BBC News - Call to improve password security
-
Tinderbox (UK) BAKED BEAN KING
-
Wow. Interesting and scary at the same time.
After all the money I've spent on a fast(ish) computer and OS, and streamlining startup times, the 12-character password puts me 5 steps back.
That's if I can even remember it.
-
Wow, that is scary! How long before we have to type out a whole book just to be safe!
On a side note... Tinderbox... who is that in your display pic? She's pretty hot! haha -
Because dictionary attacks have to use words and numbers.
Because created tables have to use words, numbers and special character mixes.
Because increasing computing power requires longer and longer ones ...
TrueCrypt/PGP/... full disk encryption with keyfiles.
Needs a long password and a few small files or generated keys or tokens.
It will take a bit longer to break that encryption.
WEP/WPA TKIP cracked, the rest in the process; now the GSM network is cracked to listen in to any mobile phone conversation ....
It all just takes time, and time gets shorter after every new generation of CPU/GPU ...
I just started to use password-keeping software; no way to remember it all.
Actually you've got the right idea there: keep one book and just use lines from pages you chose, 100th page, 10th line ...
But as the password is only used in an algorithm, it can be directly attacked too, without the need of trying the passwords (passwords generate hash codes). -
Question is rather: how can we memorize several passwords... I can't...
(and I use the same or variations of the same)
Humans aren't made to remember passwords... Alternatively I could just sellotape a piece of paper with all my passwords to my laptop... that would work... -
I think it is up to the service provider to make brute force attacks hard or impossible. A bank card PIN or SIM card PIN is only 4 digits, but after 3 tries it is locked. No brute force possible.
For web pages, something like Gmail does that: if you enter the wrong password 3 times you need to wait a few minutes to try again, which can also make brute force impossible since it eliminates parallel processing.
The only place where this cannot be done is encrypting data on a hard drive or such. But for this there are many good solutions, such as USB tokens or smart cards, which are needed in addition to a normal password.
The biggest risk to normal users, in my opinion, is using the same password in different places. If one platform is 'weak' and hacked by brute force or through some security hole, the password can be taken and used in other places. -
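An added example, not written by any poster in this thread, of the server-side policy the post above describes: a login gate that refuses to even check a password while a per-account delay is running, doubles that delay after each failure, and hard-locks the account after three consecutive failures, the way a card PIN does. Passwords are stored only as salted PBKDF2 hashes so that the "hard drive" case the poster mentions, an attacker who walks off with the database, still faces a slow offline attack rather than a lookup. The account names, passwords and timings are constructed, and the clock is injectable so the behaviour can be checked without waiting.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3      # hard lock after this many consecutive wrong guesses (like a card PIN)
BASE_DELAY_S = 60.0   # wait imposed after the first failure; doubles on each further failure
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted, deliberately slow hash: the only form in which the server keeps a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    def __init__(self, password):
        self.salt, self.digest = hash_password(password)
        self.failures = 0         # consecutive failures since the last success
        self.next_allowed = 0.0   # no attempt is even checked before this time
        self.locked = False


class LoginGate:
    """Online authentication with per-account throttling and lock-out (constructed example)."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so tests need not sleep
        self.accounts = {}

    def register(self, username, password):
        self.accounts[username] = Account(password)

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid"      # same answer as a wrong password: don't confirm which usernames exist
        if acct.locked:
            return "locked"
        now = self.clock()
        if now < acct.next_allowed:
            return "throttled"    # refused before any comparison, so guesses cannot be parallelised
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        acct.next_allowed = now + BASE_DELAY_S * 2 ** (acct.failures - 1)
        return "invalid"
```

Two details matter in practice. The "throttled" answer is returned before the password is compared, so the delay bounds the attacker's guess rate however many connections they open, which is the "eliminates parallel processing" point above. And an unknown username gets the same "invalid" as a wrong password, so the gate does not confirm which accounts exist. The trade-off later posters raise is also visible here: a hard lock is a denial-of-service lever against the legitimate owner, which is why webmail services tend to prefer escalating delays or a CAPTCHA over a permanent lock.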
http://thedaily.com/Articles/WiWas-TwoFactor-.aspx is a fun read on this concept, but the PDF linked within it is probably more useful. Bank cards are an example of two-factor authentication: you need the physical card to access your account, as well as a PIN. Passcards + biometrics + a PIN are getting popular in high-security areas as well, although all 3 aren't always implemented concurrently if there's no significant threat.
A password alone will never be totally secure. Adding symbols, spaces, numbers and capital letters only makes brute forcing take longer; it doesn't make it any more secure. I think it's ridiculous that people will store passwords in a program (KeePass is a popular one) that is itself only secured by a single password. Come on. If anyone gets through that one (and I bet you it's just as insecure as the passwords it protects), it's open season on all related accounts. KeePass is at best a useful tool, but hardly security. -
Ya know what... After reading this, I thought it'd be a dandy idea to change my password. Problem was, I forgot what I changed it to. I spent 6 hours trying to remember it... The password was 1234567910...
-
Really?
A 16-character password with symbols, spaces and numbers that takes years/decades to brute-force is not more secure?
If you only have to remember one, just one password, so you can use different ones for everything else, surely most folks can come up with something better than 1234 or p@ssword... -
If all it takes is throwing more computing power at it, even if it's a ridiculous amount, I consider it only moderately more secure. I'd take a second factor over a long password that's easy to typo and that encourages locking yourself out any day of the week. Also consider: if all I need to do to work around your 16-character password is hit "forgot password?" and look up your profile on Facebook/social networking/other resources, that's absolutely not sufficient. In many cases, even if you're paranoid, the security questions are the most obvious, and the few pieces of information they ask for are the least often secured: maiden name, birthdate, hometown, maybe education or workplace. Profile picture? I'd say there's at least a decent chance of your favorite color being in your clothing. Relying only on known information is fallible.
Sure, that one password is probably at least as strong as any it protects. But you've also chosen to reduce your information security to a single point of failure. -
Tinderbox (UK) BAKED BEAN KING
A previous poster has it sorted.
-
I think the best solution is for our passwords to be only part of the link as opposed to the entire link. If someone manages to crack the password, it won't be any use to them without the second part, which will be a one-time generated sequence, so it won't be able to be used a second time anyway. This is what is used in online banks when they employ a password and an ''offline'' PIN machine.
As others have mentioned, I also agree that the responsibility should lie with the service providers or websites. Brute force is only possible because they allow many password retries. I think each time we enter any password it should be in a random order, i.e. you are asked to enter the 1st, 3rd, 8th, 5th and 9th characters, and this changes each time. -
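As an added example that is not part of the post above, here are its two ideas in code: the partial-password challenge (the server picks a fresh random set of positions each login and the user types only those characters), followed by an HMAC-based one-time code in the style of RFC 4226 HOTP standing in for the ''offline'' PIN machine, with the server advancing a counter so that a captured code cannot be replayed. The stored password, shared secret and positions are constructed. One caveat a practitioner should know before copying the first idea: the partial-character scheme only works if the server can read individual characters of the password, so it cannot be kept as a one-way hash the way a normal password is; deployments that use it protect the stored value by other means, typically an HSM or an encrypted store.

```python
import hashlib
import hmac
import secrets
import struct

# ---- 1. Partial-password challenge (constructed example) ------------------------
# The server must hold the password in readable form for this to work; see the note above.


def make_challenge(password_length, k=3, rng=secrets.SystemRandom()):
    """Choose k distinct 1-based character positions, freshly at every login."""
    return sorted(rng.sample(range(1, password_length + 1), k))


def verify_partial(stored_password, positions, answer):
    """True iff `answer` is exactly the stored password's characters at `positions`."""
    expected = "".join(stored_password[p - 1] for p in positions)
    # constant-time compare so response time does not leak how many characters matched
    return hmac.compare_digest(expected.encode(), answer.encode())


# ---- 2. One-time code: HOTP as specified in RFC 4226 ---------------------------


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side of the token: accepts each code at most once, then moves past it."""

    def __init__(self, secret, window=5):
        self.secret = secret
        self.counter = 0        # lowest counter value still accepted
        self.window = window    # how far ahead the token is allowed to have drifted

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # this code and every earlier one are now dead
                return True
        return False


def two_step_login(stored_password, positions, answer, verifier, code):
    """Both factors must pass; a leaked partial answer or a captured code is useless on its own."""
    return verify_partial(stored_password, positions, answer) and verifier.verify(code)
```

The counter advance in `verify` is what gives the "can't be used a second time" property the post wants; the window tolerates a token whose counter has run ahead (button pressed without logging in) while still refusing anything at or below the last accepted value. The partial challenge defeats a single keylogger capture because the next login asks for different positions, but an attacker who collects enough sessions reconstructs the whole password, which is another reason it is paired with the one-time code rather than used alone.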
Yes, that would be good, and it also helps stop keyloggers.
Biggest risk to password security, IMHO, is the ''post-it sticker''.
You can look around most people's desks and find the password you need on a yellow post-it, including my previous office's main server (no, it wasn't me). OK, it was in a 'secure' room, but the password was stuck on the side of the console rack.
-
And why do people do that? Because they can't remember all of them.
They need to keep them somewhere, and they just expect their office colleagues not to break into "their" computer.
It would be a greater problem on a laptop... or would it? Unless people can find out which username to use it's not too bad, because random people will not know you.
NEWS : Call to improve password security
Discussion in 'Security and Anti-Virus Software' started by Tinderbox (UK), Aug 15, 2010.