
View Full Version : How secure is your password?



Scott Shepherd
07-05-2014, 11:59 AM
Saw this link a while back, and it's got me split because in one way I think it's great info, on the other hand, it could be a bad thing.

It checks your password and tells you how safe it is. However, there's a note on the site that says "We could be stealing your password, but we're not, be careful where you enter your password".

Well, if you were stealing my password, do you think you'd say "I'm stealing your password"? Granted, having any password and not having any login information for anything at all is pointless, but it's still interesting to think how easy it would be to get people to put in their passwords.

I'd recommend if you're paranoid, don't type your password, but type something close. If your password is "William564", put in something similar instead. You'll get the same results.

I was a bit shocked to see how much can be cracked "instantly", but also quite happy to see my combinations run into the 100's of days to crack with a normal PC trying to crack it.

https://howsecureismypassword.net

Alan Gan
07-05-2014, 12:10 PM
It is always best to use a combination of letters, both capitals and not, numbers and special symbols, even though I have been to some sites that do not allow symbols (how dumb is that). You can be pretty safe as long as the password is long enough and does not spell anything. Password crackers 1st look for common words. For some reason I think you already know all this. :)

Mike Cutler
07-05-2014, 12:26 PM
My strongest password would take 58 years according to them. My weakest is about 10 seconds.

Tony Joyce
07-05-2014, 1:24 PM
Interesting site. I used my typical password generator using 20 characters and got this reply "It would take a desktop PC about 5 quintillion years to crack your password"

Sweet, I feel pretty confident about that. Using 30 characters, I get "It would take a desktop PC about 4 undecillion years to crack your password"

Tony

Art Mann
07-05-2014, 2:16 PM
Accounts that people would really want to keep secure - bank account access for example - will only allow three tries and then you are locked out until you get the password reset by some secure method. The probability that some thief would guess even 6 random letters that are known to be all caps with no numbers or special characters in three tries is approximately zero. The problem I see in password security is using the same combination of characters on multiple accounts. One should never do that. If the person who maintains this forum were to decide to fake the website and grab our passwords when we attempt to log in, he could probably gain access to hundreds of accounts just because so many people use only one password for everything.

Michael Weber
07-05-2014, 2:50 PM
lol mine was 26 THOUSAND years. Edited to say I went back and it actually looks like it might be an ad for Roboform or a way to drive customers to their website.

Dan Hintz
07-05-2014, 3:26 PM
I wouldn't hold too much of a candle to how they're determining the strength. It makes some assumptions about passwords that are not necessarily valid.

Bruce Page
07-05-2014, 5:20 PM
"It would take a desktop PC about 465 million years to crack your password"

Great, now I just have to remember it.

Alan Gan
07-06-2014, 12:52 AM
You all really went to the site, I'll just have to guess what it would have told me. Better change your passwords now. Lol

Dan Hintz
07-06-2014, 8:57 AM
You all really went to the site, I'll just have to guess what it would have told me. Better change your passwords now. Lol

Why? It has no concept of who I am other than my IP, nor does it know what possible accounts said passwords are attached to.

Paranoia is only useful when there's logic behind it...

Curt Harms
07-06-2014, 9:38 AM
Something that would help with password security, for sites where security matters - where financial and sensitive personal information reside - would be to not limit passwords to 8 or 12 characters. Something like fragments of 3 or 4 sentences is easier to remember than 10 or 15 random characters. Here is a similar site, but it gives strength when attacked with parallel GPUs or medium sized botnets. It also has a dictionary checker.

http://password-checker.online-domain-tools.com/

Here is the result of a password sort of relevant to a woodworking site:

Li3-Nielsen52+Ver1tas=WWBlis$


Charlie Velasquez
07-06-2014, 11:21 AM
.... Something like fragments of 3 or 4 sentences is easier to remember than 10 or 15 random characters.
This.
For sites like Sawmill I have a one word password, sometimes with a number thrown in. For email, Amazon, insurance companies, financial institutions, I have a sentence related to that institution with special characters/numbers inserted in appropriate places. Even with a 12 character limit, something simple like "Iliv3@Iowa52". Following capitalization rules helps to remember; substituting 3's for all e's; finishing up the 12 character max with the numbers from my zip code, is easy to remember and gives a time of 344,000 years according to the first web site and 77% on the 2nd, which seems to be the best you can do with a 12 character limit.

My online banking is a twenty character sentence AND I opted to have the bank text me to send a 1-time use access code anytime I try to log in from an unfamiliar machine.

glenn bradley
07-06-2014, 11:30 AM
I'm sure we are all smart enough not to put our actual passwords into such a thing. As a service it is a nice barometer to let you know if the sort of format you use for your password is adequate. Certainly upper and lower case with a number and a special character would be a minimum. It would be nice if more folks would accept a set of characters divided by a space and if most common punctuation and math symbols were accepted. I carry over 60 passwords around in my head at work and these change on an irregular basis. After a few decades of doing this it is like walking and chewing gum . . . oops! Almost tripped there . . . better be more careful.

At any rate, if one gives it a bit of thought, a dozen characters that can be altered in some pattern per account is not real hard to come up with. On the other hand, just how interesting is my stuff, anyway? I don't mean my bank or credit cards and so forth. I mean how much is a small town in China focusing on one of my PC's? There is some protection in being boring BUT, if you want a real eye opener, hang a filter on your broadband connection at home and be awed and inspired by the amount of stuff hitting your machine! Who knew you were so interesting!?! ;-)

Dan Hintz
07-06-2014, 12:22 PM
On the other hand, just how interesting is my stuff, anyway? I don't mean my bank or credit cards and so forth. I mean how much is a small town in China focusing on one of my PC's? There is some protection in being boring BUT, if you want a real eye opener, hang a filter on your broadband connection at home and be awed and inspired by the amount of stuff hitting your machine! Who knew you were so interesting!?! ;-)

This ^^^^^^^^^^^^

Alan Gan
07-06-2014, 5:10 PM
I'm sure we are all smart enough not to put our actual passwords into such a thing.

There is some protection in being boring BUT, if you want a real eye opener, hang a filter on your broadband connection at home and be awed and inspired by the amount of stuff hitting your machine!

If any of you want some real fun try running WireShark. Talk about an interesting afternoon spent watching the world of CyberSpace fly by. :)~

Eric DeSilva
07-07-2014, 9:14 AM
I wouldn't put too much stock in how long that site says it will take to crack your password. Even for data vaults that are long term, those numbers are meaningless--given that the old adage was that processor speeds double every two years, processors will run at 16x today's speeds 10 years from now, so something that takes 160 years to crack is suddenly very crackable. And people who break passwords professionally use distributed processing anyway, which brings those numbers down by orders of magnitude.

I would also point out that having a super strong password doesn't do you any good if you use the same password everywhere and some site stores it without good encryption. I'm shifting everything I can to two factor authentication and long pass phrases with site-specific components...

Dave Sheldrake
07-07-2014, 12:45 PM
Only secure passworded system is one not connected to the internet.

cheers

Dave

Dan Hintz
07-07-2014, 7:49 PM
Only secure passworded system is one not connected to the internet.

Sorry, that won't necessarily help you, either ;)

Pat Barry
07-07-2014, 9:01 PM
Sorry, that won't necessarily help you, either ;)
Dan, why don't you provide some direction and guidance. If you have the knowledge then help us out.

Scott Shepherd
07-07-2014, 9:47 PM
Pat, I think he's referring to some of the reports that Snowden released. One of the plans in place was for "operatives" in a special task force to intercept new computer and computer equipment orders going to foreign governments and companies and insert something into those devices that would allow them to be remotely monitored even if they were not connected to the internet. It was a stunning report to read, meaning even being unplugged from the internet isn't safe. Smart phones are the worst. They have complete and total control over those, even if you have them turned off, completely turned off. They can access the cameras, microphones, etc.

My guess is it's that type of information that has led Dan to say you aren't safe when unplugged with a wink.

Dan Hintz
07-08-2014, 5:40 AM
Dan, why don't you provide some direction and guidance. If you have the knowledge then help us out.
Do some research using the term "air gap". Highly secure systems (or at least those thought to be) are air-gapped to prevent infiltration/exfiltration.

I'll also add... just because someone has knowledge of a subject does not mean they are allowed to help others out.

Scott Shepherd
07-08-2014, 8:04 AM
Dan, what about making your outside walls a faraday cage? Would that help? :)

Dan Hintz
07-08-2014, 1:46 PM
Dan, what about making your outside walls a faraday cage? Would that help? :)

Help? Yes. Solve the problem? No.

:D

Scott Shepherd
07-08-2014, 2:19 PM
Help? Yes. Solve the problem? No.

:D

You ubergeeks are some sneaky people ;)

Jessica Pierce-LaRose
07-08-2014, 9:25 PM
I don't know how that site works, so maybe it's not like this, but previous things like this I've seen are estimating how long it might take a computer to "brute force" your password, trying all combos until it hits something that works. That's not usually the case. Usually, well thought out programs start with large compiled tables of known passwords, words in the dictionary (including things like substituting "1" or "I", etc.), common "patterns" (things like typing "squares" on your keyboard, etc.)

The other thing, is these sites generally aren't trying to log into a site over and over - they're usually working against a table of data, trying to match passwords from there.

A couple of interesting articles I remember from last year on this stuff:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/


In my experience, one of the best things you can do is enable two factor authentication when you can. My bank, for example, if I log into the website from a different computer, I have to both enter my password and a code that is texted to my phone.

Scott Shepherd
07-09-2014, 8:06 AM
I don't worry too much about it. My belief is there's a lot better value for the time spent by trying to get into my bank, rather than trying to get into my individual account. Get into the bank, you have millions of people's information that could be worth a lot of money on the black market. I think it's far worse when someone hits someone like the Target breach months ago, since they've collected data about me that I didn't willingly sign up to give them by swiping my debit card. That, I can't control too much, other than paying cash for everything, but my passwords, I can control.

Get into a bank or medical database and you've got some pretty serious data bad people would love to have access to.

Pat Barry
07-09-2014, 8:58 AM
I don't worry too much about it. My belief is there's a lot better value for the time spent by trying to get into my bank, rather than trying to get into my individual account. Get into the bank, you have millions of people's information that could be worth a lot of money on the black market. I think it's far worse when someone hits someone like the Target breach months ago, since they've collected data about me that I didn't willingly sign up to give them by swiping my debit card. That, I can't control too much, other than paying cash for everything, but my passwords, I can control.

Get into a bank or medical database and you've got some pretty serious data bad people would love to have access to.
Related to this, I was talking with my financial advisor yesterday (Ameriprise) and they have a "Total View" money management system. You log into your Ameriprise account and then link it to your other financial accounts and it displays everything for you through the Ameriprise portal. I'm curious what you guys think of that? Makes me nervous thinking about the level of security that would be needed. He also mentioned this is similar in some ways to a service you can get through Mint.com. Too risky?

Curt Harms
07-09-2014, 9:15 AM
Related to this, I was talking with my financial advisor yesterday (Ameriprise) and they have a "Total View" money management system. You log into your Ameriprise account and then link it to your other financial accounts and it displays everything for you through the Ameriprise portal. I'm curious what you guys think of that? Makes me nervous thinking about the level of security that would be needed. He also mentioned this is similar in some ways to a service you can get through Mint.com. Too risky?

To me? Yeah.

Curt Harms
07-09-2014, 9:18 AM
I don't worry too much about it. My belief is there's a lot better value for the time spent by trying to get into my bank, rather than trying to get into my individual account. Get into the bank, you have millions of people's information that could be worth a lot of money on the black market. I think it's far worse when someone hits someone like the Target breach months ago, since they've collected data about me that I didn't willingly sign up to give them by swiping my debit card. That, I can't control too much, other than paying cash for everything, but my passwords, I can control.

Get into a bank or medical database and you've got some pretty serious data bad people would love to have access to.

Yup, and they have essentially unlimited time to hack on any (weakly?) encrypted data.

Scott Shepherd
07-09-2014, 9:33 AM
Yup, and they have essentially unlimited time to hack on any (weakly?) encrypted data.

And I'm sure if that were your target, you're not some hack in your parents' basement, you're backed by some serious money, which would allow you to step up to some fairly serious computing power where your supercomputer(s) did nothing but work on the issue 24/7 at a really fast pace. You could spend $20,000,000 on a state of the art computer center that did nothing but work on cracking it, and you'd still make a ton of money if you could ever crack it.

Val Kosmider
07-09-2014, 3:48 PM
Being particularly ignorant about passwords and computers, wouldn't I simply put a key stroke logger on your PC, or run some software which reads the Password file in your PC, if I wanted this information?

I always assume that anything I put in my PC, and anywhere in the net, is public information.

I equate it to having a security system on a car.. it takes a professional thief all of five seconds to penetrate the 'security'.

Curt Harms
07-10-2014, 7:23 AM
And I'm sure if that were your target, you're not some hack in your parents' basement, you're backed by some serious money, which would allow you to step up to some fairly serious computing power where your supercomputer(s) did nothing but work on the issue 24/7 at a really fast pace. You could spend $20,000,000 on a state of the art computer center that did nothing but work on cracking it, and you'd still make a ton of money if you could ever crack it.

I'm not even sure you'd need mega money to build a cracking setup. I don't understand the theory or practice but I've seen articles where people have built a chassis to hold a number of high end GPUs. As I understand it the sort of math operations that go into rendering 3D graphics are also useful for brute forcing passwords. GPUs are optimized for those math operations. Here's a 2-year-old article:

In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM NTLM (NT Lan Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.

https://securityledger.com/2012/12/new-25-gpu-monster-devours-passwords-in-seconds/

Scott Shepherd
07-10-2014, 7:59 AM
That would be true if a simple password was what was keeping them out of those large databases, but it's not. There's a lot more to getting into a bank database than guessing a password.

Dan Hintz
07-10-2014, 4:32 PM
I'm reminded of this XKCD (which, incidentally (but not accidentally) came out just a couple of days after the NSA changed their password requirements to 16 characters):

Curt Harms
07-11-2014, 7:10 AM
That would be true if a simple password was what was keeping them out of those large databases, but it's not. There's a lot more to getting into a bank database than guessing a password.

I'm sure that's true. Cracking the POS system at a busy retailer may not be as lucrative as Chase or Bank of America but I'll bet it's a lot easier and still well worth the effort.

Brian Elfert
07-11-2014, 9:04 AM
The problem with requiring ridiculously long or complex passwords or frequent password changes is users will write their password down because they can't remember it. If someone's password is on a Post-It stuck to the monitor there is no security at all. I was at a Ford dealership about a decade ago and the monitor was completely surrounded by notes showing passwords for different systems.

There are serious questions if requiring password changes on a regular basis really improves security. If someone is able to break into an account the damage is usually done right away and the password may not change again for weeks. Frequent password changes make it more likely users will write down passwords.

Jack Jackson
07-11-2014, 10:46 AM
The only "good part" of people writing down their pw's because they're too complex to remember is that a hacker can't see the Post-it note in your desk drawer.. or the notecard in your wallet... (key phrase, "only good part")... just trying to see the silver lining

Kev Williams
07-11-2014, 11:04 AM
I've had 3 passwords, ever. Because of "rules", like 'your password must contain at least one capital, one letter, one number, one symbol, 1 Russian letter and 1 Chinese character' (groan), I've added them in when needed. And because of that I have a "login info" notepad stuck to the desktop of every computer I own so I can remember the additions. (but I don't actually spell out the passwords themselves)

2 of my passwords are actual words. My best password is an 11 character mishmash of letters that means completely nothing, and not one single real English-language word can be formed, not even a 2-letter word, from the characters when read left-to-right OR right-to-left. IMO it's completely un-guessable. My own invented, personal word. And, it's a word I can pronounce. Because of that, I'll never forget it. :)

Kent A Bathurst
07-11-2014, 7:14 PM
So .......

You are saying that 123abc can be improved on?

Hmmmm....may be something to that.

How about my first name and birthday? Is that better?


:p :p :p

Eric DeSilva
07-12-2014, 11:20 AM
I've always preferred this one:

http://www.explainxkcd.com/wiki/images/d/dc/password_reuse.png

Tom Fischer
07-13-2014, 2:38 PM
Accounts that people would really want to keep secure - bank account access for example - will only allow three tries and then you are locked out until you get the password reset by some secure method.

That's correct. And locked means locked to everybody, including the security engineers at the bank/brokerage, plus any and all hackers. The only way to unlock is usually to answer the "Memorable Questions" (e.g. "First name of your best man", etc.). So... don't ever store your memorable answers on your computer.

Financial transactions are very secure. Whenever you read about lists of passwords being stolen, that is from "flat files" (which Sawmillcreek.org probably uses), not encrypted security applications, like Siteminder, which all bank/brokerages use. At the latter, there are NO employees who have access to your password.

Disclaimer: worked at HSBC.com secure portal for 5 years.

Phil Thien
07-13-2014, 4:17 PM
And locked means locked to everybody, including the security engineers at the bank/brokerage, plus any and all hackers.

There is always someone that can get in.

Always.

Scott Shepherd
08-05-2014, 10:10 PM
Oh well, forget everything discussed.....

http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0

Dale Murray
08-06-2014, 8:34 AM
The most secure password I use regularly would take 88 nonillion years to crack according to that site.

Length: 26 characters
Character Combinations: 77
Calculations Per Second: 4 billion
Possible Combinations: 11 quindecillion

My least secure, and no longer used alone (due to various sites being hacked in the past) would last about 10 hours.

Now my password methodology consists of five separate passwords with each used in combination, and each password according to this site ranging from 6-14 years to hack.
1, 2, 3, 4, 5 passwords used in combination for a given site:
1+5
2+1+5
5+_+3
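The figures in the post above (length 26, 77 character combinations, 4 billion calculations per second) are exactly what a pure brute-force estimate produces, and this added example (my code, not the checker site's) reproduces them and then shows what the same numbers become against the 348 billion hashes per second GPU rig quoted earlier in the thread, or when the password is simply in a wordlist. The short-scale number names and the 94-symbol ASCII alphabet in `alphabet_size` are my assumptions about how such checkers count; the site itself evidently uses a smaller symbol set, so the 77 is taken straight from the post.

```python
import math
import string

# Short-scale names for successive powers of one thousand, so results print the
# way the site in the thread prints them ("11 quindecillion", "88 nonillion").
# Assumption: the site truncates rather than rounds the leading number.
SCALE = ["", "thousand", "million", "billion", "trillion", "quadrillion",
         "quintillion", "sextillion", "septillion", "octillion", "nonillion",
         "decillion", "undecillion", "duodecillion", "tredecillion",
         "quattuordecillion", "quindecillion", "sexdecillion"]

SECONDS_PER_YEAR = 365 * 24 * 3600

# Guess rates quoted in the thread, used as-is (nothing is measured here):
# the checker's "4 billion calculations per second" desktop figure and the
# 348 billion NTLM hashes per second reported for the 25-GPU rig.
DESKTOP_RATE = 4_000_000_000
GPU_RIG_RATE = 348_000_000_000


def alphabet_size(password: str) -> int:
    """Size of the union of standard character classes the password uses.

    Convention assumed here: 26 lowercase, 26 uppercase, 10 digits and the
    32 ASCII punctuation characters (94 in total). Checkers differ on the
    symbol count, which is why the site reports 77 rather than 94.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    return sum(count for chars, count in classes if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates of exactly this length; brute force tries them all."""
    return alphabet ** length


def brute_force_years(length: int, alphabet: int, rate: float) -> float:
    """Worst-case years to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(length, alphabet) / rate / SECONDS_PER_YEAR


def wordlist_seconds(list_size: int, rate: float) -> float:
    """Worst case when the password is in a wordlist: its length is irrelevant."""
    return list_size / rate


def short_scale(n: float) -> str:
    """Render 8.87e31 as '88 nonillion', truncating the leading number."""
    if n < 1000:
        return str(int(n))
    group = min(int(math.log10(n)) // 3, len(SCALE) - 1)
    return f"{int(n / 10 ** (3 * group))} {SCALE[group]}"


if __name__ == "__main__":
    # Dale's figures: 26 characters over a 77-symbol alphabet.
    print("possible combinations:", short_scale(keyspace(26, 77)))
    print("desktop PC years:", short_scale(brute_force_years(26, 77, DESKTOP_RATE)))
    print("25-GPU rig years:", short_scale(brute_force_years(26, 77, GPU_RIG_RATE)))
    # Charlie's 12-character "Iliv3@Iowa52" under the 94-symbol convention.
    size = alphabet_size("Iliv3@Iowa52")
    print("12-char alphabet:", size, "years:", short_scale(brute_force_years(12, size, DESKTOP_RATE)))
    # Any password that appears in a ten-million-entry wordlist, same desktop rate.
    print("wordlist worst case (s):", wordlist_seconds(10_000_000, DESKTOP_RATE))
```

The last line is the point Jessica and Dan make later in the thread: the astronomical figure describes only the exhaustive search, and a password found in a compiled table falls in a fraction of a second regardless of length.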

Pat Barry
08-06-2014, 1:28 PM
The most secure password I use regularly would take 88 nonillion years to crack according to that site.

Length: 26 characters
Character Combinations: 77
Calculations Per Second: 4 billion
Possible Combinations: 11 quindecillion

My least secure, and no longer used alone (due to various sites being hacked in the past) would last about 10 hours.

Now my password methodology consists of five separate passwords with each used in combination, and each password according to this site ranging from 6-14 years to hack.
1, 2, 3, 4, 5 passwords used in combination for a given site:
1+5
2+1+5
5+_+3
If the NY Times article Scott provided has any merit it doesn't matter how secure you think you are or what those fancy calculations tell you. You are at risk just like if you were using abc123 (one of my old passwords)

Phil Thien
08-06-2014, 2:05 PM
If the NY Times article Scott provided has any merit it doesn't matter how secure you think you are or what those fancy calculations tell you. You are at risk just like if you were using abc123 (one of my old passwords)

It probably does not have any merit, IMHO.

The outfit that announced this "discovery" (local to me, BTW, and they have a new office across the hall from a client of mine) indicates they get their information from chat rooms and discussion groups frequented by hackers. They (Hold Security), to the best of my knowledge, have not released any details that could be used to substantiate these statements.

IMHO, this is an effort by an outfit to make a name for themselves. Here, look at the Wikipedia article they apparently created about their announcement:

http://en.wikipedia.org/wiki/2014_Russian_hacker_password_theft

FWIW, these types of attacks would typically not net actual passwords, but hashes of passwords. You would need the key and the hash to get the actual password. But again, I'm doubting anyone has 1.2 billion of anything at this point.

Dan Hintz
08-06-2014, 3:22 PM
I'm (somewhat) inclined to agree with Phil... read the August 6th post on http://krebsonsecurity.com/ for a bit of background. The owner isn't exactly a household name in the security world (and we're a surprisingly small community). My guess is he came across a slew of material that was already stolen, then backtracked the source by listening to the people pawning it off for cash. It's a useful technique, but hardly worthy of a security company's resume... if that's their only real method of finding hacks, they're an info source, not a security company.

Myk Rian
08-06-2014, 10:13 PM
It would be prudent for everyone to change their sensitive passwords, now.

From:
http://fox6now.com/2014/08/06/russian-criminals-steal-1-2-billion-passwords/

NEW YORK (CNNMoney) — Russian criminals have stolen 1.2 billion Internet user names and passwords, amassing what could be the largest collection of stolen digital credentials in history, a respected security firm said Tuesday.
The news was first reported by The New York Times, which cited research from Milwaukee-based Hold Security. The firm didn’t reveal the identities of the targeted websites, citing nondisclosure agreements and a desire to prevent existing vulnerabilities from being more widely exploited.
Hold Security founder Alex Holden told CNNMoney that the trove includes credentials gathered from over 420,000 websites — both smaller sites as well as “household names.” The criminals didn’t breach any major email providers, he said.

Dan Hintz
08-07-2014, 6:19 AM
Myk,

See the last several posts...

Phil Thien
08-07-2014, 9:36 AM
Myk,

See the last several posts...

There is an article in the morning local newspaper that goes somewhat into Alex Holden's (Hold Security) background. Apparently his LinkedIn profile says he earned an engineering degree from UW-Milwaukee. He confirmed that during an interview w/ the newspaper. They (newspaper) called the university, and they say he attended and never graduated.

Now, I guess a lot of people pad their resumes. However, I (just a personal thing) can't stand cheaters. I cannot stand people that cheat on assignments or quizzes or exams. And misrepresenting your academic achievements has to be the highest form of cheating.

I do not trust anyone that would misrepresent what is so easily confirmed.

Just my humble opinion, but I would take anything this guy says with a giant grain of salt.

Ole Anderson
08-11-2014, 9:44 AM
Why would anyone try to individually hack your password when all they have to do is hack a website that stores passwords? And most secure websites give you a time out after three bad attempts. Even so, I upgraded my passwords to sites I wouldn't want hacked. Not so with sites like this.

Garth Almgren
08-11-2014, 3:21 PM
Reminds me of this:

http://xkcd.com/936/

And based on that comic, someone created a secure password generator that generates passwords that are easy to remember but hard for a computer to guess: http://correcthorsebatterystaple.net/

Ole Anderson
08-12-2014, 12:48 AM
Seems like every time I ask someone if I can fax a document to them, forgetting that I am not at the office anymore so I have no fax machine, I get the reply that they would prefer that I scan it and attach it to an email. Faxes are going the way of the Labrador Duck. An attachment can be saved "in the cloud" and forwarded in a split second, a fax can be saved in a manila folder and forwarded by snail mail. But I have no scanner in my RV, so when I am in FL during April, I usually need to walk to the park office and pay to fax something to my tax preparer.

Phil Thien
08-12-2014, 9:29 AM
Why would anyone try to individually hack your password when all they have to do is hack a website that stores passwords? And most secure websites give you a time out after three bad attempts. Even so, I upgraded my passwords to sites I wouldn't want hacked. Not so with sites like this.

Websites don't store passwords, they store password hashes.

Watch this:
http://www.wimp.com/knowpassword/

So what these "hackers" have are databases of password hashes, mostly (worthless). About the only way to get an actual password is a phishing scheme, or a virus with a key logger.

Al Launier
08-12-2014, 9:44 AM
I may be paranoid, but I'm reluctant to enter my real password on a PW checker as that would be an easy way for a hacker to set up the software to get your PW.

Eric DeSilva
08-12-2014, 10:58 AM
Phil, not entirely true. Hashing isn't a sinecure:

http://lifehacker.com/5919918/how-your-passwords-are-stored-on-the-internet-and-when-your-password-strength-doesnt-matter

Ole Anderson
08-12-2014, 11:24 AM
So how insecure a site will allow a computer to start guessing passwords unchecked? I usually get three tries.

Phil Thien
08-12-2014, 11:51 AM
Phil, not entirely true. Hashing isn't a sinecure:

http://lifehacker.com/5919918/how-your-passwords-are-stored-on-the-internet-and-when-your-password-strength-doesnt-matter

Not understanding your use of the word "sinecure" here, but the article you linked has some fundamental errors. For example, it says "This means the strength of your password still matters, since the longer and more complex it is, the longer it will take to crack in a brute force attack." But if someone is using brute force, all that really matters is the weakest passwords in the hash. Once they have those, they have yours.

But of course, getting even the weakest passwords is difficult because they don't just hash your password. As the article states, they will typically prepend, append, and insert strings into the password which you provide before running whatever algorithm they use. Whatever text they are inserting is often dependent on the login name. So unless you have the tables _and_ the actual source code being used for authentication, you're not going to be able to convert those hashes into passwords.

Yes, there will always be exceptions (outfits that don't follow best practices). But the media sensationalizes this stuff and people think the movies are reality, where the tech guy "logs in through a back door and gets all the passwords." It just isn't that easy.

Eric DeSilva
08-12-2014, 12:16 PM
I've noticed that the older I get, the more I tend to think one thing and type another.

I understand what you are saying. But when a professional website like LinkedIn uses unsalted hashes and leaks 6.5M passwords, I'm not going to assume that unsalted hashes are "exceptions."

As I understand it, my linked article is correct. Just because you can do a brute force attack to identify the hash of a particular password does not mean, from what I've read, that you can reverse the hashing process to recover all of the passwords from a hash file. See http://en.wikipedia.org/wiki/SHA-1, and in particular, where it states: "Constructing a password that works for a given account requires a preimage attack (http://en.wikipedia.org/wiki/Preimage_attack), as well as access to the hash of the original password, which may or may not be trivial. Reversing password encryption (e.g. to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. (However, even a secure password hash can't prevent brute-force attacks on weak passwords (http://en.wikipedia.org/wiki/Password_strength).)"
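The salting point Phil and Eric are circling (Phil's "prepend, append, and insert strings", Eric's unsalted LinkedIn hashes), as an added example that is not from any post or from the linked articles: against an unsalted table one pass over a wordlist recovers every account whose password is in it, and accounts that reuse a password show identical hashes; with a random per-user salt and a deliberately slow hash, every account costs its own full pass and identical passwords no longer look alike. The accounts, passwords and wordlist are constructed for the demo, and the PBKDF2 round count is an illustrative choice.

```python
import hashlib
import os
import time
from typing import Dict, Tuple

# Constructed sample accounts; alice and bob reuse the same weak password.
USERS = {
    "alice": "abc123",
    "bob": "abc123",
    "carol": "Th3-plane-flew-over-Dubuque-twice",
}

# Constructed stand-in for the large compiled tables described in the thread.
WORDLIST = ["password", "123456", "qwerty", "abc123", "letmein", "123abc"]

PBKDF2_ROUNDS = 50_000  # illustrative; real deployments tune this to hardware


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password, the scheme the LinkedIn leak exposed."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt and many rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def build_unsalted_table() -> Dict[str, str]:
    """What a site storing bare hashes would leak: user -> hash."""
    return {user: unsalted_hash(pw) for user, pw in USERS.items()}


def build_salted_table() -> Dict[str, Tuple[bytes, str]]:
    """What a salted site would leak: user -> (salt, hash). The salt is not secret."""
    table = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)
        table[user] = (salt, salted_hash(pw, salt))
    return table


def crack_unsalted(table: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Hash the wordlist once, then look every leaked hash up in that table.

    Returns (recovered passwords by user, number of hash computations).
    The work is len(WORDLIST) no matter how many accounts leaked.
    """
    lookup = {unsalted_hash(w): w for w in WORDLIST}
    recovered = {user: lookup[h] for user, h in table.items() if h in lookup}
    return recovered, len(WORDLIST)


def crack_salted(table: Dict[str, Tuple[bytes, str]]) -> Tuple[Dict[str, str], int]:
    """With per-user salts no precomputed table transfers between accounts.

    Each account needs its own pass over the wordlist, and each guess pays the
    full PBKDF2 cost. Returns (recovered passwords by user, hash computations).
    """
    recovered: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in table.items():
        for w in WORDLIST:
            work += 1
            if salted_hash(w, salt) == digest:
                recovered[user] = w
                break
    return recovered, work


def seconds_per_guess(hash_fn) -> float:
    """Rough wall-clock cost of one guess, to show why the slow hash matters."""
    start = time.perf_counter()
    hash_fn()
    return time.perf_counter() - start


if __name__ == "__main__":
    plain = build_unsalted_table()
    salted = build_salted_table()
    print("alice and bob hashes identical (unsalted):", plain["alice"] == plain["bob"])
    print("alice and bob hashes identical (salted):  ", salted["alice"][1] == salted["bob"][1])
    print("unsalted:", crack_unsalted(plain))
    print("salted:  ", crack_salted(salted))
    print("cost of one SHA-1 guess (s):  ", seconds_per_guess(lambda: unsalted_hash("x")))
    print("cost of one PBKDF2 guess (s): ", seconds_per_guess(lambda: salted_hash("x", b"s" * 16)))
```

Carol's password is recovered by neither method because it is not in the wordlist, which is the other half of the thread's point: salting and a slow hash raise the attacker's cost per account, while a password outside any compiled table denies the wordlist attack altogether.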

Phil Thien
08-12-2014, 1:07 PM
As I understand it, my linked article is correct. Just because you can do a brute force attack to identify the hash of a particular password does not mean, from what I've read, that you can reverse the hashing process to recover all of the passwords from a hash file. See http://en.wikipedia.org/wiki/SHA-1, and in particular, where it states: "Constructing a password that works for a given account requires a preimage attack (http://en.wikipedia.org/wiki/Preimage_attack), as well as access to the hash of the original password, which may or may not be trivial. Reversing password encryption (e.g. to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. (However, even a secure password hash can't prevent brute-force attacks on weak passwords (http://en.wikipedia.org/wiki/Password_strength).)"

LOL, good point (slaps forehead). I was thinking encrypted again, not hashed.

Although, there are broken hashes where clear text can be derived. But that was not what I was thinking when I wrote that, I was just being dumb.
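The two posts above make a distinction worth seeing in working code: a hash dump cannot be "reversed", but a weak password can still be found by hashing guesses until one matches, and without a per-user salt that guessing is shared across every account in the dump. The following is an added example for this thread, not code from any poster or from the Wikipedia article cited. The accounts, passwords and wordlist are constructed; the unsalted scheme is a single SHA-1 over the bare password (the scheme the LinkedIn dump turned out to use), and the salted scheme is PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.

```python
import hashlib
import os

# Constructed sample accounts (not real leaked data). Two users share the weak
# password "William564", the example password used earlier in this thread.
USERS = {
    "alice": "William564",
    "bob": "William564",
    "carol": "Tq7#vL9!xP2@mZ4w",  # long random password, not in any wordlist
}

# Constructed wordlist standing in for the common-password lists crackers try first.
WORDLIST = ["password", "123456", "William564", "letmein", "qwerty"]

PBKDF2_ITERATIONS = 50_000  # deliberately slow; real deployments tune this upward


def unsalted_sha1(password: str) -> str:
    """One SHA-1 over the bare password, no salt: what a leaked dump of this kind holds."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes) -> str:
    """Per-user random salt plus an iterated, deliberately slow derivation."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    ).hex()


def dump_unsalted(users):
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def dump_salted(users):
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        dump[user] = (salt, salted_pbkdf2(pw, salt))
    return dump


def crack_unsalted(dump, wordlist):
    """Without salt, one hash per candidate word serves every account in the dump:
    build the table once, then look each stored hash up in it.
    Returns (recovered passwords, number of hash computations)."""
    table = {unsalted_sha1(word): word for word in wordlist}
    found = {user: table[h] for user, h in dump.items() if h in table}
    return found, len(wordlist)


def crack_salted(dump, wordlist):
    """With a per-user salt every (account, candidate) pair costs a separate slow
    derivation; nothing computed against alice helps against bob."""
    found, work = {}, 0
    for user, (salt, h) in dump.items():
        for word in wordlist:
            work += 1
            if salted_pbkdf2(word, salt) == h:
                found[user] = word
                break
    return found, work


def shared_password_groups(dump):
    """Identical unsalted hashes expose shared passwords before any cracking at all."""
    groups = {}
    for user, h in dump.items():
        groups.setdefault(h, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    plain = dump_unsalted(USERS)
    print("users sharing a password:", shared_password_groups(plain))
    print("unsalted:", crack_unsalted(plain, WORDLIST))
    print("salted:  ", crack_salted(dump_salted(USERS), WORDLIST))
```

Both attacks recover "William564" for alice and bob, and neither recovers carol's password, which is the point of the quoted Wikipedia passage: the hash is not inverted, the guess is confirmed. The difference is cost. The unsalted dump falls to five hash computations for all three accounts, and the two identical hashes betray the shared password before any guessing starts; the salted dump needs a fresh slow derivation for every account and candidate, so the same wordlist costs eleven PBKDF2 runs here and scales with the number of accounts.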

Scott Shepherd
08-12-2014, 1:18 PM
I still don't see what they gain. If they know my password to a forum, are they going to log in as me and post stupid things? Sorry, got that covered already.

If they get into my bank, I'll know about it after the first transaction or two, and the account will be locked and I'll get my money back from the bank.

If they get into my email, they'll see how boring my email life is. I'm not emailing the President. They might find out that a friend's kid hit a home run in a baseball. What will they do, email people with my account? Like I care?

I've not yet seen the reasoning in my life of how devastating it would be.

I think passwords have become the bogeyman for the media. Now, if you're hacking into a business that has intellectual property, then I get it, but I don't see the value in the end, home user.

So you now have access to my netflix account? Good, could you send me the login, because I can't remember it.

Phil Thien
08-12-2014, 1:29 PM
If they get into my bank, I'll know about it after the first transaction or two, and the account will be locked and I'll get my money back from the bank.


That isn't universally true, I know a guy that lost $15k (IIRC) due to his password being compromised (got a key logger on his machine). The large bank said, "too bad."

Scott Shepherd
08-12-2014, 1:44 PM
That isn't universally true, I know a guy that lost $15k (IIRC) due to his password being compromised (got a key logger on his machine). The large bank said, "too bad."

If the bank is FDIC insured, he should be good to go. I'd contact a lawyer on that one.

Eric DeSilva
08-12-2014, 2:17 PM
I still don't see what they gain. If they know my password to a forum, are they going to log in as me and post stupid things? Sorry, got that covered already.

I think the issue for a lot of users--and this may not apply to you--is that they use the same password across different sites. Don't get me wrong, that is a bad practice, but it is something that people do because it is too hard to remember passwords that are unique. So, for a lot of people, getting your password to your LinkedIn account might also lead to your FB account and your work email and your bank account. Yeah, maybe you can get your bank to shut down unauthorized withdrawals and transfers, but it might take some time. And it will be a PITA.

There is also an issue these days with people taking over email accounts and using those accounts to reset other passwords on more secure systems. They lock you out of the account you need to authenticate yourself to other sites. Again, maybe not a big deal for you. But other people who have invested in a web presence for a business or who use cloud based storage for all their digital photos might think otherwise.

Phil Thien
08-12-2014, 2:24 PM
If the bank is FDIC insured, he should be good to go. I'd contact a lawyer on that one.

"FDIC insurance does not protect you against identity theft or unauthorized use of your bank account."

http://www.medscape.com/viewarticle/768184

Scott Shepherd
08-12-2014, 3:02 PM
"FDIC insurance does not protect you against identity theft or unauthorized use of your bank account."

http://www.medscape.com/viewarticle/768184

Has nothing to do with identity theft. It's fraud. Fraudulent transactions. You are protected under federal law. This is from a Federal website dealing with this exact thing:

"What does the bank have to do once I report it? Can I get my money back?
Once you notify your bank or credit union, it generally has 10 business days to investigate the issue (20 days if the account has been open less than 30 days). Your bank or credit union then has three business days to report its findings to you. If the bank or credit union can’t complete its investigation within 10 (or 20) business days as applicable, it must credit your account for the full disputed amount less a maximum of $50 while the investigation continues.
The bank or credit union must resolve the issue in 45 days, unless the transactions were conducted in a foreign country, were conducted within 30 days of account opening, or were debit card point-of-sale purchases. In those cases, you may have to wait as long as 90 days for the issue to be fully resolved. The bank or credit union must correct an error within one business day after determining that an error has occurred.
If the bank or credit union determines that the transactions were legitimate, it must provide you with written notice before taking the money that was credited to you during the investigation out of your account.
There are instances, such as tax liens or wage garnishment, where someone may take money out of your account to pay back a debt you owe and you will not be able to recover the funds.
Tip: Report your lost or stolen card within two business days of when you discover it is missing so you limit your losses to $50 or less, no matter how much is charged to your card."

Phil Thien
08-12-2014, 3:55 PM
Has nothing to do with identity theft. It's fraud. Fraudulent transactions. You are protected under federal law. This is from a Federal website dealing with this exact thing:

"What does the bank have to do once I report it? Can I get my money back?
Once you notify your bank or credit union, it generally has 10 business days to investigate the issue (20 days if the account has been open less than 30 days). Your bank or credit union then has three business days to report its findings to you. If the bank or credit union can’t complete its investigation within 10 (or 20) business days as applicable, it must credit your account for the full disputed amount less a maximum of $50 while the investigation continues.
The bank or credit union must resolve the issue in 45 days, unless the transactions were conducted in a foreign country, were conducted within 30 days of account opening, or were debit card point-of-sale purchases. In those cases, you may have to wait as long as 90 days for the issue to be fully resolved. The bank or credit union must correct an error within one business day after determining that an error has occurred.
If the bank or credit union determines that the transactions were legitimate, it must provide you with written notice before taking the money that was credited to you during the investigation out of your account.
There are instances, such as tax liens or wage garnishment, where someone may take money out of your account to pay back a debt you owe and you will not be able to recover the funds.
Tip: Report your lost or stolen card within two business days of when you discover it is missing so you limit your losses to $50 or less, no matter how much is charged to your card."

That is only for personal accounts, not business accounts.

There is no similar protection for business accounts.

Scott Shepherd
08-12-2014, 4:19 PM
That is only for personal accounts, not business accounts.

There is no similar protection for business accounts.

That's what I was saying, that just about anything you do to me personally isn't going to matter. Businesses, as noted, are a different animal.

As an individual, I'm not sure where the risk is from having passwords compromised.

Phil Thien
08-12-2014, 4:40 PM
That's what I was saying, that just about anything you do to me personally isn't going to matter. Businesses, as noted, are a different animal.

As an individual, I'm not sure where the risk is from having passwords compromised.

I thought you owned a sign business?

Scott Shepherd
08-12-2014, 7:00 PM
I thought you owned a sign business?

We do, however, I don't use the internet for anything financial for that (me personally). I just spend the money, I don't account for it :)

Greg Portland
08-12-2014, 7:04 PM
I still don't see what they gain. If they know my password to a forum, are they going to log in as me and post stupid things? Sorry, got that covered already.

If they get into my bank, I'll know about it after the first transaction or two, and the account will be locked and I'll get my money back from the bank.

It would be a lot easier to open up a bunch of credit card accounts with your hacked information. I've had 2 relatives whose credit was ruined in this manner and it took over a year working with the various financial institutions to get everything cleared up. One of them lost $5k from their bank... the bank said "too bad".

Greg Portland
08-12-2014, 7:09 PM
I'd add that 1Password is a good (pay) option for maintaining all your passwords in a secure manner. You only need to remember 1 (secure) password; the tool takes care of the rest (updating existing passwords, etc.).

Also, always use 2 factor authorization when it's offered (i.e. text a confirmation code to your phone if you change your password, etc.).

Scott Shepherd
08-12-2014, 7:42 PM
It would be a lot easier to open up a bunch of credit card accounts with your hacked information.

What hacked information? That's my point. You're not going to gather enough personal data about me (SSN, etc.) from my Facebook account.

I don't know, I just don't see the threats. Does it happen? Sure. Did it happen because people clicked on phishing emails that said "your account has been locked, please click here to reactivate" and then they promptly entered way more private information than anyone should ever give into the form, which handed the people the keys to everything? Probably. You're not going to get enough information to open accounts in my name from my woodworking forum profile, I don't think. Could someone sit here and go across posts and build a profile about me? Sure. But that takes time; these people aren't interested in that sort of profile building, they are running scripts with the data to log into various things.

The vast majority of forums out there don't require you to use your real name. How's anyone going to do any damage to "FastRedCar34365" that's on a car forum? All they get is access to the forum. There's no address or personal information in there.

If they did get into my bank account, as soon as $100 was spent, I'd be notified, so I could shut it down in minutes after that notification.

Curt Harms
08-13-2014, 7:14 AM
I still don't see what they gain. If they know my password to a forum, are they going to log in as me and post stupid things? Sorry, got that covered already.

If they get into my bank, I'll know about it after the first transaction or two, and the account will be locked and I'll get my money back from the bank.

If they get into my email, they'll see how boring my email life is. I'm not emailing the President. They might find out that a friend's kid hit a home run in a baseball. What will they do, email people with my account? Like I care?

I've not yet seen the reasoning in my life of how devastating it would be.

I think passwords have become the bogeyman for the media. Now, if you're hacking into a business that has intellectual property, then I get it, but I don't see the value in the end, home user.

So you now have access to my netflix account? Good, could you send me the login, because I can't remember it.

One example that comes to mind: If someone was able to use your email account to send things like child porn files as attachments, it seems like your life could get complicated until you got it straightened out.

Dan Hintz
08-13-2014, 7:53 AM
One example that comes to mind: If someone was able to use your email account to send things like child porn files as attachments, it seems like your life could get complicated until you got it straightened out.

Meh, not really. While it may come from his account, the login IPs would quickly resolve any doubt as to where it originated from. During investigations of such matters, email accounts are only useful in narrowing the parameters ("could person 'X' be sending this")... but the real evidence is the IP address for the connection. This would be resolved long before he was ever approached about such issues.
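The post above rests on the login IP being the evidence that separates the account owner from whoever took over the account. In practice that comes out of the mail server's authentication and submission logs. The following is an added example for this thread, not code from any poster or from any mail server: it parses a simplified, constructed log format (the records and addresses are made up, drawn from the documentation IP ranges), builds each user's baseline of /24 networks they logged in from before a cutoff, and flags messages sent afterwards from a network outside that baseline. Real Dovecot or Postfix logs would need their own regular expressions; the correlation logic is the same.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, simplified auth/submission log. Not from any real server.
# scott's usual origin is 203.0.113.7; the 03:14 login from 198.51.100.23 and the
# two sends right after it are the takeover this thread is discussing.
LOG = """\
2014-08-12T08:01:12Z login user=scott src=203.0.113.7 result=ok
2014-08-12T12:44:03Z login user=scott src=203.0.113.7 result=ok
2014-08-12T19:10:55Z send  user=scott src=203.0.113.7 rcpt=friend@example.net
2014-08-13T03:14:09Z login user=scott src=198.51.100.23 result=ok
2014-08-13T03:15:30Z send  user=scott src=198.51.100.23 rcpt=victim1@example.org
2014-08-13T03:15:31Z send  user=scott src=198.51.100.23 rcpt=victim2@example.org
2014-08-13T07:20:00Z login user=curt src=192.0.2.44 result=ok
2014-08-13T07:21:10Z send  user=curt src=192.0.2.44 rcpt=family@example.com
"""

# Matches the constructed format above only; real log lines need their own pattern.
LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+)\s+user=(?P<user>\S+) src=(?P<src>\S+)")


def parse(log: str):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def network_of(src: str, prefix: int = 24) -> ipaddress.IPv4Network:
    """Group by /24 so a home connection's address changing within its block
    does not look like a new origin."""
    return ipaddress.ip_network(f"{src}/{prefix}", strict=False)


def baseline(events, before: str):
    """Networks each user successfully logged in from before the ISO-8601 cutoff.
    ISO-8601 UTC timestamps compare correctly as strings."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["ts"] < before:
            seen[e["user"]].add(network_of(e["src"]))
    return seen


def flag_new_origin_sends(events, before: str):
    """Sends at or after the cutoff from a network absent from the sender's baseline.
    A user with no baseline at all is flagged too; that is a review item, not proof."""
    base = baseline(events, before)
    flagged = []
    for e in events:
        if e["event"] == "send" and e["ts"] >= before:
            if network_of(e["src"]) not in base.get(e["user"], set()):
                flagged.append((e["ts"], e["user"], e["src"]))
    return flagged


if __name__ == "__main__":
    for hit in flag_new_origin_sends(parse(LOG), "2014-08-13T00:00:00Z"):
        print("review:", *hit)
```

Against the constructed log, scott's two early-morning sends from 198.51.100.23 are flagged because his only prior logins came from 203.0.113.0/24, while his earlier send from his usual address is not. curt's send is flagged only because he has no login history before the cutoff, which is the kind of result an analyst checks by hand rather than acts on. As the next replies in the thread point out, a source address on its own is not the end of the inquiry; it is the lead that tells you which ISP to ask.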

Ole Anderson
08-13-2014, 8:56 AM
I still don't see what they gain. If they know my password to a forum, are they going to log in as me and post stupid things? Sorry, got that covered already.

If they get into my bank, I'll know about it after the first transaction or two, and the account will be locked and I'll get my money back from the bank.

If they get into my email, they'll see how boring my email life is. I'm not emailing the President. They might find out that a friend's kid hit a home run in a baseball. What will they do, email people with my account? Like I care?

I've not yet seen the reasoning in my life of how devastating it would be.

I think passwords have become the bogeyman for the media. Now, if you're hacking into a business that has intellectual property, then I get it, but I don't see the value in the end, home user.

So you now have access to my netflix account? Good, could you send me the login, because I can't remember it.

This is some funny stuff, man! I tend to agree with you. I had a credit card hacked last spring, 36 transactions in 2 hours for $5600 at bricks and mortar stores before the bank caught on. They never explained why it took so long. Didn't cost me a penny. Doubt it came from hacking my password though, probably someone swiping my card and selling the info online.

Jason Kowell
08-13-2014, 3:54 PM
Meh, not really. While it may come from his account, the login IPs would quickly resolve any doubt as to where it originated from. During investigations of such matters, email accounts are only useful in narrowing the parameters ("could person 'X' be sending this")... but the real evidence is the IP address for the connection. This would be resolved long before he was ever approached about such issues.

Not necessarily. Legal proceedings/criminal investigations are notoriously slow, and if the police/feds think you're involved in kiddy porn they're probably going to grab you immediately on probable cause. Sure, it'll get cleared up, but you're still going to have a very unpleasant experience. Granted, the chances of this actually happening if some random person got a hold of your account is probably less than the chances of you getting hit by lightning, but it isn't an impossibility.

Dan Hintz
08-13-2014, 4:04 PM
Not necessarily. Legal proceedings/criminal investigations are notoriously slow, and if the police/feds think you're involved in kiddy porn they're probably going to grab you immediately on probable cause. Sure, it'll get cleared up, but you're still going to have a very unpleasant experience. Granted, the chances of this actually happening if some random person got a hold of your account is probably less than the chances of you getting hit by lightning, but it isn't an impossibility.

Sorry, but no. I have intimate knowledge of how FBI investigations into CP transpire. There must be multiple, actionable loggings of activity, and those activities must be verified to avoid exactly what you describe. If the wrong person is pulled in, a case against the agency is wide open, so they are required to do their due diligence. Mistakes happen, but it's difficult to make them given the process in place.

BTW, stolen accounts (or "specifically created for that purpose" accounts) are often used for such activities, but eventually mistakes are made and the guilty parties are found out.

Curt Harms
08-14-2014, 9:07 AM
Meh, not really. While it may come from his account, the login IPs would quickly resolve any doubt as to where it originated from. During investigations of such matters, email accounts are only useful in narrowing the parameters ("could person 'X' be sending this")... but the real evidence is the IP address for the connection. This would be resolved long before he was ever approached about such issues.

It seems pretty easy to spoof MAC addresses. Is it as easy to spoof IP addresses? I have no clue.

Dan Hintz
08-14-2014, 11:46 AM
Is it as easy to spoof IP addresses? I have no clue.

Extremely (but only up to a specific point). Which is why so much more investigation goes into things. The ISPs are always involved to one degree or another to avoid IP spoofing from causing a case loss.