
(CNN) Hackers protect themselves from bugs like Heartbleed by making their passwords as extreme as Rob Liefeld drawing pouches on a gun from inside a pouch (money.cnn.com)
    More: Interesting, Rob Liefeld, Heartbleed, strong password, security researchers, consumer protection, bugs, rogue security software  

4162 clicks; posted to Geek on 22 Apr 2014 at 9:41 AM



61 Comments
 
2014-04-22 09:33:42 AM
Well duh, as an elite hacker myself, I learned to use p@$$\/\/0#D a long time ago.
 
2014-04-22 09:47:09 AM
Funny, because my password is R0b lIEf4Ld.
 
2014-04-22 10:08:48 AM
That headline is more Dennis Miller than Trotski's ration card.
 
2014-04-22 10:11:19 AM
webegeekspc.com
 
2014-04-22 10:11:41 AM
If all you use a computer for is browsing the web from a single machine, that's probably fine, Mr. Mom's Basement "Hacker".  Try visiting 20 users a day and having to type in your administrative password with them looking over your shoulder on their machine.  As you hunt-and-peck your 50 cryptic characters, you'll realize what an idiot you are as they write it down on a piece of paper.  If you can't remember it and touch-type it quickly and change it every two months, it's too complex.
 
2014-04-22 10:17:02 AM
Apple's iPhone 5s and Samsung Galaxy S5 include a fingerprint scanner. Other companies are also building out biometric technology.

Which is great, except biometric security is only as secure as the physical biometric reader because if the attacker is able to access the physical device they are able to record the biometric signature and then replay it at will.

And if there's one thing people NEVER do with their mobile devices, it's lose them or leave them unattended. And, of course, when somebody steals your password, you change it. When somebody steals your fingerprint? Have fun changing that.

upload.wikimedia.org
 
2014-04-22 10:24:29 AM

syrynxx: If all you use a computer for is browsing the web from a single machine, that's probably fine, Mr. Mom's Basement "Hacker".  Try visiting 20 users a day and having to type in your administrative password with them looking over your shoulder on their machine.  As you hunt-and-peck your 50 cryptic characters, you'll realize what an idiot you are as they write it down on a piece of paper.  If you can't remember it and touch-type it quickly and change it every two months, it's too complex.


That's why I just use easy to type sentences with numb3rs and what not.  If the password can't be typed fast, it's either not that good of a password or the person typing needs a few more typing lessons.  I don't see why people have such a hard time with passwords.  "My d0g is a Blu3 H3el3r."  Takes minimal time, is typed fast, easy to remember, and contains lowercase, uppercase, numbers, spaces, and punctuation marks.  You're welcome.

/OK, there's only one punctuation mark
//But that's a better password than most people use
///That's nothing compared to my WiFi password
 
2014-04-22 10:25:54 AM
I just hate non-tech "articles" about very technical issues.  What a word salad article - the topics covered have little to nothing to do with each other.  Long passwords, encrypted password databases, a password for each site... it's like worrying about which shade of white the ceiling was painted at a murder scene.  Not high on anyone's list.  The APT style attacks enabled by leaking private keys from web servers just boggles the mind - and there is darn little an admin can do about it.
 
2014-04-22 10:34:51 AM
I have maybe a half dozen passwords. Some are unique to websites/accounts that are important, others are "common" because if they get hacked it's only an inconvenience. Any time two-factor is available, I use it.

Each password is a fairly nonsensical phrase of around 25-30 characters containing numbers, letters and punctuation. To create them I basically mangled some quotes from books or old movies that I like.

"Here's looking at you kid." --> "B33r'sbrewedbydrunkDrewsk|d!!"

/not one of my passwords
//my Fark password is not secure by any measure
 
2014-04-22 10:37:09 AM

skeevy420: syrynxx: If all you use a computer for is browsing the web from a single machine, that's probably fine, Mr. Mom's Basement "Hacker".  Try visiting 20 users a day and having to type in your administrative password with them looking over your shoulder on their machine.  As you hunt-and-peck your 50 cryptic characters, you'll realize what an idiot you are as they write it down on a piece of paper.  If you can't remember it and touch-type it quickly and change it every two months, it's too complex.

That's why I just use easy to type sentences with numb3rs and what not.  If the password can't be typed fast, it's either not that good of a password or the person typing needs a few more typing lessons.  I don't see why people have such a hard time with passwords.  "My d0g is a Blu3 H3el3r."  Takes minimal time, is typed fast, easy to remember, and contains lowercase, uppercase, numbers, spaces, and punctuation marks.  You're welcome.

/OK, there's only one punctuation mark
//But that's a better password than most people use
///That's nothing compared to my WiFi password


Once you put that many spaces in, you've increased complexity enough to drop the leetspeak.

"Floyd's Dad ate 300 bagels this year!!" is a very complex passphrase and easy to remember.

Or we could all just use keepass.
 
2014-04-22 10:42:58 AM

Joe USer: skeevy420: syrynxx: If all you use a computer for is browsing the web from a single machine, that's probably fine, Mr. Mom's Basement "Hacker".  Try visiting 20 users a day and having to type in your administrative password with them looking over your shoulder on their machine.  As you hunt-and-peck your 50 cryptic characters, you'll realize what an idiot you are as they write it down on a piece of paper.  If you can't remember it and touch-type it quickly and change it every two months, it's too complex.

That's why I just use easy to type sentences with numb3rs and what not.  If the password can't be typed fast, it's either not that good of a password or the person typing needs a few more typing lessons.  I don't see why people have such a hard time with passwords.  "My d0g is a Blu3 H3el3r."  Takes minimal time, is typed fast, easy to remember, and contains lowercase, uppercase, numbers, spaces, and punctuation marks.  You're welcome.

/OK, there's only one punctuation mark
//But that's a better password than most people use
///That's nothing compared to my WiFi password

Once you put that many spaces in, you've increased complexity enough to drop the leetspeak.

"Floyd's Dad ate 300 bagels this year!!" is a very complex passphrase and easy to remember.

Or we could all just use keepass.


True, but e and 3 and o and 0 are easy to interchange since they use the same finger and are only a key up from the other character, but you would want a decent password like that for something like KeePass.
 
2014-04-22 11:05:50 AM
Er... what, exactly, is a strong password supposed to do against a vuln like Heartbleed?  It's not like we're talking about another, "Oops, wankrz.com let their hashtable get stolen!" hack, here.
 
2014-04-22 11:16:51 AM
I was way ahead of Heartbleed.  I simply always use passwords that are longer than 64KB.

Makes them a bugger to type in, but I'm safe. :-)
 
2014-04-22 11:18:39 AM

skozlaw: Apple's iPhone 5s and Samsung Galaxy S5 include a fingerprint scanner. Other companies are also building out biometric technology.

Which is great, except biometric security is only as secure as the physical biometric reader because if the attacker is able to access the physical device they are able to record the biometric signature and then replay it at will.

And if there's one thing people NEVER do with their mobile devices, it's lose them or leave them unattended. And, of course, when somebody steals your password, you change it. When somebody steals your fingerprint? Have fun changing that.

[upload.wikimedia.org image 850x673]


I never get how people think biometrics is a substitute for a solid password.  It's like having a password you can never change, and you leave parts of it all over the place daily.  And once it's out, that's it.  Done.  For the rest of your life.
 
2014-04-22 11:19:51 AM

Pinko_Commie: I was way ahead of Heartbleed.  I simply always use passwords that are longer than 64KB.

Makes them a bugger to type in, but I'm safe. :-)



I've developed a password system based on animated GIFs.
 
2014-04-22 11:24:51 AM

Khellendros: I never get how people think biometrics is a substitute for a solid password.


...but the CNN staff writer told me it was a solution!
 
2014-04-22 11:25:12 AM

Iblis824: Pinko_Commie: I was way ahead of Heartbleed.  I simply always use passwords that are longer than 64KB.

Makes them a bugger to type in, but I'm safe. :-)


I've developed a password system based on animated GIFs.


Mine is LOLCats.
 
2014-04-22 11:27:26 AM

China White Tea: Khellendros: I never get how people think biometrics is a substitute for a solid password.

...but the CNN staff writer told me it was a solution!


Also, I like how she called it a solution and, in the very next sentence, cited Apple and Samsung's phone fingerprint scanners... both of which have been subjects of ridicule for being trivially defeated.
 
2014-04-22 11:42:37 AM
I love the headline.
 
2014-04-22 12:08:31 PM
Correct horse battery stapler
 
2014-04-22 12:13:41 PM

skeevy420: True, but e and 3 and o and 0 are easy to interchange since they use the same finger and are only a key up from the other character, but you would want a decent password like that for something like KeePass.


For some reason I can never get to the numbers above without looking.  I can easily take my right hand and use the keypad without looking but those damn numbers up top always throw me.
 
2014-04-22 12:19:56 PM

The Beatings Will Continue Until Morale Improves: Correct horse battery stapler


Obligatory XKCD present. Leaving satisfied.
 
2014-04-22 12:26:15 PM

Pinko_Commie: I was way ahead of Heartbleed.  I simply always use passwords that are longer than 64KB.

Makes them a bugger to type in, but I'm safe. :-)


Isn't a main issue with heartbleed that it spams the command thereby generating pages of passwords and info? It would only break the long password up into two or three pieces, like a 160+ character text, right?

As for using similar looking numbers in replacement of letters, I would assume an actual algorithm would ALWAYS attempt the substitute second after a letter failed.

I would think you'd be better off with "corr7ect hor8se ba9ttery s0tapler"
 
2014-04-22 12:31:41 PM

Khellendros: skozlaw: Apple's iPhone 5s and Samsung Galaxy S5 include a fingerprint scanner. Other companies are also building out biometric technology.

Which is great, except biometric security is only as secure as the physical biometric reader because if the attacker is able to access the physical device they are able to record the biometric signature and then replay it at will.

And if there's one thing people NEVER do with their mobile devices, it's lose them or leave them unattended. And, of course, when somebody steals your password, you change it. When somebody steals your fingerprint? Have fun changing that.

[upload.wikimedia.org image 850x673]

I never get how people think biometrics is a substitute for a solid password.

Obviously you've never used your voice as your password.

 
2014-04-22 12:33:31 PM
Obviously I don't know how to correctly quote either.
 
2014-04-22 12:39:01 PM
hunter2
 
2014-04-22 12:46:39 PM
why not just move your fingers off home row when you type your password.  like up or down one spot, leaving the spaces as..well..spaces.

"sheep is awesome"
is
"wy330 8w q23w9j3"
 
2014-04-22 12:52:37 PM

The Beatings Will Continue Until Morale Improves: Correct horse battery stapler


Diceware pass phrases would be great if enough places actually allowed for them.  A lot of the places I've tried they don't allow spaces in passwords, or they demand special characters, or they truncate a password at some arbitrary and undisclosed length.  The least common denominator of passwords has expanded from an 8 character word to a 10-15 character word, but that's as far as it's gotten.
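
Putting numbers on the passphrase arguments in this thread (the XKCD phrase, Diceware, the "Floyd's Dad" sentence, the leetspeak and the type-one-row-up trick). This is an added example, not code from the CNN piece or from any poster. The 7776-word Diceware list size is real; the tiny wordlist, the leet substitution map (a typical cracker mangling rule) and the QWERTY row layout are assumptions for the demonstration.

```python
import math
import secrets
from typing import List

DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words on a standard five-dice Diceware list

# Constructed toy wordlist so the generator runs offline; a real list has 7776 entries.
TOY_WORDS = ["correct", "horse", "battery", "staple", "floyd", "bagel", "sheep", "awesome"]

# Assumed leet rule: each of these letters may or may not be swapped for its digit.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Assumed US QWERTY rows, used for the "move your fingers up a row" trick.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]


def passphrase_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy in bits of `words` words drawn uniformly at random from a list."""
    return words * math.log2(list_size)


def random_string_bits(length: int, alphabet: int) -> float:
    """Entropy in bits of `length` characters drawn uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def generate_passphrase(words: int, wordlist: List[str] = TOY_WORDS) -> str:
    """Draw words with a CSPRNG. Entropy is log2(len(wordlist)) per word, no more:
    with the 8-word toy list that is only 3 bits per word."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def leet_variants(phrase: str) -> int:
    """How many strings a cracker's 'optionally leet each letter' rule expands one
    phrase into: two choices for every substitutable letter."""
    substitutable = sum(1 for c in phrase.lower() if c in LEET)
    return 2 ** substitutable


def leet_bits(phrase: str) -> float:
    """Extra work, in bits, that leetspeak adds on top of guessing the base phrase."""
    return math.log2(leet_variants(phrase))


def shift_rows(text: str, up: bool = True) -> str:
    """The 'type it one row up' trick: a fixed permutation of the keyboard.
    Because it is deterministic, an attacker applies the same rule once and the
    search space is unchanged. Characters not on the four rows pass through."""
    out = []
    for c in text:
        for r, row in enumerate(QWERTY_ROWS):
            if c in row:
                target = QWERTY_ROWS[r - 1] if up else QWERTY_ROWS[(r + 1) % 4]
                out.append(target[row.index(c)])
                break
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    print("4 Diceware words:      %.1f bits" % passphrase_bits(4))
    print("8 random [A-Za-z0-9]:  %.1f bits" % random_string_bits(8, 62))
    print("leet on the XKCD phrase adds %.0f bits" % leet_bits("correct horse battery staple"))
    print("row shift:", shift_rows("sheep is awesome"), "adds 0 bits")
    print("toy passphrase:", generate_passphrase(4))
```

The formulas only hold for words picked at random from the list. A sentence you compose yourself is drawn from a far smaller, more predictable space than its length suggests, which is what the later remark about cracked phrases is getting at. Leet substitution on a four-word phrase adds about 14 bits against a rule-based cracker, and the row shift reproduces the "wy330 8w q23w9j3" example exactly, which is the point: it adds nothing once the rule is known.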
 
2014-04-22 12:52:51 PM

You Are All Sheep: why not just move your fingers off home row when you type your password.  like up or down one spot, leaving the spaces as..well..spaces.

"sheep is awesome"
is
"wy330 8w q23w9j3"


Because there are a LOT of systems and libraries used for passwords which will dump everything after a space or after a pre-set maximum password length.  So your password in this example is actually: wy330  but because it WILL hash whatever you type when you try to login... you'll never enter the correct password.
 
2014-04-22 12:53:36 PM

Joe USer: Or we could all just use keepass.


This ^

I don't even know my passwords now. And I don't worry about keyloggers. The password database is protected by password and a file and I simply copy/paste my passwords.
 
2014-04-22 01:01:44 PM
I don't get it.

Heartbleed could potentially reveal your passwords and other sensitive information due to a bug in SSL that affects the server that you are contacting.

So, it doesn't matter which password you use, whether in a password generator/key vault type thing, or just 12345 - the breach would reveal that information equally in a leak.  The server would be compromised regardless of your personal computer's security.

Of course - using randomly generated passwords at least limits the damage to the single website, but still, its not YOUR security you should be worried about, but rather your security and the services you use as well.
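
For the question running through this thread of what Heartbleed actually leaks and why the victim's password choice does not enter into it: an added, simplified model of the bug, not OpenSSL's code and not from the article. The record layout (one type byte, a 16-bit payload_length, the payload, 16 bytes of padding) follows the TLS heartbeat extension; the "neighbouring heap" bytes are constructed sample data and the hunter2 in them is a nod to the post above.

```python
import struct
from typing import Optional

# Field sizes from the TLS heartbeat extension (RFC 6520).
HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 1 + 2      # type byte + 16-bit payload_length
PADDING_LEN = 16


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. A malicious peer sets claimed_len far larger
    than len(payload); that lie is the entire attack."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def handle_vulnerable(memory: bytearray, rec_off: int, rec_len: int) -> bytes:
    """Pre-fix behaviour: trust payload_length and copy that many bytes from
    where the payload starts, no matter how long the record really is."""
    hbtype, claimed = struct.unpack_from("!BH", memory, rec_off)
    if hbtype != HB_REQUEST:
        return b""
    start = rec_off + HEADER_LEN
    echoed = bytes(memory[start:start + claimed])   # runs past rec_len into neighbours
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING_LEN


def handle_fixed(memory: bytearray, rec_off: int, rec_len: int) -> Optional[bytes]:
    """Post-fix behaviour: check the claimed length against the record length
    before touching memory; silently discard anything that does not fit."""
    if rec_len < HEADER_LEN + PADDING_LEN:            # too short to even carry a length
        return None
    hbtype, claimed = struct.unpack_from("!BH", memory, rec_off)
    if hbtype != HB_REQUEST:
        return None
    if HEADER_LEN + claimed + PADDING_LEN > rec_len:  # the bounds check the patch added
        return None
    start = rec_off + HEADER_LEN
    echoed = bytes(memory[start:start + claimed])
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING_LEN


# Constructed stand-in for whatever sits after the record in the server's heap:
# other connections' buffers, cookies, key material. Not real data.
NEIGHBOURS = (b"Cookie: session=9f3a2c1e; "
              b"password=hunter2; "
              b"-----BEGIN RSA PRIVATE KEY-----")


def simulate(claimed_len: Optional[int], handler) -> Optional[bytes]:
    """Place one heartbeat record in a fake heap next to NEIGHBOURS and run it
    through `handler`. Returns the bytes the server would send back."""
    record = build_heartbeat(b"ping", claimed_len)
    memory = bytearray(record + NEIGHBOURS)
    return handler(memory, 0, len(record))


if __name__ == "__main__":
    leaked = simulate(0xFFFF, handle_vulnerable)
    print("vulnerable server echoed", len(leaked), "bytes, including", leaked[3:60])
    print("fixed server, same request:", simulate(0xFFFF, handle_fixed))
    print("fixed server, honest request:", simulate(None, handle_fixed))
```

Two things the model makes concrete. The length field is 16 bits, so one request returns at most 64 KiB of whatever happens to be adjacent; the attacker simply repeats the request to sample more of the process over time. And nothing about the client's credentials appears in the handler at all: the server hands back its own memory, so a 50-character password and "12345" are leaked with exactly the same ease if either is sitting in a buffer.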
 
2014-04-22 01:18:59 PM

vonmatrices: I don't get it.

Heartbleed could potentially reveal your passwords and other sensitive information due to a bug in SSL that affects the server that you are contacting.

So, it doesn't matter which password you use, whether in a password generator/key vault type thing, or just 12345 - the breach would reveal that information equally in a leak.  The server would be compromised regardless of your personal computer's security.

Of course - using randomly generated passwords at least limits the damage to the single website, but still, its not YOUR security you should be worried about, but rather your security and the services you use as well.


It's not news. It's CNN.

Next on CNN Investigates: Is oxygen racist?
 
2014-04-22 01:22:02 PM

vonmatrices: I don't get it.

Heartbleed could potentially reveal your passwords and other sensitive information due to a bug in SSL that affects the server that you are contacting.

So, it doesn't matter which password you use, whether in a password generator/key vault type thing, or just 12345 - the breach would reveal that information equally in a leak.  The server would be compromised regardless of your personal computer's security.

Of course - using randomly generated passwords at least limits the damage to the single website, but still, its not YOUR security you should be worried about, but rather your security and the services you use as well.


I get the impression that the person CNN was talking to was actually referring to multi-factor authentication as the trick to being secured against password exposure and a combination of CNN's poor reporting skills and subby's poor reading skills wound up turning it into the first half of the headline we have here. After all, even if someone exposed your entire password to threeleggedgoatmilfs.com, if the site required your password AND a pseudo-random token your account would still be safe.
But, then, who knows. It's CNN. They could have been talking to a line cook they picked randomly off the street and he was just farking with them. They're not the brightest news organization on the planet.
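
The "password AND a pseudo-random token" point in the post above, as an added example; it is not from the thread or the article, and the thread never names a token scheme, so time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP) are assumed here. The account store, the PBKDF2 stand-in for the site's password hashing, and the timestamps are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

STEP = 30   # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side for clock skew.
    Every candidate is checked so timing does not reveal which one matched."""
    ok = False
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * STEP), code):
            ok = True
    return ok


def _kdf(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256 stands in for the site's real password hash;
    # the iteration count is kept low only so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 1_000)


class Accounts:
    """Toy account store: salted password hash plus a per-user TOTP seed."""

    def __init__(self) -> None:
        self._db: Dict[str, Tuple[bytes, bytes, bytes]] = {}

    def enrol(self, user: str, password: str, seed: Optional[bytes] = None) -> bytes:
        """Register the user; the returned seed is what a QR code would carry."""
        seed = seed or os.urandom(20)          # 160-bit seed, as RFC 4226 recommends
        salt = os.urandom(16)
        self._db[user] = (salt, _kdf(password, salt), seed)
        return seed

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        """Both factors are evaluated before the result is combined, so a
        leaked password alone gets the same 'no' as a wrong one."""
        if user not in self._db:
            return False
        salt, digest, seed = self._db[user]
        pw_ok = hmac.compare_digest(_kdf(password, salt), digest)
        code_ok = verify_totp(seed, code, now)
        return pw_ok and code_ok


if __name__ == "__main__":
    acc = Accounts()
    seed = acc.enrol("bob", "Floyd's Dad ate 300 bagels this year!!")
    now = 1_398_177_660
    print("user with phone:", acc.login("bob", "Floyd's Dad ate 300 bagels this year!!", totp(seed, now), now))
    print("attacker with leaked password only:", acc.login("bob", "Floyd's Dad ate 300 bagels this year!!", "000000", now))
```

The secret `12345678901234567890` used in the test is the RFC 4226/6238 reference key, which is why the expected codes are known in advance. A production verifier also records the last counter it accepted for each user so a code sniffed in transit cannot be replayed inside the skew window.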
 
2014-04-22 01:25:50 PM

skozlaw: vonmatrices: I don't get it.

Heartbleed could potentially reveal your passwords and other sensitive information due to a bug in SSL that affects the server that you are contacting.

So, it doesn't matter which password you use, whether in a password generator/key vault type thing, or just 12345 - the breach would reveal that information equally in a leak.  The server would be compromised regardless of your personal computer's security.

Of course - using randomly generated passwords at least limits the damage to the single website, but still, its not YOUR security you should be worried about, but rather your security and the services you use as well.

I get the impression that the person CNN was talking to was actually referring to multi-factor authentication as the trick to being secured against password exposure and a combination of CNN's poor reporting skills and subby's poor reading skills wound up turning it into the first half of the headline we have here. After all, even if someone exposed your entire password to threeleggedgoatmilfs.com, if the site required your password AND a pseudo-random token your account would still be safe.
But, then, who knows. It's CNN. They could have been talking to a line cook they picked randomly off the street and he was just farking with them. They're not the brightest news organization on the planet.


If your password was on Flight 370 it would be safe and CNN would remind you hourly of that fact ;)
 
2014-04-22 01:27:04 PM

give me doughnuts: [webegeekspc.com image 600x607]


that is better than a Rob painting: not enough obscuring hash marks on the face, the anatomy still seems too good, it looks like the guy is actually holding the guns and not like they were just drawn in later and bent and facing the wrong direction.

he was the biggest farking comic artist in the 90's... what a low bar must have existed in comics prior to that
 
2014-04-22 01:35:03 PM
Not only is heartbleed a problem, password crackers are also cracking phrases, too. No phrase from xkcd is safe. Phrases from many books are cracked, as well. It is a scary time to rely on passwords.
 
2014-04-22 01:56:29 PM
I have to loop the code thru a retired ex-Navy cyber-enhanced Dolphin in realtime, so I can unlock my password.
 
2014-04-22 01:58:00 PM
1. Change your password to somethin2 like: qsz%@0253ZCc)*
2. Web site password "complexity checker" give it a thumbs up.
3. Click on the "submit" button
4. Web site says "Illegal Character in password -- only alphanumeric is permitted."
5. W.T.F.
 
2014-04-22 02:08:51 PM

Vaneshi: You Are All Sheep: why not just move your fingers off home row when you type your password.  like up or down one spot, leaving the spaces as..well..spaces.

"sheep is awesome"
is
"wy330 8w q23w9j3"

Because there are a LOT of systems and libraries used for passwords which will dump everything after a space or after a pre-set maximum password length.  So your password in this example is actually: wy330  but because it WILL hash whatever you type when you try to login... you'll never enter the correct password.


Name some sites that have this problem. You're telling me that it's not uncommon for a site to store the hash of the full password, but compare it against the hash of the truncated version? Come on.
 
2014-04-22 02:26:25 PM
I'm disappointed that this thread went the direction of talking about passwords, and not mocking Rob Liefeld.
 
2014-04-22 02:36:43 PM

Marcellinus: Obviously you've never used your voice as your password.


Verify me.
 
2014-04-22 02:48:01 PM

give me doughnuts: [webegeekspc.com image 600x607]


feet are too small
 
2014-04-22 02:49:41 PM

SkittlesAreYum: Vaneshi: You Are All Sheep: why not just move your fingers off home row when you type your password.  like up or down one spot, leaving the spaces as..well..spaces.

"sheep is awesome"
is
"wy330 8w q23w9j3"

Because there are a LOT of systems and libraries used for passwords which will dump everything after a space or after a pre-set maximum password length.  So your password in this example is actually: wy330  but because it WILL hash whatever you type when you try to login... you'll never enter the correct password.

Name some sites that have this problem. You're telling me that it's not uncommon for a site to store the hash of the full password, but compare it against the hash of the truncated version? Come on.


I've had a few where I entered a 15 character password and I knew I had it right but it was rejected, until I tried dropping 1, then 2, then 3 characters off the end.  Of course, nothing in their password creation page gave any clue about their length restrictions.
 
2014-04-22 02:53:48 PM

Kurohone: I'm disappointed that this thread went the direction of talking about passwords, and not mocking Rob Liefeld.


Here
and
Here

/oblig
 
2014-04-22 03:41:19 PM

give me doughnuts: [webegeekspc.com image 600x607]


That's obviously a fake cause you can see his feet.
 
2014-04-22 03:43:17 PM

SkittlesAreYum: Name some sites that have this problem. You're telling me that it's not uncommon for a site to store the hash of the full password, but compare it against the hash of the truncated version? Come on.


Wordpress.  Pretty much any site running it.
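
The truncation dispute above (does the site cap or split the password when it stores it, and does the login path do the same?) as an added model in Python. It is not the code of any site or product named in this thread and makes no claim about them; PBKDF2 with a deliberately low iteration count stands in for whatever a real site uses, and the 8-character cap and the "drop everything after a space" rule are assumed examples of the undisclosed limits posters describe.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

Normalizer = Callable[[str], str]


def identity(password: str) -> str:
    return password


def cap_at_8(password: str) -> str:
    """Silent length cap, like the undocumented limits the thread complains about."""
    return password[:8]


def first_token(password: str) -> str:
    """Everything after the first space is dropped."""
    return password.split(" ", 1)[0]


def _kdf(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256 stands in for the site's real password hash;
    # 1000 iterations is for speed here, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 1_000)


class Site:
    """A login system whose registration and login paths may normalise the
    password differently. That mismatch is the failure mode under discussion."""

    def __init__(self, store_norm: Normalizer, login_norm: Normalizer) -> None:
        self.store_norm = store_norm
        self.login_norm = login_norm
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _kdf(self.store_norm(password), salt))

    def login(self, user: str, password: str) -> bool:
        if user not in self.users:
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(_kdf(self.login_norm(password), salt), digest)


def demo() -> Dict[str, bool]:
    """Run the configurations argued about upthread on the shifted passphrase."""
    pw = "wy330 8w q23w9j3"
    r: Dict[str, bool] = {}

    mismatch = Site(cap_at_8, identity)            # capped on store, not on login
    mismatch.register("alice", pw)
    r["mismatch: full password works"] = mismatch.login("alice", pw)          # False
    r["mismatch: first 8 chars work"] = mismatch.login("alice", pw[:8])       # True

    capped = Site(cap_at_8, cap_at_8)              # capped consistently on both paths
    capped.register("alice", pw)
    r["capped: full password works"] = capped.login("alice", pw)              # True
    r["capped: first 8 chars work"] = capped.login("alice", pw[:8])           # True

    split = Site(first_token, first_token)         # space-split on both paths
    split.register("alice", pw)
    r["split: full password works"] = split.login("alice", pw)                # True
    r["split: 'wy330 anything' works"] = split.login("alice", "wy330 anything")  # True

    correct = Site(identity, identity)             # no normalisation anywhere
    correct.register("alice", pw)
    r["no cap: full password works"] = correct.login("alice", pw)             # True
    r["no cap: first 8 chars work"] = correct.login("alice", pw[:8])          # False
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model separates two different complaints that get mixed together above. If only the storage path truncates, the user can never log in with the password they chose (the 15-character case posted earlier). If both paths truncate, login works, but the effective password is only the surviving prefix, and the user has no idea. A real and well-known instance of the second case is bcrypt, which uses only the first 72 bytes of its input; the usual remedy is to enforce and state a maximum length at registration, or to hash the password to a fixed length before feeding it to the slow hash.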
 
2014-04-22 04:12:56 PM
"When I close my browser, the cache and cookies are removed...all third party cookies are removed," he said. "All ads are removed. All tracking systems are disabled."

So what he is saying is that, by removing his cookies, he has to re-type his passwords in each time he uses the site. Which means if he gets a keylogger....

"Even if hackers got access, it's protected and encrypted and keeps it in encrypted format," said Kennedy, who has the tech skills to crack passwords easily.

Uh huh...
 
2014-04-22 04:27:04 PM

machoprogrammer: "When I close my browser, the cache and cookies are removed...all third party cookies are removed," he said. "All ads are removed. All tracking systems are disabled."

So what he is saying is that, by removing his cookies, he has to re-type his passwords in each time he uses the site. Which means if he gets a keylogger....

"Even if hackers got access, it's protected and encrypted and keeps it in encrypted format," said Kennedy, who has the tech skills to crack passwords easily.

Uh huh...


If you ain't got your ram soldered on the MB and explosive charges set...then the quarterback is toast, baby.

Cause we gots mad haXor skillz.
 
2014-04-22 04:27:34 PM
The main problem with really complex, long passwords is there are a lot of sites that have stupid, arbitrary rules for the length and types of characters you can use.
 
2014-04-22 04:31:27 PM

Marcellinus: machoprogrammer: "When I close my browser, the cache and cookies are removed...all third party cookies are removed," he said. "All ads are removed. All tracking systems are disabled."

So what he is saying is that, by removing his cookies, he has to re-type his passwords in each time he uses the site. Which means if he gets a keylogger....

"Even if hackers got access, it's protected and encrypted and keeps it in encrypted format," said Kennedy, who has the tech skills to crack passwords easily.

Uh huh...

If you ain't got your ram soldered on the MB and explosive charges set...then the quarterback is toast, baby.

Cause we gots mad haXor skillz.


aznbadger.files.wordpress.com

/first result in google images
 
Displayed 50 of 61 comments