
The Advantage Of 'Strong' Passwords

27 replies to this topic

#1 shadragon

    Tech Admin

  • Premier Member
  • 3,055 posts
  • Location:On De Island...
  • Gender:Male
  • Cert Level:MSD / DM / Solo
  • Logged Dives:534' ish

Posted 13 December 2008 - 09:29 AM

While this is not directly linked to this board, I did have a question on passwords from a user I thought would be beneficial for everyone to see.

It regards 'Strong' passwords or passwords that will be harder to crack. Everyone should know what a password is at this point. It protects you from someone else logging on as you and using your account or info. With on-line banking becoming more prevalent, the damage someone can do by breaking your password is obvious.

Most people use 'weak' passwords. These are things that are easily guessed like your phone number (all numbers), a pet's name or a common word found in the dictionary. Let's discuss a few things that will help you.

Password Length

I will only use numbers as a quick example. If you have a single character password, I have a 1 in 10 chance of guessing it as there can only be 10 possibilities (0 - 9).

With two numbers it becomes a 1 in 100 chance (10 x 10)
With three numbers it is 1 in 1000 (10 x 10 x 10)
With four numbers it is 1 in 10000 (10 x 10 x 10 x 10)
...etc.

So as you can see, the longer the password the more time it will take to go through all the combinations. This is the same with letters. If I only use lower-case letters (a - z) then it is a 1 in 26 chance for each character.

With two letters it becomes a 1 in 676 chance (26 x 26)
With three letters it is 1 in 17576 (26 x 26 x 26)
With four letters it is 1 in 456976 (26 x 26 x 26 x 26)
...etc.

Use Multiple Character Types

Passwords can use numbers, special characters (#$%... etc.) and upper and lower case letters to form passwords. When they are all used together the combinations quickly rise and make it improbable that anyone can guess what you used.

There are password generators that make random passwords like tDI"60Hs7Q. The biggest objection people have to these 'strong' passwords is that they are so weird they have to write them down to remember them, and this is a valid observation. However, you can easily use all character types in a password and still make it usable. My best example is:

start with a simple word or phrase like: superman

add a special character at some point: superman#

capitalize the first part of the word: SUPerman#

...and replace a single character with a number: SUP4rman#, and you now have a strong password that is both easy to remember and fast to type in.

OR

Take two unrelated words like tough and ladle

put them together: toughladle

add a special character: tough$ladle

make use of a few capital letters: tough$LADLE

and add a number: 8tough$LADLE

OR

Use a phrase like "Dogs and Cats always fight when you put them both together" and take the first letters of each word: DaCafwyptt

Then add a special character and number and you have your password.

I hope this helps answer some of the questions and helps you understand the need for strong passwords in your daily life.

There are many ways to do it so that you can remember them easily.

In depth article here
Remember, email is an inefficient communications forum. You may not read things the way it was intended. Give people the benefit of the doubt before firing back... Especially if it is ME...! ;)

Tech Support - The hard we do right away; the impossible takes us a little longer...

"I like ponies on no-stop diving. They convert "ARGH!! I'M GOING TO DIE" into a mere annoyance." ~Nigel Hewitt
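The "Password Length" and "Use Multiple Character Types" sections above reason with products such as 10 x 10 x 10 x 10 and 26 x 26 x 26 x 26. The script below is an added example, not part of the original post: it generalises that arithmetic to any password and walks through the post's own 'superman' and 'toughladle' build-ups step by step. The guess rate and the choice of Python's `string.punctuation` as the 'special' class are assumptions.

```python
"""Quantify the brute-force search space behind the post's password advice.

Generalises the post's 10 x 10 x ... and 26 x 26 x ... products to any
password, then applies it to the post's own transformation sequences.
"""
import string

# Character classes as the post lists them. Which symbols count as 'special'
# is an assumption here: Python's string.punctuation (32 printable symbols).
CLASSES = {
    "digits": set(string.digits),            # 10
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "special": set(string.punctuation),      # 32
}


def classes_used(password: str) -> set:
    """Names of the character classes the password draws from."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes that covers the password.

    A brute-force search that knows only which classes were used must try
    every string over this alphabet, so this is the per-position factor in
    the post's 10 x 10 ... and 26 x 26 ... products.
    """
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet (size ** length)."""
    return alphabet_size(password) ** len(password)


def expected_seconds(password: str, guesses_per_second: float) -> float:
    """Mean time to find the password at a given guess rate.

    On average the correct candidate turns up halfway through an exhaustive
    search, hence the division by two.
    """
    return keyspace(password) / 2 / guesses_per_second


def walk_steps(steps):
    """Report (password, classes, keyspace) for each step of a build-up."""
    return [(pw, sorted(classes_used(pw)), keyspace(pw)) for pw in steps]


# The post's own worked sequences, quoted from the original post.
SUPERMAN_STEPS = ["superman", "superman#", "SUPerman#", "SUP4rman#"]
LADLE_STEPS = ["toughladle", "tough$ladle", "tough$LADLE", "8tough$LADLE"]

if __name__ == "__main__":
    # Assumed guess rate for an offline attack against a fast hash. The
    # absolute number is a guess; the ratios between the rows are not.
    rate = 1e9
    for seq in (SUPERMAN_STEPS, LADLE_STEPS):
        for pw, classes, n in walk_steps(seq):
            years = expected_seconds(pw, rate) / (365 * 24 * 3600)
            print(f"{pw:14} {'+'.join(classes):28} {n:12.3e}  ~{years:.2e} years")
        print()
```

Each added class roughly multiplies the per-character alphabet, while each added character multiplies the whole keyspace, which is why the post's last step (adding a character) helps more than the capitalisation step does.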

#2 WreckWench

    Founder? I didn't know we lost her!

  • Owner
  • 47,033 posts
  • Location:Miami, Ft. Lauderdale & Dallas, TX
  • Gender:Female
  • Cert Level:DM
  • Logged Dives:4000+

Posted 13 December 2008 - 09:43 AM

Simon, this is extremely helpful...especially the part about how to CREATE a strong password!

Another tip I was given was to use a non-real word. That way the computer cannot run a dictionary against your account to break into it.

Contact me directly at Kamala@SingleDivers.com for your private or group travel needs or 864-557-6079 AND don't miss SD's 2018-2021 Trips! ....here! Most are once in a lifetime opportunities...don't miss the chance to go!!
SD Forms & Documents.... here !

Click here TO PAY for Merchandise, Membership, or Travel
"Imitation is the sincerest flattery." - Gandhi
"Imitation is proof that originality is rare." - ScubaHawk
SingleDivers.com...often imitated...never duplicated!

Kamala Shadduck c/o SingleDivers.com LLC
2234 North Federal Hwy, #1010 Boca Raton, FL 33431
formerly...
710 Dive Buddy Lane; Salem, SC 29676
864-557-6079 tel/celfone/office or tollfree fax 888-480-0906

#3 secretsea18

    I spend too much time on line

  • Member
  • 1,007 posts
  • Location:NYC when not diving!
  • Gender:Female
  • Cert Level:AOW
  • Logged Dives:1062

Posted 13 December 2008 - 09:44 AM

Simon,
While your point is well taken, how do you remember each and every one of your "strong" passwords when you have over a hundred of them???
Upcoming trips: July 2010 Halmahera-Sulawesi on Mandarin Siren, + Lembeh, Indonesia !!; September 2010 Sydney, Australia; September 2010 Boston; October 2010 Atlanta -Road Warrior Training!; November 2010 Anilao, Philippines!; December 2010 Cabo San Lucas, Mexico; Feb 2011 Philippines Cebu - mission- + Anilao!!; April 2011 Puerto Rico - for a meeting - double wow!; April 2011 Chicago

#4 shadragon

    Tech Admin

  • Premier Member
  • 3,055 posts
  • Location:On De Island...
  • Gender:Male
  • Cert Level:MSD / DM / Solo
  • Logged Dives:534' ish

Posted 13 December 2008 - 11:07 AM

While your point is well taken, how do you remember each and every one of your "strong" passwords when you have over a hundred of them???

I work in senior roles as an IT Manager and it is not without exaggeration when I say I have at least 35 - 40 active work passwords in my brain at any given time. I do use a few tricks though to cut down on the noodle scratching. :dancing:
For example, on a file or FTP server exposed to the Internet I definitely use a strong password for the root account. The best ones are phrases with random letter/number combos. However, I make sure the phrase is related to that server for easy recall. If I spent a weekend working on that particular server for some issue I can use "blasted Server cost me a weekend with a Cute Redhead" (!bScmawwaCR!). I added a few exclamation points and there it is; tough to guess, but easy to remember.

For something behind a secure firewall I would use the 'two word' style password I described above. On a senior management data folder I used 4BiGWiG$, in sales/marketing I used LotsHotAir?? or something like that. WW is right, you should use non-dictionary words as well. Foney instead of Phoney, Tcheeze instead of Cheese, etc. It is not hard to do if you think about it. :thankyou:

You can use common passwords between several areas, but take care not to do that too much. Your on-line banking password should not be the same as your email password (which is usually broadcast in the clear on the Internet), for example. Hope that helps...

#5 peterbj7

    I spend too much time on line

  • Premier Member
  • 2,068 posts
  • Location:San Pedro (Belize) & Oxford (UK)
  • Gender:Male
  • Cert Level:Instructor
  • Logged Dives:over 4000

Posted 13 December 2008 - 11:26 AM

I always use the same passwords for several applications. That said, I have a standard collection of five or six, all of them generated roughly as Simon suggests, and I defy anyone to guess them. I also drop certain passwords periodically and replace them with fresh ones. This way I can remember these passwords and don't have to write them down anywhere. I use far more complex and unpredictable ones for sites that have financial implications than I do for straightforward chat areas, like this one. The complex ones are made up of acronyms that mean something to me but won't to the majority of people, usually in pairs with numbers and other characters embedded.

For some years I worked developing new computer systems for a government department. I had fundamental and public disagreements with the policy setters for computer security, and this was one reason I finally left. Not only was the password randomly generated (once weekly for relatively insensitive applications, daily for more critical ones) but so was the user id. And each was at least 16 characters. This was done for each of the several applications a typical person would have to access. No-one had a hope of remembering these access codes, and universally they were written down. It was common to write the user id on a post-it and stick it on the side of the monitor, and to write the password on another post-it and put it into a desk drawer. This was the practice of staff at all levels, from junior clerks all the way up to directors.

My stance, which I got into trouble for constantly re-iterating and for mentioning outside the department, was that the user ids had no embedded security and people should be allowed to use their names, and that they should be allowed to choose their own passwords, under the sort of guidance that Simon has given. Otherwise the system was as secure as the piece of paper the access info was written on, or the computer systems supervisor who had access to all the information.

I was even threatened with prosecution under draconian Official Secrets legislation when I reported this overall practice to our external auditors, in an effort to force a change. That never happened, but that is when I resigned. They were quite happy with what they were doing and didn't need someone like me.

Since divulging that there had been a security breach was itself an Official Secrets offence, no-one had any idea how often sensitive systems were penetrated by inappropriate people, and the extent of any financial or security losses. It was an offence to tell the external auditors, which of course makes a mockery of the audit process. But the whole system was designed to enable inefficient and ineffectual people to shelter behind, not to provide any actual security. To put this in perspective, one of the systems I was concerned with recorded amongst other things the nature and exact location of critical items of equipment to a total value of several billion dollars.

Just writing this could get me into trouble if I were back home.

#6 shadragon

    Tech Admin

  • Premier Member
  • 3,055 posts
  • Location:On De Island...
  • Gender:Male
  • Cert Level:MSD / DM / Solo
  • Logged Dives:534' ish

Posted 13 December 2008 - 03:38 PM

Since divulging that there had been a security breach was itself an Official Secrets offence, no-one had any idea how often sensitive systems were penetrated by inappropriate people, and the extent of any financial or security losses.

Ahh, the OSA... What a lovely document that is. 10 years in jail and $100,000 fine per offense. :P

#7 Scubatooth

    I spend too much time on line

  • SD Partners
  • 2,678 posts
  • Location:Dallas / Plano, TX & Houston / Baytown, TX
  • Gender:Male
  • Board Status:Saving Lives!
  • Cert Level:Rec: DM -- Tec: Ext Range
  • Logged Dives:500+

Posted 13 December 2008 - 04:07 PM

Simon

Very good advice to give out. I do very close to the same thing, except that I use a strange but very hard to crack method of building passwords. Now I have a couple of levels of passwords. I have simple ones that I use for non-secure, non-sensitive places like here on SD. Those aren't easy to crack unless you know me very very very very well. There are a couple of areas in between where I make the passwords complicated to the point where brute-force cracking will take a very long time and not be worth the effort. Now with my top level passwords I drive security specialists nuts, because the odds of one being cracked are very very x 500 low. Here is an example of a password I use:

1. Take a word in English, for example "Red October", like the Tom Clancy book "Hunt for Red October".

2. Translate the word in English to a foreign language that isn't that common. Let's use Russian, so Red October translated (with English reversal) comes out as Red Octobra.

3. Third step is to misspell a word in the phrase in that foreign language, so "Red Octobra" becomes "Rde Octabre".

4. Fourth and final step is to alphanumeric everything, so "Rde Octabre" now becomes "Rd8 0(zero)cta6r8". Now you have a very secure password.

Now this is just an example; my passwords are much longer and more complicated than this, and I use very uncommon languages and dialects for translation to complicate things even further. At minimum my secure passwords are 15 characters and a minimum of 5 numbers. Have I confused you all yet?

My dad and I have had security specialists from Fortune 50 companies try to break these passwords and they have given up because they didn't have enough time, energy, dictionaries, or cracking power to break them. How 'bout them apples.

A Novus Dies Has Adveho.... Occupo Dies

Where in the World is Tooth? ... Catch Me It You Can!

Traveling the World, Diving, and Photography, on my days off from saving lives as a Paramedic


#8 Latitude Adjustment

    I spend too much time on line

  • Premier Member
  • 2,658 posts
  • Location:Work in and live near Lakehurst, NJ
  • Gender:Male
  • Cert Level:EanX
  • Logged Dives:600+

Posted 13 December 2008 - 04:49 PM

Simon,
While your point is well taken, how do you remember each and every one of your "strong" passwords when you have over a hundred of them???



For online banking and shopping I use a word common to me that is not in the dictionary, then substitute numbers and characters for the letters, then enclose it in something ("1e++er5"), and leave a clue to each in my favorites.
I, Latitude Adjustment (insert log in name), do hereby swear, (politely), that I shall not hold SingleDivers, (SD), nor any SD poster, (real or imagined), liable, nor shall I seek legal restitution, (real or imagined), for any perceived, (real or imagined), offenses I may incur, (or Incurrrrrrrrrr on talk like a pirate day), that may or may not be posted on this or any SCUBA related board, (real or imagined), by anyone, (real or imagined), anywhere, (real or imagined). Further, I void any right to privacy, (real or imagined), as it may, or may not relate to any posting, (real or imagined), about me, to me, for me, because of me, all about me, my dog, my cat, my bird, my monkey, my family, (real or imagined), my friends, (real or imagined), or my world, (real or imagined).

By all that is wet, I do hereby swear, (politely), and attest, upon pain of never diving again, (real or imagined), that I understand and affirm, that I agree to the above.

_________________________________________(log in name signature)
Signed and Dated

#9 Scubatooth

    I spend too much time on line

  • SD Partners
  • 2,678 posts
  • Location:Dallas / Plano, TX & Houston / Baytown, TX
  • Gender:Male
  • Board Status:Saving Lives!
  • Cert Level:Rec: DM -- Tec: Ext Range
  • Logged Dives:500+

Posted 13 December 2008 - 05:16 PM

Robin

I think Simon might be slightly dyslexic, which, as much as it is a problem, also has its good sides in that dyslexics (raises hand) have a penchant for useless trivia and remembering lots of oddball items and facts as a compensating mechanism. It's like how at work I practically have our whole ground and air protocols memorized almost verbatim, including very complicated formulas for some of the med drips we haul. Because of this I have been given the name booksmart because of how much I read and the odd ways I retain it.

Tooth



#10 Bubbles

    I spend too much time on line

  • Member
  • 1,380 posts
  • Location:Hartford, CT
  • Gender:Female
  • Cert Level:Advanced Open Water, Nitrox
  • Logged Dives:400-ish

Posted 13 December 2008 - 09:28 PM

I work in senior roles as an IT Manager and it is not without exaggeration when I say I have at least 35 - 40 active work passwords in my brain at any given time. I do use a few tricks though to cut down on the noodle scratching. :P

I too work in an IT Manager role, but lucky for me I don't have to remember quite as many passwords. We have implemented this really great Single Sign On (SSO) application in our hospitals which has eliminated the need for remembering a majority of passwords. Most of the applications that are not SSO driven use Active Directory authentication, but I still need to remember at least a dozen for work. Then on top of that I have all my personal online accounts, and most of them do not support strong passwords. I don't get quite as creative as shadragon and Scubatooth on my passwords. Most of them are variations on my pet's names with special characters, capitalization and numbers thrown in. Even though I start with three base words, I still get them confused from time to time.
"If life gives you limes, make margaritas." Jimmy Buffett

#11 Scubatooth

    I spend too much time on line

  • SD Partners
  • 2,678 posts
  • Location:Dallas / Plano, TX & Houston / Baytown, TX
  • Gender:Male
  • Board Status:Saving Lives!
  • Cert Level:Rec: DM -- Tec: Ext Range
  • Logged Dives:500+

Posted 13 December 2008 - 10:03 PM

Bubbles

Not all of my passwords are like that, only the ones that really need to be secure, and those are my credit card(s), bank(s), professional license(s), education records, and client and model records. I do this because of the sensitive data in those profiles. In some of my accounts there are triple challenge numbers via a special key fob, which really makes things interesting when I forget to bring it with me. The rest of my passwords ratchet back a notch or three to simple alphanumerics. Then there are my online bulletin boards and networking sites, and there the passwords are down to 8 characters or less and may or may not have numbers attached, but then again I have a password manager for these types of sites on my laptop, and that requires my fingerprint to get access to, so there is a bit of protection. Since this thread just popped up I went and looked at my password list and found out that it's over 900 entries deep and less than 15% of the entries have common passwords or usernames. Now that's scary; thank goodness for that password program.

At work it's a totally different story. Our IT guy is an ex-black hat hacker (illegal hacker) turned white hat hacker (security specialist that looks out for you) that believes in very strong passwords, so they are 10 character alphanumeric and no password can be reused in a 5 year period, and there are regular brute force security audits. There are items that aren't allowed for passwords, like any part of your name, birthdate, certification numbers, drivers license or passport, and they are changed every 30 days through our network log in. I really have to get creative with those passwords; it's a pain to come up with them as they're borderline my top tier passwords. Then again this is necessary for the data we handle through our accounts due to the electronic charting, which if leaked would be a HIPAA violation, and they are not cheap and are career killers.



#12 Bubbles

    I spend too much time on line

  • Member
  • 1,380 posts
  • Location:Hartford, CT
  • Gender:Female
  • Cert Level:Advanced Open Water, Nitrox
  • Logged Dives:400-ish

Posted 13 December 2008 - 10:13 PM

Then again this is necessary for the data we handle through our accounts due to the electronic charting which if leaked would be a HIPAA violation and they are not cheap and are career killer.

Yeah...that HIPAA stuff can be a real pain in the butt! Do you know which group gives us the hardest time with password rules compliance....the physicians. I know we have several MDs that participate in this board and maybe they can give me some insight on this. Every time I sit down to review new/upgraded computer applications with our MDs they complain about remembering their passwords. How can they remember all these complex diagnoses and their associated treatments, but a computer password throws them into a tailspin?

#13 Scubatooth

    I spend too much time on line

  • SD Partners
  • 2,678 posts
  • Location:Dallas / Plano, TX & Houston / Baytown, TX
  • Gender:Male
  • Board Status:Saving Lives!
  • Cert Level:Rec: DM -- Tec: Ext Range
  • Logged Dives:500+

Posted 13 December 2008 - 10:21 PM

Bubbles - That would be the mega-god dysfunction: anything that doesn't make things easy for them isn't necessary. Maybe you should remind them of the criminal and civil penalties for failure to comply; that should make most of them have a pucker factor of 50. Then again what do I know, I'm just a lowly paramedic (don't you dare call me an ambulance driver), what could I possibly know?

If I can nearly memorize verbatim 800 pages of protocols then remembering a password should be a breeze for a doctor, but I won't hold my breath.



#14 Landlocked Dive Nut

    I need to get a life

  • Inactive
  • 6,543 posts
  • Location:Kansas City, MO
  • Gender:Female
  • Cert Level:SSI Master Diver
  • Logged Dives:448

Posted 13 December 2008 - 10:44 PM

Simon, I appreciate the info you've provided. It gave me some insight into how I can increase my security without driving myself crazy! I will have to change some of my passwords into a "tiered" system like what ScubaTooth was talking about. Right now, the majority of my passwords (both work & home) are all the same, and I can make them more complex very easily. My financial data password(s) have always been the more complex ones, but can still be improved using your methods.

Thanks!

#15 shadragon

    Tech Admin

  • Premier Member
  • 3,055 posts
  • Location:On De Island...
  • Gender:Male
  • Cert Level:MSD / DM / Solo
  • Logged Dives:534' ish

Posted 14 December 2008 - 08:02 AM

I think simon might be slightly dyslexic

I an NOT slighyl delexic... :teeth:

:P

I do have an eidetic memory and that does help a lot.

Foreign words are excellent password bases too. Any password can be broken. Same as encryption. You can delay access to the file, but not stop it completely. You should change passwords at least every year in non-urgent areas. :tears: