You know the kind of stupid stuff you do when you’re 16? And they suddenly appear again many years later to haunt you? You know, like having kids, smoking crack cocaine, burying corpses in your backyard… or even, in those moments of utter carelessness, sharing root passwords?
Some may have noticed this website was compromised yesterday and asked me what happened, so here goes a little advice: don’t use the same “low-security” password you’ve been using for the past 7 years out of sheer laziness on a public website that gets syndicated. In fact, don’t use it anywhere, dammit.
In this particular case, I had a few friends from high school days who happened to know this password, as we shared a few local user accounts on each other’s machines, and sometimes needed to get root access to help fix things. Being the idiot I am, I ended up using this same password for many other things, some of them not as low security as I’d think, and completely forgot about the fact that one of these friends has his moments of low self-esteem, and needs to draw attention to himself every so often. But instead of getting a nicer or more expensive car, computer, cellphone or girlfriend, like everyone else who was beaten up as a child would, he goes around annoying people. Sad.
So, I’m changing all my passwords to 50-character passphrases. With alphanumerics, l33t-sp33k, spaces, non-ASCII characters and whatever else I can think of. Sure, it takes me about a minute to log in to my daily stuff, and it’s a pain in the ass, but it saves me from the trouble of thinking about all those different torture methods. Well, sort of, there’s still a lot of spam…

Shane Vitarana | 24-Feb-05 at 10:27 pm | Permalink
Why not use a password generator like http://www.winguides.com/security/password.php or better yet, download one that runs on your own machine. Then memorize the password in phonetic form.
Example:
Password: 5tl1ylev
Phonetics: Five – tango – lima – One – yankee – lima – echo – victor
I guess you can also write it down on a piece of paper and keep it in your wallet. Then you’ll be fine as long as no one steals your wallet and the wife/girlfriend doesn’t poke around.
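The generate-then-memorize-phonetically approach from the comment above, as an added example that is not part of the original post or its comments. It draws the password from the `secrets` module (a CSPRNG, unlike `random`) and renders it in the NATO alphabet; the conventions that digits become capitalised number words, lowercase letters lowercase NATO words and uppercase letters uppercase NATO words are my own choice, picked to reproduce the spelling in the comment, and the 8-character default length only mirrors the comment's example.

```python
import secrets
import string

# ICAO/NATO spelling alphabet, keyed by lowercase letter.
NATO = {
    "a": "alfa", "b": "bravo", "c": "charlie", "d": "delta", "e": "echo",
    "f": "foxtrot", "g": "golf", "h": "hotel", "i": "india", "j": "juliett",
    "k": "kilo", "l": "lima", "m": "mike", "n": "november", "o": "oscar",
    "p": "papa", "q": "quebec", "r": "romeo", "s": "sierra", "t": "tango",
    "u": "uniform", "v": "victor", "w": "whiskey", "x": "xray", "y": "yankee",
    "z": "zulu",
}
DIGIT_WORDS = ["Zero", "One", "Two", "Three", "Four",
               "Five", "Six", "Seven", "Eight", "Nine"]

# Alphabet assumed for generation: lowercase letters plus digits, which is
# what the comment's example password is made of.
ALPHANUM = string.ascii_lowercase + string.digits


def generate_password(length=8, alphabet=ALPHANUM):
    """Return a password of `length` symbols drawn uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG; random.choice is seeded from a small,
    reconstructible state and must not be used for secrets.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    symbols = sorted(set(alphabet))  # de-duplicate so every symbol is equally likely
    if len(symbols) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(symbols) for _ in range(length))


def phonetic(password):
    """Spell `password` one symbol per word so it can be memorised by ear.

    Convention (assumed here): digits -> capitalised number word, lowercase
    letter -> lowercase NATO word, uppercase letter -> uppercase NATO word,
    anything else -> the character itself in quotes so it is read literally.
    """
    words = []
    for ch in password:
        if ch.isdigit():
            words.append(DIGIT_WORDS[int(ch)])
        elif ch.lower() in NATO:
            word = NATO[ch.lower()]
            words.append(word.upper() if ch.isupper() else word)
        else:
            words.append("'%s'" % ch)
    return " - ".join(words)


if __name__ == "__main__":
    # The comment's own example, re-spelled by the same routine.
    print(phonetic("5tl1ylev"))
    pw = generate_password(12)
    print(pw)
    print(phonetic(pw))
```

Memorising the spoken form is the whole trick; if the password is still written down, the phonetic version on paper is exactly as useful to a thief as the password itself.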
fx | 07-Mar-05 at 4:34 pm | Permalink
Actually, 15 characters is enough from a mathematical point of view to avoid precomputed dictionary attacks.
But if you use 5tl1ylev, it is “simply” a matter of the hash’s reverse lookup to get to the password.
So, women might disagree, but in terms of passwords, size really matters (at least a minimum size).
In other words, I’d prefer 15 a’s as password over 5tl1ylev any given day.
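The numbers behind the last comment, worked as an added example that is not part of the original post or its comments. It computes the brute-force search space an attacker faces for a given password, assuming the attacker infers only which character classes appear (lowercase, uppercase, digits, punctuation) and must try the full class. It also carries the caveat a practitioner would add: a password made of one repeated character is found by a trivial mask attack in at most (alphabet size × length) guesses, regardless of how large its brute-force space looks. The guess rate of 10^9 per second is an assumed round figure for unsalted fast hashes on commodity hardware, not a measurement from the page.

```python
import math
import string

# Character classes a brute-force attacker is assumed to enumerate in full
# once any member of the class is seen in the password.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Assumed guess rate for the time estimate (unsalted fast hash, one GPU);
# a constructed round number, not from the page.
ASSUMED_GUESSES_PER_SECOND = 1e9


def alphabet_size(password):
    """Size of the alphabet a class-aware brute-force attacker must cover."""
    size = 0
    for cls in CLASSES:
        if any(c in cls for c in password):
            size += len(cls)
    # Spaces and non-ASCII symbols are outside the four classes; count each
    # distinct one as a single extra symbol (a conservative lower bound).
    extra = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(extra)


def brute_force_guesses(password):
    """Worst-case guesses for exhaustive search over the inferred alphabet."""
    return alphabet_size(password) ** len(password)


def bits(guesses):
    """Express a search space as bits, the usual unit for comparing passwords."""
    return math.log2(guesses)


def repeated_char_guesses(password):
    """Guesses a mask attack needs if the password is one symbol repeated.

    Trying every symbol of the alphabet at lengths 1..N costs at most
    alphabet * N guesses. Returns None when the pattern does not apply.
    """
    if len(set(password)) == 1:
        return alphabet_size(password) * len(password)
    return None


def seconds_to_exhaust(guesses, rate=ASSUMED_GUESSES_PER_SECOND):
    return guesses / rate


def report(password):
    """Return (brute-force guesses, bits, mask guesses or None) for a password."""
    bf = brute_force_guesses(password)
    return bf, bits(bf), repeated_char_guesses(password)


if __name__ == "__main__":
    # Constructed candidates: the comment's example, 15 a's, and a longer
    # passphrase of the kind the post's author says he switched to.
    for candidate in ("5tl1ylev", "a" * 15, "correct horse battery staple!"):
        bf, b, mask = report(candidate)
        print("%-30r alphabet=%3d  brute force=2^%.1f (%.1e s at assumed rate)"
              % (candidate, alphabet_size(candidate), b, seconds_to_exhaust(bf)))
        if mask is not None:
            print("%-30s  repeated-char mask attack: %d guesses" % ("", mask))
```

Two things the output makes concrete: 36^8 (about 2^41) is small enough that exhaustive search, let alone a precomputed table, finishes in under an hour at the assumed rate, while 26^15 (about 2^70) is not; and the second figure only holds against an attacker who searches blindly, since the mask-attack line shows the same 15-character password falling in a few hundred guesses. Length defeats precomputation; randomness defeats pattern attacks; a password needs both.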