# How to make a safe password



## Monster Tamer (Jan 26, 2009)

I'm sure you people saw or heard about EL's case. A friend of mine (not presently), and of many others as well. How did the hackers manage to do it? Simple: Ebony himself left a backdoor for invaders by using the same password for most of the sites he's a member of. So it was just a matter of attacking one of those accounts, and the chaos was done.

And as there's always incoming panic from those who witness these cases, fearing for their security integrity, here's my two cents for you people.

*DON'TS*
- Don't use words for passwords. Stuff like "lolinternets", "steeldrums", "oldpocketwatch": those are easily discovered if a hacker wants to. It's what they call a "dictionary attack". Just because there's no space between the words doesn't mean it's harder to find out.
- Numerical sequences, even worse than the above. Anyone with Google and 5 minutes to spend can mass-attack your password until the numbers are found. If you thought that birth-date passwords were easy to find...
- Don't use hex-translated passwords. That was a smart move, but back in 2005 and prior. Nowadays the hackers use the previous methods together with hex translators, so it's also a bad idea.
- Don't use a string of letters, then another of numbers, like "ghyh185132". That's the most overused type of password, and also an easy target for hacks.

*DO'S*
- Mash at your keyboard randomly. See what came out, then take note of it. Yeah, that looks stupid, but it's the best way to come up with a safe password.
- Use the Alt+Numpad symbols. Those are hardly checked by the hacking programs. Symbols like "¬", "♥", "®" and "↕". Anything that can't be found on your keyboard in two strokes is good enough.
- Mix capital letters with lower case when creating your passwords. LikE THis, seRIouSly. While this is expected from you, the target of the hack, it still hampers the hacker's patience to find out which letters are lower case and which are capitals.
- Do make them long, around 8 to 10 characters. Less than that may be easier for you to remember, but also easier to find out after a brute-force hack.

Some good examples:
- as789uiow34
- .654sad5!16
- sudb↔®dsaf
- er98ºhgt723^

Remember, the most random and illogical passwords are the most safe around. And I hope that those tips help you people to not suffer the same fate as our pal Ebony.


----------



## Lobar (Jan 26, 2009)

https://www.grc.com/passwords.htm


----------



## ArielMT (Jan 26, 2009)

^ This.

And if you need to write down your passwords, guard the pad you use as closely as you guard your wallet or purse.


----------



## ToeClaws (Jan 26, 2009)

Excellent post!  Yes... passwords are something people just don't do very well.  I cannot tell you how many times over the years that I've scolded managers, CEOs, COOs and so on for incredibly simple/stupid passwords that they like because "it's easy to remember".  

Another tip I can offer: It can be a pass-phrase too - don't limit yourself to just a word!

Example: Th1$-i$-p3tty-daMn-$3cur3-dud3!

It's still easy to remember, but its length and alpha/numeric character combinations make it very hard to crack.


----------



## Stratelier (Jan 26, 2009)

Does it help to explain some of the guidelines?

Well, for starters, suppose your password is 9 characters long.  If it's all digits (0-9), that means that to an outside hacker there are exactly one billion potential combinations if they're going to brute-force it.  Random strings of letters are better, with a 9-letter (random letters) password scoring 5.4 _trillion_ combinations.  Alphanumeric?  36^9, about 100 trillion.  Printable ASCII characters?  63^9, about 15 and a half _quadrillion_.



> Example: Th1$-i$-p3tty-daMn-$3cur3-dud3!


(Not anymore :roll: )

But yes, good ol' 1337 is a combination of being both easy to remember and difficult to brute-force.  Even if all you do is substitute numbers for their respective vowels, a password such as "5up3rc4l1fr4g1l15t1c3xp34l1d0c10u5" looks pretty random even though it's really Mary Poppins.

And, having said that, for your own sake DON'T copy-paste any stated examples of a "good" password.


----------



## mrredfox (Jan 26, 2009)

15 character random password generator ftw.


----------



## Irreverent (Jan 26, 2009)

Monster Tamer said:


> And I hope that those tips help you people to not suffer the same fate as our pal Ebony.



Well done MT!


----------



## ToeClaws (Jan 26, 2009)

Stratadrake said:


> Ah, good ol' 1337 is a combination of being both easy to remember and difficult to brute-force.  Even if all you do is substitute numbers for their respective vowels, a password such as "5up3rc4l1fr4g1l15t1c3xp34l1d0c10u5" looks pretty random even though it's really Mary Poppins.



*laughs* Nice, you just brought Mary Poppins into the 21st century.  

Another good tip in the "don't" list is never, ever, EVER e-mail or text a password to someone.  They are forms of clear-text data transmission that can be intercepted in one of dozens of ways (especially if you like using open wireless networks or crappy old WEP encryption).  If you have to communicate a password, then call someone and tell them, or use a graphic that represents the password.  And for godsakes, use as secure a connection as you can.

It never ceases to amaze me how many people run open wireless networks, and/or have their laptops in open adhoc mode, AND have horrible passwords or no passwords at all!  Good security starts with a good password or pass-phrase.  After that, there's your connection type, OS, patch level, tactics taken to harden the OS, firewalls, NAT/PAT, etc. - but at least start with a good password.


----------



## Ren-Raku (Jan 26, 2009)

One previous password I used took me a week to memorise. 26 characters (alphanumersymbolic with upper and lower case)


----------



## ™-Daley Leungsangnam475-™ (Jan 26, 2009)

sure ... i MIGHT use the same password for nearly everything ... since then i dont have to remember what combo for what forum

instead ... i use different usernames ... and i tend to change my forum username name nearly once every 13 months ... so it doesnt really bother me

sure i may sound Naive ... but i've only been hacked once ... and that was in 2003 ... my old MSN account ... which i've completely forgot about until right now


----------



## Kesteh (Jan 26, 2009)

Alt+` makes a password generated on two things, a master code I put in and the website.
I love this addon...
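
The master-code-plus-website idea Kesteh describes, worked through as an added example. This is not the add-on's own algorithm (the post does not give it); the salt, iteration count, alphabet, host normalisation rules and the `generation` counter are all assumptions of this example. The master secret is stretched once with PBKDF2-HMAC-SHA256, and each site's password is then expanded from that key with HMAC, so the same site always yields the same password and a leaked site password does not hand the attacker the master without an expensive offline guess.

```python
import hashlib
import hmac

# Added example, not Kesteh's add-on's algorithm: deterministic per-site
# passwords from one master secret, in the spirit of the post above.

ALPHABET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!@#$%^&*"
)  # 70 characters

# Fixed, application-specific salt (an assumption of this example). The
# expensive stretching of the master happens once; the site name goes into
# the cheap expansion step, so one stretched key serves every site.
STRETCH_SALT = b"example-site-password-derivation-v1"
STRETCH_ITERATIONS = 200_000
MAX_LENGTH = 32  # 70^32 is about 2^196, well inside a 256-bit digest


def stretch_master(master: str) -> bytes:
    """Slow one-way step: turn the master secret into a 32-byte key.
    PBKDF2-HMAC-SHA256 with a high iteration count makes offline guessing of
    the master expensive even if one derived password leaks."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                               STRETCH_SALT, STRETCH_ITERATIONS, dklen=32)


def normalise_site(site: str) -> str:
    """Strip scheme, path and a leading 'www.' so the same site gives the
    same password however the URL was typed. A phishing domain still gets a
    different password, which is a useful side effect of this scheme."""
    host = site.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_site_password(master_key: bytes, site: str, length: int = 16,
                         generation: int = 1) -> str:
    """Expand the stretched master key into a password for one site.

    `generation` lets the user rotate a single site's password after a
    breach without changing the master: bump it to 2, 3, ... for that site.
    The 256-bit HMAC output is read as one big integer and written out in
    base len(ALPHABET); because 70^32 is far below 2^256 the bias from the
    implicit modulo is negligible, which is why `length` is capped.
    """
    if not 0 < length <= MAX_LENGTH:
        raise ValueError(f"length must be between 1 and {MAX_LENGTH}")
    host = normalise_site(site)
    msg = f"{host}|{generation}|{length}".encode("utf-8")
    digest = hmac.new(master_key, msg, hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    key = stretch_master("correct horse battery staple")  # constructed master
    print(derive_site_password(key, "https://www.example.com/login"))
    print(derive_site_password(key, "example.com"))   # identical to the above
    print(derive_site_password(key, "example.org"))   # unrelated
    print(derive_site_password(key, "example.com", generation=2))  # rotated
```

The trade-off a practitioner should weigh before relying on a scheme like this: the master is a single point of failure for every site, the scheme cannot satisfy a site whose password rules reject the alphabet, and rotating one site's password means remembering that site's `generation` somewhere. A password manager with a random per-site password sidesteps all three.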


----------



## Aden (Jan 26, 2009)

My password is 12345.

\Come on furries, don't let me down...


----------



## ToeClaws (Jan 26, 2009)

Aden said:


> My password is 12345



"That's the kind of password an idiot has on his luggage."


----------



## LizardKing (Jan 26, 2009)

Mine is dr4g0ns3x that's pretty secure right?


----------



## Runefox (Jan 26, 2009)

I'd tell you my password, but that would be silly. Suffice to say, it's 17 characters and random, upper-lower-numeric-symbol characters. While mine is truly random, l33t can be used, too.

For example, if I wanted to make my password my username, I could use:

/PU|\!3f()x

Which would be nicer if I had a longer name, like my old name, Anthonius Runeblaze:

4n7|-!0|\!1U$_r|_|N38L4zE

Yikes.


----------



## Irreverent (Jan 26, 2009)

Let's not go too far.....any system that requires a 17-26 byte cryptographically strong password probably should be using two factor authentication anyway.


----------



## ArielMT (Jan 26, 2009)

►Sparky Lucario◄™ said:


> sure ... i MIGHT use the same password for nearly everything ... since then i dont have to remember what combo for what forum



You might be doing it wrong.  No matter how strong the password was, using the same password for everything is what allowed EL's account to be cracked.

Edit: I seem to be shown incorrect by this thread and this post.



►Sparky Lucario◄™ said:


> instead ... i use different usernames ... and i tend to change my forum username name nearly once every 13 months ... so it doesnt really bother me



You're _really_ doing it wrong.  Usernames are known and, 99 times out of 100, can't be made invalid or recycled.  And like it or not, the names you don't use anymore are still there and still you.


----------



## Aden (Jan 26, 2009)

ToeClaws said:


> "That's the kind of password an idiot has on his luggage."



You get a gold star for the day!


----------



## ™-Daley Leungsangnam475-™ (Jan 26, 2009)

but i've used 4 different combos for passwords ... but i'm sticking with the one for now ... i change them all whenever i want

and i've used like 200+ usernames ... 

bleh ... i do things my way really


----------



## net-cat (Jan 26, 2009)

Aden said:


> My password is 12345.


Incredible! That's the combination on my luggage!

Best way I've found is a completely arbitrary sentence with random punctuation mixed in.

... and it helps that it's tied to a 4096 bit RSA key that lives only on my thumb drive.


----------



## Monster Tamer (Jan 26, 2009)

ArielMT said:


> And if you need to write down your passwords, guard the pad you use as closely as you guard your wallet or purse.



Which reminds me, don't do like Resident Evil and leave your passwords in a .doc (or any other text file) in your pc. Go wonder what kind of trojan you have hidden in there...

Yep, there's a particular type that can copy your text files and transmit them silently to another computer. So tread lightly.


----------



## verix (Jan 26, 2009)

Aden said:


> My password is 12345.
> 
> \Come on furries, don't let me down...



lol you would be surprised how many people on FA had their password as "dragon" at one point

I think it was the most popular animal-based password I found


----------



## mrredfox (Jan 26, 2009)

Ren-Raku said:


> One previous password I used took me a week to memorise. 26 characters (alphanumersymbolic with upper and lower case)


A week?? ptf... took me 5 minutes at work to learn my 15 character password, heh i can still remember all passwords i have ever used on the internet


----------



## Irreverent (Jan 26, 2009)

net-cat said:


> Best way I've found is a completely arbitrary sentence with random punctuation mixed in.
> 
> ... and it help that it's tied to a 4096 bit RSA key that lives only on my thumb drive.



Which would be two factor.


----------



## Rehka (Jan 26, 2009)

ToeClaws said:


> Another good tip in the "don't" list is never, ever, EVER e-mail or text a password to someone.  They are forms of clear-text data transmission that can be intercepted in one of dozens of ways (especially if you like using open wireless networks or crappy old WEP encryption).  If you have to communicate a password, then call someone and tell them, or use a graphic that represents the password.  And for godsakes, use a as secure a connection as you can.



I'm going to sound like a complete idiot. I don't care, I'm going to ask anyway.

How about emailing yourself passwords? like if you were to use a random password generator and email the results to yourself? (perhaps because you have illegible writing or something )


----------



## ArielMT (Jan 26, 2009)

Aden said:


> My password is 12345.
> 
> \Come on furries, don't let me down...



Dilbert is a documentary cleverly disguised as a comic strip.


----------



## SnowFox (Jan 26, 2009)

I don't even know my password, I used a script to generate it. It's kind of annoying when I want to sign in from another computer then remember that I don't know my password  Well at least I'm covered for when someone tries to torture me for info


----------



## Ren-Raku (Jan 26, 2009)

SnowFox said:


> I don't even know my password, I used a script to generate it. It's kind of annoying when I want to sign in from another computer then remember that I don't know my password  Well at least I'm covered for when someone tries to torture me for info



Sounds kinkeh!


----------



## SnowFox (Jan 26, 2009)

Ren-Raku said:


> Sounds kinkeh!



Well, when you put it that way....

wanna hack my account? *wink wink*

oh god, I'm so dirty


----------



## Ren-Raku (Jan 26, 2009)

SnowFox said:


> Well, when you put it that way....
> 
> wanna hack my account? *wink wink*
> 
> oh god, I'm so dirty



If it would make you happy *ties Snowy down and blindfolds him* Though I have no clue about real hacking lulz. OUCH I JUST CLICKED MY HIP! Nothing bit, but made a huge click and a tingling sensation went down my leg.


----------



## Runefox (Jan 26, 2009)

SnowFox said:


> I don't even know my password, I used a script to generate it.



So you just like, copy and paste it every time?


----------



## SnowFox (Jan 26, 2009)

Ren-Raku said:


> If it would make you happy *ties Snowy down and blindfolds him* Though I have no clue about real hacking lulz. OUCH I JUST CLICKED MY HIP! Nothing bit, but made a huge click and a tingling sensation went down my leg.



Want me to rub it better?



Runefox said:


> So you just like, copy and paste it every time?



No, I typed it in once then got the cookie to remember it.


----------



## Raithah (Jan 26, 2009)

Kinda offtopic, but if you don't mind the tangent, what's more secure: [randomly] generating passwords to their maximum allowed length (~30 characters for most services, I think), then writing the string down on a card to be placed in a wallet; or making easily remembered, shorter passwords? I mean, the former makes more sense to me, but I'm not exactly an expert in the field of data security.


----------



## Ren-Raku (Jan 26, 2009)

SnowFox said:


> Want me to rub it better?



Please do, it goes well with my bust ankle :/ Why do I keep breaking?


----------



## Irreverent (Jan 26, 2009)

ArielMT said:


> Dilbert is a documentary cleverly disguised as a comic strip.



Heh.  Yes. Yes it is.


----------



## Monster Tamer (Jan 27, 2009)

SnowFox said:


> No, I typed it in once then got the cookie to remember it.



That's something I recommend against, but for other reasons. What if you leave your pc on, and someone unwanted (read: parents) begins browsing through your last visited sites... Yeah, scene's not beautiful at all. <_>;; Unless you got a rigged Firefox to erase all your browsing tracks, then it's safe.



ArielMT said:


> Dilbert is a documentary cleverly disguised as a comic strip.



Wasn't that 12345 joke on Spaceballs too?


----------



## ToeClaws (Jan 27, 2009)

Monster Tamer said:


> Wasn't that joke on Spaceballs too?



Yep, that's where it originally came from - the combination to Druidia's airshield (also President Skroob's luggage).   That movie had some of the best quotes ever.

Dark Helmet: And now you know why evil will always triumph... because good is dumb.


----------



## CAThulu (Jan 27, 2009)

*L* odd how we were just discussing this very movie tonight.


----------



## Armaetus (Jan 27, 2009)

https://secure.pctools.com/guides/password/

How does one expect to remember a password with those weird characters?



net-cat said:


> ... and it help that it's tied to a 4096 bit RSA key that lives only on my thumb drive.



...and if the thumb drive dies?


----------



## ToeClaws (Jan 28, 2009)

CAThulu said:


> *L* odd how we were just discussing this very movie tonight.



*chuckles* Yes.  Made me want to see it again.  Well until we were pleasantly distracted by the Lycans anyway. :mrgreen:



mrchris said:


> https://secure.pctools.com/guides/password/
> 
> How does one expect to remember a password with those weird characters?



You get used to them pretty easily.  I tend to only substitute a few letters with numbers or symbols.  If you still find it hard to remember, then just stick to using a pass-phrase instead of a password.  For example, if you use "*I-can-never-remember-weird-characters!*" as your pass-phrase, it's still ultra secure in that there are so many characters that it's not easily cracked.  In fact, that's more secure than a password like "*53cur3!*"


----------



## net-cat (Jan 28, 2009)

mrchris said:


> ...and if the thumb drive dies?



... buy a new thumb drive and put my contingency plan into effect?


----------



## Irreverent (Jan 28, 2009)

net-cat said:


> ... buy a new thumb drive and put my contingency plan into effect?




Retrieve backup thumbdrive from fireproof safe, copy contents to newly purchased replacement thumbdrive, deposit backup thumbdrive back in safe, use new replacement.

Probably what Net-cat meant, but just driving the point home.  Disasters are when you execute your disaster recovery plan, not create one you should have had in the first place.  And test, test, test.


----------



## seanm07 (Feb 2, 2009)

For my password, I just randomly one day typed 8 numbers into notepad and memorised it and *BING* I always remember it


----------



## Xaerun (Feb 2, 2009)

Eh. Things that don't really matter (like say, MySpace) I don't bother thinking up elaborate passwords. Oh, they're not easy, but they're not 'random' imo.
Things that are important or involve any amount of money? Ho-ho, watch out.


----------



## SnowFox (Feb 2, 2009)

Xaerun said:


> Eh. Things that don't really matter (like say, MySpace) I don't bother thinking up elaborate passwords. Oh, they're not easy, but they're not 'random' imo.
> Things that are important or involve any amount of money? Ho-ho, watch out.



Same here. Most stuff on the internet I don't really care about anyway. I think everyone should post their most important passwords on this thread so we can tell them if it's secure or not.

Me first: FAq.o2kvZNNxc


----------



## Xaerun (Feb 2, 2009)

SnowFox said:


> Same here. Most stuff on the internet I don't really care about anyway. I think everyone should post their most important passwords on this thread so we can tell them if it's secure or not.
> 
> Me first: FAq.o2kvZNNxc


With all due respect:
http://img105.imageshack.us/img105/1143/1233137480090wg4.jpg


----------



## kamperkiller (Feb 26, 2009)

My real accounts that involve money or may one day require money have a minimum of 14 letters, numbers and/or characters in them, making a grand total of 48 characters.


----------



## Gar-Yulong (Feb 26, 2009)

Recently I've just been using KeePass.


----------



## kamperkiller (Feb 26, 2009)

Hi guys I thought I would leave you a list of the most common passwords. If you find yours change it... now.

we as people are basically sheep. we listen to the same music, eat the same food, wear the same clothes, and have the same dreams.... what you are thinking of is thought by at least 50 other people around the world. now the number 1 password is still  123  and god...

oh more http://blog.taragana.com/index.php/archive/most-common-myspace-passwords-from-20-000-passwords/
http://www.threadwatch.org/node/14095
http://boingboing.net/2009/01/02/top-500-worst-passwo.html
http://blog.jimmyr.com/Most_Common_Passwords_20_2008.php


----------



## WarMocK (Feb 26, 2009)

kamperkiller said:


> Hi guys I thought I would leave you a list of the most common passwords. If you find yours change it... now.
> 
> we as people are basically sheep. we listen to the same music, eat the same food, wear the same cloths, and have the same dreams.... what you are thinking of is thought by at least 50 other people around the world. now the number 1 password is still  123  and god...


It's times like those that make me proud to be a maverick. 8)
But this little "incident" reminded me to change some of my PWs that should have been changed some time ago (god, it's incredible how fast the last year went by ^^).


----------



## Eevee (Feb 26, 2009)

the passphrase for my SSH key is some 40 characters long


I wish some sites didn't have braindead restrictions on passwords like /^[0-9a-z_-]{6,8}$/ or I'd start using cleverly-generated Unicode passwords everywhere


----------



## PriestRevan (Feb 26, 2009)

I use 2 passwords (one of which is just a bunch of letters) and then from one of them, I break it off into random numbers and shit.


----------



## ArielMT (Feb 26, 2009)

cat /dev/random

Or, if you're in a real hurry: cat /dev/urandom



Monster Tamer said:


> Which reminds me, don't do like Resident Evil and leave your passwords in a .doc (or any other text file) in your pc. Go wonder what kind of trojan you have hidden in there...
> 
> Yep, there's a particular type that can copy your textfiles and transmit them silently to another computer. So thread lightly.



Yes.  Don't store your passwords in the clear on your PC if you can help it, especially never in word processor files.

If you're going to have trouble remembering a bunch of different passwords, then buy a book.  Buy the tiniest blank book you can write in, write your passwords in that, and keep that book as closely guarded as you keep your cash, checks, and cards.

Also, keep a separate list of sites you've set a password with, so you'll know what passwords to reset if the book is lost.
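
Turning the raw output of /dev/random or /dev/urandom into a usable password, as an added example that is not from the thread. The bytes are mostly unprintable, and a plain `byte % alphabet_size` favours the first few symbols, so the example maps them onto a character set with rejection sampling; `os.urandom` reads the operating-system CSPRNG (on Linux the pool behind /dev/urandom), and the `secrets` module is the standard-library wrapper that already does the unbiased selection. The word list at the end is a constructed toy for the demonstration; a real one has thousands of entries.

```python
import os
import secrets

# Added example, not from the thread: turning the raw bytes the post above
# suggests pulling from /dev/random or /dev/urandom into a password.

# 94 printable ASCII characters, 0x21-0x7E (space left out on purpose).
PRINTABLE = "".join(chr(c) for c in range(0x21, 0x7F))


def password_from_urandom(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Map os.urandom bytes onto `alphabet` without modulo bias.

    With 256 possible byte values and 94 symbols, `b % 94` hits symbols
    0-67 three times and 68-93 only twice. Discarding any byte >= 188 (the
    largest multiple of 94 that fits in a byte) makes every symbol equally
    likely; on average a few extra bytes are read, which is cheap.
    """
    n = len(alphabet)
    if not 0 < n <= 256:
        raise ValueError("alphabet must have between 1 and 256 characters")
    limit = 256 - (256 % n)
    chars = []
    while len(chars) < length:
        # Ask for as many bytes as are still missing; rejected bytes are
        # simply replaced on the next pass through the loop.
        for b in os.urandom(length - len(chars)):
            if b < limit:
                chars.append(alphabet[b % n])
    return "".join(chars)


def password_with_secrets(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Same result using the standard library: secrets.choice already does
    the unbiased selection over os.urandom. Prefer this in real code."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed toy word list for the demonstration only; a real list (for
# example a diceware list) has thousands of words, which is where the
# strength comes from.
WORDLIST = ["otter", "rune", "claw", "fox", "lizard", "drum", "watch", "pocket"]


def random_passphrase(word_count: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Passphrase of uniformly chosen words: easier to type and remember than
    the strings above, and exactly as strong as word count and list size allow."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print(password_from_urandom(20))
    print(password_with_secrets(20))
    print(random_passphrase())
```

The rejection step is the part people skip: a generator that does `byte % 94` is still random, but some characters come up half again as often as others, and that skew is exactly what a cracker's Markov or mask mode exploits.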


----------



## Carenath (Feb 26, 2009)

This post should be stickied, good advice for anyone. I already do this, and have for the past years, as a matter of course. Another point to make would be your email account. No point having a strong password for FA and other sites, only for a hacker to get into your email account and use the "I forgot my password" feature to get into your sites.

Pick a strong password for your email account and DON'T use it anywhere else.


----------

