2 weak passwords
6/18/2011 7:38:45 PM
I wish there were a version of ighashgpu or igrargpu for a Radeon HD 4250
6/18/2011 8:24:10 PM
Money's on China or corporate espionage.
6/18/2011 10:26:07 PM
Gonna have to start using random 10 digit passwords changed every 2 weeks.
6/19/2011 12:11:44 AM
What's the value in changing it often exactly?
6/19/2011 7:07:12 AM
If it takes 48 days to crack a 9-digit password like it says in the OP's link, changing it every 2 weeks would keep it protected.
6/19/2011 9:30:55 AM
true, assuming the hacker has access to these unsalted hashes and gives a fuck about your specific password to spend 48 days on it. seems unlikely to me.
6/19/2011 10:28:04 AM
i like to make up fake words to use as passwords, like gangsterificationistic [Edited on June 19, 2011 at 11:40 AM. Reason : .]
6/19/2011 11:40:28 AM
I just wanted to point out that the developer behind the largest bitcoin exchange decided to use md5 (which has been considered "broken" for years).

Oh and guess what the bitcoin community excels at more than anything else (collectively, 10 trillion times a second)?

HASHING
6/19/2011 6:51:55 PM
http://codahale.com/how-to-safely-store-a-password/

argument for using sloooow bcrypt implementations instead of the typical md5/sha algorithms
6/30/2011 11:18:10 PM
another password storage best practice article showed up in my feeds today

http://arr.gr/blog/2012/01/storing-passwords-the-right-way/ [Edited on February 7, 2012 at 2:52 PM. Reason : just cus i like stirring the salts in the db pot]
2/7/2012 2:51:43 PM
So, as a user, expecting stupid devs to do insecure things with your passwords...

How about a browser add-on that stores your own personal salt phrase in the browser add-on data. Then, when you go to a website and you start registering/signing up, in the "password" box you click, and then hit a button for this add-on, which pops up a text box that you type your *common* password into, and the add-on takes your common password, salts it with both the stored salt AND the domain name, and voila ... you have a way to store a unique password on every site, while still only remembering 1 single common password. Your browser could still save the password for you, and so you would not have to use the add-on except when registering/signing in the first time (or when you clear your passwords).

Any add-ons like this that people know of? [Edited on February 7, 2012 at 3:38 PM. Reason : .]
2/7/2012 3:36:30 PM
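The derivation the post above proposes, as an added example (not code from any add-on mentioned in the thread): the common password is stretched with PBKDF2 using the locally stored salt phrase plus the site's domain, so one remembered secret yields a different password on every site. The master password, salt phrase, domains and iteration count are constructed values.

```python
import hashlib
import string

# Constructed values: the salt phrase is what the proposed add-on would keep
# in its local data; the master password is the one thing the user remembers.
MASTER_PASSWORD = "correct horse battery staple"
SALT_PHRASE = "my-personal-salt-phrase-2012"

# Letters, digits and a few specials; pass a smaller charset for sites that
# reject special characters.
DEFAULT_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_site_password(master, salt_phrase, domain, length=16,
                         charset=DEFAULT_CHARSET, iterations=200_000):
    """Deterministically derive a per-site password from one master secret."""
    # Normalise so "Example.com" and " example.com " derive the same password.
    domain = domain.strip().lower()
    # Salt = personal phrase + domain: the same master yields unrelated
    # outputs per site, and PBKDF2 makes guessing the master from one
    # leaked site password slow.
    salt = f"{salt_phrase}|{domain}".encode()
    # One output byte per character (8 bits) covers any charset up to 256
    # symbols, so the base conversion below never runs out of entropy.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations,
                              dklen=length)
    # Convert the derived bytes to base len(charset); the bias from the
    # leftover bits is negligible for a password.
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(charset))
        out.append(charset[idx])
    return "".join(out)


if __name__ == "__main__":
    for site in ("example.com", "bank.example.org"):
        print(site, derive_site_password(MASTER_PASSWORD, SALT_PHRASE, site))
```

As the later replies note, the salt phrase must travel with the user: changing it (or losing it) changes every derived password.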
salting's generally done server side to add an extra layer of protection to the user's encrypted and stored password value... completely transparent to the user.

what you're proposing isn't really user friendly. think:

my tww password is "password123"

I have a new plugin/script/whatever that takes my value of "password123" and appends a string like... "tacobellisthebest1," but I - as the user - don't know what that string is.

If it's a locally contained script, with no web service to support it, then you can generally assume that the associative string used to salt your password is created and stored in plaintext/JSON/whatever. That's not secure. Not only that, but you'd lose the ability to log in to any websites when on a new machine.

I suppose if you had a webservice created to back it, it could be better implemented... but at that point you're talking about delays, timeouts, what happens when the site goes down for repairs (users can't log in to their other sites)

Overall it's better to encourage the right behavior from the start. Make webdevs salt their shit on the server side so the user doesn't have to worry about security. Or just use OAuth or OpenID [Edited on February 7, 2012 at 6:45 PM. Reason : .]
2/7/2012 6:44:49 PM
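The contrast the thread keeps drawing (unsalted md5 versus salted, deliberately slow server-side storage), as an added example that is not code from the linked articles: PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, and the iteration count and sample passwords are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed: tune so one verification costs roughly 100 ms on the server.
ITERATIONS = 200_000


def md5_unsalted(password):
    """What the thread criticises: one fast hash, no salt.

    Identical passwords give identical digests, so one GPU run or one
    precomputed table attacks every account in a dump at once.
    """
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password, iterations=ITERATIONS):
    """Per-user random salt plus a slow KDF, in a self-describing format."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def md5_guesses_per_kdf_guess(password="password123", sample=1000):
    """How many md5 guesses fit into the time of one salted PBKDF2 guess."""
    t0 = time.perf_counter()
    for i in range(sample):
        md5_unsalted(f"{password}{i}")
    md5_each = (time.perf_counter() - t0) / sample
    t0 = time.perf_counter()
    verify_password(password, store_password(password))  # two derivations
    kdf_each = (time.perf_counter() - t0) / 2
    return kdf_each / md5_each
```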
^^ Not exactly as described, but LastPass is very similar
2/7/2012 7:33:05 PM
^^ except for that you can't MAKE any devs do anything on the backend.

And actually, yes, you COULD use the same script on another machine, as long as you have the same strings being used for salts and the like.

Problem would be using an ipad or something that does not have the option of installing plugins ... you'd be out of luck, unless you could export to the ipad/iphone/(whatever non firefox/chrome supporting device) somehow to have them automatically saved.

Just a thought though ... if you could solve the multi-device "challenges", then I think it would be a reasonable solution.

Hackers typically won't have BOTH access to your local machine AND access to the password database they are hacking. And if they had access to your local machine, you'd be screwed anyhow.
2/8/2012 11:27:07 AM
all this security stuff makes me think of how stupid street lights are. you chase the bad guys off your block with streetlights, then so does everybody else, then there are streetlights everywhere (expensive btw), then the bad guys just get used to the streetlights. is there some esoteric term for this concept?
2/10/2012 11:29:02 PM
diminishing returns?
2/11/2012 12:02:02 AM
also possibly comparative advantage or tragedy of the commons
2/11/2012 4:18:58 AM
This thread reminded me how annoying it is when special characters aren't allowed in passwords on some banking/financial sites. WTF!
2/11/2012 4:59:14 PM
even deader: http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/
10/10/2013 9:28:58 PM
haven't read any of this. will my 21 character long password hold up?
10/10/2013 9:48:20 PM
mix of upper and lowercases? numbers? special characters?
10/10/2013 9:49:46 PM
all of the above, and it's legitimately just random as hell - don't ask me how i came up with it one day and actually remember it [Edited on October 10, 2013 at 9:55 PM. Reason : ]
10/10/2013 9:54:53 PM
it'll be fine until you use it on a site whose passwords get compromised, then you're just as fucked as if you used "ilovegoofybitch"
10/10/2013 11:18:24 PM
hahaha
10/11/2013 12:08:09 AM
i got norton
10/11/2013 6:11:54 AM
The link that lewisje posted is a must read. I just read this article and it is amazing and eye-opening. I recommend everybody should read it, including lay people.

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
For Ars, three crackers have at 16,000+ hashed passcodes—with 90 percent success.
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

It describes step by step how three password crackers cracked actual passwords from their hash codes easily, and they didn't even know which hash method was used to convert the passwords to the hash characters.

Conclusion? The only safe password is a string of at least 8 truly random characters. Like dk?,3/$V
10/11/2013 9:45:55 AM