06-01-2013, 11:37 AM
#1
Administrator
Join Date: Jan 2008
Location: Chicagoland
Posts: 40,585
Password Hacking
Interesting (a bit wonkish) article on hacking passwords. Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica
A couple of snippets:
Quote:
The ease these crackers had in recovering as many as 90 percent of the hashes they targeted from a real-world breach also exposes the inability many services experience when trying to measure the relative strength or weakness of various passwords. A recently launched site from chipmaker Intel asks users "How strong is your password?," and it estimated it would take six years to crack the passcode "BandGeek2014". That estimate is laughable given that it was one of the first ones to fall at the hands of all three real-world crackers.
|
Their recommendation for a secure password.
Quote:
In the meantime, readers should take pains to make sure their passwords are a minimum of 11 characters, contain upper- and lower-case letters, numbers, and letters, and aren't part of a pattern.
|
The article says they will publish a primer on password managers.
06-01-2013, 12:11 PM
#2
Moderator Emeritus
Join Date: Jan 2007
Location: New Orleans
Posts: 47,473
That was interesting! I was very pleased to see that making one's passwords 10+ characters long is so helpful. Wish that was all we needed to do.
__________________
Already we are boldly launched upon the deep; but soon we shall be lost in its unshored, harbourless immensities. - - H. Melville, 1851.
Happily retired since 2009, at age 61. Best years of my life by far!
06-01-2013, 02:27 PM
#3
Thinks s/he gets paid by the post
Join Date: Jul 2012
Location: Mississippi
Posts: 1,894
Quote:
Originally Posted by W2R
That was interesting! I was very pleased to see that making one's passwords 10+ characters long is so helpful. Wish that was all we needed to do.
|
The length is actually one of the most important inputs, just because it increases the permutations that have to be checked.
Here is a site with some interesting info; it tells you about the time involved in hacking your password.
https://www.grc.com/haystack.htm
06-01-2013, 03:17 PM
#4
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Sep 2005
Location: Northern IL
Posts: 26,821
It is interesting, but as far as I could understand, only really relevant if the site has their password list stolen.
With a stolen file, the hackers can chomp away on it all they want, and make billions of guesses a second. But they can't do that without a list.
To just crack a site that I have a login/PW at, first they need to guess my login. Then they need to guess my PW. So unless the login is obvious, like a public forum that uses your screen name as the login, that adds to the complexity they have to crack. And for most sites, and I would hope all important ones, they lock you out for a time after three bad guesses. So they can't make billions of guesses a second (heck, the site and internet delay wouldn't respond that fast anyhow).
So if a bad guy is randomly attacking a financial site, I'd bet that first they test login names. When they have some that allow you to get through to the password page, they can then start guessing the password (so any site that has two separate screens for login/PW has a weakness - they give the cracker feedback when they guess only a login name, rather than login+PW). Then they hit one account with two guesses, and move on to the next, and come back after the time-out period. That slows them way down. So like the joke about the two hikers and a bear, you don't need to outsmart the hacker, you just need to be more secure than the other guy. Once they've cracked a few easy ones, I'd think the site would alert everyone.
Bottom line, the article seems to be saying it's very hard to have passwords that are good enough if the list gets stolen. So avoid the obvious/easy ones, and by then there should be enough alarm bells going off that the site managers reset everyone's passwords. Seems to me that 'good enough' is good enough.
I've finally cleaned up my password system. For all the sites that I don't really have security concerns about (who cares, and why would someone hack into my account to post to the Chicago Tribune or a hobby forum?), I have a somewhat complex, but easy for me to remember and type pw that I use for all of them. I don't need a list, or a program and it's plenty good enough, IMO.
For sites I am concerned about, I have a standard set of phrases that I use to 'salt' a unique password. The phrases are somewhat complex, but easy for me to remember - not enough to avoid the hacking in a list like this article, but I think 'good enough' to avoid an outside attack. The beauty is, all I need is a list with a reminder of my logon for the site, and the unique part. I can put that in my wallet, or stick it to my monitor, or keep it in a file. The 'salt' phrases I use are only in my head, and written down in some obscure place with no other info tied to it.
So if I wanted an easy to use, but secure password for this site, the unique part might be erorgFIRE, and I'd 'salt' that with my standard phrases, which might be (but aren't) mfOSIU1204 IWMinb80. Those phrases have meaning to me, they stand for something easy to recall, and I combine them with the unique part. So all I need on a sheet of paper is:
ERD50 - erorgFIRE
and that is enough trigger for me to know how to put it together, with my 'salting' pattern. Actually, my standard phrases are shorter, some financial sites won't allow that many char, which I should write to them about.
-ERD50
06-01-2013, 03:24 PM
#5
Administrator
Join Date: Apr 2006
Posts: 22,973
Vanguard allows only 10 characters.
__________________
Living an analog life in the Digital Age.
06-01-2013, 03:33 PM
#6
Recycles dryer sheets
Join Date: Jun 2012
Location: Central Ga
Posts: 230
Quote:
Originally Posted by Gumby
Vanguard allows only 10 characters.
|
They must not want to make it too hard for them (LOL)...
In my last job I had access to 17 different systems - each with its own password and each of those had to be at least 12 - 16 characters long. Most people cannot remember monstrous passwords like that so they are forced to write them down - usually on a memo under their keyboard ...
__________________
If you want someone to believe in you - First you have to believe in yourself and then you go from there...
06-01-2013, 04:02 PM
#7
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Sep 2005
Location: Northern IL
Posts: 26,821
Quote:
Originally Posted by Gumby
Vanguard allows only 10 characters.
|
Yes, that was the one! I ended up using only one of my 'salt' phrases to keep it short enough. Ten char limit really is ridiculous for a financial site.
Also, about that icon thing that Vanguard and others show when you've logged on, but before you put in your password - it's an icon you picked, so it is some protection against a generically spoofed site to capture your password as they would not know your icon. But if they first guess your logon, they can capture your icon too. And now all they need is a 10 digit PW. Not good enough, IMO.
-ERD50
06-01-2013, 04:08 PM
#8
Moderator
Join Date: Feb 2010
Location: Flyover country
Posts: 25,198
I used to do consulting for a Fortune 100 company, and it had one of the best password policies I've ever seen.
First, your password had to be at least 10 characters (this was back in the 90s).
Second, you had to use mixed case and numbers.
Third, you had to change your password every 90 days, and you couldn't re-use any string of 3 characters or more.
AFAIK, they had very little problem with hackers. I often wonder what protection they're using today.
06-01-2013, 04:18 PM
#9
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Sep 2005
Location: Northern IL
Posts: 26,821
Quote:
Originally Posted by braumeister
Third, you had to change your password every 90 days, and you couldn't re-use any string of 3 characters or more.
|
The problem with the 'change it every 90 days' is that no one can remember the PW then. So they end up using simpler ones, and/or writing them down somewhere. I would end up adding the month to the password - how hard is that to guess? And it's just plain frustrating to come in Monday and be locked out, and have to create a new PW while you're still in a daze. So you choose an EZ one.
I think someone here posted a link to an article that explained that these policies ended up actually weakening the PW. If someone is going to crack it, they are trying random combos (maybe with some intelligence, like a dictionary combo) - so what if you change it? It had 90 days, and all it loses is if your new one was a previous failed attempt that it scratched off its list. Seems like weaker passwords have more negatives than the 90 day change has positives?
-ERD50
06-01-2013, 04:22 PM
#10
Moderator Emeritus
Join Date: Jan 2007
Location: New Orleans
Posts: 47,473
Quote:
Originally Posted by braumeister
I used to do consulting for a Fortune 100 company, and it had one of the best password policies I've ever seen.
First, your password had to be at least 10 characters (this was back in the 90s).
Second, you had to use mixed case and numbers.
Third, you had to change your password every 90 days, and you couldn't re-use any string of 3 characters or more.
AFAIK, they had very little problem with hackers. I often wonder what protection they're using today.
|
My (federal) agency required all that PLUS at least one of those weird characters like )(*&^%. And, we had to change our password every 30 days and couldn't repeat an old password for years and years and years (if ever).
The biggest flaw in all of that was people who let other people see their password, kept it under their keyboard or in a little book in the center desk drawer, or on their whiteboard, or actually even told someone what their password was! We had unannounced cubicle checks and required training periodically about these practices but some people never learn.
As for me, at work I didn't even mind being rude to lookiloos who won't look away when I am logging in. I'd just sit there and look at them like they are nuts, and say, "EXCUSE ME?" Co-workers in my cubicle row would crack up when they heard me doing that.
__________________
Already we are boldly launched upon the deep; but soon we shall be lost in its unshored, harbourless immensities. - - H. Melville, 1851.
Happily retired since 2009, at age 61. Best years of my life by far!
06-01-2013, 04:36 PM
#11
Moderator
Join Date: Oct 2010
Posts: 10,656
Quote:
Originally Posted by Gumby
Vanguard allows only 10 characters.
|
Limited password length is indicative of a non-hashed password implementation, which is really weak. A good implementation takes any length password, hashes it with salt through a one-way crypto function that results in a fixed length code, and that is what the company has on their database (even the company doesn't know and can't tell you what your password is...only if the password you typed hashes to the same thing).
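Post #11 describes what a good implementation does: accept a password of any length, mix in a salt, run it through a one-way function with fixed-length output, and store only that output, so a login check compares hashes rather than passwords. The following is an added example written for this thread, not code from the forum or from any company mentioned in it. It uses Python's standard-library PBKDF2-HMAC-SHA256; the iteration count, salt size and the `algorithm$iterations$salt$digest` record layout are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters are assumptions chosen for this example, not a standard any site publishes.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000        # work factor: slows every guess made against a stolen list
SALT_BYTES = 16             # random per-password salt
DIGEST_BYTES = 32           # fixed output length regardless of password length


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt$digest' (base64 fields).

    The site stores only this record; the password itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and work factor, then compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def digest_length(record: str) -> int:
    """Bytes in the stored digest: identical for a 3-character and a 300-character password."""
    return len(base64.b64decode(record.split("$")[3]))


if __name__ == "__main__":
    short = hash_password("BandGeek2014")
    long_ = hash_password("a 60-character passphrase is fine because only its digest is kept!!")
    print(short)
    print("digest bytes:", digest_length(short), digest_length(long_))
    print("same password, two salts, same record?", hash_password("abc") == hash_password("abc"))
    print("verify right:", verify_password("BandGeek2014", short))
    print("verify wrong:", verify_password("bandgeek2014", short))
```

Two points the code makes concrete: a 10-character cap like the one discussed above is unnecessary under this design, because the stored record is the same size whatever the input length; and two users with the same password get different records because each has its own salt, so a cracker working a stolen list cannot hash a guess once and check it against every account.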
06-01-2013, 04:47 PM
#12
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2004
Location: SW Ohio
Posts: 14,404
Quote:
Originally Posted by W2R
My (federal) agency required all that PLUS at least one of those weird characters like )(*&^%. And, we had to change our password every 30 days and couldn't repeat an old password for years and years and years (if ever).
|
And this is why people write passwords down, because the IT security folks have inflicted rules that make it very hard to create rememberable passwords for the 5-10 work accounts many of us have. And if you are working on another screen/computer/paper document, you can bet the first screen will time out (another thoughtful security feature) so you'll be typing that 16 digit "secure" password a LOT. So, many folks have gone to "geographic" passwords using the keyboard layout. That's not very secure, but it meets the IT folks' rules, they can be typed quickly, and it lets people actually get their work done.
The whole information security environment (to include periodic training requirements that don't recognize identical training you recently accomplished at another government organization) is not designed for people who frequently move between locations and networks, and who might not utilize a particular account for 4 months, but then it will be needed quickly. The systems are designed as if everyone goes to the same cubicle every day.
I used to fear the "big brother" and loss of privacy due to biometrics. Now I'd welcome the arrival of high-grade biometrics if it could let us dump these passwords. But, it wouldn't: Some IT security guy would get a promotion for keeping the "higher standard" of passwords AND biometrics. As far as I can tell, the IT security folks believe the only truly secure network is one that people can no longer access thanks to the security requirements.
But, no, this isn't a hot button issue with me.
06-01-2013, 05:11 PM
#13
Thinks s/he gets paid by the post
Join Date: Oct 2009
Posts: 2,107
Quote:
Originally Posted by samclem
And this is why people write passwords down, because the IT security folks have inflicted rules that make it very hard to create rememberable passwords for the 5-10 work accounts many of us have. And if you are working on another screen/computer/paper document, you can bet the first screen will time out (another thoughtful security feature) so you'll be typing that 16 digit "secure" password a LOT. So, many folks have gone to "geographic" passwords using the keyboard layout. That's not very secure, but it meets the IT folks' rules, they can be typed quickly, and it lets people actually get their work done.
The whole information security environment (to include periodic training requirements that don't recognize identical training you recently accomplished at another government organization) is not designed for people who frequently move between locations and networks, and who might not utilize a particular account for 4 months, but then it will be needed quickly. The systems are designed as if everyone goes to the same cubicle every day.
I used to fear the "big brother" and loss of privacy due to biometrics. Now I'd welcome the arrival of high-grade biometrics if it could let us dump these passwords. But, it wouldn't: Some IT security guy would get a promotion for keeping the "higher standard" of passwords AND biometrics. As far as I can tell, the IT security folks believe the only truly secure network is one that people can no longer access thanks to the security requirements.
But, no, this isn't a hot button issue with me.
|
It might be the IT security gang. But you might also look upstairs at the Internal Audit cubicles for the root folks to blame.
__________________
“Of all the paths you take in life, make sure a few of them are dirt.” John Muir
06-01-2013, 05:24 PM
#14
Moderator
Join Date: Feb 2010
Location: Flyover country
Posts: 25,198
I have no idea what 95% of my passwords are. Usernames too, for the most part.
By using password software, I can let it choose very difficult passwords that are too long and random to memorize, then simply use the software to login to whatever I need.
It takes a 12 character password to login to my machine, then a different 12 character password to access my password software.
Once I'm online, it's only two clicks to use the software to login to whatever I need.
06-01-2013, 05:51 PM
#15
Thinks s/he gets paid by the post
Join Date: Jul 2012
Location: Mississippi
Posts: 1,894
Quote:
Originally Posted by braumeister
I used to do consulting for a Fortune 100 company, and it had one of the best password policies I've ever seen.
First, your password had to be at least 10 characters (this was back in the 90s).
Second, you had to use mixed case and numbers.
Third, you had to change your password every 90 days, and you couldn't re-use any string of 3 characters or more.
|
We had similar, in addition you had to use their password generator which gave a string of gibberish for the password.
One system I worked on had a "challenge-response" system. They gave you a magic decoder device; when you connected, their system sent you a string that you had to run through the decoder, take the output from that, send it back, and then you were actually able to login.
06-02-2013, 12:22 PM
#16
Recycles dryer sheets
Join Date: May 2013
Location: Western US
Posts: 226
Quote:
Originally Posted by Gumby
Vanguard allows only 10 characters.
|
Vanguard is also one of those sites that tell you if you type an invalid username. This is against standard security practices. A site should never give any indication whether you got the username or password wrong. If it's a site like Vanguard that prompts for the password on a second page, then the more secure approach would be to fake it and prompt for a password anyway. Don't give the hackers any clues.
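Post #4 describes sites that lock an account for a while after three bad guesses and notes that a two-screen login confirms a username before any password is tried; post #16 makes the same point about a login that tells you the username was invalid. This added example, not from the forum or from Vanguard, is a small login routine that applies both ideas in one step: every failure (unknown user, wrong password, locked account) returns the identical message; an unknown username still goes through the full hash computation, so response time gives nothing away either; and three failures lock the account for a fixed window. The lockout threshold, the window length, the PBKDF2 iteration count and the dummy-credential trick are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Policy values are assumptions for this example.
MAX_FAILURES = 3            # bad guesses before a temporary lock (post #4's "three bad guesses")
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
ITERATIONS = 50_000         # PBKDF2 work factor
GENERIC_FAILURE = "Invalid username or password."   # the only failure text ever returned


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


def derive(password: str, salt: bytes) -> bytes:
    """Salted one-way hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class LoginService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                       # injectable clock so the lock window can be tested
        self.accounts: Dict[str, Account] = {}
        # A throwaway credential that unknown usernames are checked against, so the
        # unknown-user path costs the same as the wrong-password path.
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = derive(os.urandom(16).hex(), self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, derive(password, salt))

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        """Single-step username+password check. Every failure returns the same message."""
        account = self.accounts.get(username)
        if account is None:
            # Unknown user: run the hash anyway, discard the result, give the generic answer.
            hmac.compare_digest(derive(password, self._dummy_salt), self._dummy_digest)
            return False, GENERIC_FAILURE
        now = self.now()
        if now < account.locked_until:
            # Locked: the password is not evaluated at all, and the caller cannot tell.
            return False, GENERIC_FAILURE
        if hmac.compare_digest(derive(password, account.salt), account.digest):
            account.failures = 0
            return True, "Welcome."
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failures = 0
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    print(svc.login("nobody", "guess"))      # unknown user
    print(svc.login("alice", "guess"))       # wrong password: same text as above
    print(svc.login("alice", "correct horse battery staple"))
```

The lock is per account, which is exactly the "two guesses, then come back after the time-out" pace post #4 describes; a site would pair it with source-based rate limiting and an alert to operators when many accounts start failing at once. The cost of the design is visible in the code: during the window even the correct password is refused, so a stranger who keeps guessing can keep the real owner out, which is why the window is short.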
06-02-2013, 01:13 PM
#17
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Sep 2005
Location: Northern IL
Posts: 26,821
Quote:
Originally Posted by cranberryjoe
Vanguard is also one of those sites that tell you if you type an invalid username. This is against standard security practices. A site should never give any indication whether you got the username or password wrong. If it's a site like Vanguard that prompts for the password on a second page, then the more secure approach would be to fake it and prompt for a password anyway. Don't give the hackers any clues.
|
Yes, and this is a big deal. I alluded to this in post #7, but it was kind of buried in my comments about the security image.
I'd suggest that everyone here at ER-ORG should contact Vanguard about this. We have a little more power in numbers. I don't post to bogleheads, but maybe someone should suggest it there too. Makes me wonder how secure their in-house algorithms are in case of a security breach (the real point of the article posted).
-ERD50
06-02-2013, 02:25 PM
#18
Thinks s/he gets paid by the post
Join Date: Feb 2007
Posts: 3,679
I was discussing passwords with another usher before a concert. He says he uses the name of the website interspersed with a standard phrase or number sequence that he has memorized. For example, for www.mybank.com it would be something like M9y0B2a1n0k combining MyBank with 90210. You could use every other character or go 2 characters from each. The idea was to use something easy to know for each website in combination with a secret word or number string.
__________________
Married, both 69. DH retired June, 2010. I have a pleasant little part time job.
06-02-2013, 03:00 PM
#19
Thinks s/he gets paid by the post
Join Date: Jul 2006
Posts: 1,901
My banking and brokerage accounts check my ip address and if unrecognized move to another level of security where you answer prearranged security questions. Seems pretty secure to me. Some even offer key-chain number generators that are entered after your password for additional security.
__________________
“I guess I should warn you, if I turn out to be particularly clear, you've probably misunderstood what I've said” Alan Greenspan
06-02-2013, 03:17 PM
#20
Thinks s/he gets paid by the post
Join Date: Jul 2012
Location: Mississippi
Posts: 1,894
Quote:
Originally Posted by Bikerdude
My banking and brokerage accounts check my ip address and if unrecognized move to another level of security where you answer prearranged security questions. Seems pretty secure to me. Some even offer key-chain number generators that are entered after your password for additional security.
|
Probably they leave a cookie. Most people have dynamic IPs; if they did that, most people would have trouble logging in.