+ Reply to Thread
Results 1 to 11 of 11

Thread: My Password Practices

  1. #1

    My Password Practices

    Hello,

    Here are my current security guidelines for generating and using passwords. Hope it helps some of you.


    Always remember:
    1. A good password is one you cannot remember.
    2. The human brain is horrible at generating random sequences.
    3. Security at the expense of usability comes at the expense of security.
    4. If someone wants to hack an account, there is nothing that can stop them.



    DO NOT:
    • create password made from famous quotes, phrases, lyrics, song names, bands, food, etc. Some people may know you, know your habbits/tendencies and could easily guess the password. Common items in your life are dead giveaways.
    • develop a template that is applicable to all sites with small changes in characters from domain name, user, or similar. If one account is compromised, then all other accounts are the compromised as well.
    • use the same password twice. Again, if one is comprimised...
    • write the password down on sticky notes, text file, qr codes.



    DO:
    • generate a random password for all your accounts at the maximum possible length supported by a given system. In 2017, about 80% of the web have no maximum password length policy. So you are free to try this. Some sites truncate passwords automatically if they are too long, or do not sanitize their inputs (\% is interpreted differently on such systems). On such systems, the newly configured password does not work anymore even though a success message appeared. It's trial and error I'm affraid.
    • generate a strong main password and remember it. Use it everyday, write it 50 times a day on a piece a paper, and also type it and in one week it will be as natural as ABC. Writing and typing are two different things, and they both should be performed.
    • generate and remember a separate password for each os you use. On Windows any password will do, on Linux you must use a non-dictionary password, on MAC the same. Remember, to use KeePass or any other password manager, you first need to login, so...
    • As hardware performance is getting faster and faster, your password length should also grow.


    As an example, I need to remember 5 passwords: passwords manager, windows, linux, emails (used for quick android configuration and cannot use keepass), work password.
    i iz a pirate. i haz peg leg. arrr!
    Reply With QuoteReply With Quote
    Thanks

  2. Who Said Thanks:

    latres (30.11.17)

  3. #2
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    38,546
    Activity Longevity
    10/20 19/20
    Today Posts
    1/5 ssss38546
    Quote Originally Posted by Master Razor View Post
    A good password is one you cannot remember.
    DO NOT:
    • write the password down on sticky notes, text file, qr codes.
    DO:
    • generate a strong main password and remember it. Use it everyday, write it 50 times a day on a piece a paper
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  4. #3
    H265's Avatar
    Join Date
    26.05.13
    Location
    Tengoku
    P2P Client
    ¯\_(ツ)_/¯
    Posts
    410
    Activity Longevity
    0/20 12/20
    Today Posts
    0/5 ssssss410
    I generate strong passwords in the lastpass extension. Isn't that enough?
    Reply With QuoteReply With Quote
    Thanks

  5. #4

    Join Date
    06.04.17
    Posts
    276
    Activity Longevity
    0/20 8/20
    Today Posts
    0/5 ssssss276
    Good tutorial! However, I should remind you that remebering such long and sophisticated passwords is not going to be easy. Besides I would never rely on password generators because the chances of the exploiter having the same dictionary of words are high. If an individual is being targeted one's web footprints can easily point out to what tool is being used to generate the password.

    What I basically do is use long passwords generated from random things I observe in my daily life and store it on a encrypted USB drive. I'd rather take chance over probability.

    ~cloud99
    Reply With QuoteReply With Quote
    Thanks

  6. Who Said Thanks:

    Evadjc (08.10.22) , H265 (27.11.17)

  7. #5
    Quote Originally Posted by anon View Post
    You write it in order to remember it, but you do not keep the paper after writing it. You destroy it.

    What I basically do is use long passwords generated from random things I observe in my daily life and store it on a encrypted USB drive. I'd rather take chance over probability.
    That's good but at some point your random things will form a pattern. Most times unaware of.
    Last edited by Master Razor; 27.11.17 at 09:32.
    i iz a pirate. i haz peg leg. arrr!
    Reply With QuoteReply With Quote
    Thanks

  8. Who Said Thanks:

    (12.10.22) , cloud99 (28.11.17)

  9. #6
    Advanced User Renk's Avatar
    Join Date
    17.08.08
    Location
    Elsewhere
    P2P Client
    utorrent
    Posts
    577
    Activity Longevity
    0/20 19/20
    Today Posts
    0/5 ssssss577
    Quote Originally Posted by Master Razor View Post
    You write it in order to remember it, but you do not keep the paper after writing it. You destroy it.


    That's good but at some point your random things will form a pattern. Most times unaware of.
    You can ShaShaSha the random things and normally the possible patterns are gone.
    Reply With QuoteReply With Quote
    Thanks

  10. #7
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    38,546
    Activity Longevity
    10/20 19/20
    Today Posts
    1/5 ssss38546
    SHA³ is too complicated, I hash all my passwords with Double ROT13
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  11. #8

    Join Date
    04.04.22
    Location
    Isle de peurt
    P2P Client
    qbit
    Posts
    45
    Activity Longevity
    1/20 1/20
    Today Posts
    0/5 sssssss45
    password_strength.png

    I got this from somewhere, maybe this can help someone better protect there password.

    This bascially talks about password entropy and how we should move away from password to passphrases.

    Edward snowden has actually a video of it on youtube: if you are interested

    And a very long article that I do think people should read to better their privacy and online security: https://theintercept.com/2015/03/26/...rs-cant-guess/

    This practises if implemented can prove to be very good.
    Last edited by Rupel89yt; 27.04.22 at 11:18. Reason: Added an article
    Reply With QuoteReply With Quote
    Thanks

  12. Who Said Thanks:

    Davidmyx (08.10.22)

  13. #9
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    38,546
    Activity Longevity
    10/20 19/20
    Today Posts
    1/5 ssss38546
    The most important rules are 1. generate a strong password that's not in any public wordlist; 2. don't reuse it anywhere no matter what, because said wordlists grow with every major database breach.

    I've been using this for more than a decade. The code is even older, and it shows... but still works. Add a good login database protected with a strong password or phrase you can remember (KeePass is my choice, but anything that's free software and offline is fine), and you're set.

    HTML Code:
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <title>JavaScript Password Generator</title>
    <script>
    function getRandomNum(lbound, ubound) { return (Math.floor(Math.random() * (ubound - lbound)) + lbound); }
    function getRandomChar(number, lower, upper, other, extra) {
    var numberChars = "0123456789";
    var lowerChars = "abcdefghijklmnopqrstuvwxyz";
    var upperChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    var otherChars = "`~!@#$%^&*()-_=+[{]}\\|;:'\",<.>/? ";
    var charSet = extra;
    if (number == true)
    charSet += numberChars;
    if (lower == true)
    charSet += lowerChars;
    if (upper == true)
    charSet += upperChars;
    if (other == true)
    charSet += otherChars;
    return charSet.charAt(getRandomNum(0, charSet.length));
    }
    function getPassword(length, extraChars, firstNumber, firstLower, firstUpper, firstOther, latterNumber, latterLower, latterUpper, latterOther) {
    var rc = "";
    if (length > 0)
    rc = rc + getRandomChar(firstNumber, firstLower, firstUpper, firstOther, extraChars);
    for (var idx = 1; idx < length; ++idx) {
    rc = rc + getRandomChar(latterNumber, latterLower, latterUpper, latterOther, extraChars);
    }
    return rc;
    }
    </script>
    </head>
    <body>
    <center>
    <table width="80%" border="0">
    <tr align="center">
    <td>
    <form name="myform">
    <table border="0">
    <tr>
    <td>First character can be:</td>
    <td>
    <input type="checkbox" name="firstNumber" checked>Number
    <input type="checkbox" name="firstLower" checked>Lowercase
    <input type="checkbox" name="firstUpper" checked>Uppercase
    <input type="checkbox" name="firstOther" checked>Other
    </td>
    </tr>
    <tr>
    <td>Latter characters can be:</td>
    <td>
    <input type="checkbox" name="latterNumber" checked>Number
    <input type="checkbox" name="latterLower" checked>Lowercase
    <input type="checkbox" name="latterUpper" checked>Uppercase
    <input type="checkbox" name="latterOther" checked>Other
    </td>
    </tr>
    <tr>
    <td>Password length:</td>
    <td><input type="text" name="passwordLength" value="16" size="3"></td>
    </tr>
    <tr>
    <td>Extra password characters:</td>
    <td><input type="text" name="extraChars" size="20"></td>
    </tr>
    </table>
    </td>
    </tr>
    <tr align="center">
    <td>New password: <input type="text" name="password" size="20"><br>
    <input type="button" value="Generate password" onClick="document.myform.password.value = getPassword(document.myform.passwordLength.value, document.myform.extraChars.value, document.myform.firstNumber.checked, document.myform.firstLower.checked, document.myform.firstUpper.checked, document.myform.firstOther.checked, document.myform.latterNumber.checked, document.myform.latterLower.checked, document.myform.latterUpper.checked, document.myform.latterOther.checked);">
    </form>
    </td>
    </tr>
    </table>
    </center>
    </body>
    </html>
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  14. Who Said Thanks:

    Master Razor (08.05.22) , BrianBosworth (04.05.22)

  15. #10
    I'm surprised to see this old thread. I've learned much since then, but the information written is actually correct.

    This was written in 2017, and still some sites do not accept special characters, not to mention restricting length.

    @anon
    Fully agreed. On Linux, passwd stops you if the password contains a dictionary word.
    Reply With QuoteReply With Quote
    Thanks

  16. #11
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    38,546
    Activity Longevity
    10/20 19/20
    Today Posts
    1/5 ssss38546
    Quote Originally Posted by Master Razor View Post
    @anon
    Fully agreed. On Linux, passwd stops you if the password contains a dictionary word.
    So do cabal trackers. Who would have known "password" and "123456" weren't secure, even when fused together!
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

+ Reply to Thread

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •