That's actually the article I read that kicked off my e-mail to you guys, LOL.
-----Original Message-----
From: Angus Scott-Fleming [mailto:[email protected]]
Sent: Thursday, January 31, 2013 7:36 PM
To: NT System Admin Issues
Subject: Re: Password complexity question

On 31 Jan 2013 at 14:16, David Lum wrote:

> I have seen a few articles on password cracking and using unrelated words,
> so I have a question. Given the "Making complex passwords" section here:
> http://www.digitaltrends.com/mobile/crack-this-how-to-pick-strong-passwords-and-keep-them-that-way/
> Could you use a fairly simple method to identify what the password is for
> and still have it tough to crack? I'm guessing no, but have to ask.
>
> For a twitter account: Twitter1 vodka eagles!
> Then for a Facebook account: Facebook2 vodka eagles!
> Ebay: Ebay3 vodka eagles!
>
> Then follow that same pattern for the various accounts. While it seems
> like bad practice to include the service name as part of the password,
> I thought I'd ask your guys' opinion. It's at least better than using
> the same password for everything...or is it?

It is. But I would recommend using a password manager like LastPass or
KeePass with one very strong password to access it rather than worry about
individual passwords and patterns.

FWIW, I came across this earlier today:

More interesting news: passPHRASES aren't more secure, since the dictionary
attacks now use them as well.

Grammar badness makes cracking harder the long password | Ars Technica

When it comes to long phrases used to defeat recent advances in password
cracking, bigger isn't necessarily better, particularly when the phrases
adhere to grammatical rules.
...
A team of Ph.D. and grad students at Carnegie Mellon University and the
Massachusetts Institute of Technology have developed an algorithm that
targets passcodes with a minimum number of 16 characters and built it into
the freely available John the Ripper cracking program.

The result: it was much more efficient at cracking passphrases such as
"abiggerbetter password" or "thecommunistfairy" because they followed
commonly used grammatical rules - in this case, ordering parts of speech in
the sequence "determiner, adjective, noun." When tested against 1,434
passwords containing 16 or more characters, the grammar-aware cracker
surpassed other state-of-the-art password crackers when the passcodes had
grammatical structures, with 10 percent of the dataset cracked exclusively
by the team's algorithm.

See: http://arstechnica.com/security/2013/01/grammar-badness-makes-cracking-harder-the-long-password/

One thing I do to mitigate dictionary attacks: m11spelll wuurds wh33n EEYYEE
yuuse tthheemm iiNn P@@ssww00rdd5z....not sure how long the black hats will
take to add stuff like this ;-) but it's just an arms race.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
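As an added example, not part of the thread above: a small Python check, written from the reviewer's side, that looks at the "service name + fixed phrase" pattern David asked about. The sample strings are constructed from the pattern in his message (not real credentials). The check reports what a password-quality hook would flag: the suffix shared across all accounts, how much of each password that suffix accounts for, whether the service name appears in the password, and the per-account part that actually varies. For contrast it also reports the entropy of a randomly generated password of the kind a manager such as KeePass would produce, which is the alternative Angus recommends. All function and variable names here (`SAMPLE`, `common_suffix`, `assess`, and so on) are my own.

```python
import math
import secrets
import string

# Constructed sample following the pattern proposed in the thread
# (service name, a digit, then one fixed phrase). Not real credentials.
SAMPLE = {
    "Twitter":  "Twitter1 vodka eagles!",
    "Facebook": "Facebook2 vodka eagles!",
    "Ebay":     "Ebay3 vodka eagles!",
}

# Character set a typical password manager draws from: 52 letters, 10 digits,
# 32 punctuation characters = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def common_suffix(passwords):
    """Longest suffix shared by every password in the list ('' if none)."""
    if not passwords:
        return ""
    shortest = min(passwords, key=len)
    for i in range(len(shortest)):
        suffix = shortest[i:]
        if all(p.endswith(suffix) for p in passwords):
            return suffix
    return ""


def shared_fraction(passwords):
    """Fraction of the shortest password that is the cross-account suffix."""
    suffix = common_suffix(passwords)
    return len(suffix) / len(min(passwords, key=len))


def contains_service_name(password, service):
    """True if the service name is embedded in the password (case-insensitive)."""
    return service.lower() in password.lower()


def variable_parts(sample):
    """The per-account piece left after removing the service name prefix and the
    shared suffix. For the pattern in the thread this is a single digit."""
    suffix = common_suffix(list(sample.values()))
    parts = {}
    for service, pw in sample.items():
        start = len(service) if pw.lower().startswith(service.lower()) else 0
        end = len(pw) - len(suffix)
        parts[service] = pw[start:end]
    return parts


def random_bits(length, alphabet):
    """Entropy in bits of a uniformly random password over the alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length=20, alphabet=FULL_ALPHABET):
    """Random password as a password manager would generate it (CSPRNG-backed)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def assess(sample):
    """Summarise what a policy check would report about the patterned sample."""
    pws = list(sample.values())
    return {
        "shared_suffix": common_suffix(pws),
        "shared_fraction": round(shared_fraction(pws), 2),
        "service_name_in_every_password": all(
            contains_service_name(pw, svc) for svc, pw in sample.items()
        ),
        "variable_parts": variable_parts(sample),
        "random_20_char_bits": round(random_bits(20, FULL_ALPHABET), 1),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
    print("manager-style password:", generate_password())
```

Run as a script it prints that " vodka eagles!" is shared by every account and makes up about 74% of the shortest password, that each password names its own service, and that the only thing varying between accounts is one digit; the 20-character random password, by comparison, carries about 131 bits of entropy and shares nothing with any other account.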
