N Gauge Forum

Notices, Help With Problems and Your Forum Ideas... => Computer Help => Topic started by: BobB on May 01, 2012, 06:06:01 PM

Title: Password security
Post by: BobB on May 01, 2012, 06:06:01 PM
We are in the process of upgrading computer hardware, software and the operational processes involved. Some of the new computers and/or their installed software are rating the various user identifications and the associated passwords.

We are experiencing many varied password ratings, from medium to strong, but the available data does not form any patently available pattern to suggest a logical rating method.

Any geek (or suitably intelligent person) know the logic generally adopted?
Title: Re: Password security
Post by: EddieA on May 01, 2012, 06:26:59 PM
Ok an amateur but I use the following:-

At least 8 characters, with a mixture of Upper/lower case letters plus a number or two and a symbol (£, &, %) etc.
Title: Re: Password security
Post by: Pengi on May 01, 2012, 06:29:04 PM
This link might help:

http://www.passwordmeter.com/
Title: Re: Password security
Post by: Calnefoxile on May 01, 2012, 06:53:29 PM
Quote from: EddieA on May 01, 2012, 06:26:59 PM
Ok an amateur but I use the following:-

At least 8 characters, with a mixture of Upper/lower case letters plus a number or two and a symbol (£, &, %) etc.

To be honest, that is pretty much the 'norm' from within the IT industry.

Speaking as a member of the IT Industry  ;D

Cheers

Neal.

P.S. To be really secure, it should be changed every month and not by adding a 1 then 2 then 3 etc. to the end.
Title: Re: Password security
Post by: scotsoft on May 01, 2012, 07:03:33 PM
I find a simple phrase like "fiftytwo52weeks1year" gets a fairly strong rating where sites have that facility, and the password can be tailored to something memorable/personal so easy to remember.
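
Why two systems can rate the same password differently, as an added example that is not part of the thread and not the logic of any particular product: it scores a password by the character-class rule from EddieA's post and by a naive length-times-character-pool estimate. The function names, the thresholds and the sample password "Passw0rd!" are assumptions made for the illustration.

```python
import math

def classes(pw):
    """Which character classes appear: lower, upper, digit, symbol."""
    return (any(c.islower() for c in pw), any(c.isupper() for c in pw),
            any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))

def composition_score(pw):
    """Checklist meter: one point for length >= 8, one per class used (0..5)."""
    return int(len(pw) >= 8) + sum(classes(pw))

def charset_bits(pw):
    """Pool meter: length * log2(pool size). This is an upper bound that
    treats every character as random, so it overrates phrases made of
    dictionary words."""
    lower, upper, digit, symbol = classes(pw)
    pool = 26 * lower + 26 * upper + 10 * digit + 32 * symbol  # ASCII sizes
    return len(pw) * math.log2(pool) if pool else 0.0

def label(value, medium_at, strong_at):
    """Map a raw score to weak/medium/strong using assumed cut-offs."""
    if value >= strong_at:
        return "strong"
    return "medium" if value >= medium_at else "weak"

def compare(pw):
    """Return (checklist rating, pool rating) for one password."""
    return (label(composition_score(pw), 3, 5),   # assumed thresholds
            label(charset_bits(pw), 50, 80))      # assumed thresholds

if __name__ == "__main__":
    # The phrase from the post above, plus one constructed sample.
    for pw in ("fiftytwo52weeks1year", "Passw0rd!"):
        checklist, pool = compare(pw)
        print(f"{pw!r}: checklist={checklist} "
              f"pool={pool} ({charset_bits(pw):.0f} bits)")
```

The long phrase fails the checklist (no upper case, no symbol) but scores high on length, while the short constructed sample does the reverse, so the two meters disagree in opposite directions.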
Title: Re: Password security
Post by: tim-pelican on May 01, 2012, 08:43:50 PM
Quote from: Calnefoxile on May 01, 2012, 06:53:29 PM
P.S. To be really secure, it should be changed every month and not by adding a 1 then 2 then 3 etc. to the end.

Actually, this is mostly counter-productive.  Most people cannot remember a new password that meets the secure template every month, especially once they have to be doing the same thing for six or ten or twenty different systems.  They will do one of:

-The 'password increment' routine you describe above
-Write the password down

Much better, in the majority of cases, to have strong passwords that change less frequently than a rolling set of weak passwords.

In any case, all frequent changes do (beyond keeping auditors happy, and "security compliance" is a whole nother rant!) is reduce the attack surface for the particular case where an attacker is purely time-bound, e.g. they have the encrypted password file and can take it away for six months to brute-force it, then break in once with the correct credentials.  Someone continuously logging in with incorrect details should flag alarm bells a long time before they manage to brute-force.
Title: Re: Password security
Post by: EtchedPixels on May 01, 2012, 09:14:52 PM
Quote from: tim-pelican
Actually, this is mostly counter-productive.

And the research backs that up. Good security systems are usually two factor systems, such as physical possession of a smart card and knowing the password.

Serious systems are also oriented around "When the system gets broken into", not "how do I stop it". That means intrusion detection, spotting strange attempts to send data outbound, MLS content labelling and the like. Given so much abuse is intentionally performed by employees that tends to make a lot of sense.
Title: Re: Password security
Post by: Mustermark on May 02, 2012, 03:00:17 AM
Quote from: Pendy on May 01, 2012, 06:29:04 PM
This link might help:

http://www.passwordmeter.com/

Th4t'S a Co01 l!nK p3nDy.

I can see myself messing for hours to find the shortest, easiest character sequence to give me 100%.
Title: Re: Password security
Post by: EtchedPixels on May 02, 2012, 10:28:26 AM
Better hope whoever runs it doesn't log the data, and given it's http not https nobody is listening in to your wireless network 8)
Title: Re: Password security
Post by: Pengi on May 02, 2012, 10:58:33 AM
Good point EP, must say I have only used it to develop a strong password - and then changed some, or all, of the characters afterwards.
Title: Re: Password security
Post by: Mustermark on May 02, 2012, 11:31:32 AM
Quote from: EtchedPixels on May 02, 2012, 10:28:26 AM
Better hope whoever runs it doesn't log the data, and given it's http not https nobody is listening in to your wireless network 8)

I thought that too.