Passwords 101

NudeInMA | Ultra Nudist [4976] | 3 years ago | #1
Male | Berkshires, Massachusetts United States | 71

Nudism is the Great Equalizer. It is impossible to put on airs when one is nude. -- NudeInMA

Passwords 101

From an email received this morning comes a sobering bit of information about computer security (or the lack of it).

According to a report, most users still haven't answered the call by security experts to implement more robust passwords. In fact, in a list of the most easy to hack passwords, simply typing '123456' took a truly forgettable top prize.

Security firm Imperva recently released its list of the passwords most likely to be hacked based on 32 million instances of successful hacking. Imperva named their report "Consumer Password Worst Practices," and some of the entries near the top are truly simple and could lead to theft or identity fraud.


The top 10 bonehead passwords listed in the email:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

It's safe to say that the clueless users who rely on those for security are begging to be compromised or worse.

What not to use as passwords, aside from those gems above:

* One's birthdate or anniversary date
* Names of family members
* Birthdates of family members
* Names of pets
* Movie or popular song titles
* Names of actors/actresses or other famous people

In short, if you use such things as passwords, you make the job of the bad guys much easier.

The recommended approach is random characters, e.g., upper- and lower-case letters and digits, and punctuation if the system allows it. Even if one is restricted to alphanumeric characters, here's the math.

Using just upper/lower case letters and digits 0 to 9, there are 62 possible characters for each position in the password. Here are the number of combinations for passcodes from 5 to 10 characters.

5 -- 916,132,832
6 -- 56,800,235,584
7 -- 3,521,614,606,208
8 -- 218,340,105,584,896
9 -- 13,537,086,546,263,552
10 -- 839,299,365,868,340,224

How long would it require for a badass to be absolutely certain of getting the correct ten-character random code based on the above approach?

A solar year is 31,556,926 seconds. If the person has a computer generating 1 million combinations per second, guaranteeing the correct combination of a 10-character PW would require up to 26,596 years. No one reading this has anything so interesting or crucial that anyone would spend a month trying to crack such a code, let alone 26,596 years. And of course attempting to break it online would take far longer, because no Web connection would handle a million attempts per second.

"AuntMartha" is a piss-poor password. "Xa93dg41Pz" is guaranteed to defeat the most dedicated cracker.
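
An added example, not from the original post, that reproduces the keyspace and cracking-time arithmetic above in Python and also works out the guess rate an attacker would need for the "8 random characters in 8 minutes" kind of claim raised later in the thread; the 1 billion/s GPU rate is an assumption taken from post #5.

```python
import string

ALPHABET_62 = string.ascii_letters + string.digits   # 26 + 26 + 10 = 62 symbols
SOLAR_YEAR_SECONDS = 31_556_926                       # the figure post #1 uses

# Assumed guess rates: post #1 assumes 1 million guesses/s; post #5 says GPUs
# work in the billions/s, so 1 billion/s is used as a round illustrative value.
GUESS_RATES = {"1 million/s (post #1)": 1e6, "1 billion/s (GPU, post #5)": 1e9}


def keyspace(length, alphabet_size=len(ALPHABET_62)):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(length, guesses_per_second, alphabet_size=len(ALPHABET_62)):
    """Worst case: years needed to try every password of this length.
    On average the right one turns up after half that many guesses."""
    return keyspace(length, alphabet_size) / guesses_per_second / SOLAR_YEAR_SECONDS


def rate_needed(length, seconds, alphabet_size=len(ALPHABET_62)):
    """Guesses/s an attacker needs to exhaust the space within `seconds`."""
    return keyspace(length, alphabet_size) / seconds


if __name__ == "__main__":
    for n in range(5, 11):
        print(f"{n:2d} chars: {keyspace(n):>24,d} combinations")
        for label, rate in GUESS_RATES.items():
            print(f"            {years_to_exhaust(n, rate):>16,.3f} years at {label}")
    # Post #3's "8 random characters in 8 minutes" claim, checked the way post #4 does:
    # the required rate depends entirely on the alphabet the 8 characters come from.
    print(f"62-char alphabet: needs {rate_needed(8, 8 * 60):.2e} guesses/s")
    print(f"digits only:      needs {rate_needed(8, 8 * 60, 10):.2e} guesses/s")
```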

ManOfWicklow | Ultra Nudist [12077] | 3 years ago | #2
Male | Nr Tamworth, But Originally From Leicester, Leicestershire United Kingdom | 63

A lie has speed, but truth has endurance.

RE: Passwords 101

What really annoys me is, when entering my password to whatever I'm trying to log in to, it will say "incorrect username or password". Knowing I have the right name and password, I think, "Ah yes, typed too quickly and hit a wrong key." Start again to no avail, and only then do I remember changing the p/w, but what is my new one? I did it in a hurry and had not written it down.

Never set a new password unless totally sober!

natureboy1776 | Undies Only [168] | 3 years ago | #3
Male | N/e, Massachusetts United States | 38

RE: Passwords 101

I just read of a new free program that uses a high-end GPU to crack any 8 character random password in 8 minutes. I will try to find the link tonight. Always use at least 10 random characters.

NudeInMA | Ultra Nudist [4976] | 3 years ago | #4
Male | Berkshires, Massachusetts United States | 71

RE: Passwords 101

Be wary of such claims. If the random characters are all digits, perhaps that is possible. If they are 10 digits plus 26 capital letters plus 26 lower-case letters, the claim is, to be very kind, questionable.

The claim might well refer to a local machine in which the PW is entered, and which is connected directly to the GPU via a high-speed connection. In the real world, the threat to John J. Compuser is via an Internet connection. Thus we have many factors that make the claim absurd.

That aside, the major issue with passwords is not with breaking into personal computers, but with people who use absurdly simple ones for Internet banking and businesses, where identity theft and wholesale robbery can be done once a person's account is accessed. It doesn't take much to get a person's user ID to a bank or an online retailer. The damage is done when the baddie gets the account password because the user was careless or just plain dumb.

natureboy1776 | Undies Only [168] | 3 years ago | #5
Male | N/e, Massachusetts United States | 38

RE: Passwords 101

http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125

This is a similar article from around the same time. The issue is that GPUs are such number crunchers that they are working billions per second, not hundreds, thousands, or even millions... Yes, there are the bandwidth constraints that NIM writes of, and thankfully most sites now only give you three guesses before lockout.

The bottom line is: use a password manager, not Post-its. Use passwords that are reasonable to the situation. Never reuse the same password at different locations. Whenever possible use two-factor authentication.

DesertRat | Super Nudist [1687] | 3 years ago | #6
Couple | Phoenix, Arizona United States | 66 & 69

RE: Passwords 101

There are so many sites that require an ID and password to log in where the information is very mundane and available to anyone. An example of this is a crossword puzzle site. Why we have to log into these sites is beyond me. I guess it is so the site owners can do some form of tracking. For these types of sites I use a very simple ID and password, ones that I can easily remember, and I use the same ones for all of these sites. When it comes to critical sites like banking or trading accounts, that is another story. This is where we need to be very diligent about our IDs and passwords.

NudeInMA | Ultra Nudist [4976] | 3 years ago | #7
Male | Berkshires, Massachusetts United States | 71

RE: Passwords 101

Thanks for the link. What I gather is that the article is referring to a proof-of-concept demonstration, not a practical PW cracker for real-world use. When actually trying to break into a passworded system, the GPU would need to try each iteration on the system and wait for the pass/fail response. The speed of the process is then governed by the system being attacked, not the GPU.

How would the warp-drive GPU connect to a local target system? Other than via the Internet, the fastest peripheral connection method is USB 3.0 at 5 Gbps (625 MBps). That is a new technology that is not available on the vast majority of machines, ergo USB 2.0 or Firewire would be the available options on most boxes, and they would greatly curtail the attempt rate.

The GPU data stream would be occupying 100% of the target machine's CPU time, and the speed would be dragged down by the CPU repeatedly running the code to check the incoming password and then tell the cracker that it is wrong.

=================================================

IAC, unless the cracker has physical access to the machine, the Net is the only available way to get at it. Then the real world intrudes.

1. The cracker must have a Net connection to the target computer and be aware that the machine has interesting files protected by passwords.

2. The brute-force cracker must send combinations one set at a time and wait for a response from the victim machine that the target machine has recognized the PW.

3. The first time lag would be the machine processing the crack attempt. Depending on how busy it is, that could involve a considerable wait.

4. Once the machine responds, the major time lag is network latency or "ping time", the innate delay in Internet communications. It is based on several factors such as the number of routers in the loop, the traffic level on the Net, the unavoidable delay between a router's receiving a packet and sending it on to the next node, and the speed of light in a fiber optic cable (about 66% of the speed in a vacuum). To humans, the delays are usually too short to be detected, but to a ne'er-do-well trying to get into one's computer, latency severely crimps brute-force crack attempts.

~~ SIDEBAR ON ~~

The effect of latency, usually measured in milliseconds, can be minimal or it can be an experience akin to walking through mud. For an example, assume a network of 50 ms latency between A and B. If a large file, a video, or whatever is being transferred from A to B, after the initial negotiations, it won't matter whether B receives it 50 ms later than it is sent.

However, when the activity involves constant interaction, e.g., PW cracking, that 50 ms can be a crusher. Even ignoring the time wasted by the target machine, the math is daunting. The GPU sends a password attempt via the Net to the target: 50 ms. The target sends a response: 50 ms. One transaction requires 100 ms, and it is unavoidable. Thus, only ten tries per second can be achieved under ideal conditions. Add the time used by the target to process the incoming crack attempt, and the baddie would be lucky to get 5 attempts per second.

His owning a GPU password cracker won't do diddly squat for him.

~~ SIDEBAR OFF ~~

The article is fascinating as an idea, but random-character PWs are as safe as one will ever get or need. And what could render the task impossible is that even if the PW is broken, the desired files are all encrypted using one of the freeware encryption programs.

Suffice it to say that just getting through the PW is enough to make any sane baddies go after bigger targets. Joe Doakes' puter in East Woebegone is not interesting enough to waste all that time.

Careless users who self-infect their machines with back-door RATs (Remote Administration Tools) such as Sub7 that give the offender full control of a machine make the task of compromising it vastly simpler. However, that doesn't make breaking a password easier, unless the person foolishly stores the PW on the machine itself in a plain-text file named mypassword.txt.

Conclusion: it behooves anyone using a password-protected site to choose one that is as complex as the site allows. 123456 won't cut it.
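
The latency and lockout arithmetic from this post and from post #5, as an added example that is not part of the thread: it turns the "50 ms each way, one guess at a time" model into a guesses-per-second figure, puts the three-guesses-then-lockout policy beside it, and shows how the two bounds treat a top-ten password versus a random one. The 15-minute lockout length, the `in_flight` knob and all function names are assumptions.

```python
SOLAR_YEAR_SECONDS = 31_556_926        # same solar-year figure as post #1

# Constructed sample: post #1's top-ten list, in the order the post gives it.
WORST_PASSWORDS = ["123456", "12345", "123456789", "Password", "iloveyou",
                   "princess", "rockyou", "1234567", "12345678", "abc123"]


def latency_bound_rate(one_way_ms, target_processing_ms=0.0, in_flight=1):
    """Guesses/s when each guess crosses the network and waits for the target's
    pass/fail answer (post #7's model): one round trip plus the target's own
    processing per guess. `in_flight` > 1 models a guesser that does not wait
    for each reply, which is why a lockout policy, not latency, is the control
    a defender should count on."""
    seconds_per_guess = (2 * one_way_ms + target_processing_ms) / 1000
    return in_flight / seconds_per_guess


def lockout_bound_rate(attempts_before_lockout, lockout_seconds):
    """Hard ceiling on guesses/s against one account under an N-strikes policy
    (assumed policy shape; post #5 mentions three guesses before lockout)."""
    return attempts_before_lockout / lockout_seconds


def years_to_exhaust(length, guesses_per_second, alphabet_size=62):
    """Worst-case years to try every random password of this length."""
    return alphabet_size ** length / guesses_per_second / SOLAR_YEAR_SECONDS


def guesses_to_hit(password, wordlist=WORST_PASSWORDS):
    """Tries a list-first guesser needs for `password`; None if it is not listed."""
    return wordlist.index(password) + 1 if password in wordlist else None


if __name__ == "__main__":
    print(f"50 ms each way, sequential:   {latency_bound_rate(50):.0f} guesses/s")
    print(f"... plus 100 ms target work:  {latency_bound_rate(50, 100):.0f} guesses/s")
    three_strikes = lockout_bound_rate(3, 15 * 60)    # assumed 15-minute lockout
    print(f"3 tries per 15 min:           {three_strikes:.4f} guesses/s")
    for n in (6, 10):
        print(f"random {n}-char, lockout-bound: {years_to_exhaust(n, three_strikes):,.0f} years")
    print(f"'123456' against the list:    guess #{guesses_to_hit('123456')}")
    print(f"'Xa93dg41Pz' against the list: {guesses_to_hit('Xa93dg41Pz')}")
```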