
(Ars Technica) You can salt your hash and break fast some toasted passwords, kiddies (arstechnica.com)
    More: Interesting, trick question, free education, mail server, command lines, passwords, hash marks, graphical user interfaces, MacBook Air  

1951 clicks; posted to Geek » on 27 Mar 2013 at 8:26 AM (1 year ago)



18 Comments

Archived thread
 
2013-03-27 09:06:43 AM
So the takeaway is: running tools against pre-obtained password files is so easy even an English major can do it?
 
2013-03-27 09:14:57 AM
All of my passwords are generated by KeePassX.  Even I don't know what they are.  There is one master psw that only I know. You can't crack it, you can't reason with it.  It is out there and will absolutely not stop ever until you are dead.
 
2013-03-27 09:44:03 AM
Great find subby!

Anyone have a suggestion for password management on Windows?  Is KeePassX a good product (from the post above)?
 
2013-03-27 09:45:03 AM
It looks like, to my totally-ignorant-of-how-most-of-this-hacking-stuff-works brain, that if we moved to passphrases instead of words we would be fairly secure.
 
2013-03-27 10:01:47 AM

manimal2878: It looks like, to my totally-ignorant-of-how-most-of-this-hacking-stuff-works brain, that if we moved to passphrases instead of words we would be fairly secure.


Y2K!!!!
 
2013-03-27 10:04:25 AM

manimal2878: It looks like, to my totally-ignorant-of-how-most-of-this-hacking-stuff-works brain, that if we moved to passphrases instead of words we would be fairly secure.


[obligatory xkcd.jpg]

The problem is that not only have we spent 20+ years training users (ourselves included) to make passwords that are easy for a machine to guess, we've spent 20+ years developing code libraries that only accept such easily broken passwords.

"Correct Horse Battery Staple" is an exceptionally strong password (well ok, that combination isn't; it's well known in IT circles) but very few of the systems we use would accept it: not enough number substitution, too long, 'illegal' characters (the spaces). Hell, I'm sure there are some libraries which will tell you that is too short a password because they terminate at the first space.

If businesses want to take security seriously, there needs to be a lot of expensive man hours refactoring a lot of code.  But they don't, they just write it into their TOS that it's your problem not theirs.
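As an added illustration of the point made in the post above (example code; it is not from the Ars article, the thread, or any password library), here is a hypothetical "legacy" validator of the kind described, with a length window, composition rules, a ban on spaces and the stop-at-first-space bug, beside a passphrase-friendly one, both run over constructed sample passwords. The thresholds, the truncation bug and the 2048-word list size used for the passphrase estimate are assumptions.

```python
import math
import string

# Constructed sample inputs for the comparison (not taken from the article).
PASSPHRASE = "Correct Horse Battery Staple"
LEETSPEAK = "Tr0ub4dor&3"
SINGLE_WORD = "mittens"

# Assumed word-list size for the passphrase estimate: 2^11 words, i.e. 11 bits
# per word, the figure the well-known xkcd strip uses.
WORDLIST_SIZE = 2048


def legacy_policy(pw):
    """Hypothetical 'legacy' validator of the kind the post complains about:
    8-16 characters, mandatory digit and symbol, no spaces, plus the bug where
    the checker stops reading at the first space.  Returns a list of rejection
    reasons; an empty list means the password was accepted."""
    reasons = []
    # The truncation bug: everything after the first space is dropped before
    # the other checks run, so a four-word passphrase is judged as one word.
    seen = pw.split(" ", 1)[0]
    if " " in pw:
        reasons.append("illegal character: space")
    if len(seen) < 8:
        reasons.append("too short (%d chars after truncation)" % len(seen))
    if len(pw) > 16:
        reasons.append("too long (max 16)")
    if not any(c.isdigit() for c in seen):
        reasons.append("needs a digit")
    if not any(c in string.punctuation for c in seen):
        reasons.append("needs a symbol")
    return reasons


def passphrase_policy(pw, min_len=12, max_len=128):
    """Hypothetical passphrase-friendly validator: a length floor, a generous
    ceiling (a salted hash is fixed-size, so the cap only bounds the cost of
    hashing one login attempt), any printable character including spaces,
    and no composition rules.  Same return convention as legacy_policy()."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short (min %d)" % min_len)
    if len(pw) > max_len:
        reasons.append("too long (max %d)" % max_len)
    if any(not c.isprintable() for c in pw):
        reasons.append("control characters not allowed")
    return reasons


def passphrase_bits(pw, wordlist_size=WORDLIST_SIZE):
    """Rough guess-space estimate for a multi-word passphrase: each word is
    assumed to be drawn uniformly from a list of wordlist_size words, so an
    attacker must try wordlist_size ** words combinations.  This is the model
    the xkcd strip uses; it says nothing useful about single-token passwords
    such as LEETSPEAK, for which it degenerates to one word."""
    words = pw.split()
    return len(words) * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in (PASSPHRASE, LEETSPEAK, SINGLE_WORD):
        print("%-30r legacy=%s passphrase=%s bits=%.0f" % (
            pw, legacy_policy(pw) or "accepted",
            passphrase_policy(pw) or "accepted", passphrase_bits(pw)))
```

Run as a script it prints one line per sample; the legacy policy rejects the four-word passphrase on all five counts the post lists (space, too short after truncation, too long, no digit, no symbol) while waving through the eleven-character leetspeak string, and the passphrase policy does the reverse.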
 
imi
2013-03-27 12:01:51 PM

moistD: Great find subby!

Anyone have a suggestion for password management on Windows?  Is KeePassX a good product (from the post above)?


I use KeePass on the Windows side of the aisle.  I'd say it's a very good choice as a password manager.
 
2013-03-27 12:07:12 PM
Great article that.  I'll be passing this one on.
 
2013-03-27 12:40:53 PM
I use KeePassX for Linux as well. Works pretty well for me. It has a lot of things you can customize. If you are using it for things like Linux or AIX logins, you can use the URL feature to have it run your shell program (PuTTY) and hand it the machine name, id and password. Makes it nice to automate things.
 
2013-03-27 12:41:05 PM

moistD: Great find subby!

Anyone have a suggestion for password management on Windows?  Is KeePassX a good product (from the post above)?


I like LastPass so far.  Because of my concerns about central repositories like that being cracked (or worse, abused by dishonest staff), I won't use it for critical things like banking - for that, I use long passwords that only live in my head.


Where LP is helping me is those lesser importance passwords like here or in forums.  I have over 100 forum accounts (that's forums for things of interest but also all those support forums that you have to create accounts for) and I'm slowly converting those to LastPass randomly generated passwords that are quite long.

The problem I see with forum passwords is that people like me have so many of them that it's nearly impossible to have unique passwords for all... and even if you alter them within a pattern, that pattern is usually guessable*.  Also, it seems that forum passwords are some of the most vulnerable because they don't get the same security attention that say, electronic payment does.

* interesting story... I used to have a password alteration system so that I could have unique passwords but they were all based off a root password.  One day a friend and I were talking about password length and cracking and he was telling me of his system to create longer passwords.  It was so similar to the way I was creating passwords it was spooky.  In effect, what I thought was clever was basically common knowledge.
 
2013-03-27 03:03:55 PM
This article is terrifying, because I'm realizing how much my passwords suck.
 
2013-03-27 04:04:25 PM
My password is 'mittens'.

hmmmmmm ...

maybe I shouldn't have mentioned that.
 
2013-03-27 04:21:22 PM
That was a surprisingly good article. I was expecting some sensationalist "OMG NOONE IS SAFE!" derp. Nice find, subby
 
2013-03-27 04:58:45 PM
I concur, and it's been 20 years since I futzed around with UNIX-like command lines.
 
2013-03-27 05:02:46 PM

moistD: Great find subby!

Anyone have a suggestion for password management on Windows?  Is KeePassX a good product (from the post above)?


It's free, AES encrypted, very strong, automates shells and execs....all wins. You can put it on a USB.  As long as you never share the master psw and no one gets a copy of your kbd file, it can't be cracked. Password complexity up to the ridiculous level if you wish.  I'm surprised no one has bought them up yet.  It's open source code, runs on *nix, Winders.....been running it for 3 years now and never has failed me.

KeePassx.org
 
2013-03-27 05:39:12 PM
Another vote for KeePassX. It even has an iOS client. I keep all my various devices synced to the same database via Dropbox and it couldn't be more convenient.

One thing that did suck is having to enter my Windows Live password (Xbox) with the controller. Entering 20 some characters of line noise that way was not fun.

This way all of your passwords are insanely strong and you just need to remember one of them. You really need to make that one a "real" password though. Equally gibberish.  10+ characters.

Using this app really exposes how shiatty most places are with their password policies. Many have a maximum password size (WTF?) or disallow a lot of non-alphanumeric characters. Stupid.
 
2013-03-27 07:25:51 PM
I only have 4 passwords:

1. The 'throwaway' password I use for forums and things like Fark. Someone could hack the hell out of it without a lot of effort, but...I really don't care.

2. The semi-serious password I use for personal email and social sites. Like correct horse battery, it's more of a phrase than a single word, and it's pretty freaking secure without requiring a huge set of stupid requirements.

3. The serious password I use for banking. This one follows all the 'strong password' rules, it never gets written down, and it gets changed every 3 months or so. 

4. My work password, conforming to whatever idiotic rules my current employer cares to impose. 

Yes, I know it's a bad plan to re-use passwords across sites, but the only thing worse than trying to remember a password like 'asdfW#R@)3U#q71ed!!' is trying to remember 35 different ones, for each of the sites I use. So instead, I slice them into tiers, according to importance and likelihood of serious harm being done to me if someone were to hack them.
 
2013-03-29 01:27:43 AM
 
Displayed 18 of 18 comments



This thread is archived, and closed to new comments.
