How To Keep Passwords Safe from Hackers

HardOCP News

This sure seems like a simple and effective way to protect passwords from hackers. Makes you wonder why no one is doing this.

Researchers at computer security company RSA have created a system that splits passwords in two and stores each half in different locations. The two halves never come together, even when a person logs in and has his password verified. That should make it harder for someone to steal them, because a thief would need to break into both those servers, which can be protected in different ways.
 
My passwords are kept on a pull-out board in my desk. Try and hack that, jerk faces!
 
So hackers would just need to find the two sites where the passwords are stored and hack into them. It might take longer, but it's not like it's going to stop them.

As far as my passwords go, well, they'll need to meet my family to get 'em, as I tell everyone in my family my password. And then they'll wish they were never born.
 
I catch shit from all sides because, although I'm technologically capable of password storage in many capacities, I prefer to store all of my passwords on 3x5 index cards in a box on my desk. It has survived many crashes and formats that pre-cloud technologies couldn't have handled, but what worked then still works for me now.
 
Don't do this?
[image: password-screenshot-closeup.jpg]
 
My passwords are kept on a pull-out board in my desk. Try and hack that, jerk faces!
So then it's less likely than actual hacking, but someone breaks into your house, takes your computer, and while they are at it gets all your passwords. Double down special.
 
Same with me, except that if someone breaks into my residence, who says the passwords in the file stored in my cabinet are the same as the ones I use to log into the various websites? ;)

I catch shit from all sides because, although I'm technologically capable of password storage in many capacities, I prefer to store all of my passwords on 3x5 index cards in a box on my desk. It has survived many crashes and formats that pre-cloud technologies couldn't have handled, but what worked then still works for me now.
 
Ugh, I don't get why people keep trying to find inventive ways to keep passwords safe. It'd be a lot easier just not to have passwords at all and then you don't need to worry about keeping them safe.
 
Well, an idiot I work with has his passwords saved in emails to himself on his Outlook account and on his iPhone.
 
I have a custom script I made, with a web front end, that stores them with AES-256. The password to log in to the system is part of the AES-256 key. It's not the most secure setup in the world, but considering it's not on an online server, it's good enough for me. Someone would need to hack through my firewall or break into my house to get to it.
 
Meh, I keep each half on my split personalities. :)

Not to derail the topic, but imagine if a person's split personality only knew the password but not the login. Of course there's always password recovery, but what if that was set up by the other personality too?! lol

Sorry... too much NyQuil or not enough.
 
I have an 8-character password stored as 1 character on one server x 8. The order of the password characters is determined by the build date of the server x the version number of the OS.
 
I have an 8-character password stored as 1 character on one server x 8. The order of the password characters is determined by the build date of the server x the version number of the OS.

dafuq
 
I have an 8-character password stored as 1 character on one server x 8. The order of the password characters is determined by the build date of the server x the version number of the OS.


I think he's saying his password is split into eight parts, where each part is individually stored on quantum computers with the highest qubit designation in random orders whose order can only be determined by the actual build date of the operating system, which by the way is an experimental build of Windows 12 that is installed and stored on such a magnificent computer that not even the US government has the balls of spending our tax dollars on because taxpayers may end up blaming World-President-but-settles-for-US President Obama or Wishes-to-be-US President-elect Romney for all the ills in this country that's happened since 1776, when the first country was formed by British ex-pats that didn't know that the US Constitution would apply to digital technology some 200 years later long before Zefran Cochran made his first Warp Drive flight in the Phoenix, and it is at that moment one realizes they're reading a very long sentence that makes no sense whatsoever like the comment by "The One", who seems to be self-proclaiming himself as the savior of mankind from comments that make no sense due to the fact his super secret password to Redtube that gives him unabridged access to the best videos is stored on non-existent computer systems that are only dreamed up by the minds of nerds going ga-ga for anything that has two tits and a brain and only says, "Yes, master, please me harder," a phrase that seems to resonate from every computer user on this forum that turn on their computer hoping it'd be that wondrous computer "The ONE" has his password stored on, so in other words...

... pure bullshit.

(NOTE: The preceding sentence is the encrypted version of my password to my accounts on Youtube, Gmail, Facebook, LinkedIn, the FBI's backend server, superuser access to MI:6, and [H]ardForum, plus a few other websites no one ever hears about like Imgur, Reddit and Allrecipes.com.

Good luck cracking my password!)
 
Just come up with a method/formula you can apply to each different website to create a password. That way you only have to remember the formula.

For example, say your formula is to take the first and last letter of the URL, reverse them, and fill the space in between them with periods, numbering the same as the rest of the URL. So you have:

hardforum = 7 characters not counting the "h" and "m"

password = m.......h

It's an overly simplistic formula, but that password has the same strength as this:
$h092!x_^

Granted, if someone finds out your formula you're screwed, but I can't really see anyone being able to social engineer that out of you.
 
From a crypto point of view this is an extremely bad idea if they split the password and then hash each chunk.

The time to brute force a hashed password grows exponentially with password length. Brute forcing a small length such as 5 or 6 can be done in seconds, whereas length 9 will have you waiting many years.

This was a problem with the Windows XP LM password storage system: it took a password, padded it to length 14, split that in half and hashed each half, so you're breaking two length-7 passwords instead of one length-14 password.

Storing salted passwords is a trivial way to defeat brute force attacks because it raises the complexity of brute forcing the passwords even if you steal the entire database; the reason places like LinkedIn had their passwords forced was because they used a weak storage system without salts.
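As an added illustration of the LM point above (this is editorial example code, not part of the original post and not the real LM algorithm): SHA-256 stands in for LM's DES-based step, the fixed field is 6 characters instead of LM's 14, and the alphabet is eight uppercase letters plus the NUL pad byte, all constructed so the search runs in about a second. It counts the hashes an exhaustive search needs when each half is hashed on its own versus when the whole field is hashed at once, shows that a short password leaves a NUL-only half that falls on the first attempt, and ends with the salt demo. One caveat on the post's last paragraph: a salt defeats precomputed tables and stops identical passwords sharing a hash, but it does not slow the search against any single hash; a deliberately slow KDF (bcrypt, scrypt, PBKDF2) is what does that.

```python
"""Why hashing password halves separately shrinks the attacker's work.

Constructed demo: SHA-256 stands in for LM's DES-based step, the alphabet is
eight uppercase letters plus the NUL pad byte, and the fixed field is 6
characters instead of LM's 14, so everything runs in about a second.
"""
import hashlib
from itertools import product
from typing import Dict, Optional, Tuple

LETTERS = "ABCDEFGH"             # toy alphabet (LM uppercases, so a-h and A-H collapse)
PAD = "\0"                       # LM pads short passwords with NUL bytes
SEARCH_ALPHABET = PAD + LETTERS  # the attacker tries the pad byte too; it sorts first
TOTAL_LEN = 6                    # toy analogue of LM's fixed 14-character field
HALF_LEN = TOTAL_LEN // 2


def toy_hash(chunk: str) -> bytes:
    """Unsalted one-way function of a chunk (stand-in for LM's DES step)."""
    return hashlib.sha256(chunk.encode()).digest()


def normalise(password: str) -> str:
    """Uppercase and NUL-pad/truncate to the fixed field, as LM does."""
    return password.upper().ljust(TOTAL_LEN, PAD)[:TOTAL_LEN]


def lm_style_store(password: str) -> Tuple[bytes, bytes]:
    """LM-style: hash each half of the padded field independently."""
    p = normalise(password)
    return toy_hash(p[:HALF_LEN]), toy_hash(p[HALF_LEN:])


def whole_store(password: str) -> bytes:
    """Hash the padded field as one unit (still unsalted)."""
    return toy_hash(normalise(password))


def brute_force(target: bytes, length: int) -> Tuple[Optional[str], int]:
    """Exhaustive search in lexicographic order; returns (match, hashes computed)."""
    attempts = 0
    for combo in product(SEARCH_ALPHABET, repeat=length):
        attempts += 1
        candidate = "".join(combo)
        if toy_hash(candidate) == target:
            return candidate, attempts
    return None, attempts


def crack_halves(halves: Tuple[bytes, bytes]) -> Tuple[str, int]:
    """Two independent searches of at most 9**3 each; a NUL-only half falls on attempt 1."""
    left, a = brute_force(halves[0], HALF_LEN)
    right, b = brute_force(halves[1], HALF_LEN)
    return ((left or "") + (right or "")).rstrip(PAD), a + b


def crack_whole(digest: bytes) -> Tuple[str, int]:
    """One search of at most 9**6; the same password costs hundreds of times more work."""
    found, n = brute_force(digest, TOTAL_LEN)
    return (found or "").rstrip(PAD), n


def salted_store(password: str, salt: bytes) -> bytes:
    """Salt makes equal passwords hash differently and defeats precomputed tables.
    It does not slow a per-hash search; a slow KDF (bcrypt, scrypt, PBKDF2) does that."""
    return hashlib.sha256(salt + normalise(password).encode()).digest()


def precomputed_table(words) -> Dict[bytes, str]:
    """Attacker's lookup table for the unsalted scheme: built once, reused against every dump."""
    return {whole_store(w): normalise(w).rstrip(PAD) for w in words}


def lookup(table: Dict[bytes, str], digest: bytes) -> Optional[str]:
    return table.get(digest)


if __name__ == "__main__":
    pw = "hgfhgf"  # constructed password, full field length
    print("halves:", crack_halves(lm_style_store(pw)))     # ('HGFHGF', 1436)
    print("whole: ", crack_whole(whole_store(pw)))         # ('HGFHGF', 523411)
    print("short: ", crack_halves(lm_style_store("hgf")))  # ('HGF', 719)
    table = precomputed_table(["hgfhgf", "abcabc"])
    print(lookup(table, whole_store("hgfhgf")), lookup(table, salted_store("hgfhgf", b"s1")))
```

The numbers scale the way the post says: with a k-symbol alphabet the split scheme costs at most 2·k^(n/2) hashes while the whole-field scheme costs k^n, which is why LM's 14-character field was effectively two 7-character passwords.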
 
From a crypto point of view this is an extremely bad idea if they split the password and then hash each chunk.

The time to brute force a hashed password grows exponentially with password length. Brute forcing a small length such as 5 or 6 can be done in seconds, whereas length 9 will have you waiting many years.

This was a problem with the Windows XP LM password storage system: it took a password, padded it to length 14, split that in half and hashed each half, so you're breaking two length-7 passwords instead of one length-14 password.

Storing salted passwords is a trivial way to defeat brute force attacks because it raises the complexity of brute forcing the passwords even if you steal the entire database; the reason places like LinkedIn had their passwords forced was because they used a weak storage system without salts.

Wow, it really does seem like a stupid idea all round. Considering most of the passwords would be something like "Password" or "Mother", you would only need to get half the password, because the other half you could probably guess at.
 
We have a program here that another guy on my team and I were beating our heads in trying to figure out what this user's password was..

After 30 minutes and an accidental click, turns out she didn't have one. We just had to click OK.
 
So hackers would just need to find the two sites where the passwords are stored and hack into them. It might take longer, but it's not like it's going to stop them.

Read the article again. They split the passwords, store the halves on two servers in random order, and periodically the halves are randomly swapped between servers, so even if one is able to take a snapshot of both databases, they'll change in hours.
 
From a crypto point of view this is an extremely bad idea if they split the password and then hash each chunk.

The time to brute force a hashed password grows exponentially with password length. Brute forcing a small length such as 5 or 6 can be done in seconds, whereas length 9 will have you waiting many years.

This was a problem with the Windows XP LM password storage system: it took a password, padded it to length 14, split that in half and hashed each half, so you're breaking two length-7 passwords instead of one length-14 password.

Storing salted passwords is a trivial way to defeat brute force attacks because it raises the complexity of brute forcing the passwords even if you steal the entire database; the reason places like LinkedIn had their passwords forced was because they used a weak storage system without salts.

Sounds to me like you just salt the password and hash the thing with SHA-512. Store the first 256 bits (not "randomly", and at this level it doesn't matter) on one machine and the rest on the other. (Note: I am pretty sure SHA-256 is enough, but if you assume that half the hash is compromised and a clever hacker can pull a birthday attack on the second half, I would just go with SHA-512 and ignore the issue.)

Note that including salts is important for your wallet program. See here where I post a script for a wallet program (now fixed) where someone pointed out how big a security hole lack of salting is.
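The "first 256 bits on one machine, the rest on the other" idea in the post above has a catch worth seeing in code. The following is an added editorial example, not the poster's script and not RSA's implementation: it contrasts truncating a salted SHA-512 digest with splitting the same digest into two XOR shares. The salt, word list and injectable pad are constructed for the demo. An attacker who takes only the truncation server can still run an offline dictionary attack, because 256 bits of the digest identify the password just as well as all 512; an attacker who takes only one XOR share learns nothing, since every guess is consistent with it. The toy reassembles the digest at login to compare, which is precisely the step the RSA scheme quoted elsewhere in the thread is built to avoid; that protocol is not reproduced here.

```python
"""Splitting a digest by bit position vs. splitting it into random shares.

Constructed demo: a single compromised server holding the first 256 bits of a
salted SHA-512 digest still supports offline guessing, while one XOR share of
the same digest is indistinguishable from random. Salt and word list are made up.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

SALT = b"constructed-salt"  # assumption: a real system draws a random salt per user
WORDLIST = ["password", "letmein", "Mother", "hunter2", "correcthorse"]  # constructed guesses


def salted_digest(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.sha512(salt + password.encode()).digest()  # 64 bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def store_by_truncation(password: str, salt: bytes = SALT) -> Tuple[bytes, bytes]:
    """The thread's proposal: bytes 0-31 go to server A, bytes 32-63 to server B."""
    d = salted_digest(password, salt)
    return d[:32], d[32:]


def store_by_xor_share(password: str, salt: bytes = SALT,
                       pad: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """XOR (additive) secret sharing: server A gets a random pad, server B gets digest XOR pad.
    `pad` is injectable only so the demo is reproducible; production draws it fresh."""
    d = salted_digest(password, salt)
    pad = secrets.token_bytes(len(d)) if pad is None else pad
    return pad, xor(d, pad)


def offline_attack_on_truncated(server_a_copy: bytes, salt: bytes,
                                guesses: List[str]) -> Optional[str]:
    """Attacker holding only server A's half: 256 bits of the digest still pin down the password."""
    for g in guesses:
        if hmac.compare_digest(salted_digest(g, salt)[:32], server_a_copy):
            return g
    return None


def guesses_consistent_with_share(share_a: bytes, salt: bytes, guesses: List[str]) -> List[str]:
    """Attacker holding only server A's share: every guess stays consistent, because for any
    guess g there is a share B (digest(g) XOR share A) that would complete it."""
    consistent = []
    for g in guesses:
        implied_share_b = xor(salted_digest(g, salt), share_a)
        if xor(share_a, implied_share_b) == salted_digest(g, salt):  # holds for every g
            consistent.append(g)
    return consistent


def offline_attack_on_both_shares(share_a: bytes, share_b: bytes, salt: bytes,
                                  guesses: List[str]) -> Optional[str]:
    """Only with both servers' shares does the digest, and hence offline guessing, come back."""
    full = xor(share_a, share_b)
    for g in guesses:
        if hmac.compare_digest(salted_digest(g, salt), full):
            return g
    return None


def verify_login(candidate: str, shares: Tuple[bytes, bytes], salt: bytes = SALT) -> bool:
    """Reassembles the digest on the login server to compare. That reassembly is exactly the
    step the RSA scheme quoted in the thread avoids; this toy does not implement that protocol."""
    return hmac.compare_digest(salted_digest(candidate, salt), xor(*shares))


if __name__ == "__main__":
    a, _ = store_by_truncation("hunter2")
    print("truncated, server A only:", offline_attack_on_truncated(a, SALT, WORDLIST))
    sa, sb = store_by_xor_share("hunter2")
    print("share A only, consistent guesses:", guesses_consistent_with_share(sa, SALT, WORDLIST))
    print("both shares:", offline_attack_on_both_shares(sa, sb, SALT, WORDLIST))
    print("login:", verify_login("hunter2", (sa, sb)), verify_login("password", (sa, sb)))
```

The share scheme only moves the problem to the moment of reassembly, and both schemes still fall to a fast hash once the attacker has the whole digest, so the salt-plus-slow-KDF advice from earlier in the thread still applies to whatever is being split.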

My passwords are kept on a pull-out board in my desk. Try and hack that, jerk faces!
Ha! I told off the teacher to get access to your password. "Pencil"? You might as well use "password123".
 
My passwords require an Enigma machine to decode... Still waiting on my WTB Navajo/windtalker upgrade.
 
LastPass anyone? :)

Yes please. I used to use RoboForm, but ever since I bought version 6 for a lifetime fee and they decided to upgrade to version 7 and charge again for it, I left them. It's not my fault they didn't think about major revisions. They sold me a lifetime license and didn't honor it. I used to pirate their newer versions (I felt justified and still would if I used them), but I found LastPass and like them even more now.
 
I think he's saying his password is split into eight parts, where each part is individually stored on quantum computers with the highest qubit designation in random orders whose order can only be determined by the actual build date of the operating system, which by the way is an experimental build of Windows 12 that is installed and stored on such a magnificent computer that not even the US government has the balls of spending our tax dollars on because taxpayers may end up blaming World-President-but-settles-for-US President Obama or Wishes-to-be-US President-elect Romney for all the ills in this country that's happened since 1776, when the first country was formed by British ex-pats that didn't know that the US Constitution would apply to digital technology some 200 years later long before Zefran Cochran made his first Warp Drive flight in the Phoenix, and it is at that moment one realizes they're reading a very long sentence that makes no sense whatsoever like the comment by "The One", who seems to be self-proclaiming himself as the savior of mankind from comments that make no sense due to the fact his super secret password to Redtube that gives him unabridged access to the best videos is stored on non-existent computer systems that are only dreamed up by the minds of nerds going ga-ga for anything that has two tits and a brain and only says, "Yes, master, please me harder," a phrase that seems to resonate from every computer user on this forum that turn on their computer hoping it'd be that wondrous computer "The ONE" has his password stored on, so in other words...

... pure bullshit.

(NOTE: The preceding sentence is the encrypted version of my password to my accounts on Youtube, Gmail, Facebook, LinkedIn, the FBI's backend server, superuser access to MI:6, and [H]ardForum, plus a few other websites no one ever hears about like Imgur, Reddit and Allrecipes.com.

Good luck cracking my password!)

Almost got it.. still not 100% if it is password7 or password8. I get 3 tries correct?
 
From a crypto point of view this is an extremely bad idea if they split the password then hash each chunk.
I guess it's a good thing that's not what this system does, then.
RSA's new scheme works by breaking a password into many small pieces and storing half of those pieces—selected at random—in one place, and the rest in another. RSA calls the approach distributed credential protection. "If one location is attacked, the passwords are still safe," says Juels. "Where the magic comes in is the ability of the system to check passwords without reassembling them."
Good luck ordering the half-chunk (with gaps) of randomly selected pieces (post-encryption) into something you can crack.
 
I prefer 256-bit, 7-layered encryption with keys that are thrown away after each use.
 
Almost got it.. still not 100% if it is password7 or password8. I get 3 tries correct?

I sent the text to a superconducting quantum computer in the year 4568 via the wormhole in my ass, where it was able to crack it in a few cycles.

The PW is: 1L1k3B00b13s
 
I used to store them in a Notepad file called "passwords", but I changed its name to "notes" for maximum protection :D
 