Password Selection on non-secure Forums

DPDISXR4Ti
Site Admin
Posts: 14824
Joined: Wed Jan 08, 2003 11:40 pm
Location: New York

Post by DPDISXR4Ti »

The recent attack gave cause for someone to ask me about passwords being compromised on our server here. While passwords ARE encrypted in the database, they are NOT encrypted across the wire. Frankly, I don't know of any forum such as this that does encrypt the password across the wire, as it adds considerable expense.

My point is this... You should NOT use the same password for access to this forum that you use for ANY secure access site such as PayPal, etc. It's easy enough to tell the difference if the site has secure access - just look for a "https" address rather than "http". I have a different ID and password that I use for secure (https) logins vs. non-secure (http). I would suggest that you do the same.

Again, this is not an MCA Forum specific issue; it's something you should be mindful of when using the Internet for ANY sites that require a login.
Brad
white_2kgt
Newbie
Posts: 26
Joined: Mon Mar 27, 2006 3:01 pm

Re: Password Selection on non-secure Forums

Post by white_2kgt »

DPDISXR4Ti wrote:The recent attack gave cause for someone to ask me about passwords being compromised on our server here. While passwords ARE encrypted in the database, they are NOT encrypted across the wire. Frankly, I don't know of any forum such as this that does encrypt the password across the wire, as it adds considerable expense.
vBulletin does an MD5 hash of the password prior to submitting it to the server with a known password that is unique to the install of vB. In addition to that, the passwords are hashed, salted and hashed before being stored in the database, so even if the database is compromised it will take a while to crack the passwords.

I can crack phpBB passwords in about 5 hrs at home, vB takes me a few days.

I know nothing of your recent attack but just wanted to point this out. I have not looked at phpBB's security in a year or so, things may have changed. I stopped using it around that time and switched to vB on my forum. Your advice is good though, never use the same password for low priority stuff as you do for high priority stuff.
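The post above contrasts two ways a forum can store passwords: a bare hash of the password versus a hash that is salted per user and hashed again. The following is an added example, not code from the thread or from either forum package, that shows why the second costs an attacker more once the database leaks. The wordlist, the three accounts and their salts are constructed for the example, and the exact composition md5(md5(password) + salt) is an assumption chosen to match the post's description, not a verified reproduction of any product's scheme.

```python
import hashlib

# Constructed sample data for this example (not from the thread).
WORDLIST = ["password", "letmein", "merkur", "xr4ti", "scorpio", "dragon"]
USERS = {"alice": "merkur", "bob": "password", "carol": "s0meL0ngRand0m!"}
# Per-user salts, fixed here so the run is repeatable; a real system draws them randomly.
SALTS = {"alice": "Qz3", "bob": "k9L", "carol": "7fW"}


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def unsalted_store(password: str) -> str:
    """Plain, unsalted MD5 in the database (the weak scheme used for comparison)."""
    return md5hex(password)


def salted_store(password: str, salt: str) -> str:
    """'Hashed, salted and hashed' as the post describes it: md5(md5(password) + salt).
    This exact composition is an assumption for illustration."""
    return md5hex(md5hex(password) + salt)


def build_unsalted_db() -> dict[str, str]:
    return {user: unsalted_store(pw) for user, pw in USERS.items()}


def build_salted_db() -> dict[str, tuple[str, str]]:
    return {user: (salted_store(pw, SALTS[user]), SALTS[user]) for user, pw in USERS.items()}


def crack_unsalted(db: dict[str, str]) -> tuple[dict[str, str], int]:
    """One precomputed table of len(WORDLIST) hashes answers every account at once,
    and the same table can be reused against any other unsalted dump."""
    table = {unsalted_store(word): word for word in WORDLIST}
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, len(WORDLIST)


def crack_salted(db: dict[str, tuple[str, str]]) -> tuple[dict[str, str], int]:
    """With a per-user salt the wordlist must be re-hashed for every account;
    no shared table helps, so the work scales with accounts x words."""
    found: dict[str, str] = {}
    hashes_computed = 0
    for user, (stored, salt) in db.items():
        for word in WORDLIST:
            hashes_computed += 1
            if salted_store(word, salt) == stored:
                found[user] = word
                break
    return found, hashes_computed


if __name__ == "__main__":
    u_found, u_work = crack_unsalted(build_unsalted_db())
    s_found, s_work = crack_salted(build_salted_db())
    print(f"unsalted: recovered {u_found} after computing {u_work} hashes")
    print(f"salted:   recovered {s_found} after computing {s_work} hashes")
```

Both schemes give up the two wordlist passwords; the difference is that the unsalted dump falls to a table the attacker builds once, while the salted dump forces a fresh pass over the wordlist for every account, and the account whose password is not in the wordlist survives either way. Note that single MD5 rounds are fast enough that this ratio, not the absolute cost, is the lesson; a deliberately slow password hash would be the modern choice.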
DPDISXR4Ti
Site Admin
Posts: 14824
Joined: Wed Jan 08, 2003 11:40 pm
Location: New York

Post by DPDISXR4Ti »

Thanks for the detailed info.

There have been a bunch of security-related updates to php over the last year - not sure if any were login related, but I suspect some may have been.

Regardless, as you confirm (and clearly you have more of a clue on this than I), don't use your banking PW as your PW for any non-secure login!
Brad
Frag
Level 7
Posts: 2256
Joined: Fri Oct 17, 2003 12:41 am
Location: Seattle, Wa

Post by Frag »

It's good to be secure, but the fact is 90% of people can't remember multiple passwords.
:)
Rocky Leitch
Level 3
Posts: 264
Joined: Tue Feb 06, 2007 10:36 pm
Location: Ocean Shores, WA.

Post by Rocky Leitch »

That is where the good old pen and paper come in.
Being 40 something doesn't help. :wink:
Anyway thanks for the tip.
Rocky
Hellooo Nurse!!
tombrend
Level 1
Posts: 52
Joined: Tue Sep 11, 2007 9:54 am
Location: Jamestown RI/ Boston MA

Post by tombrend »

Frag wrote:It's good to be secure but the facts are 90% of people can't remember multiple passwords.
If you can remember one, you can remember two. A lot of people use something as simple as their pet's name for their less secure password, so it shouldn't be that hard. Try working for the government. You're required to have your passwords that you use for work related things to be 8 or more random alphanumeric symbols with no intelligible pattern, and to change them every two weeks.
Frag
Level 7
Posts: 2256
Joined: Fri Oct 17, 2003 12:41 am
Location: Seattle, Wa

Post by Frag »

tombrend wrote:
Frag wrote:It's good to be secure but the facts are 90% of people can't remember multiple passwords.
If you can remember one, you can remember two. A lot of people use something as simple as their pet's name for their less secure password, so it shouldn't be that hard. Try working for the government. You're required to have your passwords that you use for work related things to be 8 or more random alphanumeric symbols with no intelligible pattern, and to change them every two weeks.
Well... in my experience working on a Helpdesk and resetting/unlocking a few hundred accounts a month for the last few years, most people can't remember multiple passwords even after as little as two days (a weekend); it's not uncommon for people to forget a password within an hour of setting it themselves!

Although I have never worked at a place that required passwords as strong as what you mention above, I think it's safe to say that most people definitely could not remember a password that complicated.

Of course this opinion is coming from a slightly burned out person who works on a Helpdesk... YMMV!
:)
xr4man
Level 6
Posts: 921
Joined: Mon May 09, 2005 1:01 pm
Location: Fort Worth, TX

Post by xr4man »

I had a friend set up a gateway server for me a while back using FreeBSD. We decided that we would use the VIN from his Jetta as the root password. Try that for a secure as hell password!
ian the re-animator
tombrend
Level 1
Posts: 52
Joined: Tue Sep 11, 2007 9:54 am
Location: Jamestown RI/ Boston MA

Post by tombrend »

xr4man wrote:I had a friend set up a gateway server for me a while back using FreeBSD. We decided that we would use the VIN from his Jetta as the root password. Try that for a secure as hell password!
That'll do it :D. I've used a sail number (6 digits), birth dates, phone numbers, license plates, and hull numbers (something like 12 digits). Bad ideas I've known people to use are social security numbers, credit card numbers, and the classic "12345".
Ed Lijewski
Level 8
Posts: 8416
Joined: Thu Sep 04, 2003 5:53 pm
Location: The Belly of The Beast

Post by Ed Lijewski »

tombrend wrote:
Frag wrote:Try working for the government. You're required to have your passwords that you use for work related things to be 8 or more random alphanumeric symbols with no intelligible pattern, and to change them every two weeks.
Where? What agency/department?

Every 90 days is more typical.

Re the 8 or more random alphanumeric symbols with no intelligible pattern, what works for me is using the same "random" pattern but moving it along the keyboard one "step" each password change. When I exhaust the available steps for the same pattern, I'll modify the pattern slightly, and use the same process moving from left to right on the keyboard.

YMMV 8)
Descartes: "Cogito Ergo Sum"
Lijewski: "Sum Ergo Drive-O. Mucho!
Frag
Level 7
Posts: 2256
Joined: Fri Oct 17, 2003 12:41 am
Location: Seattle, Wa

Post by Frag »

Wow, that's like, really complicated for a personal non-critical account such as an internet forum... :shock:

I have been using the same password(s) with slight variations for over 10 years now and NEVER had a problem... :dunno

At a bare minimum it usually has...

1. A word that is spelled backwards.
2. At least 1 UPPER case character.
3. At least 2 numbers.
4. A minimum of 6 characters long unless said application/system etc. won't allow it to be that long.

This results in a password that is...

1. Fairly secure/strong.
2. Easy to remember since it's a variation.
3. Fewer lockouts/account suspensions and password recoveries and/or resets.

YMMV
:)
tombrend
Level 1
Posts: 52
Joined: Tue Sep 11, 2007 9:54 am
Location: Jamestown RI/ Boston MA

Post by tombrend »

Ed Lijewski wrote:
tombrend wrote:
Frag wrote:Try working for the government. You're required to have your passwords that you use for work related things to be 8 or more random alphanumeric symbols with no intelligible pattern, and to change them every two weeks.
Where? What agency/department?

Every 90 days is more typical.

Re the 8 or more random alphanumeric symbols with no intelligible pattern, what works for me is using the same "random" pattern but moving it along the keyboard one "step" each password change. When I exhaust the available steps for the same pattern, I'll modify the pattern slightly, and use the same process moving from left to right on the keyboard.

YMMV 8)
I was working at the Naval Undersea Warfare Center in a secure computer lab. It may have been every month, but it certainly wasn't more than that.
John Brennan
Level 8
Posts: 11630
Joined: Wed Jun 18, 2003 4:19 pm
Location: Scottsdale, AZ "Summer Is Coming"

Post by John Brennan »

I have a bunch of different passwords, but rarely forget them. I remember childhood phone numbers, SS numbers of my whole family, poems, passages from literature, etc. I think all those years in the restaurant business sharpened my memory, but it's kind of always been there.
This is my car, and these are my people!
2015 Fiesta ST
2020 Edge 2.0 Ecoboost