How secure is your password? Who wins?!


compcons

Platinum Member
Oct 22, 2004
I'd suspect a lot of forum "hacks" are due to more important databases that were cracked, and people reusing login credentials. IOW, a lot of people will use their yahoo login for everything. Search a username, then use the same password from yahoo. Good chances of it working, especially in years past. Hopefully people are getting smarter about it, but I wouldn't put money on it.

This. Threat actors not only use brute force attacks but they compile (and sell) databases/dictionaries of leaked usernames and passwords. So that old Yahoo, Experian, Facebook, etc. breach has helped create lists of valid (at one time) passwords, usernames, or combinations of both that are easily used in attacks. So instead of guessing, the bad guys just repeatedly apply that dictionary to websites to try to gain access to accounts.

Want to know what service from "not-a-security-company-but-we-offer-marginal-security-solutions" allows unlimited log-in attempts by default? It rhymes with "poffice365". The default is unlimited login attempts without account lockout. Bad guys can spend infinite hours throwing dictionaries and random garbage at those accounts. Since so many people use their corporate email for personal things AND recycle passwords between sites, we see compromised accounts in O365 ALL.THE.TIME.

And congratulations on helping add valid passwords to a list of valid passwords that the bad people use to access accounts. If I were a bad guy, this is probably a nice list of passwords to add to the bucket. Now they only have to apply some of the best passwords to all their attempts.

IP address helps since it gives them geo-location so it isn't trivial. So they now know what country/state you are in and your password. Perhaps there are lists of people, their email address and where they live in that Facebook breach? Maybe you re-use your username or parts of it for your on-line banking? Maybe you have re-used that password you just entered into my cool "check your password" site or maybe that site gets breached? Cross referencing that password to my known list could yield some data. Just speculating...

I also am waiting to see someone apply some true analytics to something like the list of passwords to see if there are any subtle indicators on how people choose passwords. That could be an evolutionary step in cracking passwords. Or I could just email you and tell you your credit card bill is due or your mailbox is at quota and link you to a fake site. A lot of people give up the goods on this one. Waaaaay easier than trying to crack a password. I can't spend time hacking. I'm busy. I'm a goddam Nigerian prince with money to give away.
 

Zeze

Lifer
Mar 4, 2011
I'm glad I finally memorized my long ass complex password full of diff symbols and random capitalizations
 

PliotronX

Diamond Member
Oct 17, 1999
This. Threat actors not only use brute force attacks but they compile (and sell) databases/dictionaries of leaked usernames and passwords. So that old Yahoo, Experian, Facebook, etc. breach has helped create lists of valid (at one time) passwords, usernames, or combinations of both that are easily used in attacks. So instead of guessing, the bad guys just repeatedly apply that dictionary to websites to try to gain access to accounts.

Want to know what service from "not-a-security-company-but-we-offer-marginal-security-solutions" allows unlimited log-in attempts by default? It rhymes with "poffice365". The default is unlimited login attempts without account lockout. Bad guys can spend infinite hours throwing dictionaries and random garbage at those accounts. Since so many people use their corporate email for personal things AND recycle passwords between sites, we see compromised accounts in O365 ALL.THE.TIME.

And congratulations on helping add valid passwords to a list of valid passwords that the bad people use to access accounts. If I were a bad guy, this is probably a nice list of passwords to add to the bucket. Now they only have to apply some of the best passwords to all their attempts.

IP address helps since it gives them geo-location so it isn't trivial. So they now know what country/state you are in and your password. Perhaps there are lists of people, their email address and where they live in that Facebook breach? Maybe you re-use your username or parts of it for your on-line banking? Maybe you have re-used that password you just entered into my cool "check your password" site or maybe that site gets breached? Cross referencing that password to my known list could yield some data. Just speculating...

I also am waiting to see someone apply some true analytics to something like the list of passwords to see if there are any subtle indicators on how people choose passwords. That could be an evolutionary step in cracking passwords. Or I could just email you and tell you your credit card bill is due or your mailbox is at quota and link you to a fake site. A lot of people give up the goods on this one. Waaaaay easier than trying to crack a password. I can't spend time hacking. I'm busy. I'm a goddam Nigerian prince with money to give away.
Along with that, 365 has no GeoIP blocking so the script kiddies don't even need to bother with a VPN. I was disturbed when I found that out. We moved larger clients to on prem federation so that we could block IPs and manage IDS.
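The pattern compcons and PliotronX describe above, a leaked list replayed against many accounts from one source with no lockout to stop it, has a recognisable shape in an authentication log. The following is an added example, not code from either poster or from any product named in the thread; the log format, the constructed sample lines and the thresholds are all assumptions. It separates credential stuffing (one source, many different usernames) from classic brute force (one source, one username, many failures) and lists the accounts that logged in successfully from a stuffing source, since those are the ones whose password was evidently in the list and should get a forced reset and MFA challenge:

```python
"""
Spot credential stuffing vs. brute force in authentication logs.
Added example (not from the thread). Log format and thresholds are assumed.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real data). Assumed format:
#   "<timestamp> src=<ip> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=198.51.100.7 user=alice result=fail
2024-01-01T10:00:02 src=198.51.100.7 user=bob result=fail
2024-01-01T10:00:02 src=198.51.100.7 user=carol result=fail
2024-01-01T10:00:03 src=198.51.100.7 user=dave result=fail
2024-01-01T10:00:03 src=198.51.100.7 user=erin result=ok
2024-01-01T10:00:04 src=198.51.100.7 user=frank result=fail
2024-01-01T10:00:10 src=203.0.113.9 user=alice result=fail
2024-01-01T10:00:11 src=203.0.113.9 user=alice result=fail
2024-01-01T10:00:12 src=203.0.113.9 user=alice result=fail
2024-01-01T10:00:13 src=203.0.113.9 user=alice result=fail
2024-01-01T10:00:14 src=203.0.113.9 user=alice result=fail
2024-01-01T10:00:15 src=203.0.113.9 user=alice result=fail
2024-01-01T10:05:00 src=192.0.2.20 user=bob result=fail
2024-01-01T10:05:05 src=192.0.2.20 user=bob result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(log_text: str) -> list:
    """Turn raw lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, stuffing_min_users=5, brute_min_fails=5) -> dict:
    """Per source IP: failures, distinct usernames that failed, and any
    successes that followed failures from the same source."""
    per_ip = defaultdict(lambda: {"fails": 0, "failed_users": set(), "hits": []})
    for e in events:
        s = per_ip[e["ip"]]
        if e["result"] == "fail":
            s["fails"] += 1
            s["failed_users"].add(e["user"])
        elif s["fails"] > 0:
            # a success from a source that has already failed: worth a look
            s["hits"].append(e["user"])

    report = {}
    for ip, s in per_ip.items():
        if len(s["failed_users"]) >= stuffing_min_users:
            verdict = "credential_stuffing"   # one source, many accounts
        elif s["fails"] >= brute_min_fails and len(s["failed_users"]) == 1:
            verdict = "brute_force"           # one source, one account
        else:
            verdict = "normal"                # e.g. a user mistyping once
        report[ip] = {
            "verdict": verdict,
            "fails": s["fails"],
            "distinct_users": len(s["failed_users"]),
            "hits": s["hits"],
        }
    return report


def accounts_to_review(report: dict) -> list:
    """Accounts that logged in from a stuffing source: the password was in
    the replayed list, so force a reset and an MFA challenge."""
    out = set()
    for r in report.values():
        if r["verdict"] == "credential_stuffing":
            out.update(r["hits"])
    return sorted(out)


if __name__ == "__main__":
    rep = classify_sources(parse(SAMPLE_LOG))
    for ip, r in rep.items():
        print(ip, r)
    print("review:", accounts_to_review(rep))
```

The thresholds of five are illustrative; in production the counts are keyed to a sliding time window and the verdicts feed the rate limiter or lockout policy that the poster notes is off by default. The GeoIP check PliotronX mentions would be one more field on the same per-source record.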
 

Chaotic42

Lifer
Jun 15, 2001
My password:

(~R∊R∘.×R)/R←1↓ιR←{↑1 ⍵∨.∧3 4=+/,¯1 0 1∘.⊖¯1 0 1∘.⌽⊂⍵}■ □ ▢ ▣ ▤ ▥ ▦ ▧ ▨ ▩ ▪ ▫ ▬ ▭ ▮ ▯U+25Bx ▰ ▱ ▲△

would take 18,478,120,470 NONAGINTILLION YEARS to break.
 

paperfist

Diamond Member
Nov 30, 2000
Semi-related: I had a customer say that they were recently told to change their password for xyz and because that password was similar/same as for a few other sites, they decided to go on a password-changing binge.

Now I would have thought that common sense would have kicked in and they would think "what's the best way to do this" (i.e. better take some notes etc), but no. They just went ahead and started password resetting. Could they remember the new password for one of those sites? No.

I have to admit I've done that before. Not mass password change, but I usually write the rather complex ones down and a few times I marked the sites they were for down wrong.

I'd suspect a lot of forum "hacks" are due to more important databases that were cracked, and people reusing login credentials. IOW, a lot of people will use their yahoo login for everything. Search a username, then use the same password from yahoo. Good chances of it working, especially in years past. Hopefully people are getting smarter about it, but I wouldn't put money on it.

I tend to use the same somewhat easy password on 'spam' sites that don't seem high value to me. It's linked to an email other than my main. It's worked great for a long time, but recently on a dating site I use, someone 'hacked' my account and made me into a woman. I can't believe they guessed my password. Now I've had to change what seems like millions of them.
 

lxskllr

No Lifer
Nov 30, 2004
I have to admit I've done that before. Not mass password change, but I usually write the rather complex ones down and a few times I marked the sites they were for down wrong.

I tend to use the same somewhat easy password on 'spam' sites that don't seem high value to me. It's linked to an email other than my main. It's worked great for a long time, but recently on a dating site I use, someone 'hacked' my account and made me into a woman. I can't believe they guessed my password. Now I've had to change what seems like millions of them.
A password manager makes it easy. I like the keepass variants, and use them on my phone as well as traditional computers. Come up with one ridiculous password you can remember for your database, and let keepass make completely unmemorable passwords for various sites. I also use keepass to store notes, and prepaid credit card numbers with running account balances.
 

paperfist

Diamond Member
Nov 30, 2000
A password manager makes it easy. I like the keepass variants, and use them on my phone as well as traditional computers. Come up with one ridiculous password you can remember for your database, and let keepass make completely unmemorable passwords for various sites. I also use keepass to store notes, and prepaid credit card numbers with running account balances.

I've been using Dashlane, but I didn't go back to change the old simple passwords I had. Dashlane can be a PITA when you want it to change passwords for you. I'll have to check out keepass, thanks.
 

lxskllr

No Lifer
Nov 30, 2004
I've been using Dashlane, but I didn't go back to change the old simple passwords I had. Dashlane can be a PITA when you want it to change passwords for you. I'll have to check out keepass, thanks.
Keepass /may/ be more primitive than what you're used to. AFAIK, it doesn't do form filling, or anything like that. I honestly haven't looked though. I like keeping the bits separate, and doing copy/pastes to enter data. Keeps it simple with fewer moving parts to break. Also, there's no syncing. I copy my database between devices, and keep it on a cloud locker.
 

Red Squirrel

No Lifer
May 24, 2003
This just reminded me I have a login system that still uses MD5, I need to switch that to bcrypt. It's just a pain because you need to install 3rd party libraries for that, so I have not gotten a chance to look into it yet.
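Red Squirrel's situation above (a login table still holding MD5 hashes, and an upgrade waiting on a library that is not installed yet) has two standard halves, and the added example below shows both. It is not Red Squirrel's code; it uses hashlib.pbkdf2_hmac from the Python standard library as a stand-in for bcrypt so it runs with no third-party package, and the record format ("scheme$iterations$salt$hash") and the iteration count are assumptions. Path 1 wraps every existing MD5 digest inside the slow hash immediately, without knowing any plaintext, so the whole table stops being cheap to attack offline on day one; path 2 re-hashes each user natively the next time they log in, when the plaintext is briefly in hand:

```python
"""
Migrating a login table from unsalted MD5 to a slow, salted password hash.
Added example, not Red Squirrel's code. hashlib.pbkdf2_hmac (standard
library) stands in for bcrypt; the record format
"scheme$iterations$salt_b64$hash_b64" and the work factor are assumed.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; tune so one hash costs ~100 ms on your server


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _pbkdf2(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def legacy_md5(password: str) -> str:
    """What the old table stores (assumed legacy format): unsalted hex MD5."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Native record for a password we currently hold in plaintext."""
    salt = os.urandom(16)
    digest = _pbkdf2(password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(digest))


def wrap_legacy(stored: str) -> str:
    """Path 1: upgrade a row right now, with no plaintext available.
    The MD5 hex digest becomes the secret fed to PBKDF2, so an attacker who
    steals the table must pay the slow hash per guess even for users who
    never log in again."""
    if not stored.startswith("md5$"):
        raise ValueError("not a legacy MD5 record")
    salt = os.urandom(16)
    digest = _pbkdf2(stored[4:].encode(), salt, ITERATIONS)
    return "pbkdf2_md5$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(digest))


def verify(password: str, stored: str) -> bool:
    """Check a password against any of the three record formats."""
    scheme, rest = stored.split("$", 1)
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), rest)
    if scheme not in ("pbkdf2", "pbkdf2_md5"):
        return False
    iters, salt_b64, digest_b64 = rest.split("$")
    secret = password.encode()
    if scheme == "pbkdf2_md5":
        # wrapped rows: reproduce the legacy digest, then the slow hash
        secret = hashlib.md5(password.encode()).hexdigest().encode()
    calc = _pbkdf2(secret, base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(calc, base64.b64decode(digest_b64))


def verify_and_upgrade(password: str, stored: str):
    """Path 2: at login the plaintext is in hand, so verify against whatever
    the row holds and hand back a fresh native record to write to the table.
    Returns (ok, new_record_or_None); None means nothing to rewrite."""
    if not verify(password, stored):
        return False, None
    if stored.startswith("pbkdf2$") and int(stored.split("$")[1]) >= ITERATIONS:
        return True, None
    return True, hash_password(password)


if __name__ == "__main__":
    row = legacy_md5("correct horse battery")   # constructed legacy row
    row = wrap_legacy(row)                       # day one: bulk wrap offline
    ok, fresh = verify_and_upgrade("correct horse battery", row)
    print(ok, fresh.split("$")[0])               # True pbkdf2
```

The wrapped scheme is kept as a distinct label so the login path knows to run MD5 first, and the iteration count is stored in each record so the work factor can be raised later and old rows re-hashed on their next login by the same `verify_and_upgrade` check. Swapping in bcrypt later means changing `_pbkdf2` and the scheme label, not the migration logic.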
 

ImpulsE69

Lifer
Jan 8, 2010
Semi-related: I had a customer say that they were recently told to change their password for xyz and because that password was similar/same as for a few other sites, they decided to go on a password-changing binge.

Now I would have thought that common sense would have kicked in and they would think "what's the best way to do this" (i.e. better take some notes etc), but no. They just went ahead and started password resetting. Could they remember the new password for one of those sites? No.

Unfortunately there is no 'great' way to create and/or reset/remember passwords. The thing that no one really talks about is that there are so many ways around not even needing the password. If someone wants in, they'll get in eventually. The "50 million years" might be correct for the password itself, but what about the tech behind the password on the hosting side?
 

Red Squirrel

No Lifer
May 24, 2003
Also have to remember that when they say it takes NN years they mean with consumer hardware. If an alphabet agency like the CIA or NSA wants to crack something, they'll do it with their computing farms and it will take a fraction of the time. These agencies have virtually unlimited resources and budgets. If they want something, they'll get it.
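Red Squirrel's point about hardware is the main caveat on every "NN years" figure in this thread: the number is just the size of the search space divided by an assumed guess rate, so it shrinks by exactly the factor the guess rate grows. The added example below is not any poster's code; the two guess rates are assumed order-of-magnitude figures rather than measurements, and the charset sizing is a deliberately crude character-class estimate. It computes the figure for a password under both rates, shows it collapsing to zero for anything already in a leaked list (compcons's earlier point), and generates the kind of uniformly random password a manager produces, which is the only case where the entropy arithmetic actually applies:

```python
"""
Search-space arithmetic behind the "NN years to crack" figures.
Added example, not from the thread. Guess rates are assumed
order-of-magnitude numbers for an offline attack on a fast hash.
"""
import math
import secrets
import string

# Assumed guesses per second (illustrative, not measured).
GUESS_RATES = {
    "single consumer GPU": 1e10,
    "large cracking farm": 1e15,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Crude estimate: sum of the sizes of the character classes the
    password draws from (an attacker's mask would be at least this wide)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if any(ord(c) > 127 for c in password):
        size += 1000  # assumption: a generous pool for non-ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Bits of search space if every character were chosen uniformly from
    the estimated charset. Human-chosen passwords are far weaker than this
    suggests: dictionaries and mangling rules cut the space long before a
    mask attack would."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case: the whole space is enumerated. Expected time to hit one
    particular password is half this."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def estimate(password: str, leaked=frozenset()) -> dict:
    """Years to exhaust at each assumed rate. A password that sits in a
    leaked list costs zero guesses however long it is: the list is simply
    replayed."""
    if password in leaked:
        return {name: 0.0 for name in GUESS_RATES}
    bits = entropy_bits(password)
    return {name: years_to_exhaust(bits, rate) for name, rate in GUESS_RATES.items()}


DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """What a password manager does: uniform choice from a CSPRNG, so the
    entropy figure above is actually earned rather than assumed."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    constructed_leak = {"Summer2018!", "P@ssw0rd"}   # constructed sample list
    for pw in ("Summer2018!", "Tr0ub4dor&3", generate(20)):
        years = {k: "%.3g" % v for k, v in estimate(pw, constructed_leak).items()}
        print(pw, years)
```

Moving from the first assumed rate to the second divides every figure by 100,000, which is the whole of Red Squirrel's point; a slow hash on the server side (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) is what pulls the guess rate back down by a comparable factor, and it is the only lever the site operator controls.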
 

Thebobo

Lifer
Jun 19, 2006
A password manager makes it easy. I like the keepass variants, and use them on my phone as well as traditional computers. Come up with one ridiculous password you can remember for your database, and let keepass make completely unmemorable passwords for various sites. I also use keepass to store notes, and prepaid credit card numbers with running account balances.

Agree, it's so much easier with a password manager. I've been using LastPass for about 5 years now.
 

lxskllr

No Lifer
Nov 30, 2004
Also have to remember that when they say it takes NN years they mean with consumer hardware. If an alphabet agency like the CIA or NSA wants to crack something, they'll do it with their computing farms and it will take a fraction of the time. These agencies have virtually unlimited resources and budgets. If they want something, they'll get it.
Maybe, maybe not. They had to pay hackers to get into Farook's iPhone, using a flaw. With enough attention, a lot of things are breakable, even if it's not a direct attack, but it isn't guaranteed.

I believe there's an ongoing cp case in PA that's at a stalemate due to being unable to crack a truecrypt volume. That's not the NSA, and perhaps the NSA won't get involved since they don't want to give up some sweet tools. Hard to say, but encrypting and following good security procedures is better than not. You can only do your best, or at least give good effort.
 

JujuFish

Lifer
Feb 3, 2005
Since we're talking about password managers, you could further secure yourself by using authentication hardware like YubiKey or Google's new Titan, if your password manager allows it.
 

Belegost

Golden Member
Feb 20, 2001
I change my password at work on an IT enforced 6 month schedule, so I put a previous one in: 145T year. 18 alphanumeric with varying case.
 

mikeymikec

Lifer
May 19, 2011
I change my password at work on an IT enforced 6 month schedule

Maybe your IT department will at some point take off their clown shoes. I am amazed that there are still people who think they're "in the biz" who still think this is a good idea; it would be almost as ridiculous as some IT department geek who thinks that constant defragging is going to make the computers faster because they read that in a 90s computer mag.
 

snoopy7548

Diamond Member
Jan 1, 2005
Maybe your IT department will at some point take off their clown shoes. I am amazed that there are still people who think they're "in the biz" who still think this is a good idea; it would be almost as ridiculous as some IT department geek who thinks that constant defragging is going to make the computers faster because they read that in a 90s computer mag.

Our IT department at work instituted a new password system about a year ago and it sucks. I think we need to reset our passwords every three months, it needs to be at least eight characters, with at least one symbol, uppercase letter, and numeric character, and cannot resemble any of our last three passwords.

They've also instituted a policy block (per some industry-standard regulation one of our larger customers requested) on all external storage devices - insert a flash drive into your PC and it's blocked. At least they've temporarily allowed flash drives for my department (R&D) because without flash drives it would be a huge hassle to do parts of our job. This one is absolute BS as I looked up the standard and external storage devices are allowed if a database of them is maintained; our IT department is just being lazy.

I also heard that we're starting a new computer rotation policy. Every six months or something employees get a brand new laptop and their old one is passed down to new employees. This is pissing a lot of people off because our IT department typically sucks at installing every program we need, and we have next to zero rights on our laptops, not even power user privileges, so we need to submit a ticket for every little thing like removing desktop icons from the Public Desktop folder.
 

compcons

Platinum Member
Oct 22, 2004
Reading the title only my response is:

The bad guys who set up a bogus "password evaluation" page to collect legitimate passwords so they can sell them on the dark web.
 

Rifter

Lifer
Oct 9, 1999
Well, it says 24 TREDECILLION YEARS so I think I'm good.

A few years ago when all this "you need one upper case, one lower case, at least one number" crap started I just started using random UUIDs for my passwords and keep them written down both at home and in my safety deposit box.
 

mikeymikec

Lifer
May 19, 2011
Reading the title only my response is:

The bad guys who set up a bogus "password evaluation" page to collect legitimate passwords so they can sell them on the dark web.

That had occurred to me too, an only slightly less obvious hunter2 scenario :) Combine it with some browser privacy safeguard bypasses to read off people's current webmail/fb login details...