
Thread: OT: password protection

  1. #11
    Join Date
    Feb 2016
    Location
    Edmonton, Alberta, Canada
    Posts
    980


    Quote Originally Posted by Glug View Post
    Oh. Right. Yeah. Sure sure. Billions upon billions of guesses, all for my hsm password. Someone is going to get rich on that.

    So when I start posting a bunch of stuff for sale, I apologize! But it is surely because some miscreants have cracked my password.
    It may be no big deal to you if, say, someone gets the hsm password database and figures out your password, but for them it can be quite valuable. Not necessarily yours, but there's a reasonable likelihood that at least one person here also uses the same email/user name/password on a banking or investment site, and that's an easy thing to automatically check without throwing up any security flags. And suddenly someone has a very bad day.

  2. #12
    Join Date
    Nov 2007
    Location
    Woodinville, WA
    Posts
    9,166


    To solve a lot of the problem with high-value logins (this site is not one of these), simply use 2-factor authentication. One sent by text is common...

  3. #13
    Join Date
    Feb 2016
    Location
    Edmonton, Alberta, Canada
    Posts
    980


    Texting is remarkably insecure, both for sending and receiving. If you have enough money to make it worthwhile, they will do things like clone your phone and intercept the verification text message (been done already).

    It is incredibly difficult to be certain that a specific person is on the other end of an internet connection. And right now banks/investment houses treat the situation as "Well, we're pretty sure it was you, and if it wasn't, it's your fault."

  4. #14
    Join Date
    Jun 2012
    Location
    San Diego, Ca *** Please let us know where you are from too.
    Posts
    1,704


    Maybe hacking into a web site to steal or alter data is easier, but I'm pretty sure that it's not a simple thing to do to a bank or large company with an IT department. Sure, you can show me where it's been done, but it's not like "well, the first thing is just to hack in and get their password database"... easy peasy, nope, not.

    Also, I believe you'll find large-bit data encryption harder than most think to crack.

    If anybody wants to read a cool story, look up PGP (pretty good privacy) a kick ass story.
    John Titor, when are you.

  5. #15
    Join Date
    Feb 2016
    Location
    Edmonton, Alberta, Canada
    Posts
    980


    Sure, banks' IT departments are now a lot more on the ball, but other websites aren't.

    If you follow the news, or even read your email, you likely have seen reports of data breaches where the password information was accessed, or even received a message from a website that you should change your password because the site was compromised.

    And there are some people who still use the same password for multiple things, like web sites, email, banking login, etc.

    This stuff doesn't have to work 100%, just every once in a while, and you can make a LOT of money, and depending on where you live, you can face very little risk.

    And the cost and amount of effort needed to do this is going down (CPUs/GPUs continually get cheaper for the same power, or more powerful for the same cost; cloning/hacking cell phones is also cheaper). Heck, for most of the operations of doing this, you can hire people to do it.

    Security questions used to be mother's maiden name; now you pick your own, but how many people wind up choosing questions that can be figured out from looking through their Facebook page...

    But, good news, the gov't wants to force manufacturers to have a backdoor into your phone, and all your communications. No chance that goes wrong.

  6. #16
    Join Date
    Aug 2018
    Location
    Tai Tokerau - NZ
    Posts
    130


    https://xkcd.com/936/

    This topic has been covered here and elsewhere by people smarter than me, so I don't have much to add.
    *People* are more likely to be hacked than systems. If I know your dog's name and wife's birthday, I'm halfway to most people's savings account.

    Quote Originally Posted by dave_r View Post
    ...

    But, good news, the gov't wants to force manufacturers to have a backdoor into your phone, and all your communications. No chance that goes wrong.
    Heard of this little company called Intel?

  7. #17
    Join Date
    Jun 2004
    Posts
    1,010


    I use a different password for each site. All my passwords are a minimum of 15 characters with a mix of upper, lower, numeral and non-alphanumeric characters and no common words at all. I can remember most of them but keep an aide-mémoire in a text file on my phone; the text file is of no use on its own, so someone compromising my phone would still have nothing of great use.
    If you benefit from the Dunning-Kruger Effect you may not even know it ;-)

  8. #18
    Join Date
    Jan 2009
    Location
    WV
    Posts
    384


    Quote Originally Posted by dave_r View Post
    They "crack" the password by:
    - hacking Facebook or whoever for the username/password database. Passwords are "hashed" (a one-direction encryption method, so you can't go backwards to recover the original password from this value; there are/have been a variety of methods to hash these passwords).
    - they then run a password generation program through the same hashing algorithm and compare the result with the hashed values they got from the website. If they match, you have the password.

    Doing this to find the password for a single, specific person can take a lot of time, as it could be anything.
    But doing this against a whole bunch of users, depending on the hashing algorithm, you can quickly find the password for one or more of them.
    Thank you.

    What, ah, "someone" did in college was write a program to duplicate the university's login screen. The "person" would log in with their username and password and leave this program running on one of the terminals. When another student or staff member (hopefully with higher-level access) would sit at the terminal and log in, the username and password were saved to a file. It was not a keylogger. The program would then report a login error that would loop repeatedly no matter what key was pressed, to tell the student to reboot, and by doing so would kill the program and bring up the school's correct login screen.
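    The offline cracking procedure quoted above (steal the hash database, run generated guesses through the same hash, compare), as an added example that is not part of the original thread and not anyone's posted code. All accounts, passwords, salts and the "second site" are constructed for the example; the wordlist and mangling rules are a tiny stand-in for what real cracking tools do. It shows the point dave_r makes about attacking a whole user table at once: with unsalted SHA-1 one hash per guess is checked against every user, while per-user salts force one hash per guess per user. A third function shows the reuse check from earlier in the thread, testing cracked passwords against another site's hash dump.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Tuple


def sha1_hex(data: str) -> str:
    """Unsalted SHA-1 as hex; fast hashes like this are what make bulk cracking cheap."""
    return hashlib.sha1(data.encode()).hexdigest()


# Constructed example accounts (not real users, not real leaked data).
SAMPLE_ACCOUNTS = {
    "alice": "sunshine",
    "bob": "Password1",
    "carol": "letmein!",
    "dave": "x7#Qv9!pLm2@rT4w",  # long, random, unique: should survive a wordlist attack
}

# The same accounts as two kinds of breached database: unsalted, and per-user salted.
LEAKED_UNSALTED: Dict[str, str] = {u: sha1_hex(p) for u, p in SAMPLE_ACCOUNTS.items()}

SALTS = {u: os.urandom(8).hex() for u in SAMPLE_ACCOUNTS}
LEAKED_SALTED: Dict[str, Tuple[str, str]] = {
    u: (SALTS[u], sha1_hex(SALTS[u] + p)) for u, p in SAMPLE_ACCOUNTS.items()
}

# A constructed dump from a different site where bob reused his password.
SECOND_SITE: Dict[str, str] = {
    "bob": sha1_hex("Password1"),
    "carol": sha1_hex("Carol2020!"),
    "erin": sha1_hex("dragon"),
}

# Toy wordlist; real attacks use hundreds of millions of leaked passwords.
WORDLIST = ["password", "sunshine", "letmein", "qwerty", "dragon"]


def candidates(words: Iterable[str]) -> Iterable[str]:
    """Yield guesses: each word, capitalised, and leetspeak, each with '!' or a digit appended.
    Rules may repeat a guess (a word without 'a'/'o' is unchanged by leetspeak); that is left in."""
    for w in words:
        for base in (w, w.capitalize(), w.replace("a", "@").replace("o", "0")):
            yield base
            yield base + "!"
            for digit in "0123456789":
                yield base + digit


def crack_unsalted(leak: Dict[str, str], words: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Index the leak by hash, then hash each guess ONCE and look it up against all users."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in leak.items():
        by_hash.setdefault(h, []).append(user)
    found: Dict[str, str] = {}
    hash_ops = 0
    for guess in candidates(words):
        hash_ops += 1
        for user in by_hash.get(sha1_hex(guess), []):
            found[user] = guess
    return found, hash_ops


def crack_salted(leak: Dict[str, Tuple[str, str]], words: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts the lookup trick fails: every guess must be hashed per user."""
    found: Dict[str, str] = {}
    hash_ops = 0
    for user, (salt, h) in leak.items():
        for guess in candidates(words):
            hash_ops += 1
            if sha1_hex(salt + guess) == h:
                found[user] = guess
    return found, hash_ops


def reuse_hits(cracked: Dict[str, str], other_site: Dict[str, str]) -> List[str]:
    """Users whose cracked password also matches their hash in another site's dump."""
    return sorted(u for u, pw in cracked.items() if other_site.get(u) == sha1_hex(pw))


if __name__ == "__main__":
    found, ops = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print("unsalted:", found, "hash ops:", ops)
    found_s, ops_s = crack_salted(LEAKED_SALTED, WORDLIST)
    print("salted:  ", found_s, "hash ops:", ops_s)
    print("reused elsewhere:", reuse_hits(found, SECOND_SITE))
```

    Three of the four constructed accounts fall to 180 guesses, and the salted store costs exactly one hash per guess per user (four times more here, millions of times more on a real dump). Salt alone only removes the shared lookup; the other half of the defence is a deliberately slow, memory-hard password hash (bcrypt, scrypt or Argon2) so that each of those hash operations costs the attacker far more than one SHA-1.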

  9. #19
    Join Date
    Mar 2012
    Posts
    139


    I also knew "someone" who did a similar thing. It was 1974, so there were no criminal penalties yet. The timesharing system (remember those?) used a "preprocessor" computer to manage connections to the mainframe. The unnamed person wrote a program on the preprocessor that was a duplicate of the login screen and intercepted the login request. It captured the user ID and password, popped up the "incorrect password" screen, and when that was acknowledged, it dropped the user into the legitimate login screen. It ran for a while and collected hundreds of password/UID pairs, until the person got nervous and deleted everything. I don't think the administration ever knew.

  10. #20
    Join Date
    Dec 2009
    Location
    Stevens Point, WI
    Posts
    7,606


    Passwords suck. It sucks to try and remember them; each site asks for a different combination of letters and numbers and whatnot, so you can never remember the combo, and every time you have to do the "forgot password" spiel. Then repeat.

    It's like locking the doors to your house. A hassle for you all the time, but it won't stop anyone who wants in.
    Andy
