Results 1 to 10 of 99

Thread: OT: password protection

Hybrid View

  1. #1
    Join Date
    Sep 2006
    Location
    Southwestern Ontario, Canada
    Posts
    5,140

    Default OT: password protection

    I was watching a You tube video about a guy explaining the current situation regarding how good or bad passwords are.

    Most people's are very bad!

    The criminal world hacks places like Facebook, banks or anywhere they can get large amounts of passwords, these are encrypted but mostly not well enough anymore. Then they run them through computers that are made to crack them. The one he was using was at a university, was a custom built machine, not for cracking passwords but other uni research. It was about the size of a desktop pc but 3 times higher and was composed of a base computer with 4 high end video cards in it that do the work. These cards have several thousands fairly simple processors in them that are optimized to do simple operations over and over like mining bit coins or cracking and don't really cost that much to build. This particular one could brute force attack a list of encrypted 6 letter (which is or was the standard size) passwords at a rate of, wait for it 40,000,000,000/sec. That is not a mistake, the right number of zeros are present. After that the cracking methods get more complex, so using things like caps and common symbol's and mixing numbers don't work anymore but it does take longer to crack them but they do.

    His recommendation is to use 4 common "unrelated" words (Like "cowbreadbeercoma" simpler to remember) with an underscore or symbol placed in one or more of the words ("cowbre_adbeerc&oma") at least 10 carters long, 16 is much better. this complicates the crack so much that even these fast cracking machines have problems. How long this will work???? A password manager that creates random 16 letter hashes is the best right now so you only have to remember one password but if you forget it or you 'puter goes up in smoke your buggered.

    P.S. using one of the AULT/KEY letters not used on a regular keyboard will add another level of complexity, at least until they wise up to that one.

    Be happy, don't worry - cause it won't help, better of offline anyway.
    The shortest distance between two points is a circle of infinite diameter.

    Bluewater Model Engineering Society at https://sites.google.com/site/bluewatermes/

  2. #2
    Join Date
    Feb 2016
    Location
    Edmonton, Alberta, Canada
    Posts
    980

    Default

    Yeah, for the vast majority of sites, I use a password of random numbers/letters/symbols generated by 1password, that also stores and fills in passwords in my browsers and on my iPhone.

  3. #3
    Join Date
    Jan 2009
    Location
    WV
    Posts
    384

    Default

    I don't understand how they can crack the passwords at places like Facebook with brute force type attacks. After getting the password wrong a few times the password process is locked and the user is notified by the registered phone or email that someone tried to access their account.

  4. #4
    Join Date
    Feb 2016
    Location
    Edmonton, Alberta, Canada
    Posts
    980

    Default

    Quote Originally Posted by Ridgerunner View Post
    I don't understand how they can crack the passwords at places like Facebook with brute force type attacks. After getting the password wrong a few times the password process is locked and the user is notified by the registered phone or email that someone tried to access their account.
    They "crack" the password by:
    -hack facebook or whoever, for the username/password database, passwords are "hashed" (a one-direction encryption method, so you can't go backwards to recover the original password from this value, there are/have been a variety of methods to hash these passwords)
    -they then run a password generation program through the same hashing algorithm, and compare the result with the hashed values they got from the website. If they match, you have the password

    Doing this to find the password for a single, specific person can take a lot of time, as it could be anything.
    But doing this against a whole bunch of users, depending on the hashing algorithm, you can quickly find the password for one or more of them.

  5. #5
    Join Date
    Mar 2015
    Posts
    2,604

    Default

    In High School, we used keyboard grabbers. It recorded every single keystroke made on the computer, so it was easy to find usernames and passwords to everyone, including the admins. This was in the 90's, and on Mac's. The keystrokes were recorded to a simple text file in a hidden folder.
    Later on, I had an internship with the IT department for the school system, and I kid you not, FIRST GRADERS were doing way worse things than we were in High School.

  6. #6
    Join Date
    Sep 2006
    Location
    Southwestern Ontario, Canada
    Posts
    5,140

    Default

    When I referred to the 40 Billion/sec I explained it wrong.

    A brute force attack is something like AAAAAA, AAAAAB, AAAAAC and so on. Each test of a password constitutes one operation and the computer can do 40 Billion operations like that per sec. Still a lot of passwords cracked. The more complex a password is requires a more complex coding, with more complex rules to crack them, so the number of cracks/sec drops but still significant, maybe a few thousand cracks/sec.

    Hope that is clear.
    The shortest distance between two points is a circle of infinite diameter.

    Bluewater Model Engineering Society at https://sites.google.com/site/bluewatermes/

  7. #7
    Join Date
    Jan 2009
    Location
    WV
    Posts
    384

    Default

    Quote Originally Posted by dave_r View Post
    They "crack" the password by:
    -hack facebook or whoever, for the username/password database, passwords are "hashed" (a one-direction encryption method, so you can't go backwards to recover the original password from this value, there are/have been a variety of methods to hash these passwords)
    -they then run a password generation program through the same hashing algorithm, and compare the result with the hashed values they got from the website. If they match, you have the password

    Doing this to find the password for a single, specific person can take a lot of time, as it could be anything.
    But doing this against a whole bunch of users, depending on the hashing algorithm, you can quickly find the password for one or more of them.
    Thank you.

    What, ah "someone" did in college was write a program to duplicate the universities login screen. The "person" would login with their username and password and leave this program running on one of the terminals. When another student or staff (hopefully with higher level access) would sit at the terminal and log in, the username and password were saved to a file. It was not a keylogger. The program would then report a login error that would loop repeatably no matter what key was pressed to tell the student to reboot and by doing so would kill the program and bring up the schools correct login screen.

  8. #8
    Join Date
    Mar 2012
    Posts
    139

    Default

    I also knew "someone" who did a similar thing. It was 1974, so there were no criminal penalties yet. The timesharing system(remember those?) used a "preprocessor" computer to manage connections to the mainframe. The un-named person wrote a program on the preprocessor that was a duplicate of the login screen that intercepted the login request. It captured the user ID and password, popped up the "incorrect password" screen, and when that was acknowledged, it dropped the user into the legitimate login screen. It ran for a while and collected hundreds of password/UID pairs, until the person got nervous and deleted everything. I don't think the administration ever knew.

  9. #9
    Join Date
    Aug 2018
    Location
    Tai Tokerau - NZ
    Posts
    143

    Default

    Quote Originally Posted by J Tiers View Post

    Only problem is that it fails entirely if you do not get to use a QWERTY keyboard to enter the password. But that may be avoidable.
    I touch type dvorak. Unfortunately my phone has only qwerty.(Bluetooth keyboard to phone is dvorak), Once you bounce between one and the other a couple of times it's fairly obfuscated.

    As the thing I linked earlier. Computers "think" differently to people. going "one up" is arbitrary and "people-think" It's not even a consideration for a computer.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •