
xUKHCx

Administrator emeritus
Original poster
It is good to remind everyone now and again about passwords. Your MacRumors account, like most websites, is protected by a username and password.

As your username is fixed, your security point is the password. Therefore, to protect your account you need to use a good strong password.

I know everyone is thinking right now that "Well I have a strong password" but please stop and really consider it.

Here are Google's tips on creating a good password and some do-NOTs from Microsoft's tips page.

Avoid creating passwords using:
  • Dictionary words in any language.
Words in all languages are vulnerable.
  • Words spelled backwards, common misspellings, and abbreviations.
Words in all languages are vulnerable.
  • Sequences or repeated characters.
Examples: 12345678, 222222, abcdefg, or adjacent letters on your keyboard (qwerty).
  • Personal information.
Your name, birthday, driver's license, passport number, or similar information.

There are a number of online password checkers that you can use to test how strong potential passwords are; here is Microsoft's.

It is also worth reminding members about the following thread: Forum tip: keep your email address up to date
 
Think it may need upgrading. A few years ago this was deemed as a strong password.
 

Is this a gentle way of telling us there is a possible breach and you'd like us to change our passwords?
Edit: here ... though MS now knows my password. Those goons.
Screen shot 2011-02-07 at 5.56.49 PM.jpg
 
My password is 12pas01word. Is that strong enough or do you recommend a stronger one?
 
Is this a gentle way of telling us there is a possible breach and you'd like us to change our passwords?

Hmm... would there happen to be a particular reason for this (admittedly sage) advice, or is that just me paranoia talking?

There was a small issue (2 accounts identified) where the user's passwords were guessed.

It seemed prudent of us to take this as a timely reminder for everyone.
 
I'd recommend something easy to remember like:
H3)^%nP7"@v^~`(8jW<2o&('|!>*sE5#-x_C{$G+\

That's quite a weak one:
Screen shot 2011-02-08 at 00.09.08.png



xUKHCx, just out of curiosity, were these two accounts, those two that have been registered in 2009 and been inactive post wise and then suddenly been used to post spam?
 
Not really. That's the kind of passwords I use on my wireless network and many financial accounts.

Why? Most banks use a 128-bit SSL encryption method, meaning a 41-character password such as "H3)^%nP7"@v^~`(8jW<2o&('|!>*sE5#-x_C{$G+\" is no more secure than a 32-character password of similar construction. What bank allows 41-character passwords anyways? That is highly uncommon.
 
Why? Most banks use a 128-bit SSL encryption method, meaning a 41-character password such as "H3)^%nP7"@v^~`(8jW<2o&('|!>*sE5#-x_C{$G+\" is no more secure than a 32-character password of similar construction. What bank allows 41-character passwords anyways? That is highly uncommon.
I wasn't referring to the length of the password, but to the content.
Not really. That's the kind of passwords I use on my wireless network and many financial accounts.
I didn't say that was the actual password or the actual length.

It's worth noting that the Microsoft password checker that xUKHCx posted shows a simple password to be strong if you simply increase the number of characters. Try typing all "1" characters:
1-16 1s: weak
17-19 1s: medium
20-28 1s: strong
29+ 1s: best

Not what I would consider a good password checker.
 
Last edited:
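An added example (not part of the thread, and not Microsoft's or Google's checker): a small Python check that applies the do-NOT list from the first post instead of scoring length, so a run of 29 "1"s is flagged rather than rated "best". The word list, substitution table and thresholds are assumptions made up for illustration.

```python
import re

# Constructed mini word list (assumption); a real checker would load a full dictionary.
WORDS = ("apple", "letmein", "macrumors", "password", "strong")
# Look-alike substitutions undone before the dictionary check (assumed table).
LEET = str.maketrans("013457@$!", "oleastasi")
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
        "abcdefghijklmnopqrstuvwxyz")


def letters(text):
    """Keep a-z only and collapse doubled letters, so 'pasword' matches 'password'."""
    return re.sub(r"(.)\1+", r"\1", re.sub(r"[^a-z]", "", text))


def has_sequence(pw, run=4):
    """True if any `run` consecutive characters follow a keyboard row or the alphabet."""
    low = pw.lower()
    chunks = (low[i:i + run] for i in range(len(low) - run + 1))
    return any(c in row or c[::-1] in row for c in chunks for row in ROWS)


def audit(pw):
    """Return the do-NOT rules that `pw` breaks (empty list = none of them found)."""
    found = []
    low = pw.lower()
    # Check the password both as typed and with look-alike characters undone.
    forms = (letters(low), letters(low.translate(LEET)))
    for word in WORDS:
        key = letters(word)
        # Forwards or backwards, per "words spelled backwards".
        if any(key in f or key[::-1] in f for f in forms):
            found.append("dictionary word: " + word)
    if has_sequence(pw):
        found.append("keyboard or alphabet sequence")
    # Three identical characters in a row, or very few distinct characters overall.
    if re.search(r"(.)\1{2,}", pw) or len(set(pw)) * 3 < len(pw):
        found.append("repeated characters")
    return found


if __name__ == "__main__":
    for sample in ("1" * 29, "12pas01word", "$tr0ngP@s$w0rd", "qwerty123"):
        print(repr(sample), "->", audit(sample) or "no listed pattern found")
```

An empty result only means none of these listed patterns matched; it is not a strength rating.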
I checked and couldn't find the functionality. Could you point me to it?
That's only for creating Mac user account passwords:
While entering a password, use the Password Assistant to see how secure your password is. Click the key button to the right of the Password field.
 
I checked and couldn't find the functionality. Could you point me to it?

Okay, this is for Keychain Access 3.3 under OS X 10.4.11, so it may be set up differently under Leopard and/or Snow Leopard. If you go to File, New Password Item..., in the Password box type your password then click the little Key icon and it will show how strong it is.
 
While this is always awesome advice to use (and I do use the most bizarre password strings of great length), there is still one inherent problem with the MR site and that is its lack of SSL. If someone is logging into MR while connected to some public WiFi spot or even on an unsecured home WiFi, anyone with a packet sniffer can grab your username and password, regardless of how strong it is.

I would love to see MR get SSL and have the whole site default to it (HTTPS). That way every user's session on the domain would be fully encrypted from browser to server and even those folks with weak passwords would be protected while on free or unsecured WiFi hotspots.

My home and office WiFi networks are secured using 63 character pseudo random generated passwords with maximum entropy using the WPA2 encryption.

Like I said, using strong passwords is always a good idea and everyone should.

Attached is the screen capture of my MR password entered in the Keychain Access app.
 

I just want to chime in to support xUKHCx's message. My google account was hacked some months ago, and a couple mails were sent out from my gmail from a Chinese IP. Google notified me immediately (apparently they have some sort of filter that catches activity that doesn't seem to jive??) so no major damage done, but it scared me and woke me up.

I thought I had strong passwords, but I've since paid a lot more attention to them. :(
 
I just want to chime in to support xUKHCx's message. My google account was hacked some months ago, and a couple mails were sent out from my gmail from a Chinese IP. Google notified me immediately (apparently they have some sort of filter that catches activity that doesn't seem to jive??) so no major damage done, but it scared me and woke me up.

I thought I had strong passwords, but I've since paid a lot more attention to them. :(

That is scary. I should change my PW
 
I usually avoid password generators because I actually like to be able to login from anywhere without using my device (well, not a public pc).

I've found that coming up with a strong password is easy if you create it like it would go on a personalized license plate and use symbols as well. Strongpassword would be something like $tr0ngP@s$w0rd. Easy to remember and strong at the same time.
 