Slashdot Mirror


CNBC Just Collected Your Password and Shared It With Marketers (pcworld.com)

SpacemanukBEJY.53u writes: An article published by CNBC on Tuesday offered tips on how to create a secure password, complete with a form that tested submitted passwords. While well-intended, security experts said it exposed passwords to third-party advertisers. Also, the form created to test a password didn't use SSL/TLS, which meant someone on the same network could have sniffed it. Even worse, the tool claimed to not store the passwords, but an acute observer found they were actually being inputted into a Google Docs spreadsheet. CNBC quickly withdrew the article.

143 comments

  1. Idiot Test by Anonymous Coward · · Score: 5, Funny

    Has your credit card number been stolen? Enter it here to find out!

    1. Re:Idiot Test by Anonymous Coward · · Score: 2, Funny

      And enter your name and CV2 code to prove that you are checking your OWN card number.

    2. Re:Idiot Test by TheCarp · · Score: 2

      Never not give random numbers.

Actually, I had some fun poisoning a database with the car warranty scam people. Dude called and tried to pretend like the car maker gave them my name. Well I wanted their company name before I pulled the do not call card.... so I play along.

      I had a new car but, I wanted to make his pitch sound really stupid and contradictory, so I told him I had a 1992 Buick LeSabre. Yes, the car manufacturer gave you my name shit really makes sense now, please do go on though :)

      Well long story short, I can't tell you how many calls I got "About the warranty on your Buick LeSabre". I smiled every single time.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Idiot Test by Thanshin · · Score: 3, Funny

      Has your credit card number been stolen? Enter it here to find out!

      341 9207 4491 1246

      How long does it take to have an answer?

    4. Re:Idiot Test by Mathinker · · Score: 3, Funny

      The variety of spam I get is quite interesting, and probably has to do with how many different times I've done that.

I'm both an over-80 fundamentalist Christian woman AND a bisexual 30-year old Wiccan!

    5. Re:Idiot Test by Anonymous Coward · · Score: 1

      We do actually sell this service. Obviously it wouldn't make sense to buy a service which does this from a company you don't trust, but customers trust us. We offer the service on behalf of major banks for example.

      We have an arm's length contractor who hires people to steal from thieves. So basically say J Random Crook steals ten thousand credit card details from some crappy MySQL-based e-commerce website in Poland and is trading them to other criminals. Daryl Grey has some means (social engineering, zero day exploits, we don't know and don't care) to steal the data from the crook and pass it to our contractor. The contractor delivers it to us. We don't know who J Random Crook is, and we don't even know who Daryl Grey is, but we do see the data (obviously we're not giving our customer data to the contractor, because we're not idiots) and so we can protect our customers.

      We tell our customers "Yep, we saw your credit card number in the feed, also this seems like your CVV? Call your bank and get a new card". We do other stuff too, with that feed ("Wherever you used your email address and the password mittens46 you should change that, because it's being traded by bad people") and other feeds ("We've noticed you own a company. That's cool, but you don't have to publish your home address in the government's public records. Here's how to give them a service address instead")

    6. Re:Idiot Test by Anonymous Coward · · Score: 0

      Just to confirm, what is your mother's maiden name, favorite pet and high school attended?

    7. Re:Idiot Test by RavenLrD20k · · Score: 3, Funny

      Dagobah, Sanctosanctorium, and Auschwitz. Why?

    8. Re:Idiot Test by The+MAZZTer · · Score: 1

      It will be on your next credit card statement, or you can see it sooner if your CC company allows you to view your balance online.

    9. Re:Idiot Test by houghi · · Score: 1

      Has your credit card number been stolen? Enter it here to find out!

This is why AC gets lower points. They are too stupid to provide a URL. So how do I know if it is stolen or not? Can anybody help? My number is 5468 3548 4856 4588 and the csv code is 246. (Valid thru 02/19) All in the name of Mathew Bedding.
      Can anybody PLEASE tell me?

      --
      Don't fight for your country, if your country does not fight for you.
    10. Re:Idiot Test by houghi · · Score: 1

      It is a joke. The card number is fake. The rest is also fake. However by randomly entering a number, I got a valid card by accident and sheer luck (stupidity). At least a valid number. That does not mean it is a valid card. It just means the number passes the first basic checks concerning BIN and control number.

      --
      Don't fight for your country, if your country does not fight for you.
    11. Re:Idiot Test by U2xhc2hkb3QgU3Vja3M · · Score: 1

      4000 1234 5678 9010

    12. Re:Idiot Test by K.+S.+Kyosuke · · Score: 1

So you have two personalities and one of them has a fifty year retrograde amnesia? I must have been desensitized by the Internet quite considerably since it sounds perfectly ordinary to me.

      --
      Ezekiel 23:20
    13. Re:Idiot Test by Anonymous Coward · · Score: 0

I'm both an over-80 fundamentalist Christian woman AND a bisexual 30-year old Wiccan!

      http://i.imgur.com/dAQ2cSz.gif

    14. Re: Idiot Test by Anonymous Coward · · Score: 0

      Pro-tip: there's only one guy you're dealing with. There IS no J Random Crook.

    15. Re: Idiot Test by Anonymous Coward · · Score: 0

      Occam's razor.

      There certainly are lots of J Random Crooks out there. It's a thriving market.

      Now our contractor certainly _could_ do all J Random's work (and take all the risk) and then, after committing the crime instead of making bank, sell the data to us for a fraction of the money. But why?

      And even if they were crazy enough to do that, why work so hard to make it look like hundreds of different goofs are stealing this stuff? I mean, let's take the very simplest two facts, a username (typically email address) and password. In just one day I'll see

      username password
      username;password
      username:password
      username,password
      password:username
      "username","password"
      and so on...

      And I'll see this data is being sent via a dozen different stupid web file sharing sites, pastebins, hidden IRC channels, FTP sites, everything. Which is a lot of work for one person to set all those up just to fake me out every day. Or it could be hundreds of different idiots each with their own superstitions and preferences.

      One of these options is way less complicated to justify. You're over thinking this, possibly because you've always thought there weren't many bad guys knocking off web sites and phishing users. THAT I can categorically tell you isn't true. There are a LOT and we just see the surface of it.

    16. Re:Idiot Test by Coren22 · · Score: 1

      I totally trust AC with all my credit card security needs.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    17. Re: Idiot Test by Anonymous Coward · · Score: 0

      Who is Matthew Bedding?

    18. Re:Idiot Test by davester666 · · Score: 1

      the only important question on the internet is "Bang or not?"

      --
      Sleep your way to a whiter smile...date a dentist!
    19. Re:Idiot Test by davester666 · · Score: 1

      I know you are lying because Auschwitz has no school.

      --
      Sleep your way to a whiter smile...date a dentist!
    20. Re:Idiot Test by rpstrong · · Score: 1

      I know her maiden name, but I have no idea of what her favorite pet is or where she went to school.

    21. Re:Idiot Test by Anonymous Coward · · Score: 0

You're smarter than me - they hung up when I said I would be happy to warranty my '67 DeLorean.

    22. Re:Idiot Test by TheCarp · · Score: 1

That is nothing dude. About 15 years ago I found a Chick Tract and looked up their website. I couldn't help myself, I ordered a box set of full size Chick comic books. I mean, how can you NOT want comic books about how Islam was founded by the Catholic Church, which is headed by Satan? Fucking GOLD!

      But what's really gold..... it put me on their mailing lists.... OMG the WOW!

      --
      "I opened my eyes, and everything went dark again"
  2. Test my Luggage! by Anonymous Coward · · Score: 0

    1234iamsosmart

    1. Re:Test my Luggage! by Anonymous Coward · · Score: 0

      You got it wrong! it's 1-2-3-4-5-6! Any idiot would know valid luggage combinations.

    2. Re:Test my Luggage! by U2xhc2hkb3QgU3Vja3M · · Score: 1
  3. Sound strategy by Thanshin · · Score: 2

    They were obviously applying Torvalds' Secret Sauce.

    They even pushed it one step further: Willing is for willers. Does just Do.

  4. Not a suprise by Coisiche · · Score: 1

    I saw something years ago that was an online password strength checker. There was just no way I was going to use it because my immediate thought was that exactly this could happen.

    People that persist with weak passwords are a lost cause but there are people who take the security a bit more seriously and are vaguely aware of password strength even if they don't know what password entropy is and they *want* to know if they've made a good password, making them easy fodder for traps like this.

    I guess I should add "don't ever use a password strength checker" on those occasions when family ask computer security advice.

    1. Re:Not a suprise by mwvdlee · · Score: 4, Interesting

Having recently made a random password generator (http://random.toyls.com/), I ended up concluding nothing that tries to help users with passwords can guarantee they are not spied upon.

      There's either server code that generates code or javascript that generates it client-side (my solution). In the first case, the server knows the codes before sending them to the user; in the second case, there has to be javascript running, which could basically track everything the user does (either AJAX, cookies or local storage for later retrieval). And then there's the possibility of third party javascript, either included on the page or provided through browser extensions, which are completely out of control. I make some effort to try and block these javascripts' access on my site, but there's really nothing that could stop a determined hacker using a browser extension.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Not a suprise by Anonymous Coward · · Score: 0

Yeah, but this came from a media outlet that likes to claim it adds value because it has editors, which means it is much better than all those little sites that are just "blogs."

    3. Re: Not a suprise by Anonymous Coward · · Score: 0

      Grc.com has password tools that are safe.

    4. Re:Not a suprise by BlackPignouf · · Score: 1

      If your password is "+cvcy9oTt", just send "-dt7vQprg" to the online password strength checker.
      PS: Talking about online password security : I used my usual password generator (pwdhash) with slashdot.org at first, without realising it would generate my account password. It's amazing how stupid I can be :D

    5. Re:Not a suprise by Anonymous Coward · · Score: 2, Insightful

      "Having recently made a random password generator (http://random.toyls.com/), I [...]"

Also used http instead of https, and doesn't forward visitors to https either.
      Great job.

    6. Re:Not a suprise by Anonymous Coward · · Score: 0

      "Having recently made a random password generator (http://random.toyls.com/), I [...]"

Also used http instead of https, and doesn't forward visitors to https either.
      Great job.

      Mod parent up.

    7. Re:Not a suprise by buchner.johannes · · Score: 1

      There are some great tools available.

      For password checking, you can try Kaspersky's
      https://blog.kaspersky.com/pas...
      You can disconnect your computer from the network while using it.

      For generating a password:
      http://correcthorsebatterystap...

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    8. Re:Not a suprise by Anonymous Coward · · Score: 0

      My password generator is Linux

cat /dev/urandom | tr -dc '[:graph:]' | fold -w 20

      Only for recovery/default unremovable accounts with the password documented in encrypted containers or for temporary throwaway accounts. There is no way I could remember something like that.

    9. Re:Not a suprise by mwvdlee · · Score: 1

For both; just store the password in a cookie or local storage and wait for the next network-connected visit.
      As for the correcthorsebatterystaple generator; without reading the JavaScript, it could be entirely non-random for all you know.
      Of course, this goes for code that claims to produce random data. At least with JavaScript you have the option of verifying the code.

      These problems are not limited to just these two, but to the very concept of password checker and/or generator websites, including my own.
      In the end, ALL these sites are a matter of trust. This goes doubly so for offline password tools, since these have a lot more access.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    10. Re:Not a suprise by Anonymous Coward · · Score: 1

      Uh, it's Javascript. The script generates the password entirely on the client, and the password itself never traverses the network. Not to mention that the Javascript itself is simple, and by no means a secret. What utter cretin modded you up?

    11. Re:Not a suprise by Anonymous Coward · · Score: 0

      Password is generated client-side, so does this actually matter? Even if you're HTTPS you're trusting that the server operator isn't going to spy on you.

    12. Re: Not a suprise by Anonymous Coward · · Score: 0

      Hear, hear. Nobody even replied to your post, even though it was actually useful (unlike most of the others on here.)

    13. Re:Not a suprise by Anonymous Coward · · Score: 1

      There's always Diceware-style generators. The website is static, it just instructs the user to roll their own dice and how to interpret those rolls to generate a password.

    14. Re:Not a suprise by Anonymous Coward · · Score: 0

      A thing that can help...

      Use a server side script to generate several hundred password form display fields with randomly generated IDs. Only one of which is display:visible. Your code can inline the correct id to place the actual password into. This should make it a great deal more difficult for a browser extension to find the actual password. You could also see if entities work with your thing. Most scripts never take et al into account when parsing stuff, but it should display correctly as 'y' to the user.

    15. Re:Not a suprise by Qzukk · · Score: 0

      The script generates the password entirely on the client

      Without HTTPS to be sure that you're receiving the script you thought you were, how can you be sure?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    16. Re:Not a suprise by Anonymous Coward · · Score: 0

      Password is generated client-side, so does this actually matter? Even if you're HTTPS you're trusting that the server operator isn't going to spy on you.

      That's an infinitely better bet than allowing anyone and everyone in a position to sniff, monitor, or capture unencrypted traffic to do so. You're basically arguing against SSL/TLS entirely at that point. Do you work for the FBI?

    17. Re: Not a suprise by Anonymous Coward · · Score: 0

      He already said that he realized it couldn't be secure anyways.

MITM attacks are hard to pull off. Some random website some guy wrote will never be a victim.

    18. Re:Not a suprise by Anonymous Coward · · Score: 1

      Erm, are we seriously having this conversation right now? You're already putting your trust in a 3rd party, entirely unnecessarily I might add, to generate very, very sensitive data, using a tool that is so simple, you could have written it yourself, and used it from the safety of your own workstation quicker than you could have audited the Javascript you just received over HTTPS.

      Seriously, what are you even trying to argue? If you inspect the Javascript, which you did because you're supposedly security conscious, what good would HTTPS actually do? You know what the Javascript does, so you ran it. It doesn't matter how it arrived, because you just read through what arrived, and it looks fine, so you ran it. Hell, you probably ran it with the debugger just to make sure it wasn't doing anything clever before actually using anything it generated.

      That you can even make the argument means that you already, implicitly, trust the server on the other end. As if the Javascript they intended to serve you is already safe, and thus making sure you receive it by using HTTPS is somehow an improvement. Why are you passing around all of this unearned trust? Isn't that inherently dangerous to security?

    19. Re:Not a suprise by Qzukk · · Score: 1

      If you inspect the Javascript

      Here's a thought question for you: set up a webserver to serve up foo.js with caching disabled. Load the webpage that loads foo.js, then open the source of foo.js in a browser. Prove that when the browser fetches foo.js a second time in order to display its source, that the foo.js you're looking at now is the same foo.js that is running in the window. (This is the current behavior in Chrome, YMMV on other browsers)

      That you can even make the argument means that you already, implicitly, trust the server on the other end.

      Inaccurate. Accepting a page without HTTPS means that I already, implicitly, trust the DNS server to have directed me to the correct server and all of the hardware and software between that server and my client to have sent me the page unmodified.

      Accepting a page with HTTPS only requires trust in my client, the server, and the third party that signed the certificate.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    20. Re:Not a suprise by rthille · · Score: 1

      Before pasting that into a shell, you might want to add:
          | head -20

      Especially if you're doing it on a remote box over ssh with large buffers and a slow link :-(

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    21. Re:Not a suprise by Anonymous Coward · · Score: 0

      Here's a thought question for you: set up a webserver to serve up foo.js with caching disabled.

      Without finishing the first sentence, I can already tell that you haven't done enough of the thinking you refer to.

      Load the webpage that loads foo.js, then open the source of foo.js in a browser.

      Really? Are you going to spout the old "source view re-sends the request" argument? Please, tell me you are!

      Prove that when the browser fetches foo.js a second time in order to display its source, that the foo.js you're looking at now is the same foo.js that is running in the window.

      Haha! You did! You don't inspect the current request and response using source view, you use the debugger that populates with what you actually loaded. If you can't validate the safety of the current page with a full debugger, then I'm sorry, you can't be saved.

      (This is the current behavior in Chrome, YMMV on other browsers)

      This has been the behavior of most web browsers that support a separate source view since the dawn of time. I can safely assume you haven't been around that long.

      That you can even make the argument means that you already, implicitly, trust the server on the other end.

      Inaccurate. Accepting a page without HTTPS means that I already, implicitly, trust the DNS server to have directed me to the correct server and all of the hardware and software between that server and my client to have sent me the page unmodified.

      Accepting a page with HTTPS only requires trust in my client, the server, and the third party that signed the certificate.

      Wow, really? Okay, basic English time. When you place multiple sentences together to form paragraphs, usually that's because they're following the same topic. To make the point clearer, I followed that sentence up with:

      As if the Javascript they intended to serve you is already safe, and thus making sure you receive it by using HTTPS is somehow an improvement.

      Did it occur to you that the reason I only mentioned the end server, without mentioning any of the other members of the trust relationship, or even whether or not SSL was being used, was because I was suggesting that blindly trusting the server will do just as much damage whether or not they use SSL? The transport does not matter if they're already transporting poison.

      For goodness sake, you commented about a site you've never seen before and the first thing you worry about is whether or not he's using HTTPS, and not whether or not the tool is even trustworthy? Are you understanding what I'm saying yet? Most simple random password generators are painfully simple by design because you're literally wiring a random number source up to a collection of valid characters. This isn't even a discussion we should be having, because you should be generating them from the security of your workstation to begin with, and please spare me the, "...but can I trust my workstation?" rubbish.

    22. Re:Not a suprise by Anonymous Coward · · Score: 0

      Did one in JS as well a while ago - http://obvious.pro
But I do not share your paranoid view. The end user can have a keylogger or other more sophisticated malware that just records the passwords as they are being generated/typed/saved in memory/whatever.

      This is up to the end user to protect their own device.

    23. Re:Not a suprise by Aighearach · · Score: 1

      Worrying about https implies that you have increased trust if it is https.

      This is the internet. Stop trusting.

      I'm not saying not to use HTTPS. But complaining that things aren't trustworthy without it is daft. Things are not trustworthy.

      There are a whole bunch of steps that should be taken before even being willing to consider trust. Those haven't been taken when it is a link from some guy in the comments on a website. There is no trust to be had. The only reason to worry about HTTPS in that case would be if the data you're submitting is confidential. In this case, it is just a demo script, not an actual password tool. There is no confidentiality implied.

    24. Re:Not a suprise by Anonymous Coward · · Score: 0

      I think you want Diceware: it's specifically designed for this.

    25. Re:Not a suprise by BlackPignouf · · Score: 1

      Interesting, thanks.
      Here's my modified version. I save my master password in ~/.master
      The advantage is that I get the same password everytime, only depending on the domain name.

      (cat ~/.master ; echo slashdot.org) | sha512sum | cut -f1 -d " " | base64 --decode | tr -dc "[:graph:]" | head -c20

      => [mwnwO;syq|m9^kWZsn7
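The derive-a-password-from-the-domain idea above, as an added example that is not the poster's script: it keys an HMAC-SHA512 with the master secret (in place of the `sha512sum | base64 --decode` pipe), normalizes the domain so `www.Slashdot.org` and `slashdot.org` agree, and maps digest bytes onto the 94 graphic ASCII symbols with rejection sampling so no symbol is favoured. The scheme, function names and the sample master secret are assumptions made for this illustration.

```python
import hashlib
import hmac
import string

GRAPH = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def normalize_domain(domain: str) -> str:
    """Lower-case and drop a leading 'www.' so the same site gives the same password."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def derive_site_password(master: bytes, domain: str, length: int = 20) -> str:
    """Per-domain password from a master secret (hypothetical scheme, not pwdhash).

    HMAC-SHA512 keyed with the master secret replaces the post's
    `sha512sum | base64 --decode` pipe; digest bytes are mapped onto GRAPH
    with rejection sampling so every symbol is equally likely.
    """
    if not master:
        raise ValueError("master secret must not be empty")
    site = normalize_domain(domain).encode()
    out: list[str] = []
    counter = 0
    while len(out) < length:
        # A counter lets us pull more than one 64-byte block for long passwords.
        msg = site + b"\x00" + counter.to_bytes(4, "big")
        for b in hmac.new(master, msg, hashlib.sha512).digest():
            # 188 == 2 * 94: bytes 188..255 are discarded to avoid modulo bias.
            if b < 188:
                out.append(GRAPH[b % 94])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    secret = b"constructed example master secret"  # sample value, not a real secret
    print(derive_site_password(secret, "slashdot.org"))
    print(derive_site_password(secret, "www.Slashdot.org"))  # same output
```

The master secret still has to be long and random, since anyone who learns one derived password and guesses the scheme can brute-force a weak master offline.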

    26. Re:Not a suprise by Quirkz · · Score: 1

      More realistic scenarios, for people who need their password checked:

      If your password is bob, send over mom and see what it says.

      If your password is 1234, send over 5678. (Honestly, 5678 is a million times more secure than 1234, but it's still the same ballpark.)

      If your password is Snuggie7, send over Cuddly9.

      If your password is your current pet's name, send over your previous pet's name.

      If your password is your kid's name, send over the name of a niece or nephew.

      If your password is your spouse's name, if you were divorced you can use your ex. Otherwise, use your own.

      If your password is more complicated than that, certainly by the time you get to "+cvcy9oTt", you don't need a checker to verify it.

  5. Re: MSFT is Evil, but not for the reason you think by Anonymous Coward · · Score: 0

Perhaps you are a little young; I used several non-MS OSes and desktops before MS managed to put a stranglehold on development.

  6. Re:MSFT is Evil, but not for the reason you think. by Coisiche · · Score: 0, Redundant

    If it hadn't been Microsoft then it would have been some other company that became dominant supplying operating systems to desktops. The move to smaller and more mobile computing would have happened regardless as the technology enabled it. Maybe a bit differently but still inevitably. And whatever company did gain the dominance on the desktop would have been unpopular too.

  7. Is it too late? by Anonymous Coward · · Score: 1

    I want to go enter 12345, hunter2, and the standard test machine password at both HP and Microsoft: abc123.

  8. so many fails here by Anonymous Coward · · Score: 0

    do not know where to begin. omfg. cnbc should stick to infomercials and 3rd rate olympics events every 2 years.

  9. Re: MSFT is Evil, but not for the reason you think by Anonymous Coward · · Score: 1

Perhaps you are a little young; I used several non-MS OSes and desktops before MS managed to put a stranglehold on development.

    Maybe you forgot that the company was founded in 1975, and their forté in the early years was development tools (compilers and interpreters).

    When reminded of that, people tend to go like 'ah yeah, MSX Basic'. No -- MSX was one of the later products, half way into the 1980's. I'm talking Fortran-80, Basic-80, Cobol-80.

    With 80 not signifying a year or decade, but a microprocessor family.

  10. Automatic Password Filter by Anonymous Coward · · Score: 5, Funny

    It's good that Slashdot uses an automatic password filter that converts posted passwords into stars.

    For example, my password is ******** but it doesn't show up in the post. Yeah, I know eight characters really isn't long enough but the first character is an uppercase letter and has a number at the end.

    Why don't you all give it a try.

    1. Re:Automatic Password Filter by Coisiche · · Score: 3, Funny

      **********

      Seems legit.

    2. Re:Automatic Password Filter by Anonymous Coward · · Score: 5, Funny

      hunter2

doesn't look like stars to me

    3. Re:Automatic Password Filter by Anonymous Coward · · Score: 1

      It's working. All I see is seven stars.

    4. Re:Automatic Password Filter by Anonymous Coward · · Score: 1

      Heh, something similar actually happened to me some time ago, when I needed to modify an outdated URL.
      The original URL was something like "/tas/secure/incident?unid=[-UNID-]&action=edit&field0=gereed&value0=1&j_username=HTTPrequest&j_password=*******" and braindead me called the guy who wrote this, to ask him for the real password XD

    5. Re:Automatic Password Filter by Anonymous Coward · · Score: 0
    6. Re:Automatic Password Filter by religionofpeas · · Score: 1

      hunter2

    7. Re:Automatic Password Filter by Anonymous Coward · · Score: 0

      correcthorsebatterystaple is my password.

    8. Re:Automatic Password Filter by alphatel · · Score: 1

      my voice is my passport. verify me.
      MARTY!

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    9. Re:Automatic Password Filter by Anonymous Coward · · Score: 0

      my voice is my passport. verify ME

    10. Re:Automatic Password Filter by PostPhil · · Score: 1

      12345

      I dunno, doesn't seem to be working.

    11. Re:Automatic Password Filter by Anonymous Coward · · Score: 0

      ********'
      Stars.

      Stars all the way down.

    12. Re:Automatic Password Filter by Anonymous Coward · · Score: 0

      Amazing! That's the same combination I use on my luggage!

    13. Re:Automatic Password Filter by Actually,+I+do+RTFA · · Score: 1

      I don't know. It seems awful susceptible to accidentally leaking the password in the case you accidentally use it in a ********.

      --
      Your ad here. Ask me how!
  11. Re:MSFT is Evil, but not for the reason you think. by Anonymous Coward · · Score: 0

What utter bollox. Computers were coming to everyone because they got vastly cheaper than central systems, and most people do not need jumped up pillocks like sys-admins acting as gatekeepers for everything.

    There was no PC revolution. 8 bit micros were already in people's homes under various manufacturers and operating systems. The early machine on an office desk didn't even run DOS, twat.

  12. my password from now on is... by ZeRu · · Score: 2

    CNBC is pants.

    --
    If you post as an AC, don't expect me to spend a mod point on you.
    1. Re:my password from now on is... by Anonymous Coward · · Score: 1

      Password invalid. Your password must be between 7.33 and 8.42 characters long and must contain at least one lowercase character, exactly two uppercase characters, three numbers, a Serbian saying written in Cyrillic, the true name of The One Who Waits Behind the Wall, and a stool sample.

    2. Re:my password from now on is... by Anonymous Coward · · Score: 0

      Password policy: Passwords must be changed at least once per month. This company prides itself on above average security, so new passwords must be longer than average.

      -- BOFH

    3. Re:my password from now on is... by Anonymous Coward · · Score: 0

      Actual password policy I had to submit to at one time, and at a large company at that (one word, starts with an M and ends in icrosoft).

      Passwords for one of their online services had to be reset at least every 3 months.
      N previous passwords were remembered and could not be re-used.
      If you did not reset your password before the end of the period, they would reset it for you and mail you the new password in unsecured plaintext e-mail.

      Windows default password policy in Server 2008 etc.: must contain 3 out of uppercase, lowercase, digits and 'other stuff'.
      I found out that the high ASCII line drawing character I had in my password in those days, one you won't find on any keyboard so it can only be entered through alt+number, counted towards neither of those four categories.

    4. Re:my password from now on is... by ihtoit · · Score: 2

      Mathematically, a passphrase using four random dictionary words totalling 44 characters would be unbreakable through the heat death of the universe. On the other hand, a string of 10 random ASCII characters would take about... 6 hours to break on a Pentium 90?

      Password policies have been doing it WRONG.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re:my password from now on is... by Anonymous Coward · · Score: 0

      Excuse me, but statistically the vocabulary of the American grade school student was 25,000 words in 1945 and about 10,000 today. The median user will draw their words from a list of 2,000 or less, with subconscious bias. It's pretty inevitable that there will be a lot of common passphrases, which will contain pop culture, hobby-related information, names, nearby locations, and will be reused in whole or in part.

    6. Re:my password from now on is... by Anonymous Coward · · Score: 0

      Well, *that* makes for a shitty password.

    7. Re:my password from now on is... by Anonymous Coward · · Score: 0

      It's only half the fun when the lusers don't recognize how they're being fucked.

    8. Re:my password from now on is... by rthille · · Score: 1

      Hence the key word "random" in the phrase "using four random dictionary words"

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    9. Re:my password from now on is... by ihtoit · · Score: 1

      With 10k words that's still 416 trillion combinations. Even at 2k that's still 664 billion. Thing is, you don't know which 10k or 2k to pool from (there are just over 1 million words in the English language as of January 2014 (source: Global Language Monitor)), so let's take from the entire pool: 1,025,000 words. That gives you 4.599E+22 possible combinations. That's forty six heptillion. Random words strung together don't necessarily make sense (horse correct battery staple makes fuck all sense to me, how long would it take a dumb bruteforce to break it?)

      Let's do the numbers:

      4.599E+22 / 400 billion (the high estimate of the power of a typical purpose built crackerbox with 200+ GPU cores, in attempts per second) = 32 million hours. That's 3700 years.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    10. Re:my password from now on is... by sexconker · · Score: 1

      2000 is very fucking generous. Most people would have a library under half that.
      People need to stop taking technical advice from a shitty, shitty web comic.

    11. Re:my password from now on is... by elistan · · Score: 1

      According to this site (I have no idea how accurate it is, sorry) a string of 10 random ASCII characters would take 19.24 years to crack at a rate of 100 billion guesses per second. (I assume that's beyond the capabilities of a P90 :) ) A text string like "thequickbrownFox" - 16 characters, just lower and upper alphas - would take 9.27 million centuries to brute force. Of course, using that password in a system that stores it in plaintext and is later compromised means the password would be cracked in 0 seconds. And indeed as you say, a 44 character string of just lowercase characters would take much longer than the universe can accommodate.

    12. Re:my password from now on is... by ihtoit · · Score: 1

      A P90 *year* is equivalent to about 10GFLOPS. IBM's BlueGene/L ran 596TFLOPS. That's about 1.8 trillion times faster.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    13. Re:my password from now on is... by ZeRu · · Score: 1

      Maybe it does, but maybe also you don't know where the reference comes from.

      --
      If you post as an AC, don't expect me to spend a mod point on you.
    14. Re:my password from now on is... by Anonymous Coward · · Score: 0

      2000 is very fucking generous. Most people would have a library under half that.
      People need to stop taking technical advice from a shitty, shitty web comic.

      Really?

      $ wc -l /usr/share/dict/words
      479829 /usr/share/dict/words

      Looks like you are off by two orders of magnitude.

      Now you want a strong password based on a random pick of four words in the dictionary? Trivial to do:

      $ shuf -n 4 /usr/share/dict/words

      Example output:
      contrapone
      nonperjury
      bearess
      metapsychist

    15. Re:my password from now on is... by Anonymous Coward · · Score: 0

      But high-bit, alt-number character!

    16. Re:my password from now on is... by ihtoit · · Score: 1

      That's where you get into the quintillion-year break times for relatively short strings. I'm talking about strings using purely the 26-character space in the Latin alphabet.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    17. Re:my password from now on is... by ihtoit · · Score: 1

      Your example (thequickbrownFox) by simple virtue of the single character being uppercase actually doubles the character pool from 26 to 52. You get from relatively short timescales (3700 years at rack-full-of-Blade-GPU speeds) to break, to multiples of Universes by the addition of that character space. Now do the same again, only this time with the entire ASCII extended character set.

      Yep, good luck bruteforcing THAT.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    18. Re:my password from now on is... by cwsumner · · Score: 1

      Your example (thequickbrownFox) by simple virtue of the single character being uppercase actually doubles the character pool from 26 to 52...

      Are you assuming that the crackers test all of the lower case patterns before they check upper case? How likely is that?

      The odds depend on the algorithms the cracker uses, not so much the password. Unless it is something like "12345", that they check first.

    19. Re:my password from now on is... by Anonymous Coward · · Score: 0

      (sigh) Assuming that your four dictionary words were chosen from a compilation of the 16384 most-common words, then you only have a password strength of 16384^4. Which is a far smaller number than 26^44 (for all same-case) or 52^44 for completely random or 62^44 if you throw in digits as well into that 44 character password. Even if you went with a larger dictionary that was 128,000 words, it would still be weak.

      16384^4 = 7.20e16

      128000^4 = 2.68e20

      26^44 = 1.81e62

      52^44 = 3.19e75

      62^44 = 7.33e78

      A 56 bit key is only 7.20e16 and is definitely crackable via brute force (especially for MD5/SHA1 storage). A 64 bit key is 1.84e19, and is considered easily crackable via brute-force these days. Having 96 bits of security is 7.92e28 and 128 bits is 3.40e38.

      So until you get that exponent above e25 to e28 for your password, you're weak. Unless you are also protected by IP address restrictions or a key-fob for 2FA. Picking four words out of a dictionary isn't going to cut it. Especially if you screw up and pick one of the 10,000 most common words for one of your words.
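
As an added example (not written by any commenter in this thread), the word-count versus character-pool arithmetic argued above in Python: bits of entropy for N independent picks from a pool, worst-case exhaustion time at the 400 billion guesses/second figure used earlier in the thread, and a CSPRNG-backed word picker standing in for the `shuf -n 4` example. The word list is a constructed sample, not /usr/share/dict/words, and the scheme names are my own labels.

```python
"""Added example: passphrase vs. random-string strength arithmetic from the
thread, plus a CSPRNG word picker. Not from the original comments; the word
list below is a constructed sample standing in for /usr/share/dict/words."""
from __future__ import annotations

import math
import secrets

# Constructed sample list. Strength depends on the size of the pool the
# *attacker* has to search, so a real deployment passes the full dictionary.
SAMPLE_WORDS = [
    "contrapone", "nonperjury", "bearess", "metapsychist",
    "lantern", "quartz", "marble", "thistle", "harbor", "velvet",
    "cobalt", "saffron", "meadow", "glacier", "ember", "walnut",
]


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniform picks from `pool_size`.

    Works for characters (pool 26 / 52 / 62) and for words (pool = list size):
    4 words from 16384 = 4 * log2(16384) = 56 bits, since 16384**4 == 2**56.
    """
    if pool_size < 2 or length < 1:
        raise ValueError("pool_size must be >= 2 and length >= 1")
    return length * math.log2(pool_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust a keyspace of `bits` bits at `rate`.

    Expected time is half of this. An attacker whose wordlist already covers
    the chosen words searches a far smaller space, which is the thread's point:
    the pool is only as big as the list the words were actually drawn from.
    """
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(words: list[str], count: int = 4) -> str:
    """Pick `count` words with the OS CSPRNG, independently and uniformly, so
    the result really carries count * log2(len(words)) bits (like shuf -n)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_schemes(guesses_per_second: float = 400e9) -> dict[str, tuple[float, float]]:
    """Strength of the schemes discussed above at 400 billion guesses/second.
    Returns {scheme: (bits, worst_case_seconds)}."""
    schemes = {
        "4 words from 16384-word list": (16384, 4),
        "4 words from 128000-word list": (128000, 4),
        "16 random mixed-case letters": (52, 16),
        "44 random lowercase letters": (26, 44),
        "44 random letters+digits": (62, 44),
    }
    out = {}
    for name, (pool, length) in schemes.items():
        bits = entropy_bits(pool, length)
        out[name] = (bits, crack_time_seconds(bits, guesses_per_second))
    return out


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("bits from this tiny sample list:",
          round(entropy_bits(len(SAMPLE_WORDS), 4), 1))
    for name, (bits, secs) in compare_schemes().items():
        years = secs / 3600 / 24 / 365.25
        print(f"{name:32s} {bits:7.1f} bits  {years:12.3g} years (worst case)")
```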

    20. Re:my password from now on is... by Anonymous Coward · · Score: 0

      Changing "thequickbrownfox" to "thequickbrownFox" only adds about 4 bits of security to the string (because there are 4 words, so four possible words that start with a capital letter).

      Attackers are not dumb. They are going to first try just chaining the top 10000 words together as lower-case in chains of up to ~10 words. Then they'll try again, but play around with just making the first letter in each word capitalized. Then they'll start putting numbers and symbols between the words.

      Your example is even worse because all four words are probably in the top 1000 dictionary. That means:

      1000 attempts with just single words

      1000 attempts with the first word capitalized

      1000*1000 attempts with 2 words

      1000*1000*3 attempts with capitalizing the first letter on one or both words

      (etc)

      Even if you stretch that out to 4 word chains, it's still a much smaller number of attempts than 52^16 (a completely random mixed-case alphabetic password). And a 16-letter, mixed-case, alphabetic password is only strength 2.86e27 (pretty good, around 75-80 bits or so).

    21. Re:my password from now on is... by ihtoit · · Score: 1

      Of course they don't if they don't need to, the math depends on the entire character space being tested using the given pool. Nobody I know switches between upper and lower case when say making a throwaway email account.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    22. Re:my password from now on is... by cwsumner · · Score: 1

      Of course they don't if they don't need to, the math depends on the entire character space being tested using the given pool. ...

      The point is that they don't know what the pool is, or whether they have to test that, until -after- they break the password. So what is chosen may have no difference at all in how long it takes. But they might run lower case test sequence first, just because so many people do it that way...

  13. Re: MSFT is Evil, but not for the reason you think by Nutria · · Score: 1

    Nope. First used MS-BASIC in a 16KB TRS-80 (Model 1??) in 1979.

    --
    "I don't know, therefore Aliens" Wafflebox1
  14. Re: MSFT is Evil, but not for the reason you think by Anonymous Coward · · Score: 0

    I always thought 80 stood for 80 columns.

  15. Re: MSFT is Evil, but not for the reason you think by jovius · · Score: 1

    That gives me an idea. In the modern world sys admins could sell their services like gardeners or pool guys do. One could have one's own sys admin butler person.

  16. CNBC is a lame business site by Anonymous Coward · · Score: 1

    CNBC would never attract real business people or investors. It's a lame mostly liberal business site that mostly caters to the consumer investor who is happy with mostly amateur investor advice. It's not surprising they would do something lame and a security problem. This, remember, is a site that worships Jim Cramer as some investment guru.

  17. "Just" stop with the clickbait by H_Fisher · · Score: 4, Insightful

    Can we please stop with the clickbait headlines? News that's more than one hour old did not "just" happen. Unless you're live-blogging on Twitter, whatever you're posting about is going to sound instantly dated. Moreover, it "just" sounds unprofessional — in terms of journalistic "voice," your news now lacks authority and sounds as if it's being delivered by a teenager.

    I worked in journalism for 12 years, full-time and freelance. The dumbing-down of journalism and the rise of clickbait-style reporting are driving away readers, not attracting them. That's especially true for sites like /. where people do actually, sometimes, expect informative and accurate stories ...

    1. Re: "Just" stop with the clickbait by Anonymous Coward · · Score: 0

      Yeah. "Your" voice "doesn't" "sound" good. Use "more" quotes "."

    2. Re:"Just" stop with the clickbait by Anonymous Coward · · Score: 0

      Can we please stop with the clickbait headlines? News that's more than one hour old did not "just" happen. Unless you're live-blogging on Twitter, whatever you're posting about is going to sound instantly dated. Moreover, it "just" sounds unprofessional — in terms of journalistic "voice," your news now lacks authority and sounds as if it's being delivered by a teenager.

      I worked in journalism for 12 years, full-time and freelance. The dumbing-down of journalism and the rise of clickbait-style reporting are driving away readers, not attracting them. That's especially true for sites like /. where people do actually, sometimes, expect informative and accurate stories ...

      This one weird trick will attract readers to your website!

    3. Re: "Just" stop with the clickbait by Anonymous Coward · · Score: 0

      But he's so cute, he confused slashdot with journalism!

    4. Re:"Just" stop with the clickbait by Anonymous Coward · · Score: 0

      That made my day.

    5. Re:"Just" stop with the clickbait by Fotmasta · · Score: 1

      Exactly. Thank you!

      --
      "It was like that when I got here."
    6. Re:"Just" stop with the clickbait by Anonymous Coward · · Score: 1

      What? I've lurked here for 15 years. I've maybe clicked through 5 links to actual articles. Probably all of them NASA. This isn't "real news". It's real nerds discussing things.

    7. Re:"Just" stop with the clickbait by nmb3000 · · Score: 1

      News that's more than one hour old did not "just" happen.

      I love the Slashdot pedant tradition as much as the next guy, but is that really true? The "just" adverb is used for the present perfect in English. That site describes using "just" to denote "An action that was completed in the very recent past" and since the event in question happened yesterday, surely it qualifies. No?

      I worked in journalism for 12 years, full-time and freelance.

      But you can't tell the difference between someone's Twitter "what I shat today" feed and real news stories which sometimes take days to unfold and more days for the effects to be fully realized? I think in that case the span of less than one day qualifies as "very recent".

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    8. Re:"Just" stop with the clickbait by penguinoid · · Score: 1

      The trouble is, clickbait headlines always increase readership at first, until their credibility is lost. It is a very easy trap to fall into, as readership is the primary stat media is concerned with and has continuous statistics on, while reputation statistics are very infrequent.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  18. Just two days short... by dermoth666 · · Score: 1

    Just two days short and CNBC would have made a fool of itself on April Fool's day! ;)

    After researcher on Valve, season is starting early this year.

  19. Re: MSFT is Evil, but not for the reason you think by Anonymous Coward · · Score: 0

    Lucky! We only had the 4K models.

    And the 16K TRS-80 Model III debuted at $4,299 in THOSE years' dollars!

  20. No it didn't. Bloody clickbait headlines. by wonkey_monkey · · Score: 2

    CNBC Just Collected Your Password and Shared It With Marketers

    No it didn't. Please try writing a real headline.

    --
    systemd is Roko's Basilisk.
    1. Re:No it didn't. Bloody clickbait headlines. by Anonymous Coward · · Score: 0

      You'll never believe this one simple trick that CNBC used with your password...

    2. Re:No it didn't. Bloody clickbait headlines. by Anonymous Coward · · Score: 0

      You're quite right, I won't.

  21. LOL by MitchDev · · Score: 1

    So the test password I entered:

    $#%DFGSDFGHZafb39dg2##$!

    is out there for everyone to use? *tears up sticky note attached to monitor with the password written on it*

    (This joke inspired by a co-worker who used to have an index card with a 5x5 grid of UserIDs and passwords for 25 different internal/external sites he had to access regularly taped to his monitor....)

    1. Re:LOL by dargaud · · Score: 1

      (This joke inspired by a co-worker who used to have an index card with a 5x5 grid of UserIDs and passwords for 25 different internal/external sites he had to access regularly taped to his monitor....)

      I do have one such list on my wall, except that they are all fake and badly handwritten, with plenty of ambiguity (1/I/l, 0/O...), so subject to plenty of retries if an attacker has time to spend.

      --
      Non-Linux Penguins ?
    2. Re:LOL by Anonymous Coward · · Score: 0

      I do have one such list on my wall, except that they are all fake and badly handwritten

      I've seen a suggested strategy that if you need to write down your password due to ridiculous letter/number/character rules, change one of the characters by 1 and remember that. So if your password is fgw$4a5B!c0K, change the second character to an 'h' and write that down instead. I think that's too tricky to remember, so I don't do it. Alternatively, one can omit the first and last characters, and substitute them with dummy values, and remember them instead. Either way, someone reading your sticky note will still have to play some sort of guessing game.

    3. Re:LOL by Anonymous Coward · · Score: 0

      I use something similar for storing visa/mastercard PINs. I write down the value of each card's ($PIN - $magic) on the plastic itself with a marker. I only remember one $magic, to reconstruct each card's $PIN whenever needed.

      I realize this scheme has disadvantages similar to having a global password. If an adversary is clever enough to figure out the PINs on the other cards if one of them is compromised, maybe they deserve to win.

      Comments?

    4. Re:LOL by Quirkz · · Score: 1

      You could also write the passwords backward, or shifted by one character. The former may still be guessable (particularly if any part of your password looks like a real word or date) and the latter may be tough to remember. I kind of like putting in a dummy first and last character and just remembering to drop them.

  22. And a bathtub full of ice by phorm · · Score: 1

    I've always like the kidney harvesting joke myself

    1. Re:And a bathtub full of ice by U2xhc2hkb3QgU3Vja3M · · Score: 1

  23. Re:my asshole by Anonymous Coward · · Score: 0

    The asses of the many outweigh the asses of the few, or the one.

  24. More than 90 and less than 180 by aoeusnth · · Score: 1

    > Even worse, the tool claimed to not store the passwords, but an acute observer found they were actually being inputted into a Google Docs spreadsheet.

    I dunno, I thought he was kind of ugly.

    Ohhhh, you mean *obtuse*? Sorry.

    1. Re:More than 90 and less than 180 by Anonymous Coward · · Score: 0

      > Even worse, the tool claimed to not store the passwords, but an acute observer found they were actually being inputted into a Google Docs spreadsheet.

      I dunno, I thought he was kind of ugly.

      Ohhhh, you mean *obtuse*? Sorry.

      No...

      Obtuse means the opposite of the word that you are looking for. Observant would be the word that you're looking for. Or keen. Or astute. Or....

      Need I go on? But acute is *ALSO* a synonym for observant.

  25. The same idiots just got farmed on Facebook by ihtoit · · Score: 1

    You see those "games" that leave you with "your dragon ninja name" or other such bullshit, after first collecting the first three digits of your ATM PIN then the name of your first pet then the last digit of your PIN? That's what I'm talking about.

    The number of people that scam catches and they don't even realise it, makes me weep.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  26. Re: MSFT is Evil, but not for the reason you think by ihtoit · · Score: 1

    Nope. Intel 8080, which was the next step up from the 8008 and the predecessor to the 8085.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  27. Re: MSFT is Evil, but not for the reason you think by Anonymous Coward · · Score: 0

    Would they speak English?

  28. Example of the media knowing nothing by RogueWarrior65 · · Score: 1

    What people should learn from this is that while the media loves to think that they know everything about everything, they really don't know jack squat. Sadly, far too many people believe the media particularly when they cherry-pick elements of a story or pull the NPR tactic of reporting one specific incident hoping that the listener will generalize in that direction.

  29. Another wake up call to use Ad Blocking by DumbSwede · · Score: 2

    Might Ad-blocking have stopped this? The industry wants to ban ad-blocking, but every other day there is a story about malicious 3rd party exploits using ads as a vector. Why does a news site have to have some horrible complicated Javascript Ad intertwined code to function? Note to industry, the ad can be sandboxed as a static entity separate from the main page Javascript. Likely this time the passwords didn’t end up in the hands of hostiles, but who knows, especially since now they know to go look to see if it was collected as part of other behind the scenes shenanigans. The idea that the page should be “Collecting” page event information from the page for 3rd parties is pretty scary.

    1. Re:Another wake up call to use Ad Blocking by Anonymous Coward · · Score: 0

      Can't be assed to look at the page (ew gross), but it probably doesn't return the values (password strength rating or whatever, I already forgot what this POS promises) until you submit the form.

      It MIGHT run in a local little script that you could lock down from leaking (preferably with RequestPolicy or something, not sure about ad blockers) or just by yanking the modem after the page is loaded.

      But it probably doesn't so tldr: "No"

  30. Why headlines now often start with "why" by Anonymous Coward · · Score: 0

    Hit the jump for meandering anecdotal bullshit that never actually explains anything

  31. This is the new normal. by Anonymous Coward · · Score: 0

    I have Verizon FiOS service, and they provide a WiFi router that connects the home to the FiOS service. The router not only stores your router / WiFi password in plain-text, but it sends it back to Verizon where it's stored unencrypted. They not only don't tell you, but the entire thing is insecure by design.

    I even complained, and their tech support denied it initially, and when I pointed out how I figured it out (namely that your password is displayed on the account page on their website, and you can alter the router password from that page), they changed their tune. It's not a security flaw, it's a feature, your service is secure -- even if your password is compromised.

    That's cute. I don't see how anyone could prosecute a copyright case or even a child-porn investigation against a FiOS customer knowing that customer's router passwords are effectively public (at least, easily obtained by a knowledgeable person).

  32. Headline is inaccurate anyway by Anonymous Coward · · Score: 0

    And besides that I've never visited CNBC and never checked my password on some web form, so the headline is false in my case.

  33. LOL, too funny by JustAnotherOldGuy · · Score: 1

    "... an acute observer found they were actually being inputted into a Google Docs spreadsheet."

    Now that's the absolute height of security, nothing could possibly be more secure than that.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:LOL, too funny by Hentes · · Score: 2

      They should've used LibreOffice, of course.

  34. commentsubjectsaredumb by Anonymous Coward · · Score: 0

    >Even worse, the tool claimed to not store the passwords, but an acute observer found they were actually being inputted into a Google Docs spreadsheet.
    Disgusting. Yet the only surprise is that they chose a google doc for dumping.

    "No, nooooo, you're being paranoid, it's not like everything that can scoop data does scoop data."

    Herp.

  35. Re: MSFT is Evil, but not for the reason you think by Anonymous Coward · · Score: 0

    You were a latecomer, we had msft basic on my IMSAI 8080, had to load it via paper tape!

  36. Now they have another article they can write by Hotawa+Hawk-eye · · Score: 1

    To be fair, the new article I hope they write about this scenario will only need to be two sentences long: DO NOT GIVE YOUR PASSWORDS TO ANYONE. DO NOT USE THE SAME PASSWORD FOR MULTIPLE SITES.

    But if they wanted to make it more informative / memorable, they could describe how they may be able to impersonate someone if they can associate one of the entered passwords with one of their registered users (via IP address; not perfect but perhaps good enough) and if the user used that same password on other sites, like Amazon, Facebook, Twitter, eBay, etc.

  37. Oxymoron? by tmjva · · Score: 1

    By sharing data with a "news" service you get what you deserve! Isn't that what they do, is share?

    (And here I am online on the double-entendre of wholly-owned subsidiary of a media company.)

    --
    Tracy Johnson
    Old fashioned text games hosted below:
    http://empire.openmpe.com/
    BT