2011-08-26, 10:35 PM
2011-10-19, 11:30 PM
2012-01-23, 05:51 AM
Although I enjoyed and benefited from your overall Tutorial, I have to disagree with the uber-strong password advice, because as you say, you have to write them down and then carry a piece of paper with you.
This means that if you are ever mugged or lose your wallet or whatever, not only do you lose access to your sites (unless you have multiple copies, also multiplying the chance of them being stolen), you also just gave access to whoever has them now.
You personally may be very careful not to carry anything that would tell the mugger what sites the PW's are for, but most people would have the Username/website listed with it, and most people that use Uber-PW's write the PW's on a post-it and stick it on the monitor or in the top desk drawer anyway. So while it may work for you, most would lose security if they tried it.
If you look around, you will find several good articles that have recently been written on Best Practices for password security, and they pretty much all agree that it has to be able to be remembered by the user, or it isn't secure.
Yes, you can use the password manager programs, but then you are limited to where you can log in from, and if you have breach on one of those devices, you may lose ALL your details in one fell swoop.
(with keyloggers and other monitoring software being common, for both computers and smartphones, even an uber-PW won't keep you safe from all attacks, and since writing it down opens up a wide attack vector, it greatly reduces the actual security.)
The current recommend Best Practice seems to be a long random string of words that is easy to remember, but has nothing to do with your life. Adding some un-related numbers and symbols increases it exponentially.
Also, you have to remember that a lot of people are logging in via a mobile device, where entering a long random string of Upper and lower and Alt characters is a major pain, and thus they are likely to shorten such a string.
A series of words with just a Cap at the beginning and maybe a few symbols/numbers salted in it is easy to remember and type, but practically impossible to hack.
On latest myBB install, which will have some sensitive patient/client data on it, I have it set to require 8 characters, including a number and a non-word/non-numeric character (!@#$%^&*()<>?,./;':"[]{} etc).
(I have always hated upper-case rules!
One of the most important things is not to re-use the same PW across multiple sites, because if you are using it at one that gets hacked, they now have your access info for all the others, which may be more important.
I good method for this would be to use the same base password as discussed above, and then modify it for each site, maybe taking the 2nd-4th characters of the site URL and adding them in the middle of your base PW, or something like that. Then you can still remember it, even though it is different for each site.
Most people don't get hacked, and they look at uber-PWs with fear and hatred because they are a pain to enter, not to mention remember or store or write down, and so they use the 25 most common PW's and hope they don't get hacked.
Those that have been hacked and lost business, lost websites, lost accounts, lost money and lost loads of time put higher value on security, but you have to find some middle ground for the average user. (or even the average Admin...)
I have implemented some of your other suggestions and tips, so I thank you for them!
Ben~
This means that if you are ever mugged or lose your wallet or whatever, not only do you lose access to your sites (unless you have multiple copies, also multiplying the chance of them being stolen), you also just gave access to whoever has them now.
You personally may be very careful not to carry anything that would tell the mugger what sites the PW's are for, but most people would have the Username/website listed with it, and most people that use Uber-PW's write the PW's on a post-it and stick it on the monitor or in the top desk drawer anyway. So while it may work for you, most would lose security if they tried it.
If you look around, you will find several good articles that have recently been written on Best Practices for password security, and they pretty much all agree that it has to be able to be remembered by the user, or it isn't secure.
Yes, you can use the password manager programs, but then you are limited to where you can log in from, and if you have breach on one of those devices, you may lose ALL your details in one fell swoop.
(with keyloggers and other monitoring software being common, for both computers and smartphones, even an uber-PW won't keep you safe from all attacks, and since writing it down opens up a wide attack vector, it greatly reduces the actual security.)
The current recommend Best Practice seems to be a long random string of words that is easy to remember, but has nothing to do with your life. Adding some un-related numbers and symbols increases it exponentially.
Also, you have to remember that a lot of people are logging in via a mobile device, where entering a long random string of Upper and lower and Alt characters is a major pain, and thus they are likely to shorten such a string.
A series of words with just a Cap at the beginning and maybe a few symbols/numbers salted in it is easy to remember and type, but practically impossible to hack.
On latest myBB install, which will have some sensitive patient/client data on it, I have it set to require 8 characters, including a number and a non-word/non-numeric character (!@#$%^&*()<>?,./;':"[]{} etc).
(I have always hated upper-case rules!
One of the most important things is not to re-use the same PW across multiple sites, because if you are using it at one that gets hacked, they now have your access info for all the others, which may be more important.
I good method for this would be to use the same base password as discussed above, and then modify it for each site, maybe taking the 2nd-4th characters of the site URL and adding them in the middle of your base PW, or something like that. Then you can still remember it, even though it is different for each site.
Most people don't get hacked, and they look at uber-PWs with fear and hatred because they are a pain to enter, not to mention remember or store or write down, and so they use the 25 most common PW's and hope they don't get hacked.
Those that have been hacked and lost business, lost websites, lost accounts, lost money and lost loads of time put higher value on security, but you have to find some middle ground for the average user. (or even the average Admin...)
I have implemented some of your other suggestions and tips, so I thank you for them!
Ben~
2012-02-06, 12:25 PM
2012-02-06, 12:35 PM
2012-02-07, 12:56 AM
2012-02-12, 05:12 AM
Thanks bro gonna try this out
2012-04-19, 10:40 AM
2012-04-19, 06:57 PM
2012-04-21, 10:21 PM