
How Strong is your Password?

Discussion in 'Amateur Radio News' started by AA7BQ, Apr 22, 2023.

  1. AA7BQ

    AA7BQ QRZ Founder QRZ HQ Staff QRZ Page

    A member wrote me and asked: "But what if, after some time, you receive a notice from one of your banks, or other institutions, telling:

    «OOPS, we are hacked, probably all data of our clients and customers are stolen.»"


    A couple of things to add here. The first benefit of the Strategy approach is that although the hackers broke into this site, they only got ONE of your passwords. That can mean a lot. Secondly, most websites, including QRZ, don't store your password! Instead, we save the PASSWORD HASH, which is a cryptographic signature. It is a very interesting technology. Let's look at a bit of it:

    Suppose your password is "1.Hate.Blank.QSLs". It's a damned good password, according to the chart. When you give it to the website, it is put through a cryptographic hashing program like md5sum. It's a simple program that takes the password as input and outputs the hash. The hash returned in this example is 5d3d22f99ae01db8968a83c1fef068a4. This number is saved in our database.

    The fascinating thing about programs like md5sum is that they are one-way hashes. This means that you can hand the hash to someone, and they won't be able to learn anything from it. It cannot be converted back into the original password by any known method. So what use is that?

    Pretty useful, really; when the site asks for your password, you give it, and the system feeds it to md5sum. Then, they compare that result with the saved hash. If they match, then access is granted.

    So, when a hacker has stolen 1 million hashes, all it really means is that he has a lot of work to do. Here's how that process works:

    The hacker's system contains a large file called a dictionary, filled with known, previously used passwords. Whenever they see a password, they add it to their collection. The system will take each saved password and generate an md5sum for it. Then, it just looks for a match among the stolen hashes. It probably won't find one immediately, but in a few minutes, some results will begin to emerge. These will be the simple, short passwords first. Then, more complex ones from the dictionary are found. Finally, when the list of known passwords is exhausted, the system will try every possible combination, one after the other. That's where it begins to take the billion years that we've been talking about, and why, even if the site is hacked, you'll be okay if you're using a strong password.

    The hackers usually give up after a remarkably short time since, within a few hours, they'll have cracked thousands of them. They will have cracked all the easy ones. The hard ones, like ours, remain safe. Don't be an easy hash!
     
    W4QBQ, KR3DX and W7UUU like this.
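    Added illustration (not from the post or from QRZ's own code): the store-the-hash, re-hash-and-compare login check described above, plus the defender-side version of the "dictionary" idea, where a site audits its own unsalted MD5 table against a list of known passwords and forces resets. KNOWN_PASSWORDS is a constructed five-entry stand-in for a real breached-password list, and the PBKDF2 record format is an assumption of this example, not QRZ's.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the cracker's "dictionary" of known passwords.
# A real list (e.g. a breached-password service) holds hundreds of millions.
KNOWN_PASSWORDS = {"password", "123456", "qwerty", "letmein", "chicagobears"}
PBKDF2_ITERS = 600_000  # assumed work factor; the point is that it is slow


def md5_hex(password: str) -> str:
    """Unsalted MD5, the md5sum-style hash the post uses as its example."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def audit_md5_table(stored_hashes: dict) -> list:
    """Defender-side check on a stolen-style table {user: md5_hex}:
    return the users whose hash equals the MD5 of a known password.
    These are the 'easy hashes' the post says fall within minutes."""
    lookup = {md5_hex(p): p for p in KNOWN_PASSWORDS}
    return sorted(user for user, h in stored_hashes.items() if h in lookup)


def make_record(password: str) -> dict:
    """Store a password as a salted, slow PBKDF2-SHA256 hash rather than
    bare MD5, and refuse anything already on the known-password list."""
    if password in KNOWN_PASSWORDS:
        raise ValueError("password appears in a known-password list")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iters": PBKDF2_ITERS}


def verify(record: dict, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare
    in constant time, so the hash itself never has to be reversed."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```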
  2. AA7BQ

    AA7BQ QRZ Founder QRZ HQ Staff QRZ Page

    Some users have mentioned Password Manager programs. Yeah, they work to create great, forgettable passwords. Don't lose the Manager!
     
    K2CAJ and W4QBQ like this.
  3. W9BRD

    W9BRD Ham Member QRZ Page

    You don't need to. Fred mentions XKCD as inspiration. Here's that XKCD piece on password strength: https://xkcd.com/936/

    A snag with many password systems is that they don't allow the entry of long-enough passwords for one to be able to use the XKCD strategy; many, many orgs and sites are stuck in the "make passwords easy to guess for machines, hard to remember for humans" mode.

    A critical aspect to keep in mind is that you should expect bad PW tries to be harvested and used. If, for instance, you have a super-critical work PW -- multi-factor auth in play or not -- and you mistakenly submit it to a publicly accessible site, you should immediately change that work PW, because we must expect that Bad Guys are harvesting even bad PW tries on every site we visit and "triangulating" those inputs across usernames, identities, and other sites.
     
    Last edited: Apr 22, 2023
    WQ1C, N4GST and W4QBQ like this.
  4. KE0KOY

    KE0KOY Ham Member QRZ Page

    Algorithms used to crack passwords use common words just as they do a unique character. Just having 18 characters and a few symbols mixed in does not provide the security that chart suggests. Those calculations assume random passwords, and the years calculated assume going through all possibilities.
    this!is&A&crappy44password!!!!!!
     
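    Added worked numbers (not from any post above) for the point W9BRD and KE0KOY make: the chart's time figures assume every character is drawn at random, while a cracker that guesses whole words from a list sees a much smaller space. The guess rate is a parameter you pass in; no real cracking speed is assumed.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_random_chars(length: int, charset_size: int) -> float:
    """Entropy of a password whose every position is chosen uniformly
    from charset_size symbols: the assumption behind the chart."""
    return length * math.log2(charset_size)


def bits_from_pools(pools: list) -> float:
    """Entropy when a cracker guesses by structure: each (count, pool_size)
    pair is `count` independent picks from a pool of that size, e.g. a
    dictionary word counts as one pick from the word list, not as N random
    characters. The XKCD passphrase is the special case [(4, 2048)]."""
    return sum(count * math.log2(pool) for count, pool in pools)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def chart_vs_structured(length: int, charset_size: int, pools: list,
                        guesses_per_second: float) -> dict:
    """Compare the chart-style estimate for a password of `length`
    characters with the estimate for the same password seen as `pools`."""
    chart = bits_random_chars(length, charset_size)
    real = bits_from_pools(pools)
    return {"chart_bits": chart, "structured_bits": real,
            "chart_years": years_to_exhaust(chart, guesses_per_second),
            "structured_years": years_to_exhaust(real, guesses_per_second)}
```

    For example, a 20-character password made of four common words (pools [(4, 20000)]) scores as 20 random printable characters on the chart but carries only about 57 bits against a word-guessing cracker.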
  5. W9AC

    W9AC Subscriber QRZ Page

    Or, add a number or two to supercalifragilisticexpialidocious. If you were deprived of Disney movies as a kid, you wouldn't understand.

    Paul, W9AC
     
    WQ1C, K5JKR and AK5B like this.
  6. AK5B

    AK5B XML Subscriber QRZ Page

    I often find logging in to some sites or pages requires re-entering one's password but does not allow for a password fill-in from something like Avast password saver. So in these cases I do need to know or remember by heart, as far as I can determine.
     
  7. KQ4AFY

    KQ4AFY Platinum Subscriber Platinum Subscriber QRZ Page

    This is all true when the password hashes are stolen from a site... With the LastPass breach, this is something entirely different. This was the backup copies of actual password vaults that stored the actual passwords, not just hashes. Granted they were still encrypted, but the thing with physical security is once you've lost it you've lost security. They then had all the time in the world to brute force decrypt, starting with the weakest vault passwords first. These vaults don't just hold one site password, they hold all the sites. That's why I no longer recommend LastPass as a password manager option.
     
  8. W9BRD

    W9BRD Ham Member QRZ Page

    I don't use a password manager, and only rarely use sites' Remember Me functionality, because I want my memory to keep working.
     
    KR3DX likes this.
  9. GM4BRB

    GM4BRB Ham Member QRZ Page

    I swore I wasn't going to post anymore on here. Anyway, I've used this for years.
    It has adequate or very strong alphanumeric string shuffling, encrypting & case settings.
    It doesn't have any 'install' as such. This is ideal for any desktop.

    https://www.majorgeeks.com/files/details/edxor.html
    Downloading EDXOR 1.65
    EDXOR is a versatile, convenient and optimal text editor and file processor.
    Author: Dariusz Stanislawek
    Date: 10/16/2015
    Size: 77 KB
    License: Freeware
    Requires: Win 10 / 8 / 7 / Vista / XP

    [Screenshot attachment]
    Becomes as complicated or as simple as you like. This is the above converted to Base64.
    [Screenshot attachment]
    It can do anything to any text. It's almost as much fun as a good night out with granny big boy.

    Has no 'install' as such, in that it doesn't alter anything in your registry. Drag and drop the .chm help file over to your Start-Menu programs list, Dude. Admittedly getting some organisation into your life, or desktop, risks displacing some of that chaos, illogic and pride you flash around town.
    For you; - I think it's worth the investment of 5 or 10 minutes. You can make a system-restore-point before you do, but it really doesn't merit it. It's simply an executable in a folder of your choice. I use \utilities\EDXOR.
     
    Last edited: Apr 22, 2023
  10. KE0KOY

    KE0KOY Ham Member QRZ Page

    I made my own password manager app in Visual Studio and keep it on a thumb drive. It isn't finished yet (meaning I still need to make the program encrypt the file that stores the accounts), but it works. It asks for a PIN (useless until encrypted), then the program starts and has 24 account slots. One button serves as the label and program button, two others allow for the computer to type out the information and hit enter. So, when I go to log in, I just put my cursor in the password field, go to my app, click the PW button for that account, then return to the log in window. It enters it and hits enter for you by sending the corresponding keystrokes. It's like you typed it in yourself, so there are no compatibility issues.

    Some day I will finish it so it encrypts the account file.
    [Screenshot attachment]
     
  11. KN4ULD

    KN4ULD Ham Member QRZ Page

    ALWAYS use a mix

    Now that passwords are on my mind, I have some old data encrypted with PGP from MIT and used a 29 character passphrase in 4096 but IDK my password LMAO

    HOW BIG IS YOUR HAYSTACK?
     
    K0TWA likes this.
  12. KN4XJ

    KN4XJ Premium Subscriber QRZ Page

    XYL and I have used LastPass for years. Several hundred complex passwords are just a click away on all of our devices, PCs, tablets, phones.
     
  13. KF7MIX

    KF7MIX Ham Member QRZ Page

    I like the colorful chart, but the utility in it is primarily its ability to grab attention. The web page provided at the bottom of the chart is very clear on the reality that password hash security is a secondary concern, the first concern being the security of the hashed password data itself. An average user might believe that this chart means that a hacker can use software/hardware to break into an otherwise secure system through the front door in that amount of time, which is fantasy.

    In reality the time figures shown are based on several other things happening first (which also take time, skill, luck, etc.) If you're reading here, rest assured that the world hasn't gotten so insane that anyone can break in through the front door in seconds. It's not going to happen that way. Follow the link, patronize hivesystems, they have some great info. Then go and grab a beverage of your choice, sit back and enjoy your life without worrying.

    All things considered, security breaches happen all the time, so the password strength recommendation is valuable. The strategy in red might well be the most valuable: "It is absolutely essential that you have a different password for every website you frequent." If you do this, when someone does get a hold of your hashed password, your potential exposure will be limited to one website (or whatever it is, some of us still use public access pubnix systems you know!) Your secondary effort, of setting strong passwords, will shield you from anything happening even on that one website.
     
    K6TOP and WB8NXR like this.
  14. W9WQA

    W9WQA Ham Member QRZ Page

    I was asked for a better PW.
    The next was considered good...

    chicagobears

    Figure.
     
  15. KF7MIX

    KF7MIX Ham Member QRZ Page

    One more thought, in the form of an analogy:

    Imagine you have a tiny box of valuables, locked with a generic luggage key lock. "IT'S INSECURE!"

    Now, imagine your little box sitting inside a safe deposit box, inside a vault, inside a bank, in a city with a solid police force patrolling the streets around the bank. How secure is your little box with the luggage lock? Pretty secure.

    Certainly follow the advice and set secure passwords, just in case. And most especially, follow the advice of setting different passwords for each site. But don't stress if your password isn't in the 10-gazillion-year category. Doesn't need to be, you'll be fine.

    73!
     
    WQ1C and AK5B like this.
