Slashdot Mirror
The Case For Lousy Passwords
itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."
Anytime I visit a site that wants a signup, I use a garbage email account, with the same username and weak password. If someone hacks my identity, it's not even "me".
It's not as if the right to post or read is such a valuable commodity that can't be replicated next time you visit the site.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
hard passwords just lead to post it's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.
one time i worked at a place where every 6 months they would randomly change your password to a random 8 letter string of letters, numbers and a special character. and your username was some cryptic combination of initials, numbers and department. needless to say most people would keep a copy under the keyboard. meanwhile the admins thought they were james bond with their cool security
Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?
The coding horrors article claims that that given password was "cracked" in 160 seconds with a cracker kit but it fails to claim that it is a brute force attack where the attacker has physical access to the system (the cracker software is a bootable DVD, for fuck's sake). Meanwhile, in the real world, this sort of attack is practically impossible to pull off from any site which has any semblance of security. I mean, you only need to place a delay of a fraction of a second between login attempts to drive the time needed to "crack" the login/password combo to months, if not years. Adding to that the fact that it has become pretty much standard for sites to simply block any login attempt after N failed attempts then this reference to this so called cracking software goes from irrelevant to pathetic.
Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
Passwords are a very poorly designed security mechanism, yet no matter how many times this is pointed out, people still seem to think that the solution is to educate users about password security. Human brains just do not generate or remember random strings very well, and it is ludicrous to expect users to do so. Of course, passwords will always be around because password based systems are convenient.
Palm trees and 8
Agree here. Also try using that slider bar thing with a touchscreen. No hidden posts for you.
And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?
As you can probably guess, I use the same, simple password for every single web forum. I use complex passwords only for stuff that matters: my computers, my banking site, my PayPal account (until I canceled it), etc.
What really pisses me off, by the way, is when sites want to restrict my choice of password. The most stupid example is my bank, that doesn't allow (most?) non-alphanumeric characters in a password. Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.
the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker
I've noticed that some websites will lock you out for 5, 10 or 15 minutes if you get the password wrong too many times in a row. That might slightly deter the hacker.
Although they might simply start hacking other accounts and simply cycle through them...
Summation 2
12345 has always worked for me, on every site I've used. Some sites require a 6, and some even 7 and 8. I've never been hacked once!
I'd also like to add that I'm a giant douche and a poopy-head!
The gawker staff accounts is a different issue, but forcing you to have an account just to comment caused lot of this problem.
I used one of these accounts once to post a comment and don't even remember the password. It's probably a crap password but because I don't remember it I needed to change everything else. Thanks Gawker
This was one of the best password articles I've seen.
I think the worst advice I've seen is when people recommend using some algorithm to make long painful "good" passwords that are variations of each other.
Someone who uses:
mysecr1tword4gawker.com
for fun and
mysecr1tword4mybank.com
for their bank isn't that much safer than if they had just used the same password for both.
Much better to use throwaway ones for sites like gawker; and truly random ones for banking.
IMHO OpenID is the best idea. You only need to put your trust in 1 identity provider - where it's worth the effort to set up a good password and 2-factor auth (easy to do for $0 at myopenid.com, and for a few bucks at Verisign's openid provider); rather than needing to trust every site you come across.
To quote the referenced article,
"Why is Ophcrack so fast? Because it uses Rainbow Tables. ....If you've salted your password hashes, an attacker can't use a rainbow table attack against you-"
In other words, any service with 1/10 of a brain will salt their passwords and be immune. They are also only vulnerable if they let their system get hacked and database stolen.
In other words its the same classic trade off as ever: you have to trust the person who runs the service to know what they are doing with your password. But if they do know what they are doing, then you shouldn't have to worry.
Punctuation would have been useful
hard passwords just lead to post it's. Even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.
If "Fgpyyih804423" had at least one non-alpha-numeric character in it, it would have survived at least the free download ophcrack.
I am not your blowing wind, I am the lightning.
Yeah, I just registered an online banking account and their password requirements were 8-12 characters, no special characters.
WTF people?
But then they use security questions as a second line of defense, which is just another password, and a much longer and therefore stronger one at that (if it’s done properly – which most people don’t do, of course). Now, hopefully they’d require someone logging in from an unrecognized IP address to pass a security question...
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
In a word - Lastpass. 'Nuff said.
Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.
When I worked for a major university a few short years ago, they contracted our paperless pay statements and W2s to Talx -- who only allowed numbers in the "password". Super frustrating, and of course no one in HR understood why I had a problem with this. They may have gotten smarter since then, but doubtful.
There is very little future in being right when your boss is wrong.
Go to http://slashdot.org/my/comments, turn off D2, Save, then Restore Defaults, re-customize the options on that page, Save, and then re-enable D2 and Save again. Might help.
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
Presuming it was working the way you wanted before, log out, delete all your SlashDot cookies, then log back in. I have to do that every couple of months since the CSS makeover. Last time I was horrified to see Facebook "like" icons! *shudder*
My bank allows for weakish passwords, but then they use SMS verification for any operation that involves transferring money.
Dilbert RSS feed
I’ve adblocked Facebook’s content on non-Facebook sites.
And you might also try what I suggested to metrix007 in my other comment, next time /. breaks, if it’s a recurring problem for you. I had something screwy with my account that your method didn’t fix, and none of the controls in the D2 system would fix (that /my/comments page isn’t accessible from within D2).
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
Their web app probably dumps your password into an ascii file that's uploaded to a mainframe which cannot handle anything else because of incompatible character sets..
Learn about pinball machines on www.flippers.be
The summary makes the incredibly naive and misleading mistake of conflating online trial-and-error attacks with offline hash attacks.
Against a system you do not control, the system has total power over how frequently you may try a username/password combination, how informative it is about your success/failure(ie. does it just say "no" does it say "wrong password" does it say "username not recognized"?), as well as being able to, if it wishes, just start ignoring all attempts from your IP/terminal or all attempts against a specific account(subject to the risk of denial of service techniques exploiting this). In this scenario, the difference between a terrible password and an OK password is enormous. The 12345 or 'password' are quite likely to be simple enough to crack by trial and error, even against a remote system. Modestly more complex ones will either be impossible or require days/weeks of low-speed guessing, or careful guessing from multiple hosts.
With an offline hash attack, you have total control over the hashes, and the only limiting factor in how fast you can attack them is your computer(and hash attacks generally parallelize really well). Here, the difference between a terrible password and a merely mediocre one will likely be less than the refresh rate of the attacker's monitor, and the difference between an OK password and a superb one will still be fairly small. Only a password so good that it is basically a nonstandardized type of private key will be of any use. However, offline hash attacks only happen against compromized systems, you can't get the hash table otherwise. They are an excellent argument for not re-using passwords, since systems get cracked all the time; but they are of only limited relevance in discussing the importance of password complexity, or lack thereof, for online attack scenarios...
There's nothing wrong with writing down important passwords, as long as you protect the bit of paper.
For example, if I write down my password for my domain account at work and put the piece of paper in my wallet, the password would be the least of my worries if my wallet went missing.
It's official. Most of you are morons.
Today computers offer keychains like Gnome Keyring and KWallet for Linux, and often offer a password-generating tools, browsers also remember the passwords. Creating a complex 30 character password and keeping in the browser takes 4 clicks, creating a complex password and keeping it in the keyring and browser takes 8-9 clicks, creating a stupid password that anyone can crack takes thinking, 6-7 keystrokes and then having to remember it. Laziness is no excuse when you're encouraged to be even more lazy with the complex ones.
Well, yes. Of course, this means you now have a single-point failure mode for ALL of your accounts now; somebody sneaks into your browser, and your complex passwords are all useless.
And it doesn't help, because when the sites you have to log into vary their URL and you have to log in to their site and your browser doesn't know which password to use, you're toast.
Your browser burps, and you're toast.
Your keychain freezes, and you're toast.
You're accessing from some other system, and you're locked out of everything.
Doesn't help against phishing, either.
http://www.geoffreylandis.com
The problem is rainbow tables quickly get too large to be of practical use, and take too long to generate. This fast cracking is again people banging on about old LM passwords. The old 3com/MS LanMan OS used a really weak hashing system. Passwords were limited to 14 characters in length, and were case insensitive. Further, they were stored as 2 7 character hashes. Windows versions prior to Vista stored these LM hashes by default unless you changed the security settings or used a password longer than 14 characters. Ok well generating a rainbow table for that is pretty easy, and you can go and download them online. An alphanumeric table is only like 2GB and it covers the entire possible PW size from 1-14.
Ya well you don't get so luck with newer hashes. If you use MD5, which many OSes do (that is also what NTLMv2 is based on) a table that can do only lowercase alpha and space passwords from length 1-9 is 52GB. That means if the password is over 9 characters, or has a capital letter or a number or a special character it is fucked.
People love to bang on about how cool Rainbow tables are at cracking even complex passwords, and they are always going it against LM hashes it seems. Reason is it is easy. Fine but that doesn't matter. Want to try yourself? Ok fire up your favourite rainbow table program and have a go at this: f01889f696f2b20192b8ba7522481a98. I'll even give you the parameters: It is an MD5 hash, no salt, the password is an English phrase, any human can read it no problem. It is more than 20 but less than 30 characters in length.
Try any table you like, I've never seen the one that can handle it, and it is a simple password, relatively speaking. It isn't some randomly generated garbage, it is meant to be human readable.
All rainbow tables have really done is made cracking short, simple passwords fast. Fine, but that isn't really all that intensive anyhow. You can crack LM passwords in less than 24 hours on modern hardware, no tables. They are cool, but they don't really change anything. They don't allow for this "We have a table that cracks any hash no matter how long," kind of thing. Not only would such a table take a stupid amount of disk space, but it would take far too long to generate it. Even if you said "Sure we can spare 100EB of storage for a massive table!" what you can't spend is the thousand years it'd take to make it.
Perhaps, but if someone was able to log in with your password could they also just turn off the SMS notifications?
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
If you keep your password in your brain by remembering a random string, you're either a genius or you're doing it wrong.
The brain is bad a remembering random strings, but it's excellent at remembering sequences of movements, like the one necessary to type those random strings. If you wanted to know one of my passwords, I'd have to ask you for a keyboard first.
unfortunately not....
a translation would be.
Where I worked they got u to change your password ever few months or so, oh and forced you to use some odd characters etc...
Problem with these so called 'secure' passwords was that, well, know one could remember them.
so people ended up putting them on post-its, sharing the admin password around or putting a number on the end and incrementing it every time.
Otherwise, well after 3 goes of a password that's so secure even you can't remember it, it's a 2 hour wait and phone call getting your passwords reset and stuff setup again.
thank God the internet isn't a human right.
I have the same problem with my ... bank card. In what world is a four digit password based off of ten numbers a secure method of doing business. The immediate answer is, "you have to have a passcard too" but this is no longer true since someone can walk past your wallet with a fancy phone attachment and get your number just by bumping into you to put onto their own fake card. Ah well.
its the way the password is encrypted. Hashing is not encryption, because you can just brute force it using a dictionary attack and find the hash that matches. A long random string of characters is hard to "crack" if you are repeatedly trying to login with every combonation, but when you have a list of hashes, you can spend as many cycles as you can throw at it in a multiprocessor environment and discover, the password that matches the hash. Hashing is a terrible way to "protect" a password for discovery, especially a hash without a secret salt combined with it. People get confused when things are called "cryptographic hashes" thing they mean encryption when they mean really hard to recover, which with unsalted inputs and simple database comparable inputs they are trivial to recover.
I think the problem was as follows.
the plural of 'post it's is not obvious, often I use quotes for plurals of nouns like that.
but then there's also this problem. the it's fits two ways, I've put two in below.
hard passwords just lead to 'post it's. It's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.
thank God the internet isn't a human right.
speaking of adblock, (and yes, this is somewhat offtopic, and if someone wants to waste mod points on a nested comment so far down, kudos to you), have you noticed that more ads seem to be getting through on Chrome lately? Is this a "feature" of the browser or is this isolated to me (likely user error or some such)?
I've got a 15 year-old piece of paper with codes that I need to enter when I want to transfer money.
It's quite an amazing system.
Which is extremely weak. Now I'll grant you it could be an issue: If someone gets access to your system and your SAM file and if you are running XP or earlier and if your password is 14 characters or less then there will be an LM hash. Vista or 7? No LM hash by default. Longer password? No LM hash (as LM is limited to 14 characters).
So let's say this password was on 7 instead. Ok so it is 13 characters and uses upper, lower and numeric. Surf over to Ophcrack's site and... no tables that could get it. Their largest Vista stable, 137GB, only does 8 character passwords, so it is too long. they have one that does 12 character passwords, but only numeric. Same deal at Freerainbowtables.com. They've got a 453GB NTLM table that'll do mixed case and numeric but only up to 8 characters.
So with a modern hash, even with no salt, that password is just fine.
Well what if you are running XP? For one you can just turn off LM hashes but suppose you don't want to. Fine, just make a simple phrase. "OrphCrack is 2 stupid 4 this 1." would be a password that none of their tables could handle. It is over 14 characters, so no LM hash gets stored. It is also way too long, even if they doubled the length of their tables (and remember each character is exponentially harder than before, requires exponentially more space and time to make the table) it wouldn't touch it.
This is just people trying to make a scare story where these is no story. Yes rainbow tables can crack passwords in their range really fast provided they have the has file and it isn't salted. Don't use a short password and you are good. Long passwords aren't hard, just make it a phrase of some kind. Given that the best tables are just eeking in at maybe 9 characters, I wouldn't worry about the future if your password is 15+. Be a long ass time before that is a problem.
That's also an option. I was wondering if this was about preventing SQL injection, and they'd never heard of parameterized queries.
Most backends will hash the password which means if one DB were stolen, thieves would have to reverse hash my password to stand a chance of guessing the other throwaway passwords. A manual step which might work if someone was targetting me specifically and individually, but my name appears in amongst hundreds of thousands of other names. Besides, working it out lets them have access to some other throwaway accounts, so who cares? At most it puts me out a bit that some spammer starts spamming acai berries or whatever in my name but its not the end of the world.
I was wondering if this was about preventing SQL injection, and they'd never heard of parameterized queries.
That would have been my first guess, though any SQL system, even if it doesn’t support paramaterized queries, can (and should) be secure if you correctly escape your data, so there’s really no excuse.
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
The real security in bank cards is the secrecy of the algorithm. Which is probably over 20 years old by now.
If any criminal had access to the algorithm, it would of course be trivial to run through the 10000 possible options to find the pin number that goes with the stolen bank card, but fortunately in the past 20 years nobody has ever been able to bribe anyone for access to that algorithm. We're safe, guys.
I appear to have broken slashdot.
Slashdot has been broken for a very, very long time.
Give me Classic Slashdot or give me death!
I think a lot of the confusion would be eliminated if you called them Post-Its. Just my 2 cents...
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
I get a lot of practice as a developer. Finding missing semi-colons, quotation marks and brackets in code is practically my specialty.
The whole point is you have no idea or guarantee the website will keep your data secure. They could plaintext your password along with all your information in a readable directory of the web root. Yes, that still happens, a lot. If it can be rainbowtabled in mere seconds on one OS, it can be eyeballed in even less on your precious apache on linux. Old MySQL passwords are abundant as well, same story as the windows rainbow tables used as an example here.
I was promised a flying car. Where is my flying car?
I recently started using keypass. It has an autofill function for any site you visit. This makes it so I no longer even need to know what my passwords are. It will even produce random passwords for you. It's open source and cross platform. All my passwords are in an encrypted file in my dropbox folder for syncing across my devices, and I carry the key in a thumb drive on my key chain. I also have an keypass app on my android phone in case i need a password and am not on one of my usual devices.
And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?
Use last pass, keeypass, password hasher, etc
Not the same problem at all. Nobody should have a copy of your bank card number, so that can be seen as part of the 'secret' number in addition to the PIN code. So you need the card as well as the PIN. If somebody steals the card number, and fakes a bank card, you have already reduced the number of people that can do this as well as increased the cost of doing it. Then you only get 3 tries before your card is locked. The best way of capturing the PIN is a fake ATM with camera to capture your pin number, and with this attack the length of password or character range becomes irrelevant.
So no, not really same problem.
Phillip.
Property for sale in Nice, France
But much less safer. My phone has a PIN you need to insert to unlock its keyboard or turn it on. Even if they steal it, they can't use it for transferring money.
You either have to leave the paper at home (meaning you won't be able to use internet backing somewhere else), or you risk much more if someone steals your wallet with it and you don't notice in time to tell the bank.
Dilbert RSS feed
I used to keep a GPG-encrypted file in my home directory containing all my passwords. Then I discovered 1Password through MacHeist, and have never looked back. It lets me generate totally random passwords for everything, fills out tedious signup forms for me in a single keypress, and fills password forms for me in just one more keypress. It also lets me keep "authenticated bookmarks", which are bookmarks to sites that automatically fill out my username/password and log in when I visit them (after entering my master password, of course).
It's also virtually immune to phishing attacks. If the URL doesn't match, it won't fill in the password. This protects you even against scarily good phishing attempts.
On top of that, I don't have to worry about being "locked out" of my passwords or losing them in a fire, because 1) it's sync'd to my iPhone (and other machines) via Dropbox, and 2) the keychain file it emits includes a standards-compliant HTML page that contains all my encrypted passwords, which it uses JavaScript to unencrypt when given my master key.
No comment.
FTR "Fgpyyih804423" is not a very strong password seeing as how it has repeating letters and numbers plus the numbers are all tailing. Why not fY6jKL23a5B2 or something that jumbles up letters and numbers and includes mixed cases. Not that it matter for most things anyways, the only passwords I care about anyways are online banking and private torrent sites - cant have someone running my ratio or my checking account through the ringer hehe.
KeePass 1.x and Dropbox. Both are available for just about every OS and smartphone made. KeePass also has a built in password generator that can be configured to handle length and content requirements. I can use my work computer, my home computers, my android smartphone, and even a guest computer to access and manage my passwords to anything.
I cringe when I see most places trying to do that.
They've usually got a canned list of around 5-10 questions that you can't change, they're almost always the *same* questions as everybody, and it's usually not that difficult to track down some of that information.
Hell, I don't want to have to answer questions they pick, because if everybody is asking the same question, it devalues the whole point of information that only I should know. Hell, if someone gets access to that information, then you're really SOL.
Lost at C:>. Found at C.
Hmm, didn't work :( At the moment for exampke it shows 8 comments abbreviated, and 132 more. I don't want to have to click more each time to get comments and then drag the sliders each time to abbreviate them.
If you ignore ACs because they are anonymous - you're an idiot.
Why Windows? Because there are a lot of Windows Servers in the world, and it might be hypothetically possible for an attacker to get a copy of the Windows User Account database for a server. If you use 'backwards compatibility' settings for Windows, it generates hashes the same way that Windows 95, 98, etc did, which had some serious weaknesses which make it particularly easy to use Rainbow Tables (according to the linked article, a 14 character password was stored as two separate 7 character hashes, effectively reducing password strength to finding 2 7-character passwords, which a rainbow table can easily and quickly do).
What you say is true if the attacker is attacking your server directly. The Gawker Media situation is one where, through some means or other, crackers managed to secure the password database file with the account names and password hashes for EVERY Gawker user account.
Once they have a copy of the file, they can then proceed to do an OFFLINE Rainbow Tables attack against all the user accounts, and find the password for every username with a sufficiently weak password. With an offline attack, there's no way you can prevent them from trying something like this attack. Any system could be to some level vulnerable to an offline attack if the attacker gets a copy of the account data - even Linux or Apache.
I keep them all listed on my online dating profile. Nobody will ever look there!
- RG>
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
Seriously, we have a great system for authentication via SSH. Public/Private keys work well. You have one password to remember and no one else gets it--even if they are hacked.
gpgAuth
There's no place like
The best value of the OpenID approach isn't even that you only need to trust one provider - it's that if you use one password for everything, it means you can change one password once and you have a new password on every site. I got a notification from Ars Technica about 6 months ago that there password database had been exposed, and recommending that if you re-used the password on multiple sites, you should change that password everywhere it's used. So, if you have one 'weak' password for 'unimportant' sites, as this Slashdot article suggests, and you also re-use that password you now have to remember to go change that password at every site you've used it - but you might forget to change it right away at a site you only occasionally use.
Of course, the flip side is, if your password is somehow compromized with OpenID and you *don't* know that, and thus don't change the password (because you think it's still safe), an attacker has access to everything. Which is why I'd never use OpenID for something like a bank site, online auction/retailer, etc.
Using OpenID for the types of sites where you might use a 'weak' password because they aren't "that important", and using a moderately strong password makes more sense than using weak passwords on lots of different sites. It's just too bad that more sites don't offer OpenID login.
Of course, any decent auth system will lock the account after a few failed attempts and/or limit the time between attempts and use password shadowing to make sure that one cannot get the file with the hashes in it and attempt a local attack. When the website will email you your password if you forget it, the intention was never to be extermely secure anyway, but merely to provide a reasonable assurance that any and every Tom, Dick, and Harry won't get it. They already expect that Bob and Eve can pull it off.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
well Post-It(TM)s
the plural problem arises more often than a hyphen can fix.
thank God the internet isn't a human right.
> ...it's usually not that difficult to track down some of that information.
Tell them your mother's maiden name is ct!h0Zf&.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
It seems I had an account on Gawker / LifeHacker / etc. The problem being, when I login now, I can't use my usual passwords. I want to know what password it is, so I can take that into account.
Does anyone know how I could brute force that?
I haven't jumped into their code or anything, and aren't sure what algorithm they're using. But is there an easy way people have figured out to brute force their passwords? I usually set pretty non-trivial passwords, but since I know what I'm likely to have set, I can restrict the character set, and length, and hopefully crack it quickly.
Any ideas is are much appreciated.
Especially ideas which aren't "grab their function and edit it for your password only then write something which calls it for every possible iteration".
This is my footer. There are many like it, but this one is mine.
Ugh, the worst offender I've ever seen is the US Postal Service. I dunno how it is now, but at the time, my password had to be EXACTLY EIGHT characters and had to contain EXACTLY ONE capital letter and number, respectively.
Of course, at sign up, the form just discarded any letter over 8 chars and any capital or numbers after the first entered. WTF,man?
I have an index card on my desk with things like 'I_k1ck_@ss St.' written on them. Those are my stock answers for those stupid security questions. Sure, if someone savvy with computers breaks into my house, they might notice that, and take it with them when they steal the computer. Then, with some detective work, they could possibly reset my passwords.
But more realistically, someone doing some identity theft isn't in my house, so they won't be able to crack that, since it's not based on anything they can dig up online about me. (Or even from my garbage can.) And someone stealing my computer is likely doing a smash and grab, to sell for drug money. They're not going to bother with an index card on my desk.
Velociraptor = Distiraptor / Timeraptor
Office-place server admins should remember, if passwords are required to be more complex than the user is likely to remember or require changes too often then users will write their passwords down. Often this is done on a sticky note placed on their monitor where just anyone can walk by and read it. Remember admins, be reasonable. Insisting on absolute security will result in no security at all because the users will work around it.
Yeah, by "amazing" I meant it's amazing in how archaic, cobbled together and badly thought through it is. Not that it's actually any good.
Their interface sucks too.
My bank does make me answer a security question if it doesn't recognize the IP.
-- I ignore anonymous replies to my comments and postings.
Having spent a few years working for a company that dealt with files from Asia on a daily basis, it strikes me as odd that more sites don't allow unicode characters. Adding a single Chinese or Arabic character to the password is enough to force most cracking utilities *even when you have the machine in your hands* to have to resort to brute-force measures that can take days. What's awful, though, is how sites restrict you to A-Z and 0-9 98% of the time, which defeats the entire reason for a password. I suspect that they want to be able to maybe crack it themselves in case they feel the need to do so. Because 10 characters max, with a simple 36 character ASCII limit is going to be cracked exactly as it was in the example.
It's the old obscure OS trick. If you are using an operating system that the hackers commands mean nothing to, you are secure. I know of a few people who run email servers(as an example) that use very obscure and old operating systems that no botnet or hacker is designed or has the knowledge any more to deal with. One friend a few years ago was using an old A/UX Macintosh as a router, precisely because the ability to remotely hack the code was essentially zero.(while there were easy ways ten years ago, everyone has forgotten them by now) If you can find a book on how to program some of these obscure OSs, good luck to you. If you want to really go crazy, run OpenVMS on your mail server. And watch anyone who gets into the system have a fit trying to take over. (I suppose there are some people who can, but criminals are lazy and I suspect less than 1% of people here on slashdot even have used OpenVMS in their lifetime)
While that's not usually workable, though, for modern computers, it IS easy to do with Unicode, since the latest version covers 109.000 characters. Figuring out what characters you used would probably take a cracker just to figure out a simple 2 character combination. It's just not something that the botnets are (currently) equipped to deal with.(though I suspect that they do check for simplified Chinese and Japanese and similar characters - the trick would be to pick something obscure like Sandscrit or another ancient language.
Which gets back to why it should just be a hash in the first place, and not an actual password. For the hash, who cares what characters it has? If the system isn't adequately hardened to prevent an exploit on the password submission then they might as well have a button saying "I promise that I really am AAARRRGGGH."
Oh well...
It is not safe if your browser is compromised. You enter a transfer of $50 to bank account A. Trojan in your browser replaces this to $5000 transfer to bank account B and sends this to bank. Bank asks you to provide transaction number 27 from your paper list to confirm $5000 transfer to bank account B. Trojan changes the browser display: "Please give me transaction number 27 for $50 transfer to bank account A." You provide the transaction number 27 and the trojan uses it to confirm the fraudulent transaction. And if the trojan is good, it will continue to alter your balance and your account display for weeks to come... The SMS based transaction numbers are much better. The SMS says: "You requested a transfer of $50 to bank account A. Please confirm in your browser using the code 984759830." An attacker would now need to install a trojan on your computer (to be able to get your login details) and get hold of your mobile phone at the same time. Much more difficult!
Even better, my bank will let you change your password to one with special characters but their login page won't accept them.
Then they ask some dumbass question like "what is your favorite movie?" but I just answered all of those security questions with another password. ;)
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
You bank without using a Live CD?
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
I usually just tell them my mother's maiden name is cthulhu, and then the bank gives me all their money.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
There was some guy on this forum a long time ago that made a good point too. He said when your company requires you to make a password include certain special characters or numbers, they make things easier on the person trying to steal the password. Because now she knows to not even try all of the password combinations that don't fit the rules for making a password. She knows not to try any password that doesn't contain uppercase and lowercase letters, numbers, special characters and whatnot. So you give her a smaller list of passwords to try in a brute force attack. Combine that with the post-it note problem and you have a good argument for using, easy-to-remember passwords in the first place.
I just spent ten weeks working in the Oregon State Unemployment Office helping people navigate the information-collecting computer system that everyone must use in order to get unemployment checks. Since the local economy is dissolving like a sugar cube in a cup of hot tea, this is applying to just about everybody here.
The morons who run the department thought that it would be a good idea to force everyone to fill out a very long ten+-page summary of their work history, skills level, and personal financial situation. Then it would try to match potential jobs to potential employees. This might work in Sweden or Singapore, but it sure messes up big time here.
Roughly 20 percent of the people have NEVER used a computer before. They don't know a mouse from a house. They wouldn't know a password from a hole in the ground. This system not only required elaborate passwords, but required changing the password if user (a contradictory term since it refers to all the people who have never used PCs before) to change their password if they forgot their previous one or their user name. Since the state assigns user names to begin with, this applied to just about everyone except people who work in IT and are used to all this kind of horseshit.
I've come away from this experience realizing that programmers ALWAYS write their user interface for people who are just one step below them in the IT industry skills-level hierarchy. They do this unconsciously because they never deal with people who don't ever use PCs. When dealing with the general public and there is a question of making a user interface easy-to-use or 'safe' at Defense_Department_Atom_Bomb_Launch_Codes, for F*ucks sake, go with easy-to-use. Rely on a separate level of human-confirmation for general security.
ALWAYS let people chose their own password and user-name!!! Don't tell them that it has to be n characters with x letters and digits. This will always fail. And when it fails, you fail to do your job well. Spare me the horseshit about security. Passwords are just a 1960s exercise in 'security through obscurantism', which doesn't work now because there are programs that can blast through millions of potential passwords quickly, and because people will always always ALWAYS forget any password that you force them to use and might might MIGHT remember a password that they have chosen for themselves. If Joe Blow wants 'joe' to be his username and 'blow' to be his password, then that's what he wants. He doesn't want you to tell him that he can't do this. So don't do it.
Don't use case-sensitivity for anything, anytime. You're dealing with people who don't understand the concept. You aren't going to get the concept through to them anyway. Do yourself a favor: do the world a favor: don't use case-sensitivity for anything ever. (Ever see Japanese characters differentiated between upper and lower case? Wanna try to explain the concept the concept of case-sensitivity to someone who looks at a keyboard and sees Western language letters already in capitals and they only read Chinese, Thai, or Russian?) It deserves repeating: Do yourself a favor: do the world a favor: don't use case-sensitivity for anything ever!
Get over your PC security hangup! Most websites don't NEED any user accounts passwords, etc... It just doesn't f*ucking matter! Most commercial websites are just trying to use registration for spamming and advert hussling anyway because some 95 IQ shit-for-brains Marketing-major web designer was told by his 95 IQ shit-for-brains Marketing-class college instructor that this was a good idea for 21st-century business.
Trust me: it's not. Don't do it. Expand your mind. Trust your intuition. Stay out of shopping malls and don't watch television advertisements. May the force be with you because the farce is on top of your ass always.
I use KeePass to generate and store complex passwords. Then I just e-mail the encrypted key db to myself on a web-based account. Changes are infrequent, so synchronization isn't that big of an issue. Just don't forget to send yourself updates when you add new sites or change passwords for whatever reason. As a bonus, you'll have redundancy with the presence of the key database on multiple computers and online, so the chances of losing all existing copies are negligible (unless, perhaps, you happen to work and live in the data center that hosts your e-mail account).
https://www.eff.org/https-everywhere
I know my bank does exactly that. First time logging in from a new computer and it asks me a few security questions.
This is what public-key cryptography is for. Someone insists on a password?
makepasswd --minchars 8 --maxchars 64
If that doesn't work, replace maxchars with whatever's relevant for the site. That's already fairly secure, but if a site insists you use non-alphanumeric characters,
makepasswd --minchars 8 --maxchars 64 --string 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789!@#$%^&*(){}?+[]/=;,.:'
And that's assuming they don't allow Unicode. Most websites will let my browser save the password, and a few others, I can copy it from a text file. On the very rare occasions a website insists I type the password every time, and I'm too lazy to work around it, I do this:
gpw
Then, just add some numbers that mean something to me, though after a week or so, I'll have memorized them -- so the next time I need one, there'll be other relevant numbers.
At this point, I never sign up for a new service with the same password I use anywhere else. I don't want to make it easy for someone else to crack my Slashdot account, for instance, but that's no reason to trust Slashdot with my PayPal password, or vice versa. TFA is moronic -- it's not about "lousy" passwords, it's about limiting the scope of passwords, and this isn't new. This time, the site in question didn't use salt. What if they'd actually been malicious?
Don't thank God, thank a doctor!
So first all these cracks apply only when you have the has, none of this is remote in any way, shape or form. Second just start using easier to remember passwords. Take a phrase, make sure it has some capitalization, some numbers, and some punctuation. There you go. You can have a long password that is easy to remember no problem.
I agree two factor security is useful, but guess what? For random websites it'll never be feasible. I don't have to have 200 key fobs or cards for all different sites. For banks and the like, well some of them already offer it. My bank (Bank of America) does. They call it SafePass and you get a little credit card object that is a key generator.
However that kind of thing is only really for high security stuff. You don't want to have a million keys and if there is one key that everything uses that is a security risk in and of itself.
Tell them your mother's maiden name is ct!h0Zf&.
Most of these "security" questions ignore anything but [A-Za-z] in the answer and fold case.
So, although you are a bit more secure by not using the correct, searchable answer, any answer that wasn't correct would accomplish the same thing.
easy fix, use your regular smallish password and a checksum algo of your choice (md5sum, sha1sum, whatever) and then use the hash of your crappy password as your actual password.
they then have to figure out what algo you used, what key length, and what simple password, or just try to brute force the ridiculously long password the hash creates.
And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?
Actually, yes. LastPass.com makes it trivial.
I've changed most of my passwords to long, pseudo-random passwords and store them with LastPass (I also keep a backup locally, Just In Case).
Disclaimer: Although I'm a LastPass user (and pay for the Premium service), I have no other connection with the company.
I have been instructing users to use passphrases, instead of passwords. Something like:
"I have 3 children, and 2 of them are boys."
That is actually a lot harder to crack than d5*wnkf8Vis324
Not a problem actually:
http://www.lastpass.com/ does ALL this.
PCs, Browsers, OSs, Phones, hell they even do One Time passwords if you like!
Very good software!
(stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
So...you just corrected his punctuation by using an apostrophe to form a plural? I award you 10,000 irony points.
I hate everything about (anti-)security questions, which are (IMHO) nothing more than a time/money saver for the institution in case I forget my password and have to bother them about it. These security questions amount to having a link ("Click here to hack this account") where the unauthorized person gets a hint at a weak password. And that weak password could potentially be found in public records. Security questions are practically a gift to criminals.
Place of birth? Maiden name? Parent's middle name? Easily information for someone to dig up.
Favorite teacher/coach? I was home schooled, so it's either my mom or my dad, which if anyone knew I was home schooled they'd figure that one out in two tries.
Favorite movie/book/fictional character? Well, my favorites change from time to time, what's the likelihood that I'll remember when I answered that question and what was my favorite then? And favorites come up in conversation frequently, so someone eavesdropping on a conversation or reading one of my online posts might pick it up.
I always answer their security questions with some kind of nonsense. I don't need a simple password bypass. The system is only as strong as it's weakest link, and I'm not going to add another weak link. Hell, rarely do I find 3 different questions that are even applicable to me, and they don't let you skip setting up security questions, so I'd be forced to enter nonsense for at least one of them most of the time. /rant
I call them "sticky notes".
Care to state that in English?
Which is why my standard answer to any of those "security" questions is "guess".
What's my mother's maiden name? Guess.
You'd be surprised how effective it is... :P Anybody who actually does go stalkerish and tracks down my mom's maiden name still can't actually answer the question correctly...
Hello,
If most sites were using bcrypt with a decent work factor or another similar algorithm you would probably never crack more than a tiny, tiny fraction of a password database. We know how to prevent this. It is best summarized in PBKDF type algorithms, bcrypt and others. Use it. This stuff works.
I use phone numbers from the past. Old home numbers for forums, old work numbers for news sites, old GFs numbers for porn sites, and I use a hotmail email to sign up for everything that I do not want my real name used for.
In the wake of the Gawker exploit, we're seeing lots of news articles in major papers consulting "security experts" and the reporter then quoting or suggesting using more than 8 character passwords.
Of course, none of them mention that Gawker threw away any characters beyond 8, so that (for example) 12345678 was just as secure as 12345678%#^*(&^&(**, and entering 12345678 would allow both accounts access. I find it
hard to believe that others sites don't do similar things, and of course they're not going to tell you that (it's a security exploit clue) so there's a good chance that your attempt and effort is wasted anyway.
Don't get me started on sites that have so-called "security questions" which are a non-editable list of crap that anyone with a phone book or knows how to use Google can discover. My bank recently added a bank of 5 non-editable questions (although, they do give you a list of 10 stupid questions to select from) but my reasonably secure answers always failed a login ... creating and using the questions became mandatory one day, and I was locked out of my account in the meantime, with bill due dates looming.
Turns out that they limited the characters for all answers in total to less than 60; apparently they wanted short, one-word answers, and called it "good". It took two days and phone calls to both my bank and from them to their outsourced IT guys to figure out that little problem, but a few hours before they called me I had managed to figure that out myself in about an hour (it took about 5 minutes each attempt to login, wade, select and answer, record the answers, test, logout, count characters, login ... ). Even though they called later and told me 60 I had actually determined the limit to be 63, or 1 less than an average of 16 characters per answer.
Now, in contrast to your bank, low-value sites that require you to log in to comment, and where all you do is casually comment, don't deserve your time and effort to create and use good passwords, probably. Perhaps better advice is to create a throwaway eMail address in Gmail or some other free public eMail service, and have your mail program simply automatically delete every eMail from that address upon arrival in your inbox, eliminating the spam issue completely (for you). Use that eMail, and a correspondingly useless username and password, and don't worry about it. If you find later that you are going to actually use that site (ie by making a submission rather than just a comment) then reset or create anew with more secure credentials.
This is really a natural progression of the web itself; at one time you logged into sites that actually mattered, now every little crap site on the planet wants a login. If you follow that approach, you need to divide the expanse into what matters and what doesn't, keeping in mind that if you put one site into the "doesn't matter" category, then every site in that category can result in them all being compromised ... so be sure that it's appropriate and you don't use throwaway credentials in a site that matters; in particular any social networking site should have it's own unique credentials, since "Sharing" is their middle names.
Taken in this light, it's also a corollary to the (not unreasonable) revelation that a lot of the usernames and passwords were low-value security-wise on Gawker. I mean, I understand that crap passwords are an irritant to IT Pros, but we all only have so much time. Maybe some of those users actually have the password thing right and do have good security in mind; just not for a site like a Gawker Media site. Of course, it appears the principals and staff of Gawker aren't in that category, since their credentials themselves should have been good practice examples.
I realize that IT pros who actually know what they're doing might cringe at the idea of deliberately creating insecure passwords, but we all have lives to lead and time to allocate, and as the Gawker Media incident shows, not e
My objective was to point out the sentence made more sense if you broke it up. The original post contained the 's, since I was quoting it the 's stuck. There are plenty of others more willing then me to point out the additional issue.
I have a post-it note labled "passwords" with about a dozen random 12 character strings stuck to my monitor at work. None of them are actual passwords that are used anywhere.
It's surprising how often I find my network login has been locked out.
The point of TFA is that it isn't worth worrying about that, though... in a world where people just brute force the hash rather than trying to guess your password, there isn't really any difference in the strength of your password, whether it's "123456" or "Idtawgmp0fw@12qpTT78v!^y23". And that's not to mention that hackers don't usually go after individual accounts, they go after entire sites.
You're actually *safer* using one or two passwords that you can easily remember for stuff that isn't generally secure (stuff like forums), because then you don't have to trust that password to an outside site like LastPass which could, itself, get hacked and compromise all your info.
Anybody who's trying to hack your stuff and knows you in person probably isn't going to go after your passwords...
Obligatory XKCD: http://xkcd.com/538/
Yeah because I doubt anybody would have rainbow table entries for your crappy passwords.
I started using a different password for every site and tracking them in a spreadsheet. It's grown too unwieldy for decent use, and it's surprising to see the number of things that I've signed up for.
No, I will not work for your startup
Good reference. Thanks. I use PasswordSafe but it's local. I actually like that feature b/c it reduces the number of vendor dependencies, but it's a pain b/c of sync. It might be worth checking out lastpass so thanks for the reference.
FYI, there's an interesting company called SpiderOak which has similar security (zero knowledge cloud encryption) for storing files online which is pretty handy as well.
That sounds dangerously like security through obscurity to me. Relying on lack of information about your password to protect it is insecure, as best as I understand the issue.
Good hashes should be able to share everything about themselves except the values that generated them. If you use a weak value to generate it, then any security hash is weak.
Which is why you lie. Consistently and constantly to those questions.
What was your birth place? Pizza Hut, Luna City
What was your first pet's name? Sir Fucks-a-lot
What was your mother's maiden name? Jack Daniels
What is your favorite food? Glass
If you do so, no amount of digging into your personal life is going to come up with the right answers and as long as you give the same answers each time, it's not that difficult to remember.
Of course, then you have the problem where THAT database is compromised, given unlike the password data base the answers probably weren't encrypted...
I like the way that Chase is setup. If I have not accessed their website from a particular computer, they require a second form of authentication that they send out via SMS or phone.
You bank without using a Live CD?
Yes, this is the Real World, don't'cha'know, and some people are willing to entertain microscopic risks in exchange for convenience.
You're special forces then? That's great! I just love your olympics!
Which is why you lie. Consistently and constantly to those questions.
What was your birth place? Pizza Hut, Luna City
What was your first pet's name? Sir Fucks-a-lot
What was your mother's maiden name? Jack Daniels
What is your favorite food? Glass
If you do so, no amount of digging into your personal life is going to come up with the right answers and as long as you give the same answers each time, it's not that difficult to remember.
Of course, then you have the problem where THAT database is compromised, given unlike the password data base the answers probably weren't encrypted...
Yup. The only way someone could ever get them is if you posted the list of questions and answers to some kind of non-anonymous messaging board. Luckily, nobody would eve be that foolish. ;)
You're special forces then? That's great! I just love your olympics!
They also make working with that information awkward. I do a bit of genealogy as a hobby. Have the family tree done up as a nice web page. Mother's maiden name is all over it of course. But, so far, even though all the info in there is public, I have not put that page on the Internet. All because of security questions.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
The point of TFA is that it isn't worth worrying about that, though... in a world where people just brute force the hash rather than trying to guess your password, there isn't really any difference in the strength of your password, whether it's "123456" or "Idtawgmp0fw@12qpTT78v!^y23".
I respectfully disagree.
To the best of my knowledge, rainbow tables for unsalted, printable-ASCII passwords are useful for passwords up to about 14 characters. Using a longer password would make it less likely that bad guys would have created rainbow tables for it. Generating tables for all passwords up to 20 characters in length would be a very large undertaking. Tables up to 30 characters would be exceedingly resource intensive.
Naturally, it would be best if sites used reasonable methods of protecting passwords (e.g. a hash composed of the username, password, and salt), but having site-unique, long passwords (whether stored at LastPass or elsewhere) does help limit the damage of any compromise.
FYI, you give away your bank card number every time you use it. At most, I'd call it semi-private.
Bullish Machine Tzar
Ugh, the worst offender I've ever seen is the US Postal Service. I dunno how it is now, but at the time, my password had to be EXACTLY EIGHT characters and had to contain EXACTLY ONE capital letter and number, respectively.
Of course, at sign up, the form just discarded any letter over 8 chars and any capital or numbers after the first entered. WTF,man?
USPS is so stuck in the 80s when it comes to computing. I've been working with some of their data and it is incredibly frustrating. Like it was made for those old spool printers. I don't know how anyone can have a database full of ALL CAPS and fixed width datasets this late in the game.
Bullish Machine Tzar
you consider something like jkafhnhbhhsgfjkhl02948329075843jknewuwdfm a crappy password?
something tells me you don't understand what I have suggested. and also I think rainbowtables for passwords 60+ characters long will be rather.. not feasible.
Think of it more of an easy way of remembering your ridiculously long random password.
Relying on lack of information about your password to protect it is insecure,
Your password itself is 'lack of information' so essentially you are arguing a password is security through obscurity.
Good hashes should be able to share everything about themselves except the values that generated them. If you use a weak value to generate it, then any security hash is weak.
In this instance the hash is not public, the hash is the secret used as your password. unless you want to argue 60+ character essentially random passwords are less secure than hunter2, your argument is moot.
Think of it as an easy way to remember your ridiculously long password, without writing it down.
My bank forces me to answer the security questions any time I log in from a computer other than my own.
Better yet, use a hash of your 'secret' password combined with the name of the site. that way if one site gets compromised or you get phished, they can't use that to figure out your password to other sites yet you only have a single password to remember to let you recover all your site specific ones.
http://notanumber.net/
So don't use the real answer to the father's middle name question. Say it's 1y1g2r3fs5cxy4 or something.
...the future crusty old bastards are already drinking the Kool-Aid.
The best one was a client (anonymous) that migrated to one of our platforms, and we found out that the support staff had been setting everyone's password to 'password' and telling them to change it.. ummmm.. I don't think *anyone* changed it, all the accounts seem compromised.
Once it's known that your hash (which granted would be a strong password by itself) is in fact the hash of a weak password, then calculating which weak password generated it would be easy.
And having them find out what your actual password is with only a password makes finding it easy. The whole point is for it to be kept a secret. (in this case what algo you used and that you even hashed it is also a secret).
Having a strong password and then telling them 'it is x characters long and starts with xyz' to get the strong password negates it's value also. There is no difference to what is being done here.
You can't, at least not at my bank. One time SMS codes are mandatory for transactions to new accounts and any security changes so it's pretty robust. The weakest link would be if you had the password, and my personal details and called up my bank pretending to be me and requested a change of cell phone number for SMS. But then this change gets sent to my email address and a letter to my house so I'd know about it. Unless you had all that too. Possible but about as hard as I realistically expect.
Keepass. Windows/Linux/Mac on the desktop, Android, iPhone, Blackberry and Symbian on mobile. There are ways to do on-line sync with it but I just copy the file manually when I update it now and then.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Move to OpenID. You can deploy even your own OpenID provider!.
Thanks for reading my post./facepalm
You're welcome. Don't hurt yourself! ;-)
...the future crusty old bastards are already drinking the Kool-Aid.