On 31 Jan 2013 at 14:16, David Lum wrote:
>
> I have seen a few articles on password cracking and using unrelated words,
> so I have a question. Given the "Making complex passwords" section here:
> http://www.digitaltrends.com/mobile/crack-this-how-to-pick-strong-passwords-and-keep-them-that-way/
> Could you use a fairly simple method to identify what the password is for
> and still have it tough to crack? I'm guessing no, but have to ask.
>
> For a Twitter account: Twitter1 vodka eagles!
> Then for a Facebook account: Facebook2 vodka eagles!
> Ebay: Ebay3 vodka eagles!
>
> Then follow that same pattern for the various accounts. While it
> seems like bad practice to include the service name as part of the
> password I thought I'd ask your guys' opinion. It's at least better than
> using the same password for everything...or is it?
It is. But I would recommend using a password manager like LastPass or KeePass
with one very strong password to access it rather than worry about individual
passwords and patterns.
FWIW, I came across this earlier today:
More interesting news: passPHRASES aren't more secure, since the
dictionary attacks now use them as well.
Grammar badness makes cracking harder the long password | Ars Technica
When it comes to long phrases used to defeat recent advances in
password cracking, bigger isn't necessarily better, particularly when
the phrases adhere to grammatical rules. ... A team of Ph.D. and grad
students at Carnegie Mellon University and the Massachusetts
Institute of Technology have developed an algorithm that targets
passcodes with a minimum number of 16 characters and built it into
the freely available John the Ripper cracking program. The result: it
was much more efficient at cracking passphrases such as
"abiggerbetterpassword" or "thecommunistfairy" because they followed
commonly used grammatical rules - in this case, ordering parts of
speech in the sequence "determiner, adjective, noun." When tested
against 1,434 passwords containing 16 or more characters, the
grammar-aware cracker surpassed other state-of-the-art password
crackers when the passcodes had grammatical structures, with 10
percent of the dataset cracked exclusively by the team's algorithm.
See:
http://arstechnica.com/security/2013/01/grammar-badness-makes-cracking-harder-the-long-password/
One thing I do to mitigate dictionary attacks: m11spelll wuurds wh33n EEYYEE
yuuse tthheemm iiNn P@@ssww00rdd5z....not sure how long the black hats will
take to add stuff like this ;-) but it's just an arms race.
--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
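
An added example, not part of the original message: a small audit over a constructed credential list showing why the "service name + counter + shared phrase" scheme from the question amounts to one reused secret. The function names, the `min_residue` threshold and the sample vault are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample vault: service -> password. The first three follow the
# pattern from the question; the last two stand in for manager-generated ones.
VAULT = {
    "twitter": "Twitter1 vodka eagles!",
    "facebook": "Facebook2 vodka eagles!",
    "ebay": "Ebay3 vodka eagles!",
    "bank": "q7#Lm2vX!pR9zd4K",
    "mail": "T4&hWc0^eYb8Nu1s",
}

def residue(service, password):
    """Strip the service name and digits; what is left is the reused secret."""
    stripped = re.sub(re.escape(service), "", password, flags=re.IGNORECASE)
    stripped = re.sub(r"\d+", "", stripped)
    return " ".join(stripped.lower().split())

def audit(vault, min_residue=6):
    """Return (services whose password embeds their name, groups sharing a residue)."""
    embeds = sorted(s for s, p in vault.items() if s.lower() in p.lower())
    groups = defaultdict(list)
    for service, password in vault.items():
        r = residue(service, password)
        if len(r) >= min_residue:  # ignore residues too short to be meaningful
            groups[r].append(service)
    shared = {r: sorted(s) for r, s in groups.items() if len(s) > 1}
    return embeds, shared

if __name__ == "__main__":
    embeds, shared = audit(VAULT)
    print("service name inside password:", embeds)
    for r, services in shared.items():
        print(f"same secret {r!r} behind: {services}")
```

The three patterned entries collapse to the same residue, so a leak at any one of those services exposes the secret protecting the other two; the two unrelated entries are not grouped.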