
      • #2312937 Reply
        Seff
        AskWoody Plus

        Much depends on the user’s circumstances. If you’re working with others in an office environment then writing all your passwords in a book kept in your desk drawer doesn’t make any sense at all. However, it makes much more sense if you’re sitting on your own as the only computer user at home.

        I’ve never been a fan of regular password changes. If your password wasn’t hacked yesterday, what makes you think a different one will be safer today? I have seen admittedly anecdotal evidence that users have had their account hacked shortly after changing the password – probably because when you change a password it involves communication between you and the account database as well as a change of information stored on that database, creating potentially weak links in the security chain. Clearly, if you are notified that a database has been unlawfully accessed and you are advised to change your password then it is sensible to do so. In normal circumstances, however, I remain unconvinced of the need or benefit of doing so.

        Strong passwords that are unique to each application are the way to go. Whether you make them up, write them down, or use a password manager, etc., will all depend on the circumstances. The chances are, however, that if you make them up in a form that is easy for you to remember then they will be easy for someone else to guess.

        1 user thanked author for this post.
      • #2312947 Reply
        lurks about
        AskWoody Plus

        I use a strong, unique password for every site I have an account on. They are managed using a password manager. Others I know do the same thing but with pen and paper at home. The key is not to use guessable or easily cracked passwords and to not reuse a password. If a site I have credentials on has a hack, the only login affected is for that site, so I only have to update that site.

        This has been a problem from the beginning.

      • #2312957 Reply
        WCHS
        AskWoody Plus

        I take a long sentence from an article I’ve read, for example: “I use a strong, unique password for every site I have an account.” Then, I create a password from it by using the first letter of every word and include the punctuation. Since a password often requires that there be a number in it, I usually put a number at the beginning. So, this password would be “8Iuas,upfesIhac.” It’s not difficult to remember the sentences for them and they would be difficult for anyone to guess, if the sentences associated with them were not known. I keep them in a hiding place. Since I don’t have a lot of online accounts and since I am the only one in my house, this works for me. It’s safer and simpler than a password manager, I think.

        Offline: Win7Pro/SP1/x64 ∙ i5-3320M-Ivy Bridge ∙ 8GB/320GB HD
        Online: Win10Pro/x64 ∙ i7-6500U-Skylake ∙ 12GB/512GB SSD ∙ Firefox ∙ McAfee ∙ Defender
        Online: Win10Pro/x64 ∙ i7-8565U-WhiskeyLake ∙ 16GB/512GB SSD ∙ Firefox ∙ McAfee ∙ Defender
              GP=2 / TRV=1909 ∙ GUI: FU=1 / QU=0

      • #2312958 Reply
        doriel
        AskWoody Lounger

        I’ve never been a fan of regular password changes. If your password wasn’t hacked yesterday, what makes you think a different one will be safer today?

        Agreed. It just makes users forget their passwords frequently. I also have to work in Daimler, BMW and VW portals. These portals are even worse, forcing us to change the pw every three months! Not kidding. Even if they use 2-factor security. It’s over-secured and it’s very unpleasant to use.
        What’s the difference with upper case, lower case, numbers and symbols? A robot will try every “char” (character) from ASCII/UNICODE, but P30pl3 C4NT r3m3mb3r these strings. 🙂

        I always use a long password, but it’s unpleasant to type it on the cell phone.
        PS – you should see our production WiFi password. It’s so difficult to type it on the touch display that I really hate it 🙂

        Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        • #2312961 Reply
          cyberSAR
          AskWoody Plus

          Can’t tell you how many laptops I service with their password taped or sticky note stuck to it just for this reason. Would really be fun on their network if the laptop was lost or stolen!

          1 user thanked author for this post.
          • #2313082 Reply
            doriel
            AskWoody Lounger

            Yes, but sticking passwords to user monitor does not help hackers to crack the password remotely 😉 unless they steal the PC 🙂

            Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

            HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

            • #2313084 Reply
              OscarCP
              AskWoody Plus

              Doriel: “Yes, but sticking passwords to user monitor does not help hackers to crack the password remotely”

              This is more of a problem in offices, where someone who wants to break into the computers of a company or organization could come to the workstation and read what is on the sticky note: those with a very good memory need nothing more; those with a not so good memory might have to write down the password in a moment when nobody is around, for example. So sticking a note with the computer password to the monitor is not always such a good idea. Especially for people who would prefer to keep their jobs.

              Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

              • #2313087 Reply
                doriel
                AskWoody Lounger

                I do not like these stickers either. I consider it a big risk, especially when people (who do not have their own account) can access the network. I’m not saying that it hasn’t sometimes helped me when I want to do something on their computer. But it definitely shouldn’t be the default behaviour.

                Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

                HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          • #2313312 Reply
            Seff
            AskWoody Plus

            I assume you’ve discounted the possibility that you’ve received a laptop for servicing with a note containing the password attached to it because the customer knows that the engineer carrying out the servicing will need to know the password?

            • #2313321 Reply
              cyberSAR
              AskWoody Plus

              Yep. We get those too. I am specifically referring to clients that do it because they get frustrated having to change their passwords so often and can’t remember them. Heck, my father did it while working for a state agency! I always explain the ramifications but they seem to not really care.

      • #2312967 Reply
        wavy
        AskWoody Plus

        Going back to the article linked in:

        Also:
        Password Security Issues – New Guidelines

        Re pasting p/w, I always paste in the p/w first and then the username so there is no password in the clipboard to steal. I also avoid clipboard ‘managers’ for this reason. I have been thinking of going to KeePass for most p/ws, which would perhaps mean clipboard ‘managers’ might be an option for me.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        2 users thanked author for this post.
      • #2312971 Reply
        wavy
        AskWoody Plus

        For years working for a .gov we had password changes foisted upon us for ‘security’. I just added a 1 in front of the password I had memorized each time we had to change; when the strings of 1s got too long I changed to 2s and so on. Eventually some ‘bright’ IT corrected this. PITA; no wonder 123456 is a fav. Poorly imagined security is worse than none sometimes.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        2 users thanked author for this post.
        • #2313143 Reply
          lurks about
          AskWoody Plus

          Too many policies are the ‘we must do something’ type because those demanding the policy do not understand the real issues. These policies are often counterproductive because they unintentionally make the victims do something very similar to what you want to avoid.

          2 users thanked author for this post.
      • #2312979 Reply
        anonymous
        Guest

        Canada Revenue Agency had that problem about two months ago and had to suspend online service for days. The news was about 50K accounts had been hacked that way.

      • #2313104 Reply
        anonymous
        Guest

        Whenever I’m forced to sign up for access to a site I don’t care about and know I won’t be going back to I tend to use a throw away e-mail address and a simple password.

        (It’s the way I protect my main e-mail from corporate data leaks and spam.)

        So I wonder how many of these easy passwords are for garbage accounts.

      • #2313129 Reply
        bbearren
        AskWoody MVP

        I use a password-protected Excel spreadsheet as my password manager. I generate passwords by randomly typing a string of gibberish (including numbers, caps and special characters) into the password field. I don’t try to memorize them.

        This is sort of a two-factor sticky note approach. My PC is in my home, so no snoopers have easy access, one must know my PC password, that the spreadsheet exists, the name of the spreadsheet (I have many dozens of spreadsheets, and the name of this one is not “passwords”), and be able to guess the password, which is not a “word”; it’s also a random collection of characters, and the only one I need to memorize.

        All my “critical” websites employ two-factor identification, and have lockouts of 24 hours (or a call to the site administrator) after three failed login attempts, which eliminates brute force attacks. My financial institution uses “registered access”, meaning that if I login from a different computer, I have to go through my security questions/answers before I get passed on to the actual login screen, which is two-factor.

        I’m quite comfortable with this arrangement.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

        2 users thanked author for this post.
        • #2313136 Reply
          Paul T
          AskWoody MVP

          You need this in your sheets: =CHAR(RANDBETWEEN(65,90))&CHAR(RANDBETWEEN(65,90))&RANDBETWEEN(100,999)&CHAR(RANDBETWEEN(65,90))

          More here.

          cheers, Paul

          2 users thanked author for this post.
          • #2313140 Reply
            doriel
            AskWoody Lounger

            Thank you, this is very good tool!

            But it is exactly what @NetDef was talking about: these passwords are insanely hard to remember for humans and not so hard to crack for bots. He mentioned it in the awesome picture above.

            Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

            HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          • #2313206 Reply
            bbearren
            AskWoody MVP

            You need this in your sheets:

            Thanks, but I already have the passwords, I don’t need to generate a whole new set. I’m of the opinion that periodically changing passwords serves no useful purpose.

            For those few sites that require one to signup for access, I have several throw-away email addresses and passwords that I can copy/paste.

            Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
            "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
            "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      • #2313168 Reply
        wavy
        AskWoody Plus

        I use a password-protected Excel spreadsheet as my password manager

        from office 97.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        • #2313207 Reply
          bbearren
          AskWoody MVP

          I use a password-protected Excel spreadsheet as my password manager

          from office 97.

          No, from Office (now Microsoft) 365.

          Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
          "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
          "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      • #2313213 Reply
        wavy
        AskWoody Plus

        office 97

        office 97 still works for me 🙂

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
      • #2313216 Reply

        I never liked the idea of trusting passwords to any software manager; what happens when IT goes on the fritz, eh?

        I keep a paper book; but the English/Latin passwords are translated into one of several-odd obscure languages with some odd characters and squirrel noises thrown in (not the last one, ha-ha), and finally they’re written out in a foreign script, like, Armenian, Coptic, Arabic, Telugu, Sanskrit, etc.

        Good luck to the crook who gets it!

        Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Patch List", Multiple Air-Gapped backup drives in different locations, "Don't auto-check for updates-Full Manual Mode." Linux Mint Greenhorn
        --
        "A committee is the only known form of life that can have at least four legs and no brain."

        -Robert Heinlein

        1 user thanked author for this post.
      • #2313252 Reply
        Paul T
        AskWoody MVP

        I never liked the idea of trusting passwords to any software manager; what happens when IT goes on the fritz

        When is that likely to happen?

        More importantly, that is why you have a backup that you have tested by opening on another machine / system. This is one reason I use an open source PM, I can open my passwords on any other device I can lay my hands on, even in a browser.

        cheers, Paul

      • #2313267 Reply

        When is that likely to happen?

        Software corruption by either a malfunctioning OS, another piece of software, or a hardware failure? Well, I’ve been using PC’s since the days of the Trash-80, and built a few since then, plus one workstation…and I’ve seen this happen quite a bit, actually, at work and at home.

        More importantly, that is why you have a backup that you have tested by opening on another machine / system. This is one reason I use an open source PM, I can open my passwords on any other device I can lay my hands on, even in a browser

        That works too. It’s a matter of personal preference.

        Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Patch List", Multiple Air-Gapped backup drives in different locations, "Don't auto-check for updates-Full Manual Mode." Linux Mint Greenhorn
        --
        "A committee is the only known form of life that can have at least four legs and no brain."

        -Robert Heinlein

        • #2313567 Reply
          Ascaris
          AskWoody_MVP

          Software corruption by either a malfunctioning OS, another piece of software, or a hardware failure?

          Hopefully you have any important data in more than one place. Backups, always!

          I have my passwords on multiple PCs (I have three that I use each day), stored on encrypted volumes. If one PC’s password store was to be lost, I have two more PCs with the same data, not to mention the backups of all three of them, also encrypted, in case of theft of any of the devices.


          Group "L" (KDE Neon Linux 5.20.4 User Edition)

      • #2313269 Reply
        NaNoNyMouse
        AskWoody Lounger

        I know we’re talking paranoia squared here, but I can’t help but feeling that one way to help keep your passwords secure, is to not reveal the methodology you’ve used to create them, on a public site like… um… this one, for example

        2 users thanked author for this post.
        • #2313671 Reply
          doriel
          AskWoody Lounger

          🙂 Agreed, but not a single user posted his password here; methodology is not enough to crack the password itself. You still need to brute-force your way through the password.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      • #2313270 Reply
        mn–
        AskWoody Lounger

        More importantly, that is why you have a backup that you have tested by opening on another machine / system. This is one reason I use an open source PM, I can open my passwords on any other device I can lay my hands on, even in a browser.

        Some password managers also have a capability to optionally print out the list of passwords. Naturally that’s an ultra-high sensitivity paper document then (and hopefully your printer won’t expose it…), but at least it ought to be readable 😉

        I can’t help but feeling that one way to help keep your passwords secure, is to not reveal the methodology you’ve used to create them, on a public site like… um… this one, for example

        Well yes, but that depends on the method. If you use a known method it becomes easy, and for personal mental associations a person who knows you well enough might be able to backtrack those at least somewhat, but a sufficiently random password isn’t meaningfully compromised by either.

        So yeah, http://keithieopia.com/post/2017-12-13-passwd-crack-time/ says that a hacker who knows to expect the Xkcd method and that you’re using it in English, could be expected to crack the “4 words concatenated, all lowercase” password in ~7 hours.

        Fully random and sufficiently long passwords are effectively immune to that.

        1 user thanked author for this post.
        • #2313275 Reply
          mn–
          AskWoody Lounger

          … oh and passwords modified from a previous password by incrementing a number, adding a short prefix or suffix or some such are NOT sufficiently random if there’s a significant chance that a previous one in the sequence has been leaked, even if the starting point was fully random originally.

          Known leaked passwords + simple permutations on those is not much more of a dictionary attack than one based on a real dictionary.

        • #2313603 Reply
          OscarCP
          AskWoody Plus

          NTDBD: “… that a hacker who knows to expect the Xkcd method and that you’re using it in English, could be expected to crack the “4 words concatenated, all lowercase” password in ~7 hours.”

          One could also make a several-words-long password mixing words in different languages, couldn’t one? Say English and Romanian, or Japanese, for example? Without diacritic marks and, if the latter, in Roman alphabet transliteration, of course, to make it easier to type with any regular Western keyboard.

          In fact, I think that there is an equation yet to be written where the degree of unbreakability of a password is proportional to some power n > 1 of the interest the average criminal hacker might have in getting to your stuff by figuring out your password.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

          1 user thanked author for this post.
        • #2313674 Reply
          doriel
          AskWoody Lounger

          Some password managers also have a capability to optionally print out the list of passwords. Naturally that’s an ultra-high sensitivity paper document then (and hopefully your printer won’t expose it…), but at least it ought to be readable 😉

          To be honest I never use these. All I store is the password for my email in Chrome. No Sticky Password, not a single pw manager on my PCs.

          And remember when printing such a list on a big multifunction device (printer/scanner) that these devices have HDDs, where printed documents can be stored. I recommend encrypting these HDDs (Konica Minolta does this for us) or better: DO NOT PRINT YOUR PASSWORDS ON AN OFFICE PRINTER 🙂

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      • #2313560 Reply
        LoneWolf
        AskWoody Plus

        My standard methods:

        1. Use passphrases. Turn them into “L33tSp3@k” and capitalize each word in the phrase. This makes them long, complex, hard to break, yet memorable. Example: T0B30rN0tT0B3Th@t!sTh3Qu3st!0n
        2. Use MFA on every site you’re allowed to do so. We use Duo at work, but for other things I use Authy, which has the benefit both of some push options like Duo, doesn’t cost anything, and supports apps that support Google Authenticator as well.
        3. I use a different password for every site. Keeping things the same is asking for trouble, we all know that. It’s just good sense.
        4. We’ve debated them, but I’ve become a fan of password managers, again, using a secure passphrase and MFA. I like LastPass, but plenty of people like 1Password or others. Using a passphrase means I can generally get a password that’s 120+ bits in complexity, and yet I still can remember it – and then there’s the second protection of MFA. Further, it makes having separate passwords for each site far easier, facilitating better security.

        At work, we go one further – for clients, we have reverse multi-factor authentication. Client calls in and needs a password reset? We send them a push through Duo they need to acknowledge (which they can’t if not enrolled) so we can see it’s them. This nearly eliminates social engineering issues.

        We are SysAdmins.
        We walk in the wiring closets no others will enter.
        We stand on the bridge, and no malware may pass.
        We engage in tech support, we do not retreat.
        We live for the LAN.
        We die for the LAN.

        1 user thanked author for this post.
        • #2313675 Reply
          doriel
          AskWoody Lounger

          Use passphrases. Turn them into “L33tSp3@k” and capitalize each word in the phrase. This makes them long, complex, hard to break, yet memorable.

          You really consider this memorable? I think you just need to “recreate” the pw in your mind every time you want to enter it. Nobody remembers that; good that you used a well-known phrase, but…
          T0B30rN0tT0B3Th@t!sTh3Qu3st!0n
          You can make a rule that every e=3, but then it does not make any sense. You just used the character 3 instead of e. You found a way to protect against a dictionary attack and you just made it difficult to remember, but the complexity is the same.
          Strong password, but I can guarantee that one day you will regret setting this password, no matter where.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          • #2313700 Reply
            mn–
            AskWoody Lounger

            You just used character 3 instead of e. You found the way how to protect against dictionary attack

            … actually… I’m fairly sure that there are dictionary attack tools that use the capitalization and character substitution rules from “L33tSp3@k”.

            Because I’ve run into a password checker that used those. Feeding stuff from a randomizer to the new-password field, it told me that it wasn’t allowed because it was “based on a dictionary word with known substitutions”.

            (Funny thing that – theoretically, disallowing any “too simple” passwords reduces the overall complexity that can be achieved…)

            Also related to password complexity – it’s really difficult to determine the overall effective complexity of a given Unicode string with non-USASCII characters, because the normalization rules are sort of opaque and most folks don’t actually document what normalization they’re using. And not doing normalization is just asking for trouble.

            2 users thanked author for this post.
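            The normalization problem raised above, as an added example (not code from the thread): the same visible password can arrive as different Unicode code-point sequences, so a verifier that does not normalize consistently at enrolment and login will reject a correctly typed password, and NFKC folds more look-alikes together than NFC does. The password strings are constructed for the demonstration.

```python
"""Unicode normalization and password verifiers (added example).

Demonstrates why a password check must normalize the same way at enrolment
and at login, and why the choice of form (NFC vs NFKC) changes how many
distinct inputs exist. The strings below are constructed for the demo.
"""
import hashlib
import hmac
import unicodedata

# "café" spelled two ways: precomposed é (U+00E9) vs. e + combining acute (U+0301).
PRECOMPOSED = "caf\u00e9"
DECOMPOSED = "cafe\u0301"

# Strings that look alike to a user; constructed to probe each normalization form.
LOOKALIKES = ["fi", "\ufb01", PRECOMPOSED, DECOMPOSED]


def normalize(pw: str, form: str = "NFC") -> str:
    """Apply one Unicode normalization form; NFC is the usual choice for passwords."""
    return unicodedata.normalize(form, pw)


def code_points_and_bytes(pw: str) -> tuple:
    """(code points, UTF-8 bytes): the two 'lengths' a complexity rule might count."""
    return len(pw), len(pw.encode("utf-8"))


def verifier(pw: str, normalize_first: bool) -> str:
    """Hex digest of the password bytes.

    sha256 is used only to make the byte-level mismatch visible; a stored
    password verifier belongs in a slow, salted KDF, not a bare hash.
    """
    text = normalize(pw) if normalize_first else pw
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def login_matches(stored_pw: str, typed_pw: str, normalize_first: bool) -> bool:
    """Compare verifiers in constant time, with or without normalizing both sides."""
    return hmac.compare_digest(verifier(stored_pw, normalize_first),
                               verifier(typed_pw, normalize_first))


def distinct_after(form: str, candidates) -> int:
    """How many distinct strings survive a normalization form.

    NFC only composes canonically equivalent sequences (e + accent -> é), while
    NFKC also folds compatibility characters (the 'ﬁ' ligature -> 'fi'), so it
    shrinks the effective alphabet further. This is the opacity mn- refers to.
    """
    return len({unicodedata.normalize(form, c) for c in candidates})


if __name__ == "__main__":
    print("precomposed:", code_points_and_bytes(PRECOMPOSED))
    print("decomposed: ", code_points_and_bytes(DECOMPOSED))
    print("raw bytes match:       ", login_matches(PRECOMPOSED, DECOMPOSED, False))
    print("after NFC both sides:  ", login_matches(PRECOMPOSED, DECOMPOSED, True))
    for form in ("NFC", "NFKC"):
        print(f"distinct look-alikes under {form}:", distinct_after(form, LOOKALIKES))
```

            The practical rule that follows: pick one form (NFC is the common choice), apply it before hashing at both enrolment and login, and document it, because a client that normalizes differently from the server produces exactly the mismatch shown here.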
            • #2313705 Reply
              doriel
              AskWoody Lounger

              … actually… I’m fairly sure that there are dictionary attack tools that use the capitalization and character substitution rules from “L33tSp3@k”.

              I think it’s as easy to crack as substitution ciphering. I think Caesar (Romans) was the first to introduce this type of ciphering – using one character instead of another does not make a password harder to crack, if you substitute ALL e with 3. If not all e are converted to 3, complexity is greater, thus harder to crack.

              Two-factor is the safest. Interesting, for example, is a little utility called WinAuth – an open-source utility available on GitHub, for example.
              We use that for entering suppliers’ portals. It generates a token, which has time-limited validity, for example.

              Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

              HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      • #2314227 Reply
        LoneWolf
        AskWoody Plus

        … actually… I’m fairly sure that there are dictionary attack tools that use the capitalization and character substitution rules from “L33tSp3@k”.

        I think it’s as easy to crack as substitution ciphering. I think Caesar (Romans) was the first to introduce this type of ciphering – using one character instead of another does not make a password harder to crack, if you substitute ALL e with 3. If not all e are converted to 3, complexity is greater, thus harder to crack.

        Two-factor is the safest. Interesting, for example, is a little utility called WinAuth – an open-source utility available on GitHub, for example.
        We use that for entering suppliers’ portals. It generates a token, which has time-limited validity, for example.

        Here’s the thing.

        By itself, the l33tsp3@k thing would be nothing. That’s true.

        However, what it does is add additional complexity to a passphrase. The key being “passphrase” not “password”. A long phrase you can remember is difficult, but is still dictionary words (e.g., “correcthorsebatterystaple” like our old xkcd). Adding capitals is another layer of complexity. Then substitute numbers for letters, and you’ve got another complexity. Then substitute a ! for every i, and an @ for every a, and you add more.

        Such methods matter little in an 8-character password, which is limited enough that a good multi-gpu cracking rig can get through it in a matter of hours. But make it a long enough passphrase, and you change the game.

        Also, note that nowhere did I say “don’t use MFA”. Certainly, do use MFA if it is available. In fact, as part of the same post, I said,

        Use MFA on every site you’re allowed to do so. We use Duo at work, but for other things I use Authy, which has the benefit both of some push options like Duo, doesn’t cost anything, and supports apps that support Google Authenticator as well.

        So, by using a complex passphrase (with a password vault if needed) *and* MFA, you’ve just made every aspect of someone else getting in harder.


        We are SysAdmins.
        We walk in the wiring closets no others will enter.
        We stand on the bridge, and no malware may pass.
        We engage in tech support, we do not retreat.
        We live for the LAN.
        We die for the LAN.
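        The search-space arithmetic behind several points in this thread, as an added example (not code from the thread or from any product it mentions): Paul T’s Excel formula and doriel’s remark that its output is not hard for bots, mn–’s comparison of four lowercase xkcd words against a fully random string, and the l33tsp3@k exchange (a fixed substitution rule adds no candidates for an attacker who knows it; deciding per character whether to substitute does). The dictionary size, the substitution rule and the guess rate are assumptions set in the code, and the example phrase is the one quoted above.

```python
"""Search-space arithmetic for the password schemes discussed in this thread.

Added example. The numbers count how many candidates each scheme can produce;
nothing here is measured against a real cracking tool. Dictionary size,
substitution rule and guess rate are assumptions declared as constants.
"""
import math
import string

# 94 printable, non-whitespace ASCII characters (letters, digits, punctuation).
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)

# The linked xkcd comic assumes about 11 bits per word, i.e. a list of roughly
# 2048 common words (assumption carried over from the comic).
XKCD_WORDLIST = 2048

# The l33tsp3@k rule visible in the thread's example passphrase.
LEET_RULE = {"e": "3", "o": "0", "a": "@", "i": "!"}
PHRASE_WORDS = ["to", "be", "or", "not", "to", "be", "that", "is", "the", "question"]
PHRASE = "".join(PHRASE_WORDS)


def bits(search_space: int) -> float:
    """Entropy in bits of a uniformly chosen member of the search space."""
    return math.log2(search_space)


def excel_formula_space() -> int:
    """Candidates from =CHAR(RANDBETWEEN(65,90))&CHAR(RANDBETWEEN(65,90))
    &RANDBETWEEN(100,999)&CHAR(RANDBETWEEN(65,90)): three uppercase letters
    and one three-digit number, all in fixed positions."""
    letters = 90 - 65 + 1        # 26 uppercase letters per CHAR() call
    numbers = 999 - 100 + 1      # 900 possible three-digit values
    return letters * letters * numbers * letters


def wordlist_space(words: int, dictionary_size: int = XKCD_WORDLIST) -> int:
    """Candidates for N concatenated lowercase words drawn from a known list."""
    return dictionary_size ** words


def random_space(length: int, alphabet_size: int = PRINTABLE) -> int:
    """Candidates for a uniformly random string of the given length."""
    return alphabet_size ** length


def leet_variants(phrase: str, rule: dict = LEET_RULE, per_char: bool = False) -> int:
    """Distinct strings a l33t rule can turn one phrase into.

    A deterministic rule ('every e becomes 3') maps the phrase to exactly one
    string, so an attacker who knows the rule has nothing extra to search.
    Choosing independently for each substitutable character whether to swap
    it doubles the candidates once per such character.
    """
    if not per_char:
        return 1
    substitutable = sum(1 for ch in phrase.lower() if ch in rule)
    return 2 ** substitutable


def seconds_to_exhaust(search_space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return search_space / guesses_per_second


def compare(guesses_per_second: float = 1e10) -> dict:
    """Bits and exhaustive-search seconds per scheme at an assumed guess rate
    (1e10 guesses/s is a placeholder, not a measurement of any rig)."""
    base = wordlist_space(len(PHRASE_WORDS))   # attacker models the phrase as list words
    schemes = {
        "excel formula (AA123A)": excel_formula_space(),
        "4 xkcd words, lowercase": wordlist_space(4),
        "10-word phrase, fixed l33t rule": base * leet_variants(PHRASE),
        "10-word phrase, per-char l33t": base * leet_variants(PHRASE, per_char=True),
        "16 random printable chars": random_space(16),
    }
    return {name: (round(bits(space), 1), seconds_to_exhaust(space, guesses_per_second))
            for name, space in schemes.items()}


if __name__ == "__main__":
    for name, (b, secs) in compare().items():
        print(f"{name:34s} {b:6.1f} bits  {secs / 86400:14.3f} days to exhaust")
```

        Reading the output the way the thread argues it: the Excel formula lands near 24 bits, four lowercase list words at 44 bits, and the fixed-rule l33t phrase gains nothing over the plain phrase, while the per-character variant and the random string pull ahead by orders of magnitude. Change `XKCD_WORDLIST` or the guess rate and the ranking stays the same; only the absolute times move.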
