AnandTech Forums > Software > Security
12-05-2012, 05:30 PM   #1
Chiefcrowe
Diamond Member
Join Date: Sep 2008
Posts: 3,664
Update: New 25 GPU Monster Devours Passwords In Seconds

http://securityledger.com/new-25-gpu...rds-in-seconds
12-05-2012, 09:12 PM   #2
mechBgon
Super Moderator
Elite Member
Join Date: Oct 1999
Posts: 30,699

And this is a possible reason to periodically change one's passwords on high-priority sites. Let's say my bank's servers get pwned and the attackers steal password hashes from the bank's servers. If it'll take them two months to crack my encrypted password from its hash, but I change it every month as a policy, then I've defeated the attack a month in advance without even realizing it.

From the previous article Chiefcrowe posted, Hashcat also prioritizes on certain human-generated patterns, and millions of common human-generated passwords are already known by their hash based on the cracking of large batches of passwords in the past. Typical "leetspeak" substituting numerals for characters, or symmetrical or keyboard-patterned passwords, and so forth have been arbitrarily identified as easy prey.

Using an "inhuman" password like KQ63m7pP2Jjw1$Q means they really will have to brute-force the whole keyspace to guarantee a solution, whereas D3nv3rBr0nc0s is likely to be already known by its hash, based on cracking of previous batches of leaked passwords. Adding high-ANSI characters like and ™ force the attacker to take on an expanded keyspace as well. These techniques on an adequate-length password will make an attacker's job difficult.

The question is how to switch to strong "inhuman" passwords without losing your mind. Personally I use biometrics, namely a fingerprint reader with software that remembers my crazy passwords and auto-enters them in most situations with a finger swipe. I've heard good remarks about LastPass and KeePass too, but haven't tried them yet.
12-06-2012, 11:32 AM   #3
Chiefcrowe
Diamond Member
Join Date: Sep 2008
Posts: 3,664

Good call mech - changing passwords often definitely is a good idea.

I really like KeePass, you should try it out.
12-12-2012, 06:47 PM   #4
AdvancedSetup
Junior Member
Join Date: Dec 2012
Location: USA
Posts: 9

Thumbs up for KeePass - I agree and have used it for years now in Corporate business

keepass.info

Just have to be careful as some forums with older software or other limitations seem to limit the password size to only 12 characters and won't allow any special characters.

As long as the site allows it you can easily use very strong passwords - the draw back is if you're traveling or at some other remote location you won't know the password to login.

?w?ʰ%;P?}?+?6`W?v{$G
12-15-2012, 10:48 PM   #5
John Connor
Diamond Member
Join Date: Nov 2012
Location: Somewhere with an encrypted radio mocking the NSA
Posts: 7,543

I use something called Pwdhash developed by a guy at Stanford. It's an add-on for Firefox. Check it out. https://addons.mozilla.org/en-US/fir...sh/?src=search
12-16-2012, 05:55 AM   #6
lxskllr
Lifer
Join Date: Nov 2004
Location: Somewhere over the rainbow
Posts: 38,435

Quote:
Originally Posted by John Connor
I use something called Pwdhash developed by a guy at Stanford. It's an add-on for Firefox. Check it out. https://addons.mozilla.org/en-US/fir...sh/?src=search
That looks interesting, but how is the disaster recovery? Can you recover the passwords if something happens to your system? I've had password managers in my head for a while now, and finally set up KeePass last night. I went with the 1.x portable version as it has fewer dependencies, and I can easily use the same package on GNU/Linux or Windows. For backup, I put it on Dropbox and I'll spread it around a few thumb drives. To use a backup, I just have to open the folder and start using it. Everything's self-contained, and if someone gets my file, they likely won't have anything useful. My password protecting KeePass is uber long.

I've been resistant to using a password manager because I think it promotes lazy thinking. You can lose track of what you've done where, and if the technology fails, you don't have a starting point to correct it. On the other hand, I reuse passwords, which can be bad. I have them segregated by strength for different purposes, but some are still reused. A little bit of bad luck could compromise my system, so here I am trying a password manager.
12-16-2012, 09:41 PM   #7
bononos
Platinum Member
Join Date: Aug 2011
Posts: 2,563

Quote:
Originally Posted by mechBgon
.....

The question is how to switch to strong "inhuman" passwords without losing your mind. Personally I use biometrics, namely a fingerprint reader with software that remembers my crazy passwords and auto-enters them in most situations with a finger swipe. I've heard good remarks about LastPass and KeePass too, but haven't tried them yet.
This is why I hate frequent password changes (some banks do that) because you'll need some type of password manager to keep up. And I don't like opening keepass for every login or bank transactions.

I'm thinking of only adding/changing the 'inhuman' part of a 2 part password and writing that part down in a book on my desk. If I wrote in a book (say a bible) at a certain page, I should be ok.
12-17-2012, 02:23 AM   #8
AdvancedSetup
Junior Member
Join Date: Dec 2012
Location: USA
Posts: 9

Reuse of passwords or using the same one on multiple sites is bad. I get users seeking help every once in a while on our forum where someone got their password and now was able to modify stuff in all their other accounts and pretty much block them from accessing or fixing it easily.

Everyone has to make their own choice for security but myself I've been putting up with the annoyance of having to open Keepass for passwords now for many years. I have accounts on numerous sites and different business networks and all of them have different passwords and all of them are very strong and get changed semi frequently. Without Keepass I cannot get into most accounts but I'm okay with that as it keeps me safe. Even if someone were to somehow break into one of my accounts they would not have access to any other accounts.

Digital Safety requires diligence in today's technological World.
12-20-2012, 07:33 PM   #9
AkumaX
Lifer
Join Date: Apr 2000
Posts: 12,515

Quote:
Originally Posted by AdvancedSetup
Thumbs up for KeePass - I agree and have used it for years now in Corporate business

keepass.info

Just have to be careful as some forums with older software or other limitations seem to limit the password size to only 12 characters and won't allow any special characters.

As long as the site allows it you can easily use very strong passwords - the draw back is if you're traveling or at some other remote location you won't know the password to login.

?w?ʰ%;P?}?+?6`W?v{$G
how did you know my password?!
12-20-2012, 10:44 PM   #10
wirednuts
Diamond Member
Join Date: Jan 2007
Posts: 7,121

It really is getting annoying. I use a password manager, and that's annoying enough, but now I have to change my passwords every month? I have over 100 entries! Most of them are low-risk sites, but I probably have 20 sites with personal info, and that's just a pain to keep changing them.

I wish there was a better way...
12-20-2012, 10:45 PM   #11
kache
Senior Member
Join Date: Nov 2012
Location: Travelling, from Italy
Posts: 486

Quote:
Originally Posted by wirednuts
It really is getting annoying. I use a password manager, and that's annoying enough, but now I have to change my passwords every month? I have over 100 entries! Most of them are low-risk sites, but I probably have 20 sites with personal info, and that's just a pain to keep changing them.

I wish there was a better way...
Biometric signature!
But that's gonna take a long while.
01-08-2013, 01:13 PM   #12
Ryland
Platinum Member
Join Date: Aug 2001
Posts: 2,571

What I don't get is why the initial hash used to generate the keyfile isn't different between sites. This would cause a stolen hash file from one site to be completely useless on another site since the hash for the same password would be different.
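Ryland's question is what per-user salting addresses, and it also ties back to mechBgon's point that common passwords are "already known by their hash". The following is an added example, not code from the thread or from any tool mentioned in it: it stores the same password at two "sites" under a bare-hash scheme and under a salted PBKDF2 scheme, then checks whether the stored values collide and whether a constructed table of previously cracked hashes matches them. The table contents, the iteration count and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ROUNDS = 100_000  # PBKDF2 iterations; chosen for the example, tune per deployment

# Constructed stand-in for the "already known by their hash" tables mechBgon
# describes: unsalted SHA-1 of passwords recovered from earlier leaks.
KNOWN_UNSALTED = {
    hashlib.sha1(p.encode()).hexdigest(): p
    for p in ["password", "D3nv3rBr0nc0s", "letmein"]
}

def store_unsalted(password: str) -> str:
    """Weak scheme: a bare hash. Same password => same hash at every site."""
    return hashlib.sha1(password.encode()).hexdigest()

def lookup_known(stored_hash: str) -> Optional[str]:
    """What someone holding a leaked hash file and a table of known hashes does."""
    return KNOWN_UNSALTED.get(stored_hash)

def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF. Returns (salt, derived_key);
    both are stored alongside the account, and the salt is not secret."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, key

def verify_salted(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, key)

def same_password_two_sites(password: str) -> dict:
    """Register one password at two sites under each scheme and report whether
    the stored values collide and whether the known-hash table hits."""
    u1, u2 = store_unsalted(password), store_unsalted(password)
    s1, k1 = store_salted(password)
    s2, k2 = store_salted(password)
    return {
        "unsalted_identical": u1 == u2,
        "unsalted_known_hit": lookup_known(u1) == password,
        "salted_identical": k1 == k2,
        "salted_known_hit": lookup_known(k1.hex()) is not None,
        "salted_verifies": verify_salted(password, s1, k1) and verify_salted(password, s2, k2),
    }
```

Calling `same_password_two_sites("D3nv3rBr0nc0s")` shows the unsalted hash identical at both sites and present in the known table, while the two salted records differ from each other and match nothing precomputed, yet both still verify the correct password.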
01-09-2013, 12:06 AM   #13
mechBgon
Super Moderator
Elite Member
Join Date: Oct 1999
Posts: 30,699

Quote:
Originally Posted by Ryland
What I don't get is why the initial hash used to generate the keyfile isn't different between sites. This would cause a stolen hash file from one site to be completely useless on another site since the hash for the same password would be different.
For one thing, if they can back the password out of the hash at a sensitive site, that's bad enough right there, even if it doesn't help them anywhere else. Hey, where'd my WoW stuff go, where'd the money in my PayPal account go, etc.

Secondly, if the account they compromise is your "master" email account, where the password-reset request from your bank/PayPal/MMORPG would arrive, then they can commence trying to take over those accounts.

Third, some people use the same password at multiple sites, so if they can back the real password out of an unimportant site's hash (your account with Domino's Pizza or whatever), and you happen to use the same password for a critical account like your bank, then they can log in as you with the password they cracked from Domino's, or whatever.
01-12-2013, 10:54 AM   #14
Dravic
Senior Member
Join Date: May 2000
Posts: 887

Quote:
Originally Posted by mechBgon
And this is a possible reason to periodically change one's passwords on high-priority sites. Let's say my bank's servers get pwned and the attackers steal password hashes from the bank's servers. If it'll take them two months to crack my encrypted password from its hash, but I change it every month as a policy, then I've defeated the attack a month in advance without even realizing it.

When I was a senior info sec officer at a bank, we required all passwords to be changed every 28 days with an 8+ password history. Poor password choices and quickly shrinking password crack times were the biggest reasons... That was 9 years ago.
01-13-2013, 10:22 PM   #15
power_hour
Senior Member
Join Date: Oct 2010
Location: nowhere important
Posts: 789

Phase phrase in a dialect that is misspelled will require brute force.

Increasingly, institutions are requiring additional security questions be answered even after entering the password correctly. There are obvious pros/cons to this extra layer. But I think it's a good one.

The biggest thing one can do to protect themselves is ensure that their main email account is monitored carefully. Losing this could be really bad. You need to make sure this baby has a minimum of 12 random characters. Never use the same password from another site on it, ever. And never log in to it over free wifi unless you're using a VPN. That free wifi ain't free...
01-14-2013, 03:20 PM   #16
imported_paulc871
Member
Join Date: Feb 2009
Posts: 28

That's fast!