
(Archived) Password quality



Amazing that passwords don't allow the use of double quotes. I get seriously worried after the security breach that a character like that is omitted. Probably because of doubts about what can be inserted. However, every other decent service on the web can handle this.

 

I hope the management of Evernote has placed the responsibility for the security breach within the Evernote organization and taken proper actions!

 

Best regards,

Premium user since Dec, 2008


Evernote has already said that it's carrying out a security review,  so there will be changes coming - not sure that allowing one extra character will make a huge difference to password security.  The length and general randomness of the content are the main features,  and even if upper and lower case were the only content you get 52x52x52... possible variations for each extra 'digit' of the password.


My password is "fourrandomcommonwords", do you think that's a good one?

 

Is this a serious question? Okay, okay, I'll bite:

 

- your password is not optimal as the words are semantically connected to each other. On the other hand, it's long and much safer than, say "+(8|&2=

- of course the password is now not safe anymore as it is on the internet

- you might want to look at http://blog.agilebits.com/2011/08/10/better-master-passwords-the-geek-edition/ for a geeky, but very readable blog post on this subject


Is this a serious question? Okay, okay, I'll bite:

 

- your password is not optimal as the words are semantically connected to each other. On the other hand, it's long and much safer than, say "+(8|&2=

- of course the password is now not safe anymore as it is on the internet

- you might want to look at http://blog.agilebits.com/2011/08/10/better-master-passwords-the-geek-edition/ for a geeky, but very readable blog post on this subject

No, it actually wasn't a serious question (and no, it's not my actual password -- it'd be silly of me to be posting it in public, no?). But thanks for the link -- I'll peruse, and maybe Evernote it.

Didn't follow why there's all this chatter about bits n stuff - a quick spreadsheet calculation tells me that as long as you're using more than 8 characters in your passwords, and they're completely random collections of upper and lower case plus numbers and non-alpha characters, even if you can try passwords at 1,000 per second, it will take an estimated 8 million years to brute-force crack it.

 

Throw in the fact you don't actually know how long the password is in the first place,  and the cracker might as well go buy a wrench.  It would be much faster.  That link presupposes that you need to remember the password,  so you chose a Well Known Phrase with initial caps - which is way longer than 8 characters,  but only involves 52 options for each character.  Faster to crack - no wrench required.

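The spreadsheet arithmetic behind the post above, written out as an added example (not from the thread or from Evernote): keyspace, entropy in bits and expected brute-force time at the 1,000 guesses/second rate the post assumes. The 52-letter alphabet comes from the thread; the 94-character printable-ASCII alphabet and the 7776-entry word list (Diceware-sized) are assumptions of this example. It also checks the "attacker doesn't know the length" point: summing over all shorter lengths adds less than one extra character's worth of work.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn uniformly at random."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Passwords of every length 1..max_length: what an attacker who does not know the length must cover."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def entropy_bits(space: int) -> float:
    """Bits of entropy for a password chosen uniformly from `space` possibilities."""
    return math.log2(space)


def expected_crack_years(space: int, guesses_per_second: float) -> float:
    """Average years to hit a uniformly random password: half the keyspace at the given guess rate."""
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


def unknown_length_bonus(alphabet_size: int, length: int) -> float:
    """Ratio of the unknown-length search to the known-length one; it is only about 1 + 1/(alphabet-1)."""
    return keyspace_up_to(alphabet_size, length) / keyspace(alphabet_size, length)


def compare(guesses_per_second: float = 1_000.0) -> dict:
    """Entropy (bits, rounded) and expected crack time for the schemes discussed in the thread."""
    schemes = {
        "9 random letters": keyspace(52, 9),                    # upper + lower case, from the thread
        "9 random printable chars": keyspace(94, 9),            # assumed: printable ASCII minus space
        "4 random words (7776-word list)": keyspace(7776, 4),   # assumed: Diceware-sized list
    }
    return {
        name: (round(entropy_bits(space), 1), expected_crack_years(space, guesses_per_second))
        for name, space in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:5.1f} bits  ~{years:,.0f} years at 1,000 guesses/s")
    print(f"unknown length, 52-char alphabet, up to 9 chars: x{unknown_length_bonus(52, 9):.3f} more work")
```

Note that the words-based figure only holds when the four words are picked at random from the list; a phrase chosen for meaning, as the earlier reply points out, has far fewer likely candidates.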

That link presupposes that you need to remember the password,  so you chose a Well Known Phrase with initial caps - which is way longer than 8 characters,  but only involves 52 options for each character.  Faster to crack - no wrench required.

Note: I am not a security geek, so take anything I say about this with a large rock of salt.

But the linked article was exactly about creating passwords that you can remember easily ("Master Passwords"). And second, nowhere did it recommend using a Well Known Phrase. The linked article also recommended that you combine their method with a system of your own, which might include adding in extra non-alphabetic characters.


Slight typo on my part there - the 'you chose' should have been 'you choose', and I was meaning that if you choose a phrase so that it is memorable, it is much less secure than a truly random one. That's not to say it's unusable - if there are 9 characters or more in your phrase, you're still talking thousands of years for a random crack - but then if I were a truly sneaky hacker I'd have some social engineering tricks that tell me what words you might use. And I might've bought your email and a password you used elsewhere off the internet to give me a head start.

 

No dispute here though - just the longer and more random your passwords are,  the better;  and you still need to change 'em frequently.  Some providers might not tell you if their password store gets hit...
