
Native Instruments Acct. Stolen! (again)

Random dictionary words are not good advice. 3 words can be brute forced in seconds. 4 words in a few days. Determined hackers will gain access to your account if they really want to. Password managers are the best solution.


His TL;DR Summary:
“Don't use words in passwords. Ever.
Don't try coming up with secure passwords, apart from the one protecting your password manager.
After adopting a solid password manager, don't give passwords another thought... let it do the hard work for you.
If you insist on tweeting "3 random word" advice, provide evidence to substantiate its security.”

_____________________________

A better solution is coming (both Apple and Google are actively working towards improving account security from a user’s perspective):

A better solution is coming (both Apple and Google are actively working towards improving account security from a user’s perspective):

And Microsoft. But reality is what it is and this will take time before normalized and the kinks are worked out so common sense/best practices still apply for the time being...
 
The Paul reviews article uses an example of an offline brute force attack where the actual hashed password database is stolen and brute forced offline (using some very powerful computational horsepower). In a brute force attack against an actual live system your three or four words are going to be secure for a long time (assuming you avoid password re-use; let’s leave 2FA out of this for a moment and focus on passwords alone).

Which brings me to the point: in cyber security there is a concept known as ‘assume breach’; we use this methodology to design systems that can minimise damage when you get hacked. Note I say when! Assume Breach means, in simple terms, you will be compromised at some point, so assume the attacker is already in your systems and design your defences around that.

Applying this methodology to passwords means, in simple terms, do not re-use passwords on multiple systems (sites) and implement a second factor of authentication where possible.

A stolen password hash can’t be partially matched, only fully matched, so with three words, for example dogfishmarmot, if an attacker tries dogcatporpoise they don’t know they have got dog correct and must try every permutation until a full match is achieved.

TLDR Three words is fine, four is better five better still. Just DO NOT REUSE PASSWORDS! And use a password manager.
 
It’s not better than a password manager. But for people that won’t use one, it is way better than the usual passwords people pick, though. It’s also an option for the master password, since that is one that can’t be stored in the password manager. I personally use LastPass.
Good points.
 
People can steal just your password, or the database of all passwords from a site. Ideally, most sites keep their list of passwords encrypted, but there are always ones that don't.

If someone has your password only, changing it will remove access from them. If an entire site is hacked, they usually get just a snapshot of the password list at that moment in time, so if you change yours after that, they will no longer have access to your account.
I guess it's something like your quote, but if you consider items purchased that can be pretty costly, you need to stop the hacker from using that software for free, plus the disruption and stress these things can cause. Any website needs to be a very safe place if there are any transactions with money, so yes, maybe a password change here and there, but it all must rely on the security of the web page.
 
This is where being into scifi helps. Misspelled scifi names. Best thing ever.
My only problem would be I would forget how I misspell them. :emoji_blush:

I have over 300 websites with logins. Many I haven't visited in years. I have one long cryptic master password if I need to change or look up a specific password. I let the password manager manage it. It's not a perfect system, but if one of these mom and pop sites gets hacked, the unique password the hacker now has is only good for the site they just hacked, not any of the others.

This works better for me than something like NostrommoDeethStarGalileoSeven7
Some sites require special characters etc.



My method DOES NOT WORK if you are on a public computer or common computer where someone you work with or the next person using your computer has access to it.

I also don't use my phone to login anywhere.

I think the advice given above about assuming your password has been hacked and acting appropriately is good advice.

Thanks.
 
I guess it's something like your quote, but if you consider items purchased that can be pretty costly, you need to stop the hacker from using that software for free, plus the disruption and stress these things can cause. Any website needs to be a very safe place if there are any transactions with money, so yes, maybe a password change here and there, but it all must rely on the security of the web page.
It's two different things. For someone hacking a website, it's entirely up to them to be more secure to try and prevent that. But for someone hacking your password only, it's mostly on you.
 
My method DOES NOT WORK if you are on a public computer or common computer where someone you work with or the next person using your computer has access to it.
It should work. One thing you can do is use Incognito mode, so the browser doesn't save any cookies. Another is to clear the browser cache when you're done. And of course, make sure you're logged out of your password manager. Another option is to use the password manager app on your phone and type it in manually, which is a pain but it works.
 
My only problem would be I would forget how I misspell them. :emoji_blush:
I'm thinking more Lord of the Rings Elven names. Nothing from movies. You have to go to the books. Or create your own language. Then you don't need too fancy a password.
 
It should work. One thing you can do is use Incognito mode, so the browser doesn't save any cookies. Another is to clear the browser cache when you're done. And of course, make sure you're logged out of your password manager. Another option is to use the password manager app on your phone and type it in manually, which is a pain but it works.
Those are two things I always forget to do. :emoji_blush:
 
I'm thinking more Lord of the Rings Elven names. Nothing from movies. You have to go to the books. Or create your own language. Then you don't need too fancy a password.
Pretty much every movie / TV show / book / musical artist / video game / song title and lyrics are in the 'hackers database' already, as are most conceivable date combinations, name spelling variations, slang words etc. You need pretty convoluted strings of random characters to safeguard nowadays. Don't forget there's a HUGE scene working on this day in, day out, and it has been for the past 30 years.

Safest thing you can do is use 'password' as your password, but don't tell the hackers.

Seriously though, use a different password for every single account you own online and keep them in a secure document, or use 1Password etc.
 
Interesting discussion.

Why can't you use special characters from the character map? Does that not make passwords more secure?