
03-12-2001, 11:18 PM
|
|
Aspiring Evangelist
|
|
Join Date: Dec 2000
Posts: 371
|
|
I have read that using non-alphanumeric characters can make a password much more difficult in a brute-force attack.
So I added a $ at the end. Then I got to thinking. If the brute-force approach is one of simple iteration, a dollar sign at the end may succumb fairly soon.
The question is: Does position make a difference for placing an uncommon symbol in the password?
Gary
|

03-12-2001, 11:22 PM
|
|
Aspiring Evangelist
|
|
Join Date: Jul 2000
Posts: 382
|
|
Yes, it certainly does. With the high-powered CPUs there are today, passwords are getting hard to manage. Having "sparky" as your password can no longer suffice. Now root passwords have to be something like "H9cEk$m0". That is a good password.
I actually run a program called "pgen" which simply generates a random password, e.g.:
2ivdz9zr: 2 ignorant vultures dimly zap 9 zany rabbits
8fiolapx: 8 fast iguanas openly liberate active purple xenops
1dux8azc: 1 dumb unicorns xerophytically 8 active zany cats
lmpng2yd: laughing magical penguins nimbly greet 2 yellow dogs
wfnad9gl: warm fast newts actively divide 9 green lions
These types of random passwords are used for anything and everything. They have proven to be most secure.
|

03-13-2001, 01:34 AM
|
|
Retired Moderator
|
|
Join Date: Jan 2001
Posts: 2,603
|
|
My last root password was 4a@ws8k$dF(8Rd and before that it was 8W)mTs4}dH1f. Any passwords with less entropy than those are dangerous.
Now, if your (encrypted) password list is secure, then you're reasonably safe: any attempt to break your passwords will have to go through normal authentication, which (hopefully) will trigger a warning pretty quickly.
On the other hand, if your encrypted password list is readable (which could result from any number of security holes discovered over the past decade) the security of your machine depends upon how much computational power the attacker has available. Given that a modern PC could test about 1E10 possible passwords per day, to be "secure" a password should really have at least 55 bits of entropy.
If your passwords consist of random lower-case letters, this requires a password 12 characters long. If you use upper and lower case characters, your password should be 10 characters long. If you use all the symbols available on a standard keyboard, your password should be at least 9 characters long.
Naturally, since even the "hit keys at random" approach to creating passwords isn't entirely random, you should really add at least 3-4 characters beyond the values I just gave.
Incidentally, this means that old systems which use only the first 8 characters of a password make it impossible to have secure passwords... UPGRADE THOSE SYSTEMS!
|
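The arithmetic in the post above, worked through as an added example that is not part of the original thread. It takes the 1E10 guesses per day and the 55-bit threshold from the post; treating "all the symbols on a standard keyboard" as the 94 printable ASCII characters is an assumption, and the function names are illustrative.

```python
import math
import secrets
import string

GUESSES_PER_DAY = 1e10   # rate quoted in the post
TARGET_BITS = 55         # threshold quoted in the post

# Alphabets for the three cases in the post. Counting "all keyboard symbols"
# as the 94 printable ASCII characters is an assumption of this example.
ALPHABETS = {
    "lower": string.ascii_lowercase,
    "mixed": string.ascii_letters,
    "keyboard": string.ascii_letters + string.digits + string.punctuation,
}

def entropy_bits(alphabet_size, length):
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def min_length(alphabet_size, target_bits=TARGET_BITS):
    """Shortest uniformly random password reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def days_to_exhaust(bits, guesses_per_day=GUESSES_PER_DAY):
    """Days needed to try every candidate in a 2**bits keyspace."""
    return 2 ** bits / guesses_per_day

def generate(alphabet, length):
    """Draw each character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def report():
    """One row per alphabet: name, size, minimum length, bits, sample password."""
    rows = []
    for name, alphabet in ALPHABETS.items():
        n = min_length(len(alphabet))
        bits = entropy_bits(len(alphabet), n)
        rows.append((name, len(alphabet), n, round(bits, 1), generate(alphabet, n)))
    return rows

if __name__ == "__main__":
    for name, size, n, bits, sample in report():
        print(f"{name:9} alphabet={size:2} min_len={n:2} bits={bits:5} sample={sample}")
    # A system that keeps only the first 8 characters caps the entropy:
    capped = entropy_bits(94, 8)
    print(f"8-char cap: {capped:.1f} bits, {days_to_exhaust(capped):.2e} days to exhaust")
```

These figures hold only when every character is drawn uniformly at random; a dictionary word with one symbol appended has far less entropy than its length suggests.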

03-18-2001, 01:20 AM
|
|
Web Hosting Master
|
|
Join Date: Dec 2000
Location: Indianapolis, IN
Posts: 1,748
|
|
Does anyone know where I could find a program like pgen for Windows or, if pgen is for Windows, where I could find it?
Just need something that can make really good passwords and can work on Windows. If it's free it's better; if not, that's OK too.
|

03-18-2001, 02:18 AM
|
|
Web Hosting Master
|
|
Join Date: Aug 2000
Posts: 2,750
|
|
If you use passwords generated by a program, brute force becomes easier, even though the password looks more complicated to us. It's all a question of what kind of algorithm you are using to generate the password. I think the most secure password is the one you create, and change every week.
__________________
The Php Support Desk
http://www.phpsupportdesk.com
Custom programming - kunal @ e-phoria.com
http://www.pingzine.com - Ping!Zine. the FREE, FRESH and EXCITING Web Hosting Magazine...
|

03-18-2001, 02:37 AM
|
|
Web Hosting Master
|
|
Join Date: Jun 2000
Location: Southern California
Posts: 12,121
|
|
Don't listen to Kunal, we just keep him around here because he's good looking and thus he's a babe magnet for the board. I have a wonderful password keeper/generator that I can't remember where I got but it was freeware so I uploaded it for you.
It keeps 'em and generates 'em based on random, or specific patterns you set:
http://www.bytezilla.com/wht/whisper.zip
Ohhh, and by the way, listen to Kunal and change your passwords often.
__________________
HostHideout.com - Where professionals discuss web hosting.
• Chicken
|

03-18-2001, 02:41 AM
|
|
Web Hosting Master
|
|
Join Date: Aug 2000
Posts: 2,750
|
|
hmmmmm.... 
|

03-18-2001, 10:23 AM
|
|
Web Hosting Master
|
|
Join Date: Dec 2000
Location: Indianapolis, IN
Posts: 1,748
|
|
Thanks a lot, Chicken, just what I needed. A place to keep the info and make the passwords for me. Thanks a ton.
|