
(Naked Security) Security Protip: before being interviewed on TV, wipe passwords off whiteboard (nakedsecurity.sophos.com)
More: Dumbass, Graham Cluley, red team, tv crew, SOPHOS, passwords, Stephen Fry, screenshot

4092 clicks; posted to Geek on 24 Aug 2012 at 11:11 AM



33 Comments

Archived thread
 
2012-08-24 09:51:59 AM  
Of course I write down my password. The nerds in the IT closet make me change it every 6 weeks.
 
2012-08-24 09:53:33 AM  
Security Protip: Don't write your passwords down. If you must, write them somewhere discreet.
 
2012-08-24 10:10:39 AM  

Tr0mBoNe: Of course I write down my password. The nerds in the IT closet make me change it every 6 weeks.


I'd almost guess that was a joke, but I've seen places that do it every 30 days. It's a bit excessive. 90 days is recommended. Depends on the industry.
 
2012-08-24 10:47:35 AM  
When employees are forced to change their password often they will use easily guessed passwords. It's high time companies invested in other means for authentication that don't rely on passwords.
 
2012-08-24 11:03:49 AM  
Perhaps people should write their passwords down where no one will ever see it but them. Take your average IT guy, for example. If they're going to write down a password, they'll choose somewhere that only they will be guaranteed to ever see it. Their penis.
 
2012-08-24 11:04:37 AM  
I've got so many logins and passwords I HAVE to write them down. My little black book, in other words. It's either that, or use the same login and password for every program/website/computer I use which is just stupid.

Usually I just pick a random name from history and add a couple of numbers to it, e.g. Methuselah206. Who the hell is going to guess that?
 
2012-08-24 11:13:08 AM  

gopher321: Usually I just pick a random name from history and add a couple of numbers to it, e.g. Methuselah206. Who the hell is going to guess that?


I usually pick a random word from the dictionary. As far as I'm concerned, if they can guess "banana", then they've earned the right to my bank account.
 
2012-08-24 11:17:02 AM  

...but understandable. I've got at least twelve passwords for various systems at work, each of which requires me to change the password every 90 days; many of them don't allow any previously used passwords to be reused, and a few of the systems talk to each other to confirm you're not using the same password for multiple systems. I downloaded a password keeper app (which of course requires a password to enter) to help keep everything straight, but when I go into my coworkers' offices it's common to see a password or two written on a post-it note on the bottom of the screen.
 
2012-08-24 11:21:48 AM  
Phrases that are in front of me, like GreenTallLamp, then a number and a symbol, though not all sites let me do the symbol thing.
 
2012-08-24 11:28:45 AM  
Memes as passwords...

'Imnotsayingitwasaliens'
'thislooksshopped'
'theytoldmeIcouldbeanything'
'itsastreetlamp'
'brokeupwithTomCruise'
 
2012-08-24 11:31:58 AM  

gopher321: I've got so many logins and passwords I HAVE to write them down. My little black book, in other words. It's either that, or use the same login and password for every program/website/computer I use which is just stupid.

Usually I just pick a random name from history and add a couple of numbers to it, e.g. Methuselah206. Who the hell is going to guess that?


If the hackers are guessing, they're doing it wrong.

Longer is better, and hopefully whoever is storing the password is responsible about it.

/fark you, LinkedIn
 
2012-08-24 11:34:47 AM  
I just did an online password security training... gotta take it every year. I think just about everyone within a radius of 3 cubicles heard me mumble BS when I read that meat@35 is more secure than mycatsnameistimmy because the latter did not have any symbols.
 
2012-08-24 11:36:10 AM  
//caliente
 
2012-08-24 11:39:59 AM  
Lastpass

You're welcome.
 
2012-08-24 11:42:42 AM  
Try logging into a corporate bank account. Four different user-id or password fields including the last field, which requires you to enter your own password with one that you have to read from a token key (if you can find it).
 
2012-08-24 11:53:27 AM  

Saiga410: I just did an online password security training... gotta take it every year. I think just about everyone within a radius of 3 cubicles heard me mumble BS when I read that meat@35 is more secure than mycatsnameistimmy because the latter did not have any symbols.


Well, there are a lot of variables to the "how secure is it?" question. Does your attacker have access to your hash and therefore unlimited attempts to solve for it? Does your attacker know that you use only letters? Do you, in fact, have a cat named "timmy"?

Given a brute-force password cracker and nothing else, yes, more is better, typically without regard to complexity. Given an attacker with insider knowledge, though, complexity and obscurity wins the day. Though, ultimately, both will fail without adherence to proper security procedures such as safeguarding and aging.
 
2012-08-24 11:55:04 AM  
As the network admin, I have to remember dozens of passwords. If you can't remember 2-3 passwords you're an idiot. If any of the desktop support techs sees a written password on a post-it or hidden under the keyboard I've instructed them to lock the user's account immediately and change it.

Here's a tip: use sentences. For example, This1is2my3gmail4account5Password6. Really long, so it is very difficult to crack. Easy to remember.
 
2012-08-24 11:58:04 AM  

MusicMakeMyHeadPound: If the hackers are guessing, they're doing it wrong.


While true, it's good practice to avoid anything that a person with access to your Facebook page might be able to guess. For instance, if you are a member of a duck hunting club and Like (TM) Ducks Unlimited, a password such as "huntingducksiscool" may not be the wisest choice.
 
2012-08-24 11:59:32 AM  

WinoRhino: Here's a tip: use sentences. For example, This1is2my3gmail4account5Password6. Really long, so it is very difficult to crack. Easy to remember.


I like to use movie quotes. Example:

Andp1eased0ntc4llmeShirly
 
2012-08-24 12:08:16 PM  
That article also appears to be illustrating another common security failure, and this one isn't sitting behind the keyboard.

No human being would ever, ever, ever have chosen that random mishmash of a password. That suggests to me that the admin of this system is from the school of thought that says 'Users, left to their own devices, choose shiatty passwords. I do not want shiatty passwords. Therefore, I will not allow users to choose their passwords. I will randomly generate uncrackably-complex passwords and assign them to the users.'

The result is that the user is issued a string of characters that he or she is required to use on a daily basis, and that he or she is never going to be able to memorize in a million years. And the inevitable result is that he or she writes the password down.

At which point the admin will blame the user for poor password security.
 
2012-08-24 12:15:52 PM  

Tom_Slick: WinoRhino: Here's a tip: use sentences. For example, This1is2my3gmail4account5Password6. Really long, so it is very difficult to crack. Easy to remember.

I like to use movie quotes. Example:

Andp1eased0ntc4llmeShirly


I do the same thing! Only I use quotes from pron movies.

0h0h0hyeahb@bydoitdoitdoit
 
2012-08-24 12:23:23 PM  

KickahaOta: That suggests to me that the admin of this system is from the school of thought that says 'Users, left to their own devices, choose shiatty passwords


He's right.

Have you ever run an audit on user passwords in an organization? My experience has always been that > 25% of passwords are weak enough to be broken by tools like Cain or l0phtcrack in less than 48 hours.

KickahaOta: At which point the admin will blame the user for poor password security.


With the exception of a few more sensitive users, I have no problem with people writing down their passwords. However, they are clearly told that they are entirely responsible for the physical security of that password, and they are responsible by policy for the implications of it being misused if it's lost or stolen, so they had better damn well lock it up if they write it down.
 
2012-08-24 12:28:01 PM  
Back when I was an Admin I developed a system that 1) allows you to "write" down the password, 2) lets you change the password, and 3) is not easily crackable by someone "seeing" the password.

Write up a grid like a number keypad, assigning 3 random letters to each part of the grid.

X3k 4nZ e&s

evS qDF Wx6

Az2 4bJ Sq6

You then make up a password by remembering the positions on the grid, such as 4nZ evS 4bJ Sq6 Wx6.

You could theoretically store the numeric equivalent to these in a safe somewhere if you have to have a backup.
 
2012-08-24 12:28:45 PM  

SnarfVader: When employees are forced to change their password often they will use easily guessed passwords. It's high time companies invested in other means for authentication that don't rely on passwords.


Two factor works pretty well, but employees lose shiat constantly. The last place I was at had that for certain IT workers, and even they lost the damn things. Nerds / geeks who know how important the stuff is can't keep track of it? You're doomed with regular users.
 
2012-08-24 12:30:17 PM  
I write my passwords out in the open, but in a code that only makes sense to me.

For example, BD WBD school #1. That's short for birthday, wife's birthday, first school I attended. Or 2309Jefferson. (The real ones are a little tougher for somebody to figure out.)
 
2012-08-24 01:49:57 PM  
 
2012-08-24 03:04:09 PM  

Tr0mBoNe: Of course I write down my password. The nerds in the IT closet make me change it every 6 weeks.


Yeah, what they don't realize is that when you require an uppercase letter, a number, 12 digits in length, a non-standard character, make you change it every month, every tool you use has a different login and password, and they won't allow you to reuse any of your last two dozen passwords, people all but have to write passwords down and put them on a sticky on the corner of their monitor.

Achieves the exact opposite of what they were going for.
 
2012-08-24 03:38:23 PM  

jbtilley: Tr0mBoNe: Of course I write down my password. The nerds in the IT closet make me change it every 6 weeks.

Yeah, what they don't realize is that when you require an uppercase letter, a number, 12 digits in length, a non-standard character, make you change it every month, every tool you use has a different login and password, and they won't allow you to reuse any of your last two dozen passwords, people all but have to write passwords down and put them on a sticky on the corner of their monitor.

Achieves the exact opposite of what they were going for.


Well, to be fair, what 'they' are going for is to show they have some security plan in place. It's the user's fault for having the password posted on the monitor. Welcome to the corporate C.Y.A. world.
 
2012-08-24 03:59:35 PM  

unlikely: Security Protip: Don't write your passwords down. If you must, write them somewhere discreet.


I write mine on my ballsack where everybody can see it. With a sharpie. By the time I remember it, it's washed off and I have to change it anyway.
 
2012-08-24 04:00:29 PM  
Using the first letter of each word in a common phrase or song works too.

"Just sit right back and you'll hear a tale, a tale of a fateful trip"
turns into
"Jsrbayhatatoaft"

Add in some numbers, say like sandwiching it between your four digit year of birth:
"19Jsrbayhatatoaft71"

And if you're feeling really creative, enclose all that in between some characters - Shift 1, 2, and 3 is easy to remember....
"!@#19Jsrbayhatatoaft71#@!"

Pretty easy to remember, but I would imagine that a password cracking program would struggle with this for a while.
 
2012-08-24 07:32:19 PM  

Vegan Meat Popsicle: Have you ever run an audit on user passwords in an organization? My experience has always been that > 25% of passwords are weak enough to be broken by tools like Cain or l0phtcrack in less than 48 hours.


Which is why you limit the system to one attempt per second (or 2). The user won't notice and you just made brute forcing it take 2000000[1] times as long. A 15 minute lock out at 3 errors and it will take over two hours to guess the super safe password "t".

[1] figure calculated using cop math.
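The throttling arithmetic in the comment above (one attempt per second, a 15-minute lockout after 3 errors) and the earlier meat@35 versus mycatsnameistimmy argument can both be checked with a small worst-case calculator. This is an added example, not code from the thread; the character classes, the one-billion-guesses-per-second offline rate and the lockout model are assumptions, and the raw keyspace deliberately ignores wordlist attacks, which is why a multi-word sentence is weaker in practice than this number suggests.

```python
import math
import string

# Character classes a naive brute-forcer would have to cover. Constructed
# for this example; real crackers use wordlists and rules, not raw keyspace.
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password touches."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Worst-case candidate count for a brute-forcer with no other knowledge."""
    return alphabet_size(password) ** len(password)


def hours_to_exhaust(candidates: int, rate_per_sec: float,
                     lockout_after: int = 0, lockout_minutes: float = 0.0) -> float:
    """Worst-case hours to try every candidate against a throttled login.

    rate_per_sec      attempts the service accepts per second
    lockout_after     failures before the account locks (0 = never locks)
    lockout_minutes   how long each lockout lasts
    """
    seconds = candidates / rate_per_sec
    if lockout_after:
        seconds += math.ceil(candidates / lockout_after) * lockout_minutes * 60
    return seconds / 3600


def offline_vs_online(password: str, offline_rate: float = 1e9) -> dict:
    """Compare an attacker holding the hash (unthrottled, assumed 1e9/s) with
    one stuck at the login form (1/s plus a 3-strike, 15-minute lockout)."""
    n = keyspace(password)
    return {
        "candidates": n,
        "offline_hours": hours_to_exhaust(n, offline_rate),
        "online_hours": hours_to_exhaust(n, 1.0, 3, 15),
    }


if __name__ == "__main__":
    for pw in ("t", "meat@35", "mycatsnameistimmy"):
        print(pw, offline_vs_online(pw))
```

The single-character "t" comes out at roughly 2.26 hours under the lockout model, matching the "over two hours" figure above, while the same keyspace falls to seconds once the hash is offline.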
 
2012-08-24 09:30:17 PM  
KeePass

That runs on pretty much any PC or cell phone, including old phones that can only run Java apps.
 
2012-08-24 10:33:34 PM  

gopher321: I've got so many logins and passwords I HAVE to write them down. My little black book, in other words. It's either that, or use the same login and password for every program/website/computer I use which is just stupid.

Usually i just pick a random name from history and add a couple of numbers to it, eg. Methuselah206. Who the hell is going to guess that?


Go and get Password Safe from SourceForge and thank me later. It can be installed either on a machine or thumbnails.
 
Displayed 33 of 33 comments
This thread is archived, and closed to new comments.