bakednstoned, Mar 27, 2007
Additional notes:

1) Use 3 email addresses (or 4: 1 for work).
1st: junk email. Any form that requires an email address and does not / will not contain sensitive info (i.e. SSN, CC, DL, real address...). Generally for sites you use once and never go to again, but it doesn't have to be.
2nd: sites / services you will use regularly that contain sensitive info.
3rd: personal... this is the one you give out to all your friends (except maybe the FWDers... you know who I am talking about).

2) Only keep registration info in your 2nd email address. As in, forward any semi-valuable registrations from your 1st email address to your 2nd, and then delete them under your first one (assuming you are using a web-based email client). If you value the site enough, change the email address to reflect the 2nd email address. The reason for 1st & 2nd is to cut down the spam in the 2nd.

3) Follow good password techniques for your 3 email addresses... and please do not use for your 2nd email address an address that is bonded to an online screen name (for AIM, Yahoo, MSN...), and if you must... use one that you don't use in its respective program anymore / ever.

After all... if they don't know what email address you used for registering, then they have more work ahead of them before they can figure out your password for it.
grumpyrain, Mar 27, 2007
And another one: if they lock out an IP address for a rolling 24 hours if they guess 10 wrong combos,
and only accept 10 simultaneous connections from a single IP address,
and put an intentional delay of 200 ms before responding with the status,
and double hash, once at the client before transmission, then again by the server.

These sorts of steps are trivial to implement, but greatly increase the cost to check.

Another easy tip is to append or prepend the website to your password, like "gmail.mypassword" or "digg.mypassword". These will hash to very different values, and will add a massive overhead to any brute force attack.

I would rate the highest risk as phishing though. Some of the fake sites I have seen are extremely accurate, and a double v can look very close to a w in many fonts, so a simple glance at the address bar is not enough.
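The server-side part of the policy in the comment above (10 wrong guesses lock an IP out for 24 hours, at most 10 simultaneous connections per IP, a fixed 200 ms delay before every answer), as an added example written for this page. It is not code from the commenter or from any site mentioned in the thread; the demo user, the IP addresses and the helper names are constructed for illustration, and the 10/10/200 ms figures are the ones the comment proposes. The client-side pre-hash the comment mentions is left out, since it does not change the server-side bookkeeping shown here.

```python
import hmac
import time
from collections import defaultdict, deque

# Policy figures from the comment: 10 wrong combinations lock the IP out for
# 24 hours, at most 10 simultaneous connections per IP, and a fixed 200 ms
# delay before the status is returned.
MAX_FAILURES = 10
FAILURE_WINDOW = 24 * 60 * 60   # seconds over which failures are counted
LOCKOUT_SECONDS = 24 * 60 * 60  # how long the lock-out lasts once triggered
MAX_CONCURRENT = 10
RESPONSE_DELAY = 0.200          # seconds

# Constructed demo credential (assumption for this example); a real service
# stores a salted password hash, never the password itself.
_DEMO_USERS = {"alice": "correct horse battery staple"}


class LoginThrottle:
    """Per-IP failure counting, lock-out and connection cap."""

    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        # clock/sleep are injectable so the 24 h lock-out can be exercised
        # in a test without waiting a real day.
        self._clock = clock
        self._sleep = sleep
        self._failures = defaultdict(deque)  # ip -> recent failure timestamps
        self._locked_until = {}              # ip -> time the lock-out ends
        self._open = defaultdict(int)        # ip -> connections in flight

    # --- connection cap -----------------------------------------------------
    def open_connection(self, ip):
        """Admit a new connection from ip unless the cap is already reached."""
        if self._open[ip] >= MAX_CONCURRENT:
            return False
        self._open[ip] += 1
        return True

    def close_connection(self, ip):
        if self._open[ip] > 0:
            self._open[ip] -= 1

    # --- lock-out -----------------------------------------------------------
    def is_locked(self, ip):
        return self._clock() < self._locked_until.get(ip, 0.0)

    def _record_failure(self, ip, now):
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] >= FAILURE_WINDOW:   # forget stale failures
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[ip] = now + LOCKOUT_SECONDS
            q.clear()

    def login(self, ip, username, password):
        """Return 'locked', 'ok' or 'denied'. Every path pays the same delay."""
        now = self._clock()
        if now < self._locked_until.get(ip, 0.0):
            # A locked IP is not told whether its guess was right.
            result = "locked"
        else:
            # Unknown users still go through a constant-time compare against
            # a dummy value so the response does not reveal which names exist.
            expected = _DEMO_USERS.get(username, "\0")
            if hmac.compare_digest(expected.encode(), password.encode()):
                result = "ok"
            else:
                self._record_failure(ip, now)
                result = "denied"
        self._sleep(RESPONSE_DELAY)   # fixed cost per guess, same on all paths
        return result


def max_online_guesses(ip_count, days=1):
    """Approximate upper bound on guesses an attacker holding ip_count
    addresses can make against this policy: MAX_FAILURES per address per
    lock-out period, ignoring the few seconds the guesses themselves take."""
    periods = days * 24 * 60 * 60 // LOCKOUT_SECONDS
    return ip_count * MAX_FAILURES * periods


if __name__ == "__main__":
    throttle = LoginThrottle()
    for n in range(11):   # the 11th guess from one address comes back 'locked'
        print(n + 1, throttle.login("203.0.113.5", "alice", "guess%d" % n))
```

Run the module directly to watch the eleventh guess from a single address answered with "locked"; with an injected clock the expiry of the lock-out can be checked without waiting a day. `max_online_guesses` is the number to set against an offline cracking table: with this policy a single address gets ten tries per day, so the per-second rates quoted for offline attacks are out of reach over the network.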
nielst, Mar 27, 2007
The "how long would it take" table is for offline attacks, btw. You would never get those speeds with Hydra or Brutus, especially not over the internet.

You're better off reading the Wikipedia article he links to, imho...
tech42er, Mar 27, 2007
Reply button == friend.
flashboy131, Mar 27, 2007
EIGHTinchPEENER888 = "Best"
https://www.microsoft.com/athome/security/privacy/password_checker.mspx
randomengy, Mar 28, 2007
Also, don't save your password with Firefox or IE. Someone can see all your saved passwords in plaintext in about 10 seconds: http://www.gtopala.com/
dstz, Mar 28, 2007
I have only two passwords:
One for important and secured sites. Example: "ld2c4t"
One for EVERYTHING else: forums, games, news, etc. Example: "password"
I think that this is a useful thing to do.
codename, Mar 28, 2007
Usually, when someone brute-force attacks a target, they should use a proxy...
darksat, Apr 26, 2007
It's also a good idea to use a pass phrase instead of a pass word.
mvannatter, May 14, 2007
Wow! This makes me smile.
deniksm, Sep 23, 2007
It is so bad to try hacking passwords.