What makes a good password

General Discussion
You mean using admin/admin like Equifax' Argentina branch is a bad idea?
Numbers and special characters make passwords hard for people to remember and just as easy as letters for computers to crack.

If you really want a secure password, make it longer.

It's true, we have spent years training people to create 8 letter passwords with a combination of letters, numbers, uppercase and/or special characters. All that wasted time, we should have taught people tomaketheirpasswordslongphrases.
09/18/2017 10:59 PM Posted by Spazlord
One way of cracking passwords is to use a dictionary. You get a big list of words and use a script to test every single word against someone's password.


Want to explain a bit further how this works?
Most "incorrect guesses" will lock you out after a few attempts.
09/18/2017 10:39 PM Posted by Boomchack
Hello kittens,

I read an article by experts in cryptology saying using numbers and special characters is useless,
letters are way more secure as they give a probability of 1 to 27 instead of 1 to 10 for numbers...


That's not exactly what the article says.

It points out that most people use a capital letter at the start of a password and numbers at the end. Which is true... I've done it myself.

However, they also pointed out that using symbols and making the password long is what makes it more secure.
allenludden
09/18/2017 10:39 PM Posted by Boomchack
Blizzard, give us the possibility to secure our accounts.

I mean, there's always the Blizzard Authenticator
"correcthorsebatterystaple"

https://xkcd.com/936/
I always use 8-10 digit passwords with upper case, lower case and some numbers. There was an excellent gif on Imgur a while ago that outlined the difficulty at which certain programs could hack passwords and showed in hours, days, weeks and years of time it would take to crack depending on length and randomness.
"I like using nonsensical sentences, that have a few letters replaced by numbers, and bad spelling. No matter what word program they use, if the words aren't spelled correctly, it won't find them."
One number won't kill you
09/19/2017 04:58 AM Posted by Waternebula
One number won't kill you


And someone isn't going to put that much effort into breaking a password and authenticator just for the 200g on your account.

Seems that hacked accounts are the result of buying shady services, going to shady websites, phishing, etc.
https://www.grc.com/haystack.htm
09/19/2017 05:04 AM Posted by Tovi
And someone isn't going to put that much effort into breaking a password and authenticator just for the 200g on your account.

Seems that hacked accounts are the result of buying shady services, going to shady websites, phishing, etc.


For WoW, social engineering, keylogging, and fake sites have been the usual suspects in account theft. Though some guild websites and the like have been hacked and people tend to reuse passwords.

I'm not aware of brute force being used (and apparently will cause the game to lock you out after a certain number of attempts). Blizzard also checks IP address and locks people out if it's suddenly coming from the other side of the world.

In general, I see a couple of posts from people in the thread repeating what's simply not going to help against brute force. Symbols and numbers added to short phrases really don't add additional security. What they do add is complexity that makes users post them on sticky notes on the computer screen.

Computers are so fast and so capable they can ram through those. Longer passwords take longer. But they're not unbreakable either. Biometrics are being bypassed by various trickery these days, too.

Passwords don't make us that much safer any more. Multi-factor authentication systems are tighter. However even authenticators can be defeated. Though personally I think the methods of doing so are more trouble than they're worth considering the number of accounts without that security.
- Use unique passwords for every single service.

This is a point I don't see driven home often enough. If you've ever submitted a password anywhere, assume someone else has it. If they can tie it back to your username or email address, they can and will get into other accounts that share those credentials. Read up on credential stuffing to learn more about that.

https://www.owasp.org/index.php/Credential_stuffing

- Enable 2-factor authentication when possible.

Even if someone does get your password, it'll be less likely they'll be able to enter that 6 digit PIN in time. Physical tokens are better.

Those two things should keep you safe against most stuff.
Oh, just use mine: 8675309. It's secure because you have to hum the tune when you type it.

8/
My advice on passwords

1. Choose a word that means something to you. Make one of the letters capital but which letter will shift when you change the password.
2. Replace all of its vowels with some other character and insert a special character that you move around when you change the password
3. Tack on a month-year indicator that helps you remember when you should change the password.
4. Stick in some filler characters around the month-year digit that you shift when you change the password.

For example, let's say your special word is "warcraft" and you want to change it 2 months from now (Nov 2017).
Replace the vowels with a "k" and put a + somewhere in the word.
W+krcrkft
Add on the change date and its fillers
W+krcrkft(11(17

When you change it in Nov, move the fillers and change which letter is capitalized and the next change month/year (Jan 2018)
wk+Rcrkft18(1(

Then in Jan 2018 you change it for March 2018 and shift the fillers/capital
wkr+Crkft3)18)
09/19/2017 05:40 AM Posted by Tinkerizmo
Replace the vowels with a "k" and put a + somewhere in the word.
W+krcrkft
Add on the change date and its fillers
W+krcrkft(11(17

When you change it in Nov, move the fillers and change which letter is capitalized and the next change month/year (Jan 2018)
wk+Rcrkft18(1(

Then in Jan 2018 you change it for March 2018 and shift the fillers/capital
wkr+Crkft3)18)


To a computer brute forcing the password, all of these are identical. They don't care about the numbers and symbols. The speed they can run through the possibilities is only restricted by the system itself. (The server shouldn't allow multiple password tries per second--and that's something we don't control.)

Unfortunately, most password systems are fixed length. Like "pick something between 6 and 8 characters." So you can't really help those systems. Pick something you can remember easily.

What you do with the above is increase the probability that you'll forget the password so you write it down. Which makes it less secure. I know a guy that has a book of passwords. On his desk. Which is left there every day.

Realistically, we're trying to prevent a human from guessing our password. So don't use something personal. Don't use something like a pet name or children's birthdays. Use a nonsense phrase and you're going to succeed at that. But we can't stop brute force unless we significantly increase the password length.
09/19/2017 02:56 AM Posted by Virus
upper case


Fun fact.

Your Blizzard passwords don't recognise uppercase letters.
This is really only pertinent to people actually attempting to hack your account, which doesn't happen. Account compromises are generally a result of keyloggers or perhaps phishing, in which case it doesn't matter what your password is because you gave it to the people breaking into your account.
Password length is the greatest contributor to the number of combinations of the characters you're using. While using upper and lower case, numbers, and symbols will take the number of combinations of an 8 character password from E11 to E14, using a 10 character password with just lower case takes the number of combinations to E14 by itself.

Obviously length + possible characters is greater but the single greatest contributor to password complexity is length.

Of course once quantum computers come online you can throw all this and all modern encryption in the trash can but for now it works. :)
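An added worked example, not from the thread, that puts numbers on the argument above: it computes the keyspace in bits for the policies discussed (8 lowercase, 8 mixed, 10 lowercase, longer), for the "capital first, two digits last" shape an earlier post describes people actually using, and for an xkcd-style four-word passphrase, then the worst-case time to try every candidate at an assumed guess rate. The character-class sizes, the 2048-word list and the 1e10 guesses/second offline rate are assumptions.

```python
import math

# Character-class sizes are assumptions; 33 is the printable ASCII punctuation.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from
    alphabet_size symbols.  Human-chosen passwords have less than this."""
    return length * math.log2(alphabet_size)

def templated_bits(length: int) -> float:
    """Keyspace of the shape the thread says people actually use: capital
    first letter, lowercase middle, two digits at the end.  The classes
    sit in fixed positions, so only 26^(n-2) * 10^2 candidates exist."""
    return (length - 2) * math.log2(LOWER) + 2 * math.log2(DIGITS)

def passphrase_bits(dictionary_size: int, words: int) -> float:
    """xkcd-style passphrase: words drawn uniformly from a word list."""
    return words * math.log2(dictionary_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate.
    An online login with lockout is nearer 1 guess/s; offline cracking
    of a stolen hash database can run at 1e10 guesses/s or more."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def compare(guesses_per_second: float = 1e10) -> dict:
    """(bits, years to exhaust) for the policies argued about in the thread."""
    policies = {
        "8 lowercase": keyspace_bits(LOWER, 8),
        "8 mixed case + digits": keyspace_bits(LOWER + UPPER + DIGITS, 8),
        "8 all four classes, random": keyspace_bits(LOWER + UPPER + DIGITS + SYMBOLS, 8),
        "8 all classes, Capital...99 shape": templated_bits(8),
        "10 lowercase": keyspace_bits(LOWER, 10),
        "16 lowercase": keyspace_bits(LOWER, 16),
        "4 random words from 2048": passphrase_bits(2048, 4),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in policies.items()}

if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:36s} {bits:6.1f} bits  {years:12.3g} years")
```

Note that the templated 8-character "complex" password has a smaller keyspace than 8 random lowercase letters, which is the thread's point about predictable placement of capitals and digits.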
