Online passwords!!!

I had wondered that too, but I think this is the answer. They aren't after your account, they are after any account, and as many as they can hack.

So they try once, maybe twice on yours, then move to the next one. They probably have millions that they can try. And then they come back a day or so later, and try again. Eventually, they get some open.

Makes no difference if they try your account a million times, or a million accounts one time. Odds are the same. Maybe someone who is/was in the security business can confirm/deny this?

-ERD50
Interesting analysis. If that's the case then from an "individual" standpoint a short password wouldn't be a problem because they only get a couple of tries on MY account before they have to move on to another account out of the millions they are trying. I guess I'm not certain I actually understand exactly what the vulnerability is from an individual's standpoint of a short password.
 
> Interesting analysis. If that's the case then from an "individual" standpoint a short password wouldn't be a problem because they only get a couple of tries on MY account before they have to move on to another account out of the millions they are trying. I guess I'm not certain I actually understand exactly what the vulnerability is from an individual's standpoint of a short password.
Suppose they get in through the back door i.e. they get hold of the hashed database of all the users. This could happen through sophisticated hacking or maybe a person on the inside of the institution.

The most vulnerable in that case is (I think) the short password accounts. This is because the bad guys have all the tries they want only limited by computational speeds.
 
> Interesting analysis. If that's the case then from an "individual" standpoint a short password wouldn't be a problem because they only get a couple of tries on MY account before they have to move on to another account out of the millions they are trying. I guess I'm not certain I actually understand exactly what the vulnerability is from an individual's standpoint of a short password.

I would imagine that in their scans of millions of accounts, they start with short, easy passwords because many people don't bother with long ones, and special chars and such. So they go for the low hanging fruit. Those people are probably less secure about things in general, and easier to hack?

A few years ago, I downloaded a list of the 64,000 most common passwords. Lots of low hanging fruit there. A few samples:

momof2
momof3
momof4
momof5

etc.

edit/add: Also what Lsbcal just posted


-ERD50
 
> Suppose they get in through the back door i.e. they get hold of the hashed database of all the users. This could happen through sophisticated hacking or maybe a person on the inside of the institution.
>
> The most vulnerable in that case is (I think) the short password accounts. This is because the bad guys have all the tries they want only limited by computational speeds.
So, there is another electronic "door" to the account other than the logon I have to use that limits me to 3 tries before shutting down so the limitation doesn't apply and they get to try millions of combinations?
 
Sounds bad, but it sounds like you were logged in to request the password reset, so maybe that's how that worked?

This is another reason why having the login and the password on the same entry screen of the web page is important. If it fails, it should say that either login or password is incorrect, so no clue as to which. Otherwise, once they guess the login, they can request a password reset.

So yes, it is important to have a strong email password - in the case above, once they have your email, they can intercept password resets - especially dangerous if the login to the account is the email address!



But they wouldn't know which part was shared - I don't think it's adding any risk.

And what advantage is there to changing your password often? I think that has been exposed as a myth - it often leads to people using simpler passwords. It's not like a bad guy is going to sit on a hacked password for 6 months before using it.

-ERD50
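The point in the post above about the error message not revealing which half was wrong is a well-known bug class, username enumeration. The following is an added example (not code from anyone in this thread) showing a login routine that leaks which usernames exist next to one that returns a single message and does the same hashing work on both paths. The user store, the "alice" account and its password are constructed demo data.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_store(creds: dict) -> dict:
    """Build username -> (salt, hash) from a dict of constructed demo credentials."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(pw, salt))
    return store


# Constructed demo data: one account. Nothing here is a real credential.
USERS = make_store({"alice": "correct horse battery staple"})

# Dummy record used for unknown usernames so the failure path costs the same
# (an attacker can otherwise tell "no such user" from "wrong password" by timing).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)

FAIL_MSG = "login or password is incorrect"


def login_leaky(store, user, password) -> str:
    """Vulnerable: the error text tells the caller whether the username exists."""
    if user not in store:
        return "unknown user"
    salt, stored = store[user]
    if _hash(password, salt) != stored:
        return "wrong password"
    return "ok"


def login_uniform(store, user, password) -> str:
    """Hardened: one message for any failure, and the same hashing work either way."""
    salt, stored = store.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    if user in store and hmac.compare_digest(candidate, stored):
        return "ok"
    return FAIL_MSG


def enumerate_users(login, store, candidates) -> set:
    """What an attacker does with a leaky endpoint: probe names with a junk
    password and keep those whose response differs from a name known not to exist."""
    baseline = login(store, "no-such-user-" + os.urandom(4).hex(), "x")
    return {u for u in candidates if login(store, u, "x") != baseline}


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("leaky endpoint reveals:", enumerate_users(login_leaky, USERS, names))
    print("uniform endpoint reveals:", enumerate_users(login_uniform, USERS, names))
```

The same rule applies to the "forgot password" form mentioned in the post: it should respond identically whether or not the address is registered, otherwise it becomes the enumeration oracle the login page no longer is.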

Shared password pattern - You're right to the extent that the hacker is working on one account. If they should hack more than one account, they will likely start with a pattern to break your password. Hackers are not just using your pattern but the patterns of everyone. Or, they might be using your pattern if you are unlucky enough to have 2+ of your accounts hacked (Home Depot and Facebook). Hackers could look at similarities in passwords and user names to get a head start.
Many people on this string liked your approach. If they follow your password concept, hackers will start with the similar pattern. It is not a guarantee they will get into your account but easier than a unique and unpatterned approach as provided by password generators.

Password Updates - I do not agree that password updates are a myth. Hacking is an algorithm which means that longer and non-patterned passwords take more time to break. And changing them, forces a hacker to start all over. Putting time and difficulty on your side is a good idea.

No doubt people approach passwords differently. The generators make life fairly easy to develop unique and difficult passwords, and no doubt add a layer of safety since these passwords have no patterns and can be easily changed often. I know I am following an extra layer of caution but it seems as computer power gets stronger, this effort is important to protect my information.
 
> So, there is another electronic "door" to the account other than the logon I have to use that limits me to 3 tries before shutting down so the limitation doesn't apply and they get to try millions of combinations?
Another electronic door does not exist if there is excellent institutional security. We can only hope for the best and employ best practices ourselves.

I guess all bets are off if there is a cyber war. Individual accounts are pretty well protected as long as there are only a few attacks. But should it get massive ... who knows. Now I'm moving into the paranoid realm. :)
 
> ...
> Password Updates - I do not agree that password updates are a myth. Hacking is an algorithm which means that longer and non-patterned passwords take more time to break. And changing them, forces a hacker to start all over. Putting time and difficulty on your side is a good idea. ...

I'm not following this. The hacker does not know if I changed it or not. They are trying one after another. I don't see how changing my PW in the middle of their attempt changes the odds at all.

Let's say they are half way through their attempt, they have not hit my PW yet, and I change it. Maybe I changed it to one they already tried - OK, but what are the odds (it probably means I changed it from a complex one to a simpler one)? If they didn't already get it (they would stop anyhow), that means my current PW is either not something they ever will try, or they just didn't hit it yet. So if I change my PW now, odds are it's another one they won't try, or just another one in their algorithm, and they will eventually hit the new one.

I just don't see how changing a PW (assuming equivalent strengths) does anything for me.

-ERD50
 
> ...
>
> I just don't see how changing a PW (assuming equivalent strengths) does anything for me.
>
> -ERD50
For myself, I agree that having a strong PW is good enough. No need to constantly change it. That would be for the individuals like us who just have bank accounts to protect.

For someone involved in the kind of activities that could be useful to monitor (stealing information but leaving no trace), it is easy to see that frequent PW changes would close the door on the nefarious activity. I'm thinking of limiting corporate espionage, political espionage, etc. But in such an environment they might use biometric methods in addition to PW's? Anyone from the CIA here to tell us? :)
 
> I'm not following this. The hacker does not know if I changed it or not. They are trying one after another. I don't see how changing my PW in the middle of their attempt changes the odds at all.
>
> Let's say they are half way through their attempt, they have not hit my PW yet, and I change it. Maybe I changed it to one they already tried - OK, but what are the odds (it probably means I changed it from a complex one to a simpler one)? If they didn't already get it (they would stop anyhow), that means my current PW is either not something they ever will try, or they just didn't hit it yet. So if I change my PW now, odds are it's another one they won't try, or just another one in their algorithm, and they will eventually hit the new one.
>
> I just don't see how changing a PW (assuming equivalent strengths) does anything for me.
> -ERD50

A lot of hacks involve stealing the entire database; all they need is one admin password login and they have millions of users' information.
Now either they want to use it themselves or they sell the database or portions of it on the dark net.
So assuming the database is encrypted (some are not).
The buyer then can run programs against the encrypted passwords to break them.
Once broken they have your login, password, etc...

If you changed your password every 30 days, they would probably never be able to get access to your account as they would always have an old password.
In real life nobody is going to do this, so it's important to change the password once you hear of a hack (even if the company says the database was not touched).
 
The worst thing is some sites do not encrypt your data, even the passwords.
It would be small sites not banks.

Once I forgot my password and clicked on the "forgot password" link.
The site sent me my password in the email, which means it's not encrypted in any secure way.
Either it was stored as plain text, or they could decrypt it with a key, and you can be sure they use the same key for all accounts, so it was useless as a security effort.
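Two posts in this thread describe the same back-door scenario: Lsbcal's point that once the hashed database is stolen the attacker's only limit is computation, so short passwords fall first, and the post above about a site that can e-mail you your password. The block below is an added example, not code from the thread or from any site mentioned in it. It brute-forces an unsalted SHA-256 of a short constructed password to show how the guess count grows with length, and contrasts a store that keeps the password itself (the only way "forgot password" can send it back) with one that keeps a salted, slow PBKDF2 hash. The password "dog" and the iteration count are constructed choices.

```python
import hashlib
import hmac
import itertools
import os
import string

LOWER = string.ascii_lowercase


def fast_hash(pw: str) -> str:
    """Unsalted single SHA-256: cheap to compute, so cheap to brute-force offline."""
    return hashlib.sha256(pw.encode()).hexdigest()


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def crack_fast_hash(target_hex: str, alphabet: str, max_len: int):
    """Offline exhaustive search; nothing throttles it but hashing speed.

    Returns (password, guesses_made) or (None, guesses_made).
    """
    guesses = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guesses += 1
            candidate = "".join(combo)
            if fast_hash(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


# --- What a site that can e-mail you your password must be doing ---------------

class RecoverableStore:
    """Keeps the password itself (plaintext or reversibly encrypted with one site key)."""

    def __init__(self):
        self._db = {}

    def register(self, user, pw):
        self._db[user] = pw

    def forgot_password(self, user):
        return self._db[user]  # one database dump exposes every account


# --- What it should be doing instead -------------------------------------------

PBKDF2_ITERATIONS = 200_000  # constructed choice; tune to tens of ms per hash in production


def slow_hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


class HashedStore:
    """Keeps a per-user random salt and a slow salted hash; the password is not recoverable."""

    def __init__(self):
        self._db = {}

    def register(self, user, pw):
        salt = os.urandom(16)
        self._db[user] = (salt, slow_hash(pw, salt))

    def verify(self, user, pw) -> bool:
        salt, stored = self._db[user]
        return hmac.compare_digest(slow_hash(pw, salt), stored)

    def forgot_password(self, user):
        return None  # nothing to send back; the site can only start a reset flow


if __name__ == "__main__":
    found, guesses = crack_fast_hash(fast_hash("dog"), LOWER, 4)
    print(f"cracked {found!r} after {guesses} guesses")
    for n in (4, 8, 12):
        print(f"lowercase up to {n} chars: {keyspace(26, n):,} candidates")
```

The salt defeats precomputed tables and forces the attacker to work on each account separately; the iteration count makes each guess hundreds of thousands of times more expensive than the single SHA-256 above. Neither rescues a password that is in the common-password list from the earlier post, which the attacker tries first.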
 
> I just don't see how changing a PW (assuming equivalent strengths) does anything for me.
>
> -ERD50

Hackers have been known to break into a web site database then offer up the list of user names and passwords for sale. I just found out from a monitoring agency that I'm signed up with that my user account (email address) and password showed up on one such list. Who knows if my other user account names are showing up on such lists; they aren't being tracked. Makes me think that having strong unique passwords and changing frequently is worthwhile.
 
This thread is very interesting and informative. Seems like the consensus is that an 8 character length password is no longer adequate. Which begs the question, how many characters (in today's world) is considered safe? 10? 12? at least 16? I know the longer the more secure, but if I was to input a randomized password in a smartphone, for example, I'd much rather only enter what is adequately safe and not go to typo hell :( with a really long password.
 
> This thread is very interesting and informative. Seems like the consensus is that an 8 character length password is no longer adequate. Which begs the question, how many characters (in today's world) is considered safe? 10? 12? at least 16? I know the longer the more secure, but if I was to input a randomized password in a smartphone, for example, I'd much rather only enter what is adequately safe and not go to typo hell :( with a really long password.

I use the maximum length and complexity (symbols, etc) allowed by each site for both user IDs and passwords. I also use Password Safe which has an Android version which I use on my smartphone. So the only password I ever type out (PC or phone) is the global password for the Password Safe application. Inspired by this thread, I increased the global password from 6 characters (with no symbols) to 19. I wanted the max that I could remember and easily type, but still use a complex mix of letters, numbers, and symbols.

As suggested earlier in the thread, there are lots of websites where you can test the strength of your password. I would suggest entering something "similar" to your proposed password rather than the actual. According to the tests I did, 19 is probably overkill. But I'm OK with that.
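The "how many characters" question above, and ERD50's earlier point that an online attacker gets only a few tries per account, both come down to keyspace divided by guess rate. Rather than pasting a password into a strength-checking website, the added example below (not from anyone in this thread) generates a random password with `secrets`, computes its entropy, and estimates the expected crack time under three assumed guess rates: an online login that locks out after 3 tries a day, an offline attack on a fast unsalted hash, and an offline attack on a slow KDF. The rates are assumptions for illustration, not measurements.

```python
import math
import secrets
import string

# Character sets a password generator might draw from.
CHARSETS = {
    "lowercase": string.ascii_lowercase,                                               # 26
    "letters+digits": string.ascii_letters + string.digits,                            # 62
    "letters+digits+symbols": string.ascii_letters + string.digits + string.punctuation,  # 94
}

# Assumed guessing rates (illustrative, not measured): an online login that locks
# after 3 tries per day, an offline attack on a fast unsalted hash, and on a slow KDF.
ATTACK_RATES = {
    "online, 3 tries/day lockout": 3 / 86_400,
    "offline, fast hash (assumed 1e10/s)": 1e10,
    "offline, slow KDF (assumed 1e5/s)": 1e5,
}

SECONDS_PER_YEAR = 365.25 * 86_400


def random_password(length: int, alphabet: str) -> str:
    """Uniformly random password; `secrets` is the right RNG for this, not `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a random password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2 / guesses_per_second


def crack_time_years(length: int, alphabet: str) -> dict:
    bits = entropy_bits(length, len(alphabet))
    return {name: expected_seconds(bits, rate) / SECONDS_PER_YEAR
            for name, rate in ATTACK_RATES.items()}


def minimum_length(alphabet_size: int, guesses_per_second: float, horizon_seconds: float) -> int:
    """Smallest length whose expected crack time exceeds the given horizon."""
    n = 1
    while expected_seconds(entropy_bits(n, alphabet_size), guesses_per_second) <= horizon_seconds:
        n += 1
    return n


if __name__ == "__main__":
    for name, alphabet in CHARSETS.items():
        for length in (8, 12, 16):
            years = crack_time_years(length, alphabet)
            print(f"{name:24s} len={length:2d} bits={entropy_bits(length, len(alphabet)):5.1f}  "
                  + "  ".join(f"{k}: {v:.2e} y" for k, v in years.items()))
    ten_years = 10 * SECONDS_PER_YEAR
    for name, alphabet in CHARSETS.items():
        need = minimum_length(len(alphabet), 1e10, ten_years)
        print(f"to outlast 10 years of the assumed fast offline attack, {name} needs {need} chars")
    print("sample:", random_password(16, CHARSETS["letters+digits+symbols"]))
```

Running it shows why the thread keeps circling back to the stolen database: against a 3-tries-a-day lockout even 8 random lowercase letters take tens of millions of years, while the same password against a fast offline hash falls in seconds. The numbers only hold for passwords chosen uniformly at random, as a password manager does; a human-chosen "momof2" has far less entropy than its length suggests.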
 
> I use the maximum length and complexity (symbols, etc) allowed by each site for both user IDs and passwords. I also use Password Safe which has an Android version which I use on my smartphone. So the only password I ever type out (PC or phone) is the global password for the Password Safe application. Inspired by this thread, I increased the global password from 6 characters (with no symbols) to 19. I wanted the max that I could remember and easily type, but still use a complex mix of letters, numbers, and symbols.
>
> As suggested earlier in the thread, there are lots of websites where you can test the strength of your password. I would suggest entering something "similar" to your proposed password rather than the actual. According to the tests I did, 19 is probably overkill. But I'm OK with that.

There's no phone app version of the password manager I used on my computer. So, I just keep a few passwords (like for Facebook) on a different password manager on my phone. Some websites look too tiny for me anyhow when viewing by the phone.
 
I use LastPass and am happy with it. In addition to synching across multiple devices, it is a convenient way to let a trusted family member access my accounts should I become impaired (that is, more impaired:)).
 
> A lot of hacks involve stealing the entire database; all they need is one admin password login and they have millions of users' information.
> Now either they want to use it themselves or they sell the database or portions of it on the dark net.
> So assuming the database is encrypted (some are not).
> The buyer then can run programs against the encrypted passwords to break them.
> Once broken they have your login, password, etc...
>
> If you changed your password every 30 days, they would probably never be able to get access to your account as they would always have an old password.
> In real life nobody is going to do this, so it's important to change the password once you hear of a hack (even if the company says the database was not touched).

OK, but if that's the scenario, then changing even every 30 days won't help, will it? At the point they crack it, they would have an average of 15 days before you changed it on them. Something tells me that once they crack it, someone gets to work on it, they don't let it 'age'.

Now changing after you've been notified of a hack - I agree with that.

So I'm still thinking that "change your password 'often'" is just a feel-good action, with little actual benefit.

-ERD50
 
Can anyone tell me what level of security is being used when I allow a browser to save my log-in info. Both Firefox and Edge offer every time I need to log-in. For any meaningful website, I have not been willing to allow log-in to be saved in fear of being easily recovered by unauthorized access.
Thanks
Nwsteve
 
As far as I know the browser locally encrypts your credentials in a password file.

So it's safe as long your PC is safe. If your computer gets infected with malware, all bets are off.

I wouldn't use it for important logins.
 