
Is my password strong enough


AdvancedSetup

Recommended Posts

  • Root Admin

The following links provide examples of password strength.

Please note these sites are not related to Malwarebytes and are provided for reference only, not as an endorsement of any kind.

 

NIST 800-63 Password Guidelines
https://securityboulevard.com/2019/03/nist-800-63-password-guidelines/

NIST Password Guidelines and Best Practices for 2020
https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/

 

Example of why a longer password is more secure

The following password will often satisfy most business password requirements.
aA2@password123

The following password, which does not use the recommendations of numbers and symbols, still tests as more secure:
ThisPineapplemusketCoffee

 

There is nothing wrong with adding numbers and symbols, but it should be something you can remember without writing it down, or use a Password Manager to make it much easier.

Also, remember: DO NOT use the same password on more than one site. All sites should have and use their own unique password, which is why using a password manager today makes it much easier to manage.

It is highly recommended that you DO NOT use single sign-on web links (Facebook, Google, etc.) that allow you to log onto other sites.

 

https://bitwarden.com/password-strength/

https://password.kaspersky.com/

https://www.passwordmonster.com/

https://lastpass.com/howsecure.php

https://www.csa.gov.sg/gosafeonline/Resources/Password-Checker

https://www.uic.edu/apps/strong-password/

 


Edited by AdvancedSetup
Updated information
  • Like 2

I'm not sure what you mean by "encryption algorithm". The encryption algorithm is the tactic and methodology that uses a Key to scramble a file, stream or data set into a new format that, with that Key, can be reversed back into the original format. The encryption algorithm may be a complex mathematical equation that can and will vary. The Key is something like a PKI Certificate or a Password. XChaCha20 appears to be a password.

The "strength" of a password, and thus the complexity of obtaining it, increases as a function of the number of characters and the type of characters being used.

XChaCha20 only uses 9 characters, consisting of Upper Case, Lower Case and Numbers.

Usually most systems request a minimum of 8 characters, and that was 9. So while it is not bad, it isn't great. However, it does not use Special Characters [Example (1): ! @ # $ % ^ & * - _ ~ ], which increase the complexity of the password and thus its inherent Strength.

So I think XChaCha20 is not strong enough as compared to the following derivative examples: X!ChaCha20$ , XCha-Cha$$20 , !XCha$Cha20! , -XCha**Cha20- or X-Cha-Cha-20

A really strong password is at least 10 Characters consisting of...

  • 2 x Upper
  • 2 x Lower
  • 2 x Numbers
  • 2 x Special Characters

Reference:
https://en.wikipedia.org/wiki/Password_strength


1. Some systems don't allow Special Characters or have a limited subset of usable characters.

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
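Added example (not from the thread or any product mentioned in it): a small Python script that models the two rules of thumb above, the first post's "a longer passphrase beats a short complex password" comparison and the 2/2/2/2-and-at-least-10-characters rule. It assumes an attacker who knows only which character classes the password uses; the 10,000-word dictionary size in the last function is a constructed figure.

```python
import math
import string

# Both passwords come from the first post in the thread; all other values
# below are constructed for this example.
SHORT_COMPLEX = "aA2@password123"
LONG_PASSPHRASE = "ThisPineapplemusketCoffee"

# Alphabet size an attacker has to search for each character class.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": len(string.punctuation)}


def char_classes(pw: str) -> dict:
    """Count how many characters of each class the password contains."""
    counts = {cls: 0 for cls in CLASS_SIZES}
    for ch in pw:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def brute_force_bits(pw: str) -> float:
    """Search space in bits for an attacker who knows only which character
    classes are used and must try every string of that length."""
    counts = char_classes(pw)
    alphabet = sum(size for cls, size in CLASS_SIZES.items() if counts[cls])
    return len(pw) * math.log2(alphabet)


def meets_rule(pw: str, min_len: int = 10, per_class: int = 2) -> bool:
    """The 2 upper / 2 lower / 2 digits / 2 specials, at least 10 chars rule."""
    counts = char_classes(pw)
    return len(pw) >= min_len and all(n >= per_class for n in counts.values())


def word_list_bits(n_words: int, dictionary_size: int = 10_000) -> float:
    """Caveat: if the attacker knows the passphrase is n_words common words
    from a list of dictionary_size words, only the word choices count."""
    return n_words * math.log2(dictionary_size)


if __name__ == "__main__":
    for pw in (SHORT_COMPLEX, LONG_PASSPHRASE, "XChaCha20", "X!ChaCha20$"):
        print(f"{pw:28} {brute_force_bits(pw):6.1f} bits  rule ok: {meets_rule(pw)}")
    # Four words from a 10,000-word list give ~53 bits, far below the
    # character-level estimate: the words must be chosen at random, not guessable.
    print(f"4 dictionary words: {word_list_bits(4):.1f} bits")
```

The 25-character passphrase scores about 143 bits against 98 for the 15-character "complex" password, yet fails the 2/2/2/2 rule, which is why the two posts reach different conclusions.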

Hi Dave,

I should have given context and attribution.

This particular combination came from a NordPass blog by Lukas Grigas: https://nordpass.com/blog/lastpass-breach/. This blog post contains Lukas's reasons why NordPass users can feel more confident about using their product, especially if the LastPass breach makes you averse to all password managers.

He writes: "First, one of the key elements of NordPass is that it is a zero-knowledge password manager equipped with an advanced encryption algorithm known as XChaCha20 to ensure protection of everything you store in NordPass."

What is a zero-knowledge password manager?


Greetings. I'd like to have updated thoughts about password managers. I'm still learning the basics. I've read the following posts:

https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/ written 7/10/2020

https://www.howtogeek.com/811527/what-is-zero-knowledge-encryption/

https://1password.com/features/zero-knowledge-encryption

Please forgive me for mentioning Google https://passwords.google.com/intro That's like fast food, convenient, but bad for you. From what I've read Google's password/log was originally created for Chrome. It suddenly appeared on my desktop, where I never use Chrome. I did borrow and use a Chromebook for college courses. Syncing was not enabled.

True confession: yes, I used it. It became corrupted and suddenly, one day in 2020 POOF. 158 entries gone.

I'd already kept a list on paper which carried me through to 2023. Now I'm checking all my passwords through these sites:

https://www.comparitech.com/privacy-security-tools/password-strength-test/

https://www.uic.edu/apps/strong-password/

 

Perhaps once I commit to a password manager, I'll leave this all behind.

1. Considering the LastPass breach, does your advice still stand with recommending ANY password manager?

2. Do you see advantages or disadvantages between keys or no keys?

 

Thanks for your time.

Edited by NewTricks

Instead of trusting a 3rd party application, take control and manage them by yourself by placing all the data in a Password protected and encrypted Excel Spreadsheet.

In the spreadsheet each column holds the type of data and each row represents a particular site.

For example

  • Column A - Site Description
  • Column B - URL
  • Column C - Login Name
  • Column D - Password
  • Column E - Other data such as Challenge Question blurbs and answers

Similar sites can be grouped together on a per-TAB basis:

  • TAB 1 - Online Sites
  • TAB 2 - Gov't sites
  • TAB 3 - Health
  • TAB 4 - Web Forums
  • TAB 5 - Job sites

The below references will provide a "How To" for password protecting an Excel file and also discuss default Encryption levels and types. Give the XLS file a non-descriptive name so as not to create a Red Flag "Look at Me!", using the same Password Strength rules...

  • 2 x Upper
  • 2 x Lower
  • 2 x Numbers
  • 2 x Special Characters

But make it at least 14 Characters long.
 

If you REALLY want to protect it, you can place that Password Protected Excel file in a Password Protected ZIP or RAR file. Just make the Archive password slightly different, such as the XLS password + 2 more Characters.

Basically a Double Wrapped protected object.

References:

 

 

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
  • Like 1

Thank you Dave/David, not sure which you prefer,

I've done a Word file table, only because occasionally Excel doesn't perform as expected. I've never solved the "why." 

The only downside of my process has been naming, grouping and organizing, but your examples of tab labels give me hope. Now I must learn how to password protect that file. I appreciate having the online learning links because they have a variety of options, from simple to more complex.

I feel better because I'm still apprehensive about using a 3rd party. 

  • Like 1

  • Root Admin

I do not concur with @David H. Lipman

There are online Cloud services that can crack the password offered by Microsoft Excel. They don't brute force the AES code; they appear to somehow attack Excel and obtain the password. I know because we paid and had one cracked for us before, and they returned the password to us the same day.

To my knowledge that is not the case for true password managers.

 


Thank you @AdvancedSetup. This answers the question of why you and Dave disagree. I read a little about the coding of the Excel password (naturally I didn't totally comprehend) but enough to realize that over time their encryption standards have evolved, definitely not good enough from your experience. 😬

It seems that regardless of what system is used, there's going to be a balance between risk and/or inconvenience. The good news is I'm being educated to make better choices. Reading about the NIST guidelines, particularly length, has been enlightening. Every little bit helps.

 

 


Yes.  Note what @AdvancedSetup had indicated "...because we paid and had one cracked for us ".

So first there would have to be ingress, physically or logically, to the system where the Password Protected Excel file is located. Then the malicious actor would have to know that that file should be targeted. As I wrote, "Give the XLS file a non-descriptive name so as not to create a Red Flag "Look at Me!"". Then they would have to have a strong need to access the nondescript Excel document's contents and pay to have it cracked. What was not described in the crack event was the MS Office version, password strength and the actual encryption algorithm that was applied and its associated bit depth (128, 256, etc.).

There are a lot of hurdles.  Unless you are a High Value Target (HVT) then those hurdles will not even be attempted.

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar

Thank you both for giving me more information about the how-to's and the whys. I don't want to make assumptions and behave in ignorant or reckless ways.  

I was 35 years old when I encountered my first computer; tech is not easy or natural to me, but extremely useful. 

30 minutes ago, AdvancedSetup said:

If not now perhaps within a few more years as various newer and faster systems and technology come along.

At the rate life is changing, this is guaranteed. I'm preparing for the ride. 


I taught my personnel to create a Private Password Algorithm. This way they knew what the passwords were, what they are today and what they will be at the end of the present password cycle.

 

 

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
