On 03/11/12 13:12, Daniel Robinson wrote:
>
> *Passwords*
>
> One password for computer login
> One password for mail servers
> One password for trusted sites
> One password for untrusted sites
>
> obviously use the strongest and most memorable passwords possible

The anecdote that kills this one is the guy at ICL who used the same password (in an allegedly drunken evening of game playing) on an online MUD as he used for root on a system, only to have it drop out of "crack" on the next upgrade. The MUD passwords were used to seed the database used by crack.

I used to do something like this, then my Twitter account was abused (possibly by some other method, possibly the password was guessed, I couldn't tell). Thus I had to give a new password to several hundred low priority web sites. Sure, I could risk them all being abused; the risk is small, but the consequences of inaction would add up.

Now all my online properties have a unique password of 16+ (where allowed) letters, characters and numbers; they are kept in a password manager. I appreciate the password manager is a weak spot in this configuration, but it is probably better at spotting fake password forms than I am, and it can certainly type quicker.

I record password recovery information in a file kept with strong encryption; for each site, answers to security questions like "What is your mother's maiden name" are long random strings similar to a password.

crack also tries trivial variants on the passwords it knows about; you can be sure the bad guys will too. If they get your password plaintext and your method of salting is too obvious, they'll just add it to the tool set they use.

The assumptions many of us have made in the past about passwords and encryption keys are probably obsolete.

"A 384-bit key I can factor on my laptop in 24 hours," he says. "The 512-bit keys I can factor in about 72 hours using Amazon Web Services for $75."

http://dropsafe.crypticide.com/article/9014

Similar comments apply to password length. freerainbowtables.com and the like will ship you 3 x 3TB hard drives full of rainbow tables if you ask them to and supply £800. That there is enough interest for a market should worry people using passwords under about 12 characters.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
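An added example illustrating the two points above (that crack-style tools try trivial variants and obvious site-name "salting" of a known password, and that the fix is a unique random secret per site); this is not code from the original post or the list. It checks a candidate password against a constructed, hypothetical list of already-known passwords by reducing both to the base word a variant rule set would start from, and generates per-site secrets the way a password manager does. The word list, the leet map and the function names are my own assumptions.

```python
import re
import secrets
import string

# Constructed stand-in for a list of passwords already known to crackers
# (the role the MUD password dump played in the anecdote). Hypothetical values.
KNOWN_COMPROMISED = {"dragonslayer", "gandalf", "password", "devoncornwall"}

# Common letter-for-symbol substitutions, reversed (assumed map).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def canonical(pw: str, site: str = "") -> str:
    """Reduce a password to the base word a 'trivial variant' rule set would
    start from: lower-case it, drop an obvious site-name salt, strip trailing
    digits/symbols and leading digits, then undo leet substitutions.
    'Gandalf2012!' -> 'gandalf'; 'gandalf-twitter' (site='twitter') -> 'gandalf'."""
    s = pw.lower()
    if site:
        s = s.replace(site.lower(), "")
    s = re.sub(r"[^a-z]+$", "", s)   # 'password123!' -> 'password'
    s = re.sub(r"^\d+", "", s)       # '99password' -> 'password'
    return s.translate(LEET_MAP)     # 'p4ssw0rd' -> 'password'


def is_trivial_variant(pw: str, known: set, site: str = "") -> bool:
    """True when pw is a known-compromised word or an obvious mutation of one.
    The known list is canonicalised too, so 'Gandalf!' matches 'gandalf'."""
    base = canonical(pw, site)
    return bool(base) and base in {canonical(k) for k in known}


def generate_password(length: int = 20) -> str:
    """A fresh secret from the OS CSPRNG, as a password manager would make:
    nothing is derived from a master word, so there is no salting scheme to
    learn. Equally usable as a 'security question' answer. Requires at least
    one lower, upper, digit and punctuation character so site policies accept it."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    for candidate in ("DragonSlayer99", "g4nd4lf", "gandalf-twitter", generate_password()):
        flagged = is_trivial_variant(candidate, KNOWN_COMPROMISED, site="twitter")
        print(f"{candidate!r}: trivial variant of a known password = {flagged}")
```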