
(MacRumors) Apple's multimillion dollar advanced security system foiled by a Scrabble dictionary and a shiatty graphics card. No, that isn't snark, that is the actual truth (macrumors.com)
    More: Fail, Scrabble, security systems, iOS, Scrabble dictionary, wifi hotspots, GPUs, random numbers, gas generator  

Posted to Geek on 19 Jun 2013 at 10:52 PM




Archived thread
 
2013-06-19 08:10:26 PM  
This should make for a totally calm and rational discussion on Apple security.
 
2013-06-19 08:19:35 PM  
Um, how does Apple's auto-generating password thingy constitute an advanced security system?

I mean, if you were really interested in secure connections, wouldn't you create your own complicated alphanumeric strings with symbols? If you weren't worried or otherwise didn't care about security at all, this little password generator would probably be your first choice and should meet your expectations.
 
ZAZ [TotalFark]
2013-06-19 08:35:16 PM  
a combination of a short English word along with random numbers

If only there were some geek who couldn't draw to make a webcomic instruction on creating easily remembered but hard to crack passwords.
 
2013-06-19 08:47:13 PM  

dr_blasto: Um, how does Apple's auto-generating password thingy constitute an advanced security system?

I mean, if you were really interested in secure connections, wouldn't you create your own complicated alphanumeric strings with symbols? If you weren't worried or otherwise didn't care about security at all, this little password generator would probably be your first choice and should meet your expectations.


You actually can create your own - you don't have to keep the one the phone chooses for you.
 
2013-06-19 08:50:56 PM  

rwhamann: dr_blasto: Um, how does Apple's auto-generating password thingy constitute an advanced security system?

I mean, if you were really interested in secure connections, wouldn't you create your own complicated alphanumeric strings with symbols? If you weren't worried or otherwise didn't care about security at all, this little password generator would probably be your first choice and should meet your expectations.

You actually can create your own - you don't have to keep the one the phone chooses for you.


I know, that's the point. IF you really cared, you would make your own and not just rely on the simple auto-generated one. The point being, this is a ridiculous complaint. Anyone interested in security wouldn't be affected.
 
2013-06-19 08:56:47 PM  
And buried in the second last paragraph, we find this:

As noted by ZDNet, though Apple's password generation system is flawed, it is a more robust solution than what is used by other companies like Microsoft. For example, the Windows 8 phone utilizes default passwords that consist of eight digit numbers.
 
2013-06-19 09:04:43 PM  

bingethinker: And buried in the second last paragraph, we find this:

As noted by ZDNet, though Apple's password generation system is flawed, it is a more robust solution than what is used by other companies like Microsoft. For example, the Windows 8 phone utilizes default passwords that consist of eight digit numbers.


But but sensationalism and CLICKS!
 
2013-06-19 09:17:28 PM  
I hate Scrabble dictionaries.

I have an abridged two volume OED and that's what a real man uses for Scrabble.

And ALL the words count, biatches.
 
2013-06-19 09:22:17 PM  

Marcus Aurelius: I hate Scrabble dictionaries.

I have an abridged two volume OED and that's what a real man uses for Scrabble.

And ALL the words count, biatches.


Real men use the unabridged OED.
 
2013-06-19 09:26:39 PM  
A 6990 isn't exactly a shiatty card, even if it is a generation old, that is all.
 
2013-06-19 09:37:10 PM  

Marcus Aurelius: I hate Scrabble dictionaries.

I have an abridged two volume OED and that's what a real man uses for Scrabble.

And ALL the words count, biatches.


Real men use Hungarian Phrasebooks.
 
2013-06-19 09:46:05 PM  
[image] Does not approve.
 
2013-06-19 09:58:01 PM  
The ios7 "default" password is way more difficult than the old one. For example, the suggested password on my phone is in the format aaa1aaaa1a11, and there are no dictionary or even fake dictionary words included.

So, it's a good thing this is going to be an issue for about 3 more months.
 
2013-06-19 10:04:22 PM  

Shostie: Marcus Aurelius: I hate Scrabble dictionaries.

I have an abridged two volume OED and that's what a real man uses for Scrabble.

And ALL the words count, biatches.

Real men use the unabridged OED.


In that case, all the words count.

/my hero\
 
2013-06-19 10:15:44 PM  
In the battle between guns and armor, guns always win in the end.

That observation notwithstanding, this story is impossible. According to the fanbois, nobody hacks Apple stuff.
 
2013-06-19 10:16:54 PM  

Kredal: So, it's a good thing this is going to be an issue for about 3 more months.


Fixing a security issue in three months?  That's got to be a record for Apple.
 
2013-06-19 10:20:04 PM  

hardinparamedic: Real men use Hungarian Phrasebooks.


Look, I won't judge you, if you don't judge me.
 
2013-06-19 10:27:50 PM  

demaL-demaL-yeH: This should make for a totally calm and rational discussion on Apple security.


I hear that if you seal them into an oak barrel with bees wax and sink them into a deep river in the late summer, they will stay fresh until the following spring.  You just have to make sure no one sees where you anchor them.
 
2013-06-19 10:35:49 PM  

Wintermute6: A 6990 isn't exactly a shiatty card, even if it is a generation old, that is all.


No kidding. 5.4 Tflops @ single precision
 
2013-06-19 10:38:56 PM  

Marcus Aurelius: demaL-demaL-yeH: This should make for a totally calm and rational discussion on Apple security.

I hear that if you seal them into an oak barrel with bees wax and sink them into a deep river in the late summer, they will stay fresh until the following spring.  You just have to make sure no one sees where you anchor them.


Argon gas.
 
2013-06-19 10:55:35 PM  

demaL-demaL-yeH: This should make for a totally calm and rational discussion on Apple security.


Rational discussions don't equate to high click rates.
 
2013-06-19 10:56:05 PM  
FTFA: As noted by ZDNet, though Apple's password generation system is flawed, it is a more robust solution than what is used by other companies like Microsoft. For example, the Windows 8 phone utilizes default passwords that consist of eight digit numbers.

Meh. They both let you create your own instead of default.

I use my dad's work phone number from when I was a kid, alternating the numerals and the letter a row below it. So if part were 1234 I'd use 1w3r.
 
2013-06-19 11:01:28 PM  

dr_blasto: rwhamann: dr_blasto: Um, how does Apple's auto-generating password thingy constitute an advanced security system?

I mean, if you were really interested in secure connections, wouldn't you create your own complicated alphanumeric strings with symbols? If you weren't worried or otherwise didn't care about security at all, this little password generator would probably be your first choice and should meet your expectations.

You actually can create your own - you don't have to keep the one the phone chooses for you.

I know, that's the point. IF you really cared, you would make your own and not just rely on the simple auto-generated one. The point being, this is a ridiculous complaint. Anyone interested in security wouldn't be affected.


Not only that, but the device shows you how many devices are connected. It does so on the home and lock screens. So, in the unlikely confluence of events where you are using your iOS device as a hotspot and 1) You didn't change the password, 2) Somebody nearby was trying to crack your password, and 3) You are in proximity long enough for it to happen, then you STILL will likely notice "Hey, I show two/three/etc. devices connected and I only connected one. I ought to do something."

If you're THAT obtuse, fark it, you have it coming.
 
2013-06-19 11:05:51 PM  
correct horse battery staple
 
2013-06-19 11:08:28 PM  
As others have said, sure the generated default password isn't as secure as it could be, but I think the odds of someone bothering to do so are slim, you are constantly shown the number of connected users, and worst case - oh no, they're surfing on your bandwidth - and that's it. No personal data is exposed.
 
2013-06-19 11:11:53 PM  
Who the fark uses a default password on anything?
 
2013-06-19 11:16:38 PM  

hardinparamedic: Marcus Aurelius: I hate Scrabble dictionaries.

I have an abridged two volume OED and that's what a real man uses for Scrabble.

And ALL the words count, biatches.

Real men use Hungarian Phrasebooks.




My hovercraft is full of eels.
 
2013-06-19 11:21:46 PM  

demaL-demaL-yeH: Marcus Aurelius: demaL-demaL-yeH: This should make for a totally calm and rational discussion on Apple security.

I hear that if you seal them into an oak barrel with bees wax and sink them into a deep river in the late summer, they will stay fresh until the following spring.  You just have to make sure no one sees where you anchor them.

Argon gas.


What a waste.

I see your lazy gas and raise you several thousand atmospheres.

/silly englishman
 
2013-06-19 11:46:06 PM  
And by a shiatty graphics card you mean the highest end graphics card of the last generation or four of the second fastest single-chip cards of this generation, right?

Cards that probably won't be feasible anywhere near where people feel the need to create a wifi hotspot.

/Still hate Apple
//Love desktop hardware
 
2013-06-19 11:50:17 PM  
Wow! Whoever wrote this headline straight up doesn't know what they are talking about. All they are talking about is when you turn on an option to create a hotspot. It's no "advanced security system." It's a short algorithm that generates an 8 character password consisting of letters and numbers that probably took some guy 10 minutes to create. The simplicity is for the sake of users who can't be bothered to input a secure password (I've run into people who couldn't be assed to put in a password with symbols. They actually complained.) Subby is a total dumbass.
 
2013-06-19 11:53:16 PM  
The default password for my Comcast router is like 40 "random" hexadecimal characters. I thought that was a bit overkill.
 
2013-06-19 11:59:05 PM  

RealAmericanHero: Wow! Whoever wrote this headline straight up doesn't know what they are talking about. All they are talking about is when you turn on an option to create a hotspot. It's no "advanced security system." It's a short algorithm that generates an 8 character password consisting of letters and numbers that probably took some guy 10 minutes to create. The simplicity is for the sake of users who can't be bothered to input a secure password (I've run into people who couldn't be assed to put in a password with symbols. They actually complained.) Subby is a total dumbass.


If you don't think it's unreasonable to choose a password consisting of at least 3 of the following that changes every 2 months and can't re-use any 6 character chunk...
number
lower case letter
upper case letter
special character

I think that merits complaining. Even assuming you chose part of the opening sentence of your favorite book... "Now is the winter of our discontent", for example, the time it would take to crack my sentence is somewhere on the order of 200x longer than the 8 character garble I am forced to use at work. In my case, it's actually worse, as a contractor, my company has a 2mo cycle, the client has a 3mo cycle. So I have numerous of these stupid passwords at a go.

Logically, If I chose say... a 30 character phrase, I should be able to keep my password at least a year. I'm sick of managing passwords.
 
2013-06-20 12:02:55 AM  

dyhchong: And by a shiatty graphics card you mean the highest end graphics card of the last generation or four of the second fastest single-chip cards of this generation, right?

Cards that probably won't be feasible anywhere near where people feel the need to create a wifi hotspot.

/Still hate Apple
//Love desktop hardware


Came here to post this. Subby may have thought they were talking about something from the GeForce 6000 series, but the 6990 is about as "shiatty" as a GTX 590.
 
2013-06-20 12:10:36 AM  

GreenAdder: Who the fark uses a default password on anything?


Apple users.
 
2013-06-20 12:16:50 AM  

bingethinker: And buried in the second last paragraph, we find this:

As noted by ZDNet, though Apple's password generation system is flawed, it is a more robust solution than what is used by other companies like Microsoft. For example, the Windows 8 phone utilizes default passwords that consist of eight digit numbers.


Bu-bu-bu-but Microsoft!
 
2013-06-20 12:21:44 AM  
Not into IT at all, but wouldn't it be easy to avoid brute force attempts like this by simply limiting the number of attempted connections from one device (or all devices, to prevent spoofing of the device id) per minute?
 
2013-06-20 12:21:52 AM  

Shostie: Marcus Aurelius: I hate Scrabble dictionaries.

I have an abridged two volume OED and that's what a real man uses for Scrabble.

And ALL the words count, biatches.

Real men use the unabridged OED.


Beat me to it
 
2013-06-20 12:33:27 AM  

bingethinker: And buried in the second last paragraph, we find this:

As noted by ZDNet, though Apple's password generation system is flawed, it is a more robust solution than what is used by other companies like Microsoft. For example, the Windows 8 phone utilizes default passwords that consist of eight digit numbers.


But it's not more robust.

Microsoft's is ten digits, which is 10^8.
Apple's is a word chosen from a list of less than two-thousand words followed by four numeric digits, which works out to be less than 10^7.3.

It isn't a gigantic difference, but still...
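The keyspace arithmetic from the post above, carried through in code. This is an added example, not code from the thread, the article or Apple. Assumptions are labelled in the source: the word list is taken to have 1,842 entries (the thread only says "fewer than two thousand"), the numeric schemes are 8 and 10 digits, and the guess rate is back-derived from the article's "50 seconds" figure by assuming that run searched the whole word+4-digit space. The two generator functions reproduce the word+digits scheme and the "12 random characters" alternative suggested later in the thread, using the `secrets` module so the output is actually unpredictable.

```python
"""Keyspace and crack-time estimates for default hotspot password schemes.
Added example; N_WORDS, the 50 s figure and the guess rate derived from it
are assumptions, not measurements."""
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits


def keyspace_word_digits(n_words: int, n_digits: int) -> int:
    """one word from an n_words list followed by n_digits decimal digits"""
    return n_words * 10 ** n_digits


def keyspace_digits(n_digits: int) -> int:
    """purely numeric default, n_digits long"""
    return 10 ** n_digits


def keyspace_random(alphabet_size: int, length: int) -> int:
    """uniformly random string of `length` symbols from an alphabet"""
    return alphabet_size ** length


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def implied_guess_rate(keyspace: int, seconds: float) -> float:
    """guesses/second an attacker must sustain to exhaust keyspace in `seconds`"""
    return keyspace / seconds


def worst_case_seconds(keyspace: int, guesses_per_second: float) -> float:
    """time to exhaust the whole space; the expected time is half of this"""
    return keyspace / guesses_per_second


def generate_word_digits(words, n_digits: int = 4) -> str:
    """the scheme the article describes: dictionary word + random digits"""
    suffix = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return secrets.choice(words) + suffix


def generate_random(length: int = 12, alphabet: str = ALNUM) -> str:
    """the alternative suggested in the thread: random alphanumerics"""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    N_WORDS, ARTICLE_SECONDS = 1842, 50          # assumptions, see module docstring
    apple = keyspace_word_digits(N_WORDS, 4)
    rate = implied_guess_rate(apple, ARTICLE_SECONDS)
    print(f"implied attacker rate: {rate:,.0f} guesses/s")
    schemes = [("word + 4 digits", apple),
               ("8 digits", keyspace_digits(8)),
               ("10 digits", keyspace_digits(10)),
               ("12 random alnum", keyspace_random(len(ALNUM), 12))]
    for name, space in schemes:
        print(f"{name:16s} {entropy_bits(space):6.1f} bits, "
              f"worst case {worst_case_seconds(space, rate):.3g} s")
    print("sample:", generate_word_digits(["alpha", "bravo", "delta"]), generate_random())
```

Under those assumptions the word+4-digit space is about 2^24.1 and the 8-digit space about 2^26.6, so the poster's ordering holds; at the rate implied by the article the 8-digit space falls in a few minutes and the 10-digit one in a few hours, while 12 random alphanumerics (about 71 bits) are out of reach of that hardware.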
 
2013-06-20 12:43:51 AM  

dr_blasto: The point being, this is a ridiculous complaint. Anyone interested in security wouldn't be affected.


It's a very valid complaint.  The people who aren't "interested in security" need it the most.

They need strong automagically generated passwords, because they wouldn't know that they have weak ones.
 
2013-06-20 12:54:59 AM  
A note to all you passphrase people. Add a number or symbol to somewhere in the middle of one of the words or purposely misspell one of them. (If I assume it's an English phrase of not more than 10 words, it's a lot easier to brute force than having to check each character in the phrase)

//to infinity and b3yond
 
2013-06-20 01:04:07 AM  
Have you ever tried to set up a password in Fedora Linux?

It is like shoving glass into your penile hole and then breaking said glass. It's very painful.
 
2013-06-20 01:07:27 AM  

Shostie: Marcus Aurelius: I hate Scrabble dictionaries.

I have an abridged two volume OED and that's what a real man uses for Scrabble.

And ALL the words count, biatches.

Real men use the unabridged OED.


Real men use SOWPODS when it comes to scrabble.
 
2013-06-20 01:08:42 AM  
I think most of the posters here are missing the point. I'm not going to get into 'Apple vs. MS' or 'default PW vs. making up your own', or even 'No one would ever set up a cracking rig like this anywhere near where someone is setting up a mobile hotspot'.

For me, the real takeaway from the article was the description of Apple's PW generation algorithm. Really? That's the best you can come up with?

I would fire the guy who designed/coded a password generator that pathetic.
 
2013-06-20 01:17:47 AM  
Quantumbunny: lower case letter
upper case letter
special character


And that substitution crap is dead as well.

You know, where you use an ! or 1 in place of I, or a 0 instead of O, or 3 instead of E.

// These days, common word passwords get run through mutators that generate all of the variants. It's basically no better than using the bare word itself.
 
2013-06-20 01:34:04 AM  
Oblig: [image]
 
2013-06-20 01:40:25 AM  

lewismarktwo: Oblig: [img.fark.net image 740x601]


That's why all my passwords are correcthorsebatterystaple. It's the most secure password ever.
 
2013-06-20 01:44:01 AM  

akula: Not only that, but the device shows you how many devices are connected. It does so on the home and lock screens. So, in the unlikely confluence of events where you are using your iOS device as a hotspot and 1) You didn't change the password, 2) Somebody nearby was trying to crack your password, and 3) You are in proximity long enough for it to happen, then you STILL will likely notice "Hey, I show two/three/etc. devices connected and I only connected one. I ought to do something."


This. The security code is basically just there to stop random people at the airport or the hotel from hopping on your phone's hotspot when you fire it up to avoid using the molasses slow free wi-fi. It's not really there to keep your SSN and taxes secure. It's like someone being really proud of themselves for being able to figure out how to pick the cheap lock you stuck on your garden shed to keep the neighbor kid from rifling through your crap. It's REALLY unlikely that you'd be near anyone with a gaming laptop and the know how to hack your temporary hot spot.
 
2013-06-20 01:56:03 AM  

spamdog: bingethinker: And buried in the second last paragraph, we find this:

As noted by ZDNet, though Apple's password generation system is flawed, it is a more robust solution than what is used by other companies like Microsoft. For example, the Windows 8 phone utilizes default passwords that consist of eight digit numbers.

Bu-bu-bu-but Microsoft!


[image]
 
2013-06-20 02:09:18 AM  

Kredal: The ios7 "default" password is way more difficult than the old one.  for example, the suggested password on my phone is in the format aaa1aaaa1a11, and there are no dictionary or even fake dictionary words included.

So, it's a good thing this is going to be an issue for about 3 more months.


I count eight words and three brand names, along with one word and two proper names with simple "l33t" substitution spellings.  I've probably missed some.
 
2013-06-20 02:56:46 AM  
Isn't it easier to set your own password? That's what I've always done.
 
2013-06-20 03:38:24 AM  
Fun fact:  Carnegie Mellon web-based email used to send everything plaintext, all it took was a sniffer on the hotspot to gain full access to an email account.
 
2013-06-20 06:17:21 AM  

LockeOak: Not into IT at all, but wouldn't it be easy to avoid brute force attempts like this by simply limiting the number of attempted connections from one device (or all devices, to prevent spoofing of the device id) per minute?


Yes, it would. It is a disgrace that Apple (and probably other companies) didn't do that. 1 attempt/second, 5 second wait after 3 fails and a 15 minute lockout after 5 fails would boost the time required to several years. Or just put a (manually revocable) lifetime ban on the device that reaches 10 fails. The ban could probably be circumvented by spoofing a different ip/mac address but it would probably be more effort than it is worth anyway. Or the hotspot could turn off if more than 1 device has reached the level at which bans are given.

The hacker wouldn't be nearby for longer than a few hours anyway, considering that this is about mobile hotspots.
 
2013-06-20 06:29:39 AM  
Before I forget:

The team discovered that only a small set of Apple's larger word list was being used, so with GPU cluster of four AMD Radeon HD 7970s, they narrowed their iOS-generated hotspot password cracking time down to just 50 seconds.

That is 4 video cards which according to Newegg are at least $360 each. Good luck putting that on a mobile platform.
 
2013-06-20 06:39:19 AM  

hardinparamedic: Real men use Hungarian Phrasebooks.


Drop your panties, Ilsa, I cannot wait 'til lunchtime!

/I cannot buy this tobacconist's, it is scratched
//All my passwords contain MAD onomatopoeia or words I've made up myself
 
2013-06-20 07:13:12 AM  

hamdinger: GreenAdder: Who the fark uses a default password on anything?

Apple users.


Hell, I might in this case.

1. The hotspot is only on temporarily.
2. I would only be using it in a place where I can't get a normal wifi connection, so even a coffee shop is too connected for this scenario.
3. It would be incredibly unlikely that someone would have the hardware and software available and be attempting to hack a wifi connection in the short time I am using the hotspot.
4. Even if they got on to the hotspot, unless they are mailing out threatening emails to the President or downloading kiddie porn, who the hell cares.
5. That is a long/expensive way for someone to go to get access to the Internet.

An analogy would be the fact that I don't put metal bars over all the windows in my house even though breaking a window is a trivially easy way to bypass the locked door. Some security measures are really there to put up enough of a barrier to keep most people honest.
 
2013-06-20 07:16:57 AM  
Isn't the real question why Apple didn't use a random password? It doesn't need to be memorable or pronounceable. Why use dictionary words at all? 12 random characters would be easier and more secure.
 
2013-06-20 07:39:00 AM  

DerAppie: LockeOak: Not into IT at all, but wouldn't it be easy to avoid brute force attempts like this by simply limiting the number of attempted connections from one device (or all devices, to prevent spoofing of the device id) per minute?

Yes, it would. It is a disgrace that Apple (and probably other companies) didn't do that. 1 attempt/second, 5 second wait after 3 fails and a 15 minute lockout after 5 fails would boost the time required to several years. Or just put a (manually revocable) lifetime ban on the device that reaches 10 fails. The ban could probably be circumvented by spoofing a different ip/mac address but it would probably be more effort than it is worth anyway. Or the hotspot could turn off if more than 1 device has reached the level at which bans are given.

The hacker wouldn't be nearby for longer than a few hours anyway, considering that this is about mobile hotspots.


While it's a good idea (and some systems do have this sort of security), it wouldn't be applicable, as WiFi cracking is an offline exercise.  You capture traffic from the air and then crack that traffic locally.
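The point Pinko_Commie makes, shown in code: once the WPA2 four-way handshake has been sniffed, every candidate passphrase is checked against the captured MIC on the attacker's own hardware, so an attempt limiter on the hotspot never sees a single try. This is an added example, not the article's or the researchers' code. The key derivations are the real IEEE 802.11i ones (PBKDF2-HMAC-SHA1 over the SSID for the PMK, PRF-512 for the PTK, HMAC-SHA1 truncated to 16 bytes for the EAPOL MIC), but the handshake is simulated in-process rather than captured from the air, and the EAPOL body is a constructed stand-in for message 2. The word list and passphrase are made up; a real run would iterate all 10,000 suffixes per word.

```python
"""Offline WPA2-PSK candidate checking against a captured 4-way handshake.
Added example. build_handshake() plays the AP/client pair; crack_offline()
is the attacker and touches nothing but the capture dict."""
import hashlib
import hmac
import os
from typing import Iterable


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated"""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # WPA2/CCMP key descriptor: HMAC-SHA1 over the frame (MIC field zeroed), first 16 bytes
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def build_handshake(passphrase: str, ssid: str) -> dict:
    """Everything a passive sniffer sees. The passphrase itself never goes over the air."""
    ap_mac, sta_mac = os.urandom(6), os.urandom(6)
    anonce, snonce = os.urandom(32), os.urandom(32)
    # constructed stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed
    eapol = b"\x02\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 16 + snonce + b"\x00" * 16
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol,
            "mic": eapol_mic(kck, eapol)}


def word_digit_candidates(words: Iterable[str], digits=range(10000)) -> Iterable[str]:
    """the word + four-digit scheme; the full space is len(words) * 10,000"""
    for w in words:
        for d in digits:
            yield f"{w}{d:04d}"


def crack_offline(capture: dict, candidates: Iterable[str]):
    """Return (passphrase, attempts) or (None, attempts). No packet is sent to the
    access point, so per-device attempt limits there can never trigger."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        pmk = pmk_from_passphrase(cand, capture["ssid"])
        kck = ptk_from_pmk(pmk, capture["ap_mac"], capture["sta_mac"],
                           capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    cap = build_handshake("coat0042", "iPhone")          # constructed secret and SSID
    found, n = crack_offline(cap, word_digit_candidates(["head", "coat", "open"], range(100)))
    print(f"recovered {found!r} after {n} offline PBKDF2 derivations")
```

The only thing the attacker needs from the radio is the one handshake; the 4,096-iteration PBKDF2 is the entire per-guess cost, which is exactly what the GPU cluster in the article parallelises. Changing the generated password to something outside any word list is the defence; rate limiting at the AP is not.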
 
2013-06-20 07:52:09 AM  

Pinko_Commie: DerAppie: LockeOak: Not into IT at all, but wouldn't it be easy to avoid brute force attempts like this by simply limiting the number of attempted connections from one device (or all devices, to prevent spoofing of the device id) per minute?

Yes, it would. It is a disgrace that Apple (and probably other companies) didn't do that. 1 attempt/second, 5 second wait after 3 fails and a 15 minute lockout after 5 fails would boost the time required to several years. Or just put a (manually revocable) lifetime ban on the device that reaches 10 fails. The ban could probably be circumvented by spoofing a different ip/mac address but it would probably be more effort than it is worth anyway. Or the hotspot could turn off if more than 1 device has reached the level at which bans are given.

The hacker wouldn't be nearby for longer than a few hours anyway, considering that this is about mobile hotspots.

While it's a good idea (and some systems do have this sort of security), it wouldn't be applicable, as WiFi cracking is an offline exercise.  You capture traffic from the air and then crack that traffic locally.


Stupid me... Forgot that the security data needs to be sent along with the rest of the transmission.
 
2013-06-20 09:14:07 AM  

Quantumbunny: RealAmericanHero: Wow! Whoever wrote this headline straight up doesn't know what they are talking about. All they are talking about is when you turn on an option to create a hotspot. It's no "advanced security system." It's a short algorithm that generates an 8 character password consisting of letters and numbers that probably took some guy 10 minutes to create. The simplicity is for the sake of users who can't be bothered to input a secure password (I've run into people who couldn't be assed to put in a password with symbols. They actually complained.) Subby is a total dumbass.

If you don't think it's unreasonable to choose a password consisting of at least 3 of the following that changes every 2 months and can't re-use any 6 character chunk...
number
lower case letter
upper case letter
special character

I think that merits complaining. Even assuming you chose part of the opening sentence of your favorite book... "Now is the winter of our discontent", for example, the time it would take to crack my sentence is somewhere on the order of 200x longer than the 8 character garble I am forced to use at work. In my case, it's actually worse, as a contractor, my company has a 2mo cycle, the client has a 3mo cycle. So I have numerous of these stupid passwords at a go.

Logically, If I chose say... a 30 character phrase, I should be able to keep my password at least a year. I'm sick of managing passwords.


This
 
2013-06-20 09:22:58 AM  
Just tested my WIFI password at https://howsecureismypassword.net/

Results:

It would take a desktop PC about A million years to crack your password


I think I'm good.
 
2013-06-20 09:27:42 AM  
Tested the password I have at work:

It would take a desktop PC about 3 quadrillion years to crack your password

Guess I'm good there too.
 
2013-06-20 09:28:47 AM  

ZAZ: If only there were some geek who couldn't draw to make a webcomic instruction on creating easily remembered but hard to crack passwords.


"battery staple correct horse"!  Crap, that didn't work... maybe "correct horse staple battery"?  Hm.

If I were a password cracker focusing on Reddit-type I'm-a-nerd-LOL-me-too sites, I'd give a strong weight to "four dictionary words separated by spaces" in my cracking algorithm after the publication of that xkcd comic.
 
2013-06-20 09:48:06 AM  

imfallen_angel: Tested the password I have at work:

It would take a desktop PC about 3 quadrillion years to crack your password

Guess I'm good there too.


I did the same thing to my wifi password and got 312 nonillion years. I had never even heard of a nonillion
 
2013-06-20 10:25:04 AM  
Penisx12 takes 62 unvigintillion years to crack according to that site.
 
2013-06-20 10:30:32 AM  
Isn't this one of the plot points from Ocean's 14?
 
2013-06-20 10:59:59 AM  
From the comments:

"Wow, I guess next time I setup a personal hotspot to check my email on my laptop, I'd better watch out for someone nearby with a "GPU cluster of four AMD Radeon HD 7970s".

BTW Subby, the card you listed in the headline is far from 'shiatty" - it only is if you're a "733t gamer"
 
2013-06-20 11:41:57 AM  

imfallen_angel: Just tested my WIFI password at https://howsecureismypassword.net/

Results:

It would take a desktop PC about A million years to crack your password


I think I'm good.


That (and all the sites like it) is actually a really crappy and misleading place to test strength. "A desktop PC" doesn't tell you what's actually doing it. Are they saying a dual core, 3.2Ghz processor? How about a couple GPUs? Or is it a 4, 8, 12 core processor? What's the power in like? What's the latency on the hardware?

The only absolute measurement is mathematic, expressed as entropy (as referenced in the XKCD comic above). With that knowledge, you can then apply the degrees of entropy to the actual machine doing the cracking. Here's a much better page that also gives guidelines on good passwords, and why they're good:

http://rumkin.com/tools/password/passchk.php

For example, a password I use for non-essential non-financial stuff would take "4 thousand years" on the crappy first site, while that same password gives me this result from my link:

Length: 11
Strength: Reasonable - This password is fairly secure cryptographically and skilled hackers may need some good computing power to crack it. (Depends greatly on implementation!)
Entropy: 45.3 bits
Charset Size: 72 characters

In other words, one site says OMG NEVER, the other says "yeah, you're going to have to buy some more GPUs."
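The difference HeFixesTheCable describes, as an added example that is not from the thread or from either linked site: a crack-time meter scores charset^length, while a cracker pays only for the cheapest attack that fits the password's structure. The code scores a password both ways and also models the two patterns the thread keeps coming back to, "Word + digits + symbol" with leetspeak substitutions and the xkcd run of concatenated dictionary words. Assumed parameters, labelled in the source: a 10,000-word cracking dictionary (the tiny WORDS set only stands in for it), three capitalisation variants, 32 symbol choices and a 32-variant leetspeak rule set. The passwords in the demo are constructed.

```python
"""Naive charset^length strength versus cheapest-known-attack strength.
Added example. WORDS is a constructed stand-in; DICT_SIZE, CASE_VARIANTS,
SYMBOL_CHOICES and LEET_VARIANTS are assumed attacker parameters."""
import math
import re
import string
from typing import Optional

WORDS = {"monkey", "password", "summer", "dragon",
         "correct", "horse", "battery", "staple"}        # constructed stand-in
DICT_SIZE = 10_000        # assumed size of the real cracking dictionary
CASE_VARIANTS = 3         # lower, Capitalised, UPPER
SYMBOL_CHOICES = 32       # len(string.punctuation)
LEET_VARIANTS = 32        # assumed size of a substitution rule set
LEET = str.maketrans("01345789@$", "oieastbgas")        # 0->o, 1->i, 3->e, ...
WORD_DIGITS_SYMBOLS = re.compile(r"^([A-Za-z]+)(\d*)([^A-Za-z0-9]*)$")


def naive_bits(pw: str) -> float:
    """what a crack-time site does: detected charset size ^ length"""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)
    return len(pw) * math.log2(charset) if charset else 0.0


def word_rule_bits(pw: str) -> Optional[float]:
    """dictionary word + digits + symbols, tried raw and after undoing leetspeak"""
    costs = []
    for cand, mult in ((pw, 1), (pw.translate(LEET), LEET_VARIANTS)):
        m = WORD_DIGITS_SYMBOLS.match(cand)
        if m and m.group(1).lower() in WORDS:
            _, digits, syms = m.groups()
            costs.append(DICT_SIZE * CASE_VARIANTS * mult
                         * 10 ** len(digits) * SYMBOL_CHOICES ** len(syms))
    return math.log2(min(costs)) if costs else None


def segment(s: str, max_words: int = 6) -> Optional[list]:
    """fewest dictionary words that exactly tile s, or None"""
    if not s:
        return []
    if max_words == 0:
        return None
    best = None
    for i in range(1, len(s) + 1):
        if s[:i] in WORDS:
            rest = segment(s[i:], max_words - 1)
            if rest is not None and (best is None or len(rest) + 1 < len(best)):
                best = [s[:i]] + rest
    return best


def passphrase_bits(pw: str) -> Optional[float]:
    """concatenated lowercase dictionary words: DICT_SIZE ^ number_of_words"""
    if not (pw.isalpha() and pw.islower()):
        return None
    parts = segment(pw)
    return len(parts) * math.log2(DICT_SIZE) if parts else None


def estimate_bits(pw: str) -> float:
    """cost in bits of the cheapest attack among those modelled"""
    attacks = [naive_bits(pw), word_rule_bits(pw), passphrase_bits(pw)]
    return min(b for b in attacks if b is not None)


if __name__ == "__main__":
    for pw in ["Monkey42!", "P@ssw0rd", "correcthorsebatterystaple", "x7Qp!v2Lm"]:
        print(f"{pw:28s} naive {naive_bits(pw):6.1f} bits   attack {estimate_bits(pw):6.1f} bits")
```

Monkey42! scores about 59 bits by the charset rule and about 27 bits against a word+digits+symbol attack; the four-word xkcd phrase drops from roughly 118 "naive" bits to 53 once the attacker searches words instead of letters, which is still far better than the 27 but nowhere near what the meter claims. Only the last, structureless string keeps its naive score, because none of the cheaper attacks apply.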
 
2013-06-20 11:43:21 AM  

imfallen_angel: Just tested my WIFI password at https://howsecureismypassword.net/

Results:

It would take a desktop PC about A million years to crack your password


I think I'm good.


It would take a desktop PC about 177 quintillion years to crack your password (wow) I guess I can cut that one back
 
2013-06-20 12:07:54 PM  

HeFixesTheCable: In other words, one site says OMG NEVER, the other says "yeah, you're going to have to buy some more GPUs."


Problem is... the way that a password cracker works can differ from one to the other.  Using one that would be able to guess (or test) words upon the first letters received in an intelligent manner, would be able to crack just about any word combination.

If I had "CorrectHorseStapleBattery" for example, a very good algorithm would start with breaking the chain ********************* into multiple possible lengths of words (considering that most passwords cannot take spaces).

Now, if you take a system that allows a letter by letter echo.. like you see in movies where each character is guessed one by one, instead of simply "all or nothing" approach that I assume is more of a reality for most systems, the "cracking" is infinitely different.

So the password isn't the only factor here, the system is also.  Lock down after 5 tries? complete lockout or timer that requires 1-12-24 hours before 5 more tries?

Heck, a decent serious system could have a system that the password would also have a time factor such as one character requires to be different according to time or any other factor (temperature, weather condition, colour for background that's rotating, all of them assigned a particular character) so that the password isn't static, but yet, very easy to use.

If I wanted to design a bulletproof system, I'd be sure to incorporate such a device.

We also have the whole biometrics (fingerprints and eyeball scans), that movies have shown can be bypassed with gum or cutting someone's finger or eyeball out.

But seriously, it's a question of how far does one go for their access to be protected?

I wouldn't want someone playing in my bank accounts, of course, but how much of a target am I, or do I make myself to be.

Our PINs for bank cards are 4-5 digits... very far from secure according to these sites, but yet, that's what we use every day.
 
2013-06-20 12:08:17 PM  

HeFixesTheCable: That (and all the sites like it) is actually a really crappy and misleading place to test strength. "A desktop PC" doesn't tell you what's actually doing it. Are they saying a dual core, 3.2Ghz processor? How about a couple GPUs? Or is it a 4, 8, 12 core processor? What's the power in like? What's the latency on the hardware?


The performance difference between an entry-level desktop and a high-end one at any given time is what, one order of magnitude?  Maybe two?   Does it matter to someone if the site reports back that it will take a million years to brute-force the solution, or "only" ten thousand years?

Keep in mind also that these estimates, whether based on bits of entropy, or arbitrary hardware time required to resolve bits of entropy, are always for the most pessimal case: a solution is guaranteed within  n attempts, but if the algorithm is smart or lucky it will likely take far fewer than that.
 
2013-06-20 01:03:54 PM  

poot_rootbeer: HeFixesTheCable: That (and all the sites like it) is actually a really crappy and misleading place to test strength. "A desktop PC" doesn't tell you what's actually doing it. Are they saying a dual core, 3.2Ghz processor? How about a couple GPUs? Or is it a 4, 8, 12 core processor? What's the power in like? What's the latency on the hardware?

The performance difference between an entry-level desktop and a high-end one at any given time is what, one order of magnitude?  Maybe two?   Does it matter to someone if the site reports back that it will take a million years to brute-force the solution, or "only" ten thousand years?

Keep in mind also that these estimates, whether based on bits of entropy, or arbitrary hardware time required to resolve bits of entropy, are always for the most pessimal case: a solution is guaranteed within  n attempts, but if the algorithm is smart or lucky it will likely take far fewer than that.


You are quite correct that the order of magnitude may be as little as 2, just doing a simple example to illustrate how vague these sites are. I should also have made the point that "no one's using an off the shelf desktop PC who is doing this full-time/for a living."

I can tell you, too, that the password I typed in would take WAY less than 4 thousand years for a "smart" program. It uses a semi-common word, in a VERY familiar password format: first letter uppercase, #s and symbols after. The original site doesn't take that into account, because it's not measuring entropy. As another person noted, if you're already using "correcthorsebatterystaple," it might seem uncrackable... if you didn't speak English.

And yep, it may get lucky much sooner than that, which is true of every password. Adding entropy means that it will hopefully take longer to get lucky. All your points are valid, however.
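A worked illustration of the point made in this exchange, added here and not code from anyone in the thread: a meter that only counts character classes reports roughly 95^9 guesses for something like "Secret42!", while an attacker who tries "capitalized dictionary word + digits + symbol" searches a keyspace that is many orders of magnitude smaller, and on average finds the answer after about half of it. The dictionary size, guess rate and the sample passwords are assumptions for the example.

```python
import math
import re

# Added illustration: naive character-class keyspace versus the keyspace an
# attacker searches when the password follows "Word + digits + symbol".
# Every size below is an assumption for the example, not a figure from the thread.

GUESSES_PER_SECOND = 1e9        # assumed attacker rate; "a desktop PC" is unspecified
PUNCTUATION = 33                # printable ASCII punctuation characters
WORD_PATTERN = re.compile(r"^([A-Z][a-z]+)(\d*)([^A-Za-z0-9]*)$")


def naive_keyspace(password: str) -> int:
    """Keyspace a character-class meter assumes: (charset size) ** length."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += PUNCTUATION
    return charset ** len(password)


def pattern_keyspace(dictionary_size: int, digits: int, symbols: int) -> int:
    """Keyspace for 'Word' + digits + symbols, assuming the word is in the dictionary."""
    return dictionary_size * 10 ** digits * PUNCTUATION ** symbols


def effective_bits(password: str, dictionary_size: int = 100_000) -> float:
    """Bits of the smaller keyspace; assumes a capitalized word comes from the dictionary."""
    naive = math.log2(naive_keyspace(password))
    match = WORD_PATTERN.match(password)
    if not match:
        return naive
    _word, digits, symbols = match.groups()
    return min(naive, math.log2(pattern_keyspace(dictionary_size, len(digits), len(symbols))))


def years_to_crack(keyspace: int, worst_case: bool = True) -> float:
    """Worst case searches the whole space; the expected case is about half of it."""
    guesses = keyspace if worst_case else keyspace / 2
    return guesses / GUESSES_PER_SECOND / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("Secret42!", "x7#Qm!vL9"):   # constructed sample passwords
        print(pw, round(math.log2(naive_keyspace(pw)), 1), round(effective_bits(pw), 1))
```

For "Secret42!" the meter-style estimate is about 59 bits but the pattern estimate is about 28 bits; a random 9-character string of the same classes keeps the full 59 bits.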
 
2013-06-20 02:42:57 PM  

imfallen_angel: Just tested my WIFI password at https://howsecureismypassword.net/


imfallen_angel: Tested the password I have at work:


MightyPez: I did the same thing to my wifi password and got 312 nonillion years.


Mcaffolder: It would take a desktop PC about 177 quintillion years to crack your password (wow) I guess I can cut that one back


So y'all just went and typed your passwords into a random page on the internet to see what would happen? I hope you're not the ones complaining about "weak security" in the automated device handshakes... I believe that's what tech service reps call a DSBKF error.
 
2013-06-20 03:20:20 PM  

LoneVVolf: So y'all just went and typed your passwords into a random page on the internet to see what would happen? I hope you're not the ones complaining about "weak security" in the automated device handshakes... I believe that's what tech service reps call a DSBKF error.


Meh, the fact is that I doubt very much that someone from that particular site would be able to figure out which system, etc. that uses said passwords, as I don't think their WIFIs can reach that far.
 
2013-06-20 03:25:51 PM  

LoneVVolf: So y'all just went and typed your passwords into a random page on the internet to see what would happen? I hope you're not the ones complaining about "weak security" in the automated device handshakes... I believe that's what tech service reps call a DSBKF error.


Yes, I'm sure that web site is nefariously wringing its hands at a password I solely use for my wifi at home. And I did this from a place that wasn't on that network, so clearly these evil deeds they are doing will come back to haunt me.

It's also a shame I can't change it any time if I feel these ne'er-do-wells somehow find my small geographic location and start leeching my meager bandwidth to fuel their plot of nebulous evil.
 
2013-06-20 03:29:05 PM  

HeFixesTheCable: And yep, it may get lucky much sooner than that, which is true of every password. Adding entropy means that it will hopefully take longer to get lucky. All your points are valid, however.


So technically, if you have a routine cracker that uses a replacement parameter to test all characters one at a time:  aaaaaaaaa is pretty useless, ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ (being the last ASCII character) should be the best (using same number of characters)

LOL

/just jesting, but still funny....
 
2013-06-20 03:29:47 PM  

MightyPez: to fuel their plot of nebulous evil.


NARF!
 
2013-06-20 04:41:13 PM  

imfallen_angel: Tested the password I have at work:

It would take a desktop PC about 3 quadrillion years to crack your password

Guess I'm good there too.



In case somebody else hasn't sufficiently congratulated you.
You've just added your home and work passwords to a database that tracks your IP.
Mazal tov.
 
2013-06-20 05:01:06 PM  

demaL-demaL-yeH: imfallen_angel: Tested the password I have at work:

It would take a desktop PC about 3 quadrillion years to crack your password

Guess I'm good there too.


In case somebody else hasn't sufficiently congratulated you.
You've just added your home and work passwords to a database that tracks your IP.
Mazal tov.


It's ok, I'm being a bunch of moxies...
 
2013-06-20 05:20:50 PM  

imfallen_angel: demaL-demaL-yeH: imfallen_angel: Tested the password I have at work:

It would take a desktop PC about 3 quadrillion years to crack your password

Guess I'm good there too.


In case somebody else hasn't sufficiently congratulated you.
You've just added your home and work passwords to a database that tracks your IP.
Mazal tov.

It's ok, I'm being a bunch of moxies...


Ya, 'cause nobody would ever think of adding them to a dictionary.
 
2013-06-20 05:31:14 PM  

demaL-demaL-yeH: Ya, 'cause nobody would ever think of adding them to a dictionary.


Well, the fact that they'd need a loooooot of power to have their WIFIs reach mine, and odds are, mine doesn't broadcast that far either, and well... having other restrictions such as MAC address limitations, etc.

You'd still need to get the other passwords for the machines too. The worst they'd do is they might be able to print on the WIFI printers. Oh dear.... the world will crumble.

I'm not really much of a foil wearing nut that has a government reading everything you write online.... but it appears that you are.. so good luck with that.
 
2013-06-20 05:51:55 PM  

imfallen_angel: demaL-demaL-yeH: Ya, 'cause nobody would ever think of adding them to a dictionary.

Well, the fact that they'd need a loooooot of power to have their WIFIs reach mine, and odds are, mine doesn't broadcast that far either, and well... having other restrictions such as MAC address limitations, etc.

You'd still need to get the other passwords for the machines too. The worst they'd do is they might be able to print on the WIFI printers. Oh dear.... the world will crumble.
I'm not really much of a foil wearing nut that has a government reading everything you write online.... but it appears that you are.. so good luck with that.


Interesting. I'm fairly certain that my email is of no interest to the federal government, although some of my fark comments might be vaguely amusing. I am concerned that so much traffic is being intercepted, and even more concerned that the agencies doing the interceptions claim, for all sorts of specious excuses, that Amendment IV doesn't apply to private correspondence. The vacuum-cleaner approach has one, huge, obvious, glaring flaw: False positives are overwhelming investigative resources.

That sworn officers of the United States would excuse this approach is disgusting, but unsurprising: CYA is a rational trait of bureaucrats. That the Supreme Court keeps giving their bullshiat arguments any credence - to the point of barring suits because the plaintiff can't prove standing so they can dodge striking down clearly unconstitutional laws - is distressing. The courts grant undue deference to the executive branch. I do state as fact that FISA as originally written and implemented was more than sufficient to get the job done.

If that falls into tinfoil hat territory, so be it.
 
2013-06-20 05:57:46 PM  

demaL-demaL-yeH: imfallen_angel: demaL-demaL-yeH: Ya, 'cause nobody would ever think of adding them to a dictionary.

Well, the fact that they'd need a loooooot of power to have their WIFIs reach mine, and odds are, mine doesn't broadcast that far either, and well... having other restrictions such as MAC address limitations, etc.

You'd still need to get the other passwords for the machines too. The worst they'd do is they might be able to print on the WIFI printers. Oh dear.... the world will crumble.
I'm not really much of a foil wearing nut that has a government reading everything you write online.... but it appears that you are.. so good luck with that.

Interesting. I'm fairly certain that my email is of no interest to the federal government, although some of my fark comments might be vaguely amusing. I am concerned that so much traffic is being intercepted, and even more concerned that the agencies doing the interceptions claim, for all sorts of specious excuses, that Amendment IV doesn't apply to private correspondence. The vacuum-cleaner approach has one, huge, obvious, glaring flaw: False positives are overwhelming investigative resources.

That sworn officers of the United States would excuse this approach is disgusting, but unsurprising: CYA is a rational trait of bureaucrats. That the Supreme Court keeps giving their bullshiat arguments any credence - to the point of barring suits because the plaintiff can't prove standing so they can dodge striking down clearly unconstitutional laws - is distressing. The courts grant undue deference to the executive branch. I do state as fact that FISA as originally written and implemented was more than sufficient to get the job done.

If that falls into tinfoil hat territory, so be it.


That's like thinking that a piece of glass will stop a person from getting inside your house and doing vile things to you or your property...

People are funny that way...
 
2013-06-20 06:08:05 PM  

imfallen_angel: That's like thinking that a piece of glass will stop a person from getting inside your house and doing vile things to you or your property...

People are funny that way...


What in the blue blazes are you doing throwing out a non-sequitur like that?
 
2013-06-20 06:21:41 PM  

demaL-demaL-yeH: imfallen_angel: That's like thinking that a piece of glass will stop a person from getting inside your house and doing vile things to you or your property...

People are funny that way...

What in the blue blazes are you doing throwing out a non-sequitur like that?


Guess the point is too high for you to reach....

Just saying, regardless of how secure one would assume something to be, it's simply not, there's always a way to do it.

Security as a whole is an illusion, on the internet, even more so.

A house you can protect with a fence, barriers, etc. and can be controlled, while the internet, well, anything one does is flying on wires, going through servers, etc... the only way to secure a computer 100% is to not plug it into such a network.

But anyways, the thing is that if you're worried about the government, I'd worry more about Google tracking every move you make.
 
2013-06-20 07:06:29 PM  

imfallen_angel: demaL-demaL-yeH: imfallen_angel: That's like thinking that a piece of glass will stop a person from getting inside your house and doing vile things to you or your property...
People are funny that way...

What in the blue blazes are you doing throwing out a non-sequitur like that?

Guess the point is too high for you to reach....
Just saying, regardless of how secure one would assume something to be, it's simply not, there's always a way to do it.
Security as a whole is an illusion, on the internet, even more so.
A house you can protect with a fence, barriers, etc. and can be controlled, while the internet, well, anything one does is flying on wires, going through servers, etc... the only way to secure a computer 100% is to not plug it into such a network.
But anyways, the thing is that if you're worried about the government, I'd worry more about Google tracking every move you make.


Nice try, eh. Take a gander at what you quoted with your comment, apologize, and move on.
(Do you believe that your communications are sacrosanct? Because Jenny S. seems to have some concerns.)
 
2013-06-20 08:10:55 PM  

demaL-demaL-yeH: Nice try, eh. Take a gander at what you quoted with your comment, apologize, and move on.
(Do you believe that your communications are sacrosanct? Because Jenny S. seems to have some concerns.)


Ok, I'm so very sorry that you couldn't understand my point and have a need to have a superiority complex.

We good?
 
2013-06-20 08:49:09 PM  
imfallen_angel: So technically, if you have a routine cracker that uses a replacement parameter to test all characters one at a time: aaaaaaaaa is pretty useless, ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ (being the last ASCII character) should be the best (using same number of characters)

But brute force is the very very very last thing you try.

long, but good read
 
2013-06-20 08:51:42 PM  
^ edit. I specifically meant the untargeted brute force that you were implying.

I.e., try every character combination in sequence until you find the password.
 
2013-06-20 09:05:39 PM  

imfallen_angel: demaL-demaL-yeH: Nice try, eh. Take a gander at what you quoted with your comment, apologize, and move on.
(Do you believe that your communications are sacrosanct? Because Jenny S. seems to have some concerns.)

Ok, I'm so very sorry that you couldn't understand my point and have a need to have a superiority complex.

We good?


Project much, or do you save it up for fark, eh?
 
2013-06-20 11:53:53 PM  

demaL-demaL-yeH: imfallen_angel: demaL-demaL-yeH: Nice try, eh. Take a gander at what you quoted with your comment, apologize, and move on.
(Do you believe that your communications are sacrosanct? Because Jenny S. seems to have some concerns.)

Ok, I'm so very sorry that you couldn't understand my point and have a need to have a superiority complex.

We good?

Project much, or do you save it up for fark, eh?


Now talk about not being able to move on.. shessss...
 
Displayed 90 of 90 comments

This thread is archived, and closed to new comments.
