[Tutorial] - How to Create a Secure Password
Goto page Previous  1, 2, 3, 4  :||:
Networking/Security Forums -> Physical Security and Social Engineering

Author: JustinTLocation: Asheville, NC, US / Uberlândia, MG, Brazil PostPosted: Fri Nov 05, 2004 10:26 pm    Post subject: Conservatism and dictionary attacks.
    ----
bknows wrote:
You didn't comment on the junk crypted files. You missed an opportunity!


This seems to be a further step in obscuring the actual information, but given certain constraints, this might not be a practical option. For conventional systems and protocols, there oftentimes isn't enough leniency for extra "junk." There is also the imminent threat that an attacker will be a bit more clever than to just stare at encrypted junk files; adversaries at home with cryptography are more likely to exploit irresponsibilities in parameterization and/or implementation. If your threat model is that minimal to make the assumption that an attacker isn't that clever, then perhaps you have more breathing room. For the average home user - probably so.

Sure, we need to instantiate a solution that satisfies our threat model, but in cryptography, it never hurts to be conservative. In fact, you usually do have to be conservative, if you want to achieve a given level of security. This allows you breathing room for unknown attacks, as well as the intricate nit-picks that fill the nooks and crannies of primitives and their underlying components. So, satisfying the threat model, and level of security, isn't always fitting it "to a T", but rather, getting something a little larger for it to allow enough prerequisite room, just to meet the assumed level of security, and some more to grow into, just in case you find yourself in worst-case scenarios or in the path of a clever adversary.


moner wrote:

can someone help me understand how password cracking or brute force works? how does a program know that a particular password that has been found is the correct one? e.g say my password was "pass", how would the computer program know that it has hit bulls eye for e.g for a pgp disk or something else...i know it might be basics for most of you but I don't know


Consider an offline dictionary attack, where the attacker has a copy of a hashed password value (i.e., MD5 or SHA-1, most likely), extracted from the database of an online login system. His dictionary consists of plaintext entries along with their corresponding hash values. During the dictionary exhaust, he attempts to locate an entry who's corresponding hash value matches that of the hashed password value extracted from the target's database. It is, essentially, a variational form of a known-plaintext attack. Raw exhaustive search is much generalized, but relies on most of the same requirements.

Author: moner PostPosted: Wed Nov 10, 2004 5:27 pm    Post subject:
    ----
AdamV wrote:

For example, on a Windows network, when you change your password, it is encrypted and only the encrypted version is stored, never the plaintext. When you log in, your password attempt is encrypted and this is compared with the stored encrypted copy.

SO, the cracking tool does the same thing - it makes up a word to try (or a set of random characters) and then encrypts this and compares with the encrypted hash which has either been taken off a server or possibly sniffed from the network.

Does that make sense?


thanks to all of you that makes good sense, but are there any further articles you would recomend?

Author: mr_brightttLocation: Omaha, Nebraska PostPosted: Sat Jul 02, 2005 6:39 pm    Post subject:
    ----
tip-i often combine passwords or random phrases that i use alot. Like all that glitters killed the cat

It is pretty random and I have used it for an account for about a year. Have had no hacks.

Author: Specialone PostPosted: Sat Aug 13, 2005 10:29 pm    Post subject:
    ----
You can also verify your password with a programm like steganos http://www.steganos.com/

Author: Hailmus PostPosted: Tue Nov 15, 2005 9:11 am    Post subject:
    ----
I use somewhat complicated passwords for many things that allow them
for example for an antivirus program one might use something like (for example) euc7-¹1q&Td)n( or something like that. for some people that might be hard to remember.. also if it was a passy for some encrypted folder you wouldnt want that laying around unlike a hidden passy on paper for logging in.

Here are some hints for hiding some of your passwords easily on your PC:
1) add a readme.txt to somewhere in a folder.. and copy n paste a usual readme text in there..in that text hide your password (readme's are BORING! and seldom would any attacker look there)
2) Default windows pics (or hide it in a huge photo gallery ) what you can do is open a big picture in Mspaint or some photo editing prog. and add text in a section a little off color of what you are typing it on..add your passwords here for easy lookup ..if you really want to be safe encrypt a picture folder with an easy to remember passy and then hide your hard ones here.

I for one though remember most of mine.. and even though they are hard ones..you can do it if I can.

Author: JerryHou PostPosted: Fri Dec 09, 2005 2:53 pm    Post subject:
    ----
That's a good article.Thank you !

I make a password have 15 characters,including A-Z,a-z,1-9 and dot.

Author: zhx PostPosted: Tue Dec 20, 2005 6:15 pm    Post subject:
    ----
For whatever reason, I memorize long strings of random characters easily, and for a while, after I installed a certain piece of software, I would use chunks of the serial number as passwords.

Now my favorite technique is to choose a random word and 1337-ify it one way or the other. My general procedure is as follows:

1. Pick random word (normally at least 8 chars):
accelerate
2. 1337ify!:
@cc3l3r@t3
3. If I really want to beef it up, I will discard a random character and/or replace with another random character:
@c3l3r@t3, @c#3l3@t3

(I guess this is a poor example for the forum, as @ is turned into -at-.)

Don't forget that it doesn't matter that you have a 56 character password using half the characters on your keyboard if you keep it on a sticky note on your monitor.

Author: capiLocation: Portugal PostPosted: Wed Dec 21, 2005 1:43 pm    Post subject:
    ----
zhx wrote:
(I guess this is a poor example for the forum, as @ is turned into -at-.)

No worries, I take it you mean something like this:

1. Pick random word (normally at least 8 chars):
accelerate
2. 1337ify!:
@cc3l3r@t3
3. If I really want to beef it up, I will discard a random character and/or replace with another random character:
@c3l3r@t3, @c#3l3@t3

Smile

Author: yuvarajLocation: US PostPosted: Wed Jun 21, 2006 9:07 am    Post subject: Secure Password try this
    ----
oh! yes, its said rightly that the best is alphanumberic passwords for secure login. If this type of password is too difficult to remember then have it in this type.

For example: if the password is "n1a4m3e." Just make this "n!a$m#e." (shift key for number), somewhat difficult to guess by the hackers.

just make this with the numbers or words you easily remember.

Author: the_wanderer PostPosted: Fri Apr 13, 2007 7:44 am    Post subject:
    ----
Very good and informative tutorial. But I have a couple of questions:

Let's say I want to put the first letter of each word of a favourite lyric.
Ex: smwiltbtlosavopb

Then I capitalise the 1st, 6th, 11th, 16th => SmwilTbtloSavopB

I then add some special characters at the beginning and end like
@SmwilTbtloSavopB% and some numbers @SmwilTbtloSavopB%5388
Can it be effective ? Presuming that I am good at remembering such words.

And if I wanted to use an ASCII character, will I have to type at the password prompt the same sequence for the required character ? I never tried it Embarassed

Thanks !

Author: mcse_696 PostPosted: Sun Apr 29, 2007 1:25 am    Post subject: syskey extra secure
    ----
You can use the (SysKey) utility to additionally secure the SAM database by moving the SAM database encryption key off the Windows-based computer. The (SysKey) utility can also be used to configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database. This article describes how to use the SysKey utility to secure the Windows SAM database.
1. At a command prompt, type (syskey), and then press ENTER.
2. In the Securing the Windows Account Database dialog box, note that the Encryption Enabled option is selected and is the only option available. When this option is selected, Windows will always encrypt the SAM database.
3. Click Update.
4. Click Password Startup if you want to require a password to start Windows. Use a complex password that contains a combination of upper case and lower case letters, numbers, and symbols. The startup password must be at least 12 characters long and can be up to 128 characters long.

Note If you must remotely restart a computer that requires a password (if you use the Password Startup option), a person must be at the local console during the restart. Use this option only if a trusted security administrator will be available to type the Startup password.
5. Click System Generated Password if you do not want to require a startup password.

Select either of the following options:• Click Store Startup Key on Floppy Disk to store the system startup password on a floppy disk. This requires that someone insert the floppy disk to start the operating system.
• Click Store Startup Key Locally to store the encryption key on the hard disk of the local computer. This is the default option.
Click OK two times to complete the procedure.

Remove the SAM encryption key from the local hard disk by using the Store Startup Key on Floppy Disk option for optimum security. This provides the highest level of protection for the SAM database.

Always create a back-up floppy disk if you use the Store Startup Key on Floppy Disk option. You can restart the system remotely if someone is available to insert the floppy disk into the computer when it restarts.

Author: Madgeki PostPosted: Mon Jan 17, 2011 7:35 pm    Post subject: hi! moner Lurker
    ----
yes it does make sense, brilliant!



Networking/Security Forums -> Physical Security and Social Engineering


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Goto page Previous  1, 2, 3, 4  :||:
Page 4 of 4

Powered by phpBB 2.0.x © 2001 phpBB Group