
(Ars Technica) Your password is slightly more secure than that piece of wire that keeps the door to your storage shed closed (arstechnica.com)

4745 clicks; posted to Geek » on 23 Aug 2012 at 8:34 AM (1 year ago)



 
2012-08-23 08:22:24 AM
What kind of idiot uses only a piece of wire? You augment the wire with a brick to hold shut the bottom corner, everybody knows that.
 
2012-08-23 08:27:38 AM
HA! I make it a point to tape razor blades onto the backs of all my passwords. That way, anyone that tries to steal them will get A FISTFUL OF STAINLESS STEEL, BIATCHES!
 
2012-08-23 08:28:44 AM
Actually, mine is considerably more secure than average, and it's rather easy for me to remember.
 
2012-08-23 08:38:07 AM
Based on my 5 second scan of the article it's about brute forcing passwords. The simple fact is this is a solvable problem and has been for some time. It just takes clueful infosec people and clueful systems people.

/which - admittedly - most companies lack
//infosec guy
 
jgi
2012-08-23 08:38:59 AM
How Secure Is My Password?

JavaScript rendered client side, so no passwords are stored on their servers. You can load the page, shut off your internet connection, and it'll still work.

My password, easy for me to remember, would take 20 billion years. Not too shabby. Add one more character to it and it's 849 billion years.
 
2012-08-23 08:40:58 AM
There are a lot of sites that I use the same password for, particularly if it doesn't really matter if someone were to hack it.

Ooh, someone has access to my lite Fark and slashdot account. My life would just be over.

Banking and things like that which involve real money or reputation do get their own passwords.
 
2012-08-23 08:42:01 AM
imgs.xkcd.com
 
2012-08-23 08:43:47 AM
Can someone explain the Rainbow Tables a little better? That math went right over my head.
 
2012-08-23 08:45:36 AM
According to the website, my root password would take a desktop PC over 200 trillion years to crack using brute force.

/I used something that is "similar" to my root password because I'm not dumb enough to type it into a website just because someone else says it's okay
 
2012-08-23 08:48:10 AM
Takeaway FTA? Don't use the same flippin' password for different services/resources.
 
2012-08-23 08:49:13 AM
KeePassx.org

durrrr.......you're welcome

oooga booga
 
2012-08-23 08:50:48 AM

moistD: Can someone explain the Rainbow Tables a little better? That math went right over my head.


Knowing a password algorithm, you pre-generate a table of password hashes for all the possible passwords; then, instead of having to crack each password individually, you just compare to your rainbow table. If you get a match there, you then know what the password is.
 
2012-08-23 08:55:48 AM

Pinko_Commie: moistD: Can someone explain the Rainbow Tables a little better? That math went right over my head.

Knowing a password algorithm, you pre-generate a table of password hashes for all the possible passwords; then, instead of having to crack each password individually, you just compare to your rainbow table. If you get a match there, you then know what the password is.


I thought those were just the hash tables. The Rainbow Tables were some crazy way of compacting all of that data so they can store more data in less space and that flowchart lost me.
 
2012-08-23 08:58:19 AM
But the Fark Social Security number filter is still safe, right? Let's see.

XXX-XXX-XXXX

Thank goodness.
 
2012-08-23 08:58:39 AM

jgi: How Secure Is My Password?

JavaScript rendered client side, so no passwords are stored on their servers. You can load the page, shut off your internet connection, and it'll still work.

My password, easy for me to remember, would take 20 billion years. Not too shabby. Add one more character to it and it's 849 billion years.


157 billion years for my Fark password (no caps, no special characters). This site is sort of entertaining.

Although if I used my full name it would take 67 trillion years. Hmm. Not gonna do that.
 
2012-08-23 08:59:43 AM
media.screened.com
 
2012-08-23 09:01:31 AM
Your password is only as good as your ability to remember it.
 
2012-08-23 09:05:30 AM
I'm going for a security by obscurity kind of thing. My passwords aren't overbearingly strong but they are different across different sites and key sites like email, twitter, facebook and amazon all have unique passwords.

That XKCD is great if you only have one hard to guess master password and use a password tool, but most people have services and accounts and that requires multiple passwords. I probably have close to fifty passwords, some unique, some not depending on importance.

Someone should post the XKCD about password re-use. This is more relevant to most people. There are a billion people on the internet. Who has 3 days to brute force a password especially since the most competent services limit log-in, require captcha and monitor for attacks. More likely they steal your password from a less secure service and use it on a more secure one.
 
2012-08-23 09:05:42 AM
NAME's shed door wire is live at 50,000 volts and no warning sign.

Heh.
 
2012-08-23 09:06:37 AM
A friend of mine had the brilliant idea of using non-English words. Since it seems that the brute force methods use lists of words from Websters, then maybe some form of "La voiture rouge est en feu" would work rather well.

//Not my password.
///Srsly.
 
2012-08-23 09:10:28 AM
gingerjet
Based on my 5 second scan of the article it's about brute forcing passwords.


Not really.
It's more about stuff that is done instead of just brute-forcing:

The main point probably was that you can easily get the majority of passwords using a combination of more horse power (adding multiple GPUs) and looking at the millions of already cracked passwords to fine-tune your dictionaries and rules to generate password guesses.
While the general approach of dictionaries and rules isn't new, crackers now don't have to guess the most likely words and methods which people use to come up with their passwords, they now have a gigantic data set of real-world examples available.
 
2012-08-23 09:11:21 AM

ModernLuddite: A friend of mine had the brilliant idea of using non-English words. Since it seems that the brute force methods use lists of words from Websters, then maybe some form of "La voiture rouge est en feu" would work rather well.

//Not my password.
///Srsly.


That is covered in the article; they have so many standard algorithms now that do character replacement in strings that it doesn't matter. Also, dictionary dumps are not used anymore now that sites are being hacked and they have had plain text password dumps. They know how people create passwords, which means they have made their algorithms even smarter: some absurd % of people who use capital letters always put it at the beginning, etc. All of the letter replacement with numbers is easily written in code. And then look at how many words they can process in seconds; it's amazing. Truly read the entire article; it's quite fascinating.
 
2012-08-23 09:20:20 AM
According to howsecureismypassword.net, the password howsecureismypassword would take four trillion years to crack.
 
2012-08-23 09:24:32 AM
consider this
Great, now I'm paranoid about my passwords, thanks subby.


consider this
19 seconds for the password I use on most sites.


Ah, so it's your first name followed by your birthdate.
 
2012-08-23 09:30:40 AM

Wellon Dowd: According to howsecureismypassword.net, the password howsecureismypassword would take four trillion years to crack.


Not for them, since you just offered them your password.
 
2012-08-23 09:39:03 AM

jgi: How Secure Is My Password?

JavaScript rendered client side, so no passwords are stored on their servers. You can load the page, shut off your internet connection, and it'll still work.

My password, easy for me to remember, would take 20 billion years. Not too shabby. Add one more character to it and it's 849 billion years.


Wow, that was an eye opener! My now new Fark password, easy for me to remember, would take 112 quadrillion years.

They should make that site so that if someone enters 12345, in addition to the things it already says, it also says "That's the combination an idiot would use on his luggage!"
 
2012-08-23 09:42:29 AM

Wellon Dowd: But the Fark Social Security number filter is still safe, right? Let's see.

XXX-XXX-XXXX

Thank goodness.


Woah, really?? 968-23-1298
 
2012-08-23 09:43:04 AM
Hey!!! Damnit, can a mod please delet?!?@! WTF YOU JERK!
 
2012-08-23 09:43:41 AM
that was a joke, feel free to try using that SS# on whatevs you want!
 
2012-08-23 09:46:36 AM

Kurmudgeon: Your password is only as good as your ability to remember it.


That's what Post-it notes are for.
 
2012-08-23 09:48:43 AM
I was thinking about this the other day. I eventually came to realize that it would be trivially easy for me to start using a 40ish character password. What I was considering was my home phone number growing up (10 digits) and my current cell phone number (another 10 digits) with a medium length word after each phone number.

The phone numbers give you 20 characters. Two words that are each 6 characters (add a punctuation mark after each for good measure) and you've already got a 34 character password. Easy to remember.

The failure of this plan was that I definitely do NOT want to start typing in a 30+ character password multiple times a day.

Another option is to just start using encrypted key files. We use a hash for authentication on our important machines at work. The "password" is thousands of characters long.
 
2012-08-23 09:54:26 AM

jgi: How Secure Is My Password?


81 sexdecillion years using the method I just described. Phone number, leet speak version of my GF's name, phone number, short sentence (Superman save me!).
 
2012-08-23 09:57:42 AM

moistD: I thought those were just the hash tables. The Rainbow Tables were some crazy way of compacting all of that data so they can store more data in less space and that flowchart lost me.


I'll give this a shot but I make no guarantees as I'm not super confident in my understanding of it either...

In a normal hash table you just store a huge list of precomputed passwords and, as you said, this has serious size implications.

In a rainbow table, instead of just using a hash function and storing every result you can build, you use two functions: the hash function that generates the passwords and a reduction function. The reduction function turns hashed passwords into some plaintext (not to be confused with breaking the password; it just turns a hash into a corresponding plaintext value based on your reduction function's rules, which don't necessarily have anything to do with the hashing function).

You then compute "chains" to form the table. Each link in the chain is a plaintext or a hash, alternating back and forth. The first link is a plaintext password, say 'abc123'. You hash it and get 38DF239D. Then you apply your reduction function to that hash and get fghv3c. You hash that and get M339CCM3 and so on and so forth until you've generated a chain of some chosen length, stopping on a plaintext value. If we reduced one more time we might get 'vjdkqi'.

You store ONLY the first link (abc123) and the last link (vjdkqi).

Repeat this procedure a number of times, using different reduction functions (to reduce "collisions" where the chains start producing the same values) to generate each chain.

Now, when you have some hash you want to reverse, you run it through the reduction function used to build your table and get a corresponding plaintext value. Then you look at your table and see if that plaintext value appears as the last link in any of your chains. If not, you do your next reduction function and see if that plaintext value appears as the last link in any chain, and keep going like that until you run out (at which point the attack fails).

When a reduction function DOES produce a plaintext that is the last link in one of your chains, you move to the start of that chain and just start rebuilding that chain using the same process that originally built it (alternating between hashing and reduction). If the chain contains the password you're looking for, eventually you will produce the hash value you're currently holding so you know the plaintext value that produced it is the password you're looking for.

The downside here is that two chains can "collide", where you start from different points but they ultimately merge on some shared value and wind up producing the same end results, which produces useless data. Also, there's no guarantee that the chains will compute every possible value in a given set of passwords. For example, if you did "all alpha-numeric lower case passwords of 6 characters" it may only generate chains containing (just as a bullshiat, random, out of my ass for illustrative purposes number) 90% of all values in that space.

The key in all this is understanding the reduction functions and it's not exactly an easy or exact science. Very smart people have to pick out those reduction functions for the resulting table to be very useful, which is why very few people build their own rainbow tables.
 
2012-08-23 10:01:43 AM
Might be time to trot out The Password Manifesto again.

A lot of the things the article talks about are here, too. Don't store passwords in plaintext, salt them, but also *tell* your users what you are doing. And don't force them to make strong passwords when they don't care about whether their account that you forced them to get to sign up for a silly online quiz or something gets hacked.
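The storage advice in the post above ("don't store passwords in plaintext, salt them, and tell your users what you are doing"), as an added example that is not from the thread or the linked manifesto. It uses Python's standard-library PBKDF2 with a random 16-byte salt per password, stores the algorithm and iteration count alongside the hash so the scheme is self-describing (and auditable), compares in constant time, and flags records whose iteration count has fallen below the current policy. The iteration count and record format are assumptions for this example.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumed policy value; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)                      # fresh per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), dk.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iters, salt_hex, dk_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False                                   # malformed record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record is weaker than current policy (rehash on next login)."""
    try:
        algorithm, iters, _salt, _dk = record.split("$")
        return algorithm != ALGORITHM or int(iters) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("same password, second record differs:",
          hash_password("correct horse battery staple") != rec)
    print("verify correct:", verify_password("correct horse battery staple", rec))
    print("verify wrong:  ", verify_password("Correct horse battery staple", rec))
    print("old record needs rehash:", needs_rehash("pbkdf2_sha256$1000$00$00"))
```

Because the salt is random per record, two users with the same password get different hashes and a precomputed table built for the bare hash is useless; the iteration count is what keeps a GPU rig from trying billions of guesses per second against a stolen dump.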
 
2012-08-23 10:02:25 AM
Maybe I'm missing some critical detail, since I'm not really too knowledgeable of the tech side of computers, but wouldn't having the account locked out after a few wrong attempts prevent most of this?
 
2012-08-23 10:03:55 AM

ranak: [imgs.xkcd.com image 740x601]


That's fun to type into your iPhone every time you want to update Angry Birds.
 
2012-08-23 10:07:07 AM

Grither: Hey!!! Damnit, can a mod please delet?!?@! WTF YOU JERK!


It shows up for you because you typed it in. The rest of us just see xxz-xx-xxxx.
 
2012-08-23 10:12:36 AM

manimal2878: Maybe I'm missing some critical detail, since I'm not really too knowledgeable of the tech side of computers, but wouldn't having the account locked out after a few wrong attempts prevent most of this?


No, that's stupid.

I mean, it sure would prevent password cracking. Now, imagine for a minute that I'm a bored asshole from 4chan or similar. I feel like being a jerk today, so I come to Fark, and start trying to log in as every user name I can find, using only the password "a". Within minutes, I've done two things. First, I've found anyone on Fark who uses just the letter "a" as a password. Secondly, I've broken Fark.

There are steps you can take to prevent that, and they add complexity. I really like Google's current two-factor authorization. If I want to log in to GMail on a new computer, I put in my password, Google sends me a 6-digit code via text message, I put that in, and THEN I'm verified. It's not perfect, but it's pretty good.
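The lockout-as-denial-of-service problem the post above describes, as an added simulation that is not part of the thread. It puts a naive "lock the account after N failures from anyone" policy beside a throttle that counts failures per source address and only slows (never hard-locks) an account, then replays one source trying a bad password against 100 accounts. The thresholds, window, addresses (RFC 5737 documentation ranges) and account names are all constructed for the example.

```python
from collections import defaultdict


class NaiveLockout:
    """Lock an account after `threshold` failures, no matter who sent them."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.failures = defaultdict(int)

    def allowed(self, account: str, source: str, now: float) -> bool:
        return self.failures[account] < self.threshold

    def record_failure(self, account: str, source: str, now: float) -> None:
        self.failures[account] += 1


class PerSourceThrottle:
    """Block the abusive *source*; give the account a growing delay, not a lock."""

    def __init__(self, source_threshold: int = 10, window: float = 900.0,
                 soft_after: int = 3, max_wait: float = 60.0):
        self.source_threshold = source_threshold
        self.window = window            # seconds a failure stays "recent"
        self.soft_after = soft_after    # account failures before delays begin
        self.max_wait = max_wait
        self.by_source = defaultdict(list)
        self.by_account = defaultdict(list)

    def _recent(self, stamps, now):
        return [t for t in stamps if now - t < self.window]

    def allowed(self, account: str, source: str, now: float) -> bool:
        if len(self._recent(self.by_source[source], now)) >= self.source_threshold:
            return False                # this address is done for the window
        acct = self._recent(self.by_account[account], now)
        if len(acct) >= self.soft_after:
            # exponential backoff: 1s, 2s, 4s ... capped; a real user waits it out
            wait = min(2 ** (len(acct) - self.soft_after), self.max_wait)
            if now - acct[-1] < wait:
                return False
        return True

    def record_failure(self, account: str, source: str, now: float) -> None:
        self.by_source[source].append(now)
        self.by_account[account].append(now)


def simulate(num_accounts: int = 100, attempts_each: int = 5) -> dict:
    """One source guesses a wrong password on every account; every attempt fails."""
    accounts = [f"user{i}" for i in range(num_accounts)]
    attacker = "198.51.100.7"                      # constructed documentation address
    naive, throttle = NaiveLockout(), PerSourceThrottle()
    now = 1_000_000.0
    refused = 0
    for acct in accounts:
        for _ in range(attempts_each):
            if naive.allowed(acct, attacker, now):
                naive.record_failure(acct, attacker, now)
            if throttle.allowed(acct, attacker, now):
                throttle.record_failure(acct, attacker, now)
            else:
                refused += 1
            now += 0.1
    # Two minutes later the real owners log in from their own addresses.
    later = now + 120
    own = [f"203.0.113.{i % 250}" for i in range(num_accounts)]
    return {
        "naive_accounts_usable": sum(naive.allowed(a, s, later) for a, s in zip(accounts, own)),
        "throttle_accounts_usable": sum(throttle.allowed(a, s, later) for a, s in zip(accounts, own)),
        "attacker_attempts_refused": refused,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Under the naive policy every account ends up locked and its real owner is the one who pays; under the per-source throttle the abusive address is cut off after ten failures while all 100 owners can still log in. The per-account backoff still caps online guessing, and it pairs naturally with the second factor the post recommends.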
 
2012-08-23 10:13:04 AM

manimal2878: Maybe I'm missing some critical detail, since I'm not really too knowledgeable of the tech side of computers, but wouldn't having the account locked out after a few wrong attempts prevent most of this?


Only in cases where they're actively attempting to enter guesses. In these cases they're talking more about a situation where someone has stolen a database full of encrypted passwords. In that case, you can just start encrypting strings of text and seeing if the hash it produces matches a hash in the stolen data. So if I encrypt 'password1' and it becomes 'DKDV#V!NVKP}', and I see that manimal2878's hashed password is 'DKDV#V!NVKP}', I know his plaintext password is "password1" and I can just go enter it in one try.
 
2012-08-23 10:15:24 AM

jgi: How Secure Is My Password?


The passphrase to my GPG key would "about 273 undecillion years."
 
2012-08-23 10:22:23 AM
Hmm... According to howsecureismypassword

My throw away password would take about 19 seconds.

My "Go to Hell script kiddies!" password would take 69 tredecillion years. Tredecillion. I didn't even know that was a word.
 
2012-08-23 10:24:41 AM

jgi: How Secure Is My Password?

JavaScript rendered client side, so no passwords are stored on their servers. You can load the page, shut off your internet connection, and it'll still work.

My password, easy for me to remember, would take 20 billion years. Not too shabby. Add one more character to it and it's 849 billion years.


Heh, adding an exclamation point to the end of my passphrase jumps it from 511 years to 12 million. Duly noted.
 
2012-08-23 10:30:01 AM

THE GREAT NAME: NAME's shed door wire is live at 50,000 volts and no warning sign.

Heh.


Amateur. Galoshes' shed sits in the center of a high voltage switching station, and you have to wade out to it.
 
2012-08-23 10:31:34 AM

Wellon Dowd: But the Fark Social Security number filter is still safe, right? Let's see.

XXX-XXX-XXXX

Thank goodness.


Hey, that's pretty neat. Let's see if it works... 078-05-1120... 

/I hate being late to the post your personal data jokes
//But I love this story.
 
2012-08-23 10:32:52 AM

Galloping Galoshes: THE GREAT NAME: NAME's shed door wire is live at 50,000 volts and no warning sign.

Heh.

Amateur. Galoshes' shed sits in the center of a high voltage switching station, and you have to wade out to it.


You're both amateurs. S1uggo's shed is actually a decoy containing an attack dog, armed with a rifle, and she's off her meds.

My real shed is at an undisclosed location that can only be found by deciphering a series of clues.
 
2012-08-23 10:34:29 AM
10 days for my weak passwords (sites like Fark where I don't really care if someone "hacks" my account)
4000 Years for the "secure version" of that one
157 Billion years for my actual secure passwords/variations
12 Trillion years for my secure work passwords/variations
 
2012-08-23 10:37:40 AM

Pocket Ninja: What kind of idiot uses only a piece of wire? You augment the wire with a brick to hold shut the bottom corner, everybody knows that.


Wait, you're supposed to use a piece of wire?

Forget the wire, my weather-proof tools are even hanging on the outside. Quite a change from where I used to live, and friends who visit sometimes can't get over the shock. "Dude, wait, you don't lock up your lawnmower?" The ultimate security through obscurity: No one locks anything, so no one is an easier target, and the only theft seems to be "kid's methy friend robs the kid's house" every once in a blue moon. It's a little weird, but I'm adapting.

As for passwords, the other xkcd seems more on the money:

imgs.xkcd.com
 
2012-08-23 10:40:01 AM
FTFA: "Recently, he recovered a 13-character password that he had spent several months trying to crack."

Go ahead...spend a month or two cracking my Fark password. Then you can pretend to be a Christian fundie all you like.

New Fark handle...I can haz one.
 
2012-08-23 10:46:34 AM

Vegan Meat Popsicle: manimal2878: Maybe I'm missing some critical detail, since I'm not really too knowledgeable of the tech side of computers, but wouldn't having the account locked out after a few wrong attempts prevent most of this?

Only in cases where they're actively attempting to enter guesses. In these cases they're talking more about a situation where someone has stolen a database full of encrypted passwords. In that case, you can just start encrypting strings of text and seeing if the hash it produces matches a hash in the stolen data. So if I encrypt 'password1' and it becomes 'DKDV#V!NVKP}', and I see that manimal2878's hashed password is 'DKDV#V!NVKP}', I know his plaintext password is "password1" and I can just go enter it in one try.


I see, so they kind of work in reverse. Figure out the hashing algorithm, then go plug it into the website of the account. But they need to have some stolen data.
 
2012-08-23 10:50:25 AM

Gonz: manimal2878: Maybe I'm missing some critical detail, since I'm not really too knowledgeable of the tech side of computers, but wouldn't having the account locked out after a few wrong attempts prevent most of this?

No, that's stupid.

I mean, it sure would prevent password cracking. Now, imagine for a minute that I'm a bored asshole from 4chan or similar. I feel like being a jerk today, so I come to Fark, and start trying to log in as every user name I can find, using only the password "a". Within minutes, I've done two things. First, I've found anyone on Fark who uses just the letter "a" as a password. Secondly, I've broken Fark.

There are steps you can take to prevent that, and they add complexity. I really like Google's current two-factor authorization. If I want to log in to GMail on a new computer, I put in my password, Google sends me a 6-digit code via text message, I put that in, and THEN I'm verified. It's not perfect, but it's pretty good.


I guess that's only true if your screen name is the same as your account name. Is it on Fark? I don't remember.
 
Displayed 50 of 103 comments
