Advice on passwords.

Started by: Charry | Replies: 26 | Views: 3,102

Cruel

Posts: 2,660
Joined: Nov 2012
Rep: 10

May 8, 2016 5:31 AM #1448208
Quote from Ashlander
I use pretty much the same password for everything. I hate when websites give you strict guidelines that you need to follow (have a capital letter, number, AND a special character, etc). Since every site has different requirements, I end up needing to guess which variation of it it is. Fuck off and let us just use what we want. If we get hacked, it's no-one's fault but our own (and the hacker obvs).

This isn't to say I don't see the value in using caps and numbers and shit in your password. I don't think everyone should just go and use their first name as the pass to their bank account.

...actually everybody please do. Also, just out of curiosity, what is all your first names?


He's a hackor, it's a trap.
Scarecrow

Posts: 9,168
Joined: Oct 2005
Rep: 10

May 8, 2016 7:55 AM #1448216

this is the kind of password i use for places where i'm actually concerned about security. my wifi password for example is a string of 6 words alternating all-caps and no-caps with a few numbers and symbols at the start and end. the string of words is generated randomly from some website, and i modify it to make it into a memorable passphrase.

i've also got two generic passwords that i use for most other stuff; one low-security 6 character string of letters and numbers that i use anywhere that i don't give a fuck about the account or don't feel that additional security is necessary, and one medium-security 14 character password with caps, nocaps, symbols, and numbers, for general use and websites with annoying password requirements.

there's other neat stuff you can do for protecting your computer, such as requiring a physical (USB) key to be plugged in before you're even allowed to attempt to log on. been meaning to set this up for a while but i've been busy
Ashlander

Posts: 1,944
Joined: Mar 2010
Rep: 10

May 8, 2016 8:07 AM #1448217
Quote from Scarecrow
there's other neat stuff you can do for protecting your computer, such as requiring a physical (USB) key to be plugged in before you're even allowed to attempt to log on. been meaning to set this up for a while but i've been busy

I never understood why people get so tight about the security on their home computer/laptop. I have nothing incriminating on there, I don't have stolen FBI files or child pornography hiding anywhere to be found. What do I care if a friend or family member opens it up to watch youtube or play a game? I can understand if it's like used as parental controls or something, but just trying to make your laptop that secure just oozes that someone's trying to hide something or is just plain paranoid.

I do have a password on my laptop, but that's just because I have it linked to my Microsoft account, and it sets it to that password on by default.
Scarecrow

Posts: 9,168
Joined: Oct 2005
Rep: 10

May 8, 2016 8:42 AM #1448220
Quote from Ashlander
I never understood why people get so tight about the security on their home computer/laptop. I have nothing incriminating on there, I don't have stolen FBI files or child pornography hiding anywhere to be found. What do I care if a friend or family member opens it up to watch youtube or play a game? I can understand if it's like used as parental controls or something, but just trying to make your laptop that secure just oozes that someone's trying to hide something or is just plain paranoid.


well, apart from all the drug-related stuff, my search history, and porn that's illegal in australia, yeah, i am a bit "just plain paranoid". my brother's an IT security expert and he's breached my privacy more times than i can count just for the fun of it.

but aside from that, simply put it's just good practice to keep your data as secure as possible. you never know when that funny photo of you and your mate smoking cones together might suddenly become incriminating evidence against the guy because he decided to get into politics.
poppetje3D

Posts: 3,408
Joined: Jun 2008
Rep: 10

May 8, 2016 6:05 PM #1448239
Anyone already tried going on charry's account?
Charry

Posts: 2,260
Joined: Jul 2013
Rep: 10

May 8, 2016 7:56 PM #1448248
Quote from poppetje3D
Anyone already tried going on charry's account?


My account is as impenetrable as an iron thong.
DiPi

Posts: 3,075
Joined: Feb 2012
Rep: 10

May 9, 2016 7:07 AM #1448305
Quote from Charry
My account is as impenetrable as an iron thong.


And smoking saves lives
Drizzle

Posts: 1,607
Joined: Jun 2013
Rep: 10

May 9, 2016 7:39 AM #1448307
Quote from DiPi
And smoking saves lives


It does.
Jeff
Administrator

Posts: 4,356
Joined: Dec 2007
Rep: 10

May 9, 2016 5:02 PM #1448332
Password security is a far more complex issue than is covered in this thread. The XKCD article that everyone likes to bring up when discussing password strength is actually very misleading and probably shouldn't be taken at face value. Password strength shouldn't be only measured by how much entropy it has. Entropy matters in a brute force attack, but brute force isn't as much of a problem in this day and age given the proclivity of password hashing functions like bcrypt. The time complexity for brute force is often too high to be worth it for an attacker.

Similarly, password validation rules can also be problematic from a user experience perspective. Forcing a certain password format unintentionally incentivises the use of common workarounds to make their password easier to remember, such as replacing certain letters with numbers or symbols (o as 0, a as 4 or @, for example) just to meet the requirements, which makes them more vulnerable to statistical dictionary based attacks. Attackers are well aware of this already. For example, 'password' is an easy to guess password. 'P@ssw0rd' is just as easy, despite following common validation rules. Sadly there isn't really a way to have a password to be both secure and easily memorized for most people.

Right now password security should be determined by how often a password is used in general. That's obviously a difficult thing to know; you can't just magically tell how often your desired password has been used. The current best practice is to use a secure password manager. It solves the problem for the majority of use cases: each password is unique and you only need to memorize the master password. As long as your master password is unique and protected against dictionary based attacks, you should be fine. For stronger security a two-factor authentication process would be even better, but for most people that's overkill.
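A defender-side illustration of the 'password' vs 'P@ssw0rd' point above, added here and not code from any poster: a registration-time check that undoes the common letter-to-symbol substitutions and strips digit/symbol padding before comparing against a common-password list, so the disguised form is rejected on the same grounds as the plain one. The word list and the minimum length are constructed assumptions for the example.

```python
import re

# Constructed stand-in for a breached/common-password corpus (assumption:
# a real deployment checks against a far larger list).
COMMON_PASSWORDS = {
    "password", "letmein", "qwerty", "welcome", "iloveyou", "monkey", "dragon",
}

# The substitutions the post describes (o as 0, a as 4 or @, ...); attacker
# rule sets already undo these, so the check must undo them too.
LEET_MAP = str.maketrans({
    "0": "o", "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "|": "l", "$": "s", "5": "s", "7": "t", "+": "t",
})


def base_forms(candidate: str) -> set:
    """Return the dictionary words a candidate collapses to under common rules.

    Two reductions are tried: undo substitutions across the whole string, and
    drop the digit/symbol padding people add at the ends ('password1!') before
    undoing substitutions in the remaining core.
    """
    lowered = candidate.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = {lowered, lowered.translate(LEET_MAP), core, core.translate(LEET_MAP)}
    forms.discard("")
    return forms


def check_password(candidate: str, common=COMMON_PASSWORDS, min_len: int = 12):
    """Return (accepted, reason). Dictionary hit is reported before length so
    the reason tells the user why a 'compliant' password is still weak."""
    for form in sorted(base_forms(candidate)):
        if form in common:
            return False, f"reduces to common word '{form}'"
    if len(candidate) < min_len:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd", "Monkey2016!", "correct horse battery staple"]:
        print(pw, "->", check_password(pw))
```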
Scarecrow

Posts: 9,168
Joined: Oct 2005
Rep: 10

May 10, 2016 3:18 AM #1448395
Jeff, can you shed some more light on password managers? They're something I've not really understood and more or less overlooked.

I've always thought they were an ease-of-use thing that would simply make you dependent on using an application for your passwords, and at the same time make it possible for one password to be enough to access all of your accounts. How is that more secure? How would you access accounts from different locations, for example at a university computer or on your phone?
Cruel

Posts: 2,660
Joined: Nov 2012
Rep: 10

May 10, 2016 3:29 AM #1448398
Quote from Charry
My account is as impenetrable as an iron thong.


It clearly hasn't been tested by the Iron Dong.
Smile

Posts: 5,331
Joined: Jan 2012
Rep: 10

May 10, 2016 6:06 AM #1448409
Quote from Scarecrow
Jeff, can you shed some more light on password managers? They're something I've not really understood and more or less overlooked.

I've always thought they were an ease-of-use thing that would simply make you dependent on using an application for your passwords, and at the same time make it possible for one password to be enough to access all of your accounts. How is that more secure? How would you access accounts from different locations, for example at a university computer or on your phone?


I'm not sure if this is what Jeff means, but having a password manager would make passwords more secure because it removes the necessity of memorizing the password. You can have like 0W43S7dt%dn3940N7t9*^B(D&a6fDd5&*B5 or some other randomly generated string that's hard to crack as your password and store it in the password manager where you can fetch it from when you need to. I use KeePass, and it's more secure because not only does it require a master password, it also requires a certain file first before I can open it. If I want to beef up my security I can put this file on a flash drive and hide it somewhere.

Also I think the idea is that you won't use it anywhere else but your own device. Password managers are supposed to facilitate security, and using someone else's device isn't really something that a program should help you with if the program is all about security. Of course if it's just Stickpage then you probably don't need it, but if it's your PayPal account then that's probably the time you should use password managers because you probably don't want to use it on a public system where your account can be easily compromised.