#1
Having the same password as username will get you hacked 100% of the time.
Here are other really bad ones: password, jordan, any type of number combination without a letter, any type of name, and anything that can be found in the dictionary.
__________________
Gators love marshmallows.
#2
In addition, some password guidelines:
- Use a combination of letters, numbers, special characters, upper and lower case (use at least one uppercase letter, one lowercase letter, one number, one special character)
- Your password should not be used anywhere else
- Often change passwords and don't reuse them
- Don't use a password that can be linked to you in any way
- You can use the first (one, two or three) characters of every word in a sentence (like 1RtRtA - but this one would not be a good idea if you happen to be Peter Jackson...)
- You can concatenate two words together (like j0ke=l0l)
- You can use words without the vowels (like CntGt1n! (can't get in!))
#3
You should not replace letters with numbers; these are also classed as dictionary words:
tree = tr33 <--- bad
boogie = b00g13 <--- bad
joke = j0k3 <--- bad
lol = l0l <--- bad
Ideally, you should pick a sentence, a phrase or quote and choose the first, second, middle or last letter of each word: Mary Had A Little Lamb = mhall (don't use this, especially if your name is M Hall), or even use this style but backwards: llahm
#4
Even if it's a good password, when changing it, don't just increment it.
E.g. GooDPassWord1, GooDPassWord2, GooDPassWord3, aGooDPassWord, bGooDPassWord, cGooDPassWord... you get the idea.
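The rules from posts #1 through #4 (no username or dictionary words, undoing digit-for-letter swaps, character classes, no incrementing an old password) together with post #6's point about case-insensitive sites, as an added policy checker that is not code from the thread. The word list is a constructed stand-in, and the 8-character minimum is an assumption.

```python
import re

# Added example, not from the thread: a small policy checker implementing the
# advice in posts #1-#4 and #6. The word list is a constructed stand-in for a
# real dictionary (assumption: a deployment would load a full list).
DICTIONARY = {"password", "jordan", "tree", "boogie", "joke", "lol", "apassword"}
MIN_LENGTH = 8  # assumption; the thread mentions 6 and 8 as common minimums
LEET_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def unleet(pw):
    """Plain-text readings of pw with digit-for-letter swaps undone (post #3):
    '1' is tried as both 'i' (b00g13 -> boogie) and 'l' (l0l -> lol)."""
    return {pw.translate(str.maketrans({**LEET_BASE, "1": ch})).lower() for ch in "il"}


def core(pw):
    """Lower-case pw with any leading/trailing non-letters removed."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def looks_like_increment(new, old):
    """True if new is old with a digit/letter bumped or tacked on (post #4)."""
    shorter, longer = sorted((core(new), core(old)), key=len)
    return bool(shorter) and shorter in longer and len(longer) - len(shorter) <= 2


def check_password(pw, username, previous=()):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    readings = unleet(pw) | {pw.lower()}
    if username.lower() in readings:
        problems.append("same as username")                        # post #1
    if pw.isdigit():
        problems.append("digits only")                             # post #1
    if readings & DICTIONARY:
        problems.append("dictionary word, even with digit substitutions")  # posts #1, #3
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")):
        problems.append("needs upper, lower, digit and special character")  # post #2
    for old in previous:
        if pw.lower() == old.lower():       # post #6: a case-insensitive site sees no change
            problems.append("reuses an old password (only the case differs)")
        elif looks_like_increment(pw, old):
            problems.append("only an increment of an old password")  # post #4
    return problems
```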
#5
I think you should have multiple letters and numbers, upper and lowercase.
aa1Aa1a1Aa1aAA1a1aaA (not all a's and 1's)
#6
Depending on the script, a lot of script writers are lazy and make passwords case insensitive: "ApAsSwOrD" is the same as "apassword".
#7
It does not hurt to do so anyway.
#8
I use a password generator. It creates random combinations of characters for passwords. It also saves these passwords in an encrypted database. But, the best part is that I can run it on a USB memory stick.
http://keepass.sourceforge.net/
Secure passwords are a good thing.
#9
What is secure to one person isn't to another. MD5 encryption is meant to be solid, but there are MD5 downloads you can get that do break them (they have live samples). It does take a lot of resources going through so many combinations, but it is breakable.
#10
Quote:
I applaud the intent of the posters in this forum who want people to be more aware of password security and to use good definition techniques. But I would like to throw a log on the fire by suggesting that your arguments are not practical concerns in the real world and may actually INCREASE the likelihood of security violations! Gauntlet thrown… Let’s begin. According to a Scrabble website I found online with canonical word lists of all words found in the approved dictionary, there are 15,191 words consisting of exactly six letters (the usual minimum for any password controlled website). If we add seven letter words, that’s another 139,162 words. And if we go to eight-letter words (increasingly common as a minimum length for passwords), we are dealing with 116,102 words. But heck, let’s go for the smallest test case and stick with exactly 6 characters. That gives us 15,191 combinations to try out for any single account we want to hack by brute force. But wait… that’s ignoring case! Let’s say the website security recognizes case and keep ourselves limited to capitalizing one and only one letter in our chosen password. That multiplies our possible set to 15,191 x 6 (one multiplier for each position that could take a capital, causing a new password to be formed). That’s 91,146 dictionary words. Remember, we’re not allowing multiple capitals in the word, which would add a massive multiplier for possibilities. Remember that we’ve also conveniently left out all proper nouns (I got the number of words from a Scrabble generator, which doesn’t allow names of people or places). That would increase things a bit, I should think. Now let’s say the password creator is really lazy and adds a single digit to their chosen word either at the start or end (I’m not allowing digits in the middle or multiple digits, just to keep the math small). That gives us 91,146 x 20 potential passwords or 1,822,920 possible choices. 
Now let’s say I’m going to brute force my way through the entire set of possibilities for a single user account id. We’ll ignore the fact that almost any reputable authentication system on the web today locks down after a few tries or at least gives an operator a warning. Let’s say our brilliant hack program can calculate the next possibility from our limited list, submit it to the host system, wait for a lookup in their authentication system, and parse the return all in 0.5 seconds (too fast as an average in my experience, but hey… let’s cut our hacker some slack). To run through an entire set of possibilities for a single account, it takes us 1,822,920 / 2 seconds, or approximately 253 hours or about 10.5 days of solid nonstop processing. For one account. Purists can alter the numbers and allowed possibilities any way they want. Cut down the list to only “common” words, but add proper nouns. The numbers still come out too high for any reasonable use. Therefore, I maintain that even a lazy person who picks a real six-letter dictionary word, capitalizes any single letter in the word, and adds a single digit either at the beginning or end is so safe from brute force algorithms as to make the worry negligible. On the other hand, keeping a completely random set of letters and digits with no mnemonic for capitalization or anything else results in something that can ONLY be remembered and used by writing it down and referencing it. And guess what, kiddies? How do you think most hackers get into secure websites? That’s right… they FIND the password somewhere, place a keystroke logger in sequence, or build a false front redirect site. Or in the case above, find the USB memory stick on a desktop. It’s a heck of a lot easier to bank on human fallibility than on computer number crunching exercises. So I maintain that your suggestions for building the tightest possible, unbreakable passwords is likely to result in MORE hacks rather than fewer. 
(I still remember the time I was on a job interviewing workers at a bank and found an access terminal in the main work area with a login ID and password allowing access to any customer’s detailed account records. No I didn’t take advantage of it. That’s not my bag.) My comments should not be taken to apply to highly critical, defense-related, or other maximum security systems. But for common personal web use, I think we can all lighten up a bit.
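The arithmetic in post #10 (15,191 six-letter words, one capital in any of six positions, one digit at the start or end, 0.5 s per online attempt), carried through as an added calculation that is not part of the thread. It is parametrised so the numbers can be altered as the post invites, and it adds one constructed lockout policy (5 attempts per 15 minutes, an assumption) to show what the post's "locks down after a few tries" aside does to the same candidate space.

```python
# Added worked calculation, not part of the thread: the candidate-space and
# timing arithmetic from post #10, parametrised so the numbers can be altered.

def candidate_count(word_count, length, capital_positions=None,
                    digit_slots=2, digit_choices=10):
    """Dictionary words of a given length, each with exactly one capital
    letter (any position) and one digit added at the start or the end."""
    if capital_positions is None:
        capital_positions = length  # one capital per possible position
    return word_count * capital_positions * digit_slots * digit_choices


def guessing_time_days(candidates, seconds_per_attempt):
    """Wall-clock days to try every candidate once, online, sequentially."""
    return candidates * seconds_per_attempt / 86400


def lockout_seconds_per_attempt(attempts_allowed, window_seconds):
    """Average spacing a lockout policy forces between guesses
    (assumption: attempts_allowed guesses per window, then a wait)."""
    return window_seconds / attempts_allowed


if __name__ == "__main__":
    space = candidate_count(15191, 6)                  # post #10's six-letter case
    print(space)                                       # 1822920
    print(round(guessing_time_days(space, 0.5), 1))    # ~10.5 days at 0.5 s/attempt
    # Constructed policy: 5 attempts per 15 minutes, the "locks down" aside in post #10.
    slow = lockout_seconds_per_attempt(5, 15 * 60)
    print(round(guessing_time_days(space, slow) / 365, 1))  # ~10.4 years
```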
#11
Oops... Brent's original message is still mighty strong and not negated by anything I said above. Using an identical ID/password combination or common password words will getcha hacked faster if somebody's still using those scripts. But I'm guessing brute force is MUCH less common today than people think.