Discussion in 'Security' started by Chiefcrowe, Dec 5, 2012.
And this is a possible reason to periodically change one's passwords on high-priority sites. Let's say my bank's servers get pwned and the attackers steal password hashes from the bank's servers. If it'll take them two months to crack my encrypted password from its hash, but I change it every month as a policy, then I've defeated the attack a month in advance without even realizing it.
From the previous article Chiefcrowe posted, Hashcat also prioritizes certain human-generated patterns, and millions of common human-generated passwords are already known by their hash based on the cracking of large batches of passwords in the past. Typical "leetspeak" substituting numerals for characters, or symmetrical or keyboard-patterned passwords, and so forth have been arbitrarily identified as easy prey.
Using an "inhuman" password like KQ63m7pP2Jjw1$Q means they really will have to brute-force the whole keyspace to guarantee a solution, whereas D3nv3rBr0nc0s is likely to be already known by its hash, based on cracking of previous batches of leaked passwords. Adding high-ANSI characters like ± and ™ forces the attacker to take on an expanded keyspace as well. These techniques on an adequate-length password will make an attacker's job difficult.
The question is how to switch to strong "inhuman" passwords without losing your mind. Personally I use biometrics, namely a fingerprint reader with software that remembers my crazy passwords and auto-enters them in most situations with a finger swipe. I've heard good remarks about LastPass and KeePass too, but haven't tried them yet.
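The post above contrasts a pattern-based attack (wordlist, word combinations, leetspeak rules) with exhausting the full keyspace. The following is an added example, not code from the thread or from Hashcat: it mimics that pattern-first approach on unsalted SHA-1 digests, using a constructed five-word list, a single leetspeak rule, and an assumed guess rate of 10^10 per second for the keyspace estimate. The real tool applies thousands of rules to lists of millions of words; the ordering here only illustrates the idea.

```python
import hashlib
import itertools

# Constructed stand-in for a leaked wordlist; a real run feeds millions of entries.
WORDLIST = ["password", "denver", "broncos", "qwerty", "letmein"]

# Leetspeak substitutions applied as one rule, in the spirit of a hashcat rule file.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})

# Assumed attacker speed (GPU-class, unsalted SHA-1) for the worst-case estimate.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def sha1_hex(password):
    """Unsalted SHA-1, the kind of digest many 2012-era leaks contained."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def case_variants(word):
    """Case rules: as-is, Capitalised, UPPER."""
    return {word, word.capitalize(), word.upper()}


def candidates(wordlist):
    """Yield guesses the way a pattern-first attack does: plain words, then
    two-word combinations (a combinator attack), each with and without the
    leetspeak rule. Human patterns come long before any random string would."""
    cased = set()
    for word in wordlist:
        cased |= case_variants(word)
    singles = sorted(cased)
    pairs = sorted(a + b for a, b in itertools.permutations(singles, 2))
    for base in singles + pairs:
        yield base
        yield base.translate(LEET)


def crack(target_hex, wordlist=WORDLIST):
    """Return the first candidate whose SHA-1 matches target_hex, else None."""
    for guess in candidates(wordlist):
        if sha1_hex(guess) == target_hex:
            return guess
    return None


def brute_force_years(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case years to exhaust alphabet_size ** length at `rate` guesses/s.
    This is what remains when no pattern or wordlist hit is possible."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("D3nv3rBr0nc0s", "KQ63m7pP2Jjw1$Q"):
        print(pw, "->", crack(sha1_hex(pw)))
    # 95 printable ASCII characters, 15 of them chosen at random
    print("years to exhaust 95^15 at 1e10/s:", f"{brute_force_years(15, 95):.3g}")
```

`D3nv3rBr0nc0s` falls to the combination `Denver`+`Broncos` plus the leet rule after a few hundred guesses, while `KQ63m7pP2Jjw1$Q` is never produced by any rule and only the keyspace estimate applies to it. Adding characters outside printable ASCII, as the post suggests, raises `alphabet_size` and with it the exponent's base.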
Good call, mech - changing passwords often definitely is a good idea.
I really like KeePass, you should try it out.
Thumbs up for KeePass - I agree and have used it for years now in Corporate business
Just have to be careful as some forums with older software or other limitations seem to limit the password size to only 12 characters and won't allow any special characters.
As long as the site allows it, you can easily use very strong passwords - the drawback is if you're traveling or at some other remote location you won't know the password to login.
I use something called Pwdhash developed by a guy at Stanford. It's an add-on for Firefox. Check it out. https://addons.mozilla.org/en-US/firefox/addon/pwdhash/?src=search
That looks interesting, but how is the disaster recovery? Can you recover the passwords if something happens to your system? I've had password managers in my head for a while now, and finally set up KeePass last night. I went with the 1.x portable version as it has fewer dependencies, and I can easily use the same package on GNU/Linux or Windows. For backup, I put it on Dropbox and I'll spread it around a few thumb drives. To use a backup, I just have to open the folder and start using it. Everything's self contained, and if someone gets my file, they likely won't have anything useful. My password protecting KeePass is uber long.
I've been resistant to using a password manager because I think it promotes lazy thinking. You can lose track of what you've done where, and if the technology fails, you don't have a starting point to correct it. On the other hand, I reuse passwords, which can be bad. I have them segregated by strength for different purposes, but some are still reused. A little bit of bad luck could compromise my system, so here I am trying a password manager.
This is why I hate frequent password changes (some banks do that) because you'll need some type of password manager to keep up. And I don't like opening KeePass for every login or bank transaction.
I'm thinking of only adding/changing the 'inhuman' part of a 2 part password and writing that part down in a book on my desk. If I wrote in a book (say a bible) at a certain page, I should be ok.
Reuse of passwords or using the same one on multiple sites is bad. I get users seeking help every once in a while on our forum where someone got their password and now was able to modify stuff in all their other accounts and pretty much block them from accessing or fixing it easily.
Everyone has to make their own choice for security but myself I've been putting up with the annoyance of having to open KeePass for passwords now for many years. I have accounts on numerous sites and different business networks and all of them have different passwords and all of them are very strong and get changed semi-frequently. Without KeePass I cannot get into most accounts but I'm okay with that as it keeps me safe. Even if someone were to somehow break into one of my accounts they would not have access to any other accounts.
Digital Safety requires diligence in today's technological World.
how did you know my password?!
It really is getting annoying. I use a password manager, and that's annoying enough, but now I have to change my passwords every month? I have over 100 entries! Most of them are low-risk sites but I probably have 20 sites with personal info and that's just a pain to keep changing them.
I wish there was a better way...
But that's gonna take a long while.
What I don't get is why the initial hash used to generate the keyfile isn't different between sites. This would cause a stolen hash file from one site to be completely useless on another site since the hash for the same password would be different.
For one thing, if they can back the password out of the hash at a sensitive site, that's bad enough right there, even if it doesn't help them anywhere else. Hey, where'd my WoW stuff go, where'd the money in my PayPal account go, etc.
Secondly, if the account they compromise is your "master" email account, where the password-reset request from your bank/PayPal/MMORPG would arrive, then they can commence trying to take over those accounts.
Third, some people use the same password at multiple sites, so if they can back the real password out of an unimportant site's hash (your account with Domino's Pizza or whatever), and you happen to use the same password for a critical account like your bank, then they can log in as you with the password they cracked from Domino's, or whatever.
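The per-site difference asked about above is what a per-user random salt provides on the server side. The block below is an added example, not code from this thread or any product mentioned in it: it stores the same reused password the two ways, then simulates an attacker who has cracked site A's leak and tries to use the resulting digest-to-plaintext table against site B. The PBKDF2 iteration count is an assumed value for illustration; pick a work factor sized to your own hardware.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def store_unsalted(password):
    """What the question describes: a bare hash, identical at every site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password, salt=None):
    """Per-user random salt plus PBKDF2-HMAC-SHA256; the record keeps the salt
    beside the digest as 'salt$digest' so it can be verified later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, record):
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def table_lookup_from_leak(storage, cracked_passwords, victim_password):
    """Attacker side: build {stored record: plaintext} from passwords already
    cracked out of site A's leak (constructed list), then look up the record
    site B holds for the victim. Returns the plaintext on a hit, else None."""
    table = {storage(pw): pw for pw in cracked_passwords}
    record_at_site_b = storage(victim_password)
    return table.get(record_at_site_b)


if __name__ == "__main__":
    leak_a = ["password", "qwerty", "D3nv3rBr0nc0s"]  # constructed cracked set
    for name, storage in (("unsalted", store_unsalted), ("salted", store_salted)):
        hit = table_lookup_from_leak(storage, leak_a, "D3nv3rBr0nc0s")
        print(f"{name}: table from site A reveals site B password -> {hit!r}")
```

With the unsalted scheme the lookup succeeds instantly because both sites stored the same digest. With a random salt the digest differs per user and per site, so a table built from one leak says nothing about another, and each record has to be attacked on its own at PBKDF2 cost. The replies above still hold: salting does not make a weak or reused password safe, it only stops one site's cracked table from being replayed against the next.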
When I was a senior info sec officer at a bank, we required all passwords to be changed every 28 days with an 8+ password history. Poor password choices and quickly shrinking password crack times were the biggest reasons... That was 9 years ago.
A passphrase in a dialect that is misspelled will require brute force.
Increasingly, institutions are requiring additional security questions be answered even after entering the password correctly. There are obvious pros/cons to this extra layer. But I think it's a good one.
The biggest thing one can do to protect themselves is ensure that their main email account is monitored carefully. Losing this could be really bad. You need to make sure this baby has a minimum of 12 random characters. Never use the same password from another site on it, ever. And never log in to it over free wifi unless you're using a VPN. That free wifi ain't free...