
(Phys Org2) You best be using at least 9 character passwords with lower and upper case letters and numbers and special characters and umlauts and gerunds and dingos (phys.org)
More: Scary, strong password, Oslo, special case, lowercases, server computers, security question, GPUs, computer clusters

4070 clicks; posted to Geek » on 12 Dec 2012 at 11:25 AM

64 Comments

2012-12-12 04:09:42 PM  
Keepass, with its ability to generate & store random passwords, does the job nicely. You can remember the random character strings if you use them often enough, and if a password's rarely used it's no great problem to open Keepass to find it.

What is annoying is when a site insists on mixed case, numbers or worse. Because qysybeaw is so easy to guess, obviously. And it's not as if mixed case is a real pain in the arse to type on a phone or tablet touchscreen or anything.
2012-12-12 04:12:50 PM  

unyon: Smeggy Smurf: I'd rather the goblins think they've scored big when the truth is they only stole my collection of farts in mason jars. I'd miss it but not that much.

I particularly enjoyed pineapple salsa fart #4, 1998. It was a good year.

I'm glad you enjoyed it. I smurfed my pants making that.
2012-12-12 04:41:32 PM  

FlashHarry: 1Password. totally worth it.

$50? Really?

Password Safe
2012-12-12 05:49:02 PM  

Bob the Internet Barbarian: FlashHarry: 1Password. totally worth it.

$50? Really?

Password Safe

for the mac environment, it's the best one out there. so, yeah, really.
2012-12-12 05:59:06 PM  

ChubbyTiger: ampoliros: I can't get into my most backwater forum account if I enter the password wrong 5 times in a couple minutes. What system lets you guess 350 billion times per second without penalty?

*sigh* This is an offline attack. They get the file with hashed passwords and crack them offline. No web necessary.

My fault for skimming the article.

Still, unless your site is really poorly configured, getting the hash file would likely involve someone on the inside or some other way to get physical access. And once you have physical access to the system, all bets are off anyway.

It's called SQL injection, and it happens ALL OVER the place. Huge sites that you know and trust have had this.
2012-12-12 06:29:41 PM  

Even with his fancy cracking array, which is pretty freaking sweet I might add. Unfortunately for him, where I work we've been using that XKCD suggestion for a while. I usually make passwords based on a few things on my desk, like "Knifedrivemagnet". According to GRC's password haystack there's 2.91 x 10^27 possible passwords for that size and character set. Assuming 350 billion guesses a second, it would take 263,824,214 years to guess that. I think he might have better success mining bitcoins.

A generally safe assumption is that anything from GRC is wrong.

Combining words like this gives you about 12-13 bits of strength per word (the average person knows about 16,000 words, but only uses/thinks about a fraction of that). For a target with specialized degrees it could be another bit per word, but it doesn't grow hugely in most cases.

This means your three-word password would end up being around 36-40 bits of strength. Using your assumption of 350 billion a second (which would be a horrible hash like NTLM (MD4)), your password would be cracked in seconds.

There's a reason xkcd chose 4 words. You'll be far better off, by the way, if you change your tenses and usage a bit: "Alabaster sinGletoned: quiXotiCally flouridatIOn". And obviously five words is better than four, but don't use participles or other joiners like "at", "to", "with", "and", etc. There really are very few of these, so if those are one of your words it barely adds any complexity.

More importantly, there's a reason no one should be using straight hashes anymore. Please see salts, PBKDF2, bcrypt, and scrypt. Lots of iterations, memory hard, and missing input information; these are your friends for password storage. Or just go nuts and get an HSM and never let the crypto see the light of day. Either way.
ZAZ [TotalFark]
2012-12-12 07:00:23 PM  
Please see salts

Half the people making these mistakes weren't even born when Unix started using salts in the world-readable /etc/passwd file to slow offline attacks. According to some guy on the internet salts were added in V7, which was in 1979. I'm sure they were in BSD 4.3, probably also 4.2, from the early to mid 1980s.
2012-12-12 07:13:05 PM  

Bob the Internet Barbarian: FlashHarry: 1Password. totally worth it.

$50? Really?

Password Safe

Password Safe is great, but I really only use it for "small sites" (like my login for a website that requires logins but doesn't maintain any real personal data, like my address or payment info). For "big" sites, I use longish phrases like "I can't believe I still use AOL" or "I know I keep my money here, but I hope they go bankrupt" or the like. OK, maybe not that long, but even my laptop password is over 25 characters in length.
2012-12-12 08:13:24 PM  

WayToBlue: It's called SQL injection

Little Bobby Tables, we call him.
2012-12-12 08:41:22 PM  
I just hold the "e" key until I hit the character limit.

Email password? eeeeeeeeeee

ATM PIN? eeee

Alarm Code for the office? eeeee

Every security question? eeeeeeeeeeeeeeeeeeeee

Sound the voice in my head makes? eeeeeeeeeeeeeeeeeeeeeeeeeeeee
2012-12-12 11:11:32 PM  

Ed Finnerty: I just hold the "e" key until I hit the character limit.

Email password? eeeeeeeeeee

ATM PIN? eeee

Alarm Code for the office? eeeee

Every security question? eeeeeeeeeeeeeeeeeeeee

Sound the voice in my head makes? eeeeeeeeeeeeeeeeeeeeeeeeeeeee

2012-12-13 05:17:46 AM  

ChubbyTiger: They hack Fark and get the passwords, in hashed format. Then they crack the file (offline). Now they have your email address and a password. Sure, that password is the one you use for Fark, but how much do you want to bet that 50% of the Fark passwords also work for a banking site or Amazon (where they have your credit card), or Facebook (where they get tons of other information), etc.

Sadly, THIS.

I say sadly because I had planned to go Christmas shopping Mon-Wed this week, put together some boxes of goodies for the relatives far away, and mail them.

Sunday: A friend pings me to let me know she got spam from "me." I ask what address. Oh, it's that Hotmail account I haven't used in years. Hardly a surprise - I get e-mail or MSN spam from friends' compromised Hotmail accounts several times a year. Being old, I guess that it probably has a password I used a lot a few years ago - 8 characters, a couple words mashed together with some letters swapped out for digits. By modern standards, "good" but not "very good."

Monday: I get email from Skype. "Registered email address successfully changed. We've updated your registered email address to..." oh, FARK FARK FARK. Yeah, the Skype account has been around forever too, and has the same password as the Hotmail one. Being able to type 90+ wpm comes in handy when you need to log into an account, reinstate your address as the primary registered address, delete the Yahoo address of some scum you've never heard of (after writing it down), and change your password, faster than they can do anything about it. Account secured, I contact Skype support and get them to reinstate my privileges. Then I spend a few hours going through my bookmarks and setting up unique passwords for every site or service that had used the old one.

Tuesday: I stop at the store, go to the ATM, and my available balance shows $-175. That's odd; there should be a little in checking, and if not, there was another $300 in savings to cover any overdrafts, and I know what I'd spent. I figure something's out of whack with the bank. By evening, the bank's website is saying $-475. I give their 24-hour line a call, and find out that the aforementioned scum had tried to charge 100 Euros of Skype credit, plus 15% VAT, five times (total ~$740). Yeah, Skype was linked to my debit card for those $10 auto-refills. And yeah, the debit card is linked to my checking account. Which in turn is linked to my savings account for overdraft protection. So it got cleaned out.

After a bit of late-night back-and-forth with Skype and the bank, Skype's authorization department escalated it up the ladder, but couldn't tell me how long it'd take to resolve. The bank said that if Skype didn't fix it within the next week, they'd reject the charges, but unless and until they actually posted to my account, I couldn't contest them - nor could I have my money back. Thanks, guys.

Wednesday, I woke up to my personal banker calling to ask whether there was anything I needed her to do. I think if I asked, she'd have given me an emergency loan or something, but I wanted to wait and see if Skype fixed it fast, which so far they didn't. I swung by the police station, they took down the basic info and told me to report it to IC3.gov. I pinged a lawyer friend who works at Yahoo; he said the same - IC3 would get it to people who knew who to talk to at Yahoo. I called the local FBI number; they said the same - IC3 is an FBI partnership, after all.

So... Christmas shopping did not happen. And now I'm heading off to work and won't be back for 128 hours, during which I hope this clusterfark gets sorted out. (Bonus points if FBI + Interpol + Yahoo + Skype can deliver a LART or drone strike to whatever organized crime syndicate or terror cell has another 18 gibberish-named Skype accounts registered to that same Yahoo account. ;)

On the bright side, every site or service I use now has a different password, so even if they hack Fark, they're not getting a password for me that works anywhere else, at all.
2012-12-13 06:36:01 AM  

sprawl15: I've switched to an image based password. It compares desktop backgrounds. Good luck brute forcing the 3MB anigif.

I vaguely remember something like that proposed to replace the irritating twisty words in captchas. There was, I think, a 3x3 grid with six pictures of puppies and three kittens arranged randomly and the challenge was to select the three kittens.

Another one asked users to find the three good-looking people in the grid of nine after choosing men or women for the picture test, but that one is a bit trickier as we don't all agree on what is attractive. See classic Fark boobies threads for more on varied views regarding acceptable knee sharpness.
2012-12-13 10:23:10 AM  
When I was a kid, one of the local libraries had a Unix-based card catalog system where the staff's passwords were saved as 32-bit salted hashes, using the standard crypt() function they used for the system's 'passwd' file at the time. Even so, all of the passwords could be cracked in a few seconds on (IIRC) a 16 MHz 386-SX. Why? The card catalog system had a restriction at the UI level that required passwords to be all capital letters and exactly five characters long.
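The arithmetic behind two of the comments above (the bits-per-word estimate with the 350 billion guesses/second figure, and the library's five-uppercase-letter passwords) as an added worked example, not code from the thread or from any poster. It assumes the commenter's figures (a 16,000-word vocabulary, 350e9 guesses/second against a fast unsalted hash) and a simplifying assumption that a KDF with N iterations cuts the attacker's guess rate by a factor of N; the salted PBKDF2 at the end is the kind of storage the thread recommends over straight hashes.

```python
import hashlib
import math
import os
from typing import Optional, Tuple

# Constructed assumptions taken from the thread's own numbers.
VOCAB_SIZE = 16_000          # words the average person knows
FAST_HASH_RATE = 350e9       # guesses/second against a fast hash (NTLM/MD4)


def words_bits(n_words: int, vocab: int = VOCAB_SIZE) -> float:
    """Entropy in bits of n words chosen uniformly from a vocabulary."""
    return n_words * math.log2(vocab)


def charset_bits(length: int, charset_size: int) -> float:
    """Entropy in bits of a fixed-length string over a charset
    (e.g. the library's exactly-5-uppercase-letters rule: 26**5)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits: float, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses/second."""
    return 2 ** bits / rate


def slow_hash_rate(fast_rate: float, iterations: int) -> float:
    """Assumption: an iterated KDF costs `iterations` hash computations per
    guess, so the attacker's rate drops by that factor (ignores MD4 vs
    SHA-256 speed differences; real numbers depend on the hardware)."""
    return fast_rate / iterations


def pbkdf2_store(password: str, iterations: int = 100_000,
                 salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256; returns (salt, derived_key).
    A fresh random salt per user means identical passwords hash differently."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


if __name__ == "__main__":
    three = words_bits(3)                      # ~41.9 bits
    five_caps = charset_bits(5, 26)            # ~23.5 bits
    print(f"3 words: {three:.1f} bits, exhausted in "
          f"{seconds_to_exhaust(three, FAST_HASH_RATE):.1f} s at 350G/s")
    print(f"5 capitals: {five_caps:.1f} bits, exhausted in "
          f"{seconds_to_exhaust(five_caps, FAST_HASH_RATE) * 1e6:.0f} us")
    slow = slow_hash_rate(FAST_HASH_RATE, 100_000)
    print(f"3 words behind 100k-iteration PBKDF2: "
          f"{seconds_to_exhaust(three, slow) / 86400:.1f} days")
    _, h1 = pbkdf2_store("Knifedrivemagnet", iterations=1000)
    _, h2 = pbkdf2_store("Knifedrivemagnet", iterations=1000)
    print("same password, different salts, different hashes:", h1 != h2)
```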
Displayed 14 of 64 comments