Easiest way to make it easy for attackers

Topic

New Reply

https://www.zdnet.com/article/the-worst-passwords-of-2020-show-we-are-as-lazy-about-security-as-ever/
[See the full post at: Easiest way to make it easy for attackers]

Susan Bradley Patch Lady/Prudent patcher

8 users thanked author for this post.

Tom-R, SueW, lurks about, doriel, Fred, NetDef, OscarCP, Elly

Reply | Quote

Replies

I  entirely agree with Susan and cannot stress enough the need to get suitably caffeinated to be in proper shape to work out some close to unguessable passwords when opening an online account, setting up one’s computer login sequence, etc. In this respect, the current thinking seems to be that rather than very cryptic passwords with long strings of a mix of low case, capitals, numbers and special characters, simpler but longer (and easier to remember, when necessary) passwords might work even better:

https://www.forbes.com/sites/daveywinder/2020/02/22/the-fbi-wants-you-to-stop-using-passwords-and-do-this-instead/

Also there has been some serious talk of getting rid of passwords altogether, replacing them with secure pin-and-token and other authentication systems:

https://www.theverge.com/2019/4/24/18514225/passwords-fido2-authentication-webauthn-security-key-cybersecurity-online-browser-web

A closely related issue, recently under scrutiny, is the advisability of mandatory password changes at regular intervals, a long-time bugbear of many who have to use company or government computers, including yours truly:

https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

This is a subject that has been discussed on AskWoody quite extensively, including:
Let’s debate password managers
by @michael432 / Michael Horowitz, and points to his “most important blog”:
The world’s BEST password advice

Also:
Password Security Issues – New Guidelines

2 users thanked author for this post.

wavy, doriel

Reply | Quote

Via https://xkcd.com/936/

~ Group "Weekend" ~

1 user thanked author for this post.

doriel

Reply | Quote

SIMPLE.

Pull a book of the shelf, and improvise.
Use your Home Utility Meter numbers, in part.
Use info on the back of DVD/CD.
Utilise your closest relatives info.
Info on a packet in the larder.

Many ways to create a password.

Reply | Quote

The best method is to use a password manager and let it generate passwords for your various logins. Then you only need to remember one batteryhorsestaple.

cheers, Paul

1 user thanked author for this post.

wavy

Reply | Quote

Much depends on the user’s circumstances. If you’re working with others in an office environment then writing all your passwords in a book kept in your desk drawer doesn’t make any sense at all. However, it makes much more sense if you’re sitting on your own as the only computer user at home.

I’ve never been a fan of regular password changes. If your password wasn’t hacked yesterday, what makes you think a different one will be safer today? I have seen admittedly anecdotal evidence that users have had their account hacked shortly after changing the password – probably because when you change a password it involves communication between you and the account database as well as a change of information stored on that database, creating potentially weak links in the security chain. Clearly, if you are notified that a database has been unlawfully accessed and you are advised to change your password then it is sensible to do so. In normal circumstances, however, I remain unconvinced of the need or benefit of doing so.

Strong passwords that are unique to each application are the way to go. Whether you make them up, write them down, or use a password manager  etc will all depend on the circumstances. The chances are, however, that if you make them up in a form that is easy for you to remember then they will be easy for someone else to guess.

1 user thanked author for this post.

OscarCP

Reply | Quote

I use a strong, unique password for every site I have an account. They are managed using a password manager. Others I know do the same thing but with pen and paper at home. The key is not to use guessable or easily cracked passwords and to not reuse a password. If a site I have credentials on has a hack the only login is for that site, I only have to update that site.

This has been a problem from the beginning.

Reply | Quote

I take a long sentence from an article I’ve read, for example:”I use a strong, unique password for every site I have an account.” Then, I create a password from it by using the first letter of every word and include the punctuation. Since a password often requires that there be a number in it, I usually put a number at the beginning. So, this password would be “8Iuas,upfesIhac.” It’s not difficult to remember the sentences for them and they would be difficult for anyone to guess, if the sentences associated with them were not known. I keep them in a hiding place. Since I don’t have a lot of online accounts and since I am the only one in my house, this works for me. It’s safer and simpler than a password manager, I think.

Reply | Quote

I’ve never been a fan of regular password changes. If your password wasn’t hacked yesterday, what makes you think a different one will be safer today?

Agreed. It just makes users forget their passwords frequently. I also have to work in Diamler, BMW and VW portals. These portals are even worse, forcing us to chnage pw every three months! Not kidding. Even if they use 2- factor security. Its oversecured and its very unpleasant to use that.
Whats the difference with upper case, lower case, numbers and symbols? Robot will try every “char” (character) from ASCII/UNICODE, but P30pl3 C4NT r3m3mb3r these strings. 🙂

I always put long password, but its unpleasant to write it on the cell phone.
PS – you should see our production WiFi password. Its so difficult to write it on the touch display that I really hate it 🙂

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

Can’t tell you how many laptops I service with their password taped or sticky note stuck to it just for this reason. Would really be fun on their network if the laptop was lost or stolen!

Never Say Never

1 user thanked author for this post.

doriel

Reply | Quote

Yes, but sticking passwords to user monitor does not help hackers to crack the password remotely 😉 unless they steal the PC 🙂

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

Doriel: “Yes, but sticking passwords to user monitor does not help hackers to crack the password remotely”

This is more of a problem in offices, where a someone who wants to break into computers of a company or organization could come in to the work station and read what is in the sticky note: those with very good memory need nothing more; those with not so good memory might have to write down the password in a moment when nobody is around, for example. So sticking a note with the computer password to the monitor is not always such a good idea. Especially for people who would prefer to keep their jobs.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I do not like these stickers too. I consider it as big risk, especially, when people (who do not have their own account) can access the network. Im not saying that sometimes it did not help me, if I want to do something on their computer. But it definatelly this shouldnt be the default behaviour.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

I assume you’ve discounted the possibility that you’ve received a laptop for servicing with a note containing the password attached to it because the customer knows that the engineer carrying out the servicing will need to know the password?

Reply | Quote

Yep. We get those too. I am specifically refering to clients that do it because they get frustrated having to change their passwords so often and can’t remember them. Heck, my father did it while working for a state agency! I always explain the ramifications but they seem to not really care.

Never Say Never

Reply | Quote

Going back to the article linked in:

Kirsty wrote:

Also:
Password Security Issues – New Guidelines

Re pasting p/w, I always paste in the p/w first and then the username so there is no password in the clipboard to steal. I also avoid clipboard ‘managers’ for this reason, I have been thinking of going to keeppass for most p/ws which would perhaps mean clipboard ‘managers’ might be an option for me.

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

2 users thanked author for this post.

doriel, OscarCP

Reply | Quote

For years working for a .gov we had password changes foisted upon us for ‘security’. I just a added a 1 in front of the password I had memorized each time we had to change, when the strings of 1s got too long I changed to 2s and so on. Eventually so ‘bright’ IT corrected this. no wonder 123456 is a fav. Poorly imagined security is worse than none sometimes.

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

2 users thanked author for this post.

lurks about, OscarCP

Reply | Quote

Too many policies are the ‘we must do something’ type because those demanding the policy do not understand the real issues. These policies are often counter productive because they unintentionally make the victims do something very similar to what you want to avoid.

2 users thanked author for this post.

OscarCP, wavy

Reply | Quote

Canada Revenue Agency had that problem about two months ago and had to suspend online service for days. The news was about 50K accounts had been hacked that way.

Reply | Quote

Whenever I’m forced to sign up for access to a site I don’t care about and know I won’t be going back to I tend to use a throw away e-mail address and a simple password.

(It the way I protect my main e-mail from corporate data leeks and spam)

So I wonder how many of these the easy passwords are for garbage accounts.

Reply | Quote

I use a password-protected Excel spreadsheet as my password manager.  I generate passwords by randomly typing a string of gibberish (including numbers, caps and special characters) into the password field.  I don’t try to memorize them.

This is sort of a two-factor sticky note approach.  My PC is in my home, so no snoopers have easy access, one must know my PC password, that the spreadsheet exists, the name of the spreadsheet (I have many dozens of spreadsheets, and the name of this one is not “passwords”), and be able to guess the password, which is not a “word”; it’s also a random collection of characters, and the only one I need to memorize.

All my “critical” websites employ two-factor identification, and have lockouts of 24 hours (or a call to the site administrator) after three failed login attempts, which eliminates brute force attacks.  My financial institution uses “registered access”, meaning that if I login from a different computer, I have to go through my security questions/answers before I get passed on to the actual login screen, which is two-factor.

I’m quite comfortable with this arrangement.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

Computer Specs

2 users thanked author for this post.

lurks about, doriel

Reply | Quote

[Paul T]

You need this in your sheets: =CHAR(RANDBETWEEN(65,90))&CHAR(RANDBETWEEN(65,90))&RANDBETWEEN(100,999)&CHAR(RANDBETWEEN(65,90))

More here.

cheers, Paul

• This reply was modified 3 years ago by Paul T.

2 users thanked author for this post.

doriel

Reply | Quote

Thank you, this is very good tool!

But it is exactly what @NetDef was talking about: these passwords are insanely hard to rememeber for humans and not so hard to crack for bots. He mentioned in the awesome picture above.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

Paul T wrote:

You need this in your sheets:

Thanks, but I already have the passwords, I don’t need to generate a whole new set.  I’m of the opinion that periodically changing passwords serves no useful purpose.

For those few sites that require one to signup for access, I have several throw-away email addresses and passwords that I can copy/paste.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

Computer Specs

Reply | Quote

bbearren wrote:

I use a password-protected Excel spreadsheet as my password manager

from office 97.

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

wavy wrote:

bbearren wrote:

I use a password-protected Excel spreadsheet as my password manager

from office 97.

No, from Office (now Microsoft) 365.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

Computer Specs

Reply | Quote

bbearren wrote:

office 97

office 97 still works for me 🙂

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

I never liked the idea of trusting passwords to any software manager; what happens when IT goes on the fritz, eh?

I keep a paper book; but the English/Latin passwords are translated into one of several-odd obscure languages with some odd characters and squirrel noises thrown in (not the last one, ha-ha), and finally they’re written out in a foreign script, like, Armenian, Coptic, Arabic, Telugu, Sanskrit, etc.

Good luck to the crook who gets it!

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"Nine out of 10 doctors say Acid Reflux is mainly caused by computers."

1 user thanked author for this post.

RockE

Reply | Quote

Nibbled To Death By Ducks wrote:

I never liked the idea of trusting passwords to any software manager; what happens when IT goes on the fritz

When is that likely to happen?

More importantly, that is why you have a backup that you have tested by opening on another machine / system. This is one reason I use an open source PM, I can open my passwords on any other device I can lay my hands on, even in a browser.

cheers, Paul

Reply | Quote

Paul T wrote:

When is that likely to happen?

Software corruption by either a malfunctioning OS, another piece of software, or a hardware failure? Well, I’ve been using PC’s since the days of the Trash-80, and built a few since then, plus one workstation…and I’ve seen this happen quite a bit, actually, at work and at home.

Paul T wrote:

More importantly, that is why you have a backup that you have tested by opening on another machine / system. This is one reason I use an open source PM, I can open my passwords on any other device I can lay my hands on, even in a browser

That works too. It’s a matter of personal preference.

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"Nine out of 10 doctors say Acid Reflux is mainly caused by computers."

Reply | Quote

Nibbled To Death By Ducks wrote:

Software corruption by either a malfunctioning OS, another piece of software, or a hardware failure?

Hopefully you have any important data in more than one place. Backups, always!

I have my passwords on multiple PCs (I have three that I use each day), stored on encrypted volumes. If one PC’s password store was to be lost, I have two more PCs with the same data, not to mention the backups of all three of them, also encrypted, in case of theft of any of the devices.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

Reply | Quote

I know we’re talking paranoia squared here, but I can’t help but feeling that one way to help keep your passwords secure, is to not reveal the methodology you’ve used to create them, on a public site like… um… this one, for example

2 users thanked author for this post.

doriel, wavy

Reply | Quote

🙂 agreed but not a single user posted his password here, methodology is not enough to crack the password itself. You still need to brute-force attack through the password.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

Paul T wrote:

More importantly, that is why you have a backup that you have tested by opening on another machine / system. This is one reason I use an open source PM, I can open my passwords on any other device I can lay my hands on, even in a browser.

Some password managers also have a capability to optionally print out the list of passwords. Naturally that’s an ultra-high sensitivity paper document then (and hopefully your printer won’t expose it…), but at least it ought to be readable 😉

NaNoNyMouse wrote:

I can’t help but feeling that one way to help keep your passwords secure, is to not reveal the methodology you’ve used to create them, on a public site like… um… this one, for example

Well yes, but that depends on the method. If you use a known method it becomes easy, and for personal mental associations a person who knows you well enough might be able to backtrack those at least somewhat, but a sufficiently random password isn’t meaningfully compromised by either.

So yeah, http://keithieopia.com/post/2017-12-13-passwd-crack-time/ says that a hacker who knows to expect the Xkcd method and that you’re using it in English, could be expected to crack the “4 words concatenated, all lowercase” password in ~7 hours.

Fully random and sufficiently long passwords are effectively immune to that.

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

… oh and passwords modified from a previous password by incrementing a number, adding a short prefix or suffix or some such are NOT sufficiently random if there’s a significant chance that a previous one in the sequence has been leaked, even if the starting point was fully random originally.

Known leaked passwords + simple permutations on those is not much more of a dictionary attack than one based on a real dictionary.

Reply | Quote

NTDBD: “… that a hacker who knows to expect the Xkcd method and that you’re using it in English, could be expected to crack the “4 words concatenated, all lowercase” password in ~7 hours.”

One could also make a several-words-long password mixing words in different languages, couldn’t one? Say English and Rumanian, or Japanese, for example? Without diacritic marks and, if the latter, in Roman alphabet transliteration, of course to make it easier to type with any regular Western  keyboard.

In fact, I think that there is an equation yet to be written where the degree of unbreakability of a password is proportional to some power n > 1 of the interest the average criminal hacker might have in getting to your stuff by figuring out your password.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

Fred

Reply | Quote

Some password managers also have a capability to optionally print out the list of passwords. Naturally that’s an ultra-high sensitivity paper document then (and hopefully your printer won’t expose it…), but at least it ought to be readable 😉

To be honest I never use these. All I store is password for my email in Chrome. No Sticky password, no a single pw manager on my PCs.

And remember when printing such list on a big multifunction device (printer/scanner), that these devices have HDD, where printed documents can be stored. I recommend to encrypt these HDDs (Konica Minolta does this for us) or better: DO NOT PRINT YOUR PASSWORDS ON A OFFICE PRINTER 🙂

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

My standard methods:

1. Use passphrases. Turn them into “L33tSp3@k” and capitalize each word in the phrase. This makes them long, complex, hard to break, yet memorable. Example: T0B30rN0tT0B3Th@t!sTh3Qu3st!0n
2. Use MFA on every site you’re allowed to do so. We use Duo at work, but for other things I use Authy, which has the benefit both of some push options like Duo, doesn’t cost anything, and supports apps that support Google Authenticator as well.
3. I use a different password for every site. Keeping things the same is asking for trouble, we all know that. It’s just good sense
4. We’ve debated them, but I’ve become a fan of password managers, again, using a secure passphrase and MFA. I like LastPass, but plenty of people like 1Password or others. Using a passphrase means I can generally get a password that’s 120+ bits in complexity, and yet I still can remember it -and then there’s the second protection of MFA. Further, it makes having separate passwords for each site far easier, facilitating better security.

At work, we go one further – for clients, we have reverse multi-factor authentication.  Client calls in and needs a password reset? We send them a push through Duo they need to acknowledge (which they can’t if not enrolled) so we can see it’s them. This nearly eliminates social engineering issues.

We are SysAdmins.
We walk in the wiring closets no others will enter.
We stand on the bridge, and no malware may pass.
We engage in support, we do not retreat.
We live for the LAN.
We die for the LAN.

1 user thanked author for this post.

doriel

Reply | Quote

Use passphrases. Turn them into “L33tSp3@k” and capitalize each word in the phrase. This makes them long, complex, hard to break, yet memorable.

You really consider this memorable? I think you just need to “recreate” pw in your mind every time you want to enter it. Nobody remembers that, good that you used well known phrase, but…
T0B30rN0tT0B3Th@t!sTh3Qu3st!0n
You can make a rule, that every e=3, but then it does not make any sense. You just used character 3 instead of e. You found the way how to protect against dictionary attack and you just made it difficult to remember, but complexity is the same.
Strong password but I can guarantee, that one day you will regret setting this password, no matter where.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

doriel wrote:

You just used character 3 instead of e. You found the way how to protect against dictionary attack

… actually… I’m fairly sure that there are dictionary attack tools that use the capitalization and character substitution rules from “L33tSp3@k”.

Because I’ve run into a password checker that used those. Feeding stuff from a randomizer to the new-password field, it told me that it wasn’t allowed because it was “based on a dictionary word with known substitutions”.

(Funny thing that – theoretically, disallowing any “too simple” passwords reduces the overall complexity that can be achieved…)

Also related to password complexity – it’s really difficult to determine the overall effective complexity of a given Unicode string with non-USASCII characters, because the normalization rules are sort of opaque and most folks don’t actually document what normalization they’re using. And not doing normalization is just asking for trouble.

2 users thanked author for this post.

LoneWolf, doriel

Reply | Quote

… actually… I’m fairly sure that there are dictionary attack tools that use the capitalization and character substitution rules from “L33tSp3@k.

I think its as easy to crack as substitution cyphering. I think Ceasar (Romans) were first to introduce this type of cyphering – Using one character instead of another does not make password harder to crack, if you substitute ALL e with 3. If not all e are converted to 3, complexity is greater, thus harded to crack.

Two factor is the safest. Interesting is for example little utility called WinAuth – opensource utility available on GitHub for example.
We use that for entering suppliers portals. It generates token, which has time-limited validity for example.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

doriel wrote:

… actually… I’m fairly sure that there are dictionary attack tools that use the capitalization and character substitution rules from “L33tSp3@k.

I think its as easy to crack as substitution cyphering. I think Ceasar (Romans) were first to introduce this type of cyphering – Using one character instead of another does not make password harder to crack, if you substitute ALL e with 3. If not all e are converted to 3, complexity is greater, thus harded to crack.

Two factor is the safest. Interesting is for example little utility called WinAuth – opensource utility available on GitHub for example.
We use that for entering suppliers portals. It generates token, which has time-limited validity for example.

Here’s the thing.

By itself, the l33tsp3@k thing would be nothing. That’s true.

However, what it does is add additional complexity to a passphrase. The key being “passphrase” not “password”.  A long phrase you can remember is difficult, but is still dictionary words (e.g., “correcthorsebatterystaple” like our old xkcd).  Adding capitals is another layer of complexity. Then substitute numbers for letters, and you’ve got another complexity.  Then substitute a ! for every i, and an @ for every a, and you add more.

Such methods matter little in an 8-character password, which is limited enough that a good multi-gpu cracking rig can get through it in a matter of hours. But make it a long enough passphrase, and you change the game.

Also, note that nowhere did I say “don’t use MFA”.  Certainly, do use MFA if it is available. In fact, as part of the same post, I said,

Use MFA on every site you’re allowed to do so. We use Duo at work, but for other things I use Authy, which has the benefit both of some push options like Duo, doesn’t cost anything, and supports apps that support Google Authenticator as well.

So, by using a complex passphrase (with a password vault if needed) *and* MFA, you’ve just made every aspect of someone else getting in harder.

 

We are SysAdmins.
We walk in the wiring closets no others will enter.
We stand on the bridge, and no malware may pass.
We engage in support, we do not retreat.
We live for the LAN.
We die for the LAN.

Reply | Quote