Complex Passwords Aren’t That Much Safer

HardOCP News

Just great, my awesome "1234567890abcdefghijklmnopqrstuvxyz!@#$%^&*()+" password isn't much better than my old password "123."

What this shows is that a complex password isn’t necessarily a secure password. As we’ve written before, password systems have a very annoying way of putting most of the hard work onto the shoulders of the users. You’ve got to mix up a jumble of numbers and letters (some in capitals, please) and special characters. Some passwords time-out after 90 days, forcing you to reset them. But that doesn’t mean they’re that much safer than simple passwords.
 
Well, dur, but I know for a fact first hand that NON-pattern complex patterns do work. Our bike forum was hacked, and they got everyone's password but mine. It was interesting, we even found the hacker forum where the guy was posting about it and asking for help cracking all our user accounts, and mine was the only one missing (which was a password that's the equivalent of punching a keyboard with your face repeatedly).
 
I let KeePass generate my passwords. It's been a while and no problems at all (yet?).

The problem is generating a random password, it's using one. I have over 2 dozen logins, two of which require quarterly changes, and I use at least a dozen of them on a daily basis. This makes it incredibly difficult to create passwords that are both secure and memorable.

That said, none of the user efforts matter if the thing I struggle to keep secure doesn't exhibit the same tenacity. As mentioned in the article:

“Why are we burdening users with demands to chose stronger and stronger things with the goal of withstanding increasingly sophisticated guessing attacks when 1.2 billion credentials are just spewed from servers that are improperly protected,” says Herley. “That seems like a big waste of effort.”

Despite the fact that we are constantly warned against putting all of our assets in one place, or of writing down our passwords, the companies we trust to protect our information do just that, storing user credentials in central locations and in plain text.
 
Despite the fact that we are constantly warned against putting all of our assets in one place, or of writing down our passwords, the companies we trust to protect our information do just that, storing user credentials in central locations and in plain text.

That, and keyloggers could give a damn how complex or long your password is.
 
Problem is the weakest link a lot of times isn't the complexity of the passwords themselves, but the database and authentication mechanism. Example: why brute force one password when an SQLi exploit gains you access to the entire database.
 
That, and keyloggers could give a damn how complex or long your password is.
Yubikey all their passwords are single use. If I ran a company and felt my employees could expose sensitive data, I'd pay for Yubikey. Hate to sound like a commercial, but don't understand why a lot of 'security experts' seem to have a vague idea what they offer.
 
Well, dur, but I know for a fact first hand that NON-pattern complex patterns do work. Our bike forum was hacked, and they got everyone's password but mine. It was interesting, we even found the hacker forum where the guy was posting about it and asking for help cracking all our user accounts, and mine was the only one missing (which was a password that's the equivalent of punching a keyboard with your face repeatedly).

Most people can't remember a password like that to several different accounts unless they reuse it. That opens them up to theft of one opening up all the rest.
 
The problem is generating a random password, it's using one. I have over 2 dozen logins, two of which require quarterly changes, and I use at least a dozen of them on a daily basis. This makes it incredibly difficult to create passwords that are both secure and memorable.

Same problem, no way I can keep up with all my passwords and the gov isn't going to let me load an app to manage them. I don't want to write them down and although I might could put them in a safe there are still issues with that.

In the end I have to rely on slowly evolving pattern passwords and a few oddballs written down usually hidden as a phone number.

The requirement to continually change them and make them more complex only ensures that I will have to find ways to cheat in order to keep up with them.
 
Sigh..idiotic article.

First let's clarify what we are talking about here. The hacked website stored passwords in "Plain Text", not hashed. In the context of that argument, no password is safe, no anything is safe if the site storing it fails to follow best practices when it comes to password security. You cannot hold an argument that passwords are unsafe when the failure in question was not related to passwords. Once you understand that, then that entire article is reduced to hyperbolic fear mongering.

A password that is of sufficient length is more than secure. Sure anything under 10 characters or so is essentially insecure. However the real problem is that many places (most?) are failing to follow best practices based on what we know to be passwords that are both easy to remember and yet too complex to crack. The real battle is forcing companies into a mindset that we need to retrain people on what a proper password is. I will issue two examples:

1) DAgwe$151$@^%^cdfesFDS4DS
2) TheBoyRodeHisBikeHomeAt11!

So now let's talk about the two example passwords. The first one clearly adheres to modern conventions of multiple-case letters, numbers and symbols. However the second one does as well. Both are roughly the same length and both are such that a computer would have a significantly difficult time cracking them barring the topic trash article of being stored in plain text. The key difference? Well one is such that there is no way a human would ever remember it, the second is something that can be easily remembered by anyone. It is also an example of something that anyone who uses a computer can come up with that is personal to them and easy to remember.

The problem isn't the "password", the problem is how we teach and force people to create passwords and how sites are securing them.
 
Dekoth-E-

Indeed the article rides on conditions that are bad to begin with and does little to help.
People are bad at random passwords, or perhaps not.

Introduce the randomness in how you generate your passwords.
Start with something you know well, make a sentence from it, and intersperse in your own way the name of the site.

So for example a hardocp.com forum password.

Sentence:
My dog's name is "dakota" (and I adopted him from the) SPCA in November 2013.

I will say I like using the 2nd vowel as a number/symbol or, if not possible, caps.
SPCA will be $
2013 is 2k3

I also will put a short name of the site in the beginning or at the end. Let's use the beginning:

hofmdn1d$2k3

I know this isn't a great description but you get the gist.
Everything past hof can be remembered because you re-use it.
If that gets skimmed/compromised, it may not be very easy for a hacker to think that hof stands for 'hardocp forum' but you can get more inventive there.

The point is to introduce some rules you make up on the fly and then stick to them to individualize how you generate passwords.

No password is safe, ultimately, but this I think is a half-decent strategy to make it somehow work for a human.
 
I use the forum I am on as part of the password, like HardForum1296, FaceBook1296, etc.. makes it easy to remember.
 
I get that even the best password doesn't make up for bad network security, but it's still a piece of the puzzle. I never understood why they don't just store a hash of the password and salt it with something like the user ID before hashing. This would defeat precompiled rainbow tables and help keep the data secure even if there was a leak.
 
I use the forum I am on as part of the password, like HardForum1296, FaceBook1296, etc.. makes it easy to remember.

I hope you're kidding.

I memorize one randomly-generated strong password and rotate that every six months. That gets me into lastpass which then keeps all my other passwords that are all very complex.

If your work doesn't allow you to use a password manager I recommend a password journal (the paper kind). They're quite secure and have automatic notifications if your password has been compromised (the book is missing).

It's not possible for a human to remember enough complex passwords today. If you want a demonstration of how easy it is to hack hashes download a copy of oclhashcat and run it against a set of hashes of your favourite passwords. It's unbelievably more rapid than hashing programs from just a few years ago. I have 2x Radeon 7970s; with just that it tears through hashes.

Auditing customer's password hashes for complexity is a nightmare too. It's basically impossible to get less technically competent users to pick reasonable passwords and if you randomly assign them they can't even read them off an email and type them in accurately. I don't know what the solution is but at the moment, if they get the hashes, assume they're cracked.
 
I've started to use Password Safe to generate passwords like " 8*(Du^(pQlR6! ", ever since I lost some bitcoins from using the same password on an exchange website as I do on all my other logins. It's not till something happens that you start to reform your ways. This doesn't prevent exposure due to sites keeping plain-text passwords, but at least one password being compromised won't affect another.
 
Same problem, no way I can keep up with all my passwords and the gov isn't going to let me load an app to manage them. I don't want to write them down and although I might could put them in a safe there are still issues with that.

In the end I have to rely on slowly evolving pattern passwords and a few oddballs written down usually hidden as a phone number.

The requirement to continually change them and make them more complex only ensures that I will have to find ways to cheat in order to keep up with them.

You could do what I do:


Inspired by xkcd.
I made it in a spreadsheet. It will generate random character boxes based on certain criteria (numbers, special characters, capital letters, etc). I print out a copy and keep it with me and also back it up somewhere else. I only remember the pattern that I draw, I do not remember any of my passwords. Changing passwords is easy, I simply regenerate the boxes with new random characters, the pattern I memorized does not change.
 
They mention fingerprints, but that would only be good for a few weeks, until one fingerprint database is compromised then everyone's fingerprints will be available to all criminals.
 
You could do what I do:


Inspired by xkcd.
I made it in a spreadsheet. It will generate random character boxes based on certain criteria (numbers, special characters, capital letters, etc). I print out a copy and keep it with me and also back it up somewhere else. I only remember the pattern that I draw, I do not remember any of my passwords. Changing passwords is easy, I simply regenerate the boxes with new random characters, the pattern I memorized does not change.

This is a really good idea. I use 4 word phrases with each word being a different language. The problem is when I need special characters....
 
Love how in my office (emphasis on MY office) my computer requires a password to login, every 6-12 months it asks me to change it, it can't be the same password as the last 3 passwords... hence I just don't use the god damn computer and simply use my laptop which serves the same purpose.

Note: I say 6-12 months because I so rarely use it I forget how often the change cycle is... either way I do keep it written somewhere in my office, but you wouldn't know it was my password :D
 
Depends on who is cracking them and how. Rules do defeat the purpose of their making to a degree.
 
I use and recommend this. I have no idea how secure it is.
1. Pick two random people you know.
2. Use the name of one and the birthday/anniversary or date you will remember about them. Alternate the letters and numbers, but reverse the order of one of those two sets, and start with the number, and only capitalize the 3rd letter of the last name (or whatever trick you like, just do the same each time so you remember what your trick is). As long as you remember how you coupled the people, you'll always remember the password you created from them, but it will still be somewhat of a jumbled mess to anyone else.
While these passwords aren't perfect, it has gotten my friends to stop using things like their dog's name for their passwords while banking, for example. And while they're harder to type when you first start, it becomes easier the more you use them.
 
Memorable gibberish, word, gibberish, word, gibberish until you reach 24+ characters and you're set. Unless the server hosting it gets cracked open hard or it's a password-protected something that can be given enough crunch-computing time to open it up.
 
More services need to implement two-factor authentication to overcome this.
 
I think most of you password algorithm ninjas are completely missing the point.

Who cares about your facebook password? It's useless! You want to know a genuine hack? A genuine hack is when they stole the DB containing names, DOBs and SS# from 10 years worth of students from the University of Maryland. Me being one of these students.

The biggest problem with security is server security not passwords. My company public web servers get constant bombardments of random attack vectors. From silly things like exploits with phpMyAdmin (BTW never use phpMyAdmin in production), to complicated code execution patterns, ping traces etc. Hackers want control of the machine not your bullshit personal account.
 
You could do what I do:


Inspired by xkcd.
I made it in a spreadsheet. It will generate random character boxes based on certain criteria (numbers, special characters, capital letters, etc). I print out a copy and keep it with me and also back it up somewhere else. I only remember the pattern that I draw, I do not remember any of my passwords. Changing passwords is easy, I simply regenerate the boxes with new random characters, the pattern I memorized does not change.

That and Password Card operate on the same principle. You never really remember your password. Yours might actually be better, due to the numbers shifting every X days.

I was going to ask how you made it, but it looks like
Code:
=char(randbetween(33,126))
covers it, then just make your grid as big/small as you want.
 
Who cares about your facebook password? It's useless! You want to know a genuine hack? A genuine hack is when they stole the DB containing names, DOBs and SS# from 10 years worth of students from the University of Maryland. Me being one of these students.
Happened about 15 years ago at UC Berkeley too, someone stole a laptop that contained all that information about everyone who ever applied to school there, me being one applying for graduate school, thing is I applied about 5 years before that AND was denied so why the fuck were they keeping all my information still? Sure California has laws that say we need to be notified within a "reasonable" (year or so?) period but what does that really do? You're fucked anyway you slice it if anyone wants to do anything with that data, new SSN? Yeah right they're not going to do that, DOB? Can't exactly change that. Change my name? Fuck you that's why! Seriously the way people are parsed down is scary, you don't even need all that information, last time I applied for car insurance was told I had an accident in 2010 for X amount of damage in a car I don't own... seems someone else with the same name in the same region and now I have to explain all that shit anytime I change insurance.
 
I was going to ask how you made it, but it looks like
Code:
=char(randbetween(33,126))
covers it, then just make your grid as big/small as you want.
Almost, but I wanted the characters to be fully customizable, so I used a second sheet where I list the characters that I want. Each time I add a new character to the second sheet an "isblank()" function will check that square and output a 1 instead of a 0. I sum up all of the "isblank()" functions to determine the total number of possible symbols I can have. I then use the "randbetween()" function to generate a random number between 0 and the sum I obtained. Using that, I "offset()" to select one of the symbols on the second sheet.
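The password-card scheme from the two posts above (a grid of random characters drawn from a customizable symbol list, read along a memorized pattern), as an added example that is not the poster's spreadsheet: it draws cells with `secrets.choice`, which is a cryptographically secure generator where spreadsheet RANDBETWEEN is not, and reports the entropy of a path of a given length. The symbol set, grid size and L-shaped pattern are constructed for the demo.

```python
import math
import secrets
import string
from typing import Callable, List, Sequence, Tuple

# Constructed "second sheet": the symbols a cell may hold; extend it as the post does.
SYMBOLS = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"

Cell = Tuple[int, int]  # (row, col), zero-based


def make_grid(rows: int, cols: int, symbols: str = SYMBOLS,
              pick: Callable[[str], str] = secrets.choice) -> List[List[str]]:
    """Fill a rows x cols grid, each cell chosen independently by `pick`.

    Every cell is independent and uniform over `symbols`, so a path through the card
    is as strong as a random string of the same length over the same alphabet.
    """
    return [[pick(symbols) for _ in range(cols)] for _ in range(rows)]


def read_pattern(grid: Sequence[Sequence[str]], pattern: Sequence[Cell]) -> str:
    """Read the password along the memorised path, in path order."""
    return "".join(grid[r][c] for r, c in pattern)


def pattern_bits(pattern_length: int, symbols: str = SYMBOLS) -> float:
    """Entropy of a password read from `pattern_length` random cells."""
    return pattern_length * math.log2(len(symbols))


def render(grid: Sequence[Sequence[str]]) -> str:
    """Print-ready card with row and column headers, like the printed copy in the post."""
    header = "    " + " ".join("%2d" % c for c in range(len(grid[0])))
    body = ["%2d  " % r + " ".join(" " + ch for ch in row) for r, row in enumerate(grid)]
    return "\n".join([header] + body)


if __name__ == "__main__":
    grid = make_grid(8, 12)
    # Constructed pattern: an L-shape the user memorises. Regenerating the grid changes
    # every character of the password; the shape, and so the user's memory load, does not.
    pattern = [(0, 1), (1, 1), (2, 1), (3, 1), (3, 2), (3, 3),
               (3, 4), (3, 5), (3, 6), (3, 7), (3, 8), (3, 9)]
    print(render(grid))
    print("password:", read_pattern(grid, pattern))
    print("entropy : %.1f bits" % pattern_bits(len(pattern)))
```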
 
What is funny is that randomly generated passwords are easier to crack than passwords that contain phrases. It is very difficult to generate an algo to guess phrases, while it is pretty simple to generate an algo to guess patterns.
 
What is funny is that randomly generated passwords are easier to crack than passwords that contain phrases. It is very difficult to generate an algo to guess phrases, while it is pretty simple to generate an algo to guess patterns.
That is not correct.

DreamsJacketInverseFantastic

is FAR FAR FAR less secure than

Pp0joXQnBkPiWmKVDisJYzwwwmkH

I assume that, maybe, you meant generating small random passwords is not as secure as generating long word-based passwords?

Meaning:
DreamsJacketInverseFantastic

might be comparable in security to:
YMenXmzG

but the first one is much easier to memorize.
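An added worked comparison (not from any poster) of the example passwords in this thread: Dekoth-E-'s two examples and the random-versus-word-based pair just above. It scores a random string by the alphabet it draws from and a passphrase by the word list it draws from, which is the point at issue: the same string is expensive to guess only if the attacker's model has to treat it as random. The 7776-word list size and the guess rate are assumptions.

```python
import math
import string
from typing import Sequence, Tuple

# Character classes used to infer the alphabet a random-looking password drew from.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# Assumed word-list size for passphrases (the size of the standard Diceware list).
WORDLIST_SIZE = 7776


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password touches."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def random_string_bits(password: str) -> float:
    """Entropy if every character was drawn uniformly from the inferred alphabet.

    This is the guessing cost only when the password really is random; a passphrase
    looks the same to this function but is far cheaper to guess word by word.
    """
    return len(password) * math.log2(alphabet_size(password))


def structured_bits(components: Sequence[Tuple[int, int]]) -> float:
    """Entropy of a password built from (count, choices) parts, e.g. 4 words from 7776."""
    return sum(count * math.log2(choices) for count, choices in components)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password at a given rate (half the keyspace on average)."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # constructed guess rate: a fast unsalted hash on a GPU rig
    cases = [
        ("DAgwe$151$@^%^cdfesFDS4DS", random_string_bits("DAgwe$151$@^%^cdfesFDS4DS")),
        # Rough model of the sentence password: 7 dictionary words, 2 digits, 1 symbol.
        ("TheBoyRodeHisBikeHomeAt11!", structured_bits([(7, WORDLIST_SIZE), (2, 10), (1, 32)])),
        ("Pp0joXQnBkPiWmKVDisJYzwwwmkH", random_string_bits("Pp0joXQnBkPiWmKVDisJYzwwwmkH")),
        ("YMenXmzG", random_string_bits("YMenXmzG")),
        ("DreamsJacketInverseFantastic (4 words)", structured_bits([(4, WORDLIST_SIZE)])),
        ("DreamsJacketInverseFantastic (if random)", random_string_bits("DreamsJacketInverseFantastic")),
    ]
    for label, bits in cases:
        years = expected_crack_seconds(bits, rate) / 3.15e7
        print("%-42s %6.1f bits  ~%.3g years at 1e10 guesses/s" % (label, bits, years))
```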
 
Sigh..idiotic article.

First let's clarify what we are talking about here. ...

The problem isn't the "password", the problem is how we teach and force people to create passwords and how sites are securing them.

I agree only so far Dekoth-E, on the one hand there is nothing wrong with what you are saying here, you are correct. The problem comes in the application of standard password policies.

What you have here is great when you are talking about the work force in general, normal users. But as soon as you push into the IT workforce, developers are mostly like other users, no problem, but infrastructure and enterprise management people are another thing entirely.

As stated above, I have over a dozen work related passwords and the Security policies are not uniformly implemented between different OSs, etc, so it becomes a nightmare to keep it all straight and proper. Some systems I am on daily, some rarely, some change every 30 days, some 90. Some require special characters some will not allow special characters. It means that some I can remember and some must be recorded somehow and the risk of serious damage due to a compromise is far greater with my accounts because of the permissions and access that they have.

There needs to be something else for these kinds of accounts. They need a multi-factor authentication system that relies on a single password across multiple systems or that uses something in place of the password.

Something you have. A smart card
Something you ARE. A biometric
Someone who knows you. A Vouch-Safe system, where someone else with current active access has to approve your access almost like the dual-key system the Air Force uses for launching nuclear weapons. This would only work for large scale Enterprise outfits where you have shift work going on, etc.

Now is this the best, I doubt it, but those with a high rate of password "turnover" and serious admin privileges need a different system that takes into account the reality that they don't just have one or two passwords to keep up with, or else the accounts with the most power are the most vulnerable.
 
Sigh..idiotic article.

First let's clarify what we are talking about here. The hacked website stored passwords in "Plain Text", not hashed. In the context of that argument, no password is safe,
That's a central point of the article. Pushing mandatory password complexity on users is pointless when for many websites "credentials are just spewed from servers that are improperly protected." There's nothing idiotic about this observation.
 
Sigh..idiotic article.

It is another hyperbolic article that in the end has some root in the notion of creating news. Were it level-headed, the author may believe that it would not be newsworthy! Unfortunately, these writers do not realize how to venture into the article themselves. It is as if they aren't a part of their own audience. Were they, they would not be so oblique.
 
What is hyperbolic about the article? They are citing actual security researcher's work on password complexity.

The article plays a sort of shell game with the reader. If it had been reasonably composed it would have ordered its facts in such a way that the headline would have had to be changed and thus induced less excitement.
 
The article plays a sort of shell game with the reader. If it had been reasonably composed it would have ordered its facts in such a way that the headline would have had to be changed and thus induced less excitement.

The headline is a summary of a finding of actual security research. It may excite you, but it's not misleading or inaccurate.
 