[olug] (no subject)

Jason Troy jason.troy at gmail.com
Tue Nov 6 14:31:44 UTC 2012


Lou, your pw scheme may not be working as you assume. This thread is OT
from the scope of OLUG but given the propeller-heads that lurk here, it's
relevant.

Many systems truncate your password to 6-8 chars (some are 12 or more but
if they are doing it right, length should be virtually unlimited).
I do like the idea of lying when it asks you what your favorite color is or
where you were born, etc. I never understood why these are considered
acceptable to ask / require.
Kevin's suggestion (while not human-friendly) is a very good suggestion
because it contains good entropy in generating the password.

Sites off the top of my head that truncate are hotmail/outlook.com and
Wells Fargo. There are many that do this ... a more recent one discussed on
a security forum pointed out a bank in Canada that was only using the first
6 chars. Some aren't even case-sensitive (on the back-end) and the
validation rule was put in place as a simple "feel good" wedge.
Bottom line is that if you have a "base password" that you re-use, you MUST
assume that has leaked. If what you are appending is predictable you must
assume that "no-good-nik" also can guess it.

Greg, good luck w/ containing that and maybe consider turning on the 2-step
authentication, it helps. I think most of us knew you were joking about
using "password" as your password. FYI - "I forgot 1234" isn't a good one
to use either. Lesson Learned :(

--JT
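The failure mode described above, as an added Python example that is not part of the thread: it models a back-end that silently keeps only the first 8 characters of a password and ignores case, then checks whether two passwords built from the root-plus-suffix scheme are still distinguishable credentials. The 8-character limit, the case-folding, the sample passwords and the PBKDF2 storage are all assumptions made for this model.

```python
import hashlib
import hmac
import os

# Constructed sample credentials built with the root-plus-suffix scheme from the thread.
ROOT = "WaMeupBeYoGoGo"
HOME_PW = ROOT + "homeemail"
WORK_PW = ROOT + "workemail"

# Low iteration count so the demo runs quickly; a real deployment would use far more.
ITERATIONS = 10_000


def flawed_normalize(password: str, max_len: int = 8) -> str:
    """Assumed back-end that keeps only the first max_len chars and ignores case."""
    return password[:max_len].lower()


def sound_normalize(password: str) -> str:
    """A back-end that hashes the full password exactly as typed."""
    return password


def register(password: str, normalize, salt=None):
    """Store (salt, PBKDF2 digest) of the *normalized* password, as the site would."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record, normalize) -> bool:
    """Constant-time comparison of a login attempt against a stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(password).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def cross_site_collision(normalize) -> bool:
    """True if the work-email password also unlocks the home-email account."""
    home_record = register(HOME_PW, normalize)
    return verify(WORK_PW, home_record, normalize)


def distinct_credentials(passwords, normalize) -> int:
    """How many of these passwords stay distinguishable after the back-end's normalization."""
    return len({normalize(p) for p in passwords})


if __name__ == "__main__":
    for name, norm in (("truncating/case-folding", flawed_normalize), ("full-length", sound_normalize)):
        print(f"{name}: collision={cross_site_collision(norm)}, "
              f"distinct={distinct_credentials([HOME_PW, WORK_PW, ROOT + 'bank'], norm)}")
```

Under the truncating back-end every password sharing the root collapses to the same stored credential, so the suffix adds nothing and a leak of one is a leak of all.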

On Nov 6, 2012 7:19 AM, "Lou Duchez" <lou at paprikash.com> wrote:

> cracked.com, of all places, has some good suggestions on passwords:
>
> http://www.cracked.com/article_18962_5-things-we-all-do-that-make-hackers-lives-incredibly-easy.html
>
> For password generation, I've taken some tips from that article:
>
> 1) If your favorite song is, say, "Wake Me up Before You Go-Go",
> abbreviate it to either "WMuBYGG" or perhaps "WaMeupBeYoGoGo".  You can use
> that as a root word for all your passwords.
>
> 2) Add a suffix to the root depending on exactly what the password is
> for, such as "homeemail" or "workemail" or
> "secretpornsitethewifedoesntknowabout".
>
> That's pretty uncrackable by virtue of sheer length, yet very memorable to
> you.  cracked.com advises going a step further, and instead of
> "homeemail", use a suffix of "fortawesome" or some other unguessable
> reference that you would get but random hackers would not.  That way, even
> if someone somehow finds out about "WaMeupBeYoGoGoworkemail", they can't
> extrapolate and get your home password.  (By that logic, instead of
> "workemail", maybe you should use a suffix more like "shamepalace".)
>
>> Well, crap. Sorry all - some no-good-nik likes my email just as much as I
>> do. Password is changed now. I guess "password" wasn't the best of
>> passwords after all...?
>>
>>
>> On Mon, Nov 5, 2012 at 8:51 PM, Justin Reiners <justin at hotlinesinc.com> wrote:
>>
>>> Spam alert!
>>> On Nov 5, 2012 8:50 PM, "Greg Gerke" <ggerke at gmail.com> wrote:
>>>
>>>> http://107.20.173.250/CarolynConnects/wordpress/wp-content/plugins/zsliwwqkeeo/ugoogle.html
>>>
>>>> _______________________________________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> https://lists.olug.org/mailman/listinfo/olug
>>>>
