How to make an uber-secure password. READ!


Kwisatz


In tow of my trojan guide, and since I just developed a sudden interest in cryptography and such using computers, I have decided to write a guide concerning the creation of a secure password. This guide will help users to create strong passwords that are unlikely to be brute-forced and harder to crack. So, without further ado, I present to you:

BTTF Man's Ultimate Insider Guide to Strong Passwords

"You weren't trojaned and you were hacked? Are you sure you had a STRONG PASSWORD?!?!"

Disclaimer: This is an agreement between you, the reader and/or user, and BTTF_Man, the author and creator of this guide. This guide may be used by anyone for commercial or private purposes free of charge. However, the author (BTTF_Man) assumes no liability for any damages caused directly or indirectly from the use of this guide. Although the author (BTTF_Man) has made every attempt to make this guide understandable and free of technical, grammatical, and any other type of errors, there may still be some, and the author (BTTF_Man) accepts no responsibility for damages caused by the use of this guide. Damages include, but are not limited to: computer crashes, computer overheating, mind-boggling, obsessive interest in one-way encryption algorithms, baldness, sudden inability to communicate with "normal" people, and being struck by lightning or spontaneous combustion.

I will also make vast incorrect generalizations concerning hackers and stuff, but that's how the public views them, so tough.

Now since that crap is out of the way, I shall delve into the guide itself!

Fundamentals of one-way encryption and password hashing

Contrary to popular belief, when your password is stored on any computer, whether it be your own or AIM's servers, it is not decrypted; rather, it is encrypted permanently. This is called one-way encryption, or hashing. Here, we shall delve into one of the most common forms of password encryption, a standard called MD5.

MD5 is widely used throughout the world for storing passwords and the like, most especially in PHP and Perl. In fact, your forum account's password has been MD5'd. I shall examine an MD5 hash below:

c30bb76b355a39dcd9e73bfb934b380d

An MD5 hash is a 32-character long hexadecimal string that is generated based on a piece of text. For instance, the above is the md5 hash of "fark". In fact, go to here and enter "fark" (without quotes, for those of you who are slow) in the "Input" box, then click MD5. In the "Result" box, you will see the above hash. Click it several more times. As you can see, an MD5 hash of a piece of text is the same EVERY TIME. There is nothing random about it.

So, in a nutshell, you can take any piece of text of any length with any symbols, letters, and numbers in it and generate an MD5 hash. This hash can not be reversed (supposedly) mathematically, and is therefore considered secure and safe for use in passwords...but IS IT?

WARNING: "GEEKY" MATH WITH LOTS OF DIVISION AND EXPONENTIAL EXPRESSIONS. Scroll down to where it says the end of the geeky part and read from there if you aren't interested in the math.

The odds of two pieces of text having the same MD5 hash are so impossibly tiny, but are present. It is 2^64, or 1 in 18446744073709551616. But, MD5 only works well if you have a longer password. If your password is 2 characters long and could have symbols in it, it would take at most 255^2 operations (65025) to guess it, and if it was upper and lowercase and numeric, it would take 62^2 (3844). Now these numbers may seem big, but when you take into account that my 7-year-old computer can do 250,000 guesses when trying to bruteforce or systematically guess the original password, it will take less than a second. But, if your password has symbols, upper and lowercase letters, and numbers in it and is a mere 10 characters long, it will take a conventional 2.7GHz desktop computer, at most, (255^10)/2000000/60/60/24/365 years (or 18431691878 years) to guess your password (unless the person doing the bruteforcing had a supercomputer, in which case it would take a considerably shorter amount of time).

GEEKY PART DONE NOW. READ FROM THIS POINT FORWARD.

So how does all this math relate to you and your password? Well, since we are past the geeky part, I can go on to the layman's explanation.

How to make a strong password (the part you should read)

So, with all these figures in mind, let's just talk for a minute about how a hacker would even go about finding your password.

When I talk about MD5, the MD5 hash is stored on the server, so that only the owner of the web site may get to it, and even then, unless they have powerful resources, they can't decrypt it or bruteforce it. But, there have been vulnerabilities in many pieces of software (PhpBB included) that allow a hacker to obtain MD5 hashes. Even if the hacker cannot get into the database and find your password's MD5 hash, he can still write a program to bruteforce and just guess through the online form, so the program types in your username and tries all possible passwords. This would take as many calculations as bruteforcing the hash itself, but is extremely infeasible because of the time needed for connecting to the server and such.

Anyway, after getting off that tangent, many hackers who are trying to bruteforce a password assume that the user only has lowercase letters and possibly numbers in their password, so they will only look for those when bruteforcing. What does this mean for you? If your password has uppercase letters and symbols (the less commonly-used the better), you are safer against a bruteforce attack. For instance, consider the following two passwords:

abc

a84jf%HR%#d#c-$&*/fdE

Which is more secure? The second one, because it has nonadjacent symbols and upper and lowercase letters, plus some numbers. Granted, the second one could be shorter and still very secure, but this is just for an example.

But, what I haven't touched on are two things: MD5 reverse lookup databases and social engineering.

An MD5 reverse lookup database is a website where a hacker can go and enter an MD5 hash. If the MD5 hash is in the database, then the web page will tell the hacker what the original text (password, in this case) is. If it isn't, he is out of luck. But he can also type in any piece of text and get it added to the database. So this is just a case of hackers helping hackers. If a hacker DOES manage to get your MD5 hash, and it is a common word that may be in the database, then he can find it easily. If your password is football and a hacker enters the MD5 hash of the word "football" into the database, it will probably come up and say that football hashes to that MD5 hash, because it is a common word.

In short, don't use common words. My friend gave me his MD5 hash and bet me $10 I couldn't find out his password (this was after I explained the whole process and method of MD5 to him). I reverse-lookup'd his md5, and his password was, ironically, football (he is not a member of these forums and I have never typed his name on the computer at all, so admins and mods don't flip out). In 5 short minutes I probably could have accessed his email, AIM, and anything else important to him, had he had the same password for all his services. Which leads me to my next point...

If you use the same password for all your services and accounts, then if a hacker finds out one account's password, you're pretty much screwed. But if you have different passwords for all accounts, then you'd only have one account affected. Just common sense, I guess. Now on to social engineering.

A hacker often uses a technique called social engineering to just guess passwords. They will gather all information possible about you: your name, middle name, maiden name (if applicable), your relatives' names, your children's names, your dog's name, your ID number, your EVERYTHING, and then try to guess your password based on those. If your password is your mother's name, there's a pretty good chance that they'll guess it. But this doesn't happen as often as bruteforcing does, because some hackers are nice and assume you're smarter than that (but some don't). So don't do that either. They may also manipulate you into accepting a trojan or into telling them your password (if you get a trojan, see my guide).

And don't make your password something dumb like 1234, q1w2e3, or zxcv.

What you SHOULD do for a secure password

Basically, your password should be upwards of 10 characters long, contain numbers, upper and lowercase letters, and some symbols, the less common the better. It should also be random, if possible. And you should use different passwords for each account you have: your forum account, email account, and IM account should all have different passwords. It should not be a dictionary word or contain any word that relates to you personally.

Those rules of thumb will almost guarantee you a strong password. To recap and list for all you slow people:

At least 10 characters
Random if at all possible
Upper and lowercase letters
Numbers
Symbols, the weirder the better (whee, ~~~tildes~~~ and ```weird apostrophes``` work well)
Nothing stupid, like 1234, password, pass, your username, q1w2e3, or zxcv
Nothing personally familiar to you
No dictionary words

There. You are close to hack-proof. For additional anti-trojan and regular security, read this thread with lots of software links and of course (prepare for shameless plug, third time in this guide) my guide on trojans.

I hope you enjoyed this relatively-exhaustive paper on passwords. Go change yours from your dog's name to f74$&hJJ#4 or something.


handed me TWO tissues to clear up. I was like "i'm going to need a few more paper towels than that luv"
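As an added example (not part of the original post), here is the guide's brute-force arithmetic and its reverse-lookup point worked through in Python, using the guide's own alphabet sizes (255 and 62) and guess rates (250,000/s and 2,000,000/s). The wordlist is constructed, and the salted PBKDF2 hash at the end is a defender-side addition the guide does not discuss, included to show why a shared lookup table stops working once each user gets a random salt.

```python
"""Password keyspace arithmetic and the unsalted-MD5 lookup problem.

Added example, not part of the original forum post: reproduces the guide's
brute-force figures and shows why a "reverse lookup database" works against
plain MD5 but not against a salted, iterated hash.
"""
import hashlib
import os

# The guide's own constant: 60*60*24*365 (no leap years).
SECONDS_PER_YEAR = 60 * 60 * 24 * 365


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from an
    alphabet of `alphabet_size` symbols (the guide's 255^n and 62^n)."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: int) -> float:
    """Worst case: every candidate has to be tried once."""
    return keyspace(alphabet_size, length) / guesses_per_second


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: int) -> int:
    """Same figure in whole years, floored. Integer arithmetic keeps it exact
    even for 255^10, which is a 25-digit number."""
    return keyspace(alphabet_size, length) // guesses_per_second // SECONDS_PER_YEAR


def md5_hex(text: str) -> str:
    """Plain MD5 as the guide describes it: same input, same 32 hex chars, no randomness."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """What a reverse-lookup site holds: a precomputed digest -> word map.
    Unsalted MD5 makes this possible because every site hashes "football"
    to exactly the same value."""
    return {md5_hex(w): w for w in words}


def reverse_lookup(digest: str, table: dict):
    """The original text if the digest is in the table, otherwise None."""
    return table.get(digest.lower())


def new_salt() -> bytes:
    """16 random bytes per user (constructed here with os.urandom)."""
    return os.urandom(16)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Defender-side fix (not in the guide): PBKDF2-HMAC-SHA256 with a per-user
    salt. The same password gives a different digest for every salt, so a
    shared precomputed table is useless, and the iteration count makes each
    guess far more expensive than one MD5 call."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


if __name__ == "__main__":
    # The guide's figures.
    print(keyspace(62, 2), keyspace(255, 2))            # 3844 65025
    print(seconds_to_exhaust(62, 2, 250_000))           # well under a second
    print(years_to_exhaust(255, 10, 2_000_000))         # 18431691878
    print(years_to_exhaust(255, 8, 2_000_000))          # 283455

    # Constructed three-word list standing in for a reverse-lookup database.
    table = build_lookup_table(["football", "password", "letmein"])
    print(reverse_lookup(md5_hex("football"), table))               # football
    print(reverse_lookup(md5_hex("a84jf%HR%#d#c-$&*/fdE"), table))  # None

    # Salting: identical password, two users, two different stored values.
    s1, s2 = new_salt(), new_salt()
    print(salted_hash("football", s1) != salted_hash("football", s2))  # True
    print(salted_hash("football", s1) == salted_hash("football", s1))  # True
```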

That's a really good guide! :D I think this should be stickied so we don't hear "I never had a keylogger or any type of virus and still got hacked, how?"

This really taught me a lot also. Told me about what the odds are, and how hard it is to guess a password.

Thank god I have different passwords for everything, and I use random passwords with "weird" symbols. :D


BTTF... you need to throw all your guides together and start a book called 'The Bible of Computer Security' or something.

That was a good read... an awfully long one, but good nonetheless :wink:

Hopefully now people will actually believe the 100's of security messages that say "make your passwords unique and contain numbers and symbols" :roll: So many 'hackings' could be easily prevented.

Anyways, back on topic. Entaro Adun! Live and let Die!


Nice advice.

An old tech joke: "Who says it's stupid to have your dog's name as your e-mail password? Rr#Tt_fx^2!b, come here, boy!"

Live free or die. First option is exhausted, so guess what remains?


MD5 is all fine and dandy for password encryption, sure. It, however, isn't fine and dandy for file security checksums.

The MD5 hash has been proved to be "broken."

http://www.brokenwookie.com/md5/

  $ cmp file1.bin file2.bin
  file1.bin file2.bin differ: byte 20, line 1

  $ md5sum file1.bin file2.bin
  a4c0d35c95a63a805915367dcfe6b751  file1.bin
  a4c0d35c95a63a805915367dcfe6b751  file2.bin


Good guide but you don't really need 10 characters.

The Government password protocol is as follows:

Do

• Use a minimum of eight characters which includes both characters and numbers (i.e. roder4g6)
• Use UPPER and lower case. (i.e. rOdEr4g6)
• Try to include a symbol within your password if you can (i.e. r+dEr4g6)
• Keep it secure. (Read the Internet, e-mail and Computer Use Policy for further guidance.)
• Remember to use your screensaver password facility
• Change your password whenever prompted
• Lock your PC or log out whenever you are leaving your desk (Closure)
• When you have finished your work don't forget to turn off your computer.

Don't

• Write your password down and leave it on your desk (or under your mouse mat or keyboard!)
• Tell anyone else what it is
• Use family names, nicknames, pets' names or birthdays (i.e. 04june03)
• Use more than one set of repeating characters (i.e. aabbccdd)
• Use a single word that can be found in a Dictionary or Thesaurus (i.e. flagpole)
• Use a short word followed by a sequence of numbers (i.e. ricky123)

Our passwords expire every 28 days and must be changed; we cannot use the same password again. ;)

8 characters is more than enough to be secure. Anything over 6 is pretty hard to brute force.


Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12


> Good guide but you don't really need 10 characters.
> [...]
> 8 characters is more than enough to be secure. Anything over 6 is pretty hard to brute force.

I touched upon everything except the writing down bit (the logging out part doesn't matter if you have a strong password anyway, the file can't be cracked unless it's Windows, in which case yes you should log out).

I'll calculate odds...

Assuming full alphabet (255):

10 characters will take a conventional computer 18431691879 years.
8 characters will take it 283455.

Which are you more safe with?

I'll take 10, thank you. You're right, but what if they had a supercomputer with like 100 Itaniums in it? Then you're screwed too.

My computer password is 25 characters long and has 5 symbols, 3 uppercase, 12 numbers and the rest lowercase letters. How's THAT for security!


 

> 8 characters is more than enough to be secure. Anything over 6 is pretty hard to brute force.
> [...]
> I'll take 10, thank you. You're right, but what if they had a supercomputer with like 100 Itaniums in it? Then you're screwed too.
> [...]

If someone's going to go to the trouble of using 100 processors to brute force a strong 8-character password, then obviously it isn't a normal RuneScape, email, or computer account. A 6-letter password with uppercase and letters is fine for a normal password.


 

 

 

> Which are you more safe with?
>
> I'll take 10, thank you. You're right, but what if they had a supercomputer with like 100 Itaniums in it? Then you're screwed too.
> [...]

You are safer with 10 than with 8. The question is, why bother? Unless your harddrive is 100% encrypted, including Windows itself, it is possible to hack fairly easily. If a skilled user has physical access to your computer, he can gain access to it. Without brute forcing.

You could use the password on Windows, but then again, someone could just use a bootdisk and mount your harddrive as a slave. You could use it on the BIOS, but then again, someone could just flash the CMOS. The *only* way you can ever achieve any real physical security is by encrypting the entire harddrive. This is a major hassle, which will reduce writing speed and prevent you from using many programs.

I'm usually a security freak, but there's a point when it gets silly. Internet passwords for sensitive information are of course another matter, but one should always consider the potential risks and judge how much security is needed depending on it. A complicated password is seriously the least of one's worries.

If someone has resources such as a major supercomputer, they will own your box. No matter what passwords you put on it.


I said this in another thread and I'll say it in this one. Your Windows password isn't as safe as you think unless you disable the LM hash. If the LM hash is enabled your password is converted into all uppercase letters.

Open your registry, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, find the key "nolmhash." If it's set to 0 set it to 1. Your password is now much more secure.

Do this at your own risk. If you edit anything else it can mess up your Windows.


I've never heard of the LAN manager hash having anything to do with the password you create turning uppercase. My understanding is that it is a unique encoded hash that the registry stores and uses for authentication with devices that do not support the new Kerberos authentication protocols.

Specifically, Windows 9x systems need the LAN manager hash enabled to be able to authenticate with each other; this includes Windows NT 4 servers. The LAN manager hash is also necessary for standalone Windows 2000 authentication and any sort of authentication from a client to a Windows NT 4 server.

So unless you are running a Windows XP/Windows 2000 server only network, then this feature should not be disabled. And even then, I fail to see how it will help with your network security; Kerberos authentication is used by default, so the LAN manager hash should be irrelevant on newer computers.


My apologies, the password is converted to uppercase during the LM Response of an NTLM authentication handshake. But this still does not store your password in this fashion. There are still algorithms run against the initial password to create the hash. And even then the hash is used for a 3-way handshake between client/server. I believe the NTLM authentication process would actually require you to be logged on to your computer to begin with; I'm not exactly sure what security process is used for logging onto old Windows 9x computers though.


By the way, you guys got your math wrong. There are 267934565633045025 ways to rearrange a 255 symbol alphabet into 10 symbols long, so that makes bttf's comp be able to find the password in roughly 34076 years, not the billions of years he put up. So say someone's comp can guess roughly 1000000 passwords a sec, they could find your pass in roughly 8519 years. Not that any of this matters because it is still way too long for just one comp to scan. You don't do 255^10, you do (sub 255)C(sub 10).


Tubarina

What the heck is (sub 255)c(sub10)? Exponents are how you calculate it. I know I didn't account for the fact that some pieces of text have identical hashes, but let's examine:

a one-character password would be 255^1, because there are 255 characters.

a two-character password would be 255^2, because there are 255 first characters and 255 second characters possible per first character, so 255*255.

As I said before, this doesn't take into account the odds of having a same hash.


lol. Sorry, I got a little confused. In math we were learning about combinations of things such as pick 5 cards out of 52. To find out how many combinations of 5 cards you can use NCR (n and r are the numbers you plug in but they are subscript), so you do sub52 C sub5. Sorry for the confusion, you were right.

(I was doing math while reading this)


You forgot one important point, which is a standard issue with Cryptography and/or data security. Security must be good enough to force whomever tries to crack it to go to so much trouble that it is worth the information you're trying to protect.

For example, if I have a company secret that would give my concurrent a business advantage of one million dollars, I should make sure that the costs for my concurrent to find and use the data are more than one million dollars. I should not go paranoid and spend a million dollars on its security myself; that would be absolute nonsense.

So, if I have a forum password (as a normal user), then a password of, say, 6 characters would be more than enough. Any non-admin user would have to go to way too much trouble to hack it anyway. On the other hand, when someone cracks an administrator password, the *entire forum* is screwed. Which means administrator passwords should be more secure (i.e., longer, and more difficult to guess). The same goes for the fact that when you have a certificate you use to sign your emails, if someone knows the password for your account on the CA (Certificate Authority, i.e. Thawte for example), then you're very much screwed. So you should pick a password with numbers, lower+uppercase letters, symbols if possible, and it should be at least 12 characters long.
