
Secure passwords guide

м¢ℓσνιη

Active Member
Reputation
0

A password is a form of authentication represented by a string of characters that the user can easily provide, but it is hard to guess. In front of the registration form people use obvious passwords such as the names of their children or their house number in order not to forget them or simply because they can't come up with a better one. Their importance is often ignored - at least until the account gets hacked. This guide will show you how to choose secure passwords and still be able to remember them, you'll find links to software that might help and hopefully you'll be determined to change your passwords to more secure ones.

What makes a password strong?

The answer is length, complexity and randomness. The common way to crack passwords is by using a brute force attack. The attacker attempts to crack passwords by trying as many possibilities as time and processing resources permit. A related but much more efficient method is a dictionary attack. Words in one or more dictionaries and lists of common passwords are tested. A long password, composed from multiple types of characters in a random order will be hard to crack.

Guidelines for creating a good password:

  • Minimum length of 8 characters. Actually the longer they are, the better. Length is the most important factor when it comes to strong passwords.
  • Passwords should use all of the following four types of characters:
    • Lowercase
    • Uppercase
    • Numbers
    • Special characters such as !@#$%^&*(){}[]
  • Don't use passwords that are based on personal information because it can be easily accessed or guessed.
  • Do not use words from dictionaries (English or foreign), names or places.
  • Even if you slightly misspell words, spell them backwards or use 1337 speak, your password is not secure.
  • Do not use consecutive numbers or letters such as “1234” or “abcd”.
  • Do not use adjacent keys on your keyboard such as “qwerty” or “asdf”.
  • Do not repeat the same character in your password such as “aaaa” or “2222”.

To achieve such complexity while still being able to remember your password you can use mnemonics.

Example:
"My favorite song is Led Zeppelin - Stairway to Heaven". This phrase is easy to remember (especially if this is your favorite song). It is a phrase with a question and an answer. I can convert it to a password like this:
  • Using the first letter of every word, while keeping cases and punctuation: MfsiLZ-StH
  • Adding a special character between the question and the answer: Mfsi/LZ-StH
  • Adding numbers to my password by converting L (the first letter in the answer) to 12 (L being the 12th letter in the English alphabet): Mfsi/12Z-StH
The result is a good password. It is long enough, has complexity by using letters (both lower and uppercase), numbers and special characters and finally it is sufficiently random. The password itself might not be easy to remember but it is easy to reconstruct from the easy to remember phrase and the 3 simple rules that generated it.

Test your passwords: Link 1, Link 2, Link 3.

Using your passwords safely. Software that you might need.

Making a good password is just the beginning. In the beginning I've mentioned dictionary attacks as being the most used method to crack passwords, however it is easier to steal passwords from unaware users and this is why you should exercise caution when using them.

Guidelines for using passwords securely:

  1. Don’t write down your passwords on paper or inside a non-encrypted file. Instead of using weak passwords, it might be better to use strong ones, even if you have to write them down. Fortunately you can do so in a secure way by using a password manager.
  2. Do not use the same password for all accounts such as additional email accounts or other log-ins you may have on the Internet. To keep track of all passwords you'll have to use a password manager. A password manager encrypts all your passwords using a single password that you’ll have to remember.
  3. Use a password manager (It should be obvious by now). I use the LastPass browser plug-in (the free version). It offers support for all major browsers and the free version is sufficient for even the most demanding users. Furthermore it works as a cloud service - your passwords are sent encrypted and through a secure connection to their servers. As a result they are available everywhere, even on multiple devices. If you would rather use a stand-alone application instead of a plug-in, try KeePass (open-source). It doesn’t include a cloud service (and some might appreciate that) but it offers a portable version that you can carry everywhere on a USB stick. Both can also be used to create strong passwords so next time when you’ll be facing a registration form you won’t have to spend time creating a strong password.
  4. Do not share your password with anyone. Anyone includes your friends and family. First of all, passwords are private and second you don't know if the person you are sharing the password with will take the necessary precautions to safeguard it.
  5. Watch for attackers trying to trick you into revealing your passwords (phishing attacks). Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. Do not reply to phone calls or email messages requesting that you reveal your passwords. Legitimate websites or organizations will never ask you for your user name and password. To protect against malicious websites, I recommend using a browser add-on that warns you when you try to visit such a site: Web of Trust (all major browsers) / Norton Safe Web (Firefox and Internet Explorer).
  6. Be aware of when a password is sent securely across the Internet. Sites that begin with “https://” rather than “http://” are secure for use of your password. Most sites offer an https connection, but unfortunately they use http as the default or fall back to http immediately after the log-in. I recommend using a plug-in that enforces a secure https connection: HTTPS Everywhere (for Firefox and Chrome). NoScript for Firefox can also force https connections (Go to NoScript Options -> Advanced -> HTTPS).
  7. Secret questions are vulnerable to guessing attacks. Most websites offer this method as a way to recover your lost password. Choose answers that are hard to guess and if you fear you might forget them, use a password manager.
  8. Do not use the "remember my password" feature offered by many programs. These programs have varying degrees of security protecting your passwords. Some store the information in clear text in a file on your computer or with a weak encryption. Software tools that can retrieve passwords in all major browsers, instant messengers and e-mail clients are available.

    Tip: Firefox can protect your passwords with a "master password". If you plan on letting it store your passwords you must enable this feature. Go to Tools > Options... > Security, check Use a master password. A window asking for the master password will pop-up. This password will be used to encrypt all your other passwords so make sure it is strong and remember it.

    Note: Latest versions of most IM clients (ICQ version 6 and higher, Yahoo! IM version 7.5 and up, and all versions of Skype) do not save the password itself, but its hash that is used for authentication. Even so, if an attacker gets a hold of that file he can use it to log in to your account.
  9. Keep your PC malware-free. Make sure the security software you are using is up-to-date and offers protection against key-loggers. A key-logger is a type of malicious software that runs on your computer logging every keystroke. If your security software doesn’t offer this kind of protection, I recommend installing Keyscrambler Personal (IE and Firefox add-on).
  10. Don’t type your passwords on someone else's computer. If possible, don't use someone else's computer that you don't trust to log in to any website, especially to very sensitive websites such as your banking account. That PC might be infected with a key-logger or other types of malware that can steal your passwords. Public PCs are highly insecure; it is best to avoid them altogether, but if this is not possible consider using multiple factor authentication. For example, Google users can opt in to the Google Authenticator service. When you log in from a device that is not trusted, you will be asked for your password (something you know) and a code, provided by Google via your phone (using an app or a simple SMS) (something you have). This way, even if your password is compromised, no one will be able to log in to your account without your phone.
  11. Secure your wireless connection. Using a non-encrypted wireless connection or a WEP encrypted one (WEP is flawed by design and easily breakable) exposes you to a man-in-the-middle attack. An attacker can easily connect to your network, intercept transmitted packets and possibly steal your passwords or hijack your session. Use WPA2 or WPA encryption (if you own devices that can’t use WPA2) with a strong pass-phrase to protect your wireless connection. Be aware that most public hot-spots don’t offer a secure wireless connection.
  12. Change passwords immediately when they are compromised. Even if you have the slightest doubt that one of your passwords was stolen, change it immediately.
  13. Change your passwords regularly. Changing your passwords twice a year ensures that a persistent attacker won't have enough time to break them by using brute force.

Credit to MalwareTips.com
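An added example (not part of the original post or of the MalwareTips guide) that turns the two halves of the guide into code: the first function reproduces the three mnemonic steps on the "Stairway to Heaven" phrase, the second checks a candidate against the guideline list (length, four character classes, consecutive runs, keyboard-adjacent runs, repeated characters). The run length of 4 and the keyboard rows are my assumptions, chosen to match the guide's own examples ("1234", "qwerty", "aaaa").

```python
import re
import string

# Assumed: a standard US layout; runs of 4 or more match the guide's examples.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
RUN = 4

def derive_password(phrase: str, question_words: int, sep: str = "/") -> str:
    """Steps from the guide: initials (case and punctuation kept), a separator
    between question and answer, and the answer's first letter replaced by its
    1-based position in the alphabet. Assumes the answer starts with a letter."""
    initials = [w[0] for w in phrase.split()]
    question, answer = initials[:question_words], initials[question_words:]
    answer[0] = str(string.ascii_lowercase.index(answer[0].lower()) + 1)
    return "".join(question) + sep + "".join(answer)

def has_sequence(pw: str, n: int = RUN) -> bool:
    """Consecutive letters or digits in either direction, e.g. 1234, dcba."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        diffs = {ord(s[i + j + 1]) - ord(s[i + j]) for j in range(n - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False

def has_keyboard_run(pw: str, n: int = RUN) -> bool:
    """Adjacent keys on one row, read left-to-right or right-to-left."""
    s = pw.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    return any(s[i:i + n] in r for r in rows for i in range(len(s) - n + 1))

def has_repeat(pw: str, n: int = RUN) -> bool:
    """The same character n times in a row, e.g. aaaa or 2222."""
    return re.search(r"(.)\1{%d}" % (n - 1), pw) is not None

def password_problems(pw: str) -> list:
    """Return the guideline violations for pw; an empty list means it passes."""
    checks = [
        (len(pw) < 8, "shorter than 8 characters"),
        (not any(c.islower() for c in pw), "no lowercase letter"),
        (not any(c.isupper() for c in pw), "no uppercase letter"),
        (not any(c.isdigit() for c in pw), "no digit"),
        (not any(not c.isalnum() for c in pw), "no special character"),
        (has_sequence(pw), "contains consecutive letters or digits"),
        (has_keyboard_run(pw), "contains adjacent keyboard keys"),
        (has_repeat(pw), "repeats the same character"),
    ]
    return [msg for failed, msg in checks if failed]
```

The checker only catches the patterns the guide names; it cannot tell whether a word is in an attacker's dictionary, so a clean result is necessary, not sufficient.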
 

Ewan

User is banned.
Reputation
0
Thanks for posting this!

Really great guide!
 

м¢ℓσνιη

Active Member
Reputation
0
No problem. It's essential to have a strong password.
 

Quad

User is banned.
Reputation
0
When I bought my AIMS I realized how important it was to have a good PW.

There are 2 main ways to get attacked: 1 via brute forcer, and 2 via RATs.
1) Use long passwords with special characters. I normally use _ and ! mixed in as letters.
2) Download an anti-keylogger program so if you do get ratted they won't be able to key log your PWs.
 

F. Malware

Onyx user!
Reputation
0
Special characters, numbers, letters. Any combination, doesn't matter. As long as you have every possible char. you will be better off. Also don't use anything that logs passwords. It's just an easier way to get access to all your accounts; you may think they are secure but they aren't, I guarantee it. You should also try to memorize all your pws, putting them anywhere is unsafe. Most common computer users have a very shallow view on hacking. Being exposed to RATs and keyloggers on Windows has made the majority of the users stupid. They think that if they put up an anti virus, throw up a VPN, spoof their MAC address, crack another's wifi, and install a keyscrambler they will be ok; they are SADLY mistaken. Tbh if you want to learn something about coding, CLI, processes, networking, basically everything that makes your computer go beep, you need to move to Unix. It's just the way I see it tbh, although if you're just the common forum goer and gamer then stick to Windows.


http://malwaretips.com/Thread-Secure-passwords-guide

Kid, you're a leech, this is the second time we caught you.
 

м¢ℓσνιη

Active Member
Reputation
0
That is why I've given credit
 

F. Malware

Onyx user!
Reputation
0
Now you put credit lol, why did you delete the other thread you leeched?
 

м¢ℓσνιη

Active Member
Reputation
0
Torvalds said:
Now you put credit lol, why did you delete the other thread you leeched?

Umm, I didn't? :huh:
 

F. Malware

Onyx user!
Reputation
0
The AV one you posted, isn't it gone?
 

м¢ℓσνιη

Active Member
Reputation
0
Torvalds said:
The AV one you posted, isn't it gone?

Not as far as I know.
 

F. Malware

Onyx user!
Reputation
0
It is, I can't find it. I checked my posts and what I posted is gone so.