I got the worst passwords in the world! One of my passwords returned over 80 MILLION results.
Mark | 01.29.08 - 1:16 pm
hmm... none of my passwords return any results...
In their (Fineco's) defense, they do say:
"The length of the password must be 8 characters and contain a minimum of 1 number"
and only 1 of the examples fits that criterion:
05Fineco = 30 -> good password
but, then, that doesn't fit the first criterion listed:
"Set password difficult to guess and different from those in other uses
Services. Nothing dates, names or places easily attributed to you"
Actually, I think they just picked very poor examples. But, the 1st four steps (I think we can agree) are sage advice. While the 5th (Google search), possibly of dubious value, certainly couldn't hurt.
and who knows - that clever password you thought up might *not* be as creative as you thought...
Chris | 01.30.08 - 1:43 am
Why not, if you don't mind giving your password to Google.
Marc | 01.30.08 - 7:06 am
Well, if your password returns 80 million results, it means that you haven't got a mixture of numbers and letters properly.
That is to say, you have either a sentence or a word...or have just tapped on a few numbers at the end of a word.
Which makes it very easy to crack - a brute force dictionary attack would probably crack your password in a matter of minutes.
To improve your password strength, probably the best method while keeping your original known password, is to transcribe the letters.
i.e. change every letter to, say, 3 letters higher than it is.
So if your password was marc1234.
That would become: pduf1234.
That's one of the simplest methods, and I very much doubt that Google will find it. That being the case, it obviously means that a dictionary attack (which is the easiest way of cracking a password) won't work.
k1 | 01.30.08 - 9:48 am
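As an added illustration (not code posted in this thread), here is the letter shift k1 describes, together with the strength check a reviewer would run on it: a wordlist entry shifted by any of the 26 possible offsets is still reachable by trying those 26 offsets, so the transform multiplies an attacker's guess count by at most 26 rather than taking the password out of dictionary range. The function names and the toy wordlist are constructed here.

```python
import string

def shift_letters(password: str, shift: int = 3) -> str:
    """Move every ASCII letter `shift` places up the alphabet (wrapping);
    digits and symbols stay where they are. shift=3 is k1's example."""
    out = []
    for ch in password:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def recover_from_wordlist(candidate: str, wordlist) -> list:
    """Strength check: return every (word, shift) pair in the wordlist that
    produces `candidate` under some shift 0..25. A non-empty result means the
    password is still a dictionary word, just rotated."""
    hits = []
    for word in wordlist:
        for s in range(26):
            if shift_letters(word, s) == candidate:
                hits.append((word, s))
    return hits

# Constructed toy wordlist standing in for a cracking dictionary.
TOY_WORDLIST = ["password", "letmein", "marc1234", "fineco"]

if __name__ == "__main__":
    shifted = shift_letters("marc1234")       # the comment's example -> "pduf1234"
    print(shifted)
    print(recover_from_wordlist(shifted, TOY_WORDLIST))
```

Running it prints `pduf1234` and then `[('marc1234', 3)]`: the shifted form is explained by one wordlist entry and one offset, which is exactly the work a shift-aware dictionary check has to do.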
Sage advice? Do you realize that, for one thing, your password is now being sent in the clear? Somebody is running a packet sniffer on your LAN and you're screwed. So the process to check your password is THE ONE THAT REVEALED YOUR PASSWORD!
Also, how is that a good password checker? The "F1n3co" example shows right there that it's just awful. "F1n3co" is a RIDICULOUSLY BAD choice, yet it shows only one result in Google (the page itself).
To be honest, I reported the existence of these so-called "tips" because of how ridiculously wrong they were. I didn't think anybody could actually consider them "good"...
TNT | 01.30.08 - 9:58 am
Did you actually read what I said?
If so, maybe you can explain to me what is bad about:
> Set password difficult to guess and different from those in other uses
> Services. Nothing dates, names or places easily attributed to you
> The length of the password must be 8 characters and contain a minimum number 1
> Do not forget that passwords safer contain numbers and letters
> For example, choosing as passwords Fineco "it is advisable to insert before, or after
> Within a number: Fineco2005, 05Fineco, F13co etc.
> Try to change your password every two months
Because, I specifically said that _those_ steps were 'sage advice'
And yes - I did also say that their choice of _examples_ were bad.
I did also say that doing a Google search was of "possible dubious value, certainly couldn't hurt"
Yes, I realize it's sent in the clear
Yes, I realize this _can_ be a security concern.
I wonder, though, how easily a random Google search would be noticed and understood to be what it is?
Not really interested in nit-picking though - I agree, sending a potential/real password 'in the clear' is best avoided whenever possible.
So, if those 1st four _aren't_ good advice - what would you recommend?
Chris | 01.31.08 - 10:55 am
"I wonder, though, how easily a random Google search would be noticed and understood to be what it is?"
If they're looking for your password -- very easily.
TNT | 01.31.08 - 11:10 am
Think about this: filtering the HTTP requests sent to Google from a certain IP can be done with extreme ease.
Let's say that you find 100 Google search terms a day from an IP.
You can easily look through 100 "GET" or "POST" requests to Google manually.
Between all the requests, how many are bound to be phrases that make sense and how many are bound to be words composed by letters and numbers? If there is a list of search terms that make sense but you see one or two that make little sense and are a mix of letters and numbers, wouldn't you suspect that THAT one is the password?
TNT | 01.31.08 - 1:24 pm
My mistake - I assumed that you allowed comments to your blog posts because you wanted to encourage serious discussion...
Apparently not. You seem more interested in beating a dead horse than engaging in dialogue.
So, here, once more before I go:
As I already said: "I agree, sending a potential/real password 'in the clear' is best avoided whenever possible."
You see, that was me *agreeing* with you on _that_ point.
The other 4 points though, that you called "ridiculously wrong" and you "didn't think anybody could actually consider them good", you've, so far, completely ignored my asking what is *so* bad about them...
eh.... this has been a waste....
I give up... | 02.01.08 - 1:06 pm
I'm sorry, you said a Google search "couldn't hurt", and it does hurt. Then you proceeded to say that anyhow somebody observing the traffic wouldn't notice the strange Google search because it gets lost in the other searches, and I pointed out that it wouldn't.
You also missed that the blog entry was about two facts: ONE, that the suggestion of "trying to search the password in Google" was an absurd practice. TWO, that the examples they give for "good password" are actually awful examples. You didn't see the blog criticizing the other points, did you?
So much for serious discussion.
TNT | 02.01.08 - 5:12 pm
80 Million? Ha. 249,000,000 for my old default password. I bet I still use it somewhere for some forgotten service. I once googled: (mypassword) password, and found it on several "Bad Passwords" lists.
No more. Now I always have service-specific passwords that consist of a portion of a SHA1 hash of things relating to each service plus some other salts.
benizi | 02.15.08 - 12:04 pm
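An added example of the scheme benizi outlines (not code from the thread, and not benizi's own implementation): one master secret, and a per-service password taken from a portion of a SHA-1 digest of that secret, the service name and a salt. The function names, the `|` separator, the service-name normalisation, the 16-character truncation and the rotation counter are all choices made here for illustration. The rotation helper ties in the thread's "change your password every two months" point: bumping a generation number in the salt yields a fresh per-service password without touching the master secret.

```python
import hashlib

def derive_service_password(master_secret: str, service: str, salt: str,
                            length: int = 16) -> str:
    """Return the first `length` hex characters of
    SHA1(master_secret | normalised service name | salt).
    The service name is trimmed and lower-cased so 'Bank.Example ' and
    'bank.example' derive the same password."""
    if length < 1 or length > 40:            # a SHA-1 hex digest is 40 characters
        raise ValueError("length must be between 1 and 40")
    material = f"{master_secret}|{service.strip().lower()}|{salt}".encode("utf-8")
    return hashlib.sha1(material).hexdigest()[:length]

def rotated_service_password(master_secret: str, service: str, salt: str,
                             generation: int, length: int = 16) -> str:
    """Fold a rotation counter into the salt so the password for one service
    can be changed on a schedule while every other service stays unaffected."""
    return derive_service_password(master_secret, service,
                                   f"{salt}#{generation}", length)

def is_hex_of_length(value: str, length: int) -> bool:
    """Self-check: the derived value is lowercase hex of the requested size."""
    return len(value) == length and all(c in "0123456789abcdef" for c in value)

if __name__ == "__main__":
    master = "example-master-secret"          # constructed placeholder, not a real secret
    for svc in ("bank.example", "mail.example"):
        print(svc, derive_service_password(master, svc, "salt-2008"))
    print("bank.example, generation 2:",
          rotated_service_password(master, "bank.example", "salt-2008", generation=2))
```

Two properties worth noting from the code: different service names give unrelated outputs, so a leak at one site does not hand over the others, and the 16-hex-character truncation keeps 64 bits of the digest. Because SHA-1 is a fast hash, the scheme's strength rests entirely on the master secret and salt staying unguessable; those are the parts to keep offline.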
Commenting by HaloScan