Slashdot Mirror
The Case For Lousy Passwords
itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."
Anytime I visit a site that wants a signup, I use a garbage email account, with the same username and weak password. If someone hacks my identity, it's not even "me".
It's not as if the right to post or read is such a valuable commodity that can't be replicated next time you visit the site.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
hard passwords just lead to post it's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.
one time i worked at a place where every 6 months they would randomly change your password to a random 8 letter string of letters, numbers and a special character. and your username was some cryptic combination of initials, numbers and department. needless to say most people would keep a copy under the keyboard. meanwhile the admins thought they were james bond with their cool security
Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?
The coding horrors article claims that that given password was "cracked" in 160 seconds with a cracker kit but it fails to claim that it is a brute force attack where the attacker has physical access to the system (the cracker software is a bootable DVD, for fuck's sake). Meanwhile, in the real world, this sort of attack is practically impossible to pull off from any site which has any semblance of security. I mean, you only need to place a delay of a fraction of a second between login attempts to drive the time needed to "crack" the login/password combo to months, if not years. Adding to that the fact that it has become pretty much standard for sites to simply block any login attempt after N failed attempts then this reference to this so called cracking software goes from irrelevant to pathetic.
Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
Passwords are a very poorly designed security mechanism, yet no matter how many times this is pointed out, people still seem to think that the solution is to educate users about password security. Human brains just do not generate or remember random strings very well, and it is ludicrous to expect users to do so. Of course, passwords will always be around because password based systems are convenient.
Palm trees and 8
And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?
As you can probably guess, I use the same, simple password for every single web forum. I use complex passwords only for stuff that matters: my computers, my banking site, my PayPal account (until I canceled it), etc.
What really pisses me off, by the way, is when sites want to restrict my choice of password. The most stupid example is my bank, that doesn't allow (most?) non-alphanumeric characters in a password. Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.
12345 has always worked for me, on every site I've used. Some sites require a 6, and some even 7 and 8. I've never been hacked once!
I'd also like to add that I'm a giant douche and a poopy-head!
This was one of the best password articles I've seen.
I think the worst advice I've seen is when people recommend using some algorithm to make long painful "good" passwords that are variations of each other.
Someone who uses:
mysecr1tword4gawker.com
for fun and
mysecr1tword4mybank.com
for their bank isn't that much safer than if they had just used the same password for both.
Much better to use throwaway ones for sites like gawker; and truly random ones for banking.
IMHO OpenID is the best idea. You only need to put your trust in 1 identity provider - where it's worth the effort to set up a good password and 2-factor auth (easy to do for $0 at myopenid.com, and for a few bucks at Verisign's openid provider); rather than needing to trust every site you come across.
To quote the referenced article,
"Why is Ophcrack so fast? Because it uses Rainbow Tables. ....If you've salted your password hashes, an attacker can't use a rainbow table attack against you-"
In other words, any service with 1/10 of a brain will salt their passwords and be immune. They are also only vulnerable if they let their system get hacked and database stolen.
In other words its the same classic trade off as ever: you have to trust the person who runs the service to know what they are doing with your password. But if they do know what they are doing, then you shouldn't have to worry.
Punctuation would have been useful
hard passwords just lead to post it's. Even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.
If "Fgpyyih804423" had at least one non-alpha-numeric character in it, it would have survived at least the free download ophcrack.
I am not your blowing wind, I am the lightning.
Yeah, I just registered an online banking account and their password requirements were 8-12 characters, no special characters.
WTF people?
But then they use security questions as a second line of defense, which is just another password, and a much longer and therefore stronger one at that (if it’s done properly – which most people don’t do, of course). Now, hopefully they’d require someone logging in from an unrecognized IP address to pass a security question...
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
In a word - Lastpass. 'Nuff said.
Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.
When I worked for a major university a few short years ago, they contracted our paperless pay statements and W2s to Talx -- who only allowed numbers in the "password". Super frustrating, and of course no one in HR understood why I had a problem with this. They may have gotten smarter since then, but doubtful.
There is very little future in being right when your boss is wrong.
Presuming it was working the way you wanted before, log out, delete all your SlashDot cookies, then log back in. I have to do that every couple of months since the CSS makeover. Last time I was horrified to see Facebook "like" icons! *shudder*
The summary makes the incredibly naive and misleading mistake of conflating online trial-and-error attacks with offline hash attacks.
Against a system you do not control, the system has total power over how frequently you may try a username/password combination, how informative it is about your success/failure(ie. does it just say "no" does it say "wrong password" does it say "username not recognized"?), as well as being able to, if it wishes, just start ignoring all attempts from your IP/terminal or all attempts against a specific account(subject to the risk of denial of service techniques exploiting this). In this scenario, the difference between a terrible password and an OK password is enormous. The 12345 or 'password' are quite likely to be simple enough to crack by trial and error, even against a remote system. Modestly more complex ones will either be impossible or require days/weeks of low-speed guessing, or careful guessing from multiple hosts.
With an offline hash attack, you have total control over the hashes, and the only limiting factor in how fast you can attack them is your computer(and hash attacks generally parallelize really well). Here, the difference between a terrible password and a merely mediocre one will likely be less than the refresh rate of the attacker's monitor, and the difference between an OK password and a superb one will still be fairly small. Only a password so good that it is basically a nonstandardized type of private key will be of any use. However, offline hash attacks only happen against compromized systems, you can't get the hash table otherwise. They are an excellent argument for not re-using passwords, since systems get cracked all the time; but they are of only limited relevance in discussing the importance of password complexity, or lack thereof, for online attack scenarios...
Today computers offer keychains like Gnome Keyring and KWallet for Linux, and often offer a password-generating tools, browsers also remember the passwords. Creating a complex 30 character password and keeping in the browser takes 4 clicks, creating a complex password and keeping it in the keyring and browser takes 8-9 clicks, creating a stupid password that anyone can crack takes thinking, 6-7 keystrokes and then having to remember it. Laziness is no excuse when you're encouraged to be even more lazy with the complex ones.
Well, yes. Of course, this means you now have a single-point failure mode for ALL of your accounts now; somebody sneaks into your browser, and your complex passwords are all useless.
And it doesn't help, because when the sites you have to log into vary their URL and you have to log in to their site and your browser doesn't know which password to use, you're toast.
Your browser burps, and you're toast.
Your keychain freezes, and you're toast.
You're accessing from some other system, and you're locked out of everything.
Doesn't help against phishing, either.
http://www.geoffreylandis.com
The problem is rainbow tables quickly get too large to be of practical use, and take too long to generate. This fast cracking is again people banging on about old LM passwords. The old 3com/MS LanMan OS used a really weak hashing system. Passwords were limited to 14 characters in length, and were case insensitive. Further, they were stored as 2 7 character hashes. Windows versions prior to Vista stored these LM hashes by default unless you changed the security settings or used a password longer than 14 characters. Ok well generating a rainbow table for that is pretty easy, and you can go and download them online. An alphanumeric table is only like 2GB and it covers the entire possible PW size from 1-14.
Ya well you don't get so luck with newer hashes. If you use MD5, which many OSes do (that is also what NTLMv2 is based on) a table that can do only lowercase alpha and space passwords from length 1-9 is 52GB. That means if the password is over 9 characters, or has a capital letter or a number or a special character it is fucked.
People love to bang on about how cool Rainbow tables are at cracking even complex passwords, and they are always going it against LM hashes it seems. Reason is it is easy. Fine but that doesn't matter. Want to try yourself? Ok fire up your favourite rainbow table program and have a go at this: f01889f696f2b20192b8ba7522481a98. I'll even give you the parameters: It is an MD5 hash, no salt, the password is an English phrase, any human can read it no problem. It is more than 20 but less than 30 characters in length.
Try any table you like, I've never seen the one that can handle it, and it is a simple password, relatively speaking. It isn't some randomly generated garbage, it is meant to be human readable.
All rainbow tables have really done is made cracking short, simple passwords fast. Fine, but that isn't really all that intensive anyhow. You can crack LM passwords in less than 24 hours on modern hardware, no tables. They are cool, but they don't really change anything. They don't allow for this "We have a table that cracks any hash no matter how long," kind of thing. Not only would such a table take a stupid amount of disk space, but it would take far too long to generate it. Even if you said "Sure we can spare 100EB of storage for a massive table!" what you can't spend is the thousand years it'd take to make it.
I think the problem was as follows.
the plural of 'post it's is not obvious, often I use quotes for plurals of nouns like that.
but then there's also this problem. the it's fits two ways, I've put two in below.
hard passwords just lead to 'post it's. It's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.
thank God the internet isn't a human right.
Which is extremely weak. Now I'll grant you it could be an issue: If someone gets access to your system and your SAM file and if you are running XP or earlier and if your password is 14 characters or less then there will be an LM hash. Vista or 7? No LM hash by default. Longer password? No LM hash (as LM is limited to 14 characters).
So let's say this password was on 7 instead. Ok so it is 13 characters and uses upper, lower and numeric. Surf over to Ophcrack's site and... no tables that could get it. Their largest Vista stable, 137GB, only does 8 character passwords, so it is too long. they have one that does 12 character passwords, but only numeric. Same deal at Freerainbowtables.com. They've got a 453GB NTLM table that'll do mixed case and numeric but only up to 8 characters.
So with a modern hash, even with no salt, that password is just fine.
Well what if you are running XP? For one you can just turn off LM hashes but suppose you don't want to. Fine, just make a simple phrase. "OrphCrack is 2 stupid 4 this 1." would be a password that none of their tables could handle. It is over 14 characters, so no LM hash gets stored. It is also way too long, even if they doubled the length of their tables (and remember each character is exponentially harder than before, requires exponentially more space and time to make the table) it wouldn't touch it.
This is just people trying to make a scare story where these is no story. Yes rainbow tables can crack passwords in their range really fast provided they have the has file and it isn't salted. Don't use a short password and you are good. Long passwords aren't hard, just make it a phrase of some kind. Given that the best tables are just eeking in at maybe 9 characters, I wouldn't worry about the future if your password is 15+. Be a long ass time before that is a problem.
> ...it's usually not that difficult to track down some of that information.
Tell them your mother's maiden name is ct!h0Zf&.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Having spent a few years working for a company that dealt with files from Asia on a daily basis, it strikes me as odd that more sites don't allow unicode characters. Adding a single Chinese or Arabic character to the password is enough to force most cracking utilities *even when you have the machine in your hands* to have to resort to brute-force measures that can take days. What's awful, though, is how sites restrict you to A-Z and 0-9 98% of the time, which defeats the entire reason for a password. I suspect that they want to be able to maybe crack it themselves in case they feel the need to do so. Because 10 characters max, with a simple 36 character ASCII limit is going to be cracked exactly as it was in the example.
It's the old obscure OS trick. If you are using an operating system that the hackers commands mean nothing to, you are secure. I know of a few people who run email servers(as an example) that use very obscure and old operating systems that no botnet or hacker is designed or has the knowledge any more to deal with. One friend a few years ago was using an old A/UX Macintosh as a router, precisely because the ability to remotely hack the code was essentially zero.(while there were easy ways ten years ago, everyone has forgotten them by now) If you can find a book on how to program some of these obscure OSs, good luck to you. If you want to really go crazy, run OpenVMS on your mail server. And watch anyone who gets into the system have a fit trying to take over. (I suppose there are some people who can, but criminals are lazy and I suspect less than 1% of people here on slashdot even have used OpenVMS in their lifetime)
While that's not usually workable, though, for modern computers, it IS easy to do with Unicode, since the latest version covers 109.000 characters. Figuring out what characters you used would probably take a cracker just to figure out a simple 2 character combination. It's just not something that the botnets are (currently) equipped to deal with.(though I suspect that they do check for simplified Chinese and Japanese and similar characters - the trick would be to pick something obscure like Sandscrit or another ancient language.
I usually just tell them my mother's maiden name is cthulhu, and then the bank gives me all their money.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
This is what public-key cryptography is for. Someone insists on a password?
makepasswd --minchars 8 --maxchars 64
If that doesn't work, replace maxchars with whatever's relevant for the site. That's already fairly secure, but if a site insists you use non-alphanumeric characters,
makepasswd --minchars 8 --maxchars 64 --string 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789!@#$%^&*(){}?+[]/=;,.:'
And that's assuming they don't allow Unicode. Most websites will let my browser save the password, and a few others, I can copy it from a text file. On the very rare occasions a website insists I type the password every time, and I'm too lazy to work around it, I do this:
gpw
Then, just add some numbers that mean something to me, though after a week or so, I'll have memorized them -- so the next time I need one, there'll be other relevant numbers.
At this point, I never sign up for a new service with the same password I use anywhere else. I don't want to make it easy for someone else to crack my Slashdot account, for instance, but that's no reason to trust Slashdot with my PayPal password, or vice versa. TFA is moronic -- it's not about "lousy" passwords, it's about limiting the scope of passwords, and this isn't new. This time, the site in question didn't use salt. What if they'd actually been malicious?
Don't thank God, thank a doctor!
Tell them your mother's maiden name is ct!h0Zf&.
Most of these "security" questions ignore anything but [A-Za-z] in the answer and fold case.
So, although you are a bit more secure by not using the correct, searchable answer, any answer that wasn't correct would accomplish the same thing.
I call them "sticky notes".
I have a post-it note labled "passwords" with about a dozen random 12 character strings stuck to my monitor at work. None of them are actual passwords that are used anywhere.
It's surprising how often I find my network login has been locked out.
Which is why you lie. Consistently and constantly to those questions.
What was your birth place? Pizza Hut, Luna City
What was your first pet's name? Sir Fucks-a-lot
What was your mother's maiden name? Jack Daniels
What is your favorite food? Glass
If you do so, no amount of digging into your personal life is going to come up with the right answers and as long as you give the same answers each time, it's not that difficult to remember.
Of course, then you have the problem where THAT database is compromised, given unlike the password data base the answers probably weren't encrypted...
Yup. The only way someone could ever get them is if you posted the list of questions and answers to some kind of non-anonymous messaging board. Luckily, nobody would eve be that foolish. ;)
You're special forces then? That's great! I just love your olympics!
So don't use the real answer to the father's middle name question. Say it's 1y1g2r3fs5cxy4 or something.
...the future crusty old bastards are already drinking the Kool-Aid.