
Thread: OT: password protection

  1. #31 (Join Date: Dec 2016; Location: Helsinki, Finland, Europe; Posts: 2,794)

    Quote Originally Posted by J Tiers:

    Use the SAME passwords..... Why bother to remember a few dozen?

    Low security..... the lowest common denominator.... use that password for any ordinary needs. like this forum, etc.

    Intermediate..... use this for other sites, mail etc.

    High security.... individual ones, but ones you can remember, phrases if possible, referencing something about the site for easy recall.

    Of course, there are many sites that FORCE a 6 character password with letters only, or letters and numbers.... Those fools you have to just humor and use what they demand.... Use the first 6 of the low security password, they don't matter anyway.

    With luck, you will only need to remember a half dozen or less.
    This is what I also use.
    "sh1ttypassword" for everything low priority.

  2. #32 (Join Date: Aug 2018; Location: Tai Tokerau - NZ; Posts: 143)

    Quote Originally Posted by J Tiers:

    Only problem is that it fails entirely if you do not get to use a QWERTY keyboard to enter the password. But that may be avoidable.
    I touch type dvorak. Unfortunately my phone has only qwerty (Bluetooth keyboard to phone is dvorak). Once you bounce between one and the other a couple of times it's fairly obfuscated.

    As in the thing I linked earlier: computers "think" differently to people. Going "one up" is arbitrary and "people-think"; it's not even a consideration for a computer.

  3. #33 (Join Date: Jan 2004; Location: Missouri; Posts: 30,101)

    Quote Originally Posted by fjk:
    If one person has figured out a “system” for passwords (such as commingling two words or using keys with certain relationships to the letters of a word) then another person can also figure it out.
    And that second person can be a bad actor.
    GPUs (the system referred to in the original post) and cloud computing services give the bad actors unprecedented amounts of cheap computing power.
    It is then easy to use such guessed passwords as patterns to try to break an encrypted password.

    Frank
    The number of personally targeted hacks is tiny. Most are phishing, or larger steals. Personal ones are more work and need a large potential gain. Which is rare.

    The easy word with shift to other keys keeps password cops happy, but makes your recall easy, and foils word guesses also.
    1601

    Keep eye on ball.
    Hashim Khan

  4. #34 (Join Date: Oct 2009; Posts: 550)

    a little assistance for those who don't quite get it:

    you hack the password file, as noted above

    you get the code which turns the password into gobbledegook

    you throw every variation you can think of at it, and record them all

    if anyone anywhere ever used "abc123" as a password, you have that hashed password in your list.

    you don't have to crack individual passwords. you just have to compare what you find in the password list files with the billion or so already cracked passwords. if anyone anywhere ever used it, it's already cracked. no skill, no programming, just compare lists

    writing down passwords - no. use the serial number of something in your office. it's written, but not by you, not in your handwriting, and not where you sit.

  5. #35 (Join Date: Sep 2006; Location: Southwestern Ontario, Canada; Posts: 5,140)

    Quote Originally Posted by loose nut:
    Take several words and then use the keyboard keys above them to scramble them. Throw in a couple of extras just to mix things up.

    Black blue red green -plain text password

    Goqdig_o7343et"433h -confused password.
    Use an Alt code like (hold down alt key + #) 5 and you get a ♣ that will add some complexity to a well secured 10+ digit password.
    Last edited by loose nut; 01-09-2019 at 11:40 AM.
    The shortest distance between two points is a circle of infinite diameter.

    Bluewater Model Engineering Society at https://sites.google.com/site/bluewatermes/

  6. #36 (Join Date: Nov 2008; Location: SF East Bay; Posts: 6,183)

    AD5MB has it correct. The hackers get the list of encrypted passwords from a place like Facebook via subterfuge, intrusion or other means. That file has the user name and password and not much else that is useful. Then they use another group of computers that run a program that will compare those encryptions to previously cracked passwords. This process uses very little processing power and can identify the previously broken passwords in a million user password file in a matter of minutes. And they can spend as long as they want doing it.

    What the hackers love to find is people who, like JTiers, who use the same password on many systems. This is not valuable in and of itself, but many systems have flaws that can only be exploited once you get logged into the system. Once they have a single user/password combination their automated attack systems can use it on every mail system, every bank and every financial institution in a matter of minutes. If it works, they have a choice of harvesting your information, emptying your accounts or leveraging the access to try to exploit the flaws in that system.

    Someone mentioned that brute force login attempts do not work. Unfortunately, it is hard to prevent brute force attacks if you run a public service. I had to write special code and rules to detect and block attempts that were spread out over hours using different usernames and passwords as well as dozens of attack computers. Once I knew what to look for, it was obviously a botnet looking for systems that it could corrupt using previously cracked username+password combinations.

    What pattern did I see? What gave them away? At about 5 minute intervals each system would try 3 different usernames in alphabetical order. Each attack system had a portion of the cracked list. They would try each name just once and disconnect after each attempt. This avoids triggering most alert programs. They were doing more than 500 attempts per hour, and it had been going on for weeks before I noticed it. Now the originating system is blocked for a day after 3 failed attempts in succession using different usernames. That's not perfect, but I only have a small number of users that should reach that system. I can't imagine how I would do that on Facebook without risking a DOS (denial of service) attack.

    Dan
    There is a profound difference between spare parts and extra parts.
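The detection rule Dan describes in post #36 (block a source for a day after three failed attempts in succession with different usernames), contrasted with the kind of "too many failures too fast" rule that the one-name-per-connection, five-minutes-apart pattern is designed to slip past. This is an added example written for this page, not code from the thread or from Dan's system; the log format, addresses and usernames are constructed for illustration.

```python
"""Detection logic for the pattern danlb describes: each attacking host tries a
few different usernames, one connection per attempt, spread out over time, so a
rule that only counts rapid bursts of failures never fires.  Compared here are a
naive burst rule and his rule (block the source for a day after three failed
attempts in succession with different usernames).

Added example, not code from the thread.  The log format, addresses and
usernames are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <ok|fail>".
# 203.0.113.5 walks an alphabetical username list one name every five minutes;
# 198.51.100.7 is a real user mistyping their own password three times.
SAMPLE_LOG = """\
2019-01-09T10:00:00 203.0.113.5 aaron fail
2019-01-09T10:01:00 198.51.100.7 dan fail
2019-01-09T10:01:20 198.51.100.7 dan fail
2019-01-09T10:01:40 198.51.100.7 dan fail
2019-01-09T10:02:00 198.51.100.7 dan ok
2019-01-09T10:05:00 203.0.113.5 abby fail
2019-01-09T10:10:00 203.0.113.5 adam fail
2019-01-09T10:15:00 203.0.113.5 alan fail
2019-01-09T10:20:00 192.0.2.9 bob ok
"""


def parse_log(text):
    """Return (timestamp, source, username, succeeded) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "ok"))
    return sorted(events)


def naive_burst_rule(text, max_failures=3, window=timedelta(seconds=60)):
    """Typical 'too many failures too fast' rule: flag a source with
    `max_failures` failed attempts inside `window`.  It misses the spread-out
    attacker and flags the legitimate user who fumbles their own password."""
    failures = defaultdict(list)
    flagged = set()
    for ts, src, user, ok in parse_log(text):
        if ok:
            continue
        failures[src].append(ts)
        recent = [t for t in failures[src] if ts - t <= window]
        if len(recent) >= max_failures:
            flagged.add(src)
    return flagged


def streak_rule(text, distinct_users=3, block_for=timedelta(days=1)):
    """danlb's rule: after `distinct_users` consecutive failures from one source
    using different usernames, block that source for `block_for`.  A success
    clears the streak; repeating the same username does not add to it.
    Returns ({source: block_expiry}, [attempts refused while blocked])."""
    streak = defaultdict(list)
    blocked = {}
    refused = []
    for ts, src, user, ok in parse_log(text):
        if src in blocked and ts < blocked[src]:
            refused.append((ts, src, user))
            continue
        if ok:
            streak[src] = []
            continue
        streak[src].append(user)
        if len(set(streak[src])) >= distinct_users:
            blocked[src] = ts + block_for
            streak[src] = []
    return blocked, refused


if __name__ == "__main__":
    print("burst rule flags:", naive_burst_rule(SAMPLE_LOG))
    blocks, refused = streak_rule(SAMPLE_LOG)
    print("streak rule blocks:", blocks)
    print("refused while blocked:", refused)
```

On the sample log the burst rule flags only the legitimate user (three failures inside a minute) and never sees the host walking the username list, while the streak rule blocks that host at its third distinct username and refuses the fourth attempt. The trade-off Dan mentions for a large public site still applies: anyone who can make requests appear to come from a victim's address can trip the block on their behalf.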

  7. #37 (Join Date: Dec 2004; Location: East Coast, USA; Posts: 7,466)

    Quote Originally Posted by danlb:
    AD5MB has it correct. The hackers get the list of encrypted passwords from a place like Facebook via subterfuge, intrusion or other means. That file has the user name and password and not much else that is useful. Then they use another group of computers that run a program that will compare those encryptions to previously cracked passwords. This process uses very little processing power and can identify the previously broken passwords in a million user password file in a matter of minutes. And they can spend as long as they want doing it.
    Every system/domain encrypts their passwords with a different private key so it's always a brute force and highly compute intensive process to crack just a single password. Any previous data from another system is irrelevant.
    Work hard play hard

  8. #38 (Join Date: Jan 2004; Location: Missouri; Posts: 30,101)

    Quote Originally Posted by danlb:
    ....

    What the hackers love to find is people who, like JTiers, who use the same password on many systems. ...
    Dan
    It's small joy they will get from me.

    The important passwords are individual. And never re-used. Just as I said originally.

    But I see no need to provide and remember elaborate passwords for junk uses like this site. If someone really wants to spend the effort to be able to post messages as if they were me, there is a remedy for that, but I hardly think anyone would bother.

    Then also, a person would have to know, or discover, what passwords were used on which systems..... There are many systems requiring passwords, I use few of them, and those few that might have the same password are not worth the electrons to hack.

    But, by all means use me as a bad example if it pleasures you......
    Last edited by J Tiers; 01-09-2019 at 06:45 PM.
    1601

    Keep eye on ball.
    Hashim Khan

  9. #39 (Join Date: Nov 2008; Location: SF East Bay; Posts: 6,183)

    Quote Originally Posted by 3 Phase Lightbulb:
    Every system/domain encrypts their passwords with a different private key so it's always a brute force and highly compute intensive process to crack just a single password. Any previous data from another system is irrelevant.
    It's been a few years since I last qualified as a CCSP (Certified Computer Security Professional.) Things may have changed.

    For those in the computer field: At that time the vast majority of the password systems used by web servers were a one-way hash based on known algorithms. The seed was generally available for each hashed password so that you could compare the stored hash with the generated hash.

    For everyone else: Instead of storing passwords in plain text, it's common to store the result of encrypting the password. When you log in, the system then uses the same encryption method on the password you type and compares the result of that encryption with what was stored.

    A vastly oversimplified example using just numbers follows.

    Your password is 1234. The system does the following: multiply it by 1234567 to get 1523455678. Then throw away everything more than 6 digits. It stores 455678 as your hash. Each time you log in it does the same calculation and compares it. If the hash does not match what is in the file, you are not allowed in. Note that since most of the number is not stored, you can't use the file's copy of the hash to determine what the original number was.

    The real calculations are much more complicated and are designed to make it time consuming. On some of my earlier Unix systems it took a full second or more to perform those calculations. By 1985 I had an Atari ST that could do 2000 password hashes per second. That made it possible to decode a password in a Unix password file in less than a month. This was significant since the password file was open to everyone in the system in the early 1980s. Modern systems can brute force a short encrypted bit of data in very little time if they have a way to validate it. That's where the one way hash breaks down. If you have the hash and the algorithm you can just keep trying different passwords till one matches one of the hashes in the file.

    TLDR: Many (or most) systems are using one-way hashes to store passwords and they are keeping THOSE hashes as secret as they could be. When the bad guys get a copy of those hashes they are easy to decode through clever guesswork and lots of computing power.
    There is a profound difference between spare parts and extra parts.
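The storage scheme Dan explains in post #39, worked through in code: first his toy multiply-and-truncate hash with the numbers from the post, then the same idea with a real iterated hash plus a per-user salt (the "seed" he mentions), which is what decides whether the "compare against already cracked hashes" step from posts #34 and #36 works across two sites, the point disputed in post #37. This is an added example written for this page, not code from the thread; the user lists, salts and the small "previously leaked" list are constructed for illustration.

```python
"""The storage scheme danlb explains in post #39: a one-way function of the
password is stored, and a login attempt is hashed the same way and compared.
Shown first with his toy multiply-and-truncate hash, then with a real
password hash plus a per-user salt (his "seed"), which is what makes the
stored values from two sites impossible to line up even when the user reused
the password (the point argued in posts #34, #36 and #37).

Added example, not code from the thread.  The user lists, the salts and the
small 'previously leaked' list are constructed for illustration."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # deliberately slow, for the reason danlb gives


def toy_hash(password_number):
    """danlb's example: multiply by 1234567 and keep only the last six digits."""
    return (password_number * 1234567) % 1_000_000


def toy_verify(stored, attempt):
    """Login check: hash the attempt the same way and compare.  Because digits
    were thrown away, many different inputs map to the same stored value, and
    none of them can be read back from it."""
    return toy_hash(attempt) == stored


def hash_password(password, salt):
    """Salted, iterated one-way hash.  An empty salt reproduces the unsalted
    case danlb describes for the early web servers."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def build_password_file(users, salted):
    """Simulate what a site stores: {username: (salt_hex, hash_hex)}."""
    records = {}
    for user, password in users.items():
        salt = os.urandom(16) if salted else b""
        records[user] = (salt.hex(), hash_password(password, salt))
    return records


def verify_login(records, user, attempt):
    salt_hex, stored = records[user]
    candidate = hash_password(attempt, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def matching_stored_values(site_a, site_b):
    """How many stored hash values two leaked password files have in common.
    Unsalted: every reused password lines up.  Salted: nothing lines up, so a
    'compare against already-cracked hashes' pass gets no free answers."""
    return len({h for _, h in site_a.values()} & {h for _, h in site_b.values()})


# Constructed stand-in for a list of passwords seen in earlier breaches.  A
# site can refuse these at registration time without storing them in clear.
LEAKED_PASSWORD_HASHES = {hashlib.sha256(p.encode()).hexdigest()
                          for p in ("abc123", "password", "123456")}


def is_previously_leaked(password):
    return hashlib.sha256(password.encode()).hexdigest() in LEAKED_PASSWORD_HASHES


# The same person reusing "abc123" on two different sites (constructed).
SITE_A_USERS = {"alice": "abc123", "bob": "fifteen sparrows"}
SITE_B_USERS = {"alice": "abc123", "carol": "other pass phrase"}

if __name__ == "__main__":
    print(toy_hash(1234))  # 455678, as in the post
    a, b = build_password_file(SITE_A_USERS, False), build_password_file(SITE_B_USERS, False)
    print("unsalted values in common:", matching_stored_values(a, b))
    a, b = build_password_file(SITE_A_USERS, True), build_password_file(SITE_B_USERS, True)
    print("salted values in common:", matching_stored_values(a, b))
    print("alice logs in:", verify_login(a, "alice", "abc123"))
```

Two things the toy numbers show directly: 1234 hashes to 455678 exactly as the post says, and 1001234 hashes to the same value, so the stored number identifies a whole family of inputs rather than one password. The salted run shows the limit of the "compare lists" step: with a different random salt per record, two sites' files share no stored values even though alice reused her password, so each record has to be guessed separately and slowly. What salting does not change is the thread's main point, a password recovered from one site still opens every other site where it was reused, which is why the leaked-password check at registration and per-site passwords are the controls that actually matter.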

  10. #40 (Join Date: Nov 2008; Location: SF East Bay; Posts: 6,183)

    Quote Originally Posted by J Tiers:

    Then also, a person would have to know, or discover, what passwords were used on which systems..... There are many systems requiring passwords, I use few of them, and those few that might have the same password are not worth the electrons to hack.
    Post #36, second paragraph explains in easy to understand terms why they don't need to know what passwords are used on which systems. Once discovered, your password will be tested against thousands of other web sites and applications on the off chance that it might work. Consultants are often phished since they tend to have login credentials for corporate systems, and are often lazy enough to use the same one for most of them.

    When possible, don't use the same password for a large number of systems. It's just a bad thing to do if you are at all concerned with security.

    Dan
    There is a profound difference between spare parts and extra parts.
