Slashdot Mirror
The Case For Lousy Passwords
itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."
Anytime I visit a site that wants a signup, I use a garbage email account, with the same username and weak password. If someone hacks my identity, it's not even "me".
It's not as if the right to post or read is such a valuable commodity that can't be replicated next time you visit the site.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
hard passwords just lead to post it's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.
Today computers offer keychains like Gnome Keyring and KWallet for Linux, and often offer a password-generating tools, browsers also remember the passwords. Creating a complex 30 character password and keeping in the browser takes 4 clicks, creating a complex password and keeping it in the keyring and browser takes 8-9 clicks, creating a stupid password that anyone can crack takes thinking, 6-7 keystrokes and then having to remember it. Laziness is no excuse when you're encouraged to be even more lazy with the complex ones.
one time i worked at a place where every 6 months they would randomly change your password to a random 8 letter string of letters, numbers and a special character. and your username was some cryptic combination of initials, numbers and department. needless to say most people would keep a copy under the keyboard. meanwhile the admins thought they were james bond with their cool security
Am I the only one who found that post unintelligible?
Anyway - I use a very simple passwords, since I don't really care about this account. However, I'm the real Anonymous Coward - most of the others are just fakes who got into my account. As I said, I don't really care, pretty much anyone can get into this account.
Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?
The coding horrors article claims that that given password was "cracked" in 160 seconds with a cracker kit but it fails to claim that it is a brute force attack where the attacker has physical access to the system (the cracker software is a bootable DVD, for fuck's sake). Meanwhile, in the real world, this sort of attack is practically impossible to pull off from any site which has any semblance of security. I mean, you only need to place a delay of a fraction of a second between login attempts to drive the time needed to "crack" the login/password combo to months, if not years. Adding to that the fact that it has become pretty much standard for sites to simply block any login attempt after N failed attempts then this reference to this so called cracking software goes from irrelevant to pathetic.
Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
Passwords are a very poorly designed security mechanism, yet no matter how many times this is pointed out, people still seem to think that the solution is to educate users about password security. Human brains just do not generate or remember random strings very well, and it is ludicrous to expect users to do so. Of course, passwords will always be around because password based systems are convenient.
Palm trees and 8
Agree here. Also try using that slider bar thing with a touchscreen. No hidden posts for you.
the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker
I've noticed that some websites will lock you out for 5, 10 or 15 minutes if you get the password wrong too many times in a row. That might slightly deter the hacker.
Although they might simply start hacking other accounts and simply cycle through them...
Summation 2
Wow I guess "mEginf0xnude0" wouldn't last very long?
12345 has always worked for me, on every site I've used. Some sites require a 6, and some even 7 and 8. I've never been hacked once!
I'd also like to add that I'm a giant douche and a poopy-head!
The gawker staff accounts is a different issue, but forcing you to have an account just to comment caused lot of this problem.
I used one of these accounts once to post a comment and don't even remember the password. It's probably a crap password but because I don't remember it I needed to change everything else. Thanks Gawker
This was one of the best password articles I've seen.
I think the worst advice I've seen is when people recommend using some algorithm to make long painful "good" passwords that are variations of each other.
Someone who uses:
mysecr1tword4gawker.com
for fun and
mysecr1tword4mybank.com
for their bank isn't that much safer than if they had just used the same password for both.
Much better to use throwaway ones for sites like gawker; and truly random ones for banking.
IMHO OpenID is the best idea. You only need to put your trust in 1 identity provider - where it's worth the effort to set up a good password and 2-factor auth (easy to do for $0 at myopenid.com, and for a few bucks at Verisign's openid provider); rather than needing to trust every site you come across.
To quote the referenced article,
"Why is Ophcrack so fast? Because it uses Rainbow Tables. ....If you've salted your password hashes, an attacker can't use a rainbow table attack against you-"
In other words, any service with 1/10 of a brain will salt their passwords and be immune. They are also only vulnerable if they let their system get hacked and database stolen.
In other words its the same classic trade off as ever: you have to trust the person who runs the service to know what they are doing with your password. But if they do know what they are doing, then you shouldn't have to worry.
Punctuation would have been useful
hard passwords just lead to post it's. Even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.
If "Fgpyyih804423" had at least one non-alpha-numeric character in it, it would have survived at least the free download ophcrack.
I am not your blowing wind, I am the lightning.
In a word - Lastpass. 'Nuff said.
Go to http://slashdot.org/my/comments, turn off D2, Save, then Restore Defaults, re-customize the options on that page, Save, and then re-enable D2 and Save again. Might help.
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
Presuming it was working the way you wanted before, log out, delete all your SlashDot cookies, then log back in. I have to do that every couple of months since the CSS makeover. Last time I was horrified to see Facebook "like" icons! *shudder*
Man, thanks for that. I was like wtf cannot parse. Too much time thinking literally here in programming-ville.
Tiger Blooded Bi-Winning Machine
I’ve adblocked Facebook’s content on non-Facebook sites.
And you might also try what I suggested to metrix007 in my other comment, next time /. breaks, if it’s a recurring problem for you. I had something screwy with my account that your method didn’t fix, and none of the controls in the D2 system would fix (that /my/comments page isn’t accessible from within D2).
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
The summary makes the incredibly naive and misleading mistake of conflating online trial-and-error attacks with offline hash attacks.
Against a system you do not control, the system has total power over how frequently you may try a username/password combination, how informative it is about your success/failure(ie. does it just say "no" does it say "wrong password" does it say "username not recognized"?), as well as being able to, if it wishes, just start ignoring all attempts from your IP/terminal or all attempts against a specific account(subject to the risk of denial of service techniques exploiting this). In this scenario, the difference between a terrible password and an OK password is enormous. The 12345 or 'password' are quite likely to be simple enough to crack by trial and error, even against a remote system. Modestly more complex ones will either be impossible or require days/weeks of low-speed guessing, or careful guessing from multiple hosts.
With an offline hash attack, you have total control over the hashes, and the only limiting factor in how fast you can attack them is your computer(and hash attacks generally parallelize really well). Here, the difference between a terrible password and a merely mediocre one will likely be less than the refresh rate of the attacker's monitor, and the difference between an OK password and a superb one will still be fairly small. Only a password so good that it is basically a nonstandardized type of private key will be of any use. However, offline hash attacks only happen against compromized systems, you can't get the hash table otherwise. They are an excellent argument for not re-using passwords, since systems get cracked all the time; but they are of only limited relevance in discussing the importance of password complexity, or lack thereof, for online attack scenarios...
There's nothing wrong with writing down important passwords, as long as you protect the bit of paper.
For example, if I write down my password for my domain account at work and put the piece of paper in my wallet, the password would be the least of my worries if my wallet went missing.
It's official. Most of you are morons.
Today computers offer keychains like Gnome Keyring and KWallet for Linux, and often offer a password-generating tools, browsers also remember the passwords. Creating a complex 30 character password and keeping in the browser takes 4 clicks, creating a complex password and keeping it in the keyring and browser takes 8-9 clicks, creating a stupid password that anyone can crack takes thinking, 6-7 keystrokes and then having to remember it. Laziness is no excuse when you're encouraged to be even more lazy with the complex ones.
Well, yes. Of course, this means you now have a single-point failure mode for ALL of your accounts now; somebody sneaks into your browser, and your complex passwords are all useless.
And it doesn't help, because when the sites you have to log into vary their URL and you have to log in to their site and your browser doesn't know which password to use, you're toast.
Your browser burps, and you're toast.
Your keychain freezes, and you're toast.
You're accessing from some other system, and you're locked out of everything.
Doesn't help against phishing, either.
http://www.geoffreylandis.com
The problem is rainbow tables quickly get too large to be of practical use, and take too long to generate. This fast cracking is again people banging on about old LM passwords. The old 3com/MS LanMan OS used a really weak hashing system. Passwords were limited to 14 characters in length, and were case insensitive. Further, they were stored as 2 7 character hashes. Windows versions prior to Vista stored these LM hashes by default unless you changed the security settings or used a password longer than 14 characters. Ok well generating a rainbow table for that is pretty easy, and you can go and download them online. An alphanumeric table is only like 2GB and it covers the entire possible PW size from 1-14.
Ya well you don't get so luck with newer hashes. If you use MD5, which many OSes do (that is also what NTLMv2 is based on) a table that can do only lowercase alpha and space passwords from length 1-9 is 52GB. That means if the password is over 9 characters, or has a capital letter or a number or a special character it is fucked.
People love to bang on about how cool Rainbow tables are at cracking even complex passwords, and they are always going it against LM hashes it seems. Reason is it is easy. Fine but that doesn't matter. Want to try yourself? Ok fire up your favourite rainbow table program and have a go at this: f01889f696f2b20192b8ba7522481a98. I'll even give you the parameters: It is an MD5 hash, no salt, the password is an English phrase, any human can read it no problem. It is more than 20 but less than 30 characters in length.
Try any table you like, I've never seen the one that can handle it, and it is a simple password, relatively speaking. It isn't some randomly generated garbage, it is meant to be human readable.
All rainbow tables have really done is made cracking short, simple passwords fast. Fine, but that isn't really all that intensive anyhow. You can crack LM passwords in less than 24 hours on modern hardware, no tables. They are cool, but they don't really change anything. They don't allow for this "We have a table that cracks any hash no matter how long," kind of thing. Not only would such a table take a stupid amount of disk space, but it would take far too long to generate it. Even if you said "Sure we can spare 100EB of storage for a massive table!" what you can't spend is the thousand years it'd take to make it.
If you keep your password in your brain by remembering a random string, you're either a genius or you're doing it wrong.
The brain is bad a remembering random strings, but it's excellent at remembering sequences of movements, like the one necessary to type those random strings. If you wanted to know one of my passwords, I'd have to ask you for a keyboard first.
unfortunately not....
a translation would be.
Where I worked they got u to change your password ever few months or so, oh and forced you to use some odd characters etc...
Problem with these so called 'secure' passwords was that, well, know one could remember them.
so people ended up putting them on post-its, sharing the admin password around or putting a number on the end and incrementing it every time.
Otherwise, well after 3 goes of a password that's so secure even you can't remember it, it's a 2 hour wait and phone call getting your passwords reset and stuff setup again.
thank God the internet isn't a human right.
its the way the password is encrypted. Hashing is not encryption, because you can just brute force it using a dictionary attack and find the hash that matches. A long random string of characters is hard to "crack" if you are repeatedly trying to login with every combonation, but when you have a list of hashes, you can spend as many cycles as you can throw at it in a multiprocessor environment and discover, the password that matches the hash. Hashing is a terrible way to "protect" a password for discovery, especially a hash without a secret salt combined with it. People get confused when things are called "cryptographic hashes" thing they mean encryption when they mean really hard to recover, which with unsalted inputs and simple database comparable inputs they are trivial to recover.
I think the problem was as follows.
the plural of 'post it's is not obvious, often I use quotes for plurals of nouns like that.
but then there's also this problem. the it's fits two ways, I've put two in below.
hard passwords just lead to 'post it's. It's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.
thank God the internet isn't a human right.
I've seen systems set up do you have to change your password every month with a 2-week warning period (I.e. It starts nagging you every 2 weeks), which required a 12 character password with upper-case and lower-case letters, numbers, and non-alphanumeric characters. Plus, it wouldn't let you repeat any of your last 14 passwords.
Along with people keeping the password written down right next to their computers, they came up with passwords like "1234567Aa!01". When that user had to change the password, they'd use "1234567Aa!02". When they hit "1234567Aa!14", they'd start over.
speaking of adblock, (and yes, this is somewhat offtopic, and if someone wants to waste mod points on a nested comment so far down, kudos to you), have you noticed that more ads seem to be getting through on Chrome lately? Is this a "feature" of the browser or is this isolated to me (likely user error or some such)?
Which is extremely weak. Now I'll grant you it could be an issue: If someone gets access to your system and your SAM file and if you are running XP or earlier and if your password is 14 characters or less then there will be an LM hash. Vista or 7? No LM hash by default. Longer password? No LM hash (as LM is limited to 14 characters).
So let's say this password was on 7 instead. Ok so it is 13 characters and uses upper, lower and numeric. Surf over to Ophcrack's site and... no tables that could get it. Their largest Vista stable, 137GB, only does 8 character passwords, so it is too long. they have one that does 12 character passwords, but only numeric. Same deal at Freerainbowtables.com. They've got a 453GB NTLM table that'll do mixed case and numeric but only up to 8 characters.
So with a modern hash, even with no salt, that password is just fine.
Well what if you are running XP? For one you can just turn off LM hashes but suppose you don't want to. Fine, just make a simple phrase. "OrphCrack is 2 stupid 4 this 1." would be a password that none of their tables could handle. It is over 14 characters, so no LM hash gets stored. It is also way too long, even if they doubled the length of their tables (and remember each character is exponentially harder than before, requires exponentially more space and time to make the table) it wouldn't touch it.
This is just people trying to make a scare story where these is no story. Yes rainbow tables can crack passwords in their range really fast provided they have the has file and it isn't salted. Don't use a short password and you are good. Long passwords aren't hard, just make it a phrase of some kind. Given that the best tables are just eeking in at maybe 9 characters, I wouldn't worry about the future if your password is 15+. Be a long ass time before that is a problem.
Most backends will hash the password which means if one DB were stolen, thieves would have to reverse hash my password to stand a chance of guessing the other throwaway passwords. A manual step which might work if someone was targetting me specifically and individually, but my name appears in amongst hundreds of thousands of other names. Besides, working it out lets them have access to some other throwaway accounts, so who cares? At most it puts me out a bit that some spammer starts spamming acai berries or whatever in my name but its not the end of the world.
I appear to have broken slashdot.
Slashdot has been broken for a very, very long time.
Give me Classic Slashdot or give me death!
I think a lot of the confusion would be eliminated if you called them Post-Its. Just my 2 cents...
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
I get a lot of practice as a developer. Finding missing semi-colons, quotation marks and brackets in code is practically my specialty.
The whole point is you have no idea or guarantee the website will keep your data secure. They could plaintext your password along with all your information in a readable directory of the web root. Yes, that still happens, a lot. If it can be rainbowtabled in mere seconds on one OS, it can be eyeballed in even less on your precious apache on linux. Old MySQL passwords are abundant as well, same story as the windows rainbow tables used as an example here.
I was promised a flying car. Where is my flying car?
I recently started using keypass. It has an autofill function for any site you visit. This makes it so I no longer even need to know what my passwords are. It will even produce random passwords for you. It's open source and cross platform. All my passwords are in an encrypted file in my dropbox folder for syncing across my devices, and I carry the key in a thumb drive on my key chain. I also have an keypass app on my android phone in case i need a password and am not on one of my usual devices.
...but he didn't post his password in it.
So much for not caring about "disposable" accounts.
I used to keep a GPG-encrypted file in my home directory containing all my passwords. Then I discovered 1Password through MacHeist, and have never looked back. It lets me generate totally random passwords for everything, fills out tedious signup forms for me in a single keypress, and fills password forms for me in just one more keypress. It also lets me keep "authenticated bookmarks", which are bookmarks to sites that automatically fill out my username/password and log in when I visit them (after entering my master password, of course).
It's also virtually immune to phishing attacks. If the URL doesn't match, it won't fill in the password. This protects you even against scarily good phishing attempts.
On top of that, I don't have to worry about being "locked out" of my passwords or losing them in a fire, because 1) it's sync'd to my iPhone (and other machines) via Dropbox, and 2) the keychain file it emits includes a standards-compliant HTML page that contains all my encrypted passwords, which it uses JavaScript to unencrypt when given my master key.
No comment.
FTR "Fgpyyih804423" is not a very strong password seeing as how it has repeating letters and numbers plus the numbers are all tailing. Why not fY6jKL23a5B2 or something that jumbles up letters and numbers and includes mixed cases. Not that it matter for most things anyways, the only passwords I care about anyways are online banking and private torrent sites - cant have someone running my ratio or my checking account through the ringer hehe.
I can't believe we are arguing about passwords on /.
Sure, there are better methods to be certain "you" are "you." Those other methods are much more complex and prone to end-user issues than passwords. Passwords are the best answer for 99% of the world. OpenID could be a good answer, but only if you run your own OpenID authentication service. I can't believe all the folks using gmail or GOD FORBID BaceFook for OpenID authentication. Why would you want to give any company even more data about your habits they they already have?
For the /. crowd - why aren't you using a password manager? Seriously? Why not? Once you start, then all your passwords can be as secure as your bank password should be. Actually, your bank probably has the oldest systems and prevent you from entering a 50+ character + symbols + nunmbers password. Why is there a difference in the strength of your passwords - you aren't going to type these in ever. The password manager will randomly create a password of almost any length - 6 characters or 55 characters - IT DOES NOT MATTER TO ME. I WILL NEVER TYPE THEM ANYWAY. So I go with the 55 character passwords and with as much non-printable characters as the input field will allow. There is no chance that I'll even attempt to login to Gawker without the password manager. That's a good thing.
As to the security blunders for each system or website that demands a login - there is not anything I can do about that. My 44 character, random mix of numbers, letters, symbols, etc didn't prevent my email from being released by Gawker. However, that email address was spam@domain.com - so it really was throw away for me. I'm using "spam1@domain.com" now. ;) That was a tough change.
For me, the simplicity of NOT REMEMBERING stupid passwords and using KeePassX to do it means
- every password is different, randomly generated
- Some are shorter because the stupid systems only allow so many characters
- Some are only alpha-numeric because the stupid systems only allow certain characters
- To me, I make the decision about the password length and random alphabet once and the password manager deals with it going forward.
Oh, I use different email addresses (email aliases) for almost every website - none are my real email. Heck, my family is too stupid to be trusted with my real email address - they only get an alias.
I control what I can, but don't worry too much about it.
BTW, everyone should block google-analytics.com from running scripts too. I block that domain at the router.
Hmm, didn't work :( At the moment for exampke it shows 8 comments abbreviated, and 132 more. I don't want to have to click more each time to get comments and then drag the sliders each time to abbreviate them.
If you ignore ACs because they are anonymous - you're an idiot.
Why Windows? Because there are a lot of Windows Servers in the world, and it might be hypothetically possible for an attacker to get a copy of the Windows User Account database for a server. If you use 'backwards compatibility' settings for Windows, it generates hashes the same way that Windows 95, 98, etc did, which had some serious weaknesses which make it particularly easy to use Rainbow Tables (according to the linked article, a 14 character password was stored as two separate 7 character hashes, effectively reducing password strength to finding 2 7-character passwords, which a rainbow table can easily and quickly do).
What you say is true if the attacker is attacking your server directly. The Gawker Media situation is one where, through some means or other, crackers managed to secure the password database file with the account names and password hashes for EVERY Gawker user account.
Once they have a copy of the file, they can then proceed to do an OFFLINE Rainbow Tables attack against all the user accounts, and find the password for every username with a sufficiently weak password. With an offline attack, there's no way you can prevent them from trying something like this attack. Any system could be to some level vulnerable to an offline attack if the attacker gets a copy of the account data - even Linux or Apache.
I keep them all listed on my online dating profile. Nobody will ever look there!
- RG>
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
Seriously, we have a great system for authentication via SSH. Public/Private keys work well. You have one password to remember and no one else gets it--even if they are hacked.
gpgAuth
There's no place like
The best value of the OpenID approach isn't even that you only need to trust one provider - it's that if you use one password for everything, it means you can change one password once and you have a new password on every site. I got a notification from Ars Technica about 6 months ago that there password database had been exposed, and recommending that if you re-used the password on multiple sites, you should change that password everywhere it's used. So, if you have one 'weak' password for 'unimportant' sites, as this Slashdot article suggests, and you also re-use that password you now have to remember to go change that password at every site you've used it - but you might forget to change it right away at a site you only occasionally use.
Of course, the flip side is, if your password is somehow compromized with OpenID and you *don't* know that, and thus don't change the password (because you think it's still safe), an attacker has access to everything. Which is why I'd never use OpenID for something like a bank site, online auction/retailer, etc.
Using OpenID for the types of sites where you might use a 'weak' password because they aren't "that important", and using a moderately strong password makes more sense than using weak passwords on lots of different sites. It's just too bad that more sites don't offer OpenID login.
Of course, any decent auth system will lock the account after a few failed attempts and/or limit the time between attempts and use password shadowing to make sure that one cannot get the file with the hashes in it and attempt a local attack. When the website will email you your password if you forget it, the intention was never to be extermely secure anyway, but merely to provide a reasonable assurance that any and every Tom, Dick, and Harry won't get it. They already expect that Bob and Eve can pull it off.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
well Post-It(TM)s
the plural problem arises more often than a hyphen can fix.
thank God the internet isn't a human right.
It seems I had an account on Gawker / LifeHacker / etc. The problem being, when I login now, I can't use my usual passwords. I want to know what password it is, so I can take that into account.
Does anyone know how I could brute force that?
I haven't jumped into their code or anything, and aren't sure what algorithm they're using. But is there an easy way people have figured out to brute force their passwords? I usually set pretty non-trivial passwords, but since I know what I'm likely to have set, I can restrict the character set, and length, and hopefully crack it quickly.
Any ideas is are much appreciated.
Especially ideas which aren't "grab their function and edit it for your password only then write something which calls it for every possible iteration".
This is my footer. There are many like it, but this one is mine.
It's a simple name plus one number password that I've distributed far and wide to colleagues and vendors and occasionally people in the salesforce and we've had zero security issues around it. Of course, I'll be leaving the company shortly ...
Office-place server admins should remember, if passwords are required to be more complex than the user is likely to remember or require changes too often then users will write their passwords down. Often this is done on a sticky note placed on their monitor where just anyone can walk by and read it. Remember admins, be reasonable. Insisting on absolute security will result in no security at all because the users will work around it.
Correct punctuation would have been even more useful:
[sic]
Sentences are capitalised.
Proper names are generally capitalised, but registered trademarks such as Post-it® may be specified otherwise by their holders.
Plurals do not take apostrophes. Consider the sentence "The girl's like spaghetti" and appreciate the quite different meaning inferred if you confuse the usage. ( Hat-tip)
Having spent a few years working for a company that dealt with files from Asia on a daily basis, it strikes me as odd that more sites don't allow unicode characters. Adding a single Chinese or Arabic character to the password is enough to force most cracking utilities *even when you have the machine in your hands* to have to resort to brute-force measures that can take days. What's awful, though, is how sites restrict you to A-Z and 0-9 98% of the time, which defeats the entire reason for a password. I suspect that they want to be able to maybe crack it themselves in case they feel the need to do so. Because 10 characters max, with a simple 36 character ASCII limit is going to be cracked exactly as it was in the example.
It's the old obscure OS trick. If you are using an operating system that the hackers commands mean nothing to, you are secure. I know of a few people who run email servers(as an example) that use very obscure and old operating systems that no botnet or hacker is designed or has the knowledge any more to deal with. One friend a few years ago was using an old A/UX Macintosh as a router, precisely because the ability to remotely hack the code was essentially zero.(while there were easy ways ten years ago, everyone has forgotten them by now) If you can find a book on how to program some of these obscure OSs, good luck to you. If you want to really go crazy, run OpenVMS on your mail server. And watch anyone who gets into the system have a fit trying to take over. (I suppose there are some people who can, but criminals are lazy and I suspect less than 1% of people here on slashdot even have used OpenVMS in their lifetime)
While that's not usually workable, though, for modern computers, it IS easy to do with Unicode, since the latest version covers 109.000 characters. Figuring out what characters you used would probably take a cracker just to figure out a simple 2 character combination. It's just not something that the botnets are (currently) equipped to deal with.(though I suspect that they do check for simplified Chinese and Japanese and similar characters - the trick would be to pick something obscure like Sandscrit or another ancient language.
SEE TITLE; & note => fixed that for you (as they say!) LOL. Too easy, apk, all too easy...
There was some guy on this forum a long time ago that made a good point too. He said when your company requires you to make a password include certain special characters or numbers, they make things easier on the person trying to steal the password. Because now she knows to not even try all of the password combinations that don't fit the rules for making a password. She knows not to try any password that doesn't contain uppercase and lowercase letters, numbers, special characters and whatnot. So you give her a smaller list of passwords to try in a brute force attack. Combine that with the post-it note problem and you have a good argument for using, easy-to-remember passwords in the first place.
I just spent ten weeks working in the Oregon State Unemployment Office helping people navigate the information-collecting computer system that everyone must use in order to get unemployment checks. Since the local economy is dissolving like a sugar cube in a cup of hot tea, this is applying to just about everybody here.
The morons who run the department thought that it would be a good idea to force everyone to fill out a very long ten+-page summary of their work history, skills level, and personal financial situation. Then it would try to match potential jobs to potential employees. This might work in Sweden or Singapore, but it sure messes up big time here.
Roughly 20 percent of the people have NEVER used a computer before. They don't know a mouse from a house. They wouldn't know a password from a hole in the ground. This system not only required elaborate passwords, but required changing the password if user (a contradictory term since it refers to all the people who have never used PCs before) to change their password if they forgot their previous one or their user name. Since the state assigns user names to begin with, this applied to just about everyone except people who work in IT and are used to all this kind of horseshit.
I've come away from this experience realizing that programmers ALWAYS write their user interface for people who are just one step below them in the IT industry skills-level hierarchy. They do this unconsciously because they never deal with people who don't ever use PCs. When dealing with the general public and there is a question of making a user interface easy-to-use or 'safe' at Defense_Department_Atom_Bomb_Launch_Codes, for F*ucks sake, go with easy-to-use. Rely on a separate level of human-confirmation for general security.
ALWAYS let people chose their own password and user-name!!! Don't tell them that it has to be n characters with x letters and digits. This will always fail. And when it fails, you fail to do your job well. Spare me the horseshit about security. Passwords are just a 1960s exercise in 'security through obscurantism', which doesn't work now because there are programs that can blast through millions of potential passwords quickly, and because people will always always ALWAYS forget any password that you force them to use and might might MIGHT remember a password that they have chosen for themselves. If Joe Blow wants 'joe' to be his username and 'blow' to be his password, then that's what he wants. He doesn't want you to tell him that he can't do this. So don't do it.
Don't use case-sensitivity for anything, anytime. You're dealing with people who don't understand the concept. You aren't going to get the concept through to them anyway. Do yourself a favor: do the world a favor: don't use case-sensitivity for anything ever. (Ever see Japanese characters differentiated between upper and lower case? Wanna try to explain the concept the concept of case-sensitivity to someone who looks at a keyboard and sees Western language letters already in capitals and they only read Chinese, Thai, or Russian?) It deserves repeating: Do yourself a favor: do the world a favor: don't use case-sensitivity for anything ever!
Get over your PC security hangup! Most websites don't NEED any user accounts passwords, etc... It just doesn't f*ucking matter! Most commercial websites are just trying to use registration for spamming and advert hussling anyway because some 95 IQ shit-for-brains Marketing-major web designer was told by his 95 IQ shit-for-brains Marketing-class college instructor that this was a good idea for 21st-century business.
Trust me: it's not. Don't do it. Expand your mind. Trust your intuition. Stay out of shopping malls and don't watch television advertisements. May the force be with you because the farce is on top of your ass always.
There are worse things than passwords. Those are the "verification questions" that are now popping up everywhere. They start with the
"What is the color of your first car?"
"What is your mother's maiden name?"
"How long is your penis?"
Seriously. These questions deal with facts. Any person can find the *real* answers to most people's "verification questions", if they wanted to. So what is the answer and for verification questions to be "useful"? Yes, make up nonsensical answers to the questions.
"What is the color of your first car?"
A: "I like green pizza with slime5!"
then of course each important site needs it's own combination, so you have to write down your verification questions and answers. But then this is the only way you can have security. You can't have remote security through facts about yourself.
Maybe if it had some special characters and no repeating passwords, it would have been harder to crack.
This is what public-key cryptography is for. Someone insists on a password?
makepasswd --minchars 8 --maxchars 64
If that doesn't work, replace maxchars with whatever's relevant for the site. That's already fairly secure, but if a site insists you use non-alphanumeric characters,
makepasswd --minchars 8 --maxchars 64 --string 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789!@#$%^&*(){}?+[]/=;,.:'
And that's assuming they don't allow Unicode. Most websites will let my browser save the password, and a few others, I can copy it from a text file. On the very rare occasions a website insists I type the password every time, and I'm too lazy to work around it, I do this:
gpw
Then, just add some numbers that mean something to me, though after a week or so, I'll have memorized them -- so the next time I need one, there'll be other relevant numbers.
At this point, I never sign up for a new service with the same password I use anywhere else. I don't want to make it easy for someone else to crack my Slashdot account, for instance, but that's no reason to trust Slashdot with my PayPal password, or vice versa. TFA is moronic -- it's not about "lousy" passwords, it's about limiting the scope of passwords, and this isn't new. This time, the site in question didn't use salt. What if they'd actually been malicious?
Don't thank God, thank a doctor!
So first all these cracks apply only when you have the has, none of this is remote in any way, shape or form. Second just start using easier to remember passwords. Take a phrase, make sure it has some capitalization, some numbers, and some punctuation. There you go. You can have a long password that is easy to remember no problem.
I agree two factor security is useful, but guess what? For random websites it'll never be feasible. I don't have to have 200 key fobs or cards for all different sites. For banks and the like, well some of them already offer it. My bank (Bank of America) does. They call it SafePass and you get a little credit card object that is a key generator.
However that kind of thing is only really for high security stuff. You don't want to have a million keys and if there is one key that everything uses that is a security risk in and of itself.
I have been instructing users to use passphrases, instead of passwords. Something like:
"I have 3 children, and 2 of them are boys."
That is actually a lot harder to crack than d5*wnkf8Vis324
So...you just corrected his punctuation by using an apostrophe to form a plural? I award you 10,000 irony points.
I call them "sticky notes".
Care to state that in English?
Hello,
If most sites were using bcrypt with a decent work factor or another similar algorithm you would probably never crack more than a tiny, tiny fraction of a password database. We know how to prevent this. It is best summarized in PBKDF type algorithms, bcrypt and others. Use it. This stuff works.
I use phone numbers from the past. Old home numbers for forums, old work numbers for news sites, old GFs numbers for porn sites, and I use a hotmail email to sign up for everything that I do not want my real name used for.
In the wake of the Gawker exploit, we're seeing lots of news articles in major papers consulting "security experts" and the reporter then quoting or suggesting using more than 8 character passwords.
Of course, none of them mention that Gawker threw away any characters beyond 8, so that (for example) 12345678 was just as secure as 12345678%#^*(&^&(**, and entering 12345678 would allow both accounts access. I find it
hard to believe that others sites don't do similar things, and of course they're not going to tell you that (it's a security exploit clue) so there's a good chance that your attempt and effort is wasted anyway.
Don't get me started on sites that have so-called "security questions" which are a non-editable list of crap that anyone with a phone book or knows how to use Google can discover. My bank recently added a bank of 5 non-editable questions (although, they do give you a list of 10 stupid questions to select from) but my reasonably secure answers always failed a login ... creating and using the questions became mandatory one day, and I was locked out of my account in the meantime, with bill due dates looming.
Turns out that they limited the characters for all answers in total to less than 60; apparently they wanted short, one-word answers, and called it "good". It took two days and phone calls to both my bank and from them to their outsourced IT guys to figure out that little problem, but a few hours before they called me I had managed to figure that out myself in about an hour (it took about 5 minutes each attempt to login, wade, select and answer, record the answers, test, logout, count characters, login ... ). Even though they called later and told me 60 I had actually determined the limit to be 63, or 1 less than an average of 16 characters per answer.
Now, in contrast to your bank, low-value sites that require you to log in to comment, and where all you do is casually comment, don't deserve your time and effort to create and use good passwords, probably. Perhaps better advice is to create a throwaway eMail address in Gmail or some other free public eMail service, and have your mail program simply automatically delete every eMail from that address upon arrival in your inbox, eliminating the spam issue completely (for you). Use that eMail, and a correspondingly useless username and password, and don't worry about it. If you find later that you are going to actually use that site (ie by making a submission rather than just a comment) then reset or create anew with more secure credentials.
This is really a natural progression of the web itself; at one time you logged into sites that actually mattered, now every little crap site on the planet wants a login. If you follow that approach, you need to divide the expanse into what matters and what doesn't, keeping in mind that if you put one site into the "doesn't matter" category, then every site in that category can result in them all being compromised ... so be sure that it's appropriate and you don't use throwaway credentials in a site that matters; in particular any social networking site should have it's own unique credentials, since "Sharing" is their middle names.
Taken in this light, it's also a corollary to the (not unreasonable) revelation that a lot of the usernames and passwords were low-value security-wise on Gawker. I mean, I understand that crap passwords are an irritant to IT Pros, but we all only have so much time. Maybe some of those users actually have the password thing right and do have good security in mind; just not for a site like a Gawker Media site. Of course, it appears the principals and staff of Gawker aren't in that category, since their credentials themselves should have been good practice examples.
I realize that IT pros who actually know what they're doing might cringe at the idea of deliberately creating insecure passwords, but we all have lives to lead and time to allocate, and as the Gawker Media incident shows, not e
My objective was to point out the sentence made more sense if you broke it up. The original post contained the 's, since I was quoting it the 's stuck. There are plenty of others more willing then me to point out the additional issue.
I have a post-it note labled "passwords" with about a dozen random 12 character strings stuck to my monitor at work. None of them are actual passwords that are used anywhere.
It's surprising how often I find my network login has been locked out.
...no special characters, repeated characters, all letters before numbers...
I started using a different password for every site and tracking them in a spreadsheet. It's grown too unwieldy for decent use, and it's surprising to see the number of things that I've signed up for.
No, I will not work for your startup
They also make working with that information awkward. I do a bit of genealogy as a hobby. Have the family tree done up as a nice web page. Mother's maiden name is all over it of course. But, so far, even though all the info in there is public, I have not put that page on the Internet. All because of security questions.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
About ten years, now.
The best one was a client (anonymous) that migrated to one of our platforms, and we found out that the support staff had been setting everyone's password to 'password' and telling them to change it.. ummmm.. I don't think *anyone* changed it, all the accounts seem compromised.
haha
Move to OpenID. You can deploy even your own OpenID provider!.