
Thread: OT: password protection

  1. #1
    Join Date
    Sep 2006
    Location
    Southwestern Ontario, Canada
    Posts
    5,140

    Default OT: password protection

    I was watching a YouTube video about a guy explaining the current situation regarding how good or bad passwords are.

    Most people's are very bad!

    The criminal world hacks places like Facebook, banks or anywhere they can get large amounts of passwords; these are encrypted but mostly not well enough anymore. Then they run them through computers that are made to crack them. The one he was using was at a university, was a custom built machine, not for cracking passwords but other uni research. It was about the size of a desktop PC but 3 times higher and was composed of a base computer with 4 high end video cards in it that do the work. These cards have several thousand fairly simple processors in them that are optimized to do simple operations over and over like mining bitcoins or cracking and don't really cost that much to build. This particular one could brute force attack a list of encrypted 6 letter (which is or was the standard size) passwords at a rate of, wait for it, 40,000,000,000/sec. That is not a mistake, the right number of zeros is present. After that the cracking methods get more complex, so using things like caps and common symbols and mixing numbers don't work anymore; it does take longer to crack them but they do.

    His recommendation is to use 4 common "unrelated" words (like "cowbreadbeercoma", simpler to remember) with an underscore or symbol placed in one or more of the words ("cowbre_adbeerc&oma"), at least 10 characters long, 16 is much better. This complicates the crack so much that even these fast cracking machines have problems. How long this will work???? A password manager that creates random 16 letter hashes is the best right now so you only have to remember one password, but if you forget it or your 'puter goes up in smoke you're buggered.

    P.S. using one of the ALT-key letters not used on a regular keyboard will add another level of complexity, at least until they wise up to that one.

    Be happy, don't worry - cause it won't help, better off offline anyway.
    The shortest distance between two points is a circle of infinite diameter.

    Bluewater Model Engineering Society at https://sites.google.com/site/bluewatermes/

  2. #2
    Join Date
    Feb 2016
    Location
    Edmonton, Alberta, Canada
    Posts
    980

    Default

    Yeah, for the vast majority of sites, I use a password of random numbers/letters/symbols generated by 1password, that also stores and fills in passwords in my browsers and on my iPhone.

  3. #3
    Join Date
    Jan 2009
    Location
    WV
    Posts
    384

    Default

    I don't understand how they can crack the passwords at places like Facebook with brute force type attacks. After getting the password wrong a few times the password process is locked and the user is notified by the registered phone or email that someone tried to access their account.

  4. #4
    Join Date
    Feb 2016
    Location
    Edmonton, Alberta, Canada
    Posts
    980

    Default

    Quote Originally Posted by Ridgerunner View Post
    I don't understand how they can crack the passwords at places like Facebook with brute force type attacks. After getting the password wrong a few times the password process is locked and the user is notified by the registered phone or email that someone tried to access their account.
    They "crack" the password by:
    - hack Facebook or whoever, for the username/password database; passwords are "hashed" (a one-direction encryption method, so you can't go backwards to recover the original password from this value; there are/have been a variety of methods to hash these passwords)
    - they then run a password generation program through the same hashing algorithm, and compare the result with the hashed values they got from the website. If they match, you have the password

    Doing this to find the password for a single, specific person can take a lot of time, as it could be anything.
    But doing this against a whole bunch of users, depending on the hashing algorithm, you can quickly find the password for one or more of them.
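To make concrete why the bulk approach described in post #4 works against a fast, unsalted hash and what per-user salting plus an iterated key-derivation function changes, here is an added example that is not from any poster. The users, passwords, wordlist and iteration count are constructed; the hash-computation counter stands in for the "guesses per second" figure discussed above.

```python
import hashlib
import os

# Constructed sample data: a small user table and a short candidate wordlist.
USERS = {"alice": "password", "bob": "password",
         "carol": "letmein", "dave": "Tr0ub4dor&3"}
WORDLIST = ["password", "letmein", "qwerty", "cowbreadbeercoma"]
ITERS = 10_000  # constructed; real deployments use far more rounds

def weak_hash(pw):
    """Weak scheme: one fast, unsalted SHA-1 per password."""
    return hashlib.sha1(pw.encode()).hexdigest()

def strong_hash(pw, salt, iters=ITERS):
    """Stronger scheme: per-user random salt and an iterated KDF (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iters)

def build_tables(users):
    """Return (unsalted table, salted table) as a site might store them."""
    weak = {u: weak_hash(p) for u, p in users.items()}
    strong = {u: (s, strong_hash(p, s)) for u, p in users.items()
              for s in [os.urandom(16)]}
    return weak, strong

def recover_weak(table, wordlist):
    """Unsalted: hash each candidate ONCE and look it up against all users.
    Duplicate passwords share a hash, so one hit can unlock several accounts.
    Returns (user -> password, number of hash computations)."""
    by_hash = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for w in wordlist:
        work += 1
        for user in by_hash.get(weak_hash(w), []):
            found[user] = w
    return found, work

def recover_strong(table, wordlist, iters=ITERS):
    """Salted + iterated: every candidate must be recomputed for EVERY user,
    and each computation costs `iters` rounds instead of one."""
    found, work = {}, 0
    for user, (salt, h) in table.items():
        for w in wordlist:
            work += iters
            if strong_hash(w, salt, iters) == h:
                found[user] = w
                break
    return found, work
```

Run `build_tables(USERS)` and feed each table to its recovery function: the unsalted table costs one hash per wordlist entry no matter how many users it holds, while the salted table costs a full KDF run per candidate per user, which is the gap that 16-character passphrases and slow hashing are meant to widen.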

  5. #5
    Join Date
    Mar 2015
    Posts
    2,611

    Default

    In High School, we used keyboard grabbers. It recorded every single keystroke made on the computer, so it was easy to find usernames and passwords of everyone, including the admins. This was in the '90s, and on Macs. The keystrokes were recorded to a simple text file in a hidden folder.
    Later on, I had an internship with the IT department for the school system, and I kid you not, FIRST GRADERS were doing way worse things than we were in High School.

  6. #6
    Join Date
    Sep 2006
    Location
    Southwestern Ontario, Canada
    Posts
    5,140

    Default

    When I referred to the 40 Billion/sec I explained it wrong.

    A brute force attack is something like AAAAAA, AAAAAB, AAAAAC and so on. Each test of a password constitutes one operation and the computer can do 40 Billion operations like that per sec. Still a lot of passwords cracked. The more complex a password is, the more complex the coding it requires, with more complex rules to crack it, so the number of cracks/sec drops but is still significant, maybe a few thousand cracks/sec.

    Hope that is clear.

  7. #7
    Join Date
    Sep 2004
    Location
    Oregon Coast
    Posts
    1,437

    Default

    I've been getting emails on my spam separating program, stating that if I did not send them anywhere from 5 to 8 hundred dollars in bitcoin they would kill my computer. They say they have my password and list a password that I used maybe 15 years ago. My guess is they maybe got ahold of an old computer that I recycled and pulled the passwords off of it. Each email comes from a different country; by the way, I don't have to open these emails because I can look at them without opening them.
    I know that there are web pages and companies that make their money mining this kind of information and I try not to fall into their trap.
    _____________________________________________
    Mel Larsen
    I would rather have tools that I never use, than not have a tool I need.

  8. #8
    Join Date
    Jan 2013
    Location
    Michigan
    Posts
    1,545

    Default

    Oh. Right. Yeah. Sure sure. Billions upon billions of guesses, all for my hsm password. Someone is going to get rich on that.

    So when I start posting a bunch of stuff for sale, I apologize! But it is surely because some miscreants have cracked my password.

  9. #9
    Join Date
    Jan 2004
    Location
    Missouri
    Posts
    30,107

    Default

    They do not care whose password it is. If they CAN crack one, either by bouncing it off a hash list, or whatever, then they have a saleable "product". I don't know what they go for, but it probably depends on what it is to, what it gives access to.

    Maybe for a bank, they would rather have someone with serious assets in there than someone with only a little, because of the potential gain. But, the real deal there would be stealing, through phishing probably, a password for a bank employee with good access. Customers do not have access to more than their own stuff, unless the bank software is pretty bad.

    Keep eye on ball.
    Hashim Khan

  10. #10
    Join Date
    Aug 2016
    Location
    Appalachian Ohio
    Posts
    657

    Default

    Quote Originally Posted by Glug View Post
    Oh. Right. Yeah. Sure sure. Billions upon billions of guesses, all for my hsm password. Someone is going to get rich on that.

    So when I start posting a bunch of stuff for sale, I apologize! But it is surely because some miscreants have cracked my password.
    Nice to see that you are still well enough to post. Your original sales notices made it seem that you were not going to last too much longer. I just want to confirm that you will be home on Saturday when I come to pick up my new-to-me mill and lathe?
