Password's Security

AppleQueso

Re: Password's Security

Post by AppleQueso »

Luke wrote: I'm with Hobie on adding characters to passwords.

I also cannot believe that people still use "password" as their password. Wait, yes I can.
It's so obvious and dumb that nobody would think I'd actually use it! IT'S GENIUS!
Luke
Next-Gen
Posts: 21076
Joined: Wed Jun 10, 2009 9:39 am

Re: Password's Security

Post by Luke »

AppleQueso wrote:
It's so obvious and dumb that nobody would think I'd actually use it! IT'S GENIUS!

There was a recent article in the WSJ that talked about ATM PINs. There's a BIG 80/20 rule with them,
Cronozilla
Next-Gen
Posts: 2609
Joined: Wed Mar 14, 2012 8:15 pm
Location: Oregon, USA.

Re: Password's Security

Post by Cronozilla »

Ivo wrote:
Zing wrote:
Cronozilla wrote:General_Norris has a pretty good point. It's easier to guess something if it's words, as opposed to individual characters. Then it's only 4 items in this instance, as opposed to 44 individual characters.
Doesn't this assume the attacker knows the password is comprised of several dictionary words? This doesn't seem likely, at least not before this cartoon became popular.
It's a standard early approach I think. If it isn't one of the trivial ones and is also not comprised of dictionary words, they probably can either not hack it fast enough for it to be worth their trouble or even cannot hack it at all (i.e. it would take longer than their lifespan to brute force it).
So if it doesn't work they will either keep their method and move onto another target or if they specifically want that target they will try another method (social engineering?).
Yes. Step 1, standard passwords. Step 2 various configurations of words in the dictionary. Step 3, try to guess based on other potentially related accounts. Then they'd move onto brute forcing individual characters, since it's the lowest on the totem in desirability.

There are plenty of ones out there that crawl social sites and try to create account profiles to better guess the password. Or, find the most common password used by this potential user and just try it on all associated accounts. There's a lot of situations involving that old useless hotmail account that you don't care about ... but technically has the same password to your bank account and is thus an avenue.

They might not even give up ... they might have profiles per type of account and even provider and just keep running them on a schedule.

My point was just ... it's a mistake to assume most password cracking software will only try brute force methods.
Someone who only programs using brute force methods likely hasn't been properly trained or just hasn't been programming for very long. Which is not the case with people who write this kind of software.

There are actually other ways of getting in that are likely easier. It has a lot to do with how something is created. A really big problem is when software "trusts" what a user inputs. Very dangerous territory. They could get in and just poll the database.

One of the best ways to protect yourself is to use words that aren't in dictionaries and just ... don't use the same password everywhere.

And the nice thing about random characters ... it ensures they have to use brute force.
That is unless you give a lousy answer for your recovery question ... then they don't even need to mess with the password!
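Added example (not code from anyone in this thread): a toy cracker that tries guesses in the order Cronozilla describes above, common passwords first, then joined dictionary words, and only then character-by-character brute force, against an unsalted SHA-256 hash standing in for a leaked one. It also sizes the search space, which is where the "4 items versus 44 characters" argument comes from. The word lists, separators and targets are constructed here for the demonstration; real wordlists are vastly larger.

```python
"""Staged password guessing vs. plain brute force (illustrative, not a real tool)."""
import hashlib
import itertools
import math
import string

# Constructed lists: a real attacker would use breach dumps and full dictionaries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "playstation3"]
DICTIONARY = ["correct", "horse", "battery", "staple", "apple", "queso",
              "luke", "hobie", "zing", "ivo"]
SEPARATORS = ("", " ", "-")   # how people tend to glue words together


def sha256_hex(s):
    """Unsalted SHA-256 hex digest, standing in for a leaked password hash."""
    return hashlib.sha256(s.encode()).hexdigest()


def search_space_bits(alphabet_size, length):
    """log2 of the number of candidates: `length` symbols drawn from an alphabet.

    A 4-word passphrase from a 10-word list is 4*log2(10) ~ 13 bits; the same
    44 letters treated as random lowercase characters is 44*log2(26) ~ 207 bits.
    """
    return length * math.log2(alphabet_size)


def staged_crack(target_hash, max_words=4,
                 brute_charset=string.ascii_lowercase, brute_max_len=4):
    """Try guesses in the staged order; return (stage, guess, attempts).

    Returns (None, None, attempts) if no stage found the password, which is
    what random characters outside the charset (e.g. digits/symbols) achieve
    against a lowercase-only brute-force stage.
    """
    attempts = 0

    # Stage 1: the handful of passwords that account for a huge share of accounts.
    for guess in COMMON_PASSWORDS:
        attempts += 1
        if sha256_hex(guess) == target_hash:
            return ("common", guess, attempts)

    # Stage 2: every combination of 1..max_words dictionary words, with separators.
    for n in range(1, max_words + 1):
        seps = SEPARATORS if n > 1 else ("",)   # separators are meaningless for one word
        for words in itertools.product(DICTIONARY, repeat=n):
            for sep in seps:
                guess = sep.join(words)
                attempts += 1
                if sha256_hex(guess) == target_hash:
                    return ("dictionary", guess, attempts)

    # Stage 3: brute force, last because it is the most expensive per bit recovered.
    for n in range(1, brute_max_len + 1):
        for chars in itertools.product(brute_charset, repeat=n):
            guess = "".join(chars)
            attempts += 1
            if sha256_hex(guess) == target_hash:
                return ("brute", guess, attempts)

    return (None, None, attempts)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple", "zz", "q7x"]:
        print(pw, "->", staged_crack(sha256_hex(pw), brute_max_len=3))
    print("4 words from 10:", round(search_space_bits(10, 4), 1), "bits")
    print("44 lowercase chars:", round(search_space_bits(26, 44), 1), "bits")
```

The point the numbers make: a passphrase is only as strong as the size of the list it was drawn from and the number of words, not the number of letters on screen. Four words from a 2048-word list is about 44 bits, which is decent; four words from the ten an attacker scraped off your profile is not.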
flex wood
Next-Gen
Posts: 2695
Joined: Tue Jul 20, 2010 10:53 pm
Location: Minneapolis

Re: Password's Security

Post by flex wood »

My favorite bad password I've ever used was playstation3 after the PSN hack. I've changed it since then though, so I don't care anymore.
GameMasterGuy
Next-Gen
Posts: 1573
Joined: Sun Nov 27, 2011 2:38 pm

Re: Password's Security

Post by GameMasterGuy »

flex wood wrote:My favorite bad password I've ever used was playstation3 after the psn hack. I've changed it since then though so I don't care anymore.
Pfft, I can top that. Until about six years ago my universal password was "123456".
Is that a 3DS XL in your pocket, or are you just glad to see me? ~ZeroAX
RCBH928
Next-Gen
Posts: 6082
Joined: Wed Apr 02, 2008 6:40 am

Re: Password's Security

Post by RCBH928 »

Hobie-wan wrote:
But as the XKCD cartoon says, the longer it gets, the more difficult. Even if you just had passwords that were number only. A 1 digit password has 10 possibilities. A 2 digit one has 100. And so on; each additional character is 10 times more possibilities. Even limiting to lower case English letters, at 44 places, that's 26 x 26 x 26 and so on out 44 times.
So can I just use a password containing 15 digits of 1?
11111-11111-11111 :lol:

But seriously, I didn't get you guys: is a longer password better, or a more complicated one with capitals and symbols?

I also think using different usernames is even better than hiding your password. If someone figures out your password, he can't use it unless he knows your handle name. For example, if someone wanted to hack my email he will have to check
kingmohd84@gmail , kingmohd84@hotmail, kingmohd84@yahoo . But if I was using something like [email protected] , he can't find me... at least that's what I think.

Can someone elaborate on how passwords are breached? Accounts get stolen too often.
-Do they use brute force software, guessing infinitely?
-Do they capture data sent over a wire/wireless network?
-Do they gain access to your computer and search in some system file place where passwords are saved?

It's pretty scary to see huge companies like Sony get hacked; it makes you feel that your information is never safe.
Hobie-wan
Next-Gen
Posts: 21705
Joined: Sat Aug 15, 2009 8:28 pm
Location: Under a pile of retro stuff in H-town

Re: Password's Security

Post by Hobie-wan »

kingmohd84 wrote: It's pretty scary to see huge companies like Sony get hacked; it makes you feel that your information is never safe.
Think about it this way. Even in a huge company, there might be at most 100 people working on data security, but usually far fewer. Those people are up against thousands of potential hackers.
Cronozilla
Next-Gen
Posts: 2609
Joined: Wed Mar 14, 2012 8:15 pm
Location: Oregon, USA.

Re: Password's Security

Post by Cronozilla »

Maybe. There's conceivable ways to get around different usernames, though ... like just tracking the address which isn't going to change all the time.

You're right, a longer password isn't better if it's all the same character. There's ways to go about cracking these things ... and again, it's not usually brute force. So any sort of repeating pattern is usually a bad idea.

One of the mistakes to make when thinking about this is thinking that a person is manually doing this to you. They're not. We're talking about large compiled databases that map out potential commonalities with various users they might have snagged on to and using heuristics and potentially some AI or ML sorting and searching techniques to match things up.

Sometimes it has nothing to do with users themselves, but the service you're using that is vulnerable. You could have the greatest password in the world ... but if the service itself is poorly operated it won't do you any real good if the service comes under any real threat. And sometimes malware can use your computer to help carry these things out, or to gather data from you.

Nothing, personally, peeves me more than a database scheme that stores things like passwords as text. It's just a really dumb thing to do. I'd argue it's better to salt and encrypt them using some RSA scheme ... but RSA has been broken. SSL can be spoofed. So, it's not really 100% from any direction ... there's just a risk involved with interacting with the online world.
Ivo
Next-Gen
Posts: 3627
Joined: Tue Mar 28, 2006 11:24 am
Location: Portugal

Re: Password's Security

Post by Ivo »

Cronozilla wrote: 1. There's a lot of situations involving that old useless hotmail account that you don't care about ... but technically has the same password to your bank account and is thus an avenue.

(...)

2. There's actually other ways of getting in that's likely easier. Has a lot to do with how something is created. A really big problem is when software "trusts" what a user inputs. Very dangerous territory. They could get in and just poll the database.

(...)

3. That is unless you give a lousy answer for your recovery question ... then they don't even need to mess with the password!
These are 3 that I don't really get (but maybe it is just people doing silly stuff that I don't do).

With something like 1., ok it is a mistake to use the same password in the bank, but the hacker still has to get the hotmail account. Given that in this scenario it is an unused one, that rules out trojans. How does the hacker get the password then?

2. I just don't know exactly what you are referring to here, but that is I think in a scenario where it isn't the user's fault right?

3. And this is the other one I never understood. Unless this is really badly designed, guessing a security question should only reset the password. So to really compromise the account the hacker would have to intercept the transmission (not user's fault) or ALSO hack the respective e-mail account (which shouldn't even be mentioned on the site with the security question).

Could people in the know explain more about these 3?

Ivo.
Cronozilla
Next-Gen
Posts: 2609
Joined: Wed Mar 14, 2012 8:15 pm
Location: Oregon, USA.

Re: Password's Security

Post by Cronozilla »

It's not simple stuff, for sure. And I am talking a bit too generally, so I apologize about that.

#1:
They crack the password through various means that we've already been talking about then it can be applied on various other accounts to see if it works. It's important to remember, it is NOT a human doing this, it's a piece of code running on some sort of server or server cluster ... it can do a lot of these per second ... 1000 times a second is somewhat of a reserved number considering how many connections the cluster system can make all at once on several accounts.
#2:
No. Not the user's fault. The programmer's fault. When you accept input from a user ... say a username or password, you need to check that it conforms to what you want. If you don't, and you assume that the data is "good", you make yourself vulnerable, because that data gets written to memory. There's a lot of tricks you can pull by doing that. You can write some stuff ... then some machine code. You can cause SQL injections which give you access to the database, things like that. It's very dangerous to just let users insert anything they like.
#3:
It depends on how the system is designed. Some allow you to reset the password right then and there and then get immediate access to the website.
For scope, it's important to recognize it's not some individual guy personally attacking you. It's generally a set of servers, or just linked computers, actively mining data, producing profiles, and trying to figure out various potential facts about users in that list.

The people who design these things know computers better than most developers do. They also analyze and poll common pieces of software on testbeds for various vulnerabilities.

But, the only point I was making is that these people are clever ... and purely worrying about brute force methods for your password on a character by character basis almost seems silly at this point. I get the cartoon's joke, but it's somewhat missing the point if the cracker can just look the words up in several thousand dictionaries all at once and try millions of permutations fairly quickly (depending on algorithm efficiency :P).

In terms of people individually hacking someone's account ... that's usually some tool assist junk that they likely downloaded. If you know the service, and who it is ... it makes things a bit easier.

What I know about this stuff is generally from the perspective of the programmer or how to stop the poor practices that even allows stuff like this to be possible in the design of your software. So, I know from the cracking perspective, I'm not 100% on the mark in all the information, but that's just because I don't do that kind of stuff. But I do have an understanding on how to safeguard against it, in general, and that's the perspective I'm speaking from.

Also, Long posts are long.
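Added example (not code from anyone in this thread) of point #2 above, the SQL injection that comes from trusting user input: a login check that pastes the username straight into the query, next to the same check done with bound parameters and an allowlist on the username. The table, users and the `alice' --` payload are constructed for the demonstration, and the unsalted SHA-256 is there only to keep the example short; a real store would use a salted, slow password hash.

```python
"""Login query: string-built (injectable) vs. parameterized (not)."""
import hashlib
import re
import sqlite3

# Allowlist for usernames: reject anything that is not a plain handle before it
# reaches the database at all (defense in depth on top of parameterization).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def _toy_hash(password):
    """Unsalted SHA-256, used only to keep this example short."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """Constructed in-memory user table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", _toy_hash("correct horse battery staple")),
        ("bob", _toy_hash("123456")),
    ])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input becomes SQL syntax.

    With username "alice' --" the WHERE clause becomes
        username = 'alice' --' AND password_hash = '...'
    and everything after -- is a comment, so the password is never checked.
    """
    query = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, _toy_hash(password)))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Bound parameters: the driver sends values separately from the SQL text,
    so a quote or comment marker in the username is just data."""
    if not USERNAME_RE.match(username):
        return False   # not a valid handle, so it cannot be a valid login either
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _toy_hash(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse battery staple"),
                     ("alice' --", "anything"),
                     ("' OR 1=1 --", "anything")]:
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "safe:", login_safe(db, user, pw))
```

The fix is not escaping quotes by hand; it is never building the statement out of user-supplied text in the first place. The allowlist is a second, independent check that also keeps junk out of logs and error messages.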