Modern survival isn't just about food, water and warmth. You have to protect yourself on the your computer and on electronic systems that control most of what goes on in modern life and the first line of defense is usually setting up a password. In this some are clearly better than others. Surprisingly longer is not always better, and harder to remember passwords are not necessarily any better than easy remember ones.

http://www.baekdal.com/tips/password-security-usability

Thanks, Art. I am in the throes of making a new computer operational, and that article is very enlightening, as I sit here, surrounded by passwords written on post-it notes......

Good article, thanks, I learned something in the second half when the article discussed 2 and 3-word passwords. I guess a space is a character that's hard to decipher.

Here's a more difficult technique I have used. Make a password. Then, mentally encrypt the password to generate an encrypted password in your head. The encrypted password should look like gibberish. Use such an encrypted password for important stuff. Don't write down your encrypted password or your encryption technique.

The human element is almost always the weakest link in computer security.

art, thanks for the link to that article. some food for thought.

Hmm - "None can remember a password like "J4fS<2", which evidently mean that it will be written on a post-it note."

Tend to disagree. I've been able to remember passwords incorporating 1-3 symbol characters for better than 25 years, without writing them on post-it notes. What it takes is another potential insecurity - settle on a symbol, settle on a typical sequence of letters and numbers, and settle on a contrary sequence of letters and numbers, said sequences meaning something only to you. You can then vary these sequences over time and mandatory password resets. This becomes potentially insecure if you allow anyone to watch you enter a password, or someone can get a keylogger on your system - you'll need to change your sequences.

Better still, I like two factor authentication, something you have like a smartcard, your thumbprint, a secure token, and something you know, like a password. Either the token or the password won't get you in, you need them both. That has also worked for me better than anything else.

The easiest way to get a password is just to ask for it. Most ISPs will tell you what a persons primary email password is or reset the password without too much hassle. Sometimes they will ask for a security phrase (e.g. your favourite colour or mothers maiden name) or a billing account number and or address (a little dumpster diving) and sometimes not at all (many an ISP chicken couldn't care less). Once you have gained the email password, you will most likely be able to access their web hosting server as well (they rarely change the FTP password). You can then order domains and have them hosted on their account as many business ISP accounts rarely query their billing account. You can then setup up criminal Phishing websites and spamming operations with very little traceability. Then you can go around and try your hand with some of the big retailers such as Amazon, Ebay etc, or just perform a password reset with these companies and capture those details using webmail in real time.

All because someones favourite colour is blue.

http://en.wikipedia.org/wiki/Gary_McKinnon

Even Gary was able to access high level Pentagon and NASA servers by writing a simple script to scan .mil web sites for UN=Admin and PW=NULL. He apparently was quite successful and wouldn't have even been caught had he used a Laptop and an unsecured Wireless Access Point (remember to spoof your MAC address and factory reset the unsecured router when finished) instead of a dial up connection. So it just goes to show that even a basic password such as 'qwerty' is better than none at all.

Wireless WEP encryption is basically useless and can be cracked in minutes using a netbook. All the other wireless encryption protocols are design to be cracked by the likes of the NSA and GCHQ using portable custom ASIC logic machines.

The local university offer graduate degrees in hacking and countermeasures, where they practice walking into businesses as the computer geek (nobody is interested in the computer geek ) .

This article was written in August of 2007. Computers are dramatically faster than they used to be. Also, some bad guys are using botnets for password cracking. This means that some bad guys can apply several orders of magnitude more computing power to password cracking than they were able to when the article was written.

Unfortunately that means that some of the conclusions of the article are dangerously wrong. It's hard to get a true consensus on passwords from the thought leaders in the IT security industry, but in general an eight character password with three out of the four possible types of characters (upper case, lower case, numbers, symbols) would be considered adequate for low-security applications. Privileged accounts and higher-value targets should use longer passwords or two-factor authentication.

It's worth noting that there's a significant difference in security between offline password cracking and online password cracking. In the latter, the attacker is subject to account lockout settings and access method limitations that usually increases the time needed to crack a password such that it becomes infeasible. In offline password cracking, the attacker is not subject to any of those limitations and password security needs to be significantly greater to prevent attacks from succeeding. Many authentication systems are subject to offline attacks.

When talking to customers I tell them that insecure encryption like WEP is worse than useless, as it provides a false sense of security.

I'd be interested to learn why you say that other encryption protocols are designed to be cracked by government cryppies.

The article recommends using 2 or more words. Unfortunately, a space has NOT been an acceptable character anywhere I use a password. I'm not talking about underscore "_", and the article is not talking about underscore either. The article is talking about 2 or more words with a space between words.

While I don't really use it at the moment my degree was in CompSci, and I still stay up to date with things. Even with the advance in computers, you can't check that many passwords a second, and most all systems have limits. There are at least 96 different characters you can type (lowercase, caps, numbers, symbols, and punctuation). So at 6 characters long, you're at 782,757,789,696 combinations. Even trying to brute-force at 1,000,000 passwords a second (completely infeasible on pretty much every system out there), your looking at days of time to crack it. Government agencies might be able to, depending on the system. If you're talking about data encryption, with reasonable key-length this is more than enough for a password (the math involved to check keys, or even to compute a key from a given password takes time).
If you're really paranoid, bump it up to 8 characters long (your up to hundreds of years at 1,000,000 a second). Just make sure its random. I know its hard to memorize, but just take some extra time. (I would also tend to disagree with his conclusion to use combinations of words).