Which is the better password & 4 facts about passwords

Deleted74295

Feel free to share. - www.DaraIT.co.uk

Which is the better password?

Is it easier to remember.
Better against password attacks
Is the choice that over 300 IT pros recommend
Many environments rely on complex hard to remember passwords which weaken security in the long run.

Also, check out these 4 password facts to remember.

Dashrender

The problem that I have with SevenTimesSevenEqualsEleven is that those are each a work in the dictionary. If you treat each word as a single character, you now have a 5 character password. Sure there 10's of thousands more words in the dictionary than there are options in ASCII, but the question still remains, it is really that much safer?

The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven Dramatically improves the security of this password.

Deleted74295

@Dashrender said:

The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven Dramatically improves the security of this password.

There is always a more secure password out there. Someone can easily add a 1995 to the end of the above password and it becomes infinitely more secure.

This is more about encouraging length rather than pointlessly short passwords for our users such as C0rP123!!

DustinB3403

SevenTimesSevenEqualsEleven is probably the better password.

And 20,000 people just lost their secure password to the internet, good going @Breffni-Potter !

JaredBusch

@Breffni-Potter said:

@Dashrender said:

The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven Dramatically improves the security of this password.

There is always a more secure password out there. Someone can easily add a 1995 to the end of the above password and it becomes infinitely more secure.

This is more about encouraging length rather than pointlessly short passwords for our users such as C0rP123!!

Length is all that matters really. Basic dictionary attacks are not as effective when you have 4 or 5 words there. That is completely different than a short single word password.

Deleted74295

@DustinB3403 said:

SevenTimesSevenEqualsEleven is probably the better password.

And 20,000 people just lost their secure password to the internet, good going @Breffni-Potter !

I'm trying to help the 500000 people who still use Pa$$word1 as a password. , it meets the AD complexity requirements.

BRRABill

@Dashrender said:

The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven Dramatically improves the security of this password.

Isn't that the same words with a letter in them?

If you are thinking they can figure out the words, why would this help?

wirestyle22

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

MattSpeller

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

wirestyle22

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

MattSpeller

@wirestyle22 said:

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

Absolutely! Once the luser finally gave up looking for it and confessed. That's anywhere from an hour to several days where I can take your device offline (disabling your remote wipe) and then it's just a count down to pwnage.

Dashrender

@BRRABill said:

@Dashrender said:

The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven Dramatically improves the security of this password.

Isn't that the same words with a letter in them?

If you are thinking they can figure out the words, why would this help?

Because it's no longer a pure dictionary attack. The letter X (I don't think) isn't in the dictionary because it's not a word).

What I'm getting at does have very limited use - this is true, because assume the system allows for all ASCSII characters, you could put spaces between works, or underlines, etc... lots of easy to remember ways to break this away from a dictionary attack. But then again we are talking about people here - where the most common password is still password.

Dashrender

@MattSpeller said:

@wirestyle22 said:

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

Absolutely! Once the luser finally gave up looking for it and confessed. That's anywhere from an hour to several days where I can take your device offline (disabling your remote wipe) and then it's just a count down to pwnage.

Obviously in the case of MDM managed devices, hopefully you have some kind of limited number of tries before the device self wipes.

dafyre

@Dashrender said:

@MattSpeller said:

@wirestyle22 said:

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

Absolutely! Once the luser finally gave up looking for it and confessed. That's anywhere from an hour to several days where I can take your device offline (disabling your remote wipe) and then it's just a count down to pwnage.

Obviously in the case of MDM managed devices, hopefully you have some kind of limited number of tries before the device self wipes.

I have this on my personal phone, lol.

BRRABill

@dafyre said:

I have this on my personal phone, lol.

I don't, just because the little ones grab my phone sometimes.

Though since I really have no data on there ... what am I waiting for???????

Dashrender

@BRRABill said:

@dafyre said:

I have this on my personal phone, lol.

I don't, just because the little ones grab my phone sometimes.

Though since I really have no data on there ... what am I waiting for???????

You have backups don't you? shouldn't be an issue.

dafyre

@Dashrender said:

@BRRABill said:

@dafyre said:

I have this on my personal phone, lol.

I don't, just because the little ones grab my phone sometimes.

Though since I really have no data on there ... what am I waiting for???????

You have backups don't you? shouldn't be an issue.

This! Any pics or videos that I take are uploaded to my ownCloud server... Contats are on Google... anything else can be replaced.

BRRABill

@Dashrender said:

You have backups don't you? shouldn't be an issue.

No need for backups. No data is stored on the phone anymore.

I've caved to the @scottalanmiller method of data storage.

Dashrender

@BRRABill said:

@Dashrender said:

You have backups don't you? shouldn't be an issue.

No need for backups. No data is stored on the phone anymore.

I've caved to the @scottalanmiller method of data storage.

This doesn't make sense to me. If you, like he, takes pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.

BRRABill

@Dashrender said:

This doesn't make sense to me. If you, like he, takes pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.

Goes right to iCloud.