antdude (Matrix Ant) Premium Member join:2001-03-25 US
4 recommendations
2013-May-28 12:03 am
Anatomy of a hack: How crackers ransack passwords ... » arstechnica.com/security ··· sswords/
"For Ars, three crackers have at 16,000+ hashed passcodes with 90 percent success..."
Three-page article that was interesting to read.
FFH5 Premium Member join:2002-03-03 Tavistock NJ
3 recommendations
2013-May-28 12:37 am
Very discouraging. I would hope banks, brokers, & other financial sites have better hashing algorithms than general web sites.
Link Logger
4 recommendations
And users have to accept some responsibility as well, as simple passwords are going to fall quickly as shown. Password managers/generators really are a good thing, as randomly generated passwords go a long way to defeating patterns etc.
{OkWqI]kvi)9!e9An;$X
and
EJa!rP+XK>NZ-v#t4WYr
for example can be had, but it's going to take some time and chances are the crackers will be content with the lower hanging fruit and stop before they get to your password. Combine that with a unique password for every site and you have some built-in damage control if a password is given up somewhere. Of course it means you have to defend your password collection, but it's easier to do that than defend 50 individual passwords in the wild.
All in all a worthy read.
Blake
TheMG Premium Member join:2007-09-04 Canada
1 recommendation
2013-May-28 1:15 am
said by Link Logger:
> randomly generated passwords go a long way to defeating patterns etc.
> {OkWqI]kvi)9!e9An;$X
> and
> EJa!rP+XK>NZ-v#t4WYr

Good luck remembering that! I know I can't.
Link Logger
2 recommendations
I certainly can't remember those passwords either, but that is why I use a password manager, as then really all I have to remember is one password and I get the benefit of having unique, funky, long, pattern independent, etc. passwords everywhere.
Blake
TheMG Premium Member join:2007-09-04 Canada
1 recommendation
2013-May-28 1:20 am
But what if you have to use a computer or device that does not have the password manager installed, what then?
Also, what if the password to your password manager, along with its associated encrypted stored passwords, becomes compromised?
Link Logger
1 recommendation
said by TheMG:
> But what if you have to use a computer or device that does not have the password manager installed, what then?

No problem, as I have my password manager on my phone, which is with me all the time.

said by TheMG:
> Also, what if the password to your password manager, along with its associated encrypted stored passwords, becomes compromised?

Then they have struck gold and I'm buck naked running down the middle of the freeway at rush hour. I didn't say it was without risk, but I think having to manage 1 complex password for my password manager is a lot easier and safer than having to manage 50 complex passwords for all the sites you deal with. The problem, from the article, is that 50 trivial, simple, short passwords aren't secure at all.
Blake
ashrc4 Premium Member join:2009-02-06 australia
to antdude
"Hacked" 1600 hashes. You mean "Converted"? So are they saying you should use a Bitcoin key as a password and the company stores the other?
TheMG Premium Member join:2007-09-04 Canada
to Link Logger
said by Link Logger:
> my phone which is with me all the time.

Something which I don't have. Oh well, I'll stick to using long, yet memorable, passwords that are unique to each site. At least, if one site gets compromised, that limits the damage to only one account. And hopefully my bank has better security than the average website.
Kilroy MVM join:2002-11-21 Saint Paul, MN
to antdude
Another great article by Dan Goodin. The end quote is great.
quote:
> When academics and some websites gauge susceptibility to cracking, "they always assume the best possible passwords, when it's exactly the opposite. They choose the worst."

There is a massive difference between a brute force attack and an educated attack. What makes a password great is a long random string of characters including upper case, lower case, numbers, and symbols. The problem is you can't make one up for every site you visit.
Kilroy
to TheMG
said by TheMG:
> But what if you have to use a computer or device that does not have the password manager installed, what then?

Use LastPass. If you can get online you can get your passwords. Plus applications or plugins for most devices.

said by TheMG:
> Also, what if the password to your password manager, along with its associated encrypted stored passwords, becomes compromised?

No problem, I have two factor authentication using a Yubikey. If you get my phone it better be unlocked (which means you took it out of my hand while I was using it), otherwise you have to get that password too (which thanks to work is letters, numbers, and symbols). If you leave it on then enjoy talking to the boys in blue when they find my phone, as they will be able to easily track it.
jaykaykay
to Link Logger
said by Link Logger:
> I certainly can't remember those passwords either, but that is why I use a password manager as then really all I have to remember is one password and I get the benefit of having unique, funky, long, pattern independent, etc passwords everywhere.
> Blake

+1. I never thought that a manager would be needed when I started computing so long ago. Now, I can't remember my name let alone a decent password. And the ability to get to those passwords when on another computer from anywhere, or to print the passwords to take with me somewhere, is also fabulous. If, at some point, we meet running naked, stop and we'll chat.
javaMan (The Dude abides.) MVM join:2002-07-15 San Luis Obispo, CA
to TheMG
said by TheMG:
> said by Link Logger:
> > my phone which is with me all the time.
> Something which I don't have. Oh well, I'll stick to using long, yet memorable, passwords that are unique to each site. At least, if one site gets compromised, that limits the damage to only one account. And hopefully my bank has better security than the average website.

Before I had a smartphone to carry my password manager I used a portable version. I kept it and the database on a thumb-drive. Worked well. As far as someone getting access to the database, that depends on the master password. And I'd say it is going to be much more difficult to get that than someone obtaining my hashed password from a hacked site. And last time I checked it would take around 165 centuries to brute force my master password, which is what it would take to crack it. All in all, using a password manager that will generate strong unique passwords for all of your online and other accounts can't be undervalued. I recommend one to everyone I know.
Dustyn Premium Member join:2003-02-26 Ontario, CAN
to Link Logger
said by Link Logger:
> {OkWqI]kvi)9!e9An;$X
> and
> EJa!rP+XK>NZ-v#t4WYr

You stole my passwords!
sivran (Vive Vivaldi) Premium Member join:2003-09-15 Irving, TX
to antdude
Now if only more sites allowed symbols, such as ( ) ! / \ @ # $ % etc., I would be able to use a simple formula to create strong but memorable passwords in more places.
The problem is, there are still many that don't--and one of them is a bank I used to bank at. Not to say that I closed my account because of their stupid obsolete password system. I had other reasons.
MiNdErAsR (Dark Lord of Sriracha) join:2000-11-25 Outer Limits
1 recommendation
to Link Logger
said by Link Logger:
> {OkWqI]kvi)9!e9An;$X
> and
> EJa!rP+XK>NZ-v#t4WYr

These are the types of passwords that I generally use. However most banking sites don't allow symbols, nor more than 8 characters. In fact some only allow 4 digit pin type passwords. How does one protect themselves when the banks are the weak link?
to antdude
a) I need an aspirin after getting dragged through the mud of the nuts and bolts of how they did this -- okay, so I never had a head for math, I admit.
b) shows how most of the world STILL never learn about their passwords -- HOW many were dictionary words in those examples they were cracking?
/raises hand
Regards
Kilroy MVM join:2002-11-21 Saint Paul, MN
to MiNdErAsR
said by MiNdErAsR:
> However most banking sites don't allow symbols, nor more than 8 characters. In fact some only allow 4 digit pin type passwords. How does one protect themselves when the banks are the weak link?

The reality is that your password is more likely to be lost by the organization that requires it than to be brute forced. Password attacks these days are run against an offline hash file. The main thing is to have different passwords for every site, so when, not if, one of the sites loses your password you don't have more than the one compromised site.
TheMG Premium Member join:2007-09-04 Canada
to MiNdErAsR
said by MiNdErAsR:
> However most banking sites don't allow symbols, nor more than 8 characters. In fact some only allow 4 digit pin type passwords. How does one protect themselves when the banks are the weak link?

My bank is one of those, they require a 6-digit pin. No letters or symbols allowed. However, you also need two other key pieces of information:
- debit card number (this serves as the username)
- correct answer to one of 4 randomly chosen security questions
You only get 3 attempts, after which the online banking account is locked out (assuming a correct debit card number). I'm going to assume that a major bank should have their servers very well secured to prevent password hashes and answers to security questions from being stolen. If they are secure, then I don't see a problem with the 6-digit pins. With only 3 chances to get it all right, it's doubtful any hacker is going to be able to correctly "guess", unless the user chose a really stupid pin like "123456" or "111111" and easily guessed answers to security questions. Only thing they could do better, however, is to provide a two-factor authentication keychain dongle. I would definitely sign up for that.
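The guess-space arithmetic behind several posts in this thread (Link Logger's random 20-character passwords, javaMan's brute-force estimate, Kilroy's point that attacks run against an offline hash file, and TheMG's 6-digit PIN behind a 3-attempt lockout), as an added Python example that is not part of the thread or the Ars article. The guess rate, the symbol set and the sample passwords are constructed assumptions; a real offline rate depends on which hash the site used, which is FFH5's point about hashing algorithms.

```python
"""Guess-space and crack-time model for the password types debated in the thread.

Added example, not from the thread or the Ars article. Every rate below is a
constructed assumption, not a measurement.
"""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Constructed symbol set; as the thread notes, sites differ in which they accept.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
FULL = LOWER + UPPER + DIGITS + SYMBOLS

# Assumed offline rate for a fast, unsalted hash on commodity GPUs (assumption).
# A slow password hash (bcrypt, scrypt, PBKDF2) lowers this by orders of magnitude.
ASSUMED_OFFLINE_RATE = 1e10
SECONDS_PER_YEAR = 31_557_600


def generate(length: int, alphabet: str = FULL) -> str:
    """Uniformly random password from `alphabet`, as a password manager produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password actually uses.

    For a uniformly random password this is its real strength; for a
    human-chosen one it is only an upper bound, because dictionary and
    pattern attacks never search the full space.
    """
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def guess_space(size: int, length: int) -> int:
    """Number of candidates an exhaustive search must consider."""
    return size ** length


def entropy_bits(size: int, length: int) -> float:
    """log2 of the guess space, the usual way to compare password strength."""
    return length * math.log2(size)


def expected_offline_seconds(space: int, guesses_per_second: float) -> float:
    """Offline attack on a leaked hash: on average the secret is hit halfway through."""
    return space / 2 / guesses_per_second


def online_success_probability(space: int, attempts: int) -> float:
    """Online attack against a lockout: chance `attempts` random guesses succeed."""
    return min(1.0, attempts / space)


def summarize(password: str, guesses_per_second: float, lockout_attempts: int) -> dict:
    """Compare the offline (leaked hash) and online (lockout) attack models."""
    size = alphabet_size(password)
    space = guess_space(size, len(password))
    return {
        "alphabet": size,
        "bits": round(entropy_bits(size, len(password)), 1),
        "offline_years": expected_offline_seconds(space, guesses_per_second) / SECONDS_PER_YEAR,
        "online_p": online_success_probability(space, lockout_attempts),
    }


if __name__ == "__main__":
    # Constructed samples: a manager-generated password, an 8-character
    # lowercase/digit password (the bank limit MiNdErAsR mentions), and a 6-digit PIN.
    for label, pw in [("manager, 20 chars", generate(20)),
                      ("8 chars, a-z0-9", "abcd1234"),
                      ("6-digit PIN", "123456")]:
        s = summarize(pw, ASSUMED_OFFLINE_RATE, lockout_attempts=3)
        print(f"{label:18s} alphabet={s['alphabet']:3d} bits={s['bits']:6.1f} "
              f"offline={s['offline_years']:.3g} years  online(3 tries)={s['online_p']:.3g}")
```

The two models pull apart exactly as the thread argues: the 6-digit PIN is hopeless against an offline attack on a leaked hash, yet against a 3-attempt lockout a random guess succeeds only 3 times in a million, so the bank's real exposure is the hash store, not the login form.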
Link Logger
to jaykaykay
said by jaykaykay:
> If, at some point, we meet running naked, stop and we'll chat.

Looking forward to it
TheWiseGuy (Dog And Butterfly) MVM join:2002-07-04 East Stroudsburg, PA
to TheMG
said by TheMG:
> But what if you have to use a computer or device that does not have the password manager installed, what then?

From a security standpoint the odds that I would ever use a password on a computer that does not have a password manager installed should approach zero. If I have not installed a password manager I probably do not control the computer and should not be using a password on it, since that would risk compromising the password/account.
antdude (Matrix Ant) Premium Member join:2001-03-25 US
to Link Logger
said by Link Logger:
> said by jaykaykay:
> > If, at some point, we meet running naked, stop and we'll chat.
> Looking forward to it

Woohoo! Let us know when and where! :P
ashrc4 Premium Member join:2009-02-06 australia
2013-Jul-14 1:45 am
said by ashrc4:
> "Hacked" 1600 hashes. You mean "Converted"? So are they saying you should use a Bitcoin key as a password and the company stores the other?

Ok, Lavabit knew what I was getting at;
quote:
> The secure mail storage process uses asymmetric encryption to ensure the privacy of messages while being stored on the Lavabit servers. Asymmetric encryption is a process that uses public key and private key encryption to make messages unreadable without knowing a user's plaintext password. Presently we use Elliptical Curve Cryptography (ECC) with 512 bits of security to encrypt messages. The private, or decryption, key is then encrypted with a user's password using the Advanced Encryption Standard (AES) and 256 bits of security. The result is that once a message is stored on our servers in this fashion, it can't be recovered without knowing a user's password. This provides a priceless level of security, particularly for customers that use e-mail to exchange sensitive information. You can learn more about our asymmetric encryption technology by reading our white paper on the subject.

» lavabit.com/features.html
sourced from article » www.dailykos.com/story/2 ··· gestions
Dustyn Premium Member join:2003-02-26 Ontario, CAN
to Link Logger
said by Link Logger:
> I certainly can't remember those passwords either, but that is why I use a password manager as then really all I have to remember is one password and I get the benefit of having unique, funky, long, pattern independent, etc passwords everywhere.
> Blake

+2