Update: New 25 GPU Monster Devours Passwords In Seconds

Discussion in 'Security' started by Chiefcrowe, Dec 5, 2012.

  1. mechBgon

    mechBgon Super Moderator, Elite Member

    Joined:
    Oct 31, 1999
    Messages:
    30,699
    Likes Received:
    0
    And this is a possible reason to periodically change one's passwords on high-priority sites. Let's say my bank's servers get pwned and the attackers steal password hashes from the bank's servers. If it'll take them two months to crack my encrypted password from its hash, but I change it every month as a policy, then I've defeated the attack a month in advance without even realizing it.

    From the previous article Chiefcrowe posted, Hashcat also prioritizes on certain human-generated patterns, and millions of common human-generated passwords are already known by their hash based on the cracking of large batches of passwords in the past. Typical "leetspeak" substituting numerals for characters, or symmetrical or keyboard-patterned passwords, and so forth have been arbitrarily identified as easy prey.

    Using an "inhuman" password like KQ63m7pP2Jjw1$Q means they really will have to brute-force the whole keyspace to guarantee a solution, whereas D3nv3rBr0nc0s is likely to be already known by its hash, based on cracking of previous batches of leaked passwords. Adding high-ANSI characters like ± and ™ forces the attacker to take on an expanded keyspace as well. These techniques on an adequate-length password will make an attacker's job difficult.

    The question is how to switch to strong "inhuman" passwords without losing your mind :D Personally I use biometrics, namely a fingerprint reader with software that remembers my crazy passwords and auto-enters them in most situations with a finger swipe. I've heard good remarks about LastPass and KeePass too, but haven't tried them yet.
     
  2. Chiefcrowe

    Chiefcrowe Diamond Member

    Joined:
    Sep 15, 2008
    Messages:
    4,324
    Likes Received:
    4
    good call mech - changing passwords often definitely is a good idea.

    I really like KeePass, you should try it out.
     
  3. AdvancedSetup

    AdvancedSetup Junior Member

    Joined:
    Dec 12, 2012
    Messages:
    9
    Likes Received:
    0
    Thumbs up for KeePass - I agree and have used it for years now in corporate business.

    keepass.info

    Just have to be careful as some forums with older software or other limitations seem to limit the password size to only 12 characters and won't allow any special characters.

    As long as the site allows it you can easily use very strong passwords - the drawback is if you're traveling or at some other remote location you won't know the password to log in.

    ?Ûw?îÊ°ÅËíÌ%;óPÓ?}?+Á?ª6ñ`W?v{Ðä$G
     
  4. John Connor

    John Connor Lifer

    Joined:
    Nov 30, 2012
    Messages:
    17,746
    Likes Received:
    49
  5. lxskllr

    lxskllr Lifer

    Joined:
    Nov 30, 2004
    Messages:
    44,651
    Likes Received:
    86
    That looks interesting, but how is the disaster recovery? Can you recover the passwords if something happens to your system? I've had password managers in my head for a while now, and finally set up KeePass last night. I went with the 1.x portable version as it has fewer dependencies, and I can easily use the same package on GNU/Linux or Windows. For backup, I put it on Dropbox and I'll spread it around a few thumb drives. To use a backup, I just have to open the folder and start using it. Everything's self-contained, and if someone gets my file, they likely won't have anything useful. My password protecting KeePass is uber long.

    I've been resistant to using a password manager because I think it promotes lazy thinking. You can lose track of what you've done where, and if the technology fails, you don't have a starting point to correct it. On the other hand, I reuse passwords, which can be bad. I have them segregated by strength for different purposes, but some are still reused. A little bit of bad luck could compromise my system, so here I am trying a password manager.
     
  6. bononos

    bononos Diamond Member

    Joined:
    Aug 21, 2011
    Messages:
    3,207
    Likes Received:
    8
    This is why I hate frequent password changes (some banks do that) because you'll need some type of password manager to keep up. And I don't like opening KeePass for every login or bank transaction.

    I'm thinking of only adding/changing the 'inhuman' part of a 2 part password and writing that part down in a book on my desk. If I wrote in a book (say a bible) at a certain page, I should be ok.
     
  7. AdvancedSetup

    AdvancedSetup Junior Member

    Joined:
    Dec 12, 2012
    Messages:
    9
    Likes Received:
    0
    Reuse of passwords or using the same one on multiple sites is bad. I get users seeking help every once in a while on our forum where someone got their password and now was able to modify stuff in all their other accounts and pretty much block them from accessing or fixing it easily.

    Everyone has to make their own choice for security but myself I've been putting up with the annoyance of having to open KeePass for passwords now for many years. I have accounts on numerous sites and different business networks and all of them have different passwords and all of them are very strong and get changed semi-frequently. Without KeePass I cannot get into most accounts but I'm okay with that as it keeps me safe. Even if someone were to somehow break into one of my accounts they would not have access to any other accounts.

    Digital safety requires diligence in today's technological world.
     
  8. AkumaX

    AkumaX Lifer

    Joined:
    Apr 20, 2000
    Messages:
    12,639
    Likes Received:
    2
    how did you know my password?!
     
  9. wirednuts

    wirednuts Diamond Member

    Joined:
    Jan 26, 2007
    Messages:
    7,121
    Likes Received:
    1
    It really is getting annoying. I use a password manager, and that's annoying enough, but now I have to change my passwords every month? I have over 100 entries! Most of them are low-risk sites but I probably have 20 sites with personal info and that's just a pain to keep changing them.

    I wish there was a better way...
     
  10. kache

    kache Senior member

    Joined:
    Nov 10, 2012
    Messages:
    486
    Likes Received:
    0
    Biometric signature!
    But that's gonna take a long while. :(
     
  11. Ryland

    Ryland Platinum Member

    Joined:
    Aug 9, 2001
    Messages:
    2,709
    Likes Received:
    0
    What I don't get is why the initial hash used to generate the keyfile isn't different between sites. This would cause a stolen hash file from one site to be completely useless on another site since the hash for the same password would be different.
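
    Added example, not part of this thread or of any product named in it: the per-site difference Ryland describes is what a random per-user salt combined with a slow password-hashing function gives you. The code below is a constructed illustration; the iteration count, the 16-byte salt length and the "site_a"/"site_b" labels are assumptions. It shows that an unsalted hash of the same password is identical everywhere (so one cracked or precomputed hash is reusable), while a salted PBKDF2 digest differs between two sites storing the same password, yet each site can still verify a login against its own stored salt.

    ```python
    import hashlib
    import hmac
    import os
    from typing import Optional, Tuple

    # Work factor for PBKDF2-HMAC-SHA256; an assumed value, raise it as hardware allows.
    ITERATIONS = 600_000
    SALT_LEN = 16  # bytes of random salt per stored password (assumed)


    def unsalted_hash(password: str) -> bytes:
        """What a site without salting stores: identical for every user and every site."""
        return hashlib.sha256(password.encode("utf-8")).digest()


    def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        """Return (salt, digest). A fresh random salt is drawn when none is supplied.

        The site stores both values; the salt is not secret, it only has to be
        unique so that equal passwords do not produce equal digests.
        """
        if salt is None:
            salt = os.urandom(SALT_LEN)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
        return salt, digest


    def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
        """Recompute the digest with the stored salt and compare in constant time."""
        _, digest = hash_password(password, salt)
        return hmac.compare_digest(digest, expected)


    def demo(password: str = "D3nv3rBr0nc0s") -> dict:
        """Simulate two unrelated sites (constructed) storing the same password."""
        site_a = hash_password(password)  # (salt_a, digest_a)
        site_b = hash_password(password)  # (salt_b, digest_b)
        return {
            # Without a salt, both sites hold the same bytes: one leak serves both.
            "unsalted_same": unsalted_hash(password) == unsalted_hash(password),
            # With per-site salts the stored digests differ, so a hash stolen from
            # site A does not match anything at site B and cannot be table-looked-up.
            "salted_differ": site_a[1] != site_b[1],
            # Each site still verifies the correct password against its own record.
            "verifies_a": verify_password(password, *site_a),
            "verifies_b": verify_password(password, *site_b),
            "wrong_rejected": not verify_password("not-the-password", *site_a),
        }


    if __name__ == "__main__":
        for name, ok in demo().items():
            print(f"{name}: {ok}")
    ```

    The point for defenders is that salting does not stop an attacker from attacking one site's dump; it stops the dump from being reused, and the slow KDF is what makes each guess cost something. A leaked salted-PBKDF2 digest still has to be attacked one password at a time, per user, which is exactly the situation mechBgon's "inhuman" passwords are meant to survive.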
     
  12. mechBgon

    mechBgon Super Moderator, Elite Member

    Joined:
    Oct 31, 1999
    Messages:
    30,699
    Likes Received:
    0
    For one thing, if they can back the password out of the hash at a sensitive site, that's bad enough right there, even if it doesn't help them anywhere else. Hey, where'd my WoW stuff go, where'd the money in my PayPal account go, etc.

    Secondly, if the account they compromise is your "master" email account, where the password-reset request from your bank/PayPal/MMORPG would arrive, then they can commence trying to take over those accounts.

    Third, some people use the same password at multiple sites, so if they can back the real password out of an unimportant site's hash (your account with Domino's Pizza or whatever), and you happen to use the same password for a critical account like your bank, then they can log in as you with the password they cracked from Domino's, or whatever.
     
  13. Dravic

    Dravic Senior member

    Joined:
    May 18, 2000
    Messages:
    890
    Likes Received:
    0

    When I was a senior info sec officer at a bank, we required all passwords to be changed every 28 days with an 8+ password history. Poor password choices and quickly shrinking password crack times were the biggest reasons... That was 9 years ago.
     
  14. power_hour

    power_hour Senior member

    Joined:
    Oct 16, 2010
    Messages:
    789
    Likes Received:
    1
    A passphrase in a dialect that is misspelled will require brute force.

    Increasingly, institutions are requiring additional security questions be answered even after entering the password correctly. There are obvious pros/cons to this extra layer. But I think it's a good one.

    The biggest thing one can do to protect themselves is ensure that their main email account is monitored carefully. Losing this could be really bad. You need to make sure this baby has a minimum of 12 random characters. Never use the same password from another site on it, ever. And never log in to it over free wifi unless you're using a VPN. That free wifi ain't free...
     
  15. imported_paulc871

    Joined:
    Feb 14, 2009
    Messages:
    28
    Likes Received:
    0