
(phys.org) You best be using at least 9 character passwords with lower and upper case letters and numbers and special characters and umlauts and gerunds and dingos

4062 clicks; posted to Geek on 12 Dec 2012 at 11:25 AM



64 Comments

Archived thread
 
2012-12-12 08:27:41 AM
That's OK, I'm behind seven proxies.
 
2012-12-12 08:30:52 AM
päSsW¤rd1
 
2012-12-12 08:36:36 AM
I put a glottal click in all my passwords.
 
2012-12-12 08:45:38 AM
I believe 12345 meets all those criteria.
 
2012-12-12 09:17:14 AM
imgs.xkcd.com
 
ZAZ [TotalFark]
2012-12-12 09:43:16 AM
The US DOT recently changed its discussion board. The old system didn't require a password. You typed a name and that's how your post appeared. The questions were like "My agency recently installed some W29-307B symbolic dingo crossing signs. How long should we maintain the supplementary `Dingo Crossing' plate?" They hardly needed much security.

Somebody official noticed the government-run system did not meet government security standards. The result was a new requirement for prior approval of posting and use of a 12 character password with circles and arrows and a paragraph on the back of each one explaining how the character was secure against Canadian sign thieves. And a comparatively dead board.
 
2012-12-12 09:54:41 AM
A dingo ate my babby.
 
2012-12-12 09:57:28 AM
1-2-3-4-5-dingÖ
 
ZAZ [TotalFark]
2012-12-12 10:03:04 AM
ArkAngel

You forgot the gerund: 1-2-3-4-5-dingÖing
 
2012-12-12 10:04:49 AM
 
2012-12-12 10:05:34 AM
apart from my html fail.
 
2012-12-12 10:14:17 AM
Good thing all my passwords are 'crackthisshiatbiatches'
 
2012-12-12 10:35:33 AM
That's great and all but most websites don't let you guess the password that many times a day, let alone per second.
 
ZAZ [TotalFark]
2012-12-12 11:00:24 AM
jaylectricity

These machines are for offline cracking. Some sysadmins who ought to be put to death slowly and painfully allow hackers to steal their password databases. Some don't even bother making the databases hard to crack.

It's easy to design a system where the password database doesn't live on the web server. We had that when I was in college in the 1980s (minus the "web" part). The hashed version of your password lived in an encrypted file on a disk in a locked closet, attached to a secured server. That server talked to the outside world through an authentication protocol. I'm not sure if it even allowed remote logins.

You to workstation: Hi, I'm Drew.
Workstation to auth server: Hey, this guy says he's Drew, send me a blob of data.
Auth server to workstation: Here's your blob.
Workstation to you: Password, please.
You to workstation: 12345
Workstation to auth server: Here's your blob decrypted using what this 'Drew' says is his password and re-encrypted with the key I found inside.
Auth server to workstation: It's a match! He's cool.

I've skimmed over technical details of what gets encrypted and decrypted. See Kerberos authentication system. The important part is, the auth server is designed to assume client machines and the network are both insecure.
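The exchange ZAZ sketches above, worked through in code as an added example that is not part of the thread and is not real Kerberos: a toy challenge/response login where the auth server keeps only a password-derived key, the password never leaves the workstation, and a wrong password leaves the client unable to open the server's blob at all. The cipher here is a deliberately simple SHA-256 keystream with an HMAC tag, the PBKDF2 iteration count is an assumed value, and sending the salt along with the challenge is a simplification (Kerberos derives it from the principal name).

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)


def derive_key(password, salt):
    """The only thing the auth server keeps: a key derived from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def seal(key, nonce, plaintext):
    """Toy authenticated encryption: XOR with a SHA-256 keystream, then an
    HMAC tag so a wrong key or a tampered blob is detected on opening."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return seal(key, nonce, ciphertext)[16:-32]  # the XOR stream is its own inverse


class AuthServer:
    """Holds (salt, derived key) per user. Never sees a password, and never
    sends anything that a wrong password could usefully open."""

    def __init__(self):
        self.db = {}
        self.pending = {}

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, derive_key(password, salt))

    def challenge(self, user):
        """'Here's your blob': a fresh session key + nonce, sealed under the user key."""
        salt, user_key = self.db[user]
        session_key, nonce = os.urandom(32), os.urandom(16)
        self.pending[user] = (session_key, nonce)
        return salt, seal(user_key, os.urandom(16), session_key + nonce)

    def verify(self, user, response):
        """'It's a match': the response must be the nonce sealed under the session key."""
        session_key, nonce = self.pending.pop(user)
        return open_sealed(session_key, response) == nonce


def workstation_login(server, user, typed_password):
    """The workstation's side of the exchange; the typed password stays here."""
    salt, blob = server.challenge(user)
    inner = open_sealed(derive_key(typed_password, salt), blob)
    if inner is None:
        server.pending.pop(user, None)  # wrong password: the blob cannot even be read
        return False
    session_key, nonce = inner[:32], inner[32:]
    return server.verify(user, seal(session_key, os.urandom(16), nonce))


if __name__ == "__main__":
    srv = AuthServer()
    srv.enroll("drew", "12345")
    print("right password:", workstation_login(srv, "drew", "12345"))
    print("wrong password:", workstation_login(srv, "drew", "hunter2"))
```

The point ZAZ makes survives the simplification: a passive listener sees only sealed blobs, a compromised workstation learns only the password typed into it, and an attacker who steals the server's table still has to run the PBKDF2 derivation per guess rather than comparing against a plaintext.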
 
2012-12-12 11:10:25 AM

ZAZ: jaylectricity


So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?
 
2012-12-12 11:30:51 AM
I can't get into my most backwater forum account if I enter the password wrong 5 times in a couple minutes. What system lets you guess 350 billion times per second without penalty?
 
ZAZ [TotalFark]
2012-12-12 11:32:05 AM
So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?

Depends on the circumstances.

Some of these crackers are looking to exploit people who reuse passwords. Maybe they don't care about LinkedIn, but figure LinkedIn users have access to the secret Federal Reserve bboard.

In the old Kerberos system I described if you get to the database and the master key (which requires peeking inside process memory on a secure server) you win. The network is set up to trust the authentication server.

Some web servers are misconfigured so you can do HTTP GET /etc/passwd (or equivalent), giving you read access to hashed passwords, but not more valuable data.
 
2012-12-12 11:32:31 AM

jaylectricity: ZAZ: jaylectricity

So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?


Yes and no. Think about it like this. They hack Fark and get the passwords, in hashed format. Then they crack the file (offline). Now they have your email address and a password. Sure, that password is the one you use for Fark, but how much do you want to bet that 50% of the Fark passwords also work for a banking site or Amazon (where they have your credit card), or Facebook (where they get tons of other information), etc.
 
2012-12-12 11:33:02 AM

jaylectricity: ZAZ: jaylectricity

So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?


On the vast majority of networks, the combination of user ID and password is what they want. Who gives a fark about your accounting spreadsheets with next quarter's revenue projections? If they have a list of three hundred user IDs and passwords from a white-collar company, that's probably a few hundred user IDs and passwords for checking accounts, 401(k) accounts, credit card accounts, etc.
 
2012-12-12 11:34:16 AM

ampoliros: I can't get into my most backwater forum account if I enter the password wrong 5 times in a couple minutes. What system lets you guess 350 billion times per second without penalty?


*sigh* This is an offline attack. They get the file with hashed passwords and crack them offline. No web necessary.
 
2012-12-12 11:41:16 AM
But this is easier to remember

1-2-3-4-5-dingÖingÖbÖingÖ
 
2012-12-12 11:42:05 AM

ChubbyTiger: ampoliros: I can't get into my most backwater forum account if I enter the password wrong 5 times in a couple minutes. What system lets you guess 350 billion times per second without penalty?

*sigh* This is an offline attack. They get the file with hashed passwords and crack them offline. No web necessary.


My fault for skimming the article.

Still, unless your site is really poorly configured, getting the hash file would likely involve someone on the inside or some other way to get physical access. And once you have physical access to the system, all bets are off anyway.
 
2012-12-12 11:46:15 AM
That's why I don't use any online services that require a password.
 
2012-12-12 11:54:58 AM
I have a cat that died 13 years ago. Nobody on earth besides me, my daughter and my wife can remember that beast's name. Not even my own mother knows it.

But the 3 of us will never forget it, as long as we live. So that's our default password for accounts we share.
 
2012-12-12 11:55:04 AM
My passwords are nothing but dingos anyway.
 
2012-12-12 11:57:37 AM

ChubbyTiger: jaylectricity: ZAZ: jaylectricity

So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?

Yes and no. Think about it like this. They hack Fark and get the passwords, in hashed format. Then they crack the file (offline). Now they have your email address and a password. Sure, that password is the one you use for Fark, but how much do you want to bet that 50% of the Fark passwords also work for a banking site or Amazon (where they have your credit card), or Facebook (where they get tons of other information), etc.


Every password I use online is the same EXCEPT for any site attached to my money (bank, Steam account, etc), attached to my medical data, or my email - every one of those is unique. So, grab my facebook password if you want...all it will get you access to are things like my Pandora account, and my AMC MovieWatcher account.
 
2012-12-12 12:02:12 PM

DontMakeMeComeBackThere: ChubbyTiger: jaylectricity: ZAZ: jaylectricity

So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?

Yes and no. Think about it like this. They hack Fark and get the passwords, in hashed format. Then they crack the file (offline). Now they have your email address and a password. Sure, that password is the one you use for Fark, but how much do you want to bet that 50% of the Fark passwords also work for a banking site or Amazon (where they have your credit card), or Facebook (where they get tons of other information), etc.

Every password I use online is the same EXCEPT for any site attached to my money (bank, Steam account, etc), attached to my medical data, or my email - every one of those is unique. So, grab my facebook password if you want...all it will get you access to are things like my Pandora account, and my AMC MovieWatcher account.


Congratulations, you're ahead of 95% of the internet.
 
2012-12-12 12:07:58 PM
news.discovery.com

Your passwords. I shall eat them!
 
2012-12-12 12:08:32 PM
i.imgur.com

JFC Morpheus, your password was OMGPINKPONEYS1 ???
 
2012-12-12 12:12:38 PM
Even with his fancy cracking array, which is pretty freaking sweet I might add. Unfortunately for him where I work we've been using that XKCD suggestion for awhile, I usually make passwords based on a few things on my desk, like "Knifedrivemagnet"
according to GRC's password haystack there's 2.91 x 10^27 possible passwords for that size and character set. Assuming 350 billion guesses a second it would take 263,824,214 years to guess that. I think he might have better success mining bitcoins.
 
2012-12-12 12:12:43 PM
Keepass is all I use.. If I sign up to a new site I just add a new entry and it auto generates a buttfark insane password for me and I'm g2g.
 
2012-12-12 12:21:08 PM
I've switched to an image based password. It compares desktop backgrounds. Good luck brute forcing the 3MB anigif.
 
ZAZ [TotalFark]
2012-12-12 12:23:01 PM
ampoliros: unless your site is really poorly configured

There are a lot of poorly configured sites, or sites using poorly configured hosting providers.

We should treat these sites like people who refuse vaccinations for the core plague-causing diseases, or people who leave guns or unlocked cars around to be stolen.
 
2012-12-12 12:25:48 PM
Oh, well then I'll start requiring users to submit passwords that include an O, 0, ∅, and Ø. Just so you can't figure it out when written down. And then, we'll require Egyptian Hieroglyphs, for good measure.
 
2012-12-12 12:31:48 PM

ZAZ: ampoliros: unless your site is really poorly configured

There are a lot of poorly configured sites, or sites using poorly configured hosting providers.

We should treat these sites like people who refuse vaccinations for the core plague-causing diseases, or people who leave guns or unlocked cars around to be stolen.


imokwiththis.jpg
 
2012-12-12 12:33:36 PM
LOL...my wife is a paranoid BS in CS, so she refuses to run Java, scripts and a bunch of other shiat I can never recall, and she uses a ~20 digit password for everything...that she won't type...instead copy pasta from a text file.

Of course, she can only actually view about one page in three she clicks on, and can only change web pages about every 30 seconds, but nobody can see her baby pics.

*rolls eyes*
 
2012-12-12 12:40:47 PM
Unless this machine can also magically intercept the text message and find the approval code that google, facebook, etc. sends me any time my account is accessed from non-approved machines, then I think I'll be OK subby.
 
2012-12-12 12:46:54 PM
This is why I use sentences for my more...important passwords, and semisecure "words" for things like fark.
 
2012-12-12 12:58:42 PM
I try to make my passwords as difficult as possible usually by randomly hitting keys, like this -- alsdkfjoweklrj,;cvjzxiocuvfklenwr,.uaer. However, they are so complex and yet so impossible to remember, hence I never go back to that website again.
 
2012-12-12 01:05:53 PM
What about Obscene Gerunds?

/obscure?
 
2012-12-12 01:08:49 PM

beantowndog: I believe 12345 meets all those criteria.


Phew. My luggage is secure
 
2012-12-12 01:14:51 PM

Stone Meadow: LOL...my wife is a paranoid BS in CS, so she refuses to run Java, scripts and a bunch of other shiat I can never recall, and she uses a ~20 digit password for everything...that she won't type...instead copy pasta from a text file.

Of course, she can only actually view about one page in three she clicks on, and can only change web pages about every 30 seconds, but nobody can see her baby pics.

*rolls eyes*


As a fellow (pending. 1 more paper) BS in CS, and de facto family tech guru, she's right.

Basic rule:

Extensions:
Adblock - turn off ads
Flashblock - keep flash from running until you say so
Turn off Java
No(t)Script(s) - Turn off Javascript selectively.

Of course, NoScript breaks the internet, so I usually go with the first 3 until they get a virus, and then I give them NoScript, and a basic whitelist for most of their sites.

/Currently running without NoScript. It really does break the internet.
 
2012-12-12 01:25:19 PM

Mr_Fabulous: I have a cat that died 13 years ago. Nobody on earth besides me, my daughter and my wife can remember that beast's name. Not even my own mother knows it.

But the 3 of us will never forget it, as long as we live. So that's our default password for accounts we share.



TOONCES1999

/never forget
//never forgive
 
2012-12-12 01:26:08 PM

ChubbyTiger: jaylectricity: ZAZ: jaylectricity

So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?

Yes and no. Think about it like this. They hack Fark and get the passwords, in hashed format. Then they crack the file (offline). Now they have your email address and a password. Sure, that password is the one you use for Fark, but how much do you want to bet that 50% of the Fark passwords also work for a banking site or Amazon (where they have your credit card), or Facebook (where they get tons of other information), etc.


That's why my Fark password isn't particularly difficult. I'd rather the goblins think they've scored big when the truth is they only stole my collection of farts in mason jars. I'd miss it but not that much.
 
2012-12-12 01:27:18 PM
Yeah, make your nine character passwords, I will stick with seven characters. Everyone will fail trying to guess my password when they try nine characters.

My hotmail account was so old (before I stopped using it) that it had a four character password.
 
2012-12-12 01:40:50 PM
362436?OnlyIfShes53!

Or similar. I figured out lyrics as passwords in college. If you want to use my NeXT account from 1994, the password is SoICanDieEasy, as I was listening to a lot of Zeppelin at the time.
 
2012-12-12 01:43:53 PM
Most of America still thinks that the best way to deter password thieves is to make their password hard to guess.

When was the last time you saw a McDonald's employee trying to do something without a computer? Hackers are not sitting there with a pen and paper jotting down possible password.
 
2012-12-12 02:47:23 PM

Smeggy Smurf: I'd rather the goblins think they've scored big when the truth is they only stole my collection of farts in mason jars. I'd miss it but not that much.


I particularly enjoyed pineapple salsa fart #4, 1998. It was a good year.
 
2012-12-12 02:55:06 PM

meyerkev: Stone Meadow: LOL...my wife is a paranoid BS in CS, so she refuses to run Java, scripts and a bunch of other shiat I can never recall, and she uses a ~20 digit password for everything...that she won't type...instead copy pasta from a text file.

Of course, she can only actually view about one page in three she clicks on, and can only change web pages about every 30 seconds, but nobody can see her baby pics.

*rolls eyes*

As a fellow (pending. 1 more paper) BS in CS, and de facto family tech guru, she's right.

Basic rule:

Extensions:
Adblock - turn off ads
Flashblock - keep flash from running until you say so
Turn off Java
No(t)Script(s) - Turn off Javascript selectively.

Of course, NoScript breaks the internet, so I usually go with the first 3 until they get a virus, and then I give them NoScript, and a basic whitelist for most of their sites.

/Currently running without NoScript. It really does break the internet.


I told her about ratting her out on Fark and she said to mention that she doesn't keep any passwords or account numbers on her laptop's HD, either. Instead, she keeps them on an encrypted thumb drive that she sticks in when she needs it. Oh, and she never uses the "remember me" option with websites, either; empties the trash and dumps cookies when she logs off, etc.
 
2012-12-12 03:20:48 PM
Personally, I am more concerned with a $5 wrench than this thing.
 
2012-12-12 04:09:42 PM
Keepass with its ability to generate & store random passwords does the job nicely. You can remember the random character strings if you use them often enough, and if a password's rarely used is no great problem to open Keepass to find it.

What is annoying is when a site insists on mixed case, numbers or worse. Because qysybeaw is so easy to guess, obviously. And it's not as if mixed case is a real pain in the arse to type on a phone or tablet touchscreen or anything.
 
2012-12-12 04:12:50 PM

unyon: Smeggy Smurf: I'd rather the goblins think they've scored big when the truth is they only stole my collection of farts in mason jars. I'd miss it but not that much.

I particularly enjoyed pineapple salsa fart #4, 1998. It was a good year.


I'm glad you enjoyed it. I smurfed my pants making that
 
2012-12-12 04:41:32 PM

FlashHarry: 1Password. Totally worth it.


$50? Really?

Password Safe
 
2012-12-12 05:49:02 PM

Bob the Internet Barbarian: FlashHarry: 1Password. Totally worth it.

$50? Really?

Password Safe


for the mac environment, it's the best one out there. so, yeah, really.
 
2012-12-12 05:59:06 PM
ampoliros

ChubbyTiger: ampoliros: I can't get into my most backwater forum account if I enter the password wrong 5 times in a couple minutes. What system lets you guess 350 billion times per second without penalty?

*sigh* This is an offline attack. They get the file with hashed passwords and crack them offline. No web necessary.

My fault for skimming the article.

Still, unless your site is really poorly configured, getting the hash file would likely involve someone on the inside or some other way to get physical access. And once you have physical access to the system, all bets are off anyway.


It's called SQL injection, and it happens ALL OVER the place. Huge sites that you know and trust have had this.
 
2012-12-12 06:29:41 PM
Jormungandr

Even with his fancy cracking array, which is pretty freaking sweet I might add. Unfortunately for him where I work we've been using that XKCD suggestion for awhile, I usually make passwords based on a few things on my desk, like "Knifedrivemagnet"
according to GRC's password haystack there's 2.91 x 10^27 possible passwords for that size and character set. Assuming 350 billion guesses a second it would take 263,824,214 years to guess that. I think he might have better success mining bitcoins.


A generally safe assumption is that anything from GRC is wrong.

Combining words like this gives you about 12-13 bits of strength per word (the average person knows about ~16,000 words, but only uses/thinks about a fraction of that). For a target with specialized degrees it could be another bit per word, but it doesn't grow hugely in most cases.

This means your three-word password would end up being around 36-40 bits of strength. Using your assumption of 350 billion a second (which would be a horrible hash like NTLM (MD4)), your password would be cracked in seconds.

There's a reason xkcd chose 4 words. You'll be far better off by the way if you change your tenses and usages a bit: "Alabaster sinGletoned: quiXotiCally flouridatIOn". And obviously five words is better than four, but don't use participles or other joiners like "at", "to", "with", "and", etc... There really are very few of these so if those are one of your words it barely adds any complexity.

More importantly, there's a reason no one should be using straight hashes anymore. Please see salts, PBKDF2, bcrypt, and scrypt. Lots of iterations, memory hard, and missing input information; these are your friends for password storage. Or just go nuts and get an HSM and never let the crypto see the light of day. Either way.
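The two estimates argued over above (GRC's haystack count for "Knifedrivemagnet" versus Jormungandr's per-word entropy), carried through as an added example that is not part of the thread. The 350e9 guesses/s rate is the article's figure; the vocabulary size of 2^12 words per guess and the 100,000-iteration PBKDF2 work factor are assumptions, and the "5 uppercase letters" row is the card-catalog case from later in the thread.

```python
import math

GUESSES_PER_SEC = 350e9          # the article's cracking rate (fast, unsalted hash)
SECONDS_PER_YEAR = 365.25 * 86400


def haystack_size(length, alphabet):
    """GRC-style 'haystack': every string of 1..length symbols over the alphabet."""
    return sum(alphabet ** n for n in range(1, length + 1))


def passphrase_bits(words, vocabulary=2 ** 12):
    """Entropy of a phrase if the attacker guesses words from a vocabulary
    of that size (2^12 = 4096 words, i.e. 12 bits per word; assumed)."""
    return words * math.log2(vocabulary)


def crack_seconds(search_space, rate=GUESSES_PER_SEC):
    """Time to exhaust the whole search space at the given guess rate."""
    return search_space / rate


def crack_years(search_space, rate=GUESSES_PER_SEC):
    return crack_seconds(search_space, rate) / SECONDS_PER_YEAR


def report():
    """Rows of (label, search space, seconds to exhaust) for the cases in the thread."""
    rows = []
    # "Knifedrivemagnet" counted as 16 random letters (52 symbols), as GRC does
    hs = haystack_size(16, 52)
    rows.append(("haystack, 16 mixed-case letters", hs, crack_seconds(hs)))
    # the same string counted as three dictionary words, then four and five
    for n in (3, 4, 5):
        space = 2 ** passphrase_bits(n)
        rows.append((f"{n} dictionary words", space, crack_seconds(space)))
    # the library card catalog: exactly five uppercase letters
    rows.append(("5 uppercase letters", 26 ** 5, crack_seconds(26 ** 5)))
    # four words again, but stored with PBKDF2 at 100k iterations (assumed):
    # every guess costs 100k hash evaluations, so the rate drops accordingly
    space = 2 ** passphrase_bits(4)
    rows.append(("4 words behind PBKDF2 100k", space,
                 crack_seconds(space, GUESSES_PER_SEC / 100_000)))
    return rows


if __name__ == "__main__":
    for label, space, secs in report():
        print(f"{label:32s} space=2^{math.log2(space):5.1f}  time={secs:12.3g} s")
```

Run it and the two numbers from the thread fall out: the haystack count is about 2.91e27 and exhausts in roughly 2.6e8 years, while the same string treated as three words from a 4096-word vocabulary is 36 bits and exhausts in well under a second at that rate. Four words buys minutes, five buys weeks, and moving the fast hash behind PBKDF2 multiplies whichever figure applies by the iteration count.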
 
ZAZ [TotalFark]
2012-12-12 07:00:23 PM
Please see salts

Half the people making these mistakes weren't even born when Unix started using salts in the world-readable /etc/passwd file to slow offline attacks. According to some guy on the internet salts were added in V7, which was in 1979. I'm sure they were in BSD 4.3, probably also 4.2, from the early to mid 1980s.
 
2012-12-12 07:13:05 PM

Bob the Internet Barbarian: FlashHarry: 1Password. Totally worth it.

$50? Really?

Password Safe


Password Safe is great, but I really only use it for "small sites" (like my login for a website that requires logins but doesn't maintain any real personal data, like my address or payment info). For "big" sites, I use longish phrases like "I can't believe I still use AOL" or "I know I keep my money here, but I hope they go bankrupt" or the like. OK, maybe not that long, but even my laptop password is over 25 characters in length.
 
2012-12-12 08:13:24 PM

WayToBlue: It's called SQL injection


Little Bobby Tables, we call him.
 
2012-12-12 08:41:22 PM
I just hold the "e" key until I hit the character limit.

Email password? eeeeeeeeeee

ATM PIN? eeee

Alarm Code for the office? eeeee

Every security question? eeeeeeeeeeeeeeeeeeeee

Sound the voice in my head makes? eeeeeeeeeeeeeeeeeeeeeeeeeeeee
 
2012-12-12 11:11:32 PM

Ed Finnerty: I just hold the "e" key until I hit the character limit.

Email password? eeeeeeeeeee

ATM PIN? eeee

Alarm Code for the office? eeeee

Every security question? eeeeeeeeeeeeeeeeeeeee

Sound the voice in my head makes? eeeeeeeeeeeeeeeeeeeeeeeeeeeee


Approves:
static.tvguide.com
 
2012-12-13 05:17:46 AM

ChubbyTiger: They hack Fark and get the passwords, in hashed format. Then they crack the file (offline). Now they have your email address and a password. Sure, that password is the one you use for Fark, but how much do you want to bet that 50% of the Fark passwords also work for a banking site or Amazon (where they have your credit card), or Facebook (where they get tons of other information), etc.


Sadly, THIS.

I say sadly because I had planned to go Christmas shopping Mon-Wed this week, put together some boxes of goodies for the relatives far away, and mail them.

Sunday: A friend pings me to let me know she got spam from "me." I ask what address. Oh, it's that Hotmail account I haven't used in years. Hardly a surprise - I get e-mail or MSN spam from friends' compromised Hotmail accounts several times a year. Being old, I guess that it probably has a password I used a lot a few years ago - 8 characters, a couple words mashed together with some letters swapped out for digits. By modern standards, "good" but not "very good."

Monday: I get email from Skype. "Registered email address successfully changed. We've updated your registered email address to..." oh, FARK FARK FARK. Yeah, the Skype account has been around forever too, and has the same password as the Hotmail one. Being able to type 90+ wpm comes in handy when you need to log into an account, reinstate your address as the primary registered address, delete the Yahoo address of some scum you've never heard of (after writing it down), and change your password, faster than they can do anything about it. Account secured, I contact Skype support and get them to reinstate my privileges. Then I spend a few hours going through my bookmarks and setting up unique passwords for every site or service that had used the old one.

Tuesday: I stop at the store, go to the ATM, and my available balance shows $-175. That's odd; there should be a little in checking, and if not, there was another $300 in savings to cover any overdrafts, and I know what I'd spent. I figure something's out of whack with the bank. By evening, the bank's website is saying $-475. I give their 24-hour line a call, and find out that the aforementioned scum had tried to charge 100 Euros of Skype credit, plus 15% VAT, five times (total ~$740). Yeah, Skype was linked to my debit card for those $10 auto-refills. And yeah, the debit card is linked to my checking account. Which in turn is linked to my savings account for overdraft protection. So it got cleaned out.

After a bit of late-night back-and-forth with Skype and the bank, Skype's authorization department escalated it up the ladder, but couldn't tell me how long it'd take to resolve. The bank said that if Skype didn't fix it within the next week, they'd reject the charges, but unless and until they actually posted to my account, I couldn't contest them - nor could I have my money back. Thanks, guys.

Wednesday, I woke up to my personal banker calling to ask whether there was anything I needed her to do. I think if I asked, she'd have given me an emergency loan or something, but I wanted to wait and see if Skype fixed it fast, which so far they didn't. I swung by the police station, they took down the basic info and told me to report it to IC3.gov. I pinged a lawyer friend who works at Yahoo; he said the same - IC3 would get it to people who knew who to talk to at Yahoo. I called the local FBI number; they said the same - IC3 is an FBI partnership, after all.

So... Christmas shopping did not happen. And now I'm heading off to work and won't be back for 128 hours, during which I hope this clusterfark gets sorted out. (Bonus points if FBI + Interpol + Yahoo + Skype can deliver a LART or drone strike to whatever organized crime syndicate or terror cell has another 18 gibberish-named Skype accounts registered to that same Yahoo account. ;)

On the bright side, every site or service I use now has a different password, so even if they hack Fark, they're not getting a password for me that works anywhere else, at all.
 
2012-12-13 06:36:01 AM

sprawl15: I've switched to an image based password. It compares desktop backgrounds. Good luck brute forcing the 3MB anigif.


I vaguely remember something like that proposed to replace the irritating twisty words in captchas. There was, I think, a 3x3 grid with six pictures of puppies and three kittens arranged randomly and the challenge was to select the three kittens.

Another one asked users to find the three good-looking people in the grid of nine after choosing men or women for the picture test, but that one is a bit trickier as we don't all agree on what is attractive. See classic Fark boobies threads for more on varied views regarding acceptable knee sharpness.
 
2012-12-13 10:23:10 AM
When I was a kid, one of the local libraries had a Unix-based card catalog system where the staff's passwords were saved as 32-bit salted hashes, using the standard crypt() function they used for the system's 'passwd' file at the time. Even so, all of the passwords could be cracked in a few seconds on (IIRC) a 16 MHz 386-SX. Why? The card catalog system had a restriction at the UI level that required passwords to be all capital letters and exactly five characters long.
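The offline attack that several posters above describe (ChubbyTiger's "they get the file with hashed passwords and crack them offline", the salts/PBKDF2 advice, ZAZ's note on Unix salts, and the card-catalog story), run end to end as an added example that is not part of the thread. The wordlist and the four-user "leak" are constructed here, SHA-1 stands in for whatever fast hash a careless site used, and the PBKDF2 iteration count is an assumption kept low so the demo runs in a moment; the three dump styles are cracked with the same dictionary and the work spent on each is counted.

```python
import hashlib
import os

# Constructed wordlist and 'leaked' user table (not real data).
WORDLIST = ["123456", "password", "letmein", "dingo", "Knifedrivemagnet",
            "qwerty", "TOONCES1999", "trustno1", "iloveyou", "babby"]
USERS = {"drew": "dingo", "jay": "TOONCES1999", "zaz": "dingo", "bob": "correct horse"}
ITER = 20_000  # PBKDF2 work factor; assumed, and low so the demo runs quickly


def h_unsalted(pw):
    return hashlib.sha1(pw.encode()).hexdigest()


def h_salted(pw, salt):
    return hashlib.sha1(salt + pw.encode()).hexdigest()


def h_pbkdf2(pw, salt):
    return hashlib.pbkdf2_hmac("sha1", pw.encode(), salt, ITER).hex()


def make_dump(style):
    """What the attacker walks away with: {user: (salt or None, stored hash)}."""
    dump = {}
    for user, pw in USERS.items():
        salt = os.urandom(8)
        if style == "unsalted":
            dump[user] = (None, h_unsalted(pw))
        elif style == "salted":
            dump[user] = (salt, h_salted(pw, salt))
        else:
            dump[user] = (salt, h_pbkdf2(pw, salt))
    return dump


def crack(dump, style):
    """Dictionary attack; returns ({user: password}, hash computations spent).
    A PBKDF2 guess is counted as ITER computations, since that is its real cost."""
    cracked, work = {}, 0
    if style == "unsalted":
        # One hash per word covers every user at once, and identical stored
        # hashes already reveal which users share a password before any cracking.
        table = {}
        for w in WORDLIST:
            table[h_unsalted(w)] = w
            work += 1
        for user, (_, stored) in dump.items():
            if stored in table:
                cracked[user] = table[stored]
        return cracked, work
    # Salted: every (user, word) pair is a separate computation; no shared table.
    for user, (salt, stored) in dump.items():
        for w in WORDLIST:
            if style == "salted":
                guess, work = h_salted(w, salt), work + 1
            else:
                guess, work = h_pbkdf2(w, salt), work + ITER
            if guess == stored:
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    for style in ("unsalted", "salted", "pbkdf2"):
        found, work = crack(make_dump(style), style)
        print(f"{style:9s} cracked={found} work={work:,}")
```

All three styles give up the same three dictionary passwords and keep "correct horse" safe, which is the card-catalog lesson: a salt stops the attacker from hashing each candidate once for the whole user table, and an iterated KDF makes each remaining guess expensive, but neither rescues a password that sits in a tiny keyspace or on the first page of the wordlist.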
 