Choose a less commonly used password
commonly used password
1 commonly used password
2 commonly used password
3 traditional password
См. также в других словарях:
Password cracking — is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password. The purpose of password cracking might be to help a user recover a… … Wikipedia
Password — For other uses, see Password (disambiguation). A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password… … Wikipedia
password fatigue — /paswɜd fəˈtig/ (say pahswerd fuh teeg) noun a level of frustration reached by having too many different passwords to remember, resulting in an inability to remember even those most commonly used … Australian English dictionary
Password strength — is a measurement of the effectiveness of a password as an authentication credential. Specifically, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to correctly guess it. The… … Wikipedia
Password synchronization — is defined as any process or technology thathelps users to maintain a single password that is subject to a singlesecurity policy, and changes on a single schedule across multiple systems.Password synchronization is an effective mechanism for… … Wikipedia
Self-service password reset — is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a… … Wikipedia
Cognitive password — A cognitive password is a form of knowledge based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. Cognitive password systems have been researched for many years and … Wikipedia
Random password generator — A random password generator is software program or hardware device that takes input from a random or pseudo random number generator and automatically generates a password. Random passwords can be generated manually, using simple sources of… … Wikipedia
Parallel ATA — ATA connector on the right, with two motherboard ATA sockets on the left. Type … Wikipedia
Unix security — Unix security: maintaining a secure environment on Unix and Unix like operating systems is dependent on design concepts of these operating systems, but vigilance through user and administrative techniques is important to maintain security… … Wikipedia
File Allocation Table — For other uses, see Fat (disambiguation). FAT Developer Microsoft Full Name File Allocation Table FAT12 (12‑bit version) FAT16/FAT16B (16‑bit versions) FAT32 (32‑bit version with 28 bits used) Introduced … Wikipedia
Choosing A Master Password
All you need to know about generating a master password
“One password to rule them all”
It has become standard advice for online users to have strong, unique passwords for all their online accounts. Not without reason: a data breach at one company with a poorly protected user database leads to attackers having huge lists of email addresses and associated passwords some of which will work on other companies’ websites.
With many users now having signed up to over one hundred accounts requiring password login, following this advice would necessitate memorizing an impossible number of different passwords.
A potential solution to this problem is to have one master password, which is then varied in a specific way based on the name of the online service. A simple example of this would be to replace some letters of the master password with the first two and last two letters from the services’ name. The downside of such a system is that it would only take two of these passwords to be revealed from data breaches for an attacker to work out the system. Thereafter, the attacker would know all the users’ passwords across all their accounts. For some of the simpler substitution methods, a single data breach may be enough.
There really is no substitute for using strong passwords, unique to every online account.
It is wholly impractical to expect users to memorize over one hundred passwords. These passwords need to be stored somewhere, and preferably backed up. Two potential choices are: (1) store them as an encrypted file, or (2) use one of many password managers (such as LastPass, 1Password, Dashlane, KeePassX, etc.). Whatever your choice, you will need a ‘master’ password — a password giving you access to all your other passwords. This master password will need to be memorized, and will itself need to be very secure, as behind it lies access to all your online accounts.
Master Password Choice
Choosing a master password should be taken seriously. If compromised, your entire online identity could be blown wide open — everything from email to banking, social media, and arguably worst of all: cryptocurrency accounts.
So how do you choose a master password? It needs to have three qualities: (1) strong (so it can’t easily be broken), (2) memorable (so you don’t forget it), and (3) relatively quick to enter on a keyboard and touchscreen.
Provided you keep your master password secret, an attacker will need to attempt a brute-force attack against your password — in other words making repeated guesses of your password. Depending on the type of authentication each site uses, and whether their user account data has been breached, it can be possible for billions of password guesses to be made every second. Moreover, attackers have access to vast databases of known passwords (from historic data breaches) and dictionary words, which when coupled with common letter substitutions and known common password patterns can help them guess likely more passwords first.
The strength of a password is defined by how many guesses an attacker would need to make on average to correctly guess it. The name of the game is to make your password as hard to guess as possible. This is achieved by maximizing three parameters: length, complexity, and randomness. The randomness of a password can be quantified by the term ‘entropy’.
What is Password Entropy?
In its simplest definition, password entropy is a measure of how unpredictable (or random) a password is. It is traditionally expressed in ‘bits’, where a bit is a binary digit representing two possible states (on or off, true or false, 1 or 0). For example, password with 10-bit entropy would be one that is equally likely to be one of any 1,024 possibilities (1,024 = 2¹⁰ = 2x2x2x2x2x2x2x2x2x2).
You can determine the entropy of any randomly generated password from its length and the character set used. For example, if you were to randomly choose an 8-character password using only the 26 lowercase letters, the total number of possible passwords is 26⁸ (slightly more than 208 billion). This translates to just over 37-bit entropy (found by calculating the base two logarithm of 26⁸). A password such as this is too weak to use as a master password. Depending how the password is stored, it could be susceptible to being cracked by brute force.
Note that a password must be chosen completely randomly from all the possible options, otherwise its entropy is reduced. Using the 8-character lowercase letter password ‘password’ would not count as 37-bit entropy, since not only is that one of the most commonly used passwords used but it’s also a dictionary word. Attackers will check all common passwords and dictionary words first and hence would crack this password after far fewer than 208 billion attempts.
It is very hard to assess the entropy of user-chosen (non-random) passwords. This is because humans choose passwords that tend to follow predictable patterns: using whole words and names, predictably substituting certain letters for numbers and symbols, etc. The best way to maximize the entropy of a new password is for the password to be selected as randomly as possible.
It’s worth pointing out that for every 1-bit increase in password entropy, it would take an attacker on average twice as long to crack the password (as there are twice as many possible passwords). In this way, a 50-bit password is twice as hard to crack as a 49-bit one, and 1,024 times as hard to crack as a 40-bit password.
Maximizing Password Strength
It’s clear that longer random passwords are harder to crack than short passwords, as are passwords which are composed of a larger number of possible characters (the character set). What’s not so obvious is that lengthening passwords is much more effective in strengthening them, compared with expanding the character set.
Let’s take the earlier example of our 37-bit password (8 characters long, randomly composed of lowercase letters only). Doubling the character set to include uppercase letters would increase our password strength to 45-bit. However, simply adding two more characters (making the password 10 characters long rather than 8) is more effective, yielding a password strength of 47-bit. It is also arguably faster to type 10 lowercase letters than 8 mixed case letters (especially on a touchscreen) — likely easier to remember it also.
Doubling the length of the password to 16 characters has an astounding effect, taking the strength to over 75-bit. In mathematical terms, the length of the password is exponentially more important than size of the character-set used.
When choosing how strong a password to create, it’s a compromise between ensuring enough entropy that a brute force attack will take an impractical length of time, and ensuring the password isn’t too hard to remember or type out.
1Password recommend at least 40 bits of entropy and consider 75 bits of entropy to be a ‘full green bar’ in their ranking system. William McLaughlin, a Security Analyst at Independent Security Evaluators recommends a minimum of 80 bits of entropy to protect against offline attacks, as a compromise between usability and security.
Strong Password Examples
Below are examples of passwords that meet at least 80 bits of entropy.
- Using uppercase and lowercase letters plus numbers (case sensitive alphanumeric) needs 14 characters:
- Lowercase letters and numbers only (alphanumeric), you would need 16 characters:
- Lowercase letters only, it would be 18 characters long:
These passwords are all about as short as possible (given their character sets), whilst still having at least 80-bit entropy. However, they are not necessarily easy to remember. If this is what you are thinking, then a passphrase may work better for you.
There are a number of ways of generating passphrases randomly. One of the early examples was Arnold Reinhold’s Diceware list from 1995. It uses rounds of five dice rolls to select words at random from a list of 7,776 words.
Recently, the Diceware word list has been improved upon by the Electronic Frontier Foundation (EFF) based a word recognition research carried out at Ghent University’s Center for Reading Research. It is a list of well recognized and concrete words, with insulting and difficult to remember words removed.
The EFF recommend a six-word passphrase generated using this list of words, which would give 77 bits of entropy. However, to be consistent with our previous examples which met or exceeded 80 bits, we will use seven words (which actually gives 90-bit entropy). Your passphrase would then look something like this:
There are pros and cons to using a passphrase. On the one hand, many people find them easier to remember compared to a string of characters (despite being longer). The downside is that passphrases can take longer to type, particularly on a touch screen.
How to Choose a Password Randomly
Computers are not able to generate passwords completely randomly, which is why these random number generators are referred to as ‘pseudo-random’. The deterministic nature of computation makes it impossible to say that any number generated is completely ‘random’. For this reason, it may not be wise to have your master password generated by a password manager, or indeed on a computer at all.
This is another reason why the Diceware / EFF word list for generating passphrases from dice rolls will create for you a very good random master password with reliable entropy.
Your master password will become the master ‘key’ to your complete password vault — where login details to all your individual services and websites are kept. It is also important these passwords to be chosen as randomly as possible. Most password managers will offer an option to generate unique pseudo-random passwords based on your chosen character set and length. This is certainly good enough to use for each individual online account. For these passwords, you do not need to worry about how easy they are to enter or remember: in theory you should never need to manually enter them, nor remember them.
Setting your password manager to generate 16-character passwords using lower and uppercase letters, numbers and symbols for all your passwords should be sufficient. Assuming 8 symbols are included in this character set, these passwords will have an entropy of 98-bit. Bear in mind they do not need to be remembered.
This post simply covers considerations when generating a master password, a small but important part of the much greater subject of online security. You can create an incredibly strong master password, say 256-bit entropy, and still have your online accounts comprised in a countless number of ways other than a brute force attack. Ensuring a strong master password is one step in many steps required to secure your online security, and in no way replaces the need for other forms of security.
A few other relevant recommendations include:
- Keep your master password secret, not just from casual observers, but also from sophisticated viruses, compromised websites, key loggers, etc.
- Refuse to complete ‘memorable information’ requests (such as mother’s maiden name, name of first pet, etc.), or where mandated treat them as additional strong unique passwords (never enter them ‘honestly’).
- Use Two-Factor Authentication (2FA) wherever available, and certainly for important accounts like email and cryptocurrency related websites. 2FA where a code is sent via SMS to your phone number is not a secure form of 2FA, as your phone number can easily be ‘stolen’ from you.
If you found this article interesting, please hold down the clap button below. Follow me on Medium to see more content like this.
I am currently working on EdgeFund, an open-source platform which offers a decentralized shared bankroll on the Blockchain. To learn more about EdgeFund, please visit our website. Join our Telegram group to chat to the team and follow us on Twitter!
Choose a less commonly used password
Published: 19:12 BST, 25 October 2012 | Updated: 21:03 BST, 25 October 2012
Want to guess someone’s password? Try password, researchers have claimed.
An annual study of the most commonly used passwords has found that password, 123456 and 12345678 are still the most commonly used passwords — despite years of security experts urging people to change them to more secure versions.
‘Just in time for Halloween comes something that might scare anyone who spends a lot of time online: SplashData’s annual list of the most common passwords used on the Internet and posted by hackers,’ the researchers said.
Scroll down for video & password safety tips
The most common passwords have been revealed — with password topping the list
The Worst Passwords of 2012, including their current ranking and any changes from the 2011 list:
1. password (Unchanged)
2, 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)
‘Users of any of these passwords are the most likely to be victims in future breaches.’
The latest list comes following 12 months of high profile hacks that have revealed user passwords.
Yahoo, LinkedIn, eHarmony, and Last.fm have all suffered major breaches.
Share this article
However, some people have updated their passwords, and the research found new entries to this year’s list include ‘welcome’, ‘jesus’ ‘ninja,’mustang’ and ‘password1.’
The firm behind the study, Splashdata, warned users to change their password.
‘At this time of year, people enjoy focusing on scary costumes, movies and decorations, but those who have been through it can tell you how terrifying it is to have your identity stolen because of a hacked password,’ said Morgan Slain, SplashData CEO.
‘We’re hoping that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.’
SplashData’s top 25 list was compiled from files containing millions of stolen passwords posted online by hackers.
The company advises consumers or businesses using any of the passwords on the list to change them immediately.
‘Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets,’ Slain said.
‘Just a little bit more effort in choosing better passwords will go a long way toward making you safer online.’
CHOOSING A SAFE PASSWORD
SplashData suggests making passwords more secure with these tips:
- Use passwords of eight characters or more with mixed types of characters.
- For example, ‘eat cake at 8!’ or ‘car_park_city?’
- Avoid using the same username/password combination for multiple websites.
- Especially risky is using the same password for entertainment sites that you do for online email, social networking, and financial services.
Sign up for our newsletter.
Get the latest tutorials on SysAdmin and open source topics.
Write for DigitalOcean You get paid, we donate to tech non-profits.
DigitalOcean Meetups Find and meet other developers in your city.
Hacktoberfest Contribute to Open Source
How To Set Up Password Authentication with Apache on Ubuntu 14.04
This article uses Ubuntu 14.04 which reached end of life (EOL) on Apr 2019
Still using Ubuntu 14.04?
We recommend upgrading to a more modern version. Read upgrade instructions.
This guide might still be useful as a reference, but we strongly recommend using a guide with one of the more modern versions available below
When setting up a web server, there are often sections of the site that you wish to restrict access to. Web applications often provide their own authentication and authorization methods, but the web server itself can be used to restrict access if these are inadequate or unavailable.
In this guide, we’ll demonstrate how to password protect assets on an Apache web server running on Ubuntu 14.04.
To get started, you will need access to an Ubuntu 14.04 server environment. You will need a non-root user with sudo privileges in order to perform administrative tasks. To learn how to create such a user, follow our Ubuntu 14.04 initial server setup guide.
Install the Apache Utilities Package
In order to create the file that will store the passwords needed to access our restricted content, we will use a utility called htpasswd . This is found in the apache2-utils package within the Ubuntu repositories.
Update the local package cache and install the package by typing this command. We will take this opportunity to also grab the Apache2 server in case it is not yet installed on the server:
Create the Password File
We now have access to the htpasswd command. We can use this to create a password file that Apache can use to authenticate users. We will create a hidden file for this purpose called .htpasswd within our /etc/apache2 configuration directory.
The first time we use this utility, we need to add the -c option to create the specified file. We specify a username ( sammy in this example) at the end of the command to create a new entry within the file:
You will be asked to supply and confirm a password for the user.
Leave out the -c argument for any additional users you wish to add:
If we view the contents of the file, we can see the username and the encrypted password for each record:
Configure Apache Password Authentication
Now that we have a file with our users and passwords in a format that Apache can read, we need to configure Apache to check this file before serving our protected content. We can do this in two different ways.
The first option is to edit the Apache configuration and add our password protection to the virtual host file. This will generally give better performance because it avoids the expense of reading distributed configuration files. If you have this option, this method is recommended.
If you do not have the ability to modify the virtual host file (or if you are already using .htaccess files for other purposes), you can restrict access using an .htaccess file. Apache uses .htaccess` files in order to allow certain configuration items to be set within a file in a content directory. The disadvantage is that Apache has to re-read these files on every request that involves the directory, which can impact performance.
Choose the option that best suits your needs below.
Configuring Access Control within the Virtual Host Definition
Begin by opening up the virtual host file that you wish to add a restriction to. For our example, we’ll be using the 000-default.conf file that holds the default virtual host installed through Ubuntu’s apache package:
Inside, with the comments stripped, the file should look similar to this:
Authentication is done on a per-directory basis. To set up authentication, you will need to target the directory you wish to restrict with a block. In our example, we’ll restrict the entire document root, but you can modify this listing to only target a specific directory within the web space:
Within this directory block, specify that we wish to set up Basic authentication. For the AuthName , choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, we will require a valid-user to access this resource, which means anyone who can verify their identity with a password will be allowed in:
Save and close the file when you are finished. Restart Apache to implement your password policy:
The directory you specified should now be password protected.
Configuring Access Control with .htaccess Files
If you wish to set up password protection using .htaccess files instead, you should begin by editing the main Apache configuration file to allow .htaccess files:
Find the block for the /var/www directory that holds the document root. Turn on .htaccess processing by changing the AllowOverride directive within that block from “None” to “All”:
Save and close the file when you are finished.
Next, we need to add an .htaccess file to the directory we wish to restrict. In our demonstration, we’ll restrict the entire document root (the entire website) which is based at /var/www/html , but you can place this file in any directory you wish to restrict access to:
Within this file, specify that we wish to set up Basic authentication. For the AuthName , choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, we will require a valid-user to access this resource, which means anyone who can verify their identity with a password will be allowed in:
Save and close the file. Restart the web server to password protect all content in or below the directory with the .htaccess file:
Confirm the Password Authentication
To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt that looks like this:
If you enter the correct credentials, you will be allowed to access the content. If you enter the wrong credentials or hit “Cancel”, you will see the “Unauthorized” error page:
You should now have everything you need to set up basic authentication for your site. Keep in mind that password protection should be combined with SSL encryption so that your credentials are not sent to the server in plain text. To learn how to create a self-signed SSL certificate to use with Apache, follow this guide. To learn how to install a commercial certificate, follow this guide.