
(Globe and Mail) Hackers steal 11 million passwords, then find out 10.5 million of them are "password" or "12345" (theglobeandmail.com)
    More: Dumbass, Google, Twitter, Facebook, passwords  

2724 clicks; posted to Geek on 07 Dec 2013 at 5:18 PM



54 Comments
 
2013-12-07 04:59:00 PM
"Excuse me, I have to change something real quick"

[www.movieactors.com image]
 
2013-12-07 05:31:53 PM
Again? Been a tough week for those silly bastards
 
2013-12-07 05:32:38 PM
[fvi.s3.amazonaws.com image]

Isn't this a repeat?

http://www.fark.com/comments/8046470/

I'm still waiting to hear what the keylogger infection vector was
 
2013-12-07 05:35:03 PM
I'm glad FARK has that nifty filter that prevents you from accidentally posting your PW.

Look what happens when I type mine: *********
 
2013-12-07 05:37:28 PM
I like how this is supposed to be impressive despite 99% of the passwords probably being for stuff that no one cares is compromised, like trash e-mail accounts and so on.

Then, keyloggers usually require permissions that mean you have to actually approve/install untrusted software explicitly, so maybe a decent number of them are the bank accounts of terminally illiterate people.
 
2013-12-07 05:37:41 PM
How many times does he have to tell you before you get it?

[i.imgur.com image]
 
2013-12-07 05:40:08 PM

Mugato: "Excuse me, I have to change something real quick"

[www.movieactors.com image 533x356]


Came here for Spaceballs reference, leaving at.... ludicrous speed.
 
2013-12-07 05:41:00 PM
Meh, passwords smashwords.  I'm more interested in the bitcoin zombie trojans.  When you don't have to pay for power or hardware it makes mining coins seem pretty enticing.
 
2013-12-07 05:50:33 PM
I know where they hide the password.

[media.screened.com image]
 
2013-12-07 05:50:44 PM

23FPB23: I'm glad FARK has that nifty filter that prevents you from accidentally posting your PW.

Look what happens when I type mine: iLoveManbutt04


Yeah, it works great until someone quotes you....
 
2013-12-07 05:52:15 PM
Hah. Mine is password12345
 
2013-12-07 06:03:35 PM
done in one.

/Hail Scroob!
 
2013-12-07 06:18:46 PM
Even though my passwords aren't super strong, they aren't one of the "25 most common passwords", either, so I'm probably good to go. After all, the crooks are looking for easy pickings, so I'm guessing they hit each account with about 10,000 of the most common passwords, and if they don't get in they move on to the next account.

Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.

[blogs.technet.com image 624x266]
/ * - don't use that password, as it's on "the list"
//my shortest password is 8 characters, and ALL of them use all 4 types of characters
///nobody gives a shiat about you or me, they're just looking for easily cracked accounts
 
2013-12-07 06:24:16 PM

Stone Meadow: Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.


Mine's a random collection of 7 uppercase letters, lowercase letters and numbers, which, it turns out, is a pain in the ass to type on a phone, but it's been my password for 15 years.

I read that two real words that are unrelated are harder to crack than random characters. Like elephantdildo would be harder to crack than kkdb37A1. I dunno. I almost flunked number theory.
 
2013-12-07 06:31:10 PM

Uzzah: 23FPB23: I'm glad FARK has that nifty filter that prevents you from accidentally posting your PW.

Look what happens when I type mine: iLoveManbutt04

Yeah, it works great until someone quotes you....


GODAMMIT!
 
2013-12-07 06:41:32 PM
So, 95% of people who accidentally install keyloggers are those with retarded passwords.
 
2013-12-07 06:41:42 PM

ISO15693: Hah. Mine is password12345


That's a strong one. According to the table above, it would take about a hundred thousand years to crack it with a brute force attack.

Can I use it too?
 
2013-12-07 06:44:45 PM

traylor: That's a strong one. According to the table above, it would take about a hundred thousand years to crack it with a brute force attack.


Unless you have the attack start with tries like password12345.
 
2013-12-07 06:55:38 PM

Mugato: Stone Meadow: Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.

Mine's a random collection of 7 uppercase letters, lowercase letters and numbers, which, it turns out, is a pain in the ass to type on a phone, but it's been my password for 15 years.

I read that two real words that are unrelated are harder to crack than random characters. Like elephantdildo would be harder to crack than kkdb37A1. I dunno. I almost flunked number theory.


I should clarify that it takes more than a week (at 10k attempts per second) to cover the entire 4-type 8-character space. The effort might get lucky in the first second.

Ignoring that your first example has more characters than your second, you're leaving number theory and getting into human factors. Actual attempts to crack passwords don't rely on brute force at first. They try thousands of common guesses first, everything from names and dates to easy strings (123456) and other easily typed combos like "cfT68ik,", which may look random, but is an easily typed 4-type, 8-character combination (and surely on the first 10k tries, so don't use it).

Anyway, human factors is why two random words together (really, words not found together in human writing) can be tougher to crack than seemingly random strings...there isn't any "psychology" to help guess the word.
 
2013-12-07 07:01:58 PM

Stone Meadow: Even though my passwords aren't super strong, they aren't one of the "25 most common passwords", either, so I'm probably good to go. After all, the crooks are looking for easy pickings, so I'm guessing they hit each account with about 10,000 of the most common passwords, and if they don't get in they move on to the next account.

Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.

[blogs.technet.com image 624x266]


10,000 attempts per second?  Try twenty million for many home PCs.

Last week I wrote something that showed someone that their "encryption" was junk.  It generated the encrypted code for every card number in 6 seconds on a three year old cheap computer.

Most of the password cracking systems will try a common password against millions of user ids and not millions of passwords against one user id.

Like the PIN on bank cards: if you can put a virus on a large store's point-of-sale network so that it tries the PIN 1234 on every card, you can crack one in 10,000 cards, but you don't care which ones.

Never use your banking password on another computer, and don't use things like "password-fb" for Facebook, since there are tools that will try "password-eb" on eBay with the same email address if it ever is found in one of these huge dumps.

It would be interesting if Mike or Drew would say how many password scans they see.
 
2013-12-07 07:02:01 PM

ISO15693: Hah. Mine is password12345


Mine's better:
password123456
 
2013-12-07 07:07:16 PM

Stone Meadow: Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.


A lot longer than that, most web-based stuff has a throttle on how many login attempts can be made for a given account.  Even something like 10 or 15 seconds between logins pushes that up well past the point where it's more time-efficient to try to steal the passwords by other means.

Basically, brute force can't really be used to crack anything useful nowadays.  This is why, as the above post mentions, the closest to brute techniques get tends to be common password and bruted account-name instead.
 
2013-12-07 07:09:34 PM
[www.owasp.org image 717x304][washitapecrafts.com image 500x669]
 
2013-12-07 07:25:40 PM
Trustno1
 
2013-12-07 07:27:19 PM
Only 10.5?
 
2013-12-07 07:40:03 PM

Your Hind Brain: [www.owasp.org image 717x304][washiatapecrafts.com image 500x669]


System architects that decided to keep just the passwords in a hash without salting them with something (like the user name) were pretty short-sighted, eh?
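Added example, not from the thread or from any site it mentions, showing the short-sighted scheme beside a per-user salted, slow hash: in an unsalted table every account that chose the same password shares one stored value, so one guess or one precomputed lookup exposes all of them at once. The stored-record format and the sample accounts are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Added example, not from the thread: a bare fast hash of each password
# versus a per-user salted, deliberately slow hash.


def unsalted_hash(password: str) -> str:
    """The short-sighted scheme: one fast hash, identical for identical passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'pbkdf2_sha256$rounds$salt_hex$hash_hex' (a format assumed here)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    _algo, rounds, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), hash_hex)


def shared_hash_groups(table: Dict[str, str]) -> List[List[str]]:
    """Group usernames whose stored values are identical. In an unsalted table
    everyone who picked the same password lands in one group; with per-user
    salts the groups disappear, so a leak of the table reveals no such links."""
    by_hash: Dict[str, List[str]] = {}
    for user, stored in table.items():
        by_hash.setdefault(stored, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Constructed sample accounts: two of them chose "password".
SAMPLE_USERS = {"alice": "password", "bob": "password",
                "carol": "12345", "dave": "hunter2"}


def build_tables():
    """Return (unsalted_table, salted_table) for the constructed accounts."""
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_hash(p) for u, p in SAMPLE_USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted collisions:", shared_hash_groups(unsalted))  # [['alice', 'bob']]
    print("salted collisions:  ", shared_hash_groups(salted))    # []
    print(verify_salted("password", salted["alice"]))             # True
```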
 
2013-12-07 07:42:23 PM
DON.MAC and Jim_Callahan, your points are well taken. I was just giving a quick primer on the numerical difficulty involved...not the practicalities.
 
2013-12-07 07:51:43 PM
Who even uses the term "hacker" anymore? I've been in software engineering for more than a decade and I don't know anyone who is self-identified as a "hacker".
 
2013-12-07 08:03:52 PM

Vlad_the_Inaner: Your Hind Brain: [www.owasp.org image 717x304][washiatapecrafts.com image 500x669]

System architects that decided to keep just the passwords in a hash without salting them with something (like the user name) were pretty short-sighted, eh?


Always.

[trialx.com image]
 
2013-12-07 08:07:09 PM
Sorry, I meant this:

[www.algemeiner.com image]
 
2013-12-07 08:18:38 PM
Stone Meadow: Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.

10k guesses per second?

Stone Meadow: I should clarify that it takes more than a week (at 10k attempts per second)

There are people running hashcat doing 450k attempts per second against truecrypt.

10k per second is laughably slow in today's computing power.
 
2013-12-07 08:27:14 PM
who cares?

the NSA reads everything anyway
your password is moot.

/moot
 
2013-12-07 08:30:10 PM

lordargent: Stone Meadow: Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.

10k guesses per second?

Stone Meadow: I should clarify that it takes more than a week (at 10k attempts per second)

There are people running hashcat doing 450k attempts per second against truecrypt.

10k per second is laughably slow in today's computing power.


Relax...that was the graphic I could find with a quickie GIS. The point remains that a bit of complexity and added length make one's password a lot less vulnerable than those who can't be bothered. Think of it as the old adage about being chased by the bear: I don't have to outrun the bear...I just have to outrun you. ;^)
 
2013-12-07 08:40:42 PM
iWent2tHaton3weBsit#!anDsAwUrWoTh3RNek!d
 
2013-12-07 09:29:13 PM
[www.movieactors.com image]
 
2013-12-07 09:31:26 PM
Correcthorsebatterypassword12345
 
2013-12-07 09:33:42 PM

fang06554: So, 95% of people who accidentally install keyloggers are those with retarded passwords.


The same dumbos that click on dodgy web ads are the same dumbos that choose stupid passwords.
 
2013-12-07 09:53:32 PM

kg2095: fang06554: So, 95% of people who accidentally install keyloggers are those with retarded passwords.

The same dumbos that click on dodgy web ads are the same dumbos that choose stupid passwords.



1.  One doesn't have to click an ad to be owned by it.  If an ad isn't vetted properly and contains a little script of nastiness, your browser will digest it after loading the page.  Once again, your browser simply downloading and displaying the ad can and will get you owned.  This was happening with YouTube's ad rotator this year, to give you an idea of the types of dodgy websites the "dumbos" of the world can get pwned by.

2.  Regarding permissions, which someone else referred to - Before we start blindly referring to these people as idiots who indiscriminately install software, let's remember how exploitation works.  Malware doesn't ask a vulnerable system to install software, in many cases it just does it - silently.  Last I checked we don't know the vector by which this was installed, but your culprits will be either spam, drive by exploit kit, or a heavy dose of both.  Obviously the former is much easier to avoid and people get less sympathy for opening the "resume.exe" type email attachments; however commodity exploit kits are all over, they're stealthy, and have become quite sophisticated.

My two cents - Malware no longer hides in the obvious deep dark corners of the internet, and the commodity stuff can be incredibly clever.  The picture really is quite bleak.
 
2013-12-07 10:12:12 PM
Correct horse battery staple
 
2013-12-07 11:29:36 PM

macross87: Correct horse battery staple


that took too long
 
2013-12-07 11:30:17 PM

Stone Meadow: DON.MAC and Jim_Callahan, your points are well taken. I was just giving a quick primer on the numerical difficulty involved...not the practicalities.


The numerical difficulty isn't important, only the practicality. Password crackers have gotten so good that only long, random strings are safe for now. Phrases that would take trillions of trillions of years to brute force have been cracked because they have been found in literature. Even simple phrases translated from English to Russian have been cracked.
 
2013-12-07 11:37:20 PM
Shut up I hack you?
 
2013-12-08 12:03:41 AM

neuroflare: macross87: Correct horse battery staple

that took too long


Well, it is orders of magnitude more time-consuming.
 
2013-12-08 12:43:48 AM
Stone Meadow: Relax...that was the graphic I could find with a quickie GIS. The point remains that a bit of complexity and added length make one's password a lot less vulnerable than those who can't be bothered.

Against brute forcing, yes, but brute forcing is the absolute last tool in a cracker's toolbox; password cracking algorithms are far more advanced today.

The password you provided (Mom4!) contains a dictionary word, so it would fall to a hybrid dictionary attack fairly quickly (take common words from the dictionary and run them through mutators to generate common variations, i.e. people replace e with 3, i with 1, etc.).

And every breach that reveals passwords allows the black hats to tune those algorithms even more (because those passwords represent passwords that were actually used in the wild).
 
2013-12-08 01:52:06 AM
[i162.photobucket.com image]

This is obligatory.

/ Didn't RTFA.
 
2013-12-08 06:05:54 AM

lordargent: The password you provided (Mom4!) contains a dictionary word, so it would fall to a hybrid dictionary attack fairly quickly (take common words from the dictionary and run them through mutators to generate common variations, i.e. people replace e with 3, i with 1, etc.).


Not only that, but it's a standard construction that you see when a password policy is in place: dictionary word, first letter capitalised, appended with number and special. I have JtR rules that specifically handle that form as well as the usual substitutions, which means things like P@$$w0rd123! fall in seconds. The more specific the password policy, the tighter I can build the attack mask.
 
2013-12-08 06:28:24 AM
hebrewhilterhomeboy72 is unhackable!
 
2013-12-08 10:56:52 AM
mine is 12345ICaughtAHareAlive678910ILetHimGoAgain.
 
2013-12-08 11:03:49 AM

Kerr Avon: lordargent: The password you provided (Mom4!) contains a dictionary word, so it would fall to a hybrid dictionary attack fairly quickly (take common words from the dictionary and run them through mutators to generate common variations, i.e. people replace e with 3, i with 1, etc.).

Not only that, but it's a standard construction that you see when a password policy is in place: dictionary word, first letter capitalised, appended with number and special. I have JtR rules that specifically handle that form as well as the usual substitutions, which means things like P@$$w0rd123! fall in seconds. The more specific the password policy, the tighter I can build the attack mask.


Exactly.
 
2013-12-08 03:30:16 PM
Kerr Avon: The more specific the password policy, the tighter I can build the attack mask.

And 'correct horse battery staple' isn't secure these days either.

Take the 1,000 most commonly occurring words in a language.

Run for 4 words in sequence.

1,000 * 1,000 * 1,000 * 1,000 = 1,000,000,000,000 combos

/ 20,000,000 checks per second => 50,000 seconds (833 minutes or ~14 hours).

// though interestingly enough, "correct" and "horse" are on this list (pdf) of the top 1000 most common words, but "battery" and "staple" are nowhere to be found. Which makes me wonder how old the list is because since the advent of cell phones and the like I would think at least "battery" would break the top 1000 these days.

Anyway, my theory still stands: a random sequence of common words isn't super secure.

Now if you start doing substitutions into those words, the security goes way up BUT, that defeats the whole purpose of correcthorsebatterystaple (which was to make a secure, but easy to memorize, password. Start throwing letter substitutions and numbers in there and all you have is a really long password using the traditional methods).

// me, I do keyboard patterns, it's not in the dictionary, it's easy to add letters and punctuation, it's easy to remember, and as an added bonus, I don't know the actual password (so you can't get it via a psychic probe ... err, I've revealed too much).
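Added example, not from the thread, that puts numbers on the 1,000-word passphrase calculation above and on the earlier "Mom4!" policy-shaped construction, generalised to any list size, word count, guess rate and slot pattern. The 7,776-word list size, the 10,000-word dictionary and the 32-symbol count are assumptions made for the example.

```python
import math

# Added example, not from the thread: counting the search cost of the
# constructions discussed above for any list size, word count, guess rate
# and policy-shaped pattern.


def keyspace(choices_per_position: int, positions: int) -> int:
    """Candidates when each position is drawn independently from one set."""
    return choices_per_position ** positions


def pattern_candidates(slot_sizes) -> int:
    """Candidates for a policy-shaped construction (dictionary word, optional
    capital, a digit, a symbol...): the product of the choices in each slot."""
    total = 1
    for n in slot_sizes:
        total *= n
    return total


def entropy_bits(candidates: int) -> float:
    """Bits of entropy if the choice is uniformly random over the candidates."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst case at a given offline guess rate; a random pick falls at
    half this on average."""
    return candidates / guesses_per_second


def report(label: str, candidates: int, rate: float) -> str:
    secs = seconds_to_exhaust(candidates, rate)
    return "%s: %.1f bits, %.3g s to exhaust (%.2f days)" % (
        label, entropy_bits(candidates), secs, secs / 86400)


if __name__ == "__main__":
    # The thread's figures: 1,000 common words, 4 in sequence, 20M guesses/s.
    print(report("1000-word list x4", keyspace(1000, 4), 20e6))
    # A 7,776-word list (assumed Diceware-style size) at the same rate.
    print(report("7776-word list x4", keyspace(7776, 4), 20e6))
    # Same passphrase, but a slow password hash cuts the rate to ~10k/s.
    print(report("7776-word list x4 @ 10k/s", keyspace(7776, 4), 1e4))
    # The "Mom4!" shape: a word from an assumed 10,000-word list, capitalised
    # or not, one digit, one of 32 symbols: the whole hybrid-attack space.
    print(report("word+Cap+digit+symbol",
                 pattern_candidates([10000, 2, 10, 32]), 20e6))
```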
 
Displayed 50 of 54 comments
