Old 01-24-2004, 01:31 PM   #1
Libertine
sex dwarf
 
Join Date: May 2002
Posts: 17,860
How to create strong password for your admin areas and such

Obviously, you want your admin areas and other important stuff to be secure. So, you need a strong password. Preferably something long, and at the very least containing numbers as well as letters. The only problem with this is that you'll never be able to remember it... and keeping it on your pc can be rather insecure, as well as extremely annoying if your hd dies or you lose the file it's in.

So, just take something that is easy to remember (for you), and hash it using md5, sha-1 or something similar. You'll get a password that will be hella-hard to break for crackers, but you'll easily be able to get it any time you want. Just remember to keep your encryption app/page somewhere handy
__________________
/(bb|[^b]{2})/
Old 01-24-2004, 01:42 PM   #2
Freakster
Confirmed User
 
Join Date: Jul 2002
Location: Montreal
Posts: 833
that's pretty smart
__________________
174-38-56
Old 01-24-2004, 01:47 PM   #3
pamphage
Confirmed User
 
Join Date: Jan 2003
Location: Hollywood, CA
Posts: 3,569
Quote:
Originally posted by punkworld
Obviously, you want your admin areas and other important stuff to be secure. So, you need a strong password. Preferably something long, and at the very least containing numbers as well as letters. The only problem with this is that you'll never be able to remember it... and keeping it on your pc can be rather insecure, as well as extremely annoying if your hd dies or you lose the file it's in.

So, just take something that is easy to remember (for you), and hash it using md5, sha-1 or something similar. You'll get a password that will be hella-hard to break for crackers, but you'll easily be able to get it any time you want. Just remember to keep your encryption app/page somewhere handy
good idea. i've been meaning to stop using 123abc anyway
Old 01-24-2004, 01:51 PM   #4
beemk
CLICK HERE
 
Join Date: Jan 2002
Posts: 20,829
sending this page to the password boards....
__________________
I host with Vacares
Old 01-24-2004, 02:05 PM   #5
Libertine
sex dwarf
 
Join Date: May 2002
Posts: 17,860
Quote:
Originally posted by beemk
sending this page to the password boards....
Go ahead. It won't make it much easier to brute force a 32 character string (like md5), and there are quite a few different encoding algos out there, so to get them all they'd have to create even huger password lists... up to the point where using a list takes almost as much time as brute forcing


Another tip, for very inexperienced programmers: if you store passwords in a database, don't store passwords in plain text form. Instead, use a one way hash like md5. If people lose their password, resend them a reset random password, which they can change again in their accounts.
This way, if your database ever gets compromised, the stupid ones among your customers (i.e. the ones that use a single password for all their stuff) have less chance of getting screwed - and blaming you, because you were the one that leaked their password.
(of course crackers can still run wordlists against the hashes and have a fairly good chance of finding weak passes that way, but it's better than nothing)
__________________
/(bb|[^b]{2})/
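The storage scheme from post #5, as an added example that is not part of the thread: it stores a one-way hash instead of the plain text and issues a random password on reset. It swaps plain md5 for salted PBKDF2-HMAC-SHA256 so that identical passwords do not produce identical records and each wordlist guess costs more; the function names, the `users` dict and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor; value assumed for this example

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def hash_password(password: str) -> str:
    """Return 'salt$hash' (hex) for the database; the plain text is never stored."""
    salt = secrets.token_bytes(16)  # fresh random salt per account
    return salt.hex() + "$" + _derive(password, salt).hex()

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, hash_hex = stored.split("$")
    candidate = _derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

def reset_password(users: dict, username: str) -> str:
    """Lost password: store the hash of a new random password and return the
    password once, so it can be sent to the user and changed after login."""
    new_password = secrets.token_urlsafe(12)
    users[username] = hash_password(new_password)
    return new_password

def unsalted_md5(password: str) -> str:
    """Plain md5 of the password, shown only for comparison."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    # Constructed sample accounts that share one weak password.
    users = {"alice": hash_password("123abc"), "bob": hash_password("123abc")}
    print(users["alice"] == users["bob"])                    # salted: records differ
    print(unsalted_md5("123abc") == unsalted_md5("123abc"))  # unsalted: identical
    print(verify_password("123abc", users["alice"]))
    print(verify_password("123ABC", users["alice"]))         # case matters
```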
Old 01-24-2004, 02:07 PM   #6
JOKER
Facit Omnia Voluntas
 
Join Date: Apr 2003
Location: Offshore
Posts: 2,105
Good Idea, thanx 4 sharing


Take care,
JOKER
__________________
Facilitation - BizDev - Traffic - Consulting - Marketing
Skype: jokerempire | Silent Circle: joker

Old 01-24-2004, 02:09 PM   #7
Paul Waters
Confirmed User
 
Join Date: Mar 2003
Location: Toronto, Ontario
Posts: 4,402
I use cock10in

Very secure, and easy to remember.
__________________


Paul
Old 01-24-2004, 02:12 PM   #8
Libertine
sex dwarf
 
Join Date: May 2002
Posts: 17,860
Quote:
Originally posted by punkworld
(of course crackers can still run wordlists against the hashes and have a fairly good chance of finding weak passes that way, but it's better than nothing)
Which brings me to the next tip...
If you have any type of protected area for which people can choose their own passes, you should keep a wordlist. Just rip a big one from one of the password forums, and try to keep it up to date.

Make your script check every new username password against the wordlist, and if it's in there, give the person signing up a "username (or password) already exists"-error.

That way, most wordlists will be useless against your sites, and crackers have way less of a chance of getting in
__________________
/(bb|[^b]{2})/
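The signup check described in post #8, as an added example that is not part of the thread. It assumes a wordlist with one password per line, matches case-insensitively, and also rejects a password equal to the username; the sample wordlist, the names and the `taken_usernames` set are constructed for this example.

```python
# Constructed sample wordlist; a real deployment would load a large file.
SAMPLE_WORDLIST = """\
123abc
password
letmein
qwerty
"""

# The deliberately vague message suggested in the post.
ERROR = "username (or password) already exists"

def load_wordlist(text: str) -> set:
    """One entry per line, case-folded so 'PassWord' matches 'password'."""
    return {line.strip().casefold() for line in text.splitlines() if line.strip()}

def check_signup(username: str, password: str,
                 taken_usernames: set, wordlist: set):
    """Return None if the signup is acceptable, otherwise the error to show.

    taken_usernames holds case-folded names, so 'Alice' and 'alice' collide.
    Case-folding here is only for the lookup; the password itself is stored
    and verified case-sensitively elsewhere.
    """
    name = username.strip().casefold()
    if not name or name in taken_usernames:
        return ERROR
    candidate = password.casefold()
    if candidate in wordlist:   # listed password, in any letter case
        return ERROR
    if candidate == name:       # password is just the username
        return ERROR
    return None

if __name__ == "__main__":
    wordlist = load_wordlist(SAMPLE_WORDLIST)
    taken = {"alice"}
    for user, pw in [("newuser", "123abc"), ("Alice", "v9#Lq2-unlisted"),
                     ("newuser", "NewUser"), ("newuser", "v9#Lq2-unlisted")]:
        print(user, pw, "->", check_signup(user, pw, taken, wordlist) or "ok")
```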
Old 01-24-2004, 02:13 PM   #9
Libertine
sex dwarf
 
Join Date: May 2002
Posts: 17,860
Quote:
Originally posted by Paul Waters
I use cock10in

Very secure, and easy to remember.
But since you probably wouldn't post your password on this board, I suppose the real one is slightly different? Something like cock4in maybe?
__________________
/(bb|[^b]{2})/
Old 01-24-2004, 02:20 PM   #10
Calvinguy
Confirmed User
 
Join Date: Oct 2002
Location: European Union
Posts: 1,752
I feel like adding....


As a common rule you never make a username case-sensitive but passwords should always be case-sensitive.
Old 01-24-2004, 02:46 PM   #11
Paul Waters
Confirmed User
 
Join Date: Mar 2003
Location: Toronto, Ontario
Posts: 4,402
Quote:
Originally posted by punkworld


But since you probably wouldn't post your password on this board, I suppose the real one is slightly different? Something like cock4in maybe?
It is really cock14in, but if I posted that, I would get shit for braggin'
__________________


Paul