antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

4 recommendations

Anatomy of a hack: How crackers ransack passwords ...

»arstechnica.com/security/2013/05···sswords/

"For Ars, three crackers have at 16,000+ hashed passcodes—with 90 percent success..."

Three-page article that was interesting to read.


FFH
Premium
join:2002-03-03
Tavistock NJ
kudos:5

3 recommendations

said by antdude:

»arstechnica.com/security/2013/05···sswords/

"For Ars, three crackers have at 16,000+ hashed passcodes—with 90 percent success..."

Three-page article that was interesting to read.

Very discouraging. I would hope banks, brokers, & other financial sites have better hashing algorithms than general web sites.
--
"If you want to anger a conservative lie to him.
If you want to anger a liberal tell him the truth."


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

4 recommendations

And users have to accept some responsibility as well, as simple passwords are going to fall quickly, as shown. Password managers/generators really are a good thing, as randomly generated passwords go a long way to defeating patterns etc.

{OkWqI]kvi)9!e9An;$X

and

EJa!rP+XK>NZ-v#t4WYr

for example can be had, but it's going to take some time, and chances are the crackers will be content with the lower-hanging fruit and stop before they get to your password. Combine that with every site having a unique password and you have some built-in damage control if a password is given up somewhere. Of course it means you have to defend your password collection, but it's easier to do that than defend 50 individual passwords in the wild.

All in all a worthy read.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel

1 recommendation

said by Link Logger:

randomly generated passwords go a long way to defeating patterns etc.

{OkWqI]kvi)9!e9An;$X

and

EJa!rP+XK>NZ-v#t4WYr

Good luck remembering that! I know I can't.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

2 recommendations

I certainly can't remember those passwords either, but that is why I use a password manager as then really all I have to remember is one password and I get the benefit of having unique, funky, long, pattern independent, etc passwords everywhere.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

TheMG
Premium
join:2007-09-04
Canada
kudos:3

1 recommendation

But what if you have to use a computer or device that does not have the password manager installed, what then?

Also, what if the password to your password manager, along with its associated encrypted stored passwords, becomes compromised?


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 recommendation

said by TheMG:

But what if you have to use a computer or device that does not have the password manager installed, what then?

No problem as I have my password manager on my phone which is with me all the time.

said by TheMG:

Also, what if the password to your password manager, along with its associated encrypted stored passwords, becomes compromised?

Then they have struck gold and I'm buck naked running down the middle of the freeway at rush hour. I didn't say it was without risk, but I think having to manage 1 complex password for my password manager is a lot easier and safer than having to manage 50 complex passwords for all the sites you deal with. The problem, from the article, is that 50 trivial, simple, short passwords aren't secure at all.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool


ashrc4
Premium
join:2009-02-06
australia
reply to antdude
"Hacked" 1600 hashes. You mean "Converted"?
So are they saying you should use a Bitcoin key as a password and the company stores the other?
--
Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel
reply to Link Logger
said by Link Logger:

my phone which is with me all the time.

Something which I don't have.

Oh well, I'll stick to using long, yet memorable, passwords that are unique to each site.

At least, if one site gets compromised, that limits the damage to only one account.

And hopefully my bank has better security than the average website.


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to antdude
Another great article by Dan Goodin.

The end quote is great.

quote:
When academics and some websites gauge susceptibility to cracking, "they always assume the best possible passwords, when it's exactly the opposite. They choose the worst."

There is a massive difference between a brute force attack and an educated attack.

What makes a password great is a long random string of characters including upper case, lower case, numbers, and symbols. The problem is you can't make one up for every site you visit.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein
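Added example, not from the thread or the Ars article: a small Python cracker run against a constructed dump of unsalted MD5 hashes. It shows the "educated attack" Kilroy describes (a wordlist plus mangling rules: capitalisation, leetspeak, suffixes, years) recovering the pattern-based passwords in well under a thousand guesses, while one of Link Logger's random 20-character strings survives and is only reachable by brute force over the whole keyspace. The sample passwords, the wordlist and the 1e10 guesses-per-second rate are all assumptions made for the example.

```python
import hashlib
import string

# Constructed sample dump: unsalted MD5 hashes of six passwords, stored the
# way the sites in the article stored theirs. The plaintexts appear here only
# so the result can be checked; the cracker works from TARGET_HASHES alone.
SAMPLE_PLAINTEXTS = [
    "password1", "Summer2013", "d0g", "Sunshine!", "qwerty123",
    "{OkWqI]kvi)9!e9An;$X",   # one of Link Logger's generated examples
]
TARGET_HASHES = {hashlib.md5(p.encode()).hexdigest() for p in SAMPLE_PLAINTEXTS}

# A deliberately tiny wordlist; real attacks use millions of entries.
WORDLIST = ["password", "summer", "dog", "sunshine", "qwerty", "letmein", "dragon"]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word):
    """Yield candidates derived from one dictionary word: capitalisation,
    leetspeak, common suffixes and years. These are the rules an 'educated'
    attack applies long before it resorts to brute force."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base in bases:
        yield base
        for suffix in ("!", "1", "12", "123", "1234", "1!", "123!"):
            yield base + suffix
        for year in range(1990, 2014):
            yield base + str(year)


def dictionary_attack(hashes, wordlist):
    """Return ({hash: plaintext} for every hash a mangled entry hits,
    number of guesses spent)."""
    cracked = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = hashlib.md5(candidate.encode()).hexdigest()
            if digest in hashes and digest not in cracked:
                cracked[digest] = candidate
    return cracked, guesses


PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def brute_force_seconds(length, alphabet_size=len(PRINTABLE), guesses_per_second=1e10):
    """Seconds to try every string of exactly `length` characters. The guess
    rate is an assumed figure for a fast unsalted hash on GPU hardware, not a
    measurement; the exponent, not the constant, is the point."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    found, spent = dictionary_attack(TARGET_HASHES, WORDLIST)
    print(f"{len(found)} of {len(TARGET_HASHES)} hashes cracked with {spent} guesses:")
    for digest, plain in found.items():
        print(f"  {digest}  {plain}")
    years = brute_force_seconds(20) / (365.25 * 86400)
    print(f"exhausting 20 printable characters at 1e10/s: {years:.2e} years")
```

Five of the six hashes fall to a seven-word list with simple rules; the random string is untouched, and the only route to it is the 94^20 search the last line prices out. That is the asymmetry the article's crackers exploit: they do not brute-force, they guess the way people choose.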


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to TheMG
said by TheMG:

But what if you have to use a computer or device that does not have the password manager installed, what then?

Use LastPass. If you can get online you can get your passwords. Plus applications or plugins for most devices.

said by TheMG:

Also, what if the password to your password manager, along with its associated encrypted stored passwords, becomes compromised?

No problem, I have two factor authentication using a Yubikey. If you get my phone it better be unlocked (which means you took it out of my hand while I was using it), otherwise you have to get that password too (which thanks to work is letters, numbers, and symbols). If you leave it on then enjoy talking to the boys in blue when they find my phone as they will be able to easily track it.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy
reply to Link Logger
said by Link Logger:

I certainly can't remember those passwords either, but that is why I use a password manager as then really all I have to remember is one password and I get the benefit of having unique, funky, long, pattern independent, etc passwords everywhere.

Blake

+1. I never thought that a manager would be needed when I started computing so long ago. Now, I can't remember my name let alone a decent password. And the ability to get to those passwords when on another computer from anywhere or to print the passwords to take with me somewhere is also fabulous. If, at some point, we meet running naked, stop and we'll chat.
--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay



javaMan
The Dude abides.
Premium,MVM
join:2002-07-15
San Luis Obispo, CA

1 edit
reply to TheMG
said by TheMG:

said by Link Logger:

my phone which is with me all the time.

Something which I don't have.

Oh well, I'll stick to using long, yet memorable, passwords that are unique to each site.

At least, if one site gets compromised, that limits the damage to only one account.

And hopefully my bank has better security than the average website.

Before I had a smartphone to carry my password manager I used a portable version. I kept it and the database on a thumb-drive. Worked well. As far as someone getting access to the database, that depends on the master password. And I'd say it is going to be much more difficult to get that than someone obtaining my hashed password from a hacked site. And last time I checked it would take around 165 centuries to brute force my master password, which is what it would take to crack it.

All in all, using a password manager that will generate strong unique passwords for all of your online and other accounts can't be undervalued. I recommend one to everyone I know.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20


Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to Link Logger
said by Link Logger:

{OkWqI]kvi)9!e9An;$X

and

EJa!rP+XK>NZ-v#t4WYr

You stole my passwords!


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to antdude
Now if only more sites allowed symbols, such as ( ) ! / \ @ # $ % etc., I would be able to use a simple formula to create strong but memorable passwords in more places.

The problem is, there are still many that don't--and one of them is a bank I used to bank at. Not to say that I closed my account because of their stupid obsolete password system. I had other reasons.
--
Think Outside the Fox.


MiNdErAsR
Dark Lord of Sriracha

join:2000-11-25

1 recommendation

reply to Link Logger
said by Link Logger:

{OkWqI]kvi)9!e9An;$X

and

EJa!rP+XK>NZ-v#t4WYr

These are the types of passwords that I generally use. However most banking sites don't allow symbols, nor more than 8 characters. In fact some only allow 4 digit pin type passwords. How does one protect themselves when the banks are the weak link?
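Added example, not from the thread: a generator and entropy calculation in Python showing why an estimate like javaMan's "165 centuries" holds for a password-manager string drawn uniformly from 94 symbols, and why it collapses under the length and character-set limits MiNdErAsR and TheMG describe. The site policies and the offline guess rate are constructed assumptions, not any real bank's rules; the generator uses the `secrets` module from the standard library.

```python
import math
import secrets
import string

FULL = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed site policies (hypothetical, not any real bank's rules),
# modelled on the restrictions mentioned in the thread.
POLICIES = {
    "generic site":         {"max_len": 64, "alphabet": FULL},
    "bank, 8 alphanumeric": {"max_len": 8,  "alphabet": string.ascii_letters + string.digits},
    "bank, 6-digit PIN":    {"max_len": 6,  "alphabet": string.digits},
}


def generate(length, alphabet=FULL):
    """Draw every character independently and uniformly from the OS CSPRNG,
    which is what a password manager's generator should do. No patterns,
    so rule-based cracking gains nothing over brute force."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly generated password. Meaningless for a
    human-chosen one, which is exactly the gap the article's crackers exploit."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst case for the attacker: every candidate tried. Expected time is
    half of this. The rate is an assumption supplied by the caller."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


def strongest_allowed(policy, requested_len=20):
    """The best a generator can do under a site's policy: the longest
    permitted password over the permitted alphabet, with its entropy."""
    length = min(requested_len, policy["max_len"])
    alphabet = policy["alphabet"]
    return generate(length, alphabet), entropy_bits(length, len(alphabet))


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guesses per second against a fast unsalted hash
    for name, policy in POLICIES.items():
        pw, bits = strongest_allowed(policy)
        print(f"{name:22s} {pw:22s} {bits:6.1f} bits  {years_to_exhaust(bits, RATE):.2e} years")
```

At the assumed rate a 20-character string from the full set takes on the order of 1e21 years to exhaust, eight alphanumerics fall in hours, and a six-digit PIN in a fraction of a millisecond. The number only describes the generator; a "memorable" password built by a formula has far less entropy than its length suggests, because the formula is the pattern the rules in a cracker are written to catch.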

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to antdude
a) I need an aspirin after getting dragged through the mud of the nuts and bolts of how they did this -- okay, so I never had a head for math, I admit.

b) shows how most of the world STILL never learn about their passwords -- HOW many were of dictionary words in those examples they were cracking?

/raises hand

Regards


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to MiNdErAsR
said by MiNdErAsR:

However most banking sites don't allow symbols, nor more than 8 characters. In fact some only allow 4 digit pin type passwords. How does one protect themselves when the banks are the weak link?

The reality is that your password is more likely to be lost by the organization that requires it than to be brute forced. Password attacks these days are run against an offline hash file. The main thing is to have different passwords for every site, so when, not if, one of the sites loses your password you don't have more than the one compromised site.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel
reply to MiNdErAsR
said by MiNdErAsR:

However most banking sites don't allow symbols, nor more than 8 characters. In fact some only allow 4 digit pin type passwords. How does one protect themselves when the banks are the weak link?

My bank is one of those, they require a 6-digit pin. No letters or symbols allowed.

However, you also need two other key pieces of information:

-debit card number (this serves as the username)
-correct answer to one of 4 randomly chosen security questions

You only get 3 attempts, after which the online banking account is locked out (assuming a correct debit card number).

I'm going to assume that a major bank should have their servers very well secured to prevent password hashes and answers to security questions from being stolen. If they are secure, then I don't see a problem with the 6-digit pins. With only 3 chances to get it all right, it's doubtful any hacker is going to be able to correctly "guess", unless the user chose a really stupid pin like "123456" or "111111" and easily guessed answers to security questions.

Only thing they could do better, however, is to provide a two-factor authentication keychain dongle. I would definitely sign up for that.
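Added example, not from the thread: the 6-digit PIN case worked through in Python. It gives the probability of beating a three-attempt lockout online, then shows the same PIN once its hash has leaked, where the lockout no longer applies: an unsalted MD5 hash is exhausted in about a second, and a salted, iterated PBKDF2 hash (the "better hashing" FFH hopes for) multiplies the attacker's cost by orders of magnitude but still cannot rescue a million-entry keyspace. That is Kilroy's point that the attack to worry about is the offline hash file. The PIN, the iteration count and the timings are constructed or assumed; the card number and security question from TheMG's post are not modelled, so the online figure is the attacker's best case against the PIN alone.

```python
import hashlib
import hmac
import os
import time

PIN_SPACE = 10 ** 6           # six decimal digits


def online_success_probability(attempts_before_lockout, keyspace=PIN_SPACE):
    """Chance of beating the lockout on one account by guessing a uniformly
    chosen PIN with no other information. With 3 attempts against a
    million PINs this is 3e-6 per account; the card number and security
    question that a real login also needs are ignored here."""
    return attempts_before_lockout / keyspace


def fast_hash(pin):
    # Unsalted MD5: the kind of storage the article's crackers were up against.
    return hashlib.md5(pin.encode()).hexdigest()


def crack_fast_hash(target):
    """Offline there is no lockout: try every PIN against the leaked hash."""
    for n in range(PIN_SPACE):
        candidate = f"{n:06d}"
        if fast_hash(candidate) == target:
            return candidate
    return None


ITERATIONS = 100_000   # assumed work factor; tune to the server's budget


def slow_hash(pin, salt, iterations=ITERATIONS):
    # Salted, iterated PBKDF2-HMAC-SHA256: every guess costs the attacker
    # `iterations` HMACs, and the per-user salt defeats precomputed tables.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def make_record(pin):
    """What the server stores instead of fast_hash(pin)."""
    salt = os.urandom(16)
    return salt, slow_hash(pin, salt)


def verify(pin, record):
    salt, digest = record
    return hmac.compare_digest(slow_hash(pin, salt), digest)


def exhaust_seconds(hash_fn, sample):
    """Time `sample` guesses with hash_fn and scale to the whole PIN space."""
    start = time.perf_counter()
    for n in range(sample):
        hash_fn(f"{n:06d}")
    return (time.perf_counter() - start) / sample * PIN_SPACE


if __name__ == "__main__":
    pin = "048315"   # constructed
    print(f"online, 3 tries then lockout: p = {online_success_probability(3):.1e}")
    print(f"offline against MD5: recovered {crack_fast_hash(fast_hash(pin))}")
    salt = os.urandom(16)
    fast = exhaust_seconds(fast_hash, 20_000)
    slow = exhaust_seconds(lambda p: slow_hash(p, salt), 5)
    print(f"exhausting the PIN space: MD5 ~{fast:.2f}s, PBKDF2 ~{slow:.0f}s ({slow / fast:.0f}x)")
```

The slow hash turns a one-second job into hours per PIN on a single core, which is real protection for a stolen dump of long passwords; for a six-digit space it only buys time, because a million guesses is a million guesses. Once the hash file is gone the lockout is irrelevant, so the 6-digit scheme stands or falls on the bank never losing that file.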


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to jaykaykay
said by jaykaykay:

If, at some point, we meet running naked, stop and we'll chat.

Looking forward to it
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online
reply to TheMG
said by TheMG:

But what if you have to use a computer or device that does not have the password manager installed, what then?

From a security standpoint the odds that I would ever use a password on a computer that does not have a password manager installed should approach zero. If I have not installed a password manager I probably do not control the computer and should not be using a password on it since that would risk compromising the password/account.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable
reply to Link Logger
said by Link Logger:

said by jaykaykay:

If, at some point, we meet running naked, stop and we'll chat.

Looking forward to it

Woohoo! Let us know when and where! :P
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


ashrc4
Premium
join:2009-02-06
australia
reply to ashrc4
said by ashrc4:

"Hacked" 1600 hashes. You mean "Converted"?
So are they saying you should use a Bitcoin key as a password and the company stores the other?

OK, Lavabit knew what I was getting at:
quote:
The secure mail storage process uses asymmetric encryption to ensure the privacy of messages while being stored on the Lavabit servers. Asymmetric encryption is a process that uses public key and private key encryption to make messages unreadable without knowing a user's plaintext password. Presently we use Elliptical Curve Cryptography (ECC) with 512 bits of security to encrypt messages. The private, or decryption, key is then encrypted with a user’s password using the Advanced Encryption Standard (AES) and 256 bits of security. The result is that once a message is stored on our servers in this fashion, it can’t be recovered without knowing a user's password. This provides a priceless level of security, particularly for customers that use e-mail to exchange sensitive information. You can learn more about our asymmetric encryption technology by reading our white paper on the subject.

»lavabit.com/features.html sourced from article »www.dailykos.com/story/2013/07/1···gestions
--
Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!


Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to Link Logger
said by Link Logger:

I certainly can't remember those passwords either, but that is why I use a password manager as then really all I have to remember is one password and I get the benefit of having unique, funky, long, pattern independent, etc passwords everywhere.

Blake

+2
--
"Graffiti Wall" Dustyn's Wall »[Serious] RIP