Password

Tringa

A few months ago I heard a comment that for password security length is better than complexity, though both are important, and have just seen the table in this link -


If it is correct it looks like when you get to a more than simple password of eleven characters it is pretty secure.

I am a bit confused by some of the table, eg how you can have a password that has at least one upper case letter and number but is only one character long, and

why a password having at least one upper case letter and a number is less secure than a password with only at least one upper case letter.

Dave
 
why a password having at least one upper case letter and a number is less secure than a password with only at least one upper case letter.

Dave

Because there are only 10 numbers but 26 letters that could occupy that position
 
How do these cyber criminals get round the lockouts that occur if you try a wrong password x times?
 
Once you get to 11 or 12 random characters, you're generally going to have problem remembering them, so IMHO a password manager becomes (even more) important. I use an old version of 1Password, that makes it a little tricky to generate a memorable new password, though I can usually persuade it to do it; I believe the newer (subscription) version does this better, and of course there are many other options. It's interesting that the linked page above includes a link to a pass-phrase generator, which produces results like "This-Sold-Year3" at its lowest level; it describes this as Very Strong, and it's 15 characters. This is something I could at least remember for the time it takes to re-type!
 
How do these cyber criminals get round the lockouts that occur if you try a wrong password x times?
I guess they often get hold of encrypted password databases via a hack, and try to crack the passwords off-line (and with VERY fast gear, eg discarded crypto-mining kit?). They may even buy the password datasets online! Just need something that says jo@somewhere's encrypted password is blah, if they can crack it they can then try it on a few of jo's accounts.
 
The only way to stop people accessing your private information online is not to go online.

Beyond that, you're into damage limitation. :(
 
Because there are only 10 numbers but 26 letters that could occupy that position

Which would give you 260 combinations.
Really.....?
Here are reading choices

10 numbers, 26 letters (not forgetting upper & lower case) and ignoring special characters... if the password was 36 long, the potential combinations are huge.
 
Really.....?
Here are reading choices

10 numbers, 26 letters (not forgetting upper & lower case) and ignoring special characters... if the password was 36 long, the potential combinations are huge.

It was in response to ONE upper case letter and ONE number
Capital A plus number gives you TEN combinations
Capital B plus number gives you TEN combinations
etc
 
I just use Google password manager and let it generate a complex password every time apart from banking and credit cards etc
 
It was in response to ONE upper case letter and ONE number
Capital A plus number gives you TEN combinations
Capital B plus number gives you TEN combinations
etc

But the point discussed was either a number OR a letter
 
I guess they often get hold of encrypted password databases via a hack, and try to crack the passwords off-line (and with VERY fast gear, eg discarded crypto-mining kit?). They may even buy the password datasets online! Just need something that says jo@somewhere's encrypted password is blah, if they can crack it they can then try it on a few of jo's accounts.
This is much of what happens, although the passwords are hashed rather than encrypted. There are a number of differences, but the main one is that encrypted data can be decrypted back to the original text and hashed data cannot. This means that if hackers have a copy of the hashed passwords and they know how the passwords were hashed, they can rapidly hash possible passwords and see if they match.

There are some systems that by design or not don't lock out the account so it's possible for hackers to attempt to brute force the accounts.

The simpler answer these days to password security is for anything important you need to use 2FA which makes systems far more difficult to get into.
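An added worked example (not from any poster in this thread) of the hashing point made above: with a plain, unsalted hash an attacker who holds the stored values can check a guess with one cheap hash call, while a salted, iterated scheme such as PBKDF2 makes every guess expensive and per-user. The candidate list and the two fictional users are constructed for the demo.

```python
import hashlib
import os

# Constructed sample data: a tiny candidate list standing in for a
# breach-derived wordlist, plus the password two fictional users share.
# None of this is real user data.
CANDIDATES = ["password", "letmein", "Summer2019", "This-Sold-Year3"]
SHARED_PASSWORD = "Summer2019"


def fast_unsalted(pw: str) -> str:
    """Plain SHA-256 with no salt: one cheap call checks a guess, and
    everyone with the same password ends up with the same stored value."""
    return hashlib.sha256(pw.encode()).hexdigest()


def slow_salted(pw: str, salt: bytes, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt: each guess costs
    `iterations` HMAC calls and must be redone for every user's salt."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def guesses_until_match(stored: str, verify):
    """How many candidates must be hashed with `verify` before one
    reproduces the stored digest. Returns (count, password) or None."""
    for n, cand in enumerate(CANDIDATES, start=1):
        if verify(cand) == stored:
            return n, cand
    return None


def same_password_two_users():
    """Store SHARED_PASSWORD for two users under both schemes and report
    whether the stored values collide. Salting is what breaks the link."""
    alice_salt, bob_salt = os.urandom(16), os.urandom(16)
    sha_equal = fast_unsalted(SHARED_PASSWORD) == fast_unsalted(SHARED_PASSWORD)
    pbkdf2_equal = (slow_salted(SHARED_PASSWORD, alice_salt)
                    == slow_salted(SHARED_PASSWORD, bob_salt))
    return sha_equal, pbkdf2_equal  # (True, False)


def work_factor_per_guess(iterations: int = 200_000):
    """Hash computations an offline attacker pays per candidate under each
    scheme: 1 for plain SHA-256, `iterations` for PBKDF2."""
    return 1, iterations


if __name__ == "__main__":
    stored = fast_unsalted(SHARED_PASSWORD)
    print("unsalted SHA-256 recovered after", guesses_until_match(stored, fast_unsalted))
    print("same stored value for two users? sha:%s pbkdf2:%s" % same_password_two_users())
```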
 
I guess they often get hold of encrypted password databases via a hack, and try to crack the passwords off-line (and with VERY fast gear, eg discarded crypto-mining kit?). They may even buy the password datasets online! Just need something that says jo@somewhere's encrypted password is blah, if they can crack it they can then try it on a few of jo's accounts.
Exactly.

For brute force (trying every possible password) they would somehow extract the password file and then run it locally at their leisure - they are creating encryptions of all possible passwords and scanning the db for them rather than trying every password against every user. It's pretty easy to create a list of all possible pwds of 6 or fewer lower case letters. Extend the number to say 11 and upper, lower, numeric and special and the list gets very long. This is why length matters most and complexity matters a bit.

For online attacks (where they can't capture the file) they tend to use low and slow - every few minutes try a new password. Odds are very much against them but they can try every userid - they are looking to get into any account not "yours". This typically uses common passwords - you can scan a data breach list and find the most common passwords in any language.

The most common method is to get successes on method 1 or 2 and then sell the data in the format website, userid, password. People buying the data can then try other websites with the same userid and password in case you used the same one elsewhere. Which is why it's important not to use a password on your phone (which tend to be way shorter and easier to type) and also on other websites.

This is a very useful (if mildly terrifying) website - https://haveibeenpwned.com/

Remember that current best practice advice is not to change passwords regularly - it's better to have good ones, never use them elsewhere and only change if there's been a breach.

And also remember, there's always a relevant xkcd....

[image: password_strength.png]
 
I used to use 1Password, but it was too costly, so I changed to Proton Pass instead. 1Password is more advanced, but hopefully Proton Pass will catch up eventually somewhere down the road.
 
A few months ago I heard a comment that for password security length is better than complexity, though both are important, and have just seen the table in this link -


If it is correct it looks like when you get to a more than simple password of eleven characters it is pretty secure.

I am a bit confused by some of the table, eg how you can have a password that has at least one upper case letter and number but is only one character long, and

why a password having at least one upper case letter and a number is less secure than a password with only at least one upper case letter.

Dave
But the point discussed was either a number OR a letter

One letter and one number.
 
One letter and one number.
Yes, but they are filling two different positions in say an 8 character password, so if you replace the number with a letter, you have more options.
Read the table in the link.
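An added worked example, not from any poster in this thread, that puts numbers on the two points argued above: the "ONE upper case letter and ONE number" count (by inclusion-exclusion over the whole password, which also shows why a one-character password cannot satisfy both rules) and the earlier post's claim that length matters more than complexity. It assumes a 62-symbol alphanumeric alphabet and 95 printable ASCII symbols.

```python
from math import log2

# Character classes assumed for the arithmetic below: 62 alphanumerics is the
# case the thread argues about; 95 printable ASCII symbols is the
# "upper, lower, numeric and special" case.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33
ALNUM = LOWER + UPPER + DIGITS          # 62
PRINTABLE = ALNUM + SPECIAL             # 95


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of `length` drawn from `alphabet` symbols."""
    return alphabet ** length


def at_least_one_upper(length: int) -> int:
    """Alphanumeric passwords containing at least one uppercase letter:
    all passwords minus those built only from lowercase and digits."""
    return ALNUM ** length - (LOWER + DIGITS) ** length


def at_least_one_upper_and_digit(length: int) -> int:
    """Alphanumeric passwords with at least one uppercase AND at least one
    digit, by inclusion-exclusion: remove the ones lacking an uppercase and
    the ones lacking a digit, then add back the ones lacking both (removed
    twice). For length 1 this is 0: no single character is both."""
    no_upper = (LOWER + DIGITS) ** length
    no_digit = (LOWER + UPPER) ** length
    neither = LOWER ** length
    return ALNUM ** length - no_upper - no_digit + neither


def bits(count: int) -> float:
    """Entropy in bits of a password chosen uniformly from `count` options."""
    return log2(count) if count > 0 else 0.0


def policy_table(lengths=(1, 8, 11, 12)):
    """Per length: both-rule count vs upper-only count, plus lowercase-only and
    full-printable keyspaces, to show the extra rule shrinks the pool while
    each added character multiplies it."""
    return {
        n: {
            "upper_and_digit": at_least_one_upper_and_digit(n),
            "upper_only": at_least_one_upper(n),
            "lowercase_only": keyspace(n, LOWER),
            "printable": keyspace(n, PRINTABLE),
        }
        for n in lengths
    }


if __name__ == "__main__":
    for n, row in policy_table().items():
        print(n, {k: f"{bits(v):.1f} bits" for k, v in row.items()})
```

Note that 12 lowercase letters (26^12) already outnumber 8 characters drawn from all 95 printable symbols (95^8), which is the length-over-complexity point in numbers.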
 
I used to use 1Password, but it was too costly, so I changed to Proton Pass instead. 1Password is more advanced, but hopefully Proton Pass will catch up eventually somewhere down the road.
1Password is more or less the only software I have on subscription. For me, it's worth paying for.
 
I used to use 1Password, but it was too costly, so I changed to Proton Pass instead. 1Password is more advanced, but hopefully Proton Pass will catch up eventually somewhere down the road.
I've been using KeePass for years. It runs on most systems and it's safe enough for my needs. Also, it's free to use.
 
KeePass is free and open source, and has been ported to a range of platforms (I use it on both my Windows machines and Android devices).
The password data is held in an encrypted DB, which can be local on a device, on a USB stick, or on a cloud-based fileshare of your choice (so it will be automatically available to multiple devices).


https://keepass.info/
 
I used to use 1Password, but it was too costly, so I changed to Proton Pass instead. 1Password is more advanced, but hopefully Proton Pass will catch up eventually somewhere down the road.
...and quite possibly increase its cost.
 