Quote:
Originally Posted by Renate
The biggest deal is of course to use different passwords for everything, including crappy accounts that you don't care about. Some websites force you to make an account for a one-time purchase. Generate a new password.
This is one place where paper can break down. I have on the order of 400 unique accounts in my password vaults (personal and work). Many are one-use things but I keep them just in case I need them again. This would be difficult to manage on something that fits in my wallet. Instead, I have a couple of YubiKeys with master passwords to my vaults on my physical key ring, with backups stored in a fireproof box.
Quote:
Originally Posted by pdurrant
It's both good and maybe not so good advice. Depends on the attack vector.
Longer is better than complicated against brute force attacks. That is, an attacker trying to break into your mobileread account via brute force against the web login interface would need to spend much more time trying to find "correct horse battery staple" than that troubadour mash. Effectively forever for the longer password vs. weeks to months to maybe years for the shorter one, modulo whatever anti-brute force mechanisms mobileread has.
But a thing called rainbow tables exists. A rainbow table is a table of precomputed hashes of common passwords, dictionary words, and combinations. If an attacker can get a dump of the account database, they can apply a rainbow table to find matches and recover cleartext passwords in seconds. A variant of this is likely how attackers were able to partially compromise the LastPass account database a few years ago.
Long story short: passwords suck.
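Added example (my own code, not from anyone in this thread) showing the difference the post describes from the defender's side: a precomputed table of unsalted, fast hashes recovers a leaked entry by a single dictionary lookup, while a random per-user salt plus a slow KDF (PBKDF2 here) makes the same table useless against a dumped database. The five-word list is a constructed stand-in for a real "common passwords" dictionary.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a common-password dictionary (hypothetical values).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "dragon"]


def unsalted_hash(word):
    """Fast, unsalted SHA-1: the kind of stored value a precomputed table reverses."""
    return hashlib.sha1(word.encode()).hexdigest()


def build_unsalted_table(words):
    """Precompute hash -> cleartext once; lookups against a dump are then instant."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(table, stored_hash):
    """Recover the cleartext by lookup, or None if the password is not in the table."""
    return table.get(stored_hash)


def store_salted(password, iterations=200_000):
    """Defender side: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns the record a server keeps; the salt need not be secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_salted(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def table_defeated_by_salt(table, record):
    """A table keyed on unsalted hashes never matches a salted, iterated record."""
    return table.get(record["hash"].hex()) is None


if __name__ == "__main__":
    table = build_unsalted_table(COMMON_PASSWORDS)
    leaked = unsalted_hash("letmein")  # one unsalted entry from a constructed dump
    print("unsalted lookup recovers:", lookup_unsalted(table, leaked))
    rec_a, rec_b = store_salted("letmein"), store_salted("letmein")
    print("same password, different stored hashes:", rec_a["hash"] != rec_b["hash"])
    print("precomputed table matches salted record:", not table_defeated_by_salt(table, rec_a))
```

The same password yields a different stored value per user, so a table would have to be rebuilt per salt and per iteration count, which is exactly the cost a slow KDF is designed to impose.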