Friendly Reminder: Make Good Password Decisions!
Thursday, May 3rd, 2007 at 5:14 PM by: daniellinden
Did you know that May is Strong Password Month? OK, that probably isn’t true…but maybe it should be. It makes for a swell excuse to remind every member of the Second Life family to think about our password choices.
Is your password easy to guess — like your name? Is it a common dictionary word, perhaps ‘cat’? Maybe it’s time to choose something a little more secure. Add a number, at least.
Beyond that, have you ever shared your password? I know that the person with whom you shared is totally your best friend forever, but since when has forever really meant forever?
Anyway…Strong Password Month is a great opportunity to take a moment to change your password to something way cooler and totally more secure. Celebrate today!


May 3rd, 2007 at 5:17 PM
WTF is with the Super Secret Code logins???!!!
I am one of LL’s biggest “Hey, lay off them” fans.
Now you do something like THIS. My password is NOT a “weak password”…
Of all the donkey-nine things you could change…
May 3rd, 2007 at 5:18 PM
My password is my last name in SL…. oops!
May 3rd, 2007 at 5:25 PM
Oh, and while I am still cheesed off about this…
How come you don’t TELL anyone you have made changes to the LOGIN PROCESS??? Is this good communication on LL’s part?
May 3rd, 2007 at 5:26 PM
My password is generated by using Chladni patterns to mutate a Hermetic sequence based on the carvings in an obscure chapel in Scotland. Nobody will ever guess that!
May 3rd, 2007 at 5:30 PM
My password is ‘password’. It’s so obvious, nobody will ever guess it…
^^ If this is you, you need to re-think your password strategy. I personally know at least 6 or 7 people who have said the exact same thing.
May 3rd, 2007 at 5:34 PM
They didn’t really say what is strong or weak, but I do know for sure.
No password is stronger. So what you really need is a password that your friends, family, haters and/or business partner would be able to make an easy guess at as they figure out what kind of person you are.
So, if you’re a Linden, don’t use passwords like “SL Rocks” or “Lagmonster”; those are too closely related to what you do in life.
A really good password for yourself is something unrelated to yourself and the business you do. Use something crazy like “FHH782”, “69NAMTAB45”, or even be clever with caps: “tEMemEeT”.
Also, more characters in a password make it harder to hack/guess.
Pick a good one and burn it into your brain.
May 3rd, 2007 at 5:37 PM
“that wouldn’t able to make easy guess” *
My bad.
May 3rd, 2007 at 5:40 PM
is this a way of saying yet another security compromise has occurred?
May 3rd, 2007 at 5:41 PM
Ah, I see, you’ve decided to add a “Captcha” step to logging in on the website but not to the blog (where it might be useful). What does this mean? It means you’re trying to slow down someone doing something automated on the website, like scripting auctions or using the website as an oracle for a password guesser.
May 3rd, 2007 at 6:07 PM
Erm, I’m md5’d with something totally random to start with, was gonna binary that but SL won’t allow that many characters. Since then, I can’t turn my offline IMs on, and can’t access the maze you call JIRA. Once again, emailed support after talking to Nicole Linden (I think it was) last month and still no reply..
If you’re saying you’ve given out our CC details yet again by accident or through a security breach, just say it, please :/
May 3rd, 2007 at 6:11 PM
Requiring captcha on website login breaks a large number of businesses and interfaces which rely on gathering data from the transaction log automatically. Businesses that will be adversely affected include SL Exchange, SLBoutique, and Apez to name a few off the top of my head.
May I remind Linden Lab that many developers were *instructed* to access the transaction log using automated processes, and so many of us built services which rely completely on that functionality.
Personally I am okay with captcha, but it is imperative that it be disabled until a replacement interface is provided for automatic transaction log retrieval.
May 3rd, 2007 at 6:15 PM
Add “access to our CC details” where needed :/ Sorry, been doing that 1st life clubbing stuff all night, having troubles chasing my keyboard around the room to type on it
May 3rd, 2007 at 6:23 PM
Weapons of Mass Distraction!
Let’s talk about voice chat and password security instead of FIXING things that have been broken forever! (Do I sound a bit bitter?)
May 3rd, 2007 at 7:01 PM
Mm, indeed.
I have..no sympathy for people that try using something like “happy” for their password, and expect NO ONE to get it.
You’d think it would be common sense. Yet, people still do it.
My password? Gibberish. As it should be.
May 3rd, 2007 at 7:10 PM
I run a few paysites & you wouldn’t believe the % of people who use stuuuupid passwords. The majority of people use easy-to-guess ones. Anyone reading this: if your password contains your kid’s name, your pet’s name, or the 733t version of them, or anything else obvious, ask yourself how happy you’ll be the day you log in and all your L$s and inventory are gone ’cause someone logged into your account.
May 3rd, 2007 at 7:18 PM
Friendly reminder,
Use the Linux client at your own risk and don’t forget the red bold lettering stating that any changes made within SL are permanent.
It has been in Alpha since the word alpha was invented. No real open source advocates interested, I would suppose. And you want to talk about passwords? What, in Windows and with the Windows client?
Tracy
May 3rd, 2007 at 7:18 PM
There are some very good guidelines on making “strong” passwords.
-Combine both letters and numbers
-Alternate between small and capitalized characters
-Put a blank space somewhere in your password, if the system allows for it.
-Don’t make passwords that have obvious meanings that people could guess just from knowing YOU (names of family and/or friends, names of your favourite popstar when you let EVERYBODY know you’re a big fan, names of… you get the idea) Dates that have an obvious relation to you are also out of question (birthdates, date you got married, etc.)
Good sources for passwords are:
-Product codes/serial numbers of items you permanently have, like a monitor or a stereo
-Combining different words into something meaningless and garbled. Like the first two characters of 3 or 4 different words
-Turning full character sequences (partly) into the dreaded 1337 speak -> “Abusive” would become “4bu51v3” for example.
-Turning parts of full numeric sequences into characters. This can be done by assigning letters to numbers, like a=1, b=2, etc, or just by holding your ALT key pressed for 1-2 (or even 3 if it’s a low value sequence) keystrokes while typing the numbers on the NUMERIC part of your keyboard. “176” within a sequence would become a “░” symbol then for example, which is not your average symbol in a password.
May 3rd, 2007 at 7:30 PM
Forget what passes people use, why are LL so bothered all of a sudden? I for one am glad my CC details are now void to LL, they’ve messed up before and from what I’m seeing here, have they done it again? LL need to remember, after the letter went public, lots of news groups are monitoring the only way we can converse with Linden Lab. The BBC are very interested in stories, that’s just naming one company
May 3rd, 2007 at 7:53 PM
Gotta love this half-assed excuse for a post on the blog to help push the bad stuff off the load page. Happens every time after the grid has issues.
May 3rd, 2007 at 7:56 PM
I use random numbers from the mycokerewards promotion.
/not really
May 3rd, 2007 at 8:06 PM
I’m with Apotheus. Adding a captcha to the web login presents a very serious problem for those of us that do automated things with transaction information. I have a script that gathers my group’s sim-owning account’s transaction information so that any of us can find out whether we’ve gotten enough donations to cover our sim payment. The script also emails this information to us four times a month so that we’re reminded of when to hit Lindex.
Now, my script’s days are numbered. The cookie it holds in its config file is still good… for now. Once it breaks, I’m going to have to somehow manually feed it a new cookie after logging in using the captcha. This may not even be feasible. What then?
Two questions:
Why was a captcha added to the account page login?
What automated nastinesses were people up to before that prompted this?
May 3rd, 2007 at 8:44 PM
Publish the secret API for getting at the transaction data through the caps system. Then we won’t need to use the website for logins of the automated collection of transaction information. We know there is a way that the “in” developers have access to — otherwise they would be here complaining as well.
May 3rd, 2007 at 9:41 PM
I am with the others on this. Has there been a security breach? If so I would like to know so I can take the necessary steps to protect myself.
May 3rd, 2007 at 10:04 PM
I’ve posted this method in the forums and it got a few laughs but it works. Go to your local library and find a complete unabridged dictionary published before 1920 (or even earlier). Turn it upside down and face down, close your eyes and feel somewhere near 1/3 up or down the depth of the book (not the middle) and open it to that page. Find a word that you’ve never heard of and reverse the spelling. That’s the first part of your password. Now look at the page number and multiply that number by 3 then divide by 5 (round to the nearest whole number) and reverse that too. That’s the second part of your password. Now assemble your password by interspersing the letters of the word and the numbers………do it in an unequal way and toss in a capital letter too.
About as random as you can get.
And password cracking programs would take way too many hours (possibly months or years) to get it.
May 3rd, 2007 at 10:49 PM
Hi, is there some reason you have to use that cap thingy with the code letters? I have a disability and am having trouble accessing stuff. Is there not another thing you can use, please?
May 3rd, 2007 at 11:37 PM
Security breach? Hmmmm…Could it just be that, with the large number of new users on the system, LL just wanted to remind people to use good passwords?
When I send out those sorts of reminder messages at work, no-one asks me if there’s been a security breach……
May 3rd, 2007 at 11:41 PM
I know why they are doing it. My sister’s account was hacked, her avatar stolen, and thousands of dollars of Lindens charged on the credit card last week.
I wonder how many others had the same experience in the last few days?
Now suddenly it is ‘Secure Password’ month and they have instituted the extra login routine.
hmmmmmmm…….
May 3rd, 2007 at 11:43 PM
Changing passwords on a regular basis is also a good idea. And of c0ur5e y0u can play w1th num3er5 if you’re like me and you need something recognizable to remember.
May 4th, 2007 at 12:01 AM
I would like to suggest that the user name be different from our SL names. I have wondered often why that is not the case. That way would-be hackers would have to guess both user name and pass.
May 4th, 2007 at 1:33 AM
There’s a nice program that knocks out two birds (making secure passwords & remembering them) with one stone.
I’d suggest checking out “KeePass Password Safe” at
Sourceforge: http://sourceforge.net/projects/keepass/
or their main site at: http://keepass.info/
It’s an open source, spyware-free program that allows you to centrally store passwords in an encrypted database, it can create randomized secure passwords by various methods, and has a long list of localized languages.
The main program is available for Windows, though there are unofficial ports for Linux, OSX, and smart devices.
Disclaimer: As with all programs out in the wild, run an anti-virus scan on it, and make sure you know what you’re downloading/do some research. I have no connection to KeePass other than being a user of the program for quite some time.
May 4th, 2007 at 2:34 AM
lol Broccoli good one made me smile
May 4th, 2007 at 2:42 AM
How to make secure passwords that are easy to remember? Well, you need a phrase that you can remember easily, and a “replacement key”, then you go…
Let’s take a not-that-random phrase: “I tried to enter my billig informations ten times, and it doesn’t work, i can’t access the forums!”, and let’s take the replacement key “a=4, e=3, t=7”.
Now remove all middle parts from the phrase’s words, and remove all spaces: “Itdtoermybgistnts,aditdtwk,ictastefs!”, then use your replacement key. Et voila: your new and easy to remember password including numbers, special characters and random letters:
I7d7o3rmybgis7n7s,4di7d7wk,ic74s73fs!
You only need to remember the phrase and the replacement key.
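The scheme in the comment above, carried out in code as an added example (not part of the original post): the word rule, first and last letter of each word with trailing punctuation kept, is inferred from the comment's own intermediate string, and the function reproduces the comment's exact output from its phrase and key.

```python
import re

# One whitespace-separated token: the word (letters and apostrophes) plus any
# trailing punctuation the scheme keeps, e.g. "times," -> ("times", ",").
TOKEN = re.compile(r"^([A-Za-z'’]+)(\W*)$")


def abbreviate(phrase):
    """Step 1: keep the first and last letter of each word, keep the punctuation
    that follows a word, and drop the spaces."""
    out = []
    for token in phrase.split():
        m = TOKEN.match(token)
        if not m:                      # a token with no letters is kept whole
            out.append(token)
            continue
        word, punct = m.group(1), m.group(2)
        out.append(word if len(word) == 1 else word[0] + word[-1])
        out.append(punct)
    return "".join(out)


def parse_key(spec):
    """Turn a replacement key written as in the comment, "a=4, e=3, t=7", into a dict."""
    key = {}
    for pair in spec.split(","):
        src, dst = (part.strip() for part in pair.split("="))
        key[src] = dst
    return key


def substitute(text, key):
    """Step 2: apply the key character by character (case-sensitive, so the
    capital 'I' at the start of the example survives)."""
    return "".join(key.get(ch, ch) for ch in text)


def derive_password(phrase, key_spec):
    return substitute(abbreviate(phrase), parse_key(key_spec))


def page_example():
    # The phrase and key exactly as the comment gives them (spelling included,
    # since the output depends on it). Returns (intermediate string, final password).
    phrase = ("I tried to enter my billig informations ten times, "
              "and it doesn’t work, i can’t access the forums!")
    return abbreviate(phrase), derive_password(phrase, "a=4, e=3, t=7")
```

The replacement step is a fixed, well-known kind of substitution, so nearly all of the strength comes from the phrase being one nobody else would guess.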
May 4th, 2007 at 3:19 AM
The best way I found to get people to make STRONG passwords without creating major security problems by writing them down or using easy-to-guess passwords is to actually encourage them to write them down.
Basically, tell people to make a 12 letter long random password, mixed small and large letters and numbers, then write it down.
THEN change it so you will replace for example the 5th and 10th character with a number or another letter and do NOT write that down.
So you can easily have a list of written down passwords that are strong (remember, everything can be cracked if the person has enough time/tries, but with a 10+ password with numbers and capital letters, it’s pretty close to impossible), AND since you are the only one that knows that any of those passwords on that list need the 3rd character replaced with a B, and the 9th replaced with a 9, even losing your list will not be a problem.
May 4th, 2007 at 3:53 AM
May is Strong Password Month?
No, May is Pass Strong Words to Linden Month….
May 4th, 2007 at 4:21 AM
Will this get rid of bots?
May 4th, 2007 at 4:29 AM
There is a single way to avoid loss of inventory or cash, I do not know any other that is effective and enforceable with the TOS. LL is legitimately not responsible for any loss, this was repeated just yesterday at TH by that badass Cory. They are not acting restrictively, just check any TOS from and by any hosting/software company in business today. This is an obvious legal barrel you should not miss. Passwords get hacked every day, cope with this simple fact.
1 buy an alt OR use an associate or partner you trust, offload your valuable items onto these recipients with full permissions. Do not offload thousands of items, be selective and learn to judge value where value is. When I say buy an alt I mean BUY IT, make it fully legitimate with LL.
2 cash out regularly, once a week, once a day depending on your income if you have one. My experience with Slex has only been excellent so far. Do not perform transactions above 100 USD, these will hang way longer. Use paypal as a buffer and cash out again to your bank as soon as paypal fees get tolerable within the amount in question. EU residents troubled because of restrictions on CC/transat? Never in my experience as long as your accounts are fully legitimate and VERIFIED, paypal Intl. to local banks.
It ain’t Password Month, it’s May. May, do you remember?
Be realistic, use your judgement, don’t stress out.
May 4th, 2007 at 4:38 AM
I have a favorite password strategy that I like to share. It does not involve numbers and capital letters. I find a sentence appropriate to the place I need a password for and type the first letter of each word in that sentence. That info won’t help you guess my passwords because my idea of what is appropriate is rather hard to guess, even by those who know me.
Lately I have discovered that I remember the password better if the sentence is from the lyrics of a song.
May 4th, 2007 at 5:00 AM
Anyone having trouble with the captcha system?
I was apparently unable to read five different images in a row.
I would suggest using a different captcha system.
Anyone else having trouble please reply here.
May 4th, 2007 at 5:03 AM
Has the system been changed to only allow a person to be logged in to secondlife.com on one machine at a time?
This is not cool. I didn’t forget my password and I’m not unable to read 99 percent of the captcha images.
May 4th, 2007 at 5:26 AM
To complete the tips given, I’ll say that a password should be at least 8 characters long and contain special characters.
BTW, do you know why May is the password month? It’s because June is the cracking month, or was it April…
May 4th, 2007 at 6:15 AM
what a nice satirical blog entry
but you’re right, many people have surely “god”, “sex” or “myname” as password
May 4th, 2007 at 6:47 AM
You’re kidding me, right?! A “captcha” on the account login page?! I mean, it makes sense on the registration page, so you don’t get automated signups, but trying to restrict automated logins? Why? Because of password hacking attempts? Fix that on the server end — lock out IP addresses or accounts briefly if they’re repetitively tried and failed. Been a solution in the industry for a long time! What is the logic here? For the most part, it’s just making things more difficult for residents. And the pop-up window about the captcha doesn’t work. And if you go to the link it’s trying to send you to, it talks about avoiding automated registrations. We’re not registering here! Please take this off and consider implementing alternate solutions that don’t inconvenience residents and their systems.
Stop breaking things!
May 4th, 2007 at 7:16 AM
I cannot even get into my account with this new system ROFL. I keep entering the password and captcha and no joy…keeps telling me it is wrong. Nightmare….
May 4th, 2007 at 8:05 AM
wow @ post number 27. Does she know how her account was hacked?
Guess this is a good reminder to secure your account better.
With the Lindens’ total disregard for our inventory loss I won’t be needing to buy Lindens any more until the inventory loss is fixed. So maybe a prepaid Visa card would be in order, and just recharging each month to cover my tier costs would be a safe way to go.
This bit about passwords reminds me of an old saying.
Locks only keep the honest people out.
May 4th, 2007 at 8:16 AM
Thanks for giving all of SL my password! haha kidding you. Good advice
Cat
May 4th, 2007 at 8:20 AM
I agree with Seraph… throttling login attempts by IP address would make using the web page as a password oracle ineffective, without blocking legitimate use.
May 4th, 2007 at 8:51 AM
Throttling login attempts by IP address would not actually make using the web page as a password oracle ineffective, at least not for folks using a distributed network of zombie hacked PCs, and there are probably plenty of those out there.
Adding a second password or backup security question would be better, and it would also be much easier to automate. Another system that would work would be emailing a login code to the user’s registered email account and requiring them to enter that as well as their password and name. Though that would be more inconvenient. How about choice of - either enter the captcha or click a button to have a code emailed to you and enter that?
May 4th, 2007 at 9:30 AM
Carlisse, read my full suggestion: “lock out IP addresses or accounts briefly if they’re repetitively tried and failed.” I also said to lock out accounts. You lock out IP addresses because a single system could be going after multiple accounts. You also lock out accounts because multiple systems could be going after a single account. If I enter a bad password into my system at work, after 3 attempts, I have to call the help desk to get it reset. Now 3 might be too small a number, but it’s a number to start discussion with. In this case, the reset could be via an email link to the account’s registered email address. Yes, this could be used to do a DoS attack against specific users — thus the email reset and locking out IPs that repeatedly hit the system.
In short, don’t make it harder for the normal user unless you absolutely have to. If you do have to, tell us why.
And LL, I just read the transcript — Cory, just how many months of data do you need before you know that the system has issues at high load and logins need to be restricted? You’re working on “metrics”. C’mon already. How long will this take to figure out? Basically, it sounds like login restrictions were a sop to us — say you’re going to do something, but don’t actually do it. Maybe we’ll shut up and won’t notice. You can only use that approach so much, though and guess what — you’ve reached your limit.
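The per-IP and per-account lockout discussed in the two comments above, as an added example that is not part of the original thread. The limits, window and attempt log are constructed assumptions, not Second Life's settings; the second scenario is the distributed case Carlisse raised, where no single IP trips the IP limit, and it also shows the side effect the reply concedes, that the locked account refuses its real owner until the lockout ends.

```python
from collections import defaultdict, deque

# Constructed policy values for the example, not Second Life's real settings.
WINDOW = 15 * 60      # seconds: failures older than this no longer count
ACCOUNT_LIMIT = 5     # failures per account within WINDOW before the account is locked
IP_LIMIT = 20         # failures per source IP within WINDOW before the IP is locked
LOCKOUT = 15 * 60     # seconds an account or IP stays locked

class LoginThrottle:
    """Sliding-window failure counters per account and per source IP."""

    def __init__(self):
        self.failures = {"account": defaultdict(deque), "ip": defaultdict(deque)}
        self.locked_until = {"account": {}, "ip": {}}

    def _recent(self, kind, key, now):
        q = self.failures[kind][key]
        while q and q[0] <= now - WINDOW:   # drop failures that aged out of the window
            q.popleft()
        return q

    def _locked(self, kind, key, now):
        until = self.locked_until[kind].get(key)
        return until is not None and now < until

    def check(self, account, ip, now):
        """'locked': refuse before verifying the password; 'allow': go on to verify it."""
        if self._locked("account", account, now) or self._locked("ip", ip, now):
            return "locked"
        return "allow"

    def record_failure(self, account, ip, now):
        for kind, key, limit in (("account", account, ACCOUNT_LIMIT), ("ip", ip, IP_LIMIT)):
            q = self._recent(kind, key, now)
            q.append(now)
            if len(q) >= limit:
                self.locked_until[kind][key] = now + LOCKOUT
                q.clear()

    def record_success(self, account):
        self.failures["account"][account].clear()   # the IP's history is kept on purpose

def simulate(attempts):
    """attempts: (time_seconds, account, source_ip, password_correct) in time order.
    Returns one decision per attempt: 'locked', 'fail' or 'ok'."""
    throttle, decisions = LoginThrottle(), []
    for now, account, ip, correct in attempts:
        if throttle.check(account, ip, now) == "locked":
            decisions.append("locked")
        elif correct:
            throttle.record_success(account)
            decisions.append("ok")
        else:
            throttle.record_failure(account, ip, now)
            decisions.append("fail")
    return decisions

# Constructed scenarios using RFC 5737 documentation addresses.
def single_ip_many_accounts():
    # One source guesses 20 accounts, then presents a correct password: the IP limit blocks it.
    attempts = [(i, f"user{i}", "192.0.2.5", False) for i in range(20)]
    return simulate(attempts + [(20, "user20", "192.0.2.5", True)])

def many_ips_one_account():
    # Five sources fail once each against 'alice' (the distributed case): no IP limit trips,
    # the account limit does, and it also refuses alice's own correct login until LOCKOUT ends.
    attempts = [(i, "alice", f"203.0.113.{i}", False) for i in range(1, 6)]
    return simulate(attempts + [(6, "alice", "203.0.113.99", True)])
```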
May 4th, 2007 at 9:34 AM
My password is my mother’s car’s number plate, in fact it used to be but it’s not anymore, but it is for additional passwords :]
Unless you stalk my mother, you’ll never get it :O
May 4th, 2007 at 9:46 AM
I agree that verifying by IP address isn’t all that good of a security check.
With homes built so close together and wifi in just about every home, people have many choices of an IP address.
I myself have a choice of 6 not counting my own that I could log on with. In an earlier blog another person mentioned how when her son is playing his online games and eating up the bandwidth she takes her laptop in her car and finds a strong signal to log onto SL.
I guess this new feature can be a bit annoying but Ill take that over being ripped off by some thief that has cracked my password.
May 4th, 2007 at 10:04 AM
My advice would be to use two “non dictionary” words, add some numbers and maybe a character or two somewhere in there somewhere.
Even dictionary words, with sufficient characters replaced and obscured by letters and numbers is good.
Such as:
Choose two totally random words
Replace each vowel with a number
Add some non alpha characters
“airplanehaddock” becomes “$12rpl3n4%h5dd6ck@”
That will foil anyone guessing and a dictionary attack. The only way someone will get that is by some other method. Unless they have a few years for a brute force attack!
If you use “god”, “cat”, “password” or something similar then you’re asking for trouble. Even “steve1” is pathetic.
If you can’t remember your password…. get a games console!
May 4th, 2007 at 10:20 AM
Why would I need a good password if I can’t even LOG IN??????
May 4th, 2007 at 10:21 AM
Personally I use this site:
http://www.webcogs.com/passwordgenerator.aspx
Pronounceable passwords: easy to remember, medium strength and they don’t contain any words from the English dictionary. If you want to test the strength of your password (current or new) I usually use this strength gauge:
http://www.microsoft.com/athome/security/privacy/password_checker.mspx
May 4th, 2007 at 10:32 AM
thanks for the password checker link Sable. Works great
May 4th, 2007 at 10:36 AM
What is going on? I can’t log in to Second Life. I tried changing my password, that never helped, and I can’t find anything on the subject besides something about password security. HELP PLZ !
May 4th, 2007 at 10:36 AM
@39 Yes, I have already in post number 25 or so said I can’t use the captcha, and I can’t. I want to sell some Lindens but I can’t get past it.
May 4th, 2007 at 10:39 AM
[...] Most of my friends know how much I ROFL when I see furious comments on the SL blog…but this one is teh funnest It’s posted in a blog post about strong passwords - and since the grid is [...]
May 4th, 2007 at 10:39 AM
Aww, great.
Now they don’t post my comment.
Nice going here….