Long passwords threatened
Old 08-27-2013, 10:26 AM   #1
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,337
Here is an interesting article about a product that apparently is getting very good and very fast at guessing passwords made from various phrases.

“thereisnofatebutwhat*wemake”

As I understand it, if your password is a phrase from just about anything on the internet, this thing has a good shot at guessing it. Even if it comes from some obscure phrase in a play written in 1810 about Venezuelan Beaver Cheese farmers.

Here is a quote from the article about how one very obscure phrase was cracked:

Quote:
a security researcher who recently completed his MSc thesis on modern password cracking, was able to crack the password "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1." That's the fictional occult phrase from the H.P. Lovecraft short story The Call of Cthulhu. It would have been impossible to use a brute-force attack or even a combined dictionary to crack a phrase of that length. But because the phrase was contained in this Wikipedia article, it wound up in a word list that allowed Chrysanthou to crack the phrase in a matter of minutes.
If it's on the Internet, it's vulnerable.
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote

Old 08-27-2013, 11:24 AM   #2
Thinks s/he gets paid by the post
bUU's Avatar
 
Join Date: Dec 2012
Location: Georgia
Posts: 1,914
And the problem is doing a search for it could possibly put it on a list!
__________________
bUU is online now   Reply With Quote
Old 08-27-2013, 11:46 AM   #3
Thinks s/he gets paid by the post
 
Join Date: Jul 2012
Location: Mississippi
Posts: 1,878
Note that this is talking about offline hacking. That is, they have actually stolen a database and are attempting to discover passwords by brute force. The password length is probably the best defense, but using any known phrase will compromise the strength.
__________________
rbmrtn is offline   Reply With Quote
Old 08-27-2013, 11:48 AM   #4
Recycles dryer sheets
 
Join Date: Dec 2003
Posts: 447
But most (all?) password protected sites limit the number of tries. Presumably the algorithm had to try millions of times, if it took some minutes.
__________________
Peter is offline   Reply With Quote
Old 08-27-2013, 11:54 AM   #5
Moderator Emeritus
Bestwifeever's Avatar
 
Join Date: Sep 2007
Posts: 16,375
I could see trying this on one computer/account owned by someone you know, but the threat is surely from hacker programs who just run every possible combination and have access to accounts outside the typical log in screen we deal with.

I really wonder how many passwords are stolen by hackers this way:

__________________
“Would you like an adventure now, or would you like to have your tea first?” J.M. Barrie, Peter Pan
Bestwifeever is offline   Reply With Quote
Old 08-27-2013, 11:54 AM   #6
Thinks s/he gets paid by the post
bUU's Avatar
 
Join Date: Dec 2012
Location: Georgia
Posts: 1,914
What rbmrtn pointed out is that they can use what they stole initially to make unlimited tries to break the passwords, and then once successful, return to the site to use the password that was broken (i.e., single try).
__________________
bUU is online now   Reply With Quote
Old 08-27-2013, 12:20 PM   #7
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,337
Quote:
Originally Posted by bUU View Post
What rbmrtn pointed out is that they can use what they stole initially to make unlimited tries to break the passwords, and then once successful, return to the site to use the password that was broken (i.e., single try).
Exactly. Since this software is easily available, people using a password based upon a phrase that can be found on the internet are at risk.

I like two-factor authentication where possible.
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 08-27-2013, 04:10 PM   #8
Moderator
rodi's Avatar
 
Join Date: Apr 2012
Location: San Diego
Posts: 8,817
Sounds like my poor spelling could work to my advantage. Just (consistently) misspell the phrase you use.
__________________
rodi is offline   Reply With Quote
Old 08-27-2013, 04:21 PM   #9
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Mulligan's Avatar
 
Join Date: May 2009
Posts: 7,384
Quote:
Originally Posted by rodi View Post
Sounds like my poor spelling could work to my advantage. Just (consistently) misspell the phrase you use.
I use a long mixture of letters, numbers, and Caps for my passwords. The trouble is after over a year of using them I still don't remember them. Have to consult my old school notebook that I have them all handwritten in on a near daily basis. A hacker would have a better chance of breaking into my accounts than I would from memory trying to get into them.
__________________
Mulligan is offline   Reply With Quote
Old 08-27-2013, 05:16 PM   #10
Thinks s/he gets paid by the post
 
Join Date: Sep 2012
Location: Seattle
Posts: 2,906
I use the last 8 digits of PI for my password
__________________
Fermion is offline   Reply With Quote
Old 08-27-2013, 05:18 PM   #11
Recycles dryer sheets
lemming's Avatar
 
Join Date: May 2008
Posts: 415
What I hate is that when you forget a password they ask you to email them with nothing more than your account number and they send you an email back with a new code to reset it. It feels like I don't have a password at all. Sure, they have to hack the email account first, but it still seems too easy.
I don't use my name for the account name so they have to figure that then figure the password.
__________________
lemming is offline   Reply With Quote
Old 08-27-2013, 08:10 PM   #12
Thinks s/he gets paid by the post
gauss's Avatar
 
Join Date: Aug 2011
Posts: 1,712
Quote:
Originally Posted by Fermion View Post
I use the last 8 digits of PI for my password
clever - grin!

-gauss
__________________
gauss is offline   Reply With Quote
Old 08-27-2013, 09:02 PM   #13
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,517
Quote:
Originally Posted by lemming View Post
What I hate is that when you forget a password they ask you to email them with nothing more than your account number and they send you an email back with a new code to reset it. It feels like I don't have a password at all. Sure, they have to hack the email account first, but it still seems too easy.
I don't use my name for the account name so they have to figure that then figure the password.
Someone does this?

Usually, when you request a password reset they already have your email on file and that is one of the security steps (that they email you info).
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 08-27-2013, 09:13 PM   #14
Thinks s/he gets paid by the post
veremchuka's Avatar
 
Join Date: Oct 2010
Location: irradiated - too close to the nuclear furnace
Posts: 1,294
There are extensive dictionaries filled with phrases and their abbreviations in all languages, such as the 1st letter of each word, substituting 3 for E, 0 for O, etc., that are available. Using any phrase is a bad idea. I like:

Stranger stop and cast an eye,
as you are now, so once was I.
As I am now, so you will be,
prepare for death and follow me.

This is sometimes found on colonial era gravestones. If you used the 1st letter of each word that'd be safe, right? No!

So this is why you need long complex passwords that you can't remember and are extremely hard to guess. Using software like KeePass allows you to do this and will even create them for you.

I use passwords like this:

4R;mQ3!{kUVi9vr&\XaPk8+Jyf6*q#

There are also reasons to not start with an upper case letter or end with a special character or number, I forget which, because people often do that.

Here's some reading, and the last 2 aren't easy to follow (35 years in IT helped me but a lot is over my head), but you can get a good idea just how serious this is and why bizarre passwords like I created above are necessary. If you use the 1st link DO NOT use any password you intend to use cuz who knows what that site does with what you type into it! I substitute my password's upper/lower case, numbers and special characters with different ones so the pattern and types are the same. When it takes 2,300 billion years (2.3 trillion) to crack one I think you're pretty safe. But as GPU crackers get faster, who knows?

https://www.grc.com/haystack.htm

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica

Why passwords have never been weaker
__________________
veremchuka is offline   Reply With Quote
Old 08-27-2013, 09:57 PM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
pb4uski's Avatar
 
Join Date: Nov 2010
Location: Vermont & Sarasota, FL
Posts: 16,464
Quote:
Originally Posted by Fermion View Post
I use the last 8 digits of PI for my password
I use the 8 following the 8 that you use.
__________________
If something cannot endure laughter.... it cannot endure.
Patience is the art of concealing your impatience.
Slow and steady wins the race.
pb4uski is online now   Reply With Quote
Old 08-27-2013, 10:24 PM   #16
Thinks s/he gets paid by the post
timo2's Avatar
 
Join Date: Jul 2011
Location: Rio Rancho
Posts: 1,438
Quote:
Originally Posted by audreyh1 View Post
Someone does this?

Usually, when you request a password reset they already have your email on file and that is one of the security steps (that they email you info).

Not only that, I've had two companies actually send me the actual password in the 'forgot my password' email.
__________________
"We live the lives we lead because of the thoughts we think" Michael O’Neill
timo2 is offline   Reply With Quote
Old 08-28-2013, 08:09 AM   #17
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
pb4uski's Avatar
 
Join Date: Nov 2010
Location: Vermont & Sarasota, FL
Posts: 16,464
I usually combine a phrase and one of my old phone numbers in passwords. I also substitute letters and numbers - like the letter "O" for zero in a number and the letter "E" for a 3, etc.
__________________
If something cannot endure laughter.... it cannot endure.
Patience is the art of concealing your impatience.
Slow and steady wins the race.
pb4uski is online now   Reply With Quote
Old 08-28-2013, 10:00 AM   #18
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Ed_The_Gypsy's Avatar
 
Join Date: Dec 2004
Location: the City of Subdued Excitement
Posts: 5,293
Quote:
Originally Posted by Fermion View Post
I use the last 8 digits of PI for my password
There are no 'last eight digits' of pi.
__________________
my bumpersticker:
"I am not in a hurry.
I am retired.
And I don't care how big your truck is."
Ed_The_Gypsy is offline   Reply With Quote
Old 08-28-2013, 10:43 AM   #19
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,337
Quote:
Originally Posted by pb4uski View Post
I use the 8 following the 8 that you use.
Instead of copying him, why not use an imaginary number like the square root of -1!

Gosh, I love this stuff!! Math is great!!
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 08-28-2013, 06:11 PM   #20
Thinks s/he gets paid by the post
veremchuka's Avatar
 
Join Date: Oct 2010
Location: irradiated - too close to the nuclear furnace
Posts: 1,294
Quote:
Originally Posted by pb4uski View Post
I usually combine a phrase and one of my old phone numbers in passwords. I also substitute letters and numbers - like the letter "O" for zero in a number and the letter "E" for a 3, etc.
If you read the links I provided you'll see this is not a safe option. Hackers have dictionaries with words spelled correctly and, for each word, substitutions and randomized versions based upon analysis of stolen passwords.

No matter how clever you think your "system" is, they can crack it unless you use very long random combinations of letters, numbers and special characters. This is when something like KeePass is very effective because it remembers them and you don't, your database is encrypted, and all you need to remember is your master password to get into the KeePass safe. Make that one long and complex, but you can use phrases, dates, etc. that mean something to you and devise a method of how to remember it. Not that hard to remember just 1 password.
__________________
veremchuka is offline   Reply With Quote