Why your favorite web site’s password strength meter is full of hooey

Ars Technica talked three password crackers into doing their worst to a leaked database of 16,000 passwords, to see what they could learn.

They learned a lot, and we can learn a lot from their experience as well. “qeadzcwrsfxv1331” isn’t a good password. Neither is “Philippians4:13.” Neither is “correcthorsebatterystaple.” Neither is “Qbesancon321” or “Qbe$@ncon321.” Password guessing has too much intelligence built into it now.

And not only that, by continuing to use the password “popcorn,” you make it easier for those guys to guess other passwords too.

Livingsocial got breached. Change your password, of course

Livingsocial got breached. You need to change your password, if you have a Livingsocial account.

There are two questions worth asking: How do you protect yourself, and how does this happen?

When your CISSP isn’t enough

I had a job interview Monday. I have at least one observation from it–the things on my resume that impress recruiters don’t necessarily impress a good hiring manager. Not on their own, at least.

Let’s do some post-mortem.

Linksys isn’t the only company building insecure routers

I warned a few days ago about Linksys routers being trivially easy to hack; unfortunately many other popular routers have security vulnerabilities too.

The experts cited in the article have a few recommendations, which I will repeat and elaborate on.

Although it’s counterintuitive, AT&T’s new password policy makes sense

AT&T has a new password policy that forbids the use of certain common words in passwords, including some words of a colorful nature.

Yes, it reduces the number of possible passwords, but that isn’t exactly a bad thing.

The ethics of writing nefarious security instructions

This week I posted a link to a video showing how to crack a WPS-enabled wifi network, and this week, Ars Technica wrote a firsthand account of cracking a password list. I’m sure this raises questions of ethics in some people’s minds. To be honest, spreading this kind of information makes me a little uncomfortable too, but I also think it’s necessary.

How to pick a decent password

Although I write about passwords about 8 times a week, it seems, it occurs to me that I haven’t–at least not recently, that I can find–written about how to make up a halfway decent password.

So, here’s how to make a decent–I won’t say great–password.

The problem with dictionary passwords

Consulting firm Deloitte is warning that 8-character passwords will be obsolete this year. Sound familiar? Of course, the Slashdot crowd blamed it on security “experts” (their words) creating hype to make money.

Well, I’m a certified security professional who doesn’t have a dog in this fight, except that I don’t want your accounts getting stolen. So here’s the problem with many of the solutions the Slashdot crowd posed.

Long passwords aren’t necessarily good passwords

Well, crud. Not all long passwords are good passwords.

I’ve suspected for a long time that street addresses aren’t good to use–the formula is too simple–but now it seems that even mashing together a sentence into a long password doesn’t work. (That isn’t something I do often, but I’ve done it at least once or twice.)

8-character passwords are obsolete

In case you missed it, a researcher has built a system that can crack every possible 8-character password in less than six hours. 8-character passwords are obsolete.

If he’s got it, so do the bad guys.