Passwords a scary article or scaremongering?

James Blast / Blog (10 Comments)


10 Comments on “Passwords a scary article or scaremongering?”

  1. dai

    I am no expert but I think it reads quite realistically. It is slightly scary that pretty much everything in the world depends on the internet these days; everything was probably much safer 50 years ago.

  2. DisappointmentBob

    I only skim-read that article, but wasn’t it mostly based on the vulnerabilities of MD5 hashing? Presumably if a website uses a more secure hash, it’s less of an issue. I didn’t see that the article mentioned how many sites still use MD5 to hash passwords, but I may have missed it.

    Anyway, the moral of the story is always this: use a password manager to ensure that your passwords are unique for each site and never follow the familiar pattern of “password1234”.

        1. ivan

          I’d have thought that the reason for wariness of a password manager is that if – by chance – your ‘master’ password gets cracked, then everything else is gone too, and that’s fair enough.

          Of course, the longer your password (and I’m not sure which, if any, Password Manager JQW is using) the harder it is to crack. 1Password, which I use, asks for a ridiculously long one (fnarr fnarr) such that I actually use a sentence. I think the odds on that getting cracked are rather long, so whilst there’s a risk, I reckon the return any hacker would get on the time expended trying to crack it just wouldn’t be worth it.

        2. JQW

          With a password manager you’re entrusting your passwords to a third-party. What happens if that third party goes out of business in the future – will you still be able to access your passwords?

          1. ivan

            Well, the thing I use is a programme that lives on your PC, and so if the firm went out of business, I suspect I’d still be able to access my accounts in the short term…

            You make a good point though, which I honestly hadn’t considered. I suppose you’d have to go through the rigmarole of resetting passwords here, there and everywhere, wouldn’t you. Pain in the arse in the short term, definitely!

          2. DisappointmentBob

            My passwords are all stored on my local machine and only synced to the password management firm’s server for backup and to sync with my phone. I’d lose the phone functionality if they suddenly went under, but would still be able to use the software locally, which is how I use it anyway. The cryptography used by the firm in question is stronger than my bank uses, so I don’t worry overmuch.

          3. johnw

            Unless the password manager I use has a backdoor and regularly sends my passwords back to base, then it’s all safe. It sits on a passworded drive on my NAS drive and can be accessed from my laptop or Android device. Also, I have two or three main password seeds that are only in my head. I use the password manager (which has an entirely different password, used nowhere else and never written down) to store details of how I vary my password. So, let’s say my 3rd seed is ‘upintheair’, and I actually used the password ‘Upintheair248’; what I would store would be ‘Seed3248’. All I need to remember is a total of four ‘passwords’.

  3. DisappointmentBob

    For info:

    “MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property for digital security. Also in 2004 more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable… As of 2010, the CMU Software Engineering Institute considers MD5 ‘cryptographically broken and unsuitable for further use’.”

    Like I say, I only skimmed, so perhaps the article wasn’t just about MD5, but your bank isn’t using it, Amazon won’t be using it, Google won’t be using it, etc., etc.
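The thread above turns on whether MD5 versus "a more secure hash" is what matters for stored passwords. The following is an added example (not code from the post or any commenter) comparing three storage schemes on a constructed three-user table: it shows that an unsalted fast digest, whether MD5 or SHA-256, makes shared passwords visible in a leaked table and can be checked millions of times per second, while a salted PBKDF2 hash with a work factor does neither. The user names, passwords and iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample user table (not real credentials): two users chose the
# "password1234" pattern the thread warns about.
USERS = {"alice": "password1234", "bob": "password1234", "carol": "correct horse battery staple"}
ITERATIONS = 200_000  # PBKDF2 work factor (constructed value); raise it as hardware gets faster

def fast_unsalted(password: str, algo: str = "md5") -> str:
    """Legacy scheme from the thread: one fast, unsalted digest. 'sha256' is
    just as fast and just as deterministic, so a "more secure hash" alone
    does not change the picture for stored passwords."""
    return hashlib.new(algo, password.encode()).hexdigest()

def slow_salted(password: str, salt: bytes = b""):
    """Purpose-built password hash: random per-user salt plus a work factor."""
    salt = os.urandom(16) if not salt else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_slow_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_salted(password, salt)[1], digest)

def shared_password_visible(hash_fn) -> bool:
    """True if a leaked table built with hash_fn reveals that alice and bob
    share a password (identical stored values), i.e. one guess covers both."""
    stored = [hash_fn(p) for p in USERS.values()]
    return len(set(stored)) < len(stored)

def hashes_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough throughput on this machine: fewer guesses per second means each
    leaked hash costs far more to attack, which is the point of a work factor."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_fn("password1234")
        n += 1
    return n / seconds

if __name__ == "__main__":
    for name, fn in [("md5", fast_unsalted), ("sha256", lambda p: fast_unsalted(p, "sha256")),
                     ("pbkdf2+salt", lambda p: slow_salted(p)[1])]:
        print(f"{name:12} shared password visible: {shared_password_visible(fn)}  "
              f"~{hashes_per_second(fn):.0f} hashes/s")
```

Running it prints the same "shared password visible: True" for MD5 and SHA-256 and False for the salted scheme, alongside the throughput gap between the fast digests and PBKDF2.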
