

How I’d Hack Your Weak Passwords - yanw
http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/

======
mrcharles
You don't need special characters if you can use a passphrase. I use a
passphrase for all my encryption passwords (usually 5-6 words long), which
results in a password which is 20-30 characters long. This is implicitly
better than a 10 character phrase of mixed letters/numbers/symbols.

The problem of course is that so many password entry forms (I'm looking at
you, most-of-the-internet) have limits on the lengths of passwords. This needs
to change. Hell, some even limit your ability to use special characters (no
spaces? wtf.)

The most egregious offense I've seen is an international banking site I use
for my stock -- it limits your password to 8 characters, numeric only. I
nearly shit myself. Of course, I immediately went in for their high security
passcard that has a random 2d array of numbers in it, which is in addition to
the password. Trying to perform any actions with the account requires you
enter sequences from the array.

------
Xurinos
I can't remember if it was here or on reddit, but someone posted an
interesting article that said that the big flaw with these mixed character
passwords is that people have a hard time remembering them. When you start
demanding that they use a different oddball password for every site, most
people just write them down or ignore the advice.

The article showed an alternative to all the crazy rules: Create pass phrases
instead. "I break 4 hacker news!" is much easier to remember than
"f6jjaASDJc%$1~", and it fits all the insane rules we have invented for good
passwords (mixed case, numbers, symbols, length).

~~~
zokier
What's wrong with writing passwords down? I myself keep my most important
passwords saved in my phone.

~~~
wootee
Nothing wrong with writing them down, but put them on paper and keep them in
your wallet or a safe. We put our SSN cards, driver licenses and passports and
credit cards in our wallets. Why not our passwords?

~~~
yalurker
Isn't "Never carry your social security card in your wallet" standard advice?
I was taught that since I was a child, before identity theft was even really a
mainstream thing.

As to credit cards, if your wallet is lost or stolen, you can quickly cancel
the cards. It is probably more difficult to quickly change all your passwords.

Keeping them in a safe, however, is probably a fine idea. Potentially a good
one if you want people to have access to certain accounts if something happens
to you.

------
phillaf
This tip I found on Lifehacker got me to greatly improve my passwords'
strength, while helping me to remember each of them.

http://lifehacker.com/184773/geek-to-live--choose-and-remember-great-passwords

------
Super_Jambo
At uni, doing computer science, a dictionary attack on the department's password
file threw up TWO people with: NCC-1701-D.

------
Luyt
This is probably how my World of Warcraft account got 'hacked' ('cracked'
would be a better term).

I was using almost the same user/password combination for both WoW itself and
WoW-related forums and guild websites. Stupid, stupid, stupid me. One Sunday I
logged in only to find all my level-80 WoW characters naked and skint.

Luckily Blizzard was able to restore my stuff, and since then I use an
Authenticator.

~~~
Qz
Mine got 'hacked' a couple months back. Too bad I had stopped playing 2 years
earlier and their attempt to charge character transfers was on an expired
card. But now I get no end of junk emails about how I need to secure my non-
existent WoW account.

------
brazzy
Keeping separate passwords for everything is simply not practical - nobody can
remember that much. So they write them down. And because they need to look up
passwords constantly, they keep the list easily accessible, i.e. easily
compromised.

IMO a viable alternative is to have a few separate passwords based on how
sensitive they are. Personally, I use three:

- One for regular websites where I wouldn't mind losing the account (game
  forums, throwaway registrations, etc.)
- One for stuff that would be seriously annoying to lose or where money is
  spent (my personal site, various shops, etc.)
- One for everything where money is kept or which could be used to compromise
  other sites (banking, paypal, ebay, google mail)

------
jedbrown
head -c 8 /dev/random | base64

After a couple tries, you'll have something that breaks into pronounceable
syllables, insert some punctuation (there's a lot of punctuation on your
keyboard besides those under the number keys) to break the syllables and
you're good to go. There are many tools that generate pronounceable nonsense
passwords, but I prefer this way. Another approach is to generate 5 to 8 word
phrases ad-lib style (these take longer to type in, but some people find them
easier to remember).
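As an added example (not jedbrown's, mrcharles's or anyone else's code in this thread), the Python below puts numbers on the schemes the comments compare: the 8-digit numeric-only bank password, a 10-character letters/digits/symbols password, a 5- or 6-word passphrase, and the 8 random bytes that `head -c 8 /dev/random | base64` yields. The short word list, the 7776-word diceware list size and the 1e10 guesses/second rate are constructed assumptions; the entropy figures hold only when every pick is uniformly random, which is why the generators use the `secrets` module rather than anything a person would choose.

```python
import base64
import math
import secrets
import string

# Added example, not code from the thread. Puts numbers on the schemes the
# comments compare and generates each one with `secrets`, since the entropy
# figures only hold when every pick is uniformly random.

MIXED = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_SIZE = 7776  # assumed: size of a standard diceware list (6^5 words)
# Constructed stand-in word list so the script runs offline; a real list is
# far larger, and the estimate below uses DICEWARE_SIZE, not len(SAMPLE_WORDS).
SAMPLE_WORDS = ["anvil", "basalt", "cobble", "dorsal", "ember",
                "fjord", "gravel", "hollow", "ingot", "juniper"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def schemes() -> dict:
    """Search space, in bits, for the policies mentioned in the thread."""
    return {
        "bank: 8 digits, numeric only":     entropy_bits(10, 8),
        "10 chars, letters/digits/symbols": entropy_bits(len(MIXED), 10),
        "head -c 8 /dev/random | base64":   8 * 8,  # 8 random bytes = 64 bits
        "5 diceware words":                 entropy_bits(DICEWARE_SIZE, 5),
        "6 diceware words":                 entropy_bits(DICEWARE_SIZE, 6),
    }


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given rate; the expected hit is half that."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def random_bytes_password(n_bytes: int = 8) -> str:
    """Same construction as `head -c 8 /dev/random | base64`, via the OS CSPRNG."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode()


def random_mixed_password(length: int = 10) -> str:
    """Uniform random pick from all 94 printable ASCII symbols."""
    return "".join(secrets.choice(MIXED) for _ in range(length))


def random_passphrase(words: list, count: int = 6) -> str:
    """Diceware-style passphrase: independent uniform picks from a word list."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast unsalted hash
    for name, bits in schemes().items():
        years = years_to_exhaust(bits, rate)
        print(f"{name:34s} {bits:5.1f} bits  {years:10.3g} years at 1e10/s")
    print(random_bytes_password())
    print(random_mixed_password())
    print(random_passphrase(SAMPLE_WORDS))
```

Run as a script it prints the table and one sample of each scheme. Six random diceware words come out ahead of ten random mixed characters (about 77.5 bits versus 65.5), five words roughly tie with them, and the numeric-only bank password sits at 26.6 bits, exhaustible in a fraction of a second offline, which is why the passcard rather than the password is what protects that account.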

~~~
zokier
pwgen tries to make memorable passwords

------
wootee
If you are really serious about passwords, then generate random passwords
_offline_ on non-networked computers. There's an app called launch codes I use
to do that. It uses random data from MS CryptoAPI to seed a Mersenne twister
RNG. Letting people create their own password is like letting a child run with
a knife in his hand.

------
josefresco
What no social engineering? No Mitnick approach? Please, many times the
easiest way to get someone's password is to simply call them and ask for it.

Also, there should be a section about targeting geeks. If the person you're
trying to hack is of the geek variety, 1337speak is where I'd start once the
obvious ones were done.

------
Semiapies
I do wonder, every time I see someone recommend 133+ing the vowels
("m0d3ltf0rd"), how many dictionary-attack programs and scripts try those as a
matter of course. People who do that don't seem to do it "randomly" - just as
in the example used, they tend to change every vowel to a number in a single
word (or less often, phrase).
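As an added example (not code from the thread), here is a stripped-down Python version of the mangling rules that cracking tools apply to every dictionary word, restricted to the vowel-for-digit swaps Semiapies and josefresco describe. The word list is constructed for the demo, and `LEET`, `guesses_for` and `crack` are names I chose; the point it makes is how little a swap-every-vowel habit costs the attacker.

```python
import itertools
import math

# Added example, not code from the thread. A stripped-down version of the
# "mangling rules" password crackers apply to every word in a list, limited
# to the vowel-for-digit swaps discussed above.

LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}  # the customary swaps

# Constructed word list for the demo. Real attacks use lists of millions of
# words plus compound rules (capitalise, append digits, ...) on top of these.
WORDLIST = ["password", "trustno1", "letmein", "modeltford", "enterprise"]


def leet_all_vowels(word: str) -> str:
    """The habit described above: every vowel swapped in a single pass."""
    return "".join(LEET.get(c, c) for c in word)


def leet_variants(word: str) -> set:
    """Every subset of vowel positions swapped; includes the unmodified word."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    out = set()
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for swap, i in zip(mask, positions):
            if swap:
                chars[i] = LEET[chars[i]]
        out.add("".join(chars))
    return out


def guesses_for(word: str, full_swap_only: bool) -> list:
    """Candidates a rule-based attack derives from one dictionary word."""
    if full_swap_only:
        return [word, leet_all_vowels(word)]
    return sorted(leet_variants(word))


def extra_bits(word: str, full_swap_only: bool) -> float:
    """How much the rule enlarges the attacker's work for this word, in bits."""
    return math.log2(len(guesses_for(word, full_swap_only)))


def crack(target: str, wordlist, full_swap_only: bool = True):
    """Return (base word, guesses made) when target is reachable, else None."""
    tried = 0
    for word in wordlist:
        for guess in guesses_for(word, full_swap_only):
            tried += 1
            if guess == target:
                return word, tried
    return None


if __name__ == "__main__":
    print(crack("m0d3ltf0rd", WORDLIST))
    print(crack("m0d3ltf0rd", WORDLIST, full_swap_only=False))
    print(f"{extra_bits('modeltford', True):.0f} bit gained by swapping every vowel")
    print(f"{extra_bits('modeltford', False):.0f} bits even if every subset is tried")
```

Swapping every vowel doubles the attacker's list, i.e. adds one bit; trying every subset of vowel positions adds one bit per vowel (three for "modeltford"). Either way the leet form falls within a few guesses of the base word, which is the sense in which it is "tried as a matter of course".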

------
pmichaud
tl;dr: use better passwords. The longer the better; lower, upper, special
characters.

