Mr. Fixit
Saturday, February 17, 2007 6:56:05 AM
Recently there have been a number of reported attempts at breaking into accounts here at MCW by guessing or cracking the login password on accounts. Because of this, we are reminding everyone of the importance of having a strong password on their account.

Your password may be changed by clicking on "Profile" in the upper right corner of the page, entering your current password when prompted and clicking on "Submit", entering your new password in the two boxes on the right side of the page and clicking on "Submit". The forum will then send you a confirmation email, and you should follow the instructions in that email to complete the change. Should you have any questions or problems with this, please PM the Admins for assistance.

Strong passwords should be at least 8 characters, include a mix of letters and numbers, and not include words found in the dictionary. More discussion of weak and strong passwords is included in the following excerpts from Wikipedia (http://en.wikipedia.org/wiki/Password_strength):

Weak passwords
A weak password is short, common, a system default, or that which could be rapidly guessed by executing a brute force attack using a subset of all possible passwords such as words in the dictionary, proper names, words based on the user name or common variations on these themes. Passwords easily guessed by acquaintances of the user, such as a birth date and pet's name, are also considered weak.

Examples of weak passwords include:

admin -- too easily guessed
1234 -- too easily guessed
susan -- common personal name
password -- trivially guessed, used astonishingly often
p@ssw0rd -- simple letter substitutions are pre-programmed into cracking tools.
rover -- common name for a pet, a dictionary word in any case
12/3/75 -- date, possibly of personal importance
December12 -- Using the date of a forced password change is very common.
nbusr123 -- probably a user name, if so very easily guessed
asdf -- a sequence of adjacent letters on many keyboards

Studies of production computer systems have for decades consistently shown that about 40% of all user-chosen passwords are readily guessed.

A password might be guessable if a user chooses an easily-discovered piece of personal information as a password (such as a student ID number, a boy- or girlfriend's name, a birthday, a telephone number, or a license plate number). Personal data about individuals are now available from various sources, many on-line, and can often be obtained by someone using social engineering techniques, such as posing as an opinion surveyor.

A password is often vulnerable if it can be found in a list. Dictionaries in machine-readable form are available for many languages, and there exist lists of commonly-chosen passwords. In tests on live systems, dictionary attacks are so routinely successful that software implementing this kind of attack is available for many systems.

A too-short password, perhaps chosen for ease of typing, is vulnerable if an attacker can obtain the cryptographic hash of the password. Computers are now fast enough to try all alphabetic passwords shorter than 7 characters, for example.

Strong passwords
A strong password is sufficiently long, random, or otherwise producible only by the user who chose it, that successfully guessing it will require too long a time. The length of time deemed to be too long will vary with the attacker, the attacker's resources, the ease with which a password can be tried, and the value of the password to the attacker. A student's password might not be worth more than a few seconds of computer time, whilst a password controlling access to a large bank's electronic money transfer system might be worth many weeks of computer time.

Examples of stronger passwords include:

t3wahSetyeT4, not a dictionary word, has both alpha and numeric characters
4pRte!ai@3, not a dictionary word, has both cases of alpha, plus numeric, and punctuation characters
#3kLfN2x, same as preceding
MoOoOfIn245679, long, with both alpha cases and numeric characters
Convert_100£ to Euros!, Phrases can be long, memorable and contain an extended symbol to increase its strength.

These passwords are longer and use combinations of lower and upper case letters, digits, and symbols. The longer and the wider the variety of symbol choices, the more intensive the password cracking effort or well matched the Rainbow table must be to defeat the password; assuming that suitable password hashing and protection methods are in place.

Further, not using a single word makes password cracking word lists a less effective form of direct brute force attack. Note: some systems do not allow symbols like #, @ and ! in passwords and they may be hard to find on different keyboards. In such cases, adding another letter or number or two may offer equivalent security.

The above examples, having been published in this article as password examples, are no longer good choices; examples from publicly-accessible discussions about passwords are obviously good candidates for inclusion in a dictionary to be used for a dictionary attack. However, beware that even "strong" passwords (by this limited criterion), and especially human-chosen passwords, are not equivalent to a strong encryption key, and should not be used as such, if for no other reason than that they contain no unprintable characters. Passphrases and password-authenticated key agreement methods have been used to address this limitation.

Passwords can be found by using so-called brute force password generators. In the simplest case, these are small programs that simply try all possible combinations. A 3GHz processor can generate approximately 3 million passwords a second. A password such as '4pRte!ai@3' is likely to be found after approximately 95^10 / 3000000 / 3600 / 24 / 365 = 632860 years, assuming purely random possible password generation.

Passwords longer than 7 characters using non-dictionary words are therefore to be preferred in an attempt to use 'good' passwords. However, the majority of computer users don't observe such precautions, in part because they are hard to remember.

Random passwords
The most secure passwords are long, random strings of characters, but such passwords are generally the most difficult to remember. For the same number of characters, a password is stronger if it includes a mix of upper and lower case letters, numbers and other symbols (when allowed). The difficulty in remembering such a password increases the chance that the user will write down the password, which in this case makes it more vulnerable to a different attack (finding the paper and copying the password). Whether this represents a net reduction in security depends on whether the primary threat to security is internal or external.

Mnemonic passwords
Some users develop mnemonic phrases that generate random seeming passwords. For instance, use the first letter of each word. Another way to make "random" passwords more memorable is to use random words or syllables instead of randomly chosen letters.

Personal mnemonics are sometimes recommended. That is, things that are memorable to you, but not to others. For example, the password Iw21wIfvP, an otherwise difficult to remember string, derives from "I was 21 when I first visited Paris", possibly easily remembered (for non-Parisians). But, if your first experience of Paris was important to you, it may be possible to guess this password from a little research about you, and, if so, this would not be a sensible password choice.

Another is NYianc@US which derives from the phrase "New York is a nice city at the US", though it may run afoul of restrictions on allowed characters on some systems. Exclusion of punctuation and non-alphanumeric characters may be a practical issue as some keyboards will not have all such characters and some software will not accept some of these characters in a password. It is also a reduction in security, as the policy makes guessing passwords easier, an undesirable outcome. On the other hand, such a password is a considerable improvement on a child or pet's name, initials, birthday, mother's maiden name, or many of the choices made without such a requirement. Please avoid word choices; most language and jargon dictionaries have less than 100,000 words, and a PC guessing at 3,000,000 combinations per second can check such word lists very quickly. Ritualistic substitutions for letters such as are used in leet are often pre-programmed into password cracking software.

CAUTION, Administrator at work. This is a troll-free zone.

"It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change." - Charles Darwin
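As an added example (not part of the original post or of the Wikipedia excerpt it quotes), the following Python checker applies the rules discussed above: the post's three-point policy (8+ characters, letters mixed with numbers, no dictionary words), the excerpt's keyspace arithmetic (95 printable characters, 3,000,000 guesses per second) and the leet-substitution normalization that cracking tools are said to have built in. The wordlist is a constructed stand-in holding only the weak examples quoted in the post; a real deployment would load a full common-password list.

```python
import string

# Constructed wordlist: just the weak examples quoted in the post. A real
# checker would load a large list of common passwords and dictionary words.
COMMON_WORDS = {"admin", "1234", "susan", "password", "rover",
                "december", "nbusr123", "asdf"}

# Undo the "simple letter substitutions" the excerpt says cracking tools
# already know about, so p@ssw0rd is checked as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                          "4": "a", "5": "s", "7": "t", "$": "s", "!": "i"})

GUESSES_PER_SECOND = 3_000_000       # rate quoted in the excerpt
SECONDS_PER_YEAR = 3600 * 24 * 365   # as the excerpt computes it
SYMBOLS = string.punctuation + " "   # 33 chars; 26+26+10+33 = 95 printable

def alphabet_size(password):
    """Size of the smallest character set a brute-forcer must cover."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    # Anything else (punctuation, space, or a non-ASCII symbol such as the
    # pound sign) is counted as the 33-symbol class; conservative for extended characters.
    if any(not c.isalnum() for c in password): size += len(SYMBOLS)
    return size

def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case years to try every password of this alphabet and length,
    i.e. the excerpt's 95^10 / 3,000,000 / 3600 / 24 / 365 arithmetic."""
    keyspace = alphabet_size(password) ** len(password)
    return keyspace // rate // SECONDS_PER_YEAR

def is_dictionary_based(password):
    """True if the password, or its de-leeted / digit-stripped form, is a
    listed word (catches December12 and p@ssw0rd, not just 'password')."""
    lowered = password.lower()
    stripped = lowered.strip(string.digits + string.punctuation)
    candidates = {lowered, stripped, lowered.translate(LEET_MAP),
                  stripped.translate(LEET_MAP)}
    return any(c in COMMON_WORDS for c in candidates)

def check_policy(password):
    """Apply the post's rule: 8+ characters, letters and numbers mixed,
    no dictionary word. Returns the list of violated rules (empty = ok)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)):
        problems.append("no mix of letters and numbers")
    if is_dictionary_based(password):
        problems.append("based on a common or dictionary word")
    return problems
```

Running `years_to_exhaust("4pRte!ai@3")` reproduces the excerpt's 632860 years, while `check_policy("p@ssw0rd")` flags the leet-spelled word the way the excerpt warns cracking tools would.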
Matt C.
Tuesday, March 13, 2007 7:48:14 PM
This is an EXTRA reminder for everyone to change their passwords as we had another account hacked into this week. Please click "profile" when logged in and set up a new, different password for your account.

Thanks!
Matt Cook
Matt's Carnival Warehouse / Matt's Web Design
http://www.carnivalwarehouse.com 
http://www.mwdwebdesign.com 
Mr. Fixit
Thursday, March 15, 2007 5:23:09 PM
Here's the deal, if you have an easy to guess password, your account will likely get hacked. It's been done 3... 4... 5... 6 times so far.

PLEASE... IF YOU HAVE AN EASY TO GUESS PASSWORD, CHANGE IT NOW!

If your account gets hacked, expect it to be locked permanently.