The new password craze...

Page 6 - AnandTech community

midwestfisherman

Diamond Member
Dec 6, 2003
3,564
8
81
is completely out of hand.

I mean, it's always been ridiculous: change it every few months, 8+ characters, letter and numbers, etc...but now it's just STUPID. Was just made to update my account for commenting on a blog (not transferring millions of dollars, and not passing nuclear launch codes) and it required 20 characters exactly, or upper, lower, number, and special characters 8 or more long.

I promptly deleted my entire account, as I did with NCSoft, previous jobs, and every other place that makes such ludicrous requirements.

NEWSFLASH: YOUR PASSWORDS DO NOT FUCKING MATTER IN THE LEAST!!!

Anyone with half a brain can hack your accounts no matter what you do. Having a password at all is about as useful as putting the loaded gun on the top shelf instead of leaving it on the coffee table. So KNOCK IT OFF people!

/rant

 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
On a side note.... does anyone know if a browser has ever been hacked in a way which revealed auto-filled usernames and passwords, as I would have thought this would be the ultimate way to grab them. What sort of security protects stored passwords and how long would it take a modest server to break?

With a couple clicks and keystrokes, I can make IE or Chrome reveal an auto-filled password. Probably Firefox too.
 

OutHouse

Lifer
Jun 5, 2000
36,410
616
126
For those of you who keep Excel files lying around, what's the best way to secure these while keeping convenience in mind?

I've thought about putting it in Google Drive since my Google account has 2 factor authentication setup, but maybe something more secure like SpiderOak? At the same time, if you think about it, if your Google account is compromised, most people's logins are compromised as well.

I realize the fact that it's plaintext is a huge setback in security, but storing it securely is likely to put you ahead of most people as long as your passwords are long/strong enough.

We use passwordsafe

http://passwordsafe.sourceforge.net
 

Gooberlx2

Lifer
May 4, 2001
15,381
6
91
For those of you who keep Excel files lying around, what's the best way to secure these while keeping convenience in mind?

I've thought about putting it in Google Drive since my Google account has 2 factor authentication setup, but maybe something more secure like SpiderOak? At the same time, if you think about it, if your Google account is compromised, most people's logins are compromised as well.

I realize the fact that it's plaintext is a huge setback in security, but storing it securely is likely to put you ahead of most people as long as your passwords are long/strong enough.

Personally, I use Lastpass. Keepass + drive or dropbox with 2-factor auth works well too.
 

JamesV

Platinum Member
Jul 9, 2011
2,002
2
76
I'm curious if anyone can explain this to me.

Most sites, including AT, only allow so many attempts to login before you are locked out, and even if there was a site that let you continually try to login forever, you couldn't try hundreds of passwords a second anyway, because you'd have to wait for the site's response. On top of that, don't most login apps have some kind of security feature that would stop attempts or alert someone if the counter for login attempts is a large number (>20 or >100)?

So aren't these numbers claiming how long it takes to hack an account bullshit? In the 'perfect hackers world', where the system you are trying to get into is a super computer that can accept 1,000 attempts a second, and doesn't lock you out after so many tries, maybe the numbers would be correct, but in real world situations they seem like a scare tactic.
 

darkewaffle

Diamond Member
Oct 7, 2005
8,152
1
81
I'm curious if anyone can explain this to me.

Most sites, including AT, only allow so many attempts to login before you are locked out, and even if there was a site that let you continually try to login forever, you couldn't try hundreds of passwords a second anyway, because you'd have to wait for the site's response. On top of that, don't most login apps have some kind of security feature that would stop attempts or alert someone if the counter for login attempts is a large number (>20 or >100)?

So aren't these numbers claiming how long it takes to hack an account bullshit? In the 'perfect hackers world', where the system you are trying to get into is a super computer that can accept 1,000 attempts a second, and doesn't lock you out after so many tries, maybe the numbers would be correct, but in real world situations they seem like a scare tactic.

Cracking is not attempted against the actual login mechanism but rather an offline 'source file' - the situation functions under the assumption that the file(s) holding the passwords were obtained through some kind of compromise.
 

JamesV

Platinum Member
Jul 9, 2011
2,002
2
76
Cracking is not attempted against the actual login mechanism but rather an offline 'source file' - the situation functions under the assumption that the file(s) holding the passwords were obtained through some kind of compromise.

So unless a hacker already had infiltrated a site and stolen files which might contain my password, the idea of someone hacking my banking sites is pretty much just a scare tactic? Since I'm locked out for the day if I miss the password 5 times, and even a weak password needing thousands of attempts, it seems like it.

I understand if I had sensitive files on my PC and someone got a hold of them, that would only be a matter of time, but for websites the idea of being hacked seems to be blown way out of proportion. This is of course assuming equal security-consciousness with regards to Trojans, viruses, email, and so on - I understand a keylogger could get my password for example.
 

lxskllr

No Lifer
Nov 30, 2004
60,030
10,521
126
So unless a hacker already had infiltrated a site and stolen files which might contain my password, the idea of someone hacking my banking sites is pretty much just a scare tactic? Since I'm locked out for the day if I miss the password 5 times, and even a weak password needing thousands of attempts, it seems like it.

I understand if I had sensitive files on my PC and someone got a hold of them, that would only be a matter of time, but for websites the idea of being hacked seems to be blown way out of proportion. This is of course assuming equal security-consciousness with regards to Trojans, viruses, email, and so on - I understand a keylogger could get my password for example.

You're trivializing the risk. Sites get hacked all the time, and huge databases of passwords make it into the wild. It doesn't matter how secure your machine is. You're only as secure as the weakest link, and you only control your machine. Not all the other machines that have your password on them.

You don't get locked out when you crack a password database. You get the password, and you get in first try. Nobody's trial/erroring password entry on the sites. If they're trying, they already have it.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
So unless a hacker already had infiltrated a site and stolen files which might contain my password, the idea of someone hacking my banking sites is pretty much just a scare tactic? Since I'm locked out for the day if I miss the password 5 times, and even a weak password needing thousands of attempts, it seems like it.

I understand if I had sensitive files on my PC and someone got a hold of them, that would only be a matter of time, but for websites the idea of being hacked seems to be blown way out of proportion. This is of course assuming equal security-consciousness with regards to Trojans, viruses, email, and so on - I understand a keylogger could get my password for example.

Some hackers do go direct. IPS/IDS systems can detect this at times if the hacker just goes full throttle. If one is using one of the top 10 types of passwords or if the hacker knows the user and knows what type of password they use (children's/SO's/pet's names are popular as are anniversary dates) they can go direct. They just burn through common usernames/email addresses and if they lock out one, they move to the next.

When I handled the desktops and training for my last job I was part of letting employees know that pinning up their passwords in their cubes or hiding them under the keyboard is not allowed. They'd still hang up a 'random' word here and there. 9 times out of 10, that random word would get me in their PC and I'd have to write it up.

For most large scale hacks, like others have stated; they are going after a stolen/compromised database and not going through the front end login page. They don't even get all the passwords usually...but once they get a few hundred email/password combos they go out and use them directly or sell them on the black market.

Chances are at least a few will be common to all the big sites (Chase/Wells Fargo/PNC/Amazon/Paypal/etc). Then they further glean account numbers, spending habits, sources of income/deposits, etc.

If they can get a Social Security number, you can be on the hook forever as the only way to get a new one is witness protection or having an actual $10,000 hard cost to yourself. This is rare as most credit/accounts have protection for the consumer.
 

Jeff7

Lifer
Jan 4, 2001
41,596
20
81
You're trivializing the risk. Sites get hacked all the time, and huge databases of passwords make it into the wild. It doesn't matter how secure your machine is. You're only as secure as the weakest link, and you only control your machine. Not all the other machines that have your password on them.

You don't get locked out when you crack a password database. You get the password, and you get in first try. Nobody's trial/erroring password entry on the sites. If they're trying, they already have it.

And that's all you can hope for, is that their backend is using some pretty heavy encryption on the sensitive data, not like some of these moronic IT people who store passwords in plain text on their servers. "Our security is awesome! No one will ever get through the outer defenses!"
Encrypt the hell out of user data. Salt it. Make it such that you could ship it straight to the NSA and tie up their supercomputers for several decades trying to crack it. (Assuming they didn't "coerce" the programmers to build in a convenient backdoor.)
 

Gooberlx2

Lifer
May 4, 2001
15,381
6
91
And that's all you can hope for, is that their backend is using some pretty heavy encryption on the sensitive data, not like some of these moronic IT people who store passwords in plain text on their servers. "Our security is awesome! No one will ever get through the outer defenses!"
Encrypt the hell out of user data. Salt it. Make it such that you could ship it straight to the NSA and tie up their supercomputers for several decades trying to crack it. (Assuming they didn't "coerce" the programmers to build in a convenient backdoor.)

Exactly.

See major data leaks by Plenty of Fish, Sony, LinkedIn, Adobe, etc, etc...it gets exhausting.
 

Midwayman

Diamond Member
Jan 28, 2000
5,723
325
126
I love lastpass, but I would never use any password vault without 2 factor authentication.
 

Cappuccino

Diamond Member
Feb 27, 2013
4,018
726
126
My password for Paypal is 'Cappuccino123' and my email password is 'email' and my Anandtech password is '123ABC' I think all my accounts are safe. No hackers can crack my logins. :)
 

silverpig

Lifer
Jul 29, 2001
27,703
12
81
So unless a hacker already had infiltrated a site and stolen files which might contain my password, the idea of someone hacking my banking sites is pretty much just a scare tactic? Since I'm locked out for the day if I miss the password 5 times, and even a weak password needing thousands of attempts, it seems like it.

I understand if I had sensitive files on my PC and someone got a hold of them, that would only be a matter of time, but for websites the idea of being hacked seems to be blown way out of proportion. This is of course assuming equal security-consciousness with regards to Trojans, viruses, email, and so on - I understand a keylogger could get my password for example.

The worry isn't that someone will hack your bank's files and steal your login info. Banks are pretty secure.

The worry is that someone will hack some stupid lolzcatsbl0g.org site that uses simple md5 hashing or even just stores login information in plain text. They then notice that there's a "JamesV" user, with a "jamesv@gmail.com" email address and has used the password "ajskdlf;2013".

They then log in to gmail using "jamesv" and "ajskdlf;2013", then get all your other logins and passwords, including paypal and other such things.

You can't control whether a website uses plain text, md5, or bcrypt to hash their passwords, and you can't control which ones get hacked. You can control what passwords you use where. This is why using completely random 24 character passwords that are different for each site is the best way to go. These passwords are very resistant to brute force attacks, and even if the site stores it in plain text, they only have the password for that site.
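An added example (not from any poster in this thread) of the difference between the "simple md5" storage silverpig describes and the "salt it" advice from Jeff7, run against a constructed user table; all names, passwords and the PBKDF2 iteration count are made up for the example, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt:

```python
import hashlib
import hmac
import os

# Constructed sample user table, as a careless site might hold it before
# hashing. Every value here is invented for the example.
SAMPLE_USERS = {
    "jamesv": "ajskdlf;2013",
    "alice": "ajskdlf;2013",   # reuses the same password as jamesv
    "bob": "hunter2",
}

PBKDF2_ROUNDS = 200_000  # work factor; an assumed value for this example


def md5_record(password: str) -> str:
    """Unsalted MD5: fast, and identical passwords give identical records."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a slow KDF, stored as 'rounds$salt$digest'.
    A leaked dump of these can only be attacked one user at a time, at the
    KDF's cost per guess, which is the point of bcrypt-style storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare."""
    rounds, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_record_groups(records: dict) -> int:
    """Count groups of users whose stored value is identical. With unsalted
    MD5 a dump reveals every password reuse before a single guess is made."""
    counts = {}
    for rec in records.values():
        counts[rec] = counts.get(rec, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def md5_dump() -> dict:
    return {u: md5_record(p) for u, p in SAMPLE_USERS.items()}


def salted_dump() -> dict:
    return {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
```

Because each call to salted_dump() draws fresh salts, the same password never produces the same stored value twice, while md5_dump() exposes jamesv and alice as sharing a password.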
 

OutHouse

Lifer
Jun 5, 2000
36,410
616
126
I love lastpass, but I would never use any password vault without 2 factor authentication.

how does that work with both apps installed on a android device?

say lastpass and google authenticator?

for example i sign into gmail on my phone, then GA sends me a text with a code, i then copy/paste that code into the GA. soooo how does that keep somebody out of my gmail or lastpass if my phone gets lost and they somehow get past my droid login pattern.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
The worry isn't that someone will hack your bank's files and steal your login info. Banks are pretty secure.

The worry is that someone will hack some stupid lolzcatsbl0g.org site that uses simple md5 hashing or even just stores login information in plain text. They then notice that there's a "JamesV" user, with a "jamesv@gmail.com" email address and has used the password "ajskdlf;2013".

They then log in to gmail using "jamesv" and "ajskdlf;2013", then get all your other logins and passwords, including paypal and other such things.

You can't control whether a website uses plain text, md5, or bcrypt to hash their passwords, and you can't control which ones get hacked. You can control what passwords you use where. This is why using completely random 24 character passwords that are different for each site is the best way to go. These passwords are very resistant to brute force attacks, and even if the site stores it in plain text, they only have the password for that site.

What sites allow 24 character passwords?
 
Feb 19, 2001
20,155
23
81
The worry isn't that someone will hack your bank's files and steal your login info. Banks are pretty secure.

The worry is that someone will hack some stupid lolzcatsbl0g.org site that uses simple md5 hashing or even just stores login information in plain text. They then notice that there's a "JamesV" user, with a "jamesv@gmail.com" email address and has used the password "ajskdlf;2013".

They then log in to gmail using "jamesv" and "ajskdlf;2013", then get all your other logins and passwords, including paypal and other such things.

You can't control whether a website uses plain text, md5, or bcrypt to hash their passwords, and you can't control which ones get hacked. You can control what passwords you use where. This is why using completely random 24 character passwords that are different for each site is the best way to go. These passwords are very resistant to brute force attacks, and even if the site stores it in plain text, they only have the password for that site.

Exactly. So for my important sites, I use a secure random password so my passwords are different. For some critical stuff I reuse passwords if I can get 2FA. Not sure what's better...

16-20 character password versus 10 char + 2FA, but the reason I use a shorter password + 2FA is that I need to login more frequently, and I can't remember some random password obviously, and furthermore I can't always depend on LastPass.

I'm tired of these sites getting hacked. I was ok for the LinkedIn hack, eHarm, last.fm, but then Adobe hit me. It was my standard password used in many sites, and I had to change them all. At that point the only other password I could change to was my secure password. Therefore, I decided to just do a password makeover. I spent the last 3 days revamping my password strategy for all accounts, locking in 2FA where it counted.

The more I think about it, the more it makes sense to have a fingerprint reader on phones now. With 2FA software on phones, you really want that stuff locked down. Sure you can put passwords or PINs on those apps, but it's gonna get in the way of daily use or get easily compromised.

I really wish these banks jumped in this 2FA system a bit more. Sites like Dropbox, Facebook, and the whole Bitcoin industry has gone to very secure logins. Maybe most banks are secure as hell, so the chance of being hacked is pretty low, and even then I'd bet most financial companies are locked down tight and don't use something as dumb as sha1(password). But still, I like the fact that Bitcoin wallets online can be locked so you need a 2nd password to send money for example, or you need to use 2FA again for sending, or selling, or any account changing maneuver. It's very useful.
 

Gooberlx2

Lifer
May 4, 2001
15,381
6
91
how does that work with both apps installed on a android device?

say lastpass and google authenticator?

for example i sign into gmail on my phone, then GA sends me a text with a code, i then copy/paste that code into the GA. soooo how does that keep somebody out of my gmail or lastpass if my phone gets lost and they somehow get past my droid login pattern.

Well, they still need to know your gmail password to alter your google account, but yeah don't lose your phone.

Elsewise, you can hopefully disable that device before they've had the chance to compromise anything.
 

silverpig

Lifer
Jul 29, 2001
27,703
12
81
Exactly. So for my important sites, I use a secure random password so my passwords are different. For some critical stuff I reuse passwords if I can get 2FA. Not sure what's better...

16-20 character password versus 10 char + 2FA, but the reason I use a shorter password + 2FA is that I need to login more frequently, and I can't remember some random password obviously, and furthermore I can't always depend on LastPass.

I'm tired of these sites getting hacked. I was ok for the LinkedIn hack, eHarm, last.fm, but then Adobe hit me. It was my standard password used in many sites, and I had to change them all. At that point the only other password I could change to was my secure password. Therefore, I decided to just do a password makeover. I spent the last 3 days revamping my password strategy for all accounts, locking in 2FA where it counted.

The more I think about it, the more it makes sense to have a fingerprint reader on phones now. With 2FA software on phones, you really want that stuff locked down. Sure you can put passwords or PINs on those apps, but it's gonna get in the way of daily use or get easily compromised.

I really wish these banks jumped in this 2FA system a bit more. Sites like Dropbox, Facebook, and the whole Bitcoin industry has gone to very secure logins. Maybe most banks are secure as hell, so the chance of being hacked is pretty low, and even then I'd bet most financial companies are locked down tight and don't use something as dumb as sha1(password). But still, I like the fact that Bitcoin wallets online can be locked so you need a 2nd password to send money for example, or you need to use 2FA again for sending, or selling, or any account changing maneuver. It's very useful.

Fingerprints are terrible.

1. They can be used to identify you
2. You can't change them
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
The worry isn't that someone will hack your bank's files and steal your login info. Banks are pretty secure.

I'm sure a lot of massive password leaks are due to internal sabotage by employees with special access. We probably never hear about most of these.