
(Phys Org2) You best be using at least 9 character passwords with lower and upper case letters and numbers and special characters and umlauts and gerunds and dingos (phys.org)

4062 clicks; posted to Geek on 12 Dec 2012 at 11:25 AM



64 Comments
 
2012-12-12 08:27:41 AM  
That's OK, I'm behind seven proxies.
 
2012-12-12 08:30:52 AM  
päSsW¤rd1
 
2012-12-12 08:36:36 AM  
I put a glottal click in all my passwords.
 
2012-12-12 08:45:38 AM  
I believe 12345 meets all those criteria.
 
2012-12-12 09:17:14 AM  
imgs.xkcd.com
 
ZAZ [TotalFark]
2012-12-12 09:43:16 AM  
The US DOT recently changed its discussion board. The old system didn't require a password. You typed a name and that's how your post appeared. The questions were like "My agency recently installed some W29-307B symbolic dingo crossing signs. How long should we maintain the supplementary 'Dingo Crossing' plate?" They hardly needed much security.

Somebody official noticed the government-run system did not meet government security standards. The result was a new requirement for prior approval of posting and use of a 12 character password with circles and arrows and a paragraph on the back of each one explaining how the character was secure against Canadian sign thieves. And a comparatively dead board.
 
2012-12-12 09:54:41 AM  
A dingo ate my babby.
 
2012-12-12 09:57:28 AM  
1-2-3-4-5-dingÖ
 
ZAZ [TotalFark]
2012-12-12 10:03:04 AM  
ArkAngel

You forgot the gerund: 1-2-3-4-5-dingÖing
 
2012-12-12 10:04:49 AM  
 
2012-12-12 10:05:34 AM  
apart from my html fail.
 
2012-12-12 10:14:17 AM  
Good thing all my passwords are 'crackthisshiatbiatches'
 
2012-12-12 10:35:33 AM  
That's great and all but most websites don't let you guess the password that many times a day, let alone per second.
 
ZAZ [TotalFark]
2012-12-12 11:00:24 AM  
jaylectricity

These machines are for offline cracking. Some sysadmins who ought to be put to death slowly and painfully allow hackers to steal their password databases. Some don't even bother making the databases hard to crack.

It's easy to design a system where the password database doesn't live on the web server. We had that when I was in college in the 1980s (minus the "web" part). The hashed version of your password lived in an encrypted file on a disk in a locked closet, attached to a secured server. That server talked to the outside world through an authentication protocol. I'm not sure if it even allowed remote logins.

You to workstation: Hi, I'm Drew.
Workstation to auth server: Hey, this guy says he's Drew, send me a blob of data.
Auth server to workstation: Here's your blob.
Workstation to you: Password, please.
You to workstation: 12345
Workstation to auth server: Here's your blob decrypted using what this 'Drew' says is his password and re-encrypted with the key I found inside.
Auth server to workstation: It's a match! He's cool.

I've skimmed over technical details of what gets encrypted and decrypted. See Kerberos authentication system. The important part is, the auth server is designed to assume client machines and the network are both insecure.
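The seven-line dialogue above, re-enacted in code. This is an added example, not code from the thread or from MIT Kerberos: the cipher is a deliberately simple SHA-256 keystream with an HMAC tag standing in for Kerberos' real encryption types, and the realm, principal name and passwords are constructed sample data. The point it shows is the one ZAZ makes: the auth server hands out only a blob sealed under a key derived from the stored password hash, the workstation proves it could open that blob by sealing an answer under the session key found inside, and neither the password nor the session key ever crosses the wire in the clear.

```python
"""Toy re-enactment of the password exchange sketched in the post above.

Added example, not from the thread or from MIT Kerberos. The cipher is a toy
SHA-256 keystream plus HMAC tag (an assumption standing in for Kerberos'
encryption types); realm, users and passwords are constructed sample data.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction, not for production)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt a small JSON message; the tag lets the receiver detect a wrong key."""
    data = json.dumps(fields).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> Optional[dict]:
    """Return the message, or None when the key does not fit (tag mismatch)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(data)

def password_key(password: str, realm: str = "EXAMPLE.EDU") -> bytes:
    """The 'hashed version of your password' the server keeps; never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 100_000)

class AuthServer:
    """The locked-closet machine: holds user keys, trusts neither client nor network."""

    def __init__(self) -> None:
        self.user_keys: dict[str, bytes] = {}
        self.issued: dict[str, bytes] = {}   # session key handed out, per principal

    def enroll(self, name: str, password: str) -> None:
        self.user_keys[name] = password_key(password)

    def challenge(self, name: str) -> Optional[bytes]:
        """'Here's your blob': a fresh session key sealed under the user's long-term key."""
        if name not in self.user_keys:
            return None
        session_key = os.urandom(32)
        self.issued[name] = session_key
        return seal(self.user_keys[name], {"session_key": session_key.hex(), "for": name})

    def verify(self, name: str, authenticator: bytes) -> bool:
        """'It's a match!' only if the authenticator opens under the session key we issued."""
        session_key = self.issued.pop(name, None)           # single use
        if session_key is None:
            return False
        inner = unseal(session_key, authenticator)
        return (inner is not None and inner.get("name") == name
                and abs(time.time() - inner["time"]) < 300)  # 5-minute skew window

def workstation_login(server: AuthServer, name: str, typed_password: str) -> bool:
    """The workstation's side of the dialogue; only sealed blobs cross the network."""
    blob = server.challenge(name)
    if blob is None:
        return False
    inner = unseal(password_key(typed_password), blob)       # decrypt with what the user typed
    if inner is None:
        return False                                        # wrong password: blob stays opaque
    session_key = bytes.fromhex(inner["session_key"])
    authenticator = seal(session_key, {"name": name, "time": time.time()})
    return server.verify(name, authenticator)

if __name__ == "__main__":
    kdc = AuthServer()
    kdc.enroll("drew", "12345")                              # constructed sample user
    print("right password:", workstation_login(kdc, "drew", "12345"))
    print("wrong password:", workstation_login(kdc, "drew", "hunter2"))
```

One caveat worth holding onto from this toy: whoever records the blob on the wire can test candidate passwords against it offline, which is exactly the attack the article is about. That is why Kerberos 5 added pre-authentication before the server will issue the blob. The locked-closet design protects the password database from being read; it does not make a guessable password safe.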
 
2012-12-12 11:10:25 AM  

ZAZ: jaylectricity


So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?
 
2012-12-12 11:30:51 AM  
I can't get into my most backwater forum account if I enter the password wrong 5 times in a couple minutes. What system lets you guess 350 billion times per second without penalty?
 
ZAZ [TotalFark]
2012-12-12 11:32:05 AM  
So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?

Depends on the circumstances.

Some of these crackers are looking to exploit people who reuse passwords. Maybe they don't care about LinkedIn, but figure LinkedIn users have access to the secret Federal Reserve bboard.

In the old Kerberos system I described if you get to the database and the master key (which requires peeking inside process memory on a secure server) you win. The network is set up to trust the authentication server.

Some web servers are misconfigured so you can do HTTP GET /etc/passwd (or equivalent), giving you read access to hashed passwords, but not more valuable data.
 
2012-12-12 11:32:31 AM  

jaylectricity: ZAZ: jaylectricity

So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?


Yes and no. Think about it like this. They hack Fark and get the passwords, in hashed format. Then they crack the file (offline). Now they have your email address and a password. Sure, that password is the one you use for Fark, but how much do you want to bet that 50% of the Fark passwords also work for a banking site or Amazon (where they have your credit card), or Facebook (where they get tons of other information), etc.
 
2012-12-12 11:33:02 AM  

jaylectricity: ZAZ: jaylectricity

So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?


On the vast majority of networks, the combination of user ID and password is what they want. Who gives a fark about your accounting spreadsheets with next quarter's revenue projections? If they have a list of three hundred user IDs and passwords from a white-collar company, that's probably a few hundred user IDs and passwords for checking accounts, 401(k) accounts, credit card accounts, etc.
 
2012-12-12 11:34:16 AM  

ampoliros: I can't get into my most backwater forum account if I enter the password wrong 5 times in a couple minutes. What system lets you guess 350 billion times per second without penalty?


*sigh* This is an offline attack. They get the file with hashed passwords and crack them offline. No web necessary.
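What "crack them offline" costs depends entirely on how the site stored the file, which is the part ZAZ called "making the databases hard to crack". This added example (not code from the thread; users and passwords are constructed) contrasts a fast unsalted hash, where every guess costs one SHA-1 and two users with the same password are instantly linkable, with a salted PBKDF2 record that carries its own parameters and makes each guess several orders of magnitude more expensive on the attacker's hardware as well as the site's. The 600,000 iteration default follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
"""Why a stolen password file is, or isn't, cheap to crack offline.

Added example, not code from the thread. Users and passwords are constructed.
"""
import hashlib
import hmac
import os
import time

def store_unsalted(password: str) -> str:
    """The 'don't even bother' case: fast, unsalted SHA-1, same password -> same record."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted_slow(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; the record carries its parameters."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted_slow(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def same_password_linkable(store) -> bool:
    """True if two users sharing a password get identical records (crack one, get both)."""
    return store("correct horse") == store("correct horse")

def guesses_per_second(one_guess, budget_seconds: float = 0.25) -> float:
    """Count how many candidate checks fit in the budget on this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget_seconds:
        one_guess("candidate%d" % n)
        n += 1
    return n / (time.perf_counter() - start)

def slowdown_factor() -> float:
    """How many times more expensive each offline guess becomes with the slow record."""
    record = store_salted_slow("irrelevant", iterations=100_000)
    fast = guesses_per_second(store_unsalted)
    slow = guesses_per_second(lambda guess: verify_salted_slow(guess, record))
    return fast / slow

if __name__ == "__main__":
    rec = store_salted_slow("correct horse")
    print(rec)
    print("login ok:", verify_salted_slow("correct horse", rec))
    print("linkable (sha1):  ", same_password_linkable(store_unsalted))
    print("linkable (pbkdf2):", same_password_linkable(store_salted_slow))
    print("each guess roughly %.0fx more expensive" % slowdown_factor())
```

The slowdown factor is measured on the defender's CPU, so it is only a relative figure; a GPU rig like the one in the article gets the same relative penalty, because PBKDF2 work scales with the iteration count wherever it runs. Salting does not slow anything down by itself; its job is to stop one cracked hash from unlocking every user who chose the same password and to defeat precomputed tables.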
 
2012-12-12 11:41:16 AM  
But this is easier to remember

1-2-3-4-5-dingÖingÖbÖingÖ
 
2012-12-12 11:42:05 AM  

ChubbyTiger: ampoliros: I can't get into my most backwater forum account if I enter the password wrong 5 times in a couple minutes. What system lets you guess 350 billion times per second without penalty?

*sigh* This is an offline attack. They get the file with hashed passwords and crack them offline. No web necessary.


My fault for skimming the article.

Still, unless your site is really poorly configured, getting the hash file would likely involve someone on the inside or some other way to get physical access. And once you have physical access to the system, all bets are off anyway.
 
2012-12-12 11:46:15 AM  
That's why I don't use any online services that require a password.
 
2012-12-12 11:54:58 AM  
I have a cat that died 13 years ago. Nobody on earth besides me, my daughter and my wife can remember that beast's name. Not even my own mother knows it.

But the 3 of us will never forget it, as long as we live. So that's our default password for accounts we share.
 
2012-12-12 11:55:04 AM  
My passwords are nothing but dingos anyway.
 
2012-12-12 11:57:37 AM  

ChubbyTiger: jaylectricity: ZAZ: jaylectricity

So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?

Yes and no. Think about it like this. They hack Fark and get the passwords, in hashed format. Then they crack the file (offline). Now they have your email address and a password. Sure, that password is the one you use for Fark, but how much do you want to bet that 50% of the Fark passwords also work for a banking site or Amazon (where they have your credit card), or Facebook (where they get tons of other information), etc.


Every password I use online is the same EXCEPT for any site attached to my money (bank, Steam account, etc), attached to my medical data, or my email - every one of those is unique. So, grab my facebook password if you want...all it will get you access to are things like my Pandora account, and my AMC MovieWatcher account.
 
2012-12-12 12:02:12 PM  

DontMakeMeComeBackThere: ChubbyTiger: jaylectricity: ZAZ: jaylectricity

So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?

Yes and no. Think about it like this. They hack Fark and get the passwords, in hashed format. Then they crack the file (offline). Now they have your email address and a password. Sure, that password is the one you use for Fark, but how much do you want to bet that 50% of the Fark passwords also work for a banking site or Amazon (where they have your credit card), or Facebook (where they get tons of other information), etc.

Every password I use online is the same EXCEPT for any site attached to my money (bank, Steam account, etc), attached to my medical data, or my email - every one of those is unique. So, grab my facebook password if you want...all it will get you access to are things like my Pandora account, and my AMC MovieWatcher account.


Congratulations, you're ahead of 95% of the internet.
 
2012-12-12 12:07:58 PM  
news.discovery.com

Your passwords. I shall eat them!
 
2012-12-12 12:08:32 PM  
i.imgur.com

JFC Morpheus, your password was OMGPINKPONEYS1 ???
 
2012-12-12 12:12:38 PM  
Even with his fancy cracking array (which is pretty freaking sweet, I might add), unfortunately for him, where I work we've been using that XKCD suggestion for a while. I usually make passwords based on a few things on my desk, like "Knifedrivemagnet". According to GRC's password haystack there are 2.91 x 10^27 possible passwords for that size and character set. Assuming 350 billion guesses a second, it would take 263,824,214 years to guess that. I think he might have better success mining bitcoins.
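The haystack figures quoted above can be recomputed, and they check out: sixteen characters drawn from upper and lower case give a 52-symbol alphabet, and counting every string up to that length gives about 2.91 x 10^27 candidates, or roughly 264 million years at 350 billion guesses per second. This is an added example, not code from the thread or from GRC; it mirrors the published haystack model (all strings up to the password's length over the character classes present) and then adds the caveat a defender wants: the haystack measures an exhaustive search, but a password built from a few dictionary words lives in a far smaller space defined by how it was generated. The 100,000-word dictionary in the second calculation is an assumption.

```python
"""Recomputing the 'haystack' figures quoted above for "Knifedrivemagnet".

Added example, not code from the thread or from GRC. The symbol count and the
dictionary size used below are assumptions; the 350e9/s rate is the article's.
"""
import string

CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation + " ",   # 33 symbols, matching GRC's count (assumption)
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search would have to cover."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))

def haystack_size(password: str) -> int:
    """Every candidate of length 1..len(password) over that alphabet (exact integer)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def years_to_exhaust(candidates: int, guesses_per_second: float = 350e9) -> float:
    """Wall-clock years to try every candidate at the quoted rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR

def word_combination_space(dictionary_size: int, word_count: int, case_variants: int = 2) -> int:
    """If the password is word_count common words, this is the space that actually matters."""
    return (dictionary_size * case_variants) ** word_count

if __name__ == "__main__":
    pw = "Knifedrivemagnet"
    hay = haystack_size(pw)
    print(f"alphabet {alphabet_size(pw)}, haystack {hay:.3e}, "
          f"{years_to_exhaust(hay):,.0f} years at 350e9/s")
    combos = word_combination_space(100_000, 3)   # assumed 100k-word list, 3 words
    hours = years_to_exhaust(combos) * SECONDS_PER_YEAR / 3600
    print(f"as three dictionary words: {combos:.1e} candidates, {hours:.1f} hours")
```

The lesson is the one the XKCD comic itself draws: rate a password by the size of the space it was picked from, not by the character classes it happens to contain. Three words from a common list is a fine scheme when the list is large and the words are chosen at random, and a weak one when they are the three things sitting on your desk.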
 
2012-12-12 12:12:43 PM  
Keepass is all I use.. If I sign up to a new site I just add a new entry and it auto generates a buttfark insane password for me and I'm g2g.
 
2012-12-12 12:21:08 PM  
I've switched to an image based password. It compares desktop backgrounds. Good luck brute forcing the 3MB anigif.
 
ZAZ [TotalFark]
2012-12-12 12:23:01 PM  
ampoliros: unless your site is really poorly configured

There are a lot of poorly configured sites, or sites using poorly configured hosting providers.

We should treat these sites like people who refuse vaccinations for the core plague-causing diseases, or people who leave guns or unlocked cars around to be stolen.
 
2012-12-12 12:25:48 PM  
Oh, well then I'll start requiring users to submit passwords that include an O, 0, ∅, and Ø. Just so you can't figure it out when written down. And then, we'll require Egyptian Hieroglyphs, for good measure.
 
2012-12-12 12:31:48 PM  

ZAZ: ampoliros: unless your site is really poorly configured

There are a lot of poorly configured sites, or sites using poorly configured hosting providers.

We should treat these sites like people who refuse vaccinations for the core plague-causing diseases, or people who leave guns or unlocked cars around to be stolen.


imokwiththis.jpg
 
2012-12-12 12:33:36 PM  
LOL...my wife is a paranoid BS in CS, so she refuses to run Java, scripts and a bunch of other shiat I can never recall, and she uses a ~20 digit password for everything...that she won't type...instead copy pasta from a text file.

Of course, she can only actually view about one page in three she clicks on, and can only change web pages about every 30 seconds, but nobody can see her baby pics.

*rolls eyes*
 
2012-12-12 12:40:47 PM  
Unless this machine can also magically intercept the text message and find the approval code that google, facebook, etc. sends me any time my account is accessed from non-approved machines, then I think I'll be OK subby.
 
2012-12-12 12:46:54 PM  
This is why I use sentences for my more...important passwords, and semisecure "words" for things like fark.
 
2012-12-12 12:58:42 PM  
I try to make my passwords as difficult as possible usually by randomly hitting keys, like this -- alsdkfjoweklrj,;cvjzxiocuvfklenwr,.uaer. However, they are so complex and yet so impossible to remember, hence I never go back to that website again.
 
2012-12-12 01:05:53 PM  
What about Obscene Gerunds?

/obscure?
 
2012-12-12 01:08:49 PM  

beantowndog: I believe 12345 meets all those criteria.


Phew. My luggage is secure
 
2012-12-12 01:14:51 PM  

Stone Meadow: LOL...my wife is a paranoid BS in CS, so she refuses to run Java, scripts and a bunch of other shiat I can never recall, and she uses a ~20 digit password for everything...that she won't type...instead copy pasta from a text file.

Of course, she can only actually view about one page in three she clicks on, and can only change web pages about every 30 seconds, but nobody can see her baby pics.

*rolls eyes*


As a fellow (pending, 1 more paper) BS in CS, and de facto family tech guru, she's right.

Basic rule:

Extensions:
Adblock - turn off ads
Flashblock - keep flash from running until you say so
Turn off Java
No(t)Script(s) - Turn off Javascript selectively.

Of course, NoScript breaks the internet, so I usually go with the first 3 until they get a virus, and then I give them NoScript, and a basic whitelist for most of their sites.

/Currently running without NoScript. It really does break the internet.
 
2012-12-12 01:25:19 PM  

Mr_Fabulous: I have a cat that died 13 years ago. Nobody on earth besides me, my daughter and my wife can remember that beast's name. Not even my own mother knows it.

But the 3 of us will never forget it, as long as we live. So that's our default password for accounts we share.



TOONCES1999

/never forget
//never forgive
 
2012-12-12 01:26:08 PM  

ChubbyTiger: jaylectricity: ZAZ: jaylectricity

So if they have access to the physical storage of passwords, don't they have access to anything they want anyway?

Yes and no. Think about it like this. They hack Fark and get the passwords, in hashed format. Then they crack the file (offline). Now they have your email address and a password. Sure, that password is the one you use for Fark, but how much do you want to bet that 50% of the Fark passwords also work for a banking site or Amazon (where they have your credit card), or Facebook (where they get tons of other information), etc.


That's why my Fark password isn't particularly difficult. I'd rather the goblins think they've scored big when the truth is they only stole my collection of farts in mason jars. I'd miss it but not that much.
 
2012-12-12 01:27:18 PM  
Yeah, make your nine character passwords, I will stick with seven characters. Everyone will fail trying to guess my password when they try nine characters.

My hotmail account was so old (before I stopped using it) that it had a four character password.
 
2012-12-12 01:40:50 PM  
362436?OnlyIfShes53!

Or similar. I figured out lyrics as passwords in college. If you want to use my NeXT account from 1994, the password is SoICanDieEasy, as I was listening to a lot of Zeppelin at the time.
 
2012-12-12 01:43:53 PM  
Most of America still thinks that the best way to deter password thieves is to make their password hard to guess.

When was the last time you saw a McDonald's employee trying to do something without a computer? Hackers are not sitting there with a pen and paper jotting down possible passwords.
 
2012-12-12 02:47:23 PM  

Smeggy Smurf: I'd rather the goblins think they've scored big when the truth is they only stole my collection of farts in mason jars. I'd miss it but not that much.


I particularly enjoyed pineapple salsa fart #4, 1998. It was a good year.
 
2012-12-12 02:55:06 PM  

meyerkev: Stone Meadow: LOL...my wife is a paranoid BS in CS, so she refuses to run Java, scripts and a bunch of other shiat I can never recall, and she uses a ~20 digit password for everything...that she won't type...instead copy pasta from a text file.

Of course, she can only actually view about one page in three she clicks on, and can only change web pages about every 30 seconds, but nobody can see her baby pics.

*rolls eyes*

As a fellow (pending, 1 more paper) BS in CS, and de facto family tech guru, she's right.

Basic rule:

Extensions:
Adblock - turn off ads
Flashblock - keep flash from running until you say so
Turn off Java
No(t)Script(s) - Turn off Javascript selectively.

Of course, NoScript breaks the internet, so I usually go with the first 3 until they get a virus, and then I give them NoScript, and a basic whitelist for most of their sites.

/Currently running without NoScript. It really does break the internet.


I told her about ratting her out on Fark and she said to mention that she doesn't keep any passwords or account numbers on her laptop's HD, either. Instead, she keeps them on an encrypted thumb drive that she sticks in when she needs it. Oh, and she never uses the "remember me" option with websites, either; empties the trash and dumps cookies when she logs off, etc.
 
2012-12-12 03:20:48 PM  
Personally, I am more concerned with a $5 wrench than this thing.
 
Displayed 50 of 64 comments
This thread is archived, and closed to new comments.