Comments on: Passwords and PINs: the worst choices
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/
News, Views, and Insight from the ESET Security Community
Mon, 03 Feb 2014 08:49:00 +0000

By: David Harley (Thu, 26 Dec 2013 09:23:00 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-4452
Well, that's pretty much what the letters are there for. However, if the word or phrase is a common one (LOVE for 5683 is a common, simple example) it increases the risk that it's one of the passphrases an attacker will try.

By: Alicia Webley (Mon, 23 Dec 2013 23:43:00 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-4448
I like to spell a word or a name by using the letters on a phone keypad.
It's simple. And numbers for words, like 4 for "for", B for "be", 2 for "to" or "too", C for "see", and make up a phrase I would remember.

By: David Harley (Sat, 21 Dec 2013 14:29:00 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-4443
Ah, the Jenny number. That still is quite a high scorer according to some lists.

By: Jocelyn Baker (Sat, 21 Dec 2013 13:06:00 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-4441
They need to add 8675309 to the common list.

By: Shailesh Tripathi (Thu, 05 Dec 2013 05:36:00 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-4398
Thank God my password does not belong to them.

By: teenygozer (Sun, 12 May 2013 18:18:00 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-4021
My husband and I like to use a combination of character names from old, obscure shows we used to watch as kids… sadly, every time they reboot one of our fav old shows and launch it into pop culture popularity, we have to change all our passwords.

By: Avinash Sawant (Wed, 08 Aug 2012 04:55:25 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-909
@David Harley, I agree with you on this. Passphrases combined with special characters / uppercase and lowercase characters / numbers make a good string which is tough to crack! Also, newer options like an OTP (One Time Password) and hard tokens, which are used as a second layer of security, make good sense!

By: Jen (Sat, 28 Jul 2012 18:18:26 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-908
Thanks, I will now try these to hack into my husband's computer.

By: Michael (Wed, 25 Jul 2012 13:12:09 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-907
I think the most worrying thing about this list is the damning indictment it represents of how the vast majority of men are such simpletons. Pussy, baseball and football being topped only by dragons (assumingly because everyone is watching Game of Thrones). There really is no hope for us as a species…

By: David Harley (Sun, 24 Jun 2012 11:06:25 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-906
@Pallab, I'm not familiar enough with Lastpass to recommend it personally, but password management/generation software in general is certainly an option that may help some people. Obviously, some are better and safer than others.

By: David Harley (Sun, 24 Jun 2012 10:47:40 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-905
@Henry, I agree that passphrases can be better than passwords, depending on how well-known they are and what additional transformative strategies are used. That applies not only as regards storing a hardcopy version of the passphrase, but also as regards the exact form and format of the passphrase itself.

By: Pallab (Sat, 23 Jun 2012 21:31:06 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-904
My security strategy is simple: let Lastpass generate a password for me.

By: Henry (Fri, 22 Jun 2012 02:03:50 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-903
I use a string of two or more words (and sometimes numbers) from my profession, and write down a coded version of them in my wallet, etc. The codes I use sometimes look like common terms or company names, so I would guess that makes them even stronger. If a password gets old, I abandon it, and reach even farther into my profession for new compound passwords.

By: David Harley (Fri, 15 Jun 2012 05:32:42 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-902
@Michael, while your strategy may work against someone sitting there trying to guess your password and entering it manually, it won't necessarily work against an automated attack: dictionary attacks don't only run through English words. They also use dictionaries from other languages and common transforms such as words where numbers are substituted for letters. If your wife's native language was something really unusual rather than (say) Spanish, that may be less relevant, though.

By: michael smith (Fri, 15 Jun 2012 02:02:04 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-901
My password strategy is this:
My late wife was from another country, so I use words from her native language as my passwords. I am not fluent by any means in her native tongue, but I know enough to be able to use words that, even if the word itself is hacked, the spelling of that word is not what an English-speaking person would normally be able to discern.

By: David Harley (Thu, 14 Jun 2012 09:21:12 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-900
@Reed, SSNs aren't as secure as you suggest: http://go.eset.com/us/resources/white-papers/EsetWP-SocialSecurityNumbers20090810.pdf

By: David Harley (Thu, 14 Jun 2012 09:16:43 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-899
Garry, 15 years ago I was talking about password strategies, and people were telling me that biometrics had rendered them obsolete. Well, biometric devices are much more in use now, often as a component of multi-factor authentication, but passwords and passcodes haven't disappeared. And much of the reason for that is economic. A poor technology (by itself, at any rate), but cheap to implement.

By: Garry (Thu, 14 Jun 2012 09:12:32 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-898
How 'bout a thumb scanner or eyeball scanner?

By: Reed Crawford (Wed, 13 Jun 2012 22:51:59 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-897
I write all my passwords down so that they can be remembered easily. But in a different way. For example:
If I used my name as a password (never use your name):
Reed is four letters long. The letter R = 18, E = 5 and D = 4. My system sees this as 18104 because each extra letter gets multiplied (5×2 for 2 comes from the E's). Then 18104 is multiplied by 4 from the original word length to get 72416. This is then appended as a suffix to the word and thus generates the complete password. This isn't a complete example, however. Other rules apply for my own personal use. And if someone were to use this method, I recommend incorporating other transformations to make it as unique to you as possible.

As far as PINs go, ATMs only use a four-digit PIN. Thus there are only 10,000 possible combinations of numbers that could be correct. Most thieves will not get this many attempts to guess, but under the right circumstances or with the right tools, it could be guessed using such a straightforward approach as guessing 0000 to 9999. Being that they are four digits long for the reason of simplicity, and therefore easy to memorize, it seems like it would be better if a person had to use their social security number in conjunction with a PIN. Unless you had your social caught in a phishing scam or some other highly compromising scheme, it would be almost impossible to guess a 13-digit random number that only you should know.

By: Synfluent (Mon, 11 Jun 2012 17:57:07 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-896
What scares me most is: how do you know this?

By: ForeverSPb (Mon, 11 Jun 2012 13:48:24 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-895
My favorite strategy is to use parts of phone numbers as PINs. All I have to do is to memorize whose number I used for what site.

By: David Harley (Sun, 10 Jun 2012 09:46:34 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-894
Thanks, Stephen.

Actually, I looked briefly at the Fibonacci sequence in the PIN paper. 4-digit Fibonacci numbers generally score quite low in the Amitay data, but: if they're used untransformed, the available quantity of numbers is pretty low for passcodes of four digits or less: if someone has reason to think that an individual is likely to use a Fibonacci strategy, an untransformed number could be surprisingly unsafe. A transformative strategy of the type you suggest is likely to be much more effective. As long as the output doesn't coincide with a number that might be very commonly chosen for other reasons, of course.

By: Stephen (Sun, 10 Jun 2012 02:31:58 +0000)
http://www.welivesecurity.com/2012/06/07/passwords-and-pins-the-worst-choices/#comment-893
Number 25 caught my eye. For I have a few friends that think using mathematical gimmicks, such as Fibonacci numbers. These "clever" password generators are not always so clever. I use certain physics formulas; however, the numbers representing the solving of the formula have their own system. One site it might be the square root of the combined value of the diagonal size of my 2 monitors, then, maybe the grade in school during which I first gained interest in the subject of the site. I use 5 main formulas and a memorized system for filling in the formulas' entries. Then that number is run through some of the top cyphers ever used. Then I have a password which will not be guessed. Sometimes I use just certain cyphers based on some information from the site.

I promise, once you take passwords & PINs seriously you can find a system for you. It need not be as complex as some of my methods, but, taking it all as seriously as it is, you can avoid a lot of worry or loss.

Finally, although the urge to reuse passwords seems to make sense, do your best to avoid the temptation to do so. Soon, much worry which is present or should exist about this issue will not keep you worried at every news story about passwords. Lastly, stay informed.