Lanys Forums
http://www.lanysboard.com/forums/

Securing Yourself Online (or: Don't use easy passwords)
http://www.lanysboard.com/forums/viewtopic.php?f=19&t=8725
Page 1 of 1

Author:  Vanamar [ Tue Nov 15, 2011 8:17 AM ]
Post subject:  Securing Yourself Online (or: Don't use easy passwords)

First, a quick primer on what a secure password really is.

A password like "F442lc!#e4ty" is not inherently more secure than something like "l4nysTvl1ru13z". The second password actually has a distinct advantage in that you can most likely remember it.

Passwords should be easy to remember, but hard to guess. Don't use single words with numbers at the end as passwords, like "computer96" or even "Comput3r96" -- common words with number<->letter substitutions and all conceivable numbers at the end, middle or beginning have already been calculated and put into something that hackers and security researchers call "rainbow tables" ( http://en.wikipedia.org/wiki/Rainbow_table ) -- a large text file containing both a list of easy-to-guess passwords along with common password hashes (used for server-side password encryption), so if someone compromises the Lanys forums and they get a copy of the username/password database, all they have to do is take the list of encrypted passwords and compare against the rainbow table.

Forum software (and many other backend programs like shopping carts and online banking) gets around this by using either a) a password algorithm developed in house and not revealed via their programming, or b) something called a "salt", which they append to your password before running it through a hashing algorithm.

To create more secure passwords, you can string together four words that have nothing in common -- for example "globemotoroceancloud" or "correcthorsebatterystaple" ( http://xkcd.com/936/ ).

-------------------------

A better option, and the one I use, is to use an encrypted password file. I use Keepass ( http://keepass.info/ ).

This program creates a single file, protected by a single phrase (make it something hard to guess, as above, but something you can remember). Once you create/open the file, you can create random passwords of any length, containing any combination of characters you like. You can then, without actually exposing the password to yourself, copy and paste this password into login fields for any website or application. I use this to generate passwords for my email, bill payments and online banking sites, along with any other account with sensitive information like Amazon, Newegg or even battle.net.

-------------------------

If you have the option for two factor authentication (example: a battle.net authenticator token/smartphone program), then you should definitely take advantage of it. Except in exceedingly rare cases where the entire backend is compromised (see the RSA hack from earlier this year), two factor authentication is completely unbreakable. Many banks now offer tokens to allow for two factor authentication to be used to secure your bank accounts. Blizzard and Trion offer tokens and smartphone programs to do two factor for WoW/SC2 and Rift (and Bioware/EA are shipping a token with the SW:TOR CE, I'm not sure about the standard edition).

Even GMail supports two factor authentication via smartphone app (Android and iPhone, not sure about other smartphones).

-------------------------

You should also always have completely up to date antivirus software. If you run Windows XP, Vista or 7, then I highly recommend Microsoft Security Essentials. It is a very well done (and free) antivirus program. I can no longer in good conscience recommend AVG as a free solution as they have had some nasty QA problems with their stuff in recent months.

For paid solutions, Kaspersky, Avira or NOD32 are good options. Norton and McAfee are also "okay", but I consider them to be too expensive for what they provide relative to the three cheaper options I listed first.
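A worked illustration of the rainbow-table and salt points made in the post above, added here as an example; it is not code from the original post or from any forum software. A small lookup table of precomputed SHA-256 hashes (constructed from a few of the weak passwords named in this thread) recovers an unsalted hash with a single dictionary lookup, while a random per-record salt fed through PBKDF2 (an assumed choice, since the post names no particular algorithm) gives a hash that appears in no table computed in advance and differs every time the same password is stored.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed lookup ("rainbow") table: a few of the
# weak passwords named in this thread, each paired with its plain SHA-256 hash.
COMMON_PASSWORDS = ["password", "123456", "computer96", "Comput3r96", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain hash of the password alone: identical for every user who picks it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# hash -> password, built once up front. This is what makes a leaked database
# of unsalted hashes cheap to reverse: the work was done before the leak.
LOOKUP_TABLE = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Return the password behind an unsalted hash if the table already contains it."""
    return LOOKUP_TABLE.get(stored_hash)


def make_salted_record(password: str, iterations: int = 100_000) -> tuple:
    """Store a password as (salt_hex, PBKDF2-HMAC-SHA256(password, salt) hex).

    The 16 random salt bytes are generated per record, so the same password
    yields a different hash each time and cannot be matched against a table
    computed in advance. PBKDF2 is an assumed choice; the post names none.
    """
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex(), derived.hex()


def verify_salted(password: str, salt_hex: str, expected_hex: str,
                  iterations: int = 100_000) -> bool:
    """Recompute the salted hash for a login attempt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(derived.hex(), expected_hex)


def demo() -> dict:
    """Run the comparison for one weak password and return the observations."""
    unsalted = unsalted_hash("computer96")
    salt_a, hash_a = make_salted_record("computer96")
    salt_b, hash_b = make_salted_record("computer96")
    return {
        "unsalted_recovered": lookup_unsalted(unsalted),                        # "computer96"
        "salted_in_table": hash_a in LOOKUP_TABLE,                              # False
        "same_password_same_salted_hash": hash_a == hash_b,                     # False
        "salted_verifies": verify_salted("computer96", salt_a, hash_a),         # True
        "wrong_password_verifies": verify_salted("computer97", salt_a, hash_a), # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not need to be secret; it only has to be unique, which is why it is stored next to the hash. What it buys is that a table built once no longer pays off across every user and every site, so each leaked record has to be attacked on its own, and the iteration count makes each of those attempts slow.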

Author:  Venen [ Thu Nov 17, 2011 4:44 PM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

Great tips, thanks.

Curious about one thing though, and would be interested in your take on it. Copy/pasting passwords seems like a really common tactic from what I've heard around forums and amongst friends... I find it concerning because I've heard a few stories about trojans and other hacks that were able to grab the clipboard easily enough and get the password when you copy/paste.

Another idea that seems more effective is to find a program where you point and click your password. At the very least, the hacker would need to know the specific mouse coords assuming they were logged somehow. I've known a few people who use this method as well.

Totally agree with the two-factor key though; seems nearly foolproof (assuming someone doesn't find out the algorithms using the time stamps, I'm guessing).

Author:  Vanamar [ Thu Nov 17, 2011 6:34 PM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

It's easier to hijack a program that hooks into the mouse click API than it is to steal info from the clipboard, and Keepass clears the clipboard of all data after it detects a paste.

Author:  Tranthas [ Tue Nov 22, 2011 6:09 AM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

http://xkcd.com/936/

Author:  Vanamar [ Tue Nov 22, 2011 6:13 AM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

Linked to in my post, Tran. :P

Author:  Miramicha at Work [ Tue Nov 22, 2011 12:37 PM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

The full top 25 list of the worst online passwords, according to SplashData:

password
123456
12345678
qwerty
abc123
monkey
1234567
letmein
trustno1
dragon
baseball
111111
iloveyou
master
sunshine
ashley
bailey
passw0rd
shadow
123123
654321
superman
qazwsx
michael
Football

Author:  Tranthas [ Tue Nov 22, 2011 4:57 PM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

Dammit! So it is. It's brilliant.

Author:  Sarissa [ Tue Nov 22, 2011 5:19 PM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

Lots of those are 8 characters or fewer as well; that's trivial to brute force. There are statistical engines that can cut guessing time in half. People are just more likely to pick certain letters, numbers, and symbols over others. It's spooky but it works.

Login attempt limits keep folks with shitty passwords semi-safe, but when you hear about a database being stolen or a hashdump it's a big deal. Even a good password should be changed when that happens.

Gmail has pretty strong two-factor authentication now and is great to use as a registration address for sites.

Your login ID is also part of your password. Protect it. Don't use a character name. That's why they let you choose a forum name separate from your account name.

Also, the holidays are coming up. If you feel the urge to open up the latest trojaned turkey catapult or elf punching game you got passed on email... don't. Or at least do it in a virtual machine.
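The login attempt limits mentioned in the post above, as an added example that is not code from the post or from any forum software: a per-account throttle that counts failed attempts inside a sliding window and locks the account for a cooling-off period. Timestamps are passed in explicitly so the behaviour can be exercised offline; the thresholds (5 failures in 5 minutes, 15-minute lockout) are assumed values, not anything the thread specifies.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failure counter with a sliding window and a temporary lockout."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300,
                 lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time at which lockout ends

    def _prune(self, account: str, now: float) -> None:
        """Forget failures older than the window so old mistakes don't accumulate forever."""
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account: str, now: float) -> bool:
        """Log a failed attempt; return True if this one triggered a lockout."""
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account].clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the account's counters."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password_ok: bool, now: float) -> str:
    """Gate a login attempt through the throttle; returns 'locked', 'ok' or 'denied'.

    The lock check comes first, so a correct password is refused while the
    account is locked; that is what turns an online guessing attempt into a
    handful of tries per window instead of thousands.
    """
    if throttle.is_locked(account, now):
        return "locked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"


if __name__ == "__main__":
    t = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=120)
    for now in (0, 1, 2):
        print(now, attempt_login(t, "bob", False, now))   # denied x3, third locks
    print(3, attempt_login(t, "bob", True, 3))           # locked, even with the right password
    print(123, attempt_login(t, "bob", True, 123))       # ok, lockout has expired
```

One caveat a deployment needs to weigh: a hard lockout keyed only on the account name lets anyone who knows a login ID lock its owner out on purpose, which is part of why Sarissa's advice to keep the login ID separate from a public character name matters. Many sites therefore prefer escalating delays or a CAPTCHA over a flat lockout, or key the counter on the source address as well as the account.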

Author:  Tranthas [ Wed Nov 23, 2011 4:25 AM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

That virtual machine thing is a total illusion. Stolen information remains stolen when you wipe the VM.

Author:  Sarissa [ Wed Nov 23, 2011 5:06 AM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

True, so don't access anything important after punting unicorns in the VM. Just shut it down or reboot the ISO. The internet AIDS remains contained to that session.

Author:  Vanamar [ Wed Nov 23, 2011 7:00 AM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

Non-persistent virtual machines are an advanced topic outside of the scope of my original post. I use them semi-religiously myself.

Author:  Vanamar [ Fri Oct 25, 2013 7:50 AM ]
Post subject:  Re: Securing Yourself Online (or: Don't use easy passwords)

I've recently stopped using Keepass and have moved on to Dashlane, because it removes the necessity of having to keep my database file updated via Dropbox, and supports two factor authentication.

All times are UTC - 7 hours [ DST ]