User not logged in - login - register
Home Calendar Books School Tool Photo Gallery Message Boards Users Statistics Advertise Site Info
go to bottom | |
 Message Boards » » Strong passwords dead, killed by GPUs Page 1 [2], Prev  
ThePeter
TWW CHAMPION
37709 Posts
user info
edit post

2 weak passwords

6/18/2011 7:38:45 PM

lewisje
All American
9196 Posts
user info
edit post

I wish there were a version of ighashgpu or igrargpu for a Radeon HD 4250

6/18/2011 8:24:10 PM

Arab13
Art Vandelay
45180 Posts
user info
edit post

Money's on China or corporate espionage.

6/18/2011 10:26:07 PM

AndyMac
All American
31924 Posts
user info
edit post

Gonna have to start using random 10 digit passwords changed every 2 weeks.

6/19/2011 12:11:44 AM

EuroTitToss
All American
4790 Posts
user info
edit post

What's the value in changing it often exactly?

6/19/2011 7:07:12 AM

AndyMac
All American
31924 Posts
user info
edit post

If it takes 48 days to crack a 9 digit password like it says in the op's link, changing it every 2 weeks would keep it protected.

6/19/2011 9:30:55 AM

EuroTitToss
All American
4790 Posts
user info
edit post

true, assuming the hacker has access to these unsalted hashes and gives a fuck about your specific password to spend 48 days on it. seems unlikely to me.

6/19/2011 10:28:04 AM

TreeTwista10
minisoldr
148569 Posts
user info
edit post

i like to make up fake words to use as passwords

like gangsterificationistic

[Edited on June 19, 2011 at 11:40 AM. Reason : .]

6/19/2011 11:40:28 AM

EuroTitToss
All American
4790 Posts
user info
edit post

I just wanted to point out that the developer behind the largest bitcoin exchange decided to use md5 (which has been considered "broken" for years).

Oh and guess what the bitcoin community excels at more than anything else (collectively, 10 trillion times a second)?

HASHING

6/19/2011 6:51:55 PM

qntmfred
retired
40807 Posts
user info
edit post

http://codahale.com/how-to-safely-store-a-password/

argument for using sloooow bcrypt implementations instead of the typical md5/sha algorithms

6/30/2011 11:18:10 PM

qntmfred
retired
40807 Posts
user info
edit post

another password storage best practice article showed up in my feeds today

http://arr.gr/blog/2012/01/storing-passwords-the-right-way/

[Edited on February 7, 2012 at 2:52 PM. Reason : just cus i like stirring the salts in the db pot]

2/7/2012 2:51:43 PM

robster
All American
3545 Posts
user info
edit post

So, as a user, expecting stupid devs to do insecure things with your passwords...

How about a browser add on that stores your own personal salt phrase in the browser add-on data.

Then, when you go to a website, and you start registering/signing up, in the "password" box, you click, and then hit a button for this addon, which pops up a text box that you type your *common* password into, and the add on takes your common password, salts with both the stored salt AND the domain name and Voila ... you have a way to store a unique password on every site, while still only remembering 1 single common password. Your browser could still save the password for you, and so you would not have to use the add-on except when registering/signing in the first time (or when you clear your passwords).

Any add-ons like this that people know of?

[Edited on February 7, 2012 at 3:38 PM. Reason : .]

2/7/2012 3:36:30 PM

kiljadn
All American
44690 Posts
user info
edit post

salting's generally done server side to add an extra layer of protection to the user's encrypted and stored password value... completely transparent to the user.


what you're proposing isn't really user friendly.


think:

my tww password is "password123"

I have a new plugin/script/whatever that takes my value of "password123" and appends a string like... "tacobellisthebest1," but I - as the user - don't know what that string is.

If it's a locally contained script, with no web service to support it, then you can generally assume that the associative string used to salt your password is created and stored in plaintext/JSON/whatever. That's not secure.

Not only that, but you'd lose the ability to log in to any websites when on a new machine.


I suppose if you had a webservice created to back it, it could be better implemented... but at that point you're talking about delays, timeouts, what happens when the site goes down for repairs (users cant log in to their other sites)


Overall it's better to encourage the right behavior from the start. Make webdevs salt their shit on the server side so the user doesn't have to worry about security. Or just use OAuth or OpenID

[Edited on February 7, 2012 at 6:45 PM. Reason : .]

2/7/2012 6:44:49 PM

Punter16
All American
2021 Posts
user info
edit post

^^Not exactly as described, but LastPass is very similar

2/7/2012 7:33:05 PM

robster
All American
3545 Posts
user info
edit post

^^ except for that you cant MAKE any devs do anything on the backend.

And actually, yes, you COULD use the same script on another machine, as long as you have the same strings being used for salts and the like.

Problem would be using an ipad or something that does not have the option of installing plugins ... you'd be out of luck, unless you could export to the ipad/iphone/(whatever non firefox/chrome supporting device) somehow to have them automatically saved.

Just a thought though ... if you could solve the multi-device "challenges", then I think it would be a reasonable solution.

Hackers typically wont have BOTH access to your local machine AND access to the password database they are hacking. And if they had access to your local machine, youd be screwed anyhow.

2/8/2012 11:27:07 AM

jcgolden
Suspended
1394 Posts
user info
edit post

all this security stuff makes me think of how stupid street lights are. you chase the badguys off your block with streetlights, then so does everybody else, then there streetlightlights everywhere (expensive btw) then the badguys just get used to the streetlights. is there some esoteric term for this concept?

2/10/2012 11:29:02 PM

qntmfred
retired
40807 Posts
user info
edit post

diminishing returns?

2/11/2012 12:02:02 AM

lewisje
All American
9196 Posts
user info
edit post

also possibly comparative advantage

or tragedy of the commons

2/11/2012 4:18:58 AM

BIGcementpon
Status Name
11319 Posts
user info
edit post

This thread reminded me how annoying it is when special characters aren't allowed in passwords on some banking/financial sites. WTF!

2/11/2012 4:59:14 PM

lewisje
All American
9196 Posts
user info
edit post

even deader: http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

10/10/2013 9:28:58 PM

jaZon
All American
27048 Posts
user info
edit post

haven't read any of this

will my 21 character long password hold up?

10/10/2013 9:48:20 PM

ThatGoodLock
All American
5697 Posts
user info
edit post

mix of upper and lowercases? numbers? special characters?

10/10/2013 9:49:46 PM

jaZon
All American
27048 Posts
user info
edit post

all of the above

and it's legitimately just random as hell - don't ask me how i came up with it one day and actually remember it

[Edited on October 10, 2013 at 9:55 PM. Reason : ]

10/10/2013 9:54:53 PM

aaronburro
Sup, B
53137 Posts
user info
edit post

it'll be fine until you use it on a site whose passwords get compromised, then you're just as fucked as if you used "ilovegoofybitch"

10/10/2013 11:18:24 PM

jaZon
All American
27048 Posts
user info
edit post

hahaha

10/11/2013 12:08:09 AM

jcgolden
Suspended
1394 Posts
user info
edit post

i got norton

10/11/2013 6:11:54 AM

0EPII1
All American
42550 Posts
user info
edit post

The link that lewisje posted is a must read.

I just read this article and it is amazing and eye-opening. I recommend everybody should read it, including lay people.

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
For Ars, three crackers have at 16,000+ hashed passcodes—with 90 percent success.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/


It describes step by step how three password crackers cracked actual passwords from their hash codes easily, and they didnt even know which hash method was used to convert the passwords to the hash characters.

Conclusion? The only safe password is a string of at least 8 truly random characters. Like dk?,3/$V

10/11/2013 9:45:55 AM

 Message Boards » Tech Talk » Strong passwords dead, killed by GPUs Page 1 [2], Prev  
go to top | |
Admin Options : move topic | lock topic

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.
Powered by CrazyWeb v2.39 - our disclaimer.