Old 06-09-2016, 12:33 PM   #61
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,904
The schemes that rely on remembering what goes where on a lengthy password and what gets abbreviated or not sound like a wonderful test for Alzheimer's :-) The one security check I do subscribe to is to check my financial sites every day for unusual activity.

This brings me to a question. Every financial institution I deal with has a system whereby access is permanently denied if one types the wrong password three times. There is a lengthy reauthorization process involving an actual phone call etc. How does the brute force approach manage to try millions of passwords if I get shut down after three attempts?
ejman

Old 06-09-2016, 12:43 PM   #62
Full time employment: Posting here.
 
Join Date: Jan 2011
Location: Just North of Boston
Posts: 519
Quote:
Originally Posted by tulak
Lastpass user for over 3 years. I pay $12/year for their premium service.
I also use LastPass, for example, my last password I used for a site was: 6C#wy!H1#VI1ZaR

I could not tell you what any of my passwords are.
ChiliPepr
Old 06-09-2016, 12:48 PM   #63
Full time employment: Posting here.
 
Join Date: Jan 2011
Location: Just North of Boston
Posts: 519
Quote:
Originally Posted by meierlde
Another question issue, if your mother has passed on, her obituary will contain her maiden name and your name since the survivors are often listed.
I always use the same random string for those questions... mother maiden name "PumkinPie"; best friend in elementary school "PumkinPie"; street I grew up on, you guessed it, "PumkinPie"
ChiliPepr
Old 06-09-2016, 01:05 PM   #64
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,271
Quote:
Originally Posted by ejman
... This brings me to a question. Every financial institution I deal with has a system whereby access is permanently denied if one types the wrong password three times. There is a lengthy reauthorization process involving an actual phone call etc. How does the brute force approach manage to try millions of passwords if I get shut down after three attempts?
I had wondered that too, but I think this is the answer. They aren't after your account, they are after any account, and as many as they can hack.

So they try once, maybe twice on yours, then move to the next one. They probably have millions that they can try. And then they come back a day or so later, and try again. Eventually, they get some open.

Makes no difference if they try your account a million times, or a million accounts one time. Odds are the same. Maybe someone who is/was in the security business can confirm/deny this?


Quote:
Originally Posted by ChiliPepr
I always use the same random string for those questions... mother maiden name "PumkinPie"; best friend in elementary school "PumkinPie"; street I grew up on, you guessed it, "PumkinPie"

I tried that once (I used ApplePie ), and the darn thing kicked them out, chiding me for using the same answer for multiple questions. Heck, how is a bad guy going to know I did that?

-ERD50
ERD50
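The "one try each, then move on to the next account" pattern ERD50 describes above is what defenders call password spraying, and the reason it slips past a three-strike lockout is that the lockout counter is kept per account while the attack is spread across accounts. The following is an added example, not something posted in this thread or code from any product named here: it reads a handful of constructed authentication log lines (the format, the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses and the user names are all made up for illustration) and flags a source whose failures are thinly spread over many accounts, which a per-account counter can never see.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real system). 203.0.113.7 makes ONE
# guess against each of many accounts and never trips a 3-strike lockout;
# 198.51.100.9 hammers a single account and is locked out; 192.0.2.44 is an
# ordinary user who mistyped once.
SAMPLE_LOG = """\
2016-06-09T12:00:01Z src=203.0.113.7 user=alice result=FAIL
2016-06-09T12:00:02Z src=203.0.113.7 user=bob result=FAIL
2016-06-09T12:00:03Z src=203.0.113.7 user=carol result=FAIL
2016-06-09T12:00:04Z src=203.0.113.7 user=dave result=FAIL
2016-06-09T12:00:05Z src=203.0.113.7 user=erin result=FAIL
2016-06-09T12:00:06Z src=203.0.113.7 user=frank result=OK
2016-06-09T12:01:00Z src=198.51.100.9 user=alice result=FAIL
2016-06-09T12:01:01Z src=198.51.100.9 user=alice result=FAIL
2016-06-09T12:01:02Z src=198.51.100.9 user=alice result=LOCKED
2016-06-09T12:02:00Z src=192.0.2.44 user=alice result=OK
2016-06-09T12:02:30Z src=192.0.2.44 user=alice result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, source, user, result); lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("src"), m.group("user"), m.group("result")


def detect_spraying(log_text, min_accounts=5, max_failures_per_account=2):
    """Return {source: sorted accounts} for sources whose failures are spread
    thinly across many accounts.

    A per-account lockout never fires here because no single account exceeds
    max_failures_per_account; only a per-source view across accounts does."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed tries
    for _ts, src, user, result in parse(log_text):
        if result != "OK":
            failures[src][user] += 1
    suspects = {}
    for src, per_user in failures.items():
        thin = [u for u, n in per_user.items() if n <= max_failures_per_account]
        if len(thin) >= min_accounts:
            suspects[src] = sorted(thin)
    return suspects


def successes_from_sprayers(log_text, suspects):
    """Accounts that later logged in successfully from a spraying source:
    the ones to reset and notify first."""
    hits = set()
    for _ts, src, user, result in parse(log_text):
        if src in suspects and result == "OK":
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    found = detect_spraying(SAMPLE_LOG)
    print("spraying sources:", found)
    print("accounts opened by them:", successes_from_sprayers(SAMPLE_LOG, found))
```

The thresholds (five accounts, at most two failures each) are the assumption that makes the toy work; on a real system they are tuned per population, and the same per-source grouping is usually extended to user-agent or ASN because sprayers rotate addresses.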
Old 06-09-2016, 01:10 PM   #65
Thinks s/he gets paid by the post
ExFlyBoy5's Avatar
 
Join Date: May 2013
Posts: 1,977
Quote:
Originally Posted by ChiliPepr
I always use the same random string for those questions... mother maiden name "PumkinPie"; best friend in elementary school "PumkinPie"; street I grew up on, you guessed it, "PumkinPie"
Will they let you use the same answer for multiple questions? I have not tried your approach but I think it wouldn't work in that case.
__________________
Founder and Head Lounger @ The Life of Leisure Institute
Retired in 2014 at the Ripe Age of 40.
ExFlyBoy5
Old 06-09-2016, 01:16 PM   #66
Thinks s/he gets paid by the post
Sunset's Avatar
 
Join Date: Jul 2014
Location: Chicago
Posts: 4,719
Quote:
Originally Posted by easysurfer
Some password managers are a bit overkill which kind of defeats the purpose.

.......
... I'm happy with Password Corral (Windows only, though I also have it working on my Linux laptop). Password Corral isn't as popular as some of the others, but I think has a good interface, allows for copy/paste of user id/passwords, has freehand "comments" section for adding thing like the Q & A of those darn challenge questions, stored locally as encrypted file. Plus, it is free. I used to use Password Safe (among others), but IMO, found Password Corral easier to use.
You would probably like keepass since it runs on linux and windows and has everything you mentioned above plus wipes the copy memory automatically after a time you set.

One thing I like about password managers vs an encrypted excel spreadsheet is that if I turn off the computer the passwords are all gone, unlike a spreadsheet or text file I forgot to encrypt before shutting down.

KeePass Password Safe
Sunset
Old 06-09-2016, 02:04 PM   #67
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,885
Quote:
Originally Posted by Sunset
You would probably like keepass since it runs on linux and windows and has everything you mentioned above plus wipes the copy memory automatically after a time you set.

One thing I like about password managers vs an encrypted excel spreadsheet is that if I turn off the computer the passwords are all gone, unlike a spreadsheet or text file I forgot to encrypt before shutting down.

KeePass Password Safe
I may have to do some playing around with KeePass just for grins. Always like to know what is out there.

Looking at the screenshots, I think there are similarities to Password Corral. But as you mentioned, Keepass is not Windows only.

Cygnus Productions [Password Corral - Freeware]
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer
Old 06-09-2016, 03:01 PM   #68
Full time employment: Posting here.
sailor's Avatar
 
Join Date: May 2005
Location: Atlanta suburbs
Posts: 881
Quote:
Originally Posted by Options
I would never use any password that is only eight words long
As a software engineer I would like to point out that an 8-word password is huge. About 2^88 entropy there.
See here for an example of using only 4-word passwords: https://xkcd.com/936/
sailor
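Where sailor's 2^88 comes from: the xkcd 936 strip assumes roughly 2048 candidate words, i.e. 11 bits per word, so 8 words give 88 bits and 4 words give the strip's 44. The entropy depends only on the size of the list an attacker must assume you drew from and on the words being chosen at random, not on the words themselves. This is an added example, not code from the thread; the eight-word toy list is constructed and the 10^12 guesses per second rate in the demo is an assumed figure for illustration only.

```python
import math
import secrets

# Constructed toy list. A real Diceware list has 7776 words; the list behind
# xkcd 936 has about 2048 (11 bits per word). The attacker is assumed to know
# the list, so only its size counts.
TOY_WORDS = ["correct", "horse", "battery", "staple",
             "pumpkin", "pie", "chipmunk", "lounger"]


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of word_count words drawn uniformly, with replacement,
    from a public list of list_size words."""
    return word_count * math.log2(list_size)


def random_chars_for_bits(bits, alphabet_size=95):
    """Length a uniformly random password over alphabet_size symbols
    (95 = printable ASCII) needs to reach the same entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole space at the given rate (attacker's worst case)."""
    return 2 ** bits / guesses_per_second / (365 * 86400)


def make_passphrase(word_count, words=TOY_WORDS, sep="-"):
    """secrets.choice draws from the OS CSPRNG. random.choice is predictable,
    and a person 'picking' words draws from a much smaller effective list."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for n, size in [(4, 2048), (8, 2048), (8, 7776)]:
        bits = passphrase_entropy_bits(n, size)
        print(f"{n} words from {size}: {bits:.1f} bits, about "
              f"{random_chars_for_bits(bits)} random printable chars, "
              f"{years_to_exhaust(bits, 1e12):.3g} years at an assumed 1e12 guesses/s")
    print("sample (from the toy list, so only 24 bits):", make_passphrase(8))
```

The point the strip makes, and the numbers here reproduce, is that 8 random words from a 2048-word list are worth about 14 fully random printable characters, which is why a generated passphrase is both stronger and easier to type than a mangled 8-character password.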
Old 06-09-2016, 04:08 PM   #69
Recycles dryer sheets
 
Join Date: Jun 2012
Posts: 489
There is an interesting twist to consider in all this: how the law treats passwords versus biometrics. In the US, you can't be forced to divulge or supply a password. However, you can be forced to supply your fingerprint, among other biometric data. So if you are using only a thumb print to access your password DB, you could be legally forced to provide the "keys to your kingdom". Same with the newer iPhones with TouchID.

I think someone mentioned this already but IMO the biggest risk from hackers to most people is the following scenario:

1) Hackers penetrate a site that stores passwords in clear text. Storing passwords in clear text is a big no-no, but plenty of even large companies do it, sometimes in a secondary/test database.
2) Hackers download a huge number of username, email, password combinations.
3) Hackers then try username+password and email+password on dozens of other sites (e.g., Vanguard)

Even if only 1% of the combinations work, if #1 is a sufficiently large site, they have hit pay dirt. In this case, because there is no brute-force taking place, password complexity is irrelevant. This is obviously where schemes like ERD50's or password managers come in.
someguy
Old 06-09-2016, 04:42 PM   #70
Full time employment: Posting here.
CaliKid's Avatar
 
Join Date: Apr 2016
Location: Cali
Posts: 550
I love the info here. I think I am a slacker so need to beef things up on some sites.

However, most sites it's not that big of a deal if they hack in. My credit card for example has really good security. If you log in from a new computer they make you get a password from your phone or email. Ok, but what do I care if they hack into my credit card? Are they going to pay my bill for me? Ya, I get it that they can cause trouble but aren't most hackers looking for ways to get money!?

Also, it seems to me, that email is the most important. If a person figures out your email they can reset just about any website.
__________________
______________________
Hoping to get out around September 1, 2022... I hope, I hope, I hope. Until then off to work I go....
CaliKid
Old 06-09-2016, 05:12 PM   #71
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,676
Quote:
Originally Posted by CaliKid
...
Also, it seems to me, that email is the most important. If a person figures out your email they can reset just about any website.
+1

Today I wanted to update my password at a site that has my credit card to pay the small monthly bill. The only way I could do this was to request a password reset. So they just sent the reset to my email and I log in using their link from my email. No verification it was me other than it comes from my email. No security questions.

That is why my email password is very strong.
Lsbcal
Old 06-09-2016, 06:02 PM   #72
Full time employment: Posting here.
 
Join Date: Jul 2011
Posts: 571
From today's WSJ concerning the hacks of Twitter

The hacks primarily affect computer users who use the same password for multiple accounts and who don't use additional security measures such as text-message notifications when someone tries to access an account from a new computer. On Sunday, hackers used a password from the 2012 LinkedIn breach to take over Mark Zuckerberg's Twitter account. Monday, German software company TeamViewer GmbH said that criminals were using this data to take over the accounts of some of its customers.

I am even more convinced that passwords should not share any part of any password. I understand it is easier to remember but at least for important information, including finances, a long unique password, changed regularly, offers the best protection. And, two factor is an added layer that is worth the time to me.

Twitter: Passwords Leaked for Millions of Accounts - WSJ
davef
Old 06-09-2016, 07:10 PM   #73
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,459
Quote:
Originally Posted by CaliKid
I love the info here. I think I am a slacker so need to beef things up on some sites.

However, most sites it's not that big of a deal if the hack in. My credit card for example has really good security. If you log in from a new computer they make you get a password from your phone or email. Ok, but what do I care if they hack into my credit card? Are they going to pay my bill for me? Ya, I get it that they can cause trouble but aren't most hackers looking for ways to get money!?

Also, it seems to me, that email is the most important. If a person figures out your email they can reset just about any website.
They have to break into your email account and shut you out of it.

We own our own domain names, so it's not so easy for someone to take over our email addresses.

You hear about yahoo account break-ins and others though. I've always been leery of "free" email accounts considering how important an email address is to many accounts.

Here is how hackers use stolen cards to make money: they buy tons of gift cards - that can then be passed along as cash. They also use stolen credit cards to buy popular items from big box stores that are easy to sell.
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1
Old 06-09-2016, 07:20 PM   #74
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,271
Quote:
Originally Posted by Lsbcal
+1

Today I wanted to update my password at a site that has my credit card to pay the small monthly bill. The only way I could do this was to request a password reset. So they just sent the reset to my email and I login using their link from my email. No verification it was me other then it comes from my email. No security questions.

That is why my email password is very strong.
Sounds bad, but it sounds like you were logged in to request the password reset, so maybe that's how that worked?

This is another reason why having the login and the password on the same entry screen of the web page is important. If it fails, it should say that either login or password is incorrect, so no clue as to which. Otherwise, once they guess the login, they can request a password reset.

So yes, it is important to have a strong email password - in the case above, once they have your email, they can intercept password resets - especially dangerous if the login to the account is the email address!

Quote:
Originally Posted by davef
From today's WSJ concerning the hacks of Twitter
....

I am even more convinced that passwords should not share any part of any password. I understand it is easier to remember but at least for important information, including finances, a long unique password, changed regularly, offers the best protection. And, two factor is an added layer that is worth the time to me.
But they wouldn't know which part was shared - I don't think it's adding any risk.

And what advantage is there to changing your password often? I think that has been exposed as a myth - it often leads to people using simpler passwords. It's not like a bad guy is going to sit on a hacked password for 6 months before using it.

-ERD50
ERD50
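ERD50's two points above, a login form that answers "login or password is incorrect" without saying which, and the danger that a reset flow becomes the attacker's way in once they know a valid login, both come down to the same server-side discipline: never let the response (message or timing) reveal whether an account exists, and make reset tokens random, hashed at rest, expiring and single-use. The code below is an added illustration written for this thread, not code from any site mentioned in it; the in-memory user table, the user "alice", the 15-minute token lifetime and the PBKDF2 iteration count are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for the demo)


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed in-memory user table: username -> (salt, digest). No real accounts.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct-horse-battery-staple", _SALT))}

# Dummy record checked for unknown usernames, so that path costs the same as a
# real check and response time does not reveal which logins exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _pbkdf2(secrets.token_hex(16), _DUMMY_SALT))

GENERIC = "login or password is incorrect"


def login_leaky(username, password):
    """The design ERD50 objects to: the message itself confirms valid logins."""
    if username not in USERS:
        return "unknown user"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_pbkdf2(password, salt), digest):
        return "wrong password"
    return "ok"


def login_uniform(username, password):
    """Same message and the same amount of work whether or not the login exists."""
    salt, digest = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_pbkdf2(password, salt), digest)
    return "ok" if matched and username in USERS else GENERIC


# Password reset: the e-mailed link carries a random token; the server keeps
# only its hash plus an expiry, and deletes the record on first use.
RESET_TTL = 15 * 60
RESET_TOKENS = {}  # sha256(token) -> (username, expires_at)
RESET_MESSAGE = "If that account exists, a reset link has been e-mailed."


def request_reset(username, now=None):
    """Returns (message, token). The message never varies, so the reset form
    cannot be used to enumerate accounts; the token is what would go into the
    e-mail and is None when no such account exists."""
    now = time.time() if now is None else now
    token = None
    if username in USERS:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        RESET_TOKENS[key] = (username, now + RESET_TTL)
    return RESET_MESSAGE, token


def redeem_reset(token, new_password, now=None):
    """Consumes the token (one use only), refuses expired ones, sets the password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(key, None)  # pop: a token cannot be replayed
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    salt = os.urandom(16)
    USERS[username] = (salt, _pbkdf2(new_password, salt))
    return True


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), "|", login_uniform("nobody", "x"))
    msg, tok = request_reset("alice")
    print(msg, "| token issued:", tok is not None)
    print("redeemed:", redeem_reset(tok, "new-pass-phrase"),
          "| login:", login_uniform("alice", "new-pass-phrase"))
```

Storing only the hash of the reset token means a leaked database copy does not hand out live reset links, and popping the record on redemption is what makes a token single-use even if the e-mail is read twice. None of this changes the thread's bottom line: whoever controls the mailbox still receives the link, so the e-mail account's password and second factor remain the root of trust.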
Old 06-09-2016, 07:38 PM   #75
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,676
Quote:
Originally Posted by ERD50
Sounds bad, but it sounds like you were logged in to request the password reset, so maybe that's how that worked?

This is another reason why having the login and the password on the same entry screen of the web page is important. If it fails, it should say that either login or password is incorrect, so no clue as to which. Otherwise, once they guess the login, they can request a password reset.
...
Good point and never really thought about it that way.

Maybe that is why Vanguard went to the login and password on the same screen. They did away with the unique picture which was a shame as I kind of liked the chipmunk I chose. Anyway, they did add 2FA and beefed up the allowed number of characters in the password. It feels safer.
Lsbcal
Old 06-09-2016, 07:56 PM   #76
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,904
Quote:
Originally Posted by ERD50
I had wondered that too, but I think this is the answer. They aren't after your account, they are after any account, and as many as they can hack.

So they try once, maybe twice on yours, then move to the next one. They probably have millions that they can try. And then they come back a day or so later, and try again. Eventually, they get some open.

Makes no difference if they try your account a million times, or a million accounts one time. Odds are the same. Maybe someone who is/was in the security business can confirm/deny this?

-ERD50
Interesting analysis. If that's the case then from an "individual" standpoint a short password wouldn't be a problem because they only get a couple of tries on MY account before they have to move on to another account out of the millions they are trying. I guess I'm not certain I actually understand exactly what the vulnerability is from an individual's standpoint of a short password.
ejman
Old 06-09-2016, 08:25 PM   #77
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,676
Quote:
Originally Posted by ejman
Interesting analysis. If that's the case then from an "individual" standpoint a short password wouldn't be a problem because they only get a couple of tries on MY account before they have to move on to another account out of the millions they are trying. I guess I'm not certain I actually understand exactly what the vulnerability is from an individual's standpoint of a short password.
Suppose they get in through the back door i.e. they get hold of the hashed database of all the users. This could happen through sophisticated hacking or maybe a person on the inside of the institution.

The most vulnerable in that case are (I think) the short password accounts. This is because the bad guys have all the tries they want, limited only by computational speed.
Lsbcal
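Lsbcal's "back door" is the scenario someguy laid out earlier in the thread (post #69): once the attacker holds a copy of the site's password table, the three-strike lockout is irrelevant because guesses are made against the copy, not the login page. What the table contains then decides everything. The following added example (not from this thread or any product in it; the user records are constructed and the iteration count is an assumed work factor) puts the clear-text storage someguy calls a "big no-no" next to per-user salted PBKDF2 storage, and shows why, even with hashing, the short passwords are the first to fall: the attacker's only limit is keyspace divided by guess rate.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # PBKDF2 work factor: raises an offline attacker's per-guess cost


def store_plaintext(table, username, password):
    """The no-no: a copied table is directly reusable on other sites."""
    table[username] = password


def check_plaintext(table, username, password):
    return table.get(username) == password


def store_hashed(table, username, password):
    """Random per-user salt, so equal passwords give different digests and a
    guess must be recomputed for every user rather than once for the table."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    table[username] = (salt, digest)


def check_hashed(table, username, password):
    entry = table.get(username)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def reusable_after_leak(table):
    """Credentials replayable elsewhere straight from a dump of the table:
    every entry of a plaintext table, none of a hashed one."""
    return {u: v for u, v in table.items() if isinstance(v, str)}


def time_one_guess(table, username):
    """Cost of one verification. An attacker holding the table pays roughly
    this per guess per user (scaled by whatever hardware they bring)."""
    start = time.perf_counter()
    check_hashed(table, username, "not-the-real-password")
    return time.perf_counter() - start


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Keyspace divided by rate. With the table in hand there is no lockout,
    so this is the only thing standing between the attacker and a short password."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    bad, good = {}, {}
    # Constructed records; the first two deliberately share a weak password.
    for user, pw in [("alice", "momof2"), ("bob", "momof2"),
                     ("carol", "chipmunk-lounger-staple-pie")]:
        store_plaintext(bad, user, pw)
        store_hashed(good, user, pw)
    print("reusable from plaintext dump:", reusable_after_leak(bad))
    print("reusable from hashed dump:", reusable_after_leak(good))
    print("alice and bob share a password, digests differ:",
          good["alice"][1] != good["bob"][1])
    per_guess = time_one_guess(good, "alice")
    # Single-core PBKDF2 timing; a fast unsalted hash on a GPU rig would be
    # many orders of magnitude quicker, which is the whole point of the work factor.
    for n in (6, 8, 12):
        yrs = seconds_to_exhaust(n, 95, 1 / per_guess) / (365 * 86400)
        print(f"{n} printable chars at {per_guess * 1000:.0f} ms/guess: {yrs:.3g} years")
```

Two things the numbers make visible: hashing with a per-user salt turns a leaked table from a ready-made credential-stuffing list into a per-user guessing job, and the work factor multiplies the attacker's cost per guess, but neither changes the exponent, so a six-character password stays within reach while a long random one does not.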
Old 06-09-2016, 08:44 PM   #78
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,271
Quote:
Originally Posted by ejman
Interesting analysis. If that's the case then from an "individual" standpoint a short password wouldn't be a problem because they only get a couple of tries on MY account before they have to move on to another account out of the millions they are trying. I guess I'm not certain I actually understand exactly what the vulnerability is from an individual's standpoint of a short password.
I would imagine that in their scans of millions of accounts, they start with short, easy passwords because many people don't bother with long ones, and special chars and such. So they go for the low hanging fruit. Those people are probably less secure about things in general, and easier to hack?

A few years ago, I downloaded a list of the 64,000 most common passwords. Lots of low hanging fruit there. A few samples:

momof2
momof3
momof4
momof5

etc.

edit/add: Also what Lsbcal just posted


-ERD50
ERD50
Old 06-09-2016, 09:24 PM   #79
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,904
Quote:
Originally Posted by Lsbcal
Suppose they get in through the back door i.e. they get hold of the hashed database of all the users. This could happen through sophisticated hacking or maybe a person on the inside of the institution.

The most vulnerable in that case are (I think) the short password accounts. This is because the bad guys have all the tries they want, limited only by computational speed.
So, there is another electronic "door" to the account other than the logon I have to use that limits me to 3 tries before shutting down so the limitation doesn't apply and they get to try millions of combinations?
ejman
Old 06-09-2016, 09:52 PM   #80
Full time employment: Posting here.
 
Join Date: Jul 2011
Posts: 571
Quote:
Originally Posted by ERD50
Sounds bad, but it sounds like you were logged in to request the password reset, so maybe that's how that worked?

This is another reason why having the login and the password on the same entry screen of the web page is important. If it fails, it should say that either login or password is incorrect, so no clue as to which. Otherwise, once they guess the login, they can request a password reset.

So yes, it is important to have a strong email password - in the case above, once they have your email, they can intercept password resets - especially dangerous if the login to the account is the email address!

But they wouldn't know which part was shared - I don't think it's adding any risk.

And what advantage is there to changing your password often? I think that has been exposed as a myth - it often leads to people using simpler passwords. It's not like a bad guy is going to sit on a hacked password for 6 months before using it.

-ERD50
Shared password pattern - You're right to the extent that a hacker is working on one account. If they should hack more than one account, they will likely start with a pattern to break your password. Hackers are not just using your pattern but the patterns of everyone. Or, they might be using your pattern if you are unlucky enough to have 2+ of your accounts hacked (Home Depot and Facebook). Hackers could look at similarities in passwords and user names to get a head start.
Many people on this string liked your approach. If they follow your password concept, hackers will start with the similar pattern. It is not a guarantee they will get into your account but easier than a unique and unpatterned approach as provided by password generators.

Password Updates - I do not agree that password updates are a myth. Hacking is an algorithm which means that longer and non-patterned passwords take more time to break. And changing them, forces a hacker to start all over. Putting time and difficulty on your side is a good idea.

No doubt people approach passwords differently. The generators make life fairly easy to develop unique and difficult passwords, and no doubt add a layer of safety since these passwords have no patterns and can be easily changed often. I know I am following an extra layer of caution but it seems as computer power gets stronger, this effort is important to protect my information.
davef