Pass Words and Security Questions

^^ And each website has their own rules about the password, including length. Usually they now require 1 number, 1 special symbol and some mixture of upper/lower case along with a min/max length. Websites also typically lock you out if you type the wrong password 3 times. So unless someone is running this algorithm offline, I don't get how any of this matters.

Most passwords aren't cracked because an attacker attempts to log into a website trillions of times. Most cracks are done by attacking the hashed password offline. They get the hashed password a variety of ways like breaches or intercepted traffic.

Cracking though isn't how most passwords get compromised. That happens one of two ways. From reuse because people reuse them at multiple places and one of those places is compromised. And people just willingly give it out. This is done by clicking on malicious links or not inspecting the certificate a site provides before logging in and falling for a spoofed login page. This is all a form of social engineering and more information is compromised by social engineering than any cracking array.
 
Ours change every 30 days. I have to keep a book on mine.
At work every time we get a new computer, the security reverts to every 2 weeks. It takes months and months for us to convince IT to fix it when it happens to you.

I would just change the number at the end. My current password is xxxxxxxxx63. That's 63 times every 2 weeks I had to change my password before IT got around to fixing it.

Worst part is, I work on an equipment control computer so get my email over the web on this machine. Can't change the password through the webmail, and I'm never in my office, so I would have to run to my office, fire up my office computer, wait the 20 minutes it took to boot up, then change my password and turn it back off.
 
Cracking though isn't how most passwords get compromised. That happens one of two ways. From reuse because people reuse them at multiple places and one of those places is compromised. And people just willingly give it out. This is done by clicking on malicious links or not inspecting the certificate a site provides before logging in and falling for a spoofed login page. This is all a form of social engineering and more information is compromised by social engineering than any cracking array.

For all of those examples, it wouldn't matter what your password is or how complicated you make it.......they basically 'found' your password because you unknowingly gave it to them or by them intercepting web traffic.
 
For all of those examples, it wouldn't matter what your password is or how complicated you make it.......they basically 'found' your password because you unknowingly gave it to them or by them intercepting web traffic.

That isn't true. Most breached passwords are hashed, meaning they need to be broken. The strength of the password is your only defense at that point.

If the breach is passwords in the clear or you give it to them unencrypted then the strength doesn't matter but the randomization does. If that one password is breached and was never used anywhere else then your other services are safe. If it was reused, or you have a password "system" that is predictable, then that one breach can leak all your other passwords.

Bottom line. Make each password as strong as possible (true random string) and make no two passwords alike in any way (every password is independent of each other). If an in the clear password is stolen, or a weak one cracked, then it should only compromise that one service.
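As an added illustration of the advice in this thread (not code from any of the posters): a short Python audit that flags passwords built from one predictable "system", such as a fixed base with a counter on the end, and generates independent random replacements. The function names and the sample vault are constructed for this example.

```python
import math
import re
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=20):
    """Independent, uniformly random password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def skeleton(password):
    """Reduce a password to its reusable base: lowercase it and strip the
    trailing run of digits/punctuation (the 'counter' people increment)."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def related_groups(vault):
    """Group services whose passwords share a skeleton. A leak of any one
    password in a group makes the others easy to guess."""
    groups = {}
    for service, password in vault.items():
        groups.setdefault(skeleton(password), []).append(service)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample vault (not real credentials)
SAMPLE_VAULT = {
    "work": "Bluebird#62",
    "webmail": "Bluebird#63",             # same base, counter bumped
    "bank": "bluebird2024!",              # same base, different suffix
    "forum": "q7#Lp2vX!eR9zT@4mKbW",      # unrelated random string
}

if __name__ == "__main__":
    for group in related_groups(SAMPLE_VAULT):
        print("predictable system shared by:", ", ".join(group))
    print("replacement:", random_password())
    print("entropy of 20 random chars: %.0f bits" % entropy_bits(20))
```

The skeleton check only catches suffix-style variation; passwords produced by `random_password` share no base at all, so a leak of one reveals nothing about the others.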
 













