Security Forums
[Tutorial] - How to Create a Secure Password
JustinT
Trusted SF Member
Joined: 17 Apr 2003
Posts: 16777215
Location: Asheville, NC, US / Uberlândia, MG, Brazil

PostPosted: Fri Nov 05, 2004 10:26 pm    Post subject: Conservatism and dictionary attacks.

bknows wrote:
You didn't comment on the junk crypted files. You missed an opportunity!


This seems to be a further step in obscuring the actual information, but given certain constraints, this might not be a practical option. For conventional systems and protocols, there oftentimes isn't enough leniency for extra "junk." There is also the imminent threat that an attacker will be a bit more clever than to just stare at encrypted junk files; adversaries at home with cryptography are more likely to exploit irresponsibilities in parameterization and/or implementation. If your threat model is so minimal as to assume that an attacker isn't that clever, then perhaps you have more breathing room. For the average home user - probably so.

Sure, we need to instantiate a solution that satisfies our threat model, but in cryptography, it never hurts to be conservative. In fact, you usually do have to be conservative, if you want to achieve a given level of security. This allows you breathing room for unknown attacks, as well as the intricate nit-picks that fill the nooks and crannies of primitives and their underlying components. So, satisfying the threat model, and level of security, isn't always fitting it "to a T", but rather, getting something a little larger for it to allow enough prerequisite room, just to meet the assumed level of security, and some more to grow into, just in case you find yourself in worst-case scenarios or in the path of a clever adversary.


moner wrote:

Can someone help me understand how password cracking or brute force works? How does a program know that a particular password that has been found is the correct one? E.g. say my password was "pass", how would the computer program know that it has hit the bull's eye, e.g. for a PGP disk or something else... I know it might be basics for most of you but I don't know.


Consider an offline dictionary attack, where the attacker has a copy of a hashed password value (i.e., MD5 or SHA-1, most likely), extracted from the database of an online login system. His dictionary consists of plaintext entries along with their corresponding hash values. During the dictionary exhaust, he attempts to locate an entry whose corresponding hash value matches that of the hashed password value extracted from the target's database. It is, essentially, a variational form of a known-plaintext attack. Raw exhaustive search is much generalized, but relies on most of the same requirements.
moner
Just Arrived
Joined: 28 Sep 2004
Posts: 0

PostPosted: Wed Nov 10, 2004 5:27 pm    Post subject:

AdamV wrote:

For example, on a Windows network, when you change your password, it is encrypted and only the encrypted version is stored, never the plaintext. When you log in, your password attempt is encrypted and this is compared with the stored encrypted copy.

SO, the cracking tool does the same thing - it makes up a word to try (or a set of random characters) and then encrypts this and compares with the encrypted hash which has either been taken off a server or possibly sniffed from the network.

Does that make sense?


Thanks to all of you, that makes good sense, but are there any further articles you would recommend?
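JustinT's description of the offline dictionary lookup and the AdamV quote above (hash the attempt, compare with the stored hash) are illustrated by this added example; it is not code from any poster. It uses SHA-256 in place of the MD5/SHA-1/NT hashes the posts mention, and the wordlist, salt and password are constructed values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an attacker's wordlist (a real one holds millions of entries).
WORDLIST = ["password", "letmein", "pass", "accelerate", "qwerty"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once; the table can be reused against any stolen hash."""
    return {sha256_hex(w.encode()): w for w in words}


def lookup_unsalted(stored_hash: str, table: dict):
    """The 'bull's eye' test: a stolen unsalted hash equal to a table entry reveals the password."""
    return table.get(stored_hash)


def hash_salted(password: str, salt: bytes) -> str:
    """Per-user salt: the same password now yields a different hash for every user."""
    return sha256_hex(salt + password.encode())


def verify_salted(attempt: str, salt: bytes, stored_hash: str) -> bool:
    """Login check: hash the attempt with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(attempt, salt), stored_hash)


def hash_slow(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted and slow (PBKDF2): raises the cost of every guess, not just the precomputation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    stolen = sha256_hex(b"pass")  # unsalted hash as it would sit in a leaked database
    print("unsalted:", lookup_unsalted(stolen, table))  # -> 'pass'
    salt = os.urandom(16)
    print("salted:", lookup_unsalted(hash_salted("pass", salt), table))  # -> None
    print("login ok:", verify_salted("pass", salt, hash_salted("pass", salt)))  # -> True
```

The precomputed table finds the bare hash immediately; with a per-user salt it finds nothing, so the attacker must redo the hashing per salt, and a slow KDF makes each of those guesses expensive as well.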
mr_brighttt
Just Arrived
Joined: 28 Jun 2005
Posts: 0
Location: Omaha, Nebraska

PostPosted: Sat Jul 02, 2005 6:39 pm    Post subject:

Tip: I often combine passwords or random phrases that I use a lot, like "all that glitters killed the cat".

It is pretty random and I have used it for an account for about a year. Have had no hacks.
Specialone
Just Arrived
Joined: 13 Aug 2005
Posts: 0

PostPosted: Sat Aug 13, 2005 10:29 pm    Post subject:

You can also verify your password with a program like Steganos: http://www.steganos.com/
Hailmus
Just Arrived
Joined: 15 Nov 2005
Posts: 0

PostPosted: Tue Nov 15, 2005 9:11 am    Post subject:

I use somewhat complicated passwords for many things that allow them. For example, for an antivirus program one might use something like euc7-¹1q&Td)n( or something like that. For some people that might be hard to remember. Also, if it was a passy for some encrypted folder, you wouldn't want that lying around, unlike a hidden passy on paper for logging in.

Here are some hints for hiding some of your passwords easily on your PC:
1) Add a readme.txt somewhere in a folder, and copy and paste a usual readme text in there. In that text, hide your password (readmes are BORING, and seldom would any attacker look there).
2) Default Windows pics (or hide it in a huge photo gallery): open a big picture in MS Paint or some photo editing program and add text in a section in a colour a little off from what you are typing it on. Add your passwords here for easy lookup. If you really want to be safe, encrypt a picture folder with an easy to remember passy and then hide your hard ones there.

I, for one, remember most of mine though, and even though they are hard ones, you can do it if I can.
JerryHou
Just Arrived
Joined: 09 Dec 2005
Posts: 0

PostPosted: Fri Dec 09, 2005 2:53 pm    Post subject:

That's a good article. Thank you!

I make a password of 15 characters, including A-Z, a-z, 1-9 and dot.
zhx
Just Arrived
Joined: 20 Dec 2005
Posts: 0

PostPosted: Tue Dec 20, 2005 6:15 pm    Post subject:

For whatever reason, I memorize long strings of random characters easily, and for a while, after I installed a certain piece of software, I would use chunks of the serial number as passwords.

Now my favorite technique is to choose a random word and 1337-ify it one way or the other. My general procedure is as follows:

1. Pick random word (normally at least 8 chars):
accelerate
2. 1337ify!:
@cc3l3r@t3
3. If I really want to beef it up, I will discard a random character and/or replace with another random character:
@c3l3r@t3, @c#3l3@t3

(I guess this is a poor example for the forum, as @ is turned into -at-.)

Don't forget that it doesn't matter that you have a 56 character password using half the characters on your keyboard if you keep it on a sticky note on your monitor.
capi
SF Senior Mod
Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

PostPosted: Wed Dec 21, 2005 1:43 pm    Post subject:

zhx wrote:
(I guess this is a poor example for the forum, as @ is turned into -at-.)

No worries, I take it you mean something like this:

1. Pick random word (normally at least 8 chars):
accelerate
2. 1337ify!:
@cc3l3r@t3
3. If I really want to beef it up, I will discard a random character and/or replace with another random character:
@c3l3r@t3, @c#3l3@t3

yuvaraj
Just Arrived
Joined: 21 Jun 2006
Posts: 0
Location: US

PostPosted: Wed Jun 21, 2006 9:07 am    Post subject: Secure Password try this

Oh! Yes, it's said rightly that the best is alphanumeric passwords for secure login. If this type of password is too difficult to remember then have it in this type.

For example: if the password is "n1a4m3e." Just make this "n!a$m#e." (shift key for number), somewhat difficult to guess by the hackers.

Just make this with the numbers or words you easily remember.
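A check on the 1337ify procedure zhx describes (repeated by capi above) and on yuvaraj's shift-key swap, added here and not code from any poster: both are fixed character substitutions applied to a memorable word, so a cracker who knows the rule only gains about one bit of work per swappable character on top of the dictionary word itself. The two substitution tables and the 100,000-word dictionary size are assumptions for the illustration.

```python
import math

# Constructed tables: one replacement per letter (1337ify, as in zhx's post) and the
# shift-key digit swap from yuvaraj's post. Real rule sets are larger, which only helps the cracker.
LEET = {"a": "@", "e": "3", "l": "1", "o": "0", "i": "!", "s": "$", "t": "7"}
SHIFT = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%", "6": "^", "7": "&"}


def is_substitution_variant(candidate: str, word: str, table: dict) -> bool:
    """True if candidate is `word` with every character either kept or swapped per `table`."""
    if len(candidate) != len(word):
        return False
    return all(c == w or c == table.get(w) for c, w in zip(candidate, word))


def variant_count(word: str, table: dict) -> int:
    """Distinct keep-or-swap variants of one word: two choices per swappable character."""
    return 2 ** sum(1 for ch in word if ch in table)


def guess_bits(word: str, table: dict, dictionary_size: int) -> float:
    """Approximate search space in bits once the attacker knows the substitution rule."""
    return math.log2(dictionary_size) + math.log2(variant_count(word, table))


def random_bits(length: int, alphabet_size: int = 95) -> float:
    """Bits of a uniformly random password over `alphabet_size` printable characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(is_substitution_variant("@cc3l3r@t3", "accelerate", LEET))  # True
    print(is_substitution_variant("n!a$m#e.", "n1a4m3e.", SHIFT))  # True
    print(variant_count("accelerate", LEET))  # 128
    print(round(guess_bits("accelerate", LEET, 100_000), 1))  # 23.6
    print(round(random_bits(10), 1))  # 65.7
```

zhx's third step, dropping a character ("@c3l3r@t3"), falls outside this pure substitution rule, so the check returns False for it; it adds a few more bits, but the base dictionary word remains the weak point, which is why the 1337ified ten-character word sits near 24 bits against roughly 66 for ten random printable characters.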
the_wanderer
Just Arrived
Joined: 10 Apr 2007
Posts: 0

PostPosted: Fri Apr 13, 2007 7:44 am    Post subject:

Very good and informative tutorial. But I have a couple of questions:

Let's say I want to put the first letter of each word of a favourite lyric.
Ex: smwiltbtlosavopb

Then I capitalise the 1st, 6th, 11th, 16th => SmwilTbtloSavopB

I then add some special characters at the beginning and end like
@SmwilTbtloSavopB% and some numbers @SmwilTbtloSavopB%5388
Can it be effective ? Presuming that I am good at remembering such words.

And if I wanted to use an ASCII character, will I have to type at the password prompt the same sequence for the required character? I never tried it.

Thanks !
mcse_696
Just Arrived
Joined: 20 Jan 2007
Posts: 0

PostPosted: Sun Apr 29, 2007 1:25 am    Post subject: syskey extra secure

You can use the (SysKey) utility to additionally secure the SAM database by moving the SAM database encryption key off the Windows-based computer. The (SysKey) utility can also be used to configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database. This article describes how to use the SysKey utility to secure the Windows SAM database.
1. At a command prompt, type (syskey), and then press ENTER.
2. In the Securing the Windows Account Database dialog box, note that the Encryption Enabled option is selected and is the only option available. When this option is selected, Windows will always encrypt the SAM database.
3. Click Update.
4. Click Password Startup if you want to require a password to start Windows. Use a complex password that contains a combination of upper case and lower case letters, numbers, and symbols. The startup password must be at least 12 characters long and can be up to 128 characters long.

Note: If you must remotely restart a computer that requires a password (if you use the Password Startup option), a person must be at the local console during the restart. Use this option only if a trusted security administrator will be available to type the Startup password.
5. Click System Generated Password if you do not want to require a startup password.

Select either of the following options:
• Click Store Startup Key on Floppy Disk to store the system startup password on a floppy disk. This requires that someone insert the floppy disk to start the operating system.
• Click Store Startup Key Locally to store the encryption key on the hard disk of the local computer. This is the default option.
Click OK two times to complete the procedure.

Remove the SAM encryption key from the local hard disk by using the Store Startup Key on Floppy Disk option for optimum security. This provides the highest level of protection for the SAM database.

Always create a back-up floppy disk if you use the Store Startup Key on Floppy Disk option. You can restart the system remotely if someone is available to insert the floppy disk into the computer when it restarts.
Madgeki
Just Arrived
Joined: 03 Nov 2010
Posts: 1

PostPosted: Mon Jan 17, 2011 7:35 pm    Post subject: hi! moner Lurker

Yes, it does make sense, brilliant!