Why, no matter how hard you try, passwords have never been weaker, and crackers have never been stronger. Ars talks about the amazing strides that attackers have made in password cracking over the past few years. Think you know how to pick something secure? The odds are very high that you don't, even if you are technically competent.

Crackers used to use electronic versions of paper dictionaries to generate guesses, adding numbers and punctuation in the ways they believed people did. However, in the 21st century, thanks to the many major compromises and the many, many leaks of passwords that real people chose across the world wide web, they no longer have to work from a theoretical corpus of possible passwords. They now have a mass of millions of real passwords that were created in the wild. As it turns out, whatever system you use to generate passwords, if it is not random, someone else has almost certainly used something like it, and it has most likely already been cracked. And crackers now have access to previously unimaginable levels of computing power.

It's gotten to the point where (at least) ten-character, truly random passwords, unique per site, are required. If you use a template at all, it's likely that a careless user used it on a hacked service and the bad guys know about it. If your password hash leaks, at least considering current architectural practices at various large sites, there is no more than a 90% chance that it will be successfully guessed.

Tl;dr version: do not reuse passwords at all. Always use at least ten characters. Unless your memory is unusually good, this means you need mechanical assistance, both for random generation and for keeping track of these passphrases. And don't forget that your keystore password, whether you're using a cloud service or a local program, must be the best one you have.

Posted by malor (179 comments total) [75 favorites]

Who do you call a cracker?
Posted by rykey at 5:41 am on August 21, 2012 [10 favorites]

Well, sites should let people choose longer passwords. There are still sites that limit password length to 8 characters.
Posted by renoroc at 5:42 am on August 21, 2012 [11 favorites]

I have a constant fear that somehow I will be locked out of 1Password, and my entire online life will separate from me and go its own way.
Posted by R. Schlock at 5:43 am on August 21, 2012 [16 favorites]

Listen to this founder.
Posted by Egg Shen at 5:45 am on August 21, 2012 [1 favorite]

A secure password is your choice.
Posted by rmd1023 at 5:46 am on August 21, 2012 [4 favorites]

Think you know how to pick something secure? Yes.
Whatever system you use to generate passwords, if it's not random, someone else almost certainly uses something similar.
I use something random, and then something like the following: I keep the rest of my passwords in a file that exists in only two places and is hand-encrypted with some 24-character password. Probably that one password is enough.
Posted by King Bee at 5:47 am on August 21, 2012 [1 favorite]

R. Schlock: stashing passwords in a safe place helps get away from that.
Posted by rmd1023 at 5:48 am on August 21, 2012 [1 favorite]

Under no circumstances will I understand web sites (banks, I'm looking at you!) with an arbitrarily low maximum password length. I'm aware that those are probably just pretty web interfaces for mainframe systems, but they're practically begging to be hacked.
[3 favorites]

Honestly, no matter how obfuscated your ten or even 20-character password is, if the server side of the equation doesn't salt your password, you're screwed. I don't think producing wild passwords is what made the process so fast. Instead of "pin" and "password1", which would both be caught by a rainbow table of all 10-digit passwords, have the attacker build a rainbow table for each 10-digit password plus a one-to-three-megabyte picture of the head of security's wife and children.
Posted at 5:49 am on August 21, 2012 [10 favorites]

All my passwords are composed of pseudo-random combinations of numbers. Those are the stats.
Posted by blue_beetle at 5:50 am on August 21, 2012 [1 favorite]

When Steam was hacked, I wept with happiness as they announced the fact that you had been hacked immediately and pointed out that their password hashes were salted.
Posted by Kid Charlemagne at 5:51 am on August 21, 2012

Honestly, it doesn't matter how obfuscated your ten or even 20-character password is; when the server side of the equation doesn't salt its passwords, you're screwed.
Yes, you're screwed for that account, and, more to the point, you can't know whether a site stores passwords without a salt, so what this piece says is that good password hygiene comes down to making sure none of your other passwords follow the same pattern or are the same password.
Posted by OmieWise at 5:53 am on August 21, 2012

Tag required: "correcthorsebatterystaple". Which was probably used by a huge number of people who didn't get it.
Posted by foosnark at 5:54 am on August 21, 2012 [14 favorites]

The complexity of the password itself is a red herring. There is not the slightest reason why any system (including those used to protect password lists) should allow more than a few attempts to access an account before locking people out and falling back to other means of identification. If that means that someone has to physically go to the source of the data and check the closet, so be it. And there is certainly no reason why any system should allow successive failed access attempts less than 5 seconds apart. Eliminate these two annoyances and each of us is protected from every bit of computing power in the world.
Posted by pipeski at 5:55 am on August 21, 2012 [24 favorites]

My new rule of thumb: if I can remember the password, it's too weak. Tools like KeePass, LastPass, and 1Password are your comrades; use them.
Posted by tommasz at 5:55 am on August 21, 2012 [3 favorites]

My God, what have I done? I have to kill you all now.
Posted by guiseroom at 5:56 am on August 21, 2012 [2 favorites]

My God, what have I done? I have to kill you all now.
That's fine until one unsalted password cache is cracked.
Posted by jaduncan at 5:58 am on August 21, 2012 [3 favorites]

I keep looking at password keepers, but keep putting it off, partly because there are so many of them and they all seem decent, and I'm too lazy. I'll take this post as a sign and actually start researching them today.
Posted by amarynth at 6:01 am on August 21, 2012 [2 favorites]

I keep checking out password keepers, but keep postponing; most of them seem decent, but I'm too lazy. I'll take this post as a sign and actually start researching them today.
An alternative approach: use a password generator that produces a unique password based on the domain and a personal secret password. The advantage is that the actual passwords are not stored anywhere, and every domain gets its own password without any mental cost. There are free browser extensions and smartphone apps, and there's no need to sync, so you don't have to worry about server compromise or ongoing maintenance costs.
[8 favorites]

There is no reason why any system (including systems used to protect password lists) should allow more than a few attempts to access an account before the user is locked out and falls back to other means of identification.
Jesus Christ, this. If a person can get past "aaron" in a dictionary attack, then that is a security failure, but the problem is not on the user's side. You can either go to the unprepared masses and make them use passwords that cannot be remembered (while their sysadmins yell at them not to write their passwords down anywhere) and/or a pain in the ass like LastPass, or you encourage prospective professionals to follow basic rules when coding the login page. Really, which one do you think scales better?
(Also, if you wish, you can generate a naturally random password using the same processes a computer uses to generate its pseudo-random combinations of numbers: seeding the algorithm with outrageous input that cannot be obtained from easily accessible data, like old phone numbers or a mailbox. If some hacker wants to do the research needed to find, for example, the phone numbers of my childhood, and then work through all the possible combinations based on the variation obtained from the stolen hash, I'm much more interesting than I thought.)
Posted by Holy Zarquon's Singing Fish at 6:07 am on August 21, 2012 [7 favorites]

Think you know how to pick something secure? The odds are very high that you don't, even if you're technically competent.
No, I don't think I know how to pick anything secure. So I delegate the task to KeePassX, which makes a random password for me and keeps it securely. Yes, if my KeePassX database is compromised, I'm screwed, but neither way is considered entirely safe. The best thing I can do is put all my eggs in one basket and then watch that basket.
[3 favorites]

As long as there is a huge abundance of sites and services that have arbitrary limits on password length and content, that don't salt their hashes or otherwise protect their infrastructure; as long as you can hear the O'Reillys and O'Gradys of the world testify how a combination of lazy, ignorant programmers and SQL syntax has turned them into unwitting pentesters when all they wanted to do was enter their own real name; in other words, whatever reasonable password you are interested in, it is capable of being rejected. Of course, all the real responsibility for password security lies on the server side, not on the client side.
My policy is to use fairly complex passwords stored in one or another password storage system. The Firefox password manager and sync service see me through, and if I find a site that arbitrarily restricts what characters can go in the password field, I simply don't use that service. Every time you see "your password can't use @, #, %" or a maximum of a dozen characters, you can correctly guess that, in a hundred percent of cases, it means "lol, I don't understand hashing, imma stick this in the DB in plain text, bitches."
Posted by mhoye at 6:16 am on August 21, 2012 [38 favorites]

I use the same login for a lot of sites, but I add a unique suffix to each depending on where I log in. Let's say my base password is pumpk!Nmuff!N666. My unique MetaFilter login would be pumpk!Nmuff!N666 mifi.
Why just a suffix? Why not interleave the name of the site with a single password? pumpk!Nmuff!N666 plus metafilter becomes pmuemtpakf!Inlmtuefrf!N666. I use striping myself; however, I don't use a common login for every site, and my striping method isn't character-by-character.
Posted by jpfed at 6:17 am on August 21, 2012 [2 favorites]

Lord Jesus, this. If a person can get past "aaron" in a dictionary attack, then the issue is in the security system, not on the user's side.
I believe the problem lies elsewhere: mass attacks. The concern is not that attackers will hit the site's home page 40 million times to crack accounts, but that they will break into the site and acquire the password databases to work on later.
Posted at 2012 [10 favorites]

If a hacker can get past "aaron" in a dictionary attack, then this is certainly a security breach, but the fault is not on the user's side.
I don't think brute-forcers are actually polling the server billions of times per second. Correct me if I'm wrong, but I believe the cracking rigs that rely on graphics processors operate on lists of hashed passwords that have already leaked. These people are trying to reverse-engineer passwords from that list, not to break the login form.
On preview: what gjc said.
Posted by echo target at 6:19 am on August 21, 2012 [2 favorites]

Mat Honan's story about his hack discussed using an email address for password resets that is not your daily email address, but one you keep specifically for recovering your password. Does anyone do this, and if so, what are the best practices for it? (I'm assuming that using an address on a domain you manage is better than a free email service you could be banned from?)
Posted by gen at 6:22 am on August 21, 2012

Yeah, but that goes entirely beyond the concept of "secure" passwords: if a person gets the site's database and cracks the hash, they get your password, whether it's 12345 or y634qe9`3%;;px. The idea is that you have to think about a collection of passwords that not only vary between sites but are also so random that a hacker who gets one of them cannot extrapolate the others. I say that if it is possible to test these extrapolations on another site, then that site's security is terrible in almost every detail (and anyone who believes a hacker will spend that much time on them had better own a great many more yachts than I do).
Posted by Holy Zarquon's Singing Fish at 6:26 am on August 21, 2012 [1 favorite]

I use long strings of nonsensical syllables that are hard to remember, but easy to type! All of them are written down, except for the same meaningless prefix, which is common to all such passwords and lives exclusively in my head. The prefix protects my passwords in case the list is stolen, but it's easy enough to remember since I use it everywhere. The prefix trick was recommended by my favorite at the University of Helsinki, and it's pretty neat.
Posted by anything at 6:27 am on August 21, 2012 [4 favorites]

Server lockouts and delays do not matter when the password database is compromised, which has to be treated as an important consideration.
Holy Zarquon: I say that if it is possible to test these extrapolations on another site, then that site's security is terrible in almost every sense (and anyone who thinks a hacker will spend that much time on them had better own a great many more yachts than I do).
I suspect that crackers rely on low-hanging fruit: 1. most passwords can be found using a very small dictionary; 2. the mass of users will use the same password in different places. Limited number of attempts for a single email or social network account? Not difficult: you have a list of 2-4 thousand username and password combinations, just move on to the next username. Limited number of attempts per IP address? Elementary: use a botnet.
Posted by cbrachyrhynchos at 6:34 am on August 21, 2012 [1 favorite]

Well, websites should let people choose longer passwords.
There are still sites that limit the password length to 8 characters.
Many sites do limit password length, but for some reason they don't tell you.
Posted by churchhatesucker at 6:35 am on August 21, 2012 [1 favorite]

I can start jotting down passwords in a little notebook that I hide in my bra.
Posted by joanarkham at 6:35 am on August 21, 2012 [2 favorites]

The last paragraph in the OP clearly explains how this idea is definitely not going to be accepted by anyone except 5-10% of the regulars of the world wide web. It's a geeky solution that only other geeks will use. And really, it seems like the real question comes down to what security protocols can (or can't) look like on the server side and in the DB, not on the end-user side.
Posted by thorzdad at 6:36 am on August 21, 2012 [1 favorite]

My new rule of thumb: if I can remember the password, it's too weak.
Unfortunately, it's not really so. Very wrong. As xkcd and others pointed out, thirty years of rampant superstition about password security has led us to demand passwords that are almost impossible for people to remember but easy for computers to find. This is entirely true (to the best of my ability to find out). As far as brute force is concerned, "!Ty" is only a couple of jumps from "safety". Similarly, people scoff at word-string passwords because they seem so easy to guess and because those people think a hacker will be able to tell when they have entered the first word correctly. It's not the same as cracking a safe on TV: they don't hear the tumblers falling.
The conventional wisdom about password security is, of course, security theater.
Posted by gjc at 6:36 am on August 21, 2012 [10 favorites]

You also have to set certain security questions/answers for each site. Until now, when the Blizzard database, including the security question answers, was hacked and stolen. I don't care about my Blizzard password since it's unique and I can easily generate another one, but I rather suspect those stolen security questions have been used on other sites, and I can't change them for every site that uses them. (I can't immediately remember which security questions Blizzard used because they don't show up on my email or social media pages at all when I log in.)
Posted by longdaysjourney at 6:37 am on August 21, 2012

Fix these two complaints and we will protect your device to some extent from any computing power on earth.
No. Never. Many authentication schemes (e.g. HTTP Digest) are built around the idea that the client and server hash shared secrets (e.g. passwords) and then exchange those hashes over the wire verbatim. Access is granted when a locally computed hash matches the hash received from the remote machine. User security rests on the fact that it is extremely difficult for an interceptor watching hashes fly over the internet to match them to the original secrets from which they were generated. But if you are the interceptor, you personally have offline, quick and hassle-free access to the exchanged hashes. You can put all the computing power in the world to work cracking those secrets, and then use them to get into the site on the first try with no guessing required. Limiting failed login attempts will not prevent people from having your password.
[2 favorites]

I just use "Shaft" as the answer to any "secret questions", as far as I can remember.
Posted by thelonius at 6:40 am on August 21, 2012 [5 favorites]

I'm just a plain old web programmer, but I'm curious whether the following routine would make password hashing less amenable to GPUs:

    set pws = concatenate(password, salt)
    set hash = pws
    for x = 1 to number of rounds:
        set bitToCheck = x mod hash.Length
        if the bitToCheck-th bit in hash is set:
            set hash = scrypt(hash)
        else:
            set hash = pbkdf2(hash)
    return hash

Posted by jpfed at 6:41 am on August 21, 2012

Mat Honan's story about his hack discussed using an email address for password resets that is not your daily email address, but one that is only needed for recovering a password. Does anyone do this, and if so, what are the best practices for it? (I'm assuming that using an address on a domain you manage is better than a free email service you could be banned from?)
I don't think so, for the script. Useful. If a person has access to your regular account, how much access
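A runnable version of the routine jpfed sketches above, written here as an added example rather than jpfed's own code: each round inspects one bit of the running hash and, depending on it, applies either scrypt or PBKDF2, both of which Python's hashlib provides. The scrypt parameters, the PBKDF2 iteration count and the reading of "x mod hash.Length" as a bit index are assumptions of this example, since the sketch leaves them open.

```python
import hashlib
import hmac
from typing import List, Tuple


def bit_is_set(data: bytes, bit_index: int) -> bool:
    """True if bit number bit_index of data is set (bit 0 = lowest bit of byte 0)."""
    return (data[bit_index // 8] >> (bit_index % 8)) & 1 == 1


def mixed_kdf(password: bytes, salt: bytes, rounds: int,
              scrypt_n: int = 2 ** 12) -> Tuple[bytes, List[str]]:
    """jpfed's sketch made concrete: each round looks at one bit of the running
    hash and, depending on it, applies scrypt (memory-hard) or PBKDF2 (CPU-bound).

    Returns the final 32-byte value plus the branch taken in each round, so the
    data-dependent schedule is visible. Parameters (scrypt N/r/p, PBKDF2 rounds,
    "x mod hash.Length" read as a bit index) are assumptions of this example.
    """
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    h = password + salt            # "pws = concatenate password and salt"
    trace: List[str] = []
    for x in range(1, rounds + 1):
        bit_to_check = x % (len(h) * 8)
        if bit_is_set(h, bit_to_check):
            h = hashlib.scrypt(h, salt=salt, n=scrypt_n, r=8, p=1, dklen=32)
            trace.append("scrypt")
        else:
            h = hashlib.pbkdf2_hmac("sha256", h, salt, 10_000, dklen=32)
            trace.append("pbkdf2")
    return h, trace


def verify(password: bytes, salt: bytes, rounds: int, stored: bytes) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    candidate, _ = mixed_kdf(password, salt, rounds)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    import os
    salt = os.urandom(16)          # per-user random salt, as the thread keeps stressing
    digest, trace = mixed_kdf(b"correcthorsebatterystaple", salt, rounds=8)
    print(digest.hex(), trace)
    print(verify(b"correcthorsebatterystaple", salt, 8, digest))   # True
    print(verify(b"password1", salt, 8, digest))                   # False
```

Because the branch pattern depends on the secret, the memory and timing profile of a login differs per password, and a cracking rig simply reproduces the same branches, so the composition adds irregularity rather than proven extra cost. A practitioner would reach for a single vetted, tunable KDF such as scrypt on its own rather than an ad hoc mix.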
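The domain-based generator proposed earlier in the thread (the "alternative approach" reply to amarynth), as an added example that is not code from the thread or from any of the extensions it mentions: each site's password is derived from one memorized master secret and the domain with a slow one-way KDF, so nothing is stored, and a single cracked site password does not let an attacker cheaply extrapolate the master secret or the passwords for other domains, the concern raised later by Holy Zarquon and cbrachyrhynchos. The salt prefix, normalization rule and default length are assumptions of this example.

```python
import base64
import hashlib

# Versioned salt prefix (an assumption of this example) so a future scheme
# change yields new passwords instead of silently colliding with old ones.
SALT_PREFIX = "site-password-v1:"


def normalize_domain(domain: str) -> str:
    """Fold case and drop a leading 'www.' so both spellings derive the same password."""
    d = domain.strip().lower()
    if d.startswith("www."):
        d = d[len("www."):]
    return d


def site_password(master_secret: str, domain: str, length: int = 16,
                  iterations: int = 200_000) -> str:
    """Derive a per-domain password from one memorized master secret.

    PBKDF2-HMAC-SHA256 is used as a deliberately slow, one-way derivation with
    the domain as the salt: every site gets an unrelated password, nothing is
    stored anywhere, and an attacker who cracks one site's hash learns only that
    site's password and must brute-force the master secret through the slow KDF
    to reach any other domain.
    """
    if length < 10 or length > 64:
        raise ValueError("length must be between 10 and 64 characters")
    salt = (SALT_PREFIX + normalize_domain(domain)).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                                 salt, iterations, dklen=48)
    # URL-safe base64 yields letters, digits, '-' and '_' only, which sidesteps
    # sites that reject characters such as '@', '#' or '%'.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo secret, not a real one
    for d in ("example.com", "www.Example.com", "metafilter.com"):
        print(f"{d:20} {site_password(master, d)}")
```

The trade-off the thread also notes still applies: the master secret is the single point of failure, and a site that silently truncates or rejects the derived string needs a per-site override the scheme above does not provide.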