
Forced Password Resets


Dark0ne


In response to post #41099430. #41111490, #41138445 are all replies on the same post.


Thandal wrote:

Ummm... guys;

 

As usual, xkcd got it right years ago:

 

[image: 1678793-1470286835.png]

Bjornir90 wrote: Hum actually, while troubador is not extremely safe, correct horse isn't that safe, since a dictionary bruteforce, and by that I mean trying all words in a dictionary, would still get it right somewhat fast. And the information shown here is only right (entropy) if the attacker knows what the pattern of your password is, which he shouldn't unless he already knows your password, in which case he doesn't need the pattern.
The only way to be safe is to use a password manager, such as LastPass or KeePass. That way you can have very long passwords, and that is important because length + variety of characters used is what matters. That's why troubador isn't that bad: it isn't very long but it uses a lot of different "classes" of characters (numbers, letters both capital and not, and symbols). So the entropy for the first password here would be closer to 2^616 assuming 20 symbols.
26 letters + 10 digits + 20 symbols * 11 characters = 616
mytigio wrote: Dictionary attacks run on the assumption of single modified words (like the troubador example above) or common word combinations, not on every possible combination of every possible word.

If you choose 4 random words and use them in a random order, it's perfectly fine (although most password strength checkers require additional symbol categories and will bounce the password back)


Password attacks nowadays include much more than you think, mytigio.

With the vast, nigh unlimited amount of leaked passwords, today's algorithms to guess a password include much more. Attackers have created their own algorithms that are vastly more complex than just appending a number to a word.

Chances are if an attacker gets all your passwords minus one he can brute force your last password in no time. The reason is that humans, subconsciously, create the password with a sample in mind. Not random like a password generator.

edit: It's German but interesting. http://www.heise.de/ct/ausgabe/2013-3-Die-Tools-und-Techniken-der-Passwortknacker-2330451.html

Edited by Sein_Schatten

In response to post #41092740. #41123235, #41131075 are all replies on the same post.


bben46 wrote:

@CG123

 

Yeah, decrypting passwords should not be possible, if stored properly in the database. How come?

Ask Yahoo. They are the latest victim of a password stealing database hack. I hope you didn't use the same password for your bank account that you used for your Yahoo account.

 

BTW, the Nexus hack was THREE YEARS AGO and they are just now getting the passwords they hacked THREE YEARS AGO decrypted.

If you have changed your password anytime in the last three years you are not hacked.

Mitsurugi2424 wrote: But, if your old pw is still used on other sites, those might be at risk
garbalen wrote: They got ahold of a 3 year old database. The breach was more recent.


LOL, I forgot my Yahoo password, maybe the hackers can sell it back to me. Hey Putin, I have 5000 emails on Yahoo, can you help me retrieve my password so I can get them back?

Edited by hioctane321

In response to post #41097055. #41098705, #41108050, #41131275, #41131535, #41138630 are all replies on the same post.


MikhailScott wrote: The EASIEST way to make a password is to use a format like the following: word_number (4 or more digits). This is what my bank requires for their passwords. A good example would be Spot_1976. Pick something like your grandmother's cat's name, an underscore, and then the year of an important personal event.
xbon wrote: lmao... no. a good way to make a password is to randomize letters and numbers + special characters and use the longest string possible. hae9dUve&eD for example.
jesusristus wrote: ...hae9dUve&eD...
Too short.
garbalen wrote: That's a good way to pick a username, but not at all a secure password. Search for "strong password generator" and bump it up to around 32 characters and store it with KeePass, a free/open source password manager.
garbalen wrote: Got me looking at KeePass's built in generator.

1¼Ñ'K½¤ÑÂÝÇëbÀÇDÿÅ`üæ{ëçÓvëÄòA"ð
^ one of the passwords it came up with. That one is pretty dang secure :)
erelde wrote: So secure I'm not sure some websites would accept it ^^
I know for a fact that Google (Gmail) doesn't want accented 'E' as of six months ago.

Facebook on the other hand will happily take anything.


You should use a password like this :D
kfjjkjvbnfbnzdflkjgbnlgkjfdlkgndzflbkngfbnbzlknzlbkjnzcvlbnf1hhg1f6csfafdfdfdsfml;lbmr;okmfd;lakn;lfn bjm;lglgmflmfzldm'zfbmf;fz;mf;zlmz;mgh;mzd;lm
l;,fadfm,lgmg;lmfs;dlm,hsdf;lhmmsdhf;l
mdlkfgn;lkjgmf;jklfgx,lg'd,j';lkusotpmfzdh/m;lkfnmhkldml
l,Gkfm;ozjg'fxhk;l,'hg;l,k;l,nvc';jgzckm;hfldkm

Edited by Guest

In response to post #41097055. #41098705, #41108050, #41131275, #41131535, #41138630, #41173615 are all replies on the same post.


Mort65 wrote: You should use a password like this :D


You just mashed the keyboard didn't you?

In response to post #41097055. #41098705, #41108050, #41131275, #41131535, #41138630, #41173615, #41174715 are all replies on the same post.


trabpukcip wrote: You just mashed the keyboard didn't you?


Obligatory xkcd: https://xkcd.com/936/

In response to post #41097055. #41098705, #41108050, #41131275, #41131535, #41138630, #41173615, #41174715, #41181405 are all replies on the same post.


Obscerno wrote: Obligatory xkcd: https://xkcd.com/936/


First rule is to use unique passwords everywhere.

In response to post #41097055. #41098705, #41108050, #41131275, #41131535, #41138630, #41173615, #41174715, #41181405, #41185030 are all replies on the same post.


Loxus wrote: First rule is to use unique passwords everywhere.


you gotta put the whole story of Anne Frank in one word and one number in the middle or end

In response to post #41097055. #41098705, #41108050, #41131275, #41131535, #41138630, #41173615, #41174715, #41181405, #41185030, #41185770 are all replies on the same post.


TheForkOnTheLeft wrote: you gotta put the whole story of Anne Frank in one word and one number in the middle or end


first rule is uniquity; make them all different, so that if they steal one, they don't have them all.

second rule is long length, and high character complexity, but that is conditional on rule three, which is memorizability.
as the obligatory xkcd (i know which one, without even clicking) states, we've trained ourselves to pick short, symbol complex passwords that are hard for humans to remember, but easy for computers to guess. short? too few different character types? easy for computer to guess by brute force trial and error. too many random symbols? you'll have trouble remembering it, or worse, your keyboard might not support its characters, and you're royally screwed. but xkcd messed up, on this one, sadly; actual word? dictionary attack'll force that open, in a similar way, probably even faster. the xkcd actually sets you right up for a dictionary attack, so while it's good inspiration for an actually good plan, (and generally an awesome webcomic) it in itself is a bad plan.

i avoid most of these issues, with my technique; i create a suitably long nonsense word that doesn't exist, but is easily pronounceable. example, right off the top of my head... "Gablorfingloingy." just made it up, have never used it; feel free, since i definitely won't use this publicly posted one, now... :P if you need inspirational nonsense, calvin, morty, rick, and hobbes are your new best friends. anywho, capitalize the word, give it a punctuation character that changes the tone of its pronunciation, and slap some numbers on it. you're done! it's long, because it's a long word, it's dictionary immune because it doesn't actually exist, and it's hard to brute force because of its length and because it always has at the very least four different types of characters, uppercase, lowercase, the punctuation and the numbers. (Brute forcers slow down immensely the more characters they have to try per spot, so more types = much longer to crack. complexity is your friend.) and best of all, it's easy to remember, because your mind can simply say it in your head, complete with "tone of thought" reminder about the accompanying grammar. perfect score, 5/7; highly recommend.
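Added example, not part of any post in this thread: the schemes argued over above (word_number, four random words, 11 and 32 random characters, a made-up pronounceable word with a symbol and digits) compared by entropy when every element is drawn at random and the attacker knows the scheme. The word-list size, symbol set, syllable pool and guessing rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# All pool sizes below are assumptions for this example, not figures from the thread.
WORDLIST_SIZE = 2048                      # assumed size of the word list
SYMBOLS = "!@#$%^&*()-_=+[]{};:"          # 20 symbols, the count used in the thread
CHARSET = string.ascii_letters + string.digits + SYMBOLS   # 82 characters
SYLLABLES = [c + v for c in "bcdfghjklmnprstvwz" for v in "aeiou"]  # 90 units

# Each scheme is the list of pool sizes for its independent uniform draws.
SCHEMES = {
    "word_number(4 digits)": [WORDLIST_SIZE, 10_000],
    "four random words": [WORDLIST_SIZE] * 4,
    "nonsense word + symbol + 2 digits": [len(SYLLABLES)] * 8 + [len(SYMBOLS), 100],
    "11 random characters": [len(CHARSET)] * 11,
    "32 random characters": [len(CHARSET)] * 32,
}

def entropy_bits(pool_sizes):
    """Entropy when the attacker knows the scheme but not the random draws."""
    return sum(math.log2(n) for n in pool_sizes)

def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try every candidate at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def nonsense_password(syllables=8):
    """Pronounceable made-up word, one symbol, two digits, drawn from the OS CSPRNG."""
    word = "".join(secrets.choice(SYLLABLES) for _ in range(syllables))
    return f"{word.capitalize()}{secrets.choice(SYMBOLS)}{secrets.randbelow(100):02d}"

def ranked():
    """Schemes sorted from weakest to strongest as (name, bits, years)."""
    rows = [(n, entropy_bits(p), years_to_exhaust(entropy_bits(p)))
            for n, p in SCHEMES.items()]
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    for name, bits, years in ranked():
        print(f"{name:36s} {bits:6.1f} bits  {years:10.3g} years")
    print("sample:", nonsense_password())
```

The figures hold only for elements chosen by a random generator; a word, year or nonsense syllable picked by a person comes from a much smaller effective pool than the sizes assumed here.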

This topic is now closed to further replies.