Password strength and security

Does exactly what it says on the tin. Some of the nonsense contained herein may be very loosely related to The Sisters of Mercy, but I wouldn't bet your PayPal account on it. In keeping with the internet's general theme nothing written here should be taken as Gospel: over three quarters of it is utter gibberish, and most of the forum's denizens haven't spoken to another human being face-to-face for decades. Don't worry your pretty little heads about it. Above all else, remember this: You don't have to stay forever. I will understand.
Post Reply
User avatar
markfiend
goriller of form 3b
Posts: 21181
Joined: 11 Nov 2003, 10:55
Location: st custards
Contact:

As the folks that do the Fantasy Football will no doubt have seen the email they have sent out that a small number of their accounts have been compromised. (Please note: no accounts here on Heartland have been breached.) I thought it might be a good idea to remind everyone about password best practice.

1) Use a different password for each site.
This might sound like a complete pain in the you-know-where but if the database of just one site is breached and your username and password are on there*, then online criminals will try to use that combination wherever they can. It might not be the end of the world if a hacker gains access to your Heartland account, but if they get into your paypal, it's a different matter.
(* Note that if the website is properly designed then even if the database is breached your password cannot be retrieved from it. Unfortunately many websites are not properly designed.)

2) If the site supports it, use two-factor authentication.
Most online banking sites use this: there's a further step than the usual username/password; either there's a code they send you via SMS or something similar; even if a criminal has the login details for your account they're unlikely to also have access to your phone.

3) Don't use passwords that are actual words.
Not even if you do "clever" letter substitution. P4$$w0rd is just as vulnerable to the "dictionary attack" as password is. Even good old correct horse battery staple isn't safe these days.

4) IMO your best bet is to use a password manager.
I use KeePass - it generates and saves passwords for all your needs.

I'm going to leave this as an open thread if anyone else has any thoughts.
The fundamental cause of the trouble is that in the modern world the stupid are cocksure while the intelligent are full of doubt.
—Bertrand Russell
Bartek
Underneath the Rock
Posts: 6141
Joined: 17 Sep 2005, 10:47

- Bulid password thst contains 3 or more words, use caplita letter, add numbers, special characters, 9 even make a typo like: OrangeGirafeTomato1@! You can allways mix languages.
- Use U2F Keys like yubikey or the one from google wherever you can.
User avatar
Planet Dave
Underneath the Rock
Posts: 6746
Joined: 22 Apr 2003, 23:51
Location: Where the streets fold round

Aye I got that email, good luck to anyone who wants to have a tinker with my FPL squad :lol:
'What a heavy load Einstein must have had. Morons everywhere.'
User avatar
mh
Above the Chemist
Posts: 8123
Joined: 23 Jun 2003, 14:41
Location: A city built on rock 'n' roll

Password manager plus MFA is the way to go, IMO. We don't always do it, and I'm as guilty as the next person of slipping up in the name of personal convenience from time to time, but people really should be thinking of this as like leaving their front door keys in the street rather than as a problem that somebody in IT will fix or can be blamed for if things go wrong.
If I told them once, I told them a hundred times to put 'Spinal Tap' first and 'Puppet Show' last.
Post Reply