[olug] (no subject)

Barry Von Ahsen barry at vonahsen.com
Tue Nov 6 14:50:16 UTC 2012


The LinkedIn breach made me finally switch to a password manager, and I haven't looked back since.

it's occasionally inconvenient, but if it's inconvenient for me, hopefully it's almost impossible for !$me

I also use it for my reset questions, since that can be the easier access route (as mentioned by others)

-barry



On Nov 6, 2012, at 8:31 AM, Jason Troy wrote:

> Lou, your pw scheme may not be working as you assume. This thread is OT
> from the scope of OLUG but given the propeller-heads that lurk here, it's
> relevant.
> 
> Many systems truncate your password to 6-8 chars (some are 12 or more but
> if they are doing it right, length should be virtually unlimited).
> I do like the idea of lying when it asks you what your favorite color is or
> where you were born, etc. I never understood why these are considered
> acceptable to ask / require.
> Kevin's suggestion (while not human-friendly) is a very good suggestion
> because it contains good entropy in generating the password.
> 
> Sites off the top of my head that truncate are hotmail/outlook.com and
> Wells Fargo. There are many that do this ... a more recent one discussed on
> a security forum pointed out a bank in Canada that was only using the first
> 6 chars. Some aren't even case-sensitive (on the back-end) and the
> validation rule was put in place as a simple "feel good" wedge.
> Bottom line is that if you have a "base password" that you re-use, you MUST
> assume that has leaked. If what you are appending is predictable you must
> assume that "no-good-nik" also can guess it.
> 
> Greg, good luck w/containing that and maybe consider turning on the 2-step
> authentication, it helps. I think most of us knew you were joking about
> using "password" as your password. FYI - "I forgot 1234" isn't a good one
> to use either. Lesson Learned :(
> 
> --JT
> 
> On Nov 6, 2012 7:19 AM, "Lou Duchez" <lou at paprikash.com> wrote:
> 
>> cracked.com, of all places, has some good suggestions on passwords:
>> 
>> http://www.cracked.com/article_18962_5-things-we-all-do-that-make-hackers-lives-incredibly-easy.html
>> 
>> For password generation, I've taken some tips from that article:
>> 
>> 1)    If your favorite song is, say, "Wake Me up Before You Go-Go",
>> abbreviate it to either "WMuBYGG" or perhaps "WaMeupBeYoGoGo".  You can use
>> that as a root word for all your passwords.
>> 
>> 2)    Add a suffix to the root depending on exactly what the password is
>> for, such as "homeemail" or "workemail" or
>> "secretpornsitethewifedoesntknowabout".
>> 
>> That's pretty uncrackable by virtue of sheer length, yet very memorable to
>> you.  cracked.com advises going a step further, and instead of
>> "homeemail", use a suffix of "fortawesome" or some other unguessable
>> reference that you would get but random hackers would not.  That way, even
>> if someone somehow finds out about "WaMeupBeYoGoGoworkemail", they can't
>> extrapolate and get your home password.  (By that logic, instead of
>> "workemail", maybe you should use a suffix more like "shamepalace".)
>> 
>> 
>> 
>>> Well, crap. Sorry all - some no-good-nik likes my email just as much as I
>>> do. Password is changed now. I guess "password" wasn't the best of
>>> passwords after all...?
>>> 
>>> 
>>> On Mon, Nov 5, 2012 at 8:51 PM, Justin Reiners <justin at hotlinesinc.com> wrote:
>>> 
>>>> Spam alert!
>>>> On Nov 5, 2012 8:50 PM, "Greg Gerke" <ggerke at gmail.com> wrote:
>>>> 
>>>>> http://107.20.173.250/CarolynConnects/wordpress/wp-content/plugins/zsliwwqkeeo/ugoogle.html
>>>>> 
>>>>> _______________________________________________
>>>>> OLUG mailing list
>>>>> OLUG at olug.org
>>>>> https://lists.olug.org/mailman/listinfo/olug
>>>>> 
>>>> 
>>> 
>>> 
>> 
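Added example, written by the editor and not by any list member: a Python model of the truncating, case-insensitive backend Jason describes, applied to Lou's root-plus-suffix passwords. It shows that the "different" per-site passwords collapse to a single stored credential and how much of the believed strength survives truncation. The sample passwords are constructed from the thread's own examples, and the character-class entropy estimate is the usual rough approximation, not a measurement.

```python
import hashlib
import math
import secrets
import string

# Lou's scheme from the thread: one memorable root plus a per-site suffix.
# Constructed sample passwords based on the thread's examples.
ROOT = "WaMeupBeYoGoGo"
SITE_PASSWORDS = {
    "home email": ROOT + "homeemail",
    "work email": ROOT + "workemail",
    "bank": ROOT + "fortawesome",
}

def backend_normalise(password, max_len=8, case_insensitive=True):
    """Model the sloppy backend Jason describes: silently keep only the first
    max_len characters and, optionally, fold case before hashing."""
    kept = password[:max_len]
    return kept.lower() if case_insensitive else kept

def stored_hash(password, max_len=8, case_insensitive=True):
    """Digest of what the backend actually compares. Unsalted SHA-256 is used
    only to make collisions visible; real systems should use a password KDF."""
    return hashlib.sha256(backend_normalise(password, max_len, case_insensitive).encode()).hexdigest()

def collisions(passwords, max_len=8, case_insensitive=True):
    """Groups of sites whose 'different' passwords become one stored credential."""
    groups = {}
    for site, pw in passwords.items():
        groups.setdefault(stored_hash(pw, max_len, case_insensitive), []).append(site)
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]

def charset_size(password):
    """Size of the union of standard character classes present in the password."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    return sum(size for chars, size in classes if any(c in chars for c in password))

def nominal_bits(password):
    """Strength the user believes they have: full length, full character set."""
    return len(password) * math.log2(charset_size(password) or 1)

def effective_bits(password, max_len=8, case_insensitive=True):
    """Strength left after the backend truncates and folds case."""
    return nominal_bits(backend_normalise(password, max_len, case_insensitive))

def generate_password(length=20):
    """What a password manager does instead: independent random characters per site."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print("sites sharing one stored credential:", collisions(SITE_PASSWORDS))
    pw = SITE_PASSWORDS["home email"]
    print(f"{pw}: believed {nominal_bits(pw):.0f} bits, effective {effective_bits(pw):.0f} bits")
```

With the default 8-character, case-folded backend all three sites end up storing the same credential, so a leak from one of them is a leak from all of them; with truncation and case folding turned off the collision disappears.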