Why passwords have never been weaker—and crackers have never been stronger

paulcheung

Member
Jun 3, 2012
Does this really matter in the real world? My bank gives me 3 tries to log in to my account. After that it locks up the account. I have to call and explain and give all those security answers before the account opens for another 3 tries. Unless the "super computer" can take 3 wise guesses, how can it get into the system?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Great read!

Definitely!

I now use a biometric fingerprint reader (by Authentec) at home and at work. The software (Protector Suite, in my case) has a strong-password-generator feature. Example:

[Image: Password_generator.png]


In this example, I grabbed some non-keyboard characters from Windows' Character Map and had the generator use some of them. A rainbow table covering only the characters on a standard keyboard shouldn't be able to crack a password like this (as far as I know). Some sites won't let you use those characters, but if you can, why not throw one in there as a wild card.

Anyway, the fingerprint reader is one way to use different strong, maximum-length passwords on every site without having to remember or type them. The downside is that if I'm at someone else's computer, I'll need a flash drive with a text file containing my passwords.

These days I also have IE launch in InPrivate mode by default (add -private to the shortcut's Target line) and try to remember to check my email, then close the browser and restart it before commencing any random surfing. Ditto for other sensitive sites such as my banking, shopping/eBay, or occasionally AnandTech Moderator work.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
I believe it does, at least if someone is trying to crack passwords that do not have a lockout or certain weaker setups. Also, if someone happens to take your computer and then look on your system for passwords for Windows, etc., then they could be more hackable .. IMO.


Does this really matter in the real world? My bank gives me 3 tries to log in to my account. After that it locks up the account. I have to call and explain and give all those security answers before the account opens for another 3 tries. Unless the "super computer" can take 3 wise guesses, how can it get into the system?
 

MrColin

Platinum Member
May 21, 2003
Even in the rare cases the web applications implement decent password schemes, most things seem to have major SQLi problems.
 

unokitty

Diamond Member
Jan 5, 2012
Does this really matter in the real world? My bank gives me 3 tries to log in to my account. After that it locks up the account. I have to call and explain and give all those security answers before the account opens for another 3 tries. Unless the "super computer" can take 3 wise guesses, how can it get into the system?

They won't attack your bank directly. For example, if you use the same password and id at your bank on an online forum, all they have to do is steal the password database from that online forum. Then, they can logon to your bank with the same logon id and password that you used in the online forum.

Likely, you are smart enough to not reuse the same id and password. But many people aren't.

For examples of password database theft see:
eHarmony confirms its members' passwords were posted online

Report: Thousands of Hotmail passwords posted

32 million passwords show most users careless about security

11 million passwords from hacked game website dumped online

Best of luck,
Uno
 

paulcheung

Member
Jun 3, 2012
They won't attack your bank directly. For example, if you use the same password and id at your bank on an online forum, all they have to do is steal the password database from that online forum. Then, they can logon to your bank with the same logon id and password that you used in the online forum.

Likely, you are smart enough to not reuse the same id and password. But many people aren't.

For examples of password database theft see:
eHarmony confirms its members' passwords were posted online

Report: Thousands of Hotmail passwords posted

32 million passwords show most users careless about security

11 million passwords from hacked game website dumped online

Best of luck,
Uno

Well, lucky thing for me, most of the banks are using a unique id (their bank card) as the login id, so even if I wanted to use the same id, I still couldn't. Guess that is a plus.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
They won't attack your bank directly. For example, if you use the same password and id at your bank on an online forum, all they have to do is steal the password database from that online forum. Then, they can logon to your bank with the same logon id and password that you used in the online forum.

Likely, you are smart enough to not reuse the same id and password. But many people aren't.

For examples of password database theft see:
eHarmony confirms its members' passwords were posted online

Report: Thousands of Hotmail passwords posted

32 million passwords show most users careless about security

11 million passwords from hacked game website dumped online

Best of luck,
Uno

Another angle is discussed in this article, which is another good read: http://threatpost.com/en_us/blogs/own-email-own-person-082012 With a little patience and footwork, simply getting hold of one of your email accounts might pave the way for an attacker to request a password-reset, which they can then approve from your email account.
 

Nintendesert

Diamond Member
Mar 28, 2010
Another angle is discussed in this article, which is another good read: http://threatpost.com/en_us/blogs/own-email-own-person-082012 With a little patience and footwork, simply getting hold of one of your email accounts might pave the way for an attacker to request a password-reset, which they can then approve from your email account.



Well any email service and bank worth a damn should have and in my opinion require one time passwords through an authenticator device or via SMS.

Everyone is quick to recommend retardedly complex passwords first, but one-time passwords are a better, under-prescribed solution.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Well any email service and bank worth a damn should have and in my opinion require one time passwords through an authenticator device or via SMS.

I'd hate to be required to get a cell phone and service, just to log into my Gmail account. An authentication keyfob might be OK, I wonder what that costs.
 

wirednuts

Diamond Member
Jan 26, 2007
My Gmail account uses a 10-character non-word password. It's just a pattern on the keyboard I made up.

AnandTech uses a different 6-character password that I use for many web forums.

ALL other passwords use anywhere from 8-20 character randomly generated passwords using KeePass. All the passwords are stored in an encrypted container, which needs a keyfile and a 23-character password that I remember by, again, a pattern on the keyboard that only I know.

I like my process anyway. I do keep my KeePass file on my Dropbox account. I'm not sure how safe that is... but oh well. Scary though, because if someone ever did get into my KeePass file there are about 60 passwords in there for everything I have ever signed up for. Banks, credit cards, utilities, web stores... ugh... scary to think.
 

wirednuts

Diamond Member
Jan 26, 2007
They won't attack your bank directly. For example, if you use the same password and id at your bank on an online forum, all they have to do is steal the password database from that online forum. Then, they can logon to your bank with the same logon id and password that you used in the online forum.

Likely, you are smart enough to not reuse the same id and password. But many people aren't.

Which is why stories like these should be titled "passwords have never been weaker because people are lazy".
 

Chiefcrowe

Diamond Member
Sep 15, 2008
I like your strategy!
As long as your keyfile is not in an insecure location you should be fine. If I were you I'd probably store a copy of that file on an encrypted USB or HD.


My Gmail account uses a 10-character non-word password. It's just a pattern on the keyboard I made up.

AnandTech uses a different 6-character password that I use for many web forums.

ALL other passwords use anywhere from 8-20 character randomly generated passwords using KeePass. All the passwords are stored in an encrypted container, which needs a keyfile and a 23-character password that I remember by, again, a pattern on the keyboard that only I know.

I like my process anyway. I do keep my KeePass file on my Dropbox account. I'm not sure how safe that is... but oh well. Scary though, because if someone ever did get into my KeePass file there are about 60 passwords in there for everything I have ever signed up for. Banks, credit cards, utilities, web stores... ugh... scary to think.
 

wirednuts

Diamond Member
Jan 26, 2007
Oh it is. Every few months I back it up to a USB key that only stores that and naked pics of my past GFs.

I don't bother to back it up that much though. Dropbox is on my laptop, server, and HTPC... and since they provide previous-version backup automatically too, there's just not much of a chance I'll ever lose it.

The only thing about the way I do things that relates to this thread is my forum logins. If someone got ahold of my forum password, they would have potential access to about a dozen forum sites. But I really don't see how that can hurt me....
 

Nintendesert

Diamond Member
Mar 28, 2010
My Gmail account uses a 10-character non-word password. It's just a pattern on the keyboard I made up.

AnandTech uses a different 6-character password that I use for many web forums.

ALL other passwords use anywhere from 8-20 character randomly generated passwords using KeePass. All the passwords are stored in an encrypted container, which needs a keyfile and a 23-character password that I remember by, again, a pattern on the keyboard that only I know.

I like my process anyway. I do keep my KeePass file on my Dropbox account. I'm not sure how safe that is... but oh well. Scary though, because if someone ever did get into my KeePass file there are about 60 passwords in there for everything I have ever signed up for. Banks, credit cards, utilities, web stores... ugh... scary to think.




Well how do you log into Dropbox? That will tell you how weak your overall security is since that's your only real line of defense.

The type of characters and whatever pattern you make means nothing. The length is the single most important aspect of a password and at 10 characters for your email, that's pretty weak. The 15+ character ones are much better.

You really would be better served writing your password down and keeping it in a safe or even just hidden in your house than you would be keeping it on Dropbox. Unless of course that file is encrypted with a reputable file encryption scheme and has a password length as long as your overall Keepass password.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
I'm pretty sure wirednuts stores the passwords in an encrypted format on Dropbox, so if someone manages to get access to Dropbox, they won't be able to get any of the passwords on there.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Does this really matter in the real world? My bank gives me 3 tries to log in to my account. After that it locks up the account. I have to call and explain and give all those security answers before the account opens for another 3 tries. Unless the "super computer" can take 3 wise guesses, how can it get into the system?

One of the dangers is that if the attacker can get into the bank's network and steal the customers' password hashes, they have all the time in the world to try to crack them, then they'll try logging into your account. So as the article says, if you've followed in the footsteps of the millions of people whose passwords have already been cracked, you're a relatively easy target because they've got those identified already.
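An added illustration of mechBgon's point that stolen hashes are cracked offline with no lockout in the way, and of why already-cracked, reused passwords fall first. This is example code written for this edit, not code from the thread or from the Ars article; the wordlist, the two users and the PBKDF2 round count are constructed assumptions.

```python
import hashlib
import os

ROUNDS = 50_000  # PBKDF2 iterations; an assumed value for this demo
# Constructed sample wordlist: stands in for the leaked lists the article
# mentions (real ones run to tens of millions of already-cracked passwords).
WORDLIST = ["password", "123456", "letmein", "qwerty", "iloveyou", "dragon"]

def fast_hash(pw: str) -> str:
    """Unsalted SHA-1: the kind of storage a precomputed table defeats."""
    return hashlib.sha1(pw.encode()).hexdigest()

def build_lookup(words):
    """Precompute hash -> plaintext once; the table then works against every
    site that stores the same unsalted hash (the rainbow-table idea)."""
    return {fast_hash(w): w for w in words}

def recover_unsalted(db, lookup):
    """db maps username -> unsalted hash; one dict lookup per user, no hashing."""
    return {user: lookup[h] for user, h in db.items() if h in lookup}

def slow_salted_hash(pw: str, salt: bytes, rounds: int = ROUNDS) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()

def recover_salted(db, words, rounds=ROUNDS):
    """db maps username -> (salt, hash). No precomputed table applies: every
    (user, guess) pair costs `rounds` iterations, so work grows with both."""
    found, work = {}, 0
    for user, (salt, h) in db.items():
        for w in words:
            work += rounds
            if slow_salted_hash(w, salt, rounds) == h:
                found[user] = w
                break
    return found, work

def demo():
    """Constructed leak: two users, one weak reused password, one strong."""
    users = {"alice": "letmein", "bob": "Tr0ub4dor&3"}
    unsalted_db = {u: fast_hash(p) for u, p in users.items()}
    salted_db = {}
    for u, p in users.items():
        salt = os.urandom(16)
        salted_db[u] = (salt, slow_salted_hash(p, salt))
    fast = recover_unsalted(unsalted_db, build_lookup(WORDLIST))
    slow, work = recover_salted(salted_db, WORDLIST)
    return fast, slow, work   # alice falls both ways; bob only costs time
```

The salted, slow scheme does not rescue alice's reused password; it only removes the precomputed shortcut and multiplies the attacker's cost per guess, which is why the site's hashing and the user's password choice both matter.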