Long passwords threatened

Chuckanut

Here is an interesting article about a product that apparently is getting very good and very fast at guessing passwords made from various phrases.

“thereisnofatebutwhatwemake”

As I understand it, if your password is a phrase from just about anything on the internet, this thing has a good shot at guessing it. Even if it comes from some obscure phrase in a play written in 1810 about Venezuelan Beaver Cheese farmers. ;)

Here is a quote from the article about how one very obscure phrase was cracked:

a security researcher who recently completed his MSc thesis on modern password cracking, was able to crack the password "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1." That's the fictional occult phrase from the H.P. Lovecraft short story The Call of Cthulhu. It would have been impossible to use a brute-force attack or even a combined dictionary to crack a phrase of that length. But because the phrase was contained in this Wikipedia article, it wound up in a word list that allowed Chrysanthou to crack the phrase in a matter of minutes.

If it's on the Internet, it's vulnerable.
 
And the problem is doing a search for it could possibly put it on a list!
 
Note that this is talking about offline hacking. That is, they have actually stolen a database and are attempting to discover passwords by brute force. The password length is probably the best defense, but using any known phrase will compromise the strength.
 
But most (all?) password protected sites limit the number of tries. Presumably the algorithm had to try millions of times, if it took some minutes.
 
I could see trying this on one computer/account owned by someone you know, but the threat is surely from hacker programs that just run every possible combination and have access to accounts outside the typical login screen we deal with.

I really wonder how many passwords are stolen by hackers this way:

Kramer figures out George's secret code - YouTube
 
What rbmrtn pointed out is that they can use what they stole initially to make unlimited tries to break the passwords, and then once successful, return to the site to use the password that was broken (i.e., single try).
 
> What rbmrtn pointed out is that they can use what they stole initially to make unlimited tries to break the passwords, and then once successful, return to the site to use the password that was broken (i.e., single try).

Exactly. Since this software is easily available, people using a password based upon a phrase that can be found on the internet are at risk.

I like two factor authentication where possible.
 
Sounds like my poor spelling could work to my advantage. Just (consistently)
misspell the phrase you use.
 
> Sounds like my poor spelling could work to my advantage. Just (consistently)
> misspell the phrase you use.

I use a long mixture of letters, numbers, and Caps for my passwords. The trouble is after over a year of using them I still don't remember them. Have to consult my old school notebook that I have them all handwritten in on a near daily basis. A hacker would have a better chance of breaking into my accounts than I would from memory trying to get into them.
 
What I hate is that when you forget a password they ask you to email them with nothing more than your account number and they send you an email back with a new code to reset it. It feels like I don't have a password at all. Sure they have to hack the email account first but it still seems too easy.
I don't use my name for the account name so they have to figure that then figure the password.
 
> What I hate is that when you forget a password they ask you to email them with nothing more than your account number and they send you an email back with a new code to reset it. It feels like I don't have a password at all. Sure they have to hack the email account first but it still seems too easy.
> I don't use my name for the account name so they have to figure that then figure the password.
Someone does this?

Usually, when you request a password reset they already have your email on file and that is one of the security steps (that they email you info).
 
There are extensive dictionaries filled with phrases and their abbreviations in all languages, such as the 1st letter of each word, substituting 3 for E, 0 for O, etc., that are available. Using any phrase is a bad idea. I like:

Stranger stop and cast an eye,
as you are now, so once was I.
As I am now, so you will be,
prepare for death and follow me.

This is sometimes found on colonial era gravestones. If you used the 1st letter of each word that'd be safe, right? No!

So this is why you need long complex passwords that you can't remember and are extremely hard to guess. Using software like KeePass allows you to do this and will even create them for you.

I use passwords like this:

4R;mQ3!{kUVi9vr&\XaPk8+Jyf6*q#

There are also reasons not to start with an upper case letter or end with a special character or number (I forget which) because people often do that.

Here's some reading, and the last 2 aren't easy to follow (35 years in IT helped me but a lot is over my head), but you can get a good idea just how serious this is and why bizarre passwords like I created above are necessary. If you use the 1st link DO NOT use any password you intend to use cuz who knows what that site does with what you type into it! I substitute my password's upper/lower case, numbers and special characters with different ones so the pattern and types are the same. When it takes 2,300 billion years (2.3 trillion) to crack one I think you're pretty safe. But as GPU crackers get faster who knows?

https://www.grc.com/haystack.htm

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica

Why passwords have never been weaker
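The two points made in this thread (the Lovecraft phrase cracked from a Wikipedia-derived word list, and the gravestone acronym / leet substitutions that are already in rule sets) can be shown with a small defensive strength check. This is an added example, not code from the thread or from any of the linked articles; the phrase list, the leet table and the suffix list are constructed stand-ins for the much larger lists the posters describe, and the guess rate is an assumption.

```python
import math

# Constructed mini phrase list standing in for the large public word lists the thread
# describes (Wikipedia text, epitaphs, lyrics). The entries are the phrases quoted above.
KNOWN_PHRASES = [
    "there is no fate but what we make",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    "Stranger stop and cast an eye, as you are now, so once was I. "
    "As I am now, so you will be, prepare for death and follow me.",
]
LEET = {"e": "3", "o": "0", "a": "4", "i": "1", "s": "5"}  # substitutions the thread mentions
SUFFIXES = ("", "1", "!", ".", "1.")                         # common trailing additions (constructed)


def derived_forms(phrase: str) -> set[str]:
    """Cheap transformations a rule-based guesser applies to every listed phrase:
    the phrase itself, words joined, first letter of each word, leet, a short suffix."""
    words = [w for w in (x.strip(".,") for x in phrase.split()) if w]
    bases = {phrase, "".join(words), "".join(w[0] for w in words)}
    bases |= {b.lower() for b in bases}
    forms = set()
    for b in bases:
        for variant in (b, "".join(LEET.get(c.lower(), c) for c in b)):
            forms.update(variant + s for s in SUFFIXES)
    return forms


def is_derived_from_known_phrase(password: str, phrases=KNOWN_PHRASES) -> bool:
    return any(password in derived_forms(p) for p in phrases)


def search_space_bits(password: str) -> float:
    """Haystack-style estimate: size of the character classes used, raised to the length."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33))
    alphabet = sum(n for test, n in classes if any(test(c) for c in password))
    return len(password) * math.log2(alphabet)


def effective_bits(password: str, phrases=KNOWN_PHRASES) -> float:
    """What a defender should assume: if the password derives from a listed phrase, the
    attacker's work is (list size x rule count), whatever the haystack estimate says."""
    if is_derived_from_known_phrase(password, phrases):
        return math.log2(len(phrases) * max(len(derived_forms(p)) for p in phrases))
    return search_space_bits(password)


if __name__ == "__main__":
    for pw in ("thereisnofatebutwhatwemake", "SsacaeayansowIAIansywbpfdafm",
               "4R;mQ3!{kUVi9vr&\\XaPk8+Jyf6*q#"):
        print(f"{pw!r:40} haystack {search_space_bits(pw):6.1f} bits, "
              f"effective {effective_bits(pw):6.1f} bits")
```

The first two passwords look like 120+ bits by character-class counting but collapse to under 10 bits once the phrase is on a list; only the random 30-character string keeps its full estimate.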
 
> Someone does this?

> Usually, when you request a password reset they already have your email on file and that is one of the security steps (that they email you info).


Not only that, I've had two companies actually send me the actual password in the 'forgot my password' email.
 
I usually combine a phrase and one of my old phone numbers in passwords. I also substitute letters and numbers, like the letter "O" for a zero in a number and the letter "E" for a 3, etc.
 
> I usually combine a phrase and one of my old phone numbers in passwords. I also substitute letters and numbers, like the letter "O" for a zero in a number and the letter "E" for a 3, etc.

If you read the links I provided you'll see this is not a safe option. Hackers have dictionaries with words spelled correctly and for each word substitutions and randomized versions based upon analysis of stolen passwords.

No matter how clever you think your "system" is, they can crack it unless you use very long random combinations of letters, numbers and special characters. This is when something like KeePass is very effective, because it remembers them, you don't; your database is encrypted, and all you need to remember is your master password to get into the KeePass safe. Make that one long and complex, but you can use phrases, dates, etc. that mean something to you and devise a method of how to remember it. Not that hard to remember just 1 password.
 
> Not only that, I've had two companies actually send me the actual password in the 'forgot my password' email.


And this is the reason that now when I register at a new web site, I first use a temporary password. I then immediately 'forget' my password and have it reset.

Hopefully, this will start a process to reset my password to something new and the old password will not be displayed.

On the other hand, if they send me the actual password, I know that I need to create a one-off password for that site so that I do not compromise my password patterns.

-gauss
 