Kill the Password?

HardOCP News

[H] News
Mat Honan, the Wired editor that got uber-hacked this summer, wrote an article that says no matter how complex or unique, your passwords can no longer protect you.

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.
 
If you read the article, though, it hinges on the fact that many people use the same password for everything, so sure, if they crack that they have access to everything, but it's simple enough to plug: use slightly different passwords for key accounts and you are safer. It's also about how we make up our passwords; if we construct them from things like our names and birth dates or addresses, things that can be found online, then it's easier for the hacker to crack our passwords.
 
If they want what you have bad enough they will eventually figure a way to get it.

Passwords are nice, but if you have multiple emails, bank accounts, or anything else that requires a password, eventually you may have to write it down, or worse, leave a hint so you can remember it.
 
First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

If I do that, I would end up at Bank of Nikolai.
On a serious note, which stupid bank has a "forgot password" link? My bank requires a unique identifier issued by them, my own password and a code from an electronic device given by them, which requires physical insertion of my debit card in the device and entering my debit card PIN code. LOL @ "Forgot password" at a bank. If your bank has one, you deserve to be robbed, because you are stupid enough to use such a bank.
 
My bank won't let you reset the password without entering your card number, and frankly any bank that doesn't employ two factor authentication for a password reset is not worth banking with.
 
Sounds like someone is still butthurt that Apple can remotely wipe all your devices.
 
That "Story" is so ridiculous! The short version is that he had all his accounts linked. He had his iPhone and Macbook "protected" by a feature that would allow him to wipe their data remotely if they were stolen. Then, because he's an Apple User and doesn't expect anything bad to happen to him, he probably didn't have very strong passwords.

So, after setting himself up, he was targeted because of his Twitter Handle according to the hacker. Or maybe it was something he said on Twitter? One can't rely on what a hacker might tell you afterward. They then compromised his accounts and remote wiped both his phone and laptop. Which contained approximately two years of photos of his baby. And of which he had no backup copies.

Now I can understand why he's so upset and feels the way he does about the situation. But the way he's now on a "mission from god" to change the system borders on ludicrous. Strong passwords work to keep the less determined hackers from messing with you. Two Factor Authentication can help, if it's done correctly. But none of the alternatives are as absolutely secure as he claims without turning the Internet into a "Cyber" Police State, where everything you do is monitored...

Personally I'm just going to keep backing up my data on a regular basis. That way it's easier for me to recover if/when I'm compromised. I just suspect the idea of "total Internet security" is an unreachable goal.
 

My thoughts exactly. Which bank sends e-mail to customers anyway? If the hacker is going to find any bank messages from my e-mail history it's going to be from scammers' phishing messages - good luck hunting down those! :D

And which bank has such crappy security that you could log on without a personal password and a disposable list of keys unique to you? Any bank with a simple logon process would be a honeypot for cybercrime and nobody should ever use one.

If AOL accounts are that easy to hack nobody should use it. I also don't subscribe to Twitter, Facebook or anything of that nature and I always give my spam e-mail address for different subscriptions. If someone hacks into some service they're not going to even know my real name let alone passwords or addresses :)

People are spreading their information so much all around that it's no wonder they get owned in the end.
 
He integrated everything and used a cloud for valuable one-of-a-kind content. He set himself up for maximum damage.

And he wants to blame passwords for failing him. No, his common sense failed him.
 

Welcome to modern technology "journalism."
 
Yeah, his epic lack of common sense and blind trust in technology failed him; this has nothing to do with passwords or their strength.
 

Android has a similar type of thing, like "Lookout": if hacked, someone can lock out or wipe your phone. His major flaw was not using the 2-step security option. It is a hassle, but that could have saved him a lot of grief.
 
It has to change. The DoD already uses three-factor security, and biometrics are rapidly moving toward a standard for one of those three factors. Personally I can't wait till passwords are a thing of the past. As a contractor working on military contracts doing sysad work, passwords are a nightmare for us. I have two for the company I work for, one that is unclass admin, one that is classified admin, and about 14 different admin and bda related passwords that are not standard user account passwords. Most of them I can't even change; they are at least 14 characters long and almost impossible to remember, so yes, they are all written down. Not supposed to write them down, hell, they are written down, passed around, I couldn't tell you how many people have them and we can't change them. Yeah, I can't wait to just drop in a smart card and stick my eyeball up to a scanner and maybe speak my current password into a voice analyzer with a PIN number as a distant fourth.
 
That's because people's passwords consist of the following.

Type 1:
<name of favorite thing> + numbers

Type 2:
numbers + <name of favorite thing>

Type 3:
<name of favorite thing> + <name of favorite thing>

Type 4:
<name of favorite thing but with numbers randomly thrown in>

Though the majority of the time the issue is that they use the same password for everything. So for example, if say [H]ardOCP gets hacked and you use the same password for your bank account, then you're screwed.

Another one is that your computer is so riddled with viruses that anything you type is recorded by an application and sent to some server that catalogs it. A key logger is usually a big reason why accounts are compromised, and the virus or malware is usually from a porn website.

Viruses only enter your computer from 3 sources: porn, junk mail, or torrents. If you use something decent like Gmail, junk mail is pretty rare, and you'd have to be stupid to click on it. The majority of it is Viagra. Torrents say you have to have some intelligence, so we can rule that out. That leaves porn, and I doubt you're the purist that you make yourself out to be.
 
The guy is an idiot and deserved to have his accounts stolen. And passwords are not the problem in and of themselves. Some websites are just idiotic in how they deal with passwords and the password reset process. For websites I develop, passwords are required to be 8 characters or longer and contain at least 1 number. They are also stored using bcrypt so a brute force attack is just about impossible. Using garbage like md5 or sha1 or any other hashing algorithm designed to be fast is retarded, and any developer using such algorithms should be fired, as they are incompetent. On top of that, using password reset questions such as where you were born is also retarded. Anyone who knows you will be able to answer the questions, and people who don't know you might be able to find out.

For myself personally, I use 2-factor auth (YubiKey + something like LastPass, KeePass, etc.) to store all of my passwords. Every website I use gets its own unique and very complicated password. And if any website asks questions such as mother's maiden name or birthplace, I type in random garbage that I never know or write down or store anywhere. The weak link in all of this is your email account. All they have to do is access your email and they can gain access to just about everything. To mitigate this, I have multiple email accounts that are each designed for specific purposes. I use one email address for my bank account. I do not use social networks, but if I did they would all have their own email address. Then I use a different email address for message boards such as this, a different one for all online shopping, and finally an email account used specifically for signing up for crap where I know I'll get spammed. Each email address has its own unique password, and I do not store those passwords anywhere. Every single one is committed to memory. By doing it this way, even if a hacker or whatever is able to get into one of my accounts, the amount of damage they can do is limited. Linking all of your accounts and especially using the same email address and password for everything is a recipe for disaster. Unfortunately, the general public just doesn't care and they will not give up convenience for security. I'm not sure what the solution to that problem is.
 
A portable device is a double-edged sword when it comes to putting security on it. BTW, if you use your portable device for things like banking and whatnot, then I would have it set up to enter a password each time you log in, and not remember it.

Putting security on it means the only way to use the device is to wipe it clean, which would reduce the chances of recovering it. If you had remote GPS software on the device, you could simply remotely log into it, and go to the address where it happens to be.

Just like this guy did with his machine.
 
It's so easy to blame everyone but yourself for your mistakes.

I have been a Hotmail user ever since the beginning. Not once have I been hacked.
 

Chill out, bro.
 
[image: password_strength.png]

Obviously he missed this comic :)
As others above said, the dude made poor choices and bought way too far into the security of Apple products lol.
He should retire into a hermit, for his e-shame is great.
 
Biometrics are not the answer for this. Biometrics may work when the authenticator can trust the biometric reading device (laptop for the laptop's login, door lock, etc.). But over the internet, the biometric data can be spoofed.

And since it's unchangeable, if someone gets your fingerprint's biometric data, how do you change it? You're screwed for that forever.
 

As a programmer this comic frustrates me, for the simple reason that no human will type 1000 passwords in a second, or more than 1 for that matter. We need better servers that, instead of totally avoiding DOS attacks, shut down when sensible.
 

What I meant to say is temporarily lock a users account when it is detected that a non human is stuffing passwords.
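A small login guard combining the two ideas raised in this thread (storing passwords with a deliberately slow hash such as bcrypt, and temporarily locking an account when something non-human is stuffing passwords at it). This is an added example written for this page, not code from the forum or from any poster; hashlib.scrypt stands in for bcrypt so it runs on the Python standard library alone, and the user name, thresholds and timestamps are made up.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# scrypt parameters (stand-in for bcrypt): slow and memory-hard on purpose,
# the opposite of md5/sha1, so an offline brute force cannot "fly".
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=b""):
    """Return salt + scrypt digest; each user gets a fresh random 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + digest


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)


class LoginGuard:
    """Lock an account for `lockout` seconds after `max_failures` bad
    attempts inside a sliding `window` (made-up defaults)."""

    def __init__(self, max_failures=5, window=60.0, lockout=300.0):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0.0) > now

    def attempt(self, user, password, stored, now=None):
        """Return 'ok', 'bad_password' or 'locked'. `now` is injectable for tests."""
        now = time.monotonic() if now is None else now
        if self.is_locked(user, now):
            return "locked"          # refuse before hashing: no work, no oracle
        if verify_password(password, stored):
            self._failures.pop(user, None)
            return "ok"
        q = self._failures[user]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures.pop(user, None)
            return "locked"
        return "bad_password"


def simulate_stuffing(attempts=8):
    """Constructed scenario: a bot guesses once per second, then the real user
    tries during and after the lockout. Returns the sequence of outcomes."""
    stored = hash_password("correct horse battery staple")
    guard = LoginGuard(max_failures=5, window=60.0, lockout=300.0)
    results = [guard.attempt("alice", "guess%d" % i, stored, now=float(i))
               for i in range(attempts)]
    results.append(guard.attempt("alice", "correct horse battery staple", stored, now=10.0))
    results.append(guard.attempt("alice", "correct horse battery staple", stored, now=310.0))
    return results


def slowdown_factor(rounds=5):
    """How many times slower one scrypt check is than one sha1 check."""
    pw, salt = b"hunter2", b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(rounds * 1000):
        hashlib.sha1(salt + pw).digest()
    sha1_each = (time.perf_counter() - t0) / (rounds * 1000)
    t0 = time.perf_counter()
    for _ in range(rounds):
        hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return ((time.perf_counter() - t0) / rounds) / sha1_each
```

The fifth failure trips the lock, so even the correct password is refused until the lockout expires; the legitimate user gets back in afterwards.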
 
That "Story" is so ridiculous! The short version is that he had all his accounts linked. He had his iPhone and Macbook "protected" by a feature that would allow him to wipe their data remotely if they were stolen. Then, because he's an Apple User and doesn't expect anything bad to happen to him, he probably didn't have very strong passwords.*snip*
Yeah, I agree with everything you said. Dude is just salty and wants to use his Wired access as a platform to whine.

This as well. QFT.

Well, it is "Wired".


Yup. But Wired has its own lemmings and they will regurgitate that man's nonsense for the rest of the herd. :)
 
That leaves porn, and I doubt you're the purist that you make yourself out to be.

We invented missionary style. You're welcome.

Different passwords can get very difficult to manage. So, for some sites I use the same password. If it gets compromised, there is nothing that would really benefit the person that has it. Sure, they can post a few things at a few various forums. No big loss.

Banks and other sites that have information about me have unique passwords for each.
 

That's how I pretty much work as well. I remember Gizmodo got hacked and passwords were stolen, but I didn't care because I use that password for websites like that. Things like bank accounts and credit cards use different passwords. Even my email uses a separate password.
 

My bank will let you reset the password by putting in the card number and then various information off the card... So if you've stolen the card... :D
 
ALF: Willie! Quick! What's your bank card password?

WILLIE: You can't be trusted with information, Alf. You'll just have to guess.

ALF: Is it 1111? 1112? 1113

WILLIE: (now angry & having lost his patience) ALF! THAT'S IT!

ALF: Thank goodness! I was afraid we were gonna be here all night.
:)

or words very similar to that
 
This article is hilarious since not a single password failed him.

It was the password reset mechanism that failed him.

Also his foolish linking of every account. Why did he lose any data? Ohhh right, no backups.
 
The guy is an idiot and deserved to have his accounts stolen. And passwords are not the problem in and of themselves.

No, passwords simply no longer work (no claim that they ever did). If you store your passwords in your memory, they just aren't any good. Judging by the official "lists of people who can memorize pi to n places", there are about 100 people who can memorize 10 or so truly random passwords (good luck getting enough places to accept a "correctbatteryhorsestaple" as a password). Storing your passwords online is only asking for them to be looted as well.

Presumably you could maintain a USB key that does public key encryption on it, but a quick scan of actual hardware security products makes this an unbelievably naive belief, at best.

Electronic security sucks. People don't care about security, and every time you deal with people who don't understand computers down to boolean equations they are going to screw it up. Deal with it.

You can make fun of a reporter all day long, but understand that in the unlikely event that anyone in charge of security protocols understands the issues, the odds of them getting to implement a system that doesn't have gaping holes at multiple points is pretty much zero.
 

Right, but you report the card stolen as soon as you know it's stolen, problem solved. There is a small window where the account could be compromised, sure.
 
The only other infallible (possibly) password scheme is DNA. The trouble a hacker would have to replicate it makes it fairly safe I would think. Outside of biometric encryption, I can't see a way around it.
 

As stated above, it wasn't the passwords that were the problem. It seems like it was a combination of websites using insecure password reset mechanisms, and him making the foolish mistake of tying all of his accounts together. There's nothing wrong with passwords as long as they are implemented and used correctly. The problem is they aren't. I can make fun of the reporter because he made mistakes that allowed his accounts to be compromised. But he made the same mistakes that nearly everyone does. So maybe it's just human nature that is the problem. I just can't really point the finger squarely at the concept of passwords as being the sole problem. To me it's a lot like blaming a gun instead of a person when someone gets shot. I really don't know what the solution is to be honest. People want convenience above all else. And yes, people suck at memorizing strong passwords.
 
So in short, because he is a complete moron the entire system couldn't possibly work? Did he seriously try to make that retarded of an argument?
 
In most implementations, a password is just a shortcut to an encryption key. I like the idea of cutting out the middle man and just keeping keys on a thumb drive. The problem is preventing unauthorized electronic access to the keys. I envision some sort of software mechanism that works with a physical mechanism on the thumb drive to quarantine the keys from one another and control electronic access.
 

Really? You don't need to replicate it, only obtain it. Little prick for blood, toothbrush, etc.. Easy to obtain, easier than a password.
 
Lol, 7 characters make a "robust" password?
And "cracking a long password with brute force computation takes just a few million extra cycles"?
Try trillions. An AMD Radeon HD7970 GPU tries 8.2 billion passwords per second, and even using a computer with 8 of them working in parallel, complex passwords would still take years to crack.
And that assumes that you have stolen a local copy of the user and password database, not that you are trying to hack the account on the web site directly, which would take millennia.

http://arstechnica.com/security/2012/08/passwords-under-assault/
 