Password Strength

No, the Alt Gr key.
It doesn’t access any alternative graphics in Windows

1 Like

Nope, they are all just random strings. That’s what password managers are for! (And they can apply in most circumstances these days)

Rule-based passwords reduce the strength of the password. Although it probably doesn’t matter that much in some circumstances, it all depends on what kinds of attacks are likely to be thrown at the account. Passwords to your encrypted hard disk, for example, ought not to be weakened as they would then become much easier to brute force. Passwords for a random Joe to a website where there’s nothing especially sensitive to protect, where ordinarily the number of attempts at the password would be limited or other easier targets would exist, would be less important. But then, they would be less often used, so a password manager is still necessary.

It can be helpful to think of a clue to help remember any random password that needs to be typed in by hand, which can be anything from a word that looks similar to something that’s a similar shape, a pattern on the keyboard, etc. I don’t have a formula for that, though, other than using my imagination :slight_smile:

And yes, all of this is inconvenient. But it’s more inconvenient to put up with accounts getting hacked…

2 Likes

It depends on your region. It is used for a lot of characters over here, in Germany. ^ ² ³ { } } \ @ ~ | for example are all only available through AltGr.

1 Like

Um that key doesn’t exist on any of my keyboards… that’s an international feature not available to most people in North America.

I borrowed some images from WASD Keyboards to highlight the difference between a 104 and 105 key keyboard. I am no expert having never used such a keyboard, but it looks to me like the left hand SHIFT key is split into two keys.

Edit: Well I guess I got that wrong, when I looked at the blown up keyboard, it appears (for theirs anyway) that ALT-GR is replacing the second ALT key on the right hand side that I have on my keyboards. The other difference appears to move the vertical pipe to the left from the right above Enter and allows the Enter key to be taller but narrower on the bottom, which allows an extra punctuation key to exist beside Enter.

2 Likes

I use the environment around myself at the time of producing a password for a sign in. Five human senses, and my mood at the time of setting up an account on a website. Something that is a part of my being at that time and space, at that moment. That only my brain cells can reproduce in my weird way of thinking. Then mix them up with Caps, numbers and symbols, then reverse the order sometimes.

1 Like

I use KeePass for password management and sync across devices via NextCloud. I use password lengths towards the maximum allowed. Not always the max allowed as that makes brute forcing easier if the password length is known.

Firefox also now has (or I have just noticed) an option when you right click a password field to auto generate a unique password and automatically store the new password / user into Firefox. Firefox can also sync across your devices running Firefox. Other browsers may do this too. This is very convenient but using your internet facing browser as your password manager carries a lot of risk from remote exploit kits and local stealers/evil maid attacks etc.

Unique passwords for each account is best practice. You can use a password manager / service to generate these or you can use your own formula. Your own formula is weaker as an adversary could decipher the formula and breach further assets. Depending on your threat model this may be an issue or not. If you are a low value target the risk is low of an adversary paying enough attention to see two account breaches and link them to you and notice you have used a formula to devise passwords, even a simple one like 123google123 for google and 123reddit123 for reddit etc as they are just spamming brute force credential databases against targets. Higher value targets are a different story. On the other hand having all your passwords in a password manager is also a single point of failure that gives your adversary all the keys to the kingdom. 2FA I find very irritating.

You can check your logins against KNOWN breaches on Troy Hunt’s website “haveibeenpwned.com”.

Check if your email(s) has been in a known breach: https://haveibeenpwned.com/

Check if your password(s) has been found in a known breach: https://haveibeenpwned.com/Passwords

3 Likes

I find it very interesting how a lot of us are willing to use the internet and services provided on it without really knowing what is going on. Troy Hunt, whose website is “haveibeenpwned.com”, even mentions this in his blog in respect to his website’s services. To quote him, “Do not send any password you actively use to a third-party service - even this one!” and “If you’re worried about me tracking anything, don’t use the service. That’s not intended to be a flippant statement, rather a simple acknowledgment that you need to trust the operator of the service if you’re going to be sending passwords in any shape or form”. I like his openness and honesty in respect to the fact that services like his could do a lot more than most of us know about if the creator wants it to, and we choose to trust them. And, I think it is true of almost everything we do on our devices that are provided by others.
We make decisions, both consciously and unconsciously, to use these devices and applications. Some of us realise what we are putting at risk, and choose to do it. Others go out of their way to try to protect themselves. And I think the vast majority choose to do it because of the convenience it affords them.

4 Likes

Exactly, we really just do not know. And there is not enough time in the world to read every word of every service’s terms and conditions and check if it is real and they abide by it and the full legal ramifications and then research the backgrounds of everyone involved in the business etc etc.

For example I thought for a reasonable amount of time on whether to put “haveibeenpwned.com” links in my reply above. As you allude to, I do not know Troy Hunt personally and have not checked his service infrastructure for security and checked every line of the code of his software stack etc. I often think about these things in depth at least relative to my thinking.

So we tend to use generalized rules so we can actually get things done. So my thought process was that I have heard and read much about Troy Hunt from him and other people I “trust”. So I am willing to take the calculated risk that he is a “good” person with good intentions and that his infrastructure is secure to a reasonable standard. And that posting the links to his website would outweigh the potential risk of this not being true for the benefit of someone checking their credentials and maybe changing their password habits for better security and maybe not losing control of some account and the hassle involved with that. I did originally write “use at your own risk” but decided to take that out due to the scare factor. I also started to think that I should say not to put your actual password in and use a SHA1 hash of your password that the website allows for better protection. But then I thought that if people knew what that meant then they probably should already know what good passwords are and people that may benefit from “haveibeenpwned.com” would not go / lose interest. Then I started thinking that SHA1 is not secure now either so… on it goes.

I do not know what the answer is and that people do do things for convenience but there is no other option as we have to take these shortcuts to get things achieved and hope that we have applied enough due diligence not to get bitten. As I try to think these things through in my day to day life my procrastination becomes epic :crazy_face:

1 Like
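The posts above weigh whether to send a password, or its SHA1 hash, to a breach-checking service. The Pwned Passwords API behind haveibeenpwned.com/Passwords uses a k-anonymity range lookup: the client sends only the first five hex characters of the SHA-1 hash and finishes the match locally, so the service never receives the full hash or the password. The following is an added example written for this thread, not code from the thread or from haveibeenpwned.com; the server side is a constructed stand-in so it runs offline, and the passwords and counts in `SAMPLE_BREACHED` are made up.

```python
"""Checking a password against a breach corpus without revealing it.

Added example; not code from the thread and not haveibeenpwned.com's own
code. It reproduces the k-anonymity scheme the Pwned Passwords range API
uses: the client sends only the first 5 hex characters of the SHA-1 hash,
receives every known hash suffix with that prefix, and finishes the match
locally. The "server" below is a CONSTRUCTED stand-in so the script runs
offline; the plaintexts and counts in SAMPLE_BREACHED are made up.
"""
import hashlib

# Constructed breach corpus: plaintext -> number of times seen. A real corpus
# is stored only as SHA-1 hashes; plaintexts appear here solely to build it.
SAMPLE_BREACHED = {"password": 3_861_493, "123456": 37_359_195, "letmein": 254_000}

PREFIX_LEN = 5  # hex chars sent to the server; 16^5 = 1,048,576 buckets


def sha1_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 upper-case hex chars (the API's format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(breached: dict) -> dict:
    """Server side: map full SHA-1 hex -> occurrence count."""
    return {sha1_upper(pw): count for pw, count in breached.items()}


def range_response(prefix: str, corpus: dict) -> str:
    """Server side: one 'SUFFIX:COUNT' line per hash in the prefix bucket.

    The server learns only the 5-char prefix, which every password whose hash
    starts with it shares; it cannot tell which one the client holds.
    """
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    lines = sorted(
        "%s:%d" % (h[PREFIX_LEN:], n) for h, n in corpus.items() if h.startswith(prefix)
    )
    return "\r\n".join(lines)


def pwned_count(password: str, fetch_range) -> int:
    """Client side: breach occurrences for the password, 0 if its suffix is absent.

    fetch_range(prefix) returns the response body for that prefix; only the
    prefix ever leaves this function.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def fetch_range_http(prefix: str) -> str:
    """Real transport for the live service (not exercised in the offline run)."""
    import urllib.request
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:  # network access
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    corpus = build_corpus(SAMPLE_BREACHED)
    offline = lambda p: range_response(p, corpus)
    for pw in ("password", "oyster-lantern-quartz-91"):
        print("%-26s seen %d times" % (pw, pwned_count(pw, offline)))
```

Swapping `offline` for `fetch_range_http` turns this into a live check; the point of the split is that the trust decision discussed above shrinks to "will the operator do anything with a five-character hash prefix", since the password and its full hash never leave the machine.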

There is no need for consternation with passwords if you make a unique password for each site or service. You are basically trading the site a bit of random text for access. There is nothing they can do with that information if it doesn’t apply to anything anywhere else. Be more worried about which services you give personally identifiable information (I’m looking at you FaceBroke.)

3 Likes

In places where I can’t use LastPass I use a keyboard sequence like: 4321 #@!, then hop to another part of the keyboard and do something similar. I only have to remember the starting point(s). Example ends up being something like: 76543&^%#UyTrE

1 Like

Don’t use my father’s middle name as your password

SvAJioD

4 Likes

This sounds like “keyboard trails” kind of password generation. Most of the password crackers know people do this and they have keyboard trails sequences loaded in their databases too. (In another life, where I was in charge of development for embedded security for a product, I actually wrote a detector for keyboard trails in potential passwords.)

4 Likes
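The detector the post above describes, as an added example written for this thread (it is not the poster’s original code): a keyboard-walk check that a password policy can run before accepting a password. It assumes a US QWERTY layout, maps shifted symbols back to their base key, and flags runs of four or more physically adjacent keys, so the `76543&^%#UyTrE` example from earlier in the thread comes out as two walks covering ten of its fourteen characters.

```python
"""Keyboard-walk ("keyboard trail") detector for a password-policy check.

Added example written for this thread; not the poster's original detector.
Assumes a US QWERTY layout and flags any run of min_len or more consecutive
characters whose keys are physically adjacent (left/right, the row above or
below, or diagonal). Shifted symbols map back to their base key, so "&^%"
is the same trail as "765" and "UyTrE" the same as "uytre".
"""

# US QWERTY rows in physical order (an assumption; other layouts differ).
_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
# The same keys with Shift held, aligned position for position.
_SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# character -> (row, column) of the key that produces it
_POS = {}
for _r, (_base_row, _shift_row) in enumerate(zip(_ROWS, _SHIFTED)):
    for _c, (_base, _shift) in enumerate(zip(_base_row, _shift_row)):
        _POS[_base] = (_r, _c)
        _POS[_shift] = (_r, _c)


def _adjacent(a, b) -> bool:
    """True when keys a and b are distinct and touch on the grid.

    Real rows are staggered by about half a key; treating the layout as a
    plain grid slightly over-approximates diagonal adjacency.
    """
    (ra, ca), (rb, cb) = a, b
    return (ra, ca) != (rb, cb) and abs(ra - rb) <= 1 and abs(ca - cb) <= 1


def keyboard_walks(password: str, min_len: int = 4) -> list:
    """Return every maximal adjacent-key run of at least min_len characters."""
    walks, run, prev = [], "", None
    for ch in password:
        pos = _POS.get(ch)  # None for keys outside the four main rows
        if pos is not None and prev is not None and _adjacent(prev, pos):
            run += ch
        else:
            if len(run) >= min_len:
                walks.append(run)
            run = ch if pos is not None else ""
        prev = pos
    if len(run) >= min_len:
        walks.append(run)
    return walks


def walk_fraction(password: str, min_len: int = 4) -> float:
    """Share of the password's characters that lie inside a keyboard walk."""
    if not password:
        return 0.0
    return sum(len(w) for w in keyboard_walks(password, min_len)) / len(password)


def is_keyboard_walk(password: str, max_fraction: float = 0.5) -> bool:
    """Policy hook: reject when more than max_fraction of the characters are walk-derived."""
    return walk_fraction(password) > max_fraction


if __name__ == "__main__":
    for pw in ("76543&^%#UyTrE", "1qaz2wsx", "correct horse battery"):
        print(pw, keyboard_walks(pw), round(walk_fraction(pw), 2), is_keyboard_walk(pw))
```

A zig-zag such as `qazwsx` is only partly caught (the jump from `z` back up to `w` is not adjacent), which is why cracking wordlists carry these patterns verbatim rather than relying on a geometric rule; in practice a detector like this complements a blocklist rather than replacing it.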

Yeah, I suspect that sequence-approach is considerably less secure than a random 8-10 char password. The first time I read that I thought you were suggesting something more complex until I looked at my keyboard.

If you’re going to do something like that, a non-key-position-based “prefix” plus some other per-use code is a “better” idea. But if the pwd were to be compromised, you’re still screwed if you use that approach on other sites.

1 Like

I recently signed up for iDrive. (Some day I’ll write a review of that experience.) When it came time to come up with an encryption key I thought, what the heck, I can just store this in LastPass so I had LastPass come up with the key for me. 45 characters. Downloaded the software. Had to enter the encryption key. It wouldn’t let me cut and paste. I had to manually enter the 45 character key. :crazy_face: Got it right on the second try. Now it lets me cut-and-paste.

2 Likes

I think that speaks to iDrive’s idea of security. How could they expect you to enter a long/complex key without copy/paste. I guess they don’t! Just use your mother’s maiden name or high school mascot – you’ll be fine. :wink: Or maybe it was just a bug?

There are a lot of misguided ideas about security. Like sites that make you change your password every 60-120 days. Stupid, yet it’s a policy certain government agencies had in place some years ago.

I’ve experienced problems with filling on sites with LastPass, but those have been more and more mitigated or fixed over the past few years.

1 Like

Our card merchant’s PCI DSS compliance portal makes me do this every time I log in to run the network scans. The NIST guidelines changed a while back, now saying that password expiry is no longer recommended as it once was.

NIST:

“Q-B05:

Is password expiration no longer recommended?

A-B05:

SP 800-63B Section 5.1.1.2 paragraph 9 states:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.

This was also interesting:

Q-B06:

Are password composition rules no longer recommended?

A-B06:

SP 800-63B Section 5.1.1.2 paragraph 9 recommends against the use of composition rules (e.g., requiring lower-case, upper-case, digits, and/or special characters) for memorized secrets. These rules provide less benefit than might be expected because users tend to use predictable methods for satisfying these requirements when imposed (e.g., appending a ! to a memorized secret when required to use a special character). The frustration they often face may also cause them to focus on minimally satisfying the requirements rather than devising a memorable but complex secret. Instead, a blacklist of common passwords prevents subscribers from choosing very common values that would be particularly vulnerable, especially to an online attack.

Composition rules also inadvertently encourage people to use the same password across multiple systems since they often result in passwords that are difficult for people to memorize.”

1 Like
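The two NIST answers quoted above (B05: no arbitrary expiry, but a forced change on evidence of compromise, and watch for users applying “common transformations” to the old secret; B06: blocklist instead of composition rules) translate into a fairly small acceptance check. The following is an added example written for this thread, not NIST’s code: it enforces no composition rules at all, and instead rejects a candidate that is too short, on a blocklist, repetitive or sequential, contains the user or service name, or is only a trivial transformation of the previous secret. The blocklist here is a tiny constructed one (a real deployment uses a breached-password corpus) and the normalisation heuristic is my own.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example written for this thread; not NIST's code. The blocklist and
the normalisation heuristic are constructions for this example. No
composition rules are applied. A candidate is rejected when it is too short,
is on the blocklist, is repetitive or sequential, contains the username or
service name, or is a trivial transformation (case change, trailing digit or
symbol bump) of the previous secret, the "common transformations" case from
the Q-B05 answer.
"""
import re
import string

MIN_LEN = 8  # 800-63B: user-chosen memorized secrets are at least 8 characters
# (the spec also asks verifiers to accept at least 64, so no maximum is enforced)

# Constructed, deliberately tiny blocklist; a real one is a breached-password corpus.
BLOCKLIST = {"password", "123456", "12345678", "qwerty", "letmein",
             "welcome", "iloveyou", "monkey", "dragon"}

_STRIP = string.digits + string.punctuation + string.whitespace


def normalize(secret: str) -> str:
    """Lower-case and drop leading/trailing digits, symbols and spaces.

    'Summer2023!', 'SUMMER2024!!' and 'summer' all normalise to 'summer'.
    """
    return secret.lower().strip(_STRIP)


def _repetitive_or_sequential(secret: str, n: int = 4) -> bool:
    """n repeats of one char ('aaaa'), or n chars stepping by exactly +1/-1 ('1234', 'dcba')."""
    if re.search(r"(.)\1{%d,}" % (n - 1), secret):
        return True
    codes = [ord(c) for c in secret.lower()]
    for i in range(len(codes) - n + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + n - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def is_trivial_variant(new: str, old: str) -> bool:
    """True when new and old share the same normalised core (heuristic, not NIST's rule)."""
    core_new, core_old = normalize(new), normalize(old)
    if not core_old:
        return new.lower() == old.lower()
    return core_new == core_old or (len(core_old) >= 4 and core_old in core_new)


def validate(secret: str, *, username: str = "", service: str = "",
             previous=None) -> list:
    """Return the list of reasons to reject; an empty list means accepted."""
    reasons = []
    if len(secret) < MIN_LEN:
        reasons.append("too short")
    if secret.lower() in BLOCKLIST or normalize(secret) in BLOCKLIST:
        reasons.append("blocklisted")
    if _repetitive_or_sequential(secret):
        reasons.append("repetitive or sequential characters")
    low = secret.lower()
    if any(ctx and ctx.lower() in low for ctx in (username, service)):
        reasons.append("contains username or service name")
    if previous is not None and is_trivial_variant(secret, previous):
        reasons.append("trivial variant of previous secret")
    return reasons


if __name__ == "__main__":
    cases = [("Password1!", {}),
             ("Summer2024!", {"previous": "Summer2023!"}),
             ("oyster lantern quartz 91", {"previous": "Summer2023!"})]
    for secret, kw in cases:
        print(repr(secret), "->", validate(secret, **kw) or "accepted")
```

Note how `Password1!` satisfies every classic composition rule and is still rejected, while the spaced passphrase passes with no symbol or digit requirement; the previous-secret comparison is the event-driven part of B05 and only runs when a change is actually being forced.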

Some random thoughts on this topic:

  1. I use Dashlane for all logons EXCEPT financial sites (banks etc.) which I (a) remember and (b) have recorded in a safe place. No objection to LastPass etc. I just got to Dashlane first thanks to David Pogue.
  2. I never use the same password twice.
  3. Most passwords are composed of a string of memorable words. I keep a list of password in an online (password protected) file in code form, e.g., “town of birth” + “best friend’s nickname” (don’t use either in reality), so that I can easily reconstruct the password but almost no one else can.
  4. Most of the time one is forced to use an e-mail address as user id. I have an address which does not include personal information. Otherwise I never use the same user id twice.
  5. I don’t bother too much about computations of password “strength”. When passwords are at least 16 characters I feel I’m pretty safe.
  6. Composition rules are counter-productive and reveal the ignorance of the web site managers.
  7. Being forced to change passwords regularly is equally counter-productive (I’m looking at you www.socialsecurity.gov).

2 Likes

I like your approaches, they seem very thorough, except perhaps #1. Hopefully you select “memorable” passphrases with sufficient entropy; maybe you have a really good memory. I’ve considered maintaining two different password vaults to provide an additional layer of security, but the complexity seems more than I want to pursue.

I do like the idea of writing down passwords vs a password vault, which limits exposure to online attacks. Each approach has different vulnerabilities. The main challenge to writing-down is user diligence. Some people I know write down passwords of about 12 chars or so, with not-great entropy. The second problem is managing the volume of passwords. And higher entropy pwds become much less convenient to manually enter.

A large unknown is the security of the sites that authenticate your login. Obviously storing salted password hashes is too much trouble for many (most?) sites. So if you have any pattern to your passwords, the pattern could be inferred from leaked passwords – especially if the pwd is connected to your identity. (I appreciate that’s not that likely)

Saguaro,
Just following up…
On my first item, the passwords I memorize are around 20 characters long and do not include dictionary words. There are very few of them and I use them every day so it really isn’t a difficult feat of memory. I used Steve Gibson’s Password Haystacks tool to check that the entropy is sufficiently high.
I agree that one has no idea about the security of the sites one logs on to but I trust that using unique user ids and unique, long, passwords is the best defense.

1 Like

Will be a lot more inconvenient having your identity stolen. Would rather be inconvenienced with a password manager and 2FA.

1 Like