My Password Practices

Printable View

26.11.17, 21:46
Master Razor

My Password Practices
Hello,

Here are my current security guidelines for generating and using passwords. Hope it helps some of you.

Always remember:
1. A good password is one you cannot remember.
2. The human brain is horrible at generating random sequences.
3. Security at the expense of usability comes at the expense of security.
4. If someone wants to hack an account, there is nothing that can stop them.
DO NOT:
- create password made from famous quotes, phrases, lyrics, song names, bands, food, etc. Some people may know you, know your habbits/tendencies and could easily guess the password. Common items in your life are dead giveaways.
- develop a template that is applicable to all sites with small changes in characters from domain name, user, or similar. If one account is compromised, then all other accounts are the compromised as well.
- use the same password twice. Again, if one is comprimised...
- write the password down on sticky notes, text file, qr codes.
DO:
- generate a random password for all your accounts at the maximum possible length supported by a given system. In 2017, about 80% of the web have no maximum password length policy. So you are free to try this. Some sites truncate passwords automatically if they are too long, or do not sanitize their inputs (\% is interpreted differently on such systems). On such systems, the newly configured password does not work anymore even though a success message appeared. It's trial and error I'm affraid.
- generate a strong main password and remember it. Use it everyday, write it 50 times a day on a piece a paper, and also type it and in one week it will be as natural as ABC. Writing and typing are two different things, and they both should be performed.
- generate and remember a separate password for each os you use. On Windows any password will do, on Linux you must use a non-dictionary password, on MAC the same. Remember, to use KeePass or any other password manager, you first need to login, so...
- As hardware performance is getting faster and faster, your password length should also grow.
As an example, I need to remember 5 passwords: passwords manager, windows, linux, emails (used for quick android configuration and cannot use keepass), work password.
27.11.17, 06:00
anon
Quote:

Originally Posted by Master Razor

A good password is one you cannot remember.
Quote:
DO NOT:

write the password down on sticky notes, text file, qr codes.
Quote:
DO:

generate a strong main password and remember it. Use it everyday, write it 50 times a day on a piece a paper
:unsure:
27.11.17, 06:38
H265

I generate strong passwords in the lastpass extension. Isn't that enough?
27.11.17, 06:44
Cr@zYiNsEiN

Good tutorial! However, I should remind you that remebering such long and sophisticated passwords is not going to be easy. Besides I would never rely on password generators because the chances of the exploiter having the same dictionary of words are high. If an individual is being targeted one's web footprints can easily point out to what tool is being used to generate the password.

What I basically do is use long passwords generated from random things I observe in my daily life and store it on a encrypted USB drive. I'd rather take chance over probability.

~cloud99
27.11.17, 09:31
Master Razor

Quote:

Originally Posted by anon

:unsure:

You write it in order to remember it, but you do not keep the paper after writing it. You destroy it.

Quote:

What I basically do is use long passwords generated from random things I observe in my daily life and store it on a encrypted USB drive. I'd rather take chance over probability.

That's good but at some point your random things will form a pattern. Most times unaware of.
29.11.17, 08:09
Renk

Quote:

Originally Posted by Master Razor

You write it in order to remember it, but you do not keep the paper after writing it. You destroy it.

That's good but at some point your random things will form a pattern. Most times unaware of.

You can ShaShaSha the random things and normally the possible patterns are gone.
30.11.17, 03:35
anon

SHA³ is too complicated, I hash all my passwords with Double ROT13 =]
27.04.22, 11:06
Rupel89yt

1 Attachment(s)

Attachment 21262

I got this from somewhere, maybe this can help someone better protect there password.

This bascially talks about password entropy and how we should move away from password to passphrases.

Edward snowden has actually a video of it on youtube: https://www.youtube.com/watch?v=yzGzB-yYKcc if you are interested

And a very long article that I do think people should read to better their privacy and online security: https://theintercept.com/2015/03/26/...rs-cant-guess/

This practises if implemented can prove to be very good.
28.04.22, 00:48
anon

The most important rules are 1. generate a strong password that's not in any public wordlist; 2. don't reuse it anywhere no matter what, because said wordlists grow with every major database breach.

I've been using this for more than a decade. The code is even older, and it shows... but still works. Add a good login database protected with a strong password or phrase you can remember (KeePass is my choice, but anything that's free software and offline is fine), and you're set.

HTML Code:

<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>JavaScript Password Generator</title> <script> function getRandomNum(lbound, ubound) { return (Math.floor(Math.random() * (ubound - lbound)) + lbound); } function getRandomChar(number, lower, upper, other, extra) { var numberChars = "0123456789"; var lowerChars = "abcdefghijklmnopqrstuvwxyz"; var upperChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; var otherChars = "`~!@#$%^&*()-_=+[{]}\\|;:'\",<.>/? "; var charSet = extra; if (number == true) charSet += numberChars; if (lower == true) charSet += lowerChars; if (upper == true) charSet += upperChars; if (other == true) charSet += otherChars; return charSet.charAt(getRandomNum(0, charSet.length)); } function getPassword(length, extraChars, firstNumber, firstLower, firstUpper, firstOther, latterNumber, latterLower, latterUpper, latterOther) { var rc = ""; if (length > 0) rc = rc + getRandomChar(firstNumber, firstLower, firstUpper, firstOther, extraChars); for (var idx = 1; idx < length; ++idx) { rc = rc + getRandomChar(latterNumber, latterLower, latterUpper, latterOther, extraChars); } return rc; } </script> </head> <body> <center> <table width="80%" border="0"> <tr align="center"> <td> <form name="myform"> <table border="0"> <tr> <td>First character can be:</td> <td> <input type="checkbox" name="firstNumber" checked>Number <input type="checkbox" name="firstLower" checked>Lowercase <input type="checkbox" name="firstUpper" checked>Uppercase <input type="checkbox" name="firstOther" checked>Other </td> </tr> <tr> <td>Latter characters can be:</td> <td> <input type="checkbox" name="latterNumber" checked>Number <input type="checkbox" name="latterLower" checked>Lowercase <input type="checkbox" name="latterUpper" checked>Uppercase <input type="checkbox" name="latterOther" checked>Other </td> </tr> <tr> <td>Password length:</td> <td><input type="text" name="passwordLength" value="16" size="3"></td> </tr> <tr> <td>Extra password characters:</td> <td><input type="text" name="extraChars" size="20"></td> </tr> </table> </td> </tr> <tr align="center"> <td>New password: <input type="text" name="password" size="20"><br> <input type="button" value="Generate password" onClick="document.myform.password.value = getPassword(document.myform.passwordLength.value, document.myform.extraChars.value, document.myform.firstNumber.checked, document.myform.firstLower.checked, document.myform.firstUpper.checked, document.myform.firstOther.checked, document.myform.latterNumber.checked, document.myform.latterLower.checked, document.myform.latterUpper.checked, document.myform.latterOther.checked);"> </form> </td> </tr> </table> </center> </body> </html>
08.05.22, 23:39
Master Razor

I'm surprised to see this old thread. I've learned much since then, but the information written is actually correct.

This was written in 2017, and still some sites do not accept special characters, not to mention restricting length.

@anon
Fully agreed. On Linux, passwd stops you if the password contains a dictionary word.
09.05.22, 04:13
anon

Quote:

Originally Posted by Master Razor

@anon
Fully agreed. On Linux, passwd stops you if the password contains a dictionary word.

So do cabal trackers. Who would have known "password" and "123456" weren't secure, even when fused together!