Need a new password? Don't choose one of these 306 million

Mike64

Platinum Member
Apr 22, 2011
2,108
101
91
Is this just some sort of extension of the general maxim "don't use words that appear in any dictionary"? 'Cos otherwise, while I may just be as dim as a 10 year old fluorescent bulb, I don't see what the fact that "a" password used in conjunction with "some" UID was "once" pwned has to do with anything?
 
Last edited:

PeterRoss

Member
May 31, 2017
81
5
11
I am glad they finally released the list to the public. I am also glad only my old passwords are compromised instead of the new ones, I was slightly paranoid.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,055
198
116
Basically what they are getting at is you shouldn't use any old passwords that may have been compromised or are on that list. Since people who are trying to break into these accounts probably have huge lists that are in the public domain, it is safest to generate new passwords, preferably using a random generator in a password manager.


Is this just some sort of extension of the general maxim "don't use words that appear in any dictionary"? 'Cos otherwise, while I may just be as dim as a 10 year old fluorescent bulb, I don't see what the fact that "a" password used in conjunction with "some" UID was "once" pwned has to do with anything?
 

PeterRoss

Member
May 31, 2017
81
5
11
Considering they have all this available information, anyone with more knowledge and computing power can brute-force through specific password groups, making entry to your devices/log-ins that much easier.
 

HutchinsonJC

Senior member
Apr 15, 2007
467
207
126
I don't see what the fact that "a" password used in conjunction with "some" UID was "once" pwned has to do with anything?

Most common passwords are already part of dictionary password attacks. Things like baseball, qwerty, password1, etc. Now that all of these passwords are public domain, they can be included in future similar attacks.

Which means if Bob used to always use superduper007 as a password for steam (example only), and it was compromised and on this list, you can expect that if Sue, John, or anyone else uses superduper007 as their password, it'll easily be cracked in any dictionary attack, even if superduper007 was a super complex and unobvious password, and even if superduper007 was some kind of password that was complete gibberish... and in no way or part included any real meaningful words in any language.

There's an Active Directory file that, if stolen or handed over, the bad guys can run all the processing power they want against to check for what any users of that domain might be using for passwords. And without the restrictions that usually come from trying to log in locally on that domain or through the usual remote login, something like "3 tries and you're locked out" goes out the window; they can try as hard as they care to try, unhindered, while in possession of such a file.

If I glance at an article I've got open at the moment, I see a password that was 9 characters in length that, by a brute force attack, would have taken roughly 4 years to break back in 2000. In 2016, that same password would take almost 3 months. I don't know what type of hardware they used for their figures, if they used any at all, but the point is to show how advances in technology have weakened passwords over the years.

As time continues on, and password lists are disclosed and processing power becomes more powerful, you can expect that darn near any password less than 12 to 14 characters in length will not be remotely classified as safe. I mean, there's a pretty sizeable amount of safety in most fairly complex passwords as long as the attacker is using the same methods you'd usually use to login because of rules like "3 times and you're locked out". It's not particularly practical for hackers to use that approach, though... and the big hackers likely won't even bother with that method. They want those big encrypted password files/databases where they can run their dictionary or brute force methods against the file all day long on their local machine... without having to even go over a network for each password attempt.

2 factor login will increase in popularity as a result: Logins that require you to enter a silly pass phrase or set of numbers that will be texted to your phone (you would have provided/setup the phone number before hand), or some kind of app that produces a code to be entered, etc.
 
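The post above argues that once a password is on a public leak list it is effectively a dictionary word, whoever uses it. The defender's counterpart is to check new passwords against such a list before accepting them. The following is an added example written for this thread, not code from the original post or from any breach-list service. It assumes a locally held list of SHA-1 hashes of leaked passwords (here a constructed four-entry stand-in) and shows the hash-prefix lookup: only the first five hex characters of the hash are used to select candidates, and the caller compares the remaining suffix itself, so the full password hash never has to be disclosed to whatever holds the list. The `range_lookup` function stands in for that server side.

```python
"""Password-policy check against a breached-password hash list.

Added example; not part of the forum thread. The hash list below is
constructed for illustration and stands in for a downloaded leak list of
hundreds of millions of SHA-1 hashes.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the format leak lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample of "leaked" passwords, stored only as hashes.
_SAMPLE_LEAKED = ["password1", "qwerty", "baseball", "superduper007"]
BREACHED_SHA1 = {sha1_hex(p) for p in _SAMPLE_LEAKED}


def build_range_index(hashes):
    """Group hashes by their 5-hex-char prefix, as a range endpoint would."""
    index = defaultdict(list)
    for h in hashes:
        index[h[:5]].append(h[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_SHA1)


def range_lookup(prefix: str, index=RANGE_INDEX):
    """Stand-in for the list holder: return every suffix under a prefix.

    The caller only ever sends this 5-character prefix, never the full hash.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return list(index.get(prefix.upper(), []))


def is_breached(password: str, lookup=range_lookup) -> bool:
    """True if the password's SHA-1 appears in the breached list."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    # Compare the suffix locally; the lookup never learns which one matched.
    return suffix in lookup(prefix)


def check_policy(password: str, min_length: int = 12, lookup=range_lookup):
    """Return a list of reasons a password should be rejected (empty = ok)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if is_breached(password, lookup):
        reasons.append("appears in breached-password list")
    return reasons


if __name__ == "__main__":
    for candidate in ["qwerty", "superduper007", "correct horse battery staple"]:
        print(candidate, "->", check_policy(candidate) or "accepted")
```

Note that a leaked password fails the check regardless of how complex it looks: `superduper007` is rejected here for being on the list, not for its length. A real deployment would run this at password-set time and, for existing accounts, as an offline sweep of stored hashes that use the same algorithm.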

JimKiler

Diamond Member
Oct 10, 2002
3,561
206
106
Most common passwords are already part of dictionary password attacks. Things like baseball, qwerty, password1, etc. Now that all of these passwords are public domain, they can be included in future similar attacks.

Which means if Bob used to always use superduper007 as a password for steam (example only), and it was compromised and on this list, you can expect that if Sue, John, or anyone else uses superduper007 as their password, it'll easily be cracked in any dictionary attack, even if superduper007 was a super complex and unobvious password, and even if superduper007 was some kind of password that was complete gibberish... and in no way or part included any real meaningful words in any language.

There's an Active Directory file that, if stolen or handed over, the bad guys can run all the processing power they want against to check for what any users of that domain might be using for passwords. And without the restrictions that usually come from trying to log in locally on that domain or through the usual remote login, something like "3 tries and you're locked out" goes out the window; they can try as hard as they care to try, unhindered, while in possession of such a file.

If I glance at an article I've got open at the moment, I see a password that was 9 characters in length that, by a brute force attack, would have taken roughly 4 years to break back in 2000. In 2016, that same password would take almost 3 months. I don't know what type of hardware they used for their figures, if they used any at all, but the point is to show how advances in technology have weakened passwords over the years.

As time continues on, and password lists are disclosed and processing power becomes more powerful, you can expect that darn near any password less than 12 to 14 characters in length will not be remotely classified as safe. I mean, there's a pretty sizeable amount of safety in most fairly complex passwords as long as the attacker is using the same methods you'd usually use to login because of rules like "3 times and you're locked out". It's not particularly practical for hackers to use that approach, though... and the big hackers likely won't even bother with that method. They want those big encrypted password files/databases where they can run their dictionary or brute force methods against the file all day long on their local machine... without having to even go over a network for each password attempt.

2 factor login will increase in popularity as a result: Logins that require you to enter a silly pass phrase or set of numbers that will be texted to your phone (you would have provided/setup the phone number before hand), or some kind of app that produces a code to be entered, etc.

Current 2 factor authentication is not the answer, it can be hacked and I don't want to have a phone to log in to every web site or app.
 

HutchinsonJC

Senior member
Apr 15, 2007
467
207
126
I'm not aware of any glaring issues with 2 factor such that it can be hacked. The point of it is that you need two things to login: Your password (which only you should know - unless it's part of one of these big databases stolen and brute/dictionary attacked) and the code or phrase on your phone in the form of a text message or from within an app, which even if hacked... they still need your password. It's basically impossible for 2 factor to be less secure than simply entering a password.

*Edit* If you're talking about SS7 issues (phone system/signaling issues), you have a relatively minor point. Though truthfully, it's not the 2 factor being hacked specifically, it's phone systems being hacked and then data being sent across being snooped on. The people targeting you after intercepting a code texted to you would have to likely really know you for them to specifically target your computer for malware to steal your password ('cause they need that too). And then you'd have to click/open the malware attachment assuming they didn't already have physical access to your computer to do that for you*End Edit*

Nobody likes added complexities to access their information: Must contain a cap, a number, a symbol, no spaces, and can not be one of the last 3 passwords used... then on top of that you need your code provided by your phone app.

A lot of these complexities result in weaker passwords for a lot of people because they're sick of memorizing so many different complex passwords for that 28th web site, app, service, etc they sign up for. So they rotate through the same handful of passwords for all 28 sites.

It's that, or you use password managers: You end up with HUGE portions of your life at the mercy of an app on your phone or addon/extension on a computer to track/memorize/create passwords for you. How will some of these people cope if their phone is stolen and never to be seen again?
 
Last edited:

Mike64

Platinum Member
Apr 22, 2011
2,108
101
91
Basically what they are getting at is you shouldn't use any old passwords that may have been compromised or are on that list. Since people who are trying to break into these accounts probably have huge lists that are in the public domain, it is safest to generate new passwords, preferably using a random generator in a password manager.
Most common passwords are already part of dictionary password attacks. Things like baseball, qwerty, password1, etc. Now that all of these passwords are public domain, they can be included in future similar attacks.

Which means if Bob used to always use superduper007 as a password for steam (example only), and it was compromised and on this list, you can expect that if Sue, John, or anyone else uses superduper007 as their password, it'll easily be cracked in any dictionary attack, even if superduper007 was a super complex and unobvious password, and even if superduper007 was some kind of password that was complete gibberish... and in no way or part included any real meaningful words in any language.
Maybe I should've used the word "lexicon" rather than dictionary (since the relevant fact in this context is that the "words" are in a "publicly available list", rather than that they're "defined" in one way or another), but in other words, the answer to my question: "Is this just some sort of extension of the general maxim "don't use words that appear in any dictionary"? is "yes". ;)
 

PeterRoss

Member
May 31, 2017
81
5
11
It is only natural that passwords, in general, are a less secure measurement. With all of the techniques and capabilities that modern hacks expose, it is normal that security evolves past one device and one password. And even a sequence of passwords is significantly more secure, and adding other devices, on-demand confirmation codes and other means of protection is a good solid step forward.

Also, I do not trust password managers myself... As Hutchinson stated just before, being at the mercy of other people or an application to protect you is simply way too much risk.
 

HutchinsonJC

Senior member
Apr 15, 2007
467
207
126
While I've never relied upon password managers, I can see where it would be possible to program them in such a way to allow the option to export or backup the information it manages. Assuming any managers allow for this, and assuming you're smart enough to monthly (at least) make such backups or exports, I think they'd probably be fine as long as the password you set on the manager itself is something you don't use anywhere else. The backups you make should definitely be saved on a separate device or two (a backup to the same device is useless if that device is stolen, lost, or irreparably damaged.)

If the manager saves all your passwords to the cloud, I know for me that my personal response to using it would be: "Forget that!"

With all the hacks that happen: Yahoo, Albertsons, KMart, etc

Even if I look beyond me and my preferences and assume that password managers offer exportation/backup features and aren't hosted in the cloud, people in general are oblivious to the full options available to them [backups in this case] (in most apps/software/websites), or are too trusting to the point they disregard any/all precautionary measures with no real understanding of where that trust potentially leads.

And sometimes we just get complacent: "I'll do it next week" and then next week comes and goes and you still haven't made the backup.

I'd wager a guess that easily less than 40% of the folks that use password managers do so safely/effectively. And I think that's a pretty conservative guess.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
Agree about using the Cloud. I put nothing on the Cloud - and, rarely use Wi-Fi. I backup my password manager encrypted to my personal thumb drive. The same encrypted file is also on my laptop.
 
  • Like
Reactions: HutchinsonJC

HutchinsonJC

Senior member
Apr 15, 2007
467
207
126
and, rarely use Wi-Fi
So many people don't understand how easy it is to be taken advantage of just by using random wi-fi!

There are things you can do to try to ensure your safety on a wi-fi, but the large majority of folks are oblivious to those measures.

All it takes is someone on the same hotel, campground, or whatever wi-fi network running something like Wireshark and you're very potentially game over. rofl
 
  • Like
Reactions: corkyg

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
I learned that the hard way a few years ago. Now when I travel, I never use hotel or other Wi-Fi. I use my phone as a controlled hot-spot.
 

PeterRoss

Member
May 31, 2017
81
5
11
Regarding public Wi-Fi, completely agreed. I usually have everything sandboxed and only certain connections to the websites that I need available. Going as far as not logging in to anything and using private browser modes. To be fair, it doesn't happen as much as people think it might, but it does happen regularly enough to be a concern for your privacy.