Use song lyrics... the longer the better.
Use book titles or movie titles or characters, longer is better. Use whatever is at hand that you can recall with some ease. Add numbers or characters as needed. If you back it up with an encrypted file, make sure you have the password for that or you are up shit creek.
Quoted: Quoted: I work in IT, too. And I think this whole discussion is a waste of LOTS of people's time caused by laziness and incompetence in IT departments. Logging and Multi Factor Authentication are the answer to this. You should be able to use whatever stupid/short/simple password you want to use because the thing you are authenticating to requires multiple types of authentication that are convenient for the user. And failed login attempts are logged and responded to quickly and effectively. The people that spend their days implementing technology are the ones that should be required to implement effective security measures because they have and use the skills to do so -- presumably. 2nd vote for MFA to solve the issue.
I love my systems that have a 6-8 digit number to log into. It physically pains me to log into something that still uses passwords.
I was in IT for 25 years. Forced password changes are a horrible idea.
What inevitably happens is that many will just write the new password down on a piece of paper and stick it somewhere in a drawer close by. This makes it LESS secure than staying with the same password for years. Cannot tell you how many times I have been to a service call and passwords were taped to the monitors or on a yellow sticky note. Some were in medical buildings. HIPAA much?
Quoted: So it's time for password changes... I do not want to use a password manager.... I prefer to keep an updated list on an encrypted drive. That said, in doing some research it seems like instead of a combination of letters and characters, which are usually much harder to remember, if one were to use a long string of words that actually makes sense (and would be easier to remember) the password is much harder to crack based simply on the total number of characters involved. For example, on Kaspersky's password strength checker HERE I get the following results... %#Arfcom35 shows as broken by brute force attacks using the average home computer in two months. Whereas... iwillnotletthepenguinbanme would require 10,000 centuries from the average home computer. For those of you that have much more knowledge on password strength than I do (everybody)... Is my line of thinking correct?
In terms of password strength, yes, your line of thinking is correct. Not wanting to use a password manager is questionable, though.
Quoted: I was in IT for 25 years. Forced password changes are a horrible idea. What inevitably happens is that many will just write the new password down on a piece of paper and stick it somewhere in a drawer close by. This makes it LESS secure than staying with the same password for years. Cannot tell you how many times I have been to a service call and passwords were taped to the monitors or on a yellow sticky note. Some were in medical buildings. HIPAA much?
Or they just iterate it. K1nd@$trongPa$$w0rd. K1nd@$trongPa$$w0rd1. K1nd@$trongPa$$w0rd2. If somebody has gotten their hands on your password, mandatory changes aren't any good if they can just change the last digit.
Quoted: If every damn thing locks your account after 3 tries, what exactly does it matter?
That's not really what you're protecting against. You're protecting against the whole hashed password database getting stolen, à la LinkedIn 2016. Then they take that password database and start running brute force attacks on it en masse. When passwords fall out, they take the email address associated with them and start running it through PayPal, etc. That's why you don't share passwords between sites, and that's why you need complicated passwords.
The problem is we have basically trained everyone to use Password1! as their password or a variation of it. Usually it is a common word followed by a number, which will incrementally go up as the user is forced to change their password every X amount of days, finished off with !.
I can use 20+ character passwords that are super simple to remember, incorporating caps, lower case, special characters, numbers, and spaces. Yes, a really good password should have 2 spaces or more. Take for instance "July F0urth, $eventeen76!" or "FNH SC@r 17s .IIIZero@te!"
Yes, the person that proposed the stupid rules that Corp America is embracing said it was a mistake. Entropy is a real thing. Pass phrases are far more secure and less likely to require you to write them down.
Besides, if I wanted to break into your stuff, I'd kidnap you and beat you with a hammer until you gave up all your passwords. It's far easier and faster.

Quoted: The problem is we have basically trained everyone to use Password1! as their password or a variation of it. Usually it is a common word followed by a number, which will incrementally go up as the user is forced to change their password every X amount of days.
Oh, and btw, worth mentioning: brute force apps *20 years ago* were capable of running the entire dictionary and an entire list of names with a suffix of a single numeral through it in minutes. dictionary1, calculator7. Doesn't matter that those are 11 character passwords with both letters and numbers. They'd be unscrambled in minutes. https://nakedsecurity.sophos.com/2012/06/06/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked/
Why not use a password manager that stores itself and the password file on the USB flash drive? Best of both worlds.
Also, USB flash drives aren't especially reliable - keep a backup.
Quoted: Oh, and btw, worth mentioning: brute force apps *20 years ago* were capable of running the entire dictionary and an entire list of names with a suffix of a single numeral through it in minutes. dictionary1, calculator7. Doesn't matter that those are 11 character passwords with both letters and numbers. They'd be unscrambled in minutes.
Trust me, I know. We run brute force attacks on all admin accounts where I work. We have successfully cracked people's passwords multiple times. It is funny because I helped our security officer set up the system and have looked at what some people use as passwords. We have also from time to time done password dumps where we can see people's passwords but not associated with user IDs. Some people use profanity and just in general really, really poor passwords.
Quoted: Use song lyrics... the longer the better. Use book titles or movie titles or characters, longer is better. Use whatever is at hand that you can recall with some ease. Add numbers or characters as needed. If you back it up with an encrypted file, make sure you have the password for that or you are up shit creek.
Or movie quotes? Mycatcaneatawholewatermellon
My problem is I let my phone do it with Face ID and I can't log in anywhere else because of the 27 character alphanumeric bullshit my phone came up with.
|
|
Quoted: Trust me, I know. We run brute force attacks on all admin accounts where I work. We have successfully cracked people's passwords multiple times. It is funny because I helped our security officer set up the system and have looked at what some people use as passwords. We have also from time to time done password dumps where we can see people's passwords but not associated with user IDs. Some people use profanity and just in general really, really poor passwords.
You mean "(companyname)admin" isn't an appropriate AD Domain Admin password?

Quoted: You mean "(companyname)admin" isn't an appropriate AD Domain Admin password?
The two domain admins we have are really good at what they do. They also have to check out domain admin rights before the domain admin accounts have privileges, so it requires Duo authentication, and the rights are only for the time they check the rights out for. So if someone did get the password, the rights are safeguarded, as the person who cracked the account would also need to be able to activate rights on the account. One of our workstation admins had a ridiculously easy password and was one that got cracked within an overnight scan. It was a common person's name, Jennifer, followed by a number and !. They lost rights for a few weeks till they took a security training course.
Most secure password ever.
Data uses most secure code ever - Star Trek TNG (Blu-ray HD)
Not IT, but I have been the "guy" by default many times in the past.
Whenever I had to reset someone's password because they forgot or locked themselves out, I would reset it to: Fuck(persons name)!x2. A lot of them left it if I didn't force a change, and they rarely forgot it.
This checker allows you to see the strength against a supercomputer.
https://www.grc.com/haystack.htm
I gave up trying to remember them, aside from a handful in frequent use.
Everything else gets reset every time.
Quoted: lol, I knew at least 3 people would post "correct horse battery staple". OP, the only thing that really matters is length. 14 characters or longer and you'll be fine. Thieves tend to be an impatient lot; they'll take the stuff they can get quickly and leave the stuff it would take weeks or months to get. Idiots requiring special characters or a mix of characters, letters and numbers are what makes this annoying. Well, at least until quantum computing is a thing, then no one's password will be safe.
Using different account names and definitely different passwords on different sites is key. After that, you have a gamut of dumb password restrictions to deal with. I use phrases with numbers and letters added. Also, I type them into an encrypted file on my phone's Notes feature. Doing stuff online plus work systems means having 50 or 90 logins to use, so remembering them is out.
Username is Password - Silicon Valley
Quoted: Quoted: I work in IT, too. And I think this whole discussion is a waste of LOTS of people's time caused by laziness and incompetence in IT departments. Logging and Multi Factor Authentication are the answer to this. You should be able to use whatever stupid/short/simple password you want to use because the thing you are authenticating to requires multiple types of authentication that are convenient for the user. And failed login attempts are logged and responded to quickly and effectively. The people that spend their days implementing technology are the ones that should be required to implement effective security measures because they have and use the skills to do so -- presumably. 2nd vote for MFA to solve the issue.
So something like a YubiKey? Or the standard text or phone authenticator app?
Quoted: I work in IT, too. And I think this whole discussion is a waste of LOTS of people's time caused by laziness and incompetence in IT departments. Logging and Multi Factor Authentication are the answer to this. You should be able to use whatever stupid/short/simple password you want to use because the thing you are authenticating to requires multiple types of authentication that are convenient for the user. And failed login attempts are logged and responded to quickly and effectively. The people that spend their days implementing technology are the ones that should be required to implement effective security measures because they have and use the skills to do so -- presumably.
Not giving out a unique code to some app on my phone either, fuck that also. When they start fucking paying me to use my personal data, I might participate... nah, fuck that too.
Quoted: Trust me, I know. We run brute force attacks on all admin accounts where I work. We have successfully cracked people's passwords multiple times. It is funny because I helped our security officer set up the system and have looked at what some people use as passwords. We have also from time to time done password dumps where we can see people's passwords but not associated with user IDs. Some people use profanity and just in general really, really poor passwords.
IT Guy: "What's your password?"
Me: "Take a step back, and fuck your own FACE!"
IT Guy: "Never mind..."
Quoted: This checker allows you to see the strength against a supercomputer. https://www.grc.com/haystack.htm
Just checked one of my passwords on that site. Have no IT knowledge at all. Seems like a pretty strong one by the results.
Quoted: So something like a YubiKey? Or the standard text or phone authenticator app?
Yes. All of the above. For enterprises, RSA tokens are a rather common implementation as well.
Quoted: This checker allows you to see the strength against a supercomputer. https://www.grc.com/haystack.htm
Not today, glowie!
Quoted: Yeah, not giving out my phone number to a bunch more sites. Fuck that. Not giving out a unique code to some app on my phone either, fuck that also. When they start fucking paying me to use my personal data, I might participate... nah, fuck that too.
You may want to look into how things like Google Authenticator work before you rail about giving them personal data.
We've been programmed to make passwords that are easy to crack but hard to remember. Made-up words are best. Random are second. Milk. Hasbro. Goonies would take a billion years or the like on a 1 attempt per second (or was it 3 seconds?) program.
|
|
Quoted: ... and collects new passwords for dictionary attacks. Not today, glowie!
Meh. I checked it out. If they collect passwords, congratulations to them. They now have my password to Netflix.
You're much better off realizing that your passwords will almost never be cracked. But, your password will be breached at multiple companies that you do business with each year.
|
|
Also, MFA is good, but it's not the end-all of security. MFA can and has been hacked numerous different ways.
The SolarWinds breach used SAML tokens to bypass MFA. Get a free password manager. Create a very long, strong MASTER PASSWORD, such as "Pissing on an electric fence is stupid." Save every password you have in the manager over time. Then change them all to be random characters at least 24 characters long. You don't need to remember the passwords... just the master password. Don't bother changing them after that. Doesn't do any good anyway.
You could combine a bunch of weak passwords. Like maybe I have used Cfd54mmd, arrtrevu, Iigstrdss. Maybe I have used them for years so I know them by heart. When I want a strong password, I combine them, and I just write down the first letter of each of those. So maybe one site is "cal" and another "alc", and I have entered those three passwords so many times I just need to remember the order.
|
|
1password literally changed my life. Do not resist a password manager - it's by far the best solution to passwords.
|
|
Yes, but the NSA can crack it in 22 seconds; hackers using distributed bots would take 45 seconds. You need 2 or 3 factors for security.
AKA MFA for the MFW.
Quoted: Don't be a tit. Use a password manager. This is a far more extensible and usable solution than a list on an encrypted drive. Use KeePass and make it portable.
This is the correct answer. If it makes you feel better, put your KeePass database on an encrypted drive. Also, yes, passphrases are better than short "complex" passwords. However, you are not as random as you think you are. https://www.wired.com/2014/08/passwords-microsoft/
There are two factors at work.
First: the "search space" for each character. Did you use upper and lowercase, special characters and numbers? Second: the length of the password. The total possible combinations is basically the "search space" raised to the "length" power. Shorter passwords with a large "search space" are usually harder to remember, sometimes already included in pre-calculated lists of password hashes, and just generally WORSE. "HorseBatteryBuggyStaple" is a much stronger password than "YT$%432123". Passwords that are re-used between sites/systems, or written down, are a much bigger issue than someone "cracking" your password.
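The "search space raised to the length" rule from the post above, plus the two weak patterns the thread keeps coming back to (dictionary word with a one-digit suffix, and a rotated password that only bumps its trailing number), as an added Python example that is not any poster's code. The word list and the guess rate are constructed assumptions for the illustration, not real cracker figures.

```python
import math
import re
import string

# Constructed stand-in for a cracking dictionary (assumption); a real one has millions of entries.
COMMON_WORDS = {"password", "dictionary", "calculator", "jennifer", "admin",
                "horse", "battery", "buggy", "staple"}

# Character classes; the per-character search space is the sum of the classes actually used.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",   # 33 characters including the space
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(password):
    """Alphabet size implied by the character classes present in the password."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def brute_force_bits(password):
    """log2(search_space ** length): the post's 'search space raised to the length power'."""
    space = search_space(password)
    return len(password) * math.log2(space) if space else 0.0


def years_to_exhaust(password, guesses_per_second=1e10):
    """Years to try every combination at an assumed offline guess rate (constructed figure)."""
    return search_space(password) ** len(password) / guesses_per_second / SECONDS_PER_YEAR


def word_plus_suffix(password):
    """Dictionary word plus a short numeral/symbol suffix (dictionary1, Jennifer7!)."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,2}[!@#$%]?)", password)
    return bool(m) and m.group(1).lower() in COMMON_WORDS


def incremented(old, new):
    """True when new is old with only its trailing number changed (Pa$$w0rd1 -> Pa$$w0rd2)."""
    def stem(p):
        return re.fullmatch(r"(.*?)(\d*)", p).group(1)
    return old != new and stem(old) == stem(new)


def assess(password, previous=None):
    """Gather the thread's strength signals into one report for a password-policy check."""
    return {
        "length": len(password),
        "search_space": search_space(password),
        "bits": round(brute_force_bits(password), 1),
        "years_at_1e10_per_s": years_to_exhaust(password),
        "word_plus_suffix": word_plus_suffix(password),
        "incremented_reuse": previous is not None and incremented(previous, password),
    }


if __name__ == "__main__":
    for pw in ("YT$%432123", "HorseBatteryBuggyStaple", "dictionary1", "Jennifer7!"):
        print(pw, assess(pw))
    print(assess("K1nd@$trongPa$$w0rd2", previous="K1nd@$trongPa$$w0rd1"))
```

The symbol-heavy 10-character example lands around 61 bits while the 23-letter phrase lands around 131 bits, which is the post's point; the suffix and increment checks catch the patterns that length alone does not.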
Copyright © 1996-2024 AR15.COM LLC. All Rights Reserved.