General Question

Secure internet passwords - at what point does it not matter any more?

Asked by elbanditoroso (33179points) April 21st, 2013

Assuming a person is not a total idiot – using a password like “password” or “user12345” or “abcdefg” – I wonder how much sense it makes to create these ever more complicated password combinations.

For example, my bank says – at least one upper case, at least one punctuation mark, at least one number .. so 32!!busRide would be OK. Other sites required things like BigRedRidingHood28B__ (again, combinations of punctuation and upper and lower case)

But I’m operating under the assumption that machines are doing most of the cracking of passwords. And a machine doesn’t particularly care about lower/upper/numeric characters – to a machine, those are all just ASCII characters (one of 128) and have no inherent meaning. If the algorithm is checking combinations, then one ASCII character is as meaningless as another.

So does it make any sense to do the hard-to-remember combinations noted above? Why not do something like A3333333333! ?

Is this another example of “security theater” where we think we are more secure but we really aren’t?

9 Answers

gorillapaws's avatar

@elbanditoroso The cracking programs are using dictionaries of millions of known existing passwords plus algorithms that manipulate the existing ones (substitute O’s for 0’s, 1’s for l’s etc.).

What they’re going to do is hack a low-security website (e.g. I just had to register a username and password for a photographer’s website) through an easy exploit and then crack all of the passwords in their database. From there they’ll try those same combinations of username and password on other sites like banks, email accounts, retirement fund accounts, etc. (since most people use the same username and password on all sites).

I use an app called 1password to manage and generate different random passwords for every login I have. I only have to remember the master password. I think there are free alternatives out there too. It’s a much more secure way to handle this. Here’s an example of a secure password it generates: Du3aWMWp6Lfp28k%.@ra[ioiKd I’ll never have to remember that or ever type it in anywhere, and if some hacker manages to crack that password it’ll be worthless to them because it’s used nowhere else on the internet.

zenvelo's avatar

Most of the systems I log into kick out my ID after so many failed attempts. So a mixing in of characters, numbers, and uppercase seems to get attacks to the point of blocking the log-on ID.

Mariah's avatar

I’ll just leave this here.

Basically, the main thing that matters is length.

elbanditoroso's avatar

@Mariah – that cartoon made my point far better than I did. Thanks

hearkat's avatar

We also use 1Password.

gorillapaws's avatar

@Mariah and @elbanditoroso you’re both right in that length is critical as cracking times increase exponentially. But something like A3333333333! is very insecure despite its length. Those kinds of passwords are checked for in modern password cracking tools very early (right after “abcdefg” and “password1234”) before moving on to other common ones like “ILoveBieber16”.

If anyone’s interested, here’s an article about how it’s done: How I became a Password Cracker. It’s moderately technical, but a smart reader should be able to follow along and get the gist of things.
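
Added example (not part of any poster's answer): a small password checker that compares the naive "length times character classes" estimate with the two pattern checks discussed in this thread, repeated characters and dictionary words behind look-alike substitutions. The `COMMON` list, the substitution table and the run threshold of 4 are assumptions made for illustration; a real checker would load a full leaked-password list.

```python
import math
import string

# Constructed sample list standing in for a real leaked-password dictionary.
COMMON = {"password", "abcdefg", "user12345", "ilovebieber", "letmein"}
# Undo the usual look-alike substitutions (0 for o, 1 for l, ...) before lookup.
UNLEET = str.maketrans("01345@$", "oleasas")
AFFIX = string.digits + string.punctuation

def brute_force_bits(pw):
    """log2 of the search space, assuming every character was picked at random."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def longest_run(pw):
    """Length of the longest stretch of one repeated character."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

def dictionary_base(pw):
    """Common password left after removing affixes and substitutions, or None."""
    low = pw.lower()
    for cand in (low, low.strip(AFFIX)):
        for form in (cand, cand.translate(UNLEET)):
            if form in COMMON:
                return form
    return None

def assess(pw):
    """Return (naive_bits, findings); any finding means the bit count is misleading."""
    findings = []
    if longest_run(pw) >= 4:  # assumed threshold
        findings.append("repeated-character run")
    base = dictionary_base(pw)
    if base:
        findings.append("common password: " + base)
    return round(brute_force_bits(pw), 1), findings

if __name__ == "__main__":
    for pw in ("A3333333333!", "P@ssw0rd1234", "ILoveBieber16", "32!!busRide"):
        print(pw, *assess(pw))
```

A password with a high bit estimate and a non-empty findings list is the case described above: it looks long and mixed, yet it matches a pattern that is tried early.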

mattbrowne's avatar

Too complicated passwords decrease security, because sooner or later they end up on a piece of paper.

MooHamEd's avatar

Choose a complex password and write it down. Stick on your non-computer sticky board or whatever you use to organise real stuff.

Turns out cybercriminals can’t read cork boards and physical criminals can’t associate words on a cork board with internet passwords.
