ThePeter TWW CHAMPION 37709 Posts
2 weak passwords 6/18/2011 7:38:45 PM
lewisje All American 9196 Posts
I wish there were a version of ighashgpu or igrargpu for a Radeon HD 4250 6/18/2011 8:24:10 PM
Arab13 Art Vandelay 45180 Posts
Money's on China or corporate espionage. 6/18/2011 10:26:07 PM
AndyMac All American 31924 Posts
Gonna have to start using random 10-digit passwords changed every 2 weeks. 6/19/2011 12:11:44 AM
EuroTitToss All American 4790 Posts
What's the value in changing it often exactly? 6/19/2011 7:07:12 AM
AndyMac All American 31924 Posts
If it takes 48 days to crack a 9-digit password like it says in the OP's link, changing it every 2 weeks would keep it protected. 6/19/2011 9:30:55 AM
EuroTitToss All American 4790 Posts
True, assuming the hacker has access to these unsalted hashes and gives a fuck about your specific password to spend 48 days on it. Seems unlikely to me. 6/19/2011 10:28:04 AM
TreeTwista10 minisoldr 148569 Posts
I like to make up fake words to use as passwords
like gangsterificationistic
[Edited on June 19, 2011 at 11:40 AM. Reason : .] 6/19/2011 11:40:28 AM
EuroTitToss All American 4790 Posts
I just wanted to point out that the developer behind the largest bitcoin exchange decided to use md5 (which has been considered "broken" for years).
Oh and guess what the bitcoin community excels at more than anything else (collectively, 10 trillion times a second)?
HASHING 6/19/2011 6:51:55 PM
qntmfred retired 40807 Posts
http://codahale.com/how-to-safely-store-a-password/
Argument for using sloooow bcrypt implementations instead of the typical MD5/SHA algorithms 6/30/2011 11:18:10 PM
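To make the slow-hash argument concrete, here is an added example (not code from the linked article or from any exchange) of a salted, deliberately slow password record next to the unsalted MD5 the thread complains about. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, which is not in the stdlib; the record format `pbkdf2_sha256$iterations$salt$digest` and the 600,000 iteration count are my choices, not anything the article prescribes.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for new records. Raise it as hardware gets faster; records made
# with a lower factor are flagged by needs_rehash() and can be re-hashed at the
# user's next successful login. (Constructed value, not from the article.)
CURRENT_ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def unsalted_md5(password: str) -> str:
    """The scheme the thread complains about: same input gives the same digest
    for every user and every site, so one precomputed table covers a whole leak."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_b64$digest_b64.

    The salt is random per user, so equal passwords give different records, and
    the iteration count travels with the record so it can be raised later
    without breaking verification of old ones.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGO, iterations,
                            base64.b64encode(salt).decode("ascii"),
                            base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and work factor; constant-time compare."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


def needs_rehash(record: str) -> bool:
    """True when the stored record uses a weaker work factor than CURRENT_ITERATIONS."""
    algo, iterations, _, _ = record.split("$")
    return algo != ALGO or int(iterations) < CURRENT_ITERATIONS
```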
qntmfred retired 40807 Posts
Another password storage best practice article showed up in my feeds today
http://arr.gr/blog/2012/01/storing-passwords-the-right-way/
[Edited on February 7, 2012 at 2:52 PM. Reason : just cus I like stirring the salts in the db pot] 2/7/2012 2:51:43 PM
robster All American 3545 Posts
So, as a user, expecting stupid devs to do insecure things with your passwords...
How about a browser add-on that stores your own personal salt phrase in the browser add-on data.
Then, when you go to a website and start registering/signing up, you click in the "password" box and hit a button for this add-on, which pops up a text box that you type your *common* password into. The add-on takes your common password, salts it with both the stored salt AND the domain name, and voila ... you have a way to store a unique password on every site while still only remembering 1 single common password. Your browser could still save the password for you, so you would not have to use the add-on except when registering/signing in the first time (or when you clear your passwords).
Any add-ons like this that people know of?
[Edited on February 7, 2012 at 3:38 PM. Reason : .] 2/7/2012 3:36:30 PM
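Here is an added example of the derivation described in the post above; it is not code from any existing add-on. It computes a per-site password from the single common password, the add-on's locally stored salt phrase and the domain, so the same three inputs reproduce the same password on any machine while each domain gets a different one. PBKDF2-HMAC-SHA256 with 100,000 iterations, the 70-symbol alphabet and the 16-character length are my choices; the sample domains in the doc comments are constructed placeholders.

```python
import hashlib

# Symbols the derived site password may contain: upper, lower, digits and a few
# punctuation marks most sites accept. 70 symbols in total. (Constructed choice.)
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789!@#$%^&*")


def derive_site_password(common_password: str, salt_phrase: str, domain: str,
                         length: int = 16, iterations: int = 100_000) -> str:
    """Derive a per-site password from the one password the user remembers.

    The PBKDF2 salt is the add-on's stored salt phrase joined with the site's
    domain (normalised so "tww.example" and " TWW.EXAMPLE " agree), so every
    site gets a different password, yet the same inputs give the same result
    on any machine with no server involved. Because it is a pure function of
    its inputs, whoever holds the salt phrase and the common password can
    regenerate every site password; that stored phrase is the piece to protect.
    """
    salt = "%s|%s" % (salt_phrase, domain.strip().lower())
    key = hashlib.pbkdf2_hmac("sha256", common_password.encode("utf-8"),
                              salt.encode("utf-8"), iterations)
    # Map key bytes onto ALPHABET without modulo bias: reject bytes at or above
    # the largest multiple of len(ALPHABET) that fits in a byte (210 for 70
    # symbols), and stretch the key with a counter when more bytes are needed.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
        for b in block:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
    return "".join(out)
```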
kiljadn All American 44690 Posts
Salting's generally done server-side to add an extra layer of protection to the user's encrypted and stored password value... completely transparent to the user.
What you're proposing isn't really user-friendly.
Think:
My TWW password is "password123"
I have a new plugin/script/whatever that takes my value of "password123" and appends a string like... "tacobellisthebest1," but I - as the user - don't know what that string is.
If it's a locally contained script, with no web service to support it, then you can generally assume that the associative string used to salt your password is created and stored in plaintext/JSON/whatever. That's not secure.
Not only that, but you'd lose the ability to log in to any websites when on a new machine.
I suppose if you had a web service created to back it, it could be better implemented... but at that point you're talking about delays, timeouts, what happens when the site goes down for repairs (users can't log in to their other sites).
Overall it's better to encourage the right behavior from the start. Make webdevs salt their shit on the server side so the user doesn't have to worry about security. Or just use OAuth or OpenID.
[Edited on February 7, 2012 at 6:45 PM. Reason : .] 2/7/2012 6:44:49 PM
Punter16 All American 2021 Posts
^^ Not exactly as described, but LastPass is very similar 2/7/2012 7:33:05 PM
robster All American 3545 Posts
^^ Except that you can't MAKE any devs do anything on the backend.
And actually, yes, you COULD use the same script on another machine, as long as you have the same strings being used for salts and the like.
Problem would be using an iPad or something that does not have the option of installing plugins ... you'd be out of luck, unless you could export to the iPad/iPhone/(whatever non-Firefox/Chrome-supporting device) somehow to have them automatically saved.
Just a thought though ... if you could solve the multi-device "challenges", then I think it would be a reasonable solution.
Hackers typically won't have BOTH access to your local machine AND access to the password database they are hacking. And if they had access to your local machine, you'd be screwed anyhow. 2/8/2012 11:27:07 AM
jcgolden Suspended 1394 Posts
All this security stuff makes me think of how stupid street lights are. You chase the bad guys off your block with streetlights, then so does everybody else, then there are streetlights everywhere (expensive btw), then the bad guys just get used to the streetlights. Is there some esoteric term for this concept? 2/10/2012 11:29:02 PM
qntmfred retired 40807 Posts
Diminishing returns? 2/11/2012 12:02:02 AM
lewisje All American 9196 Posts
Also possibly comparative advantage
or tragedy of the commons 2/11/2012 4:18:58 AM
BIGcementpon Status Name 11319 Posts
This thread reminded me how annoying it is when special characters aren't allowed in passwords on some banking/financial sites. WTF! 2/11/2012 4:59:14 PM
lewisje All American 9196 Posts
even deader: http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/ 10/10/2013 9:28:58 PM
jaZon All American 27048 Posts
Haven't read any of this.
Will my 21-character-long password hold up? 10/10/2013 9:48:20 PM
ThatGoodLock All American 5697 Posts
Mix of upper and lowercase? Numbers? Special characters? 10/10/2013 9:49:46 PM
jaZon All American 27048 Posts
All of the above,
and it's legitimately just random as hell - don't ask me how I came up with it one day and actually remember it.
[Edited on October 10, 2013 at 9:55 PM. Reason : ] 10/10/2013 9:54:53 PM
aaronburro Sup, B 53137 Posts
It'll be fine until you use it on a site whose passwords get compromised, then you're just as fucked as if you used "ilovegoofybitch" 10/10/2013 11:18:24 PM
jaZon All American 27048 Posts
hahaha 10/11/2013 12:08:09 AM
jcgolden Suspended 1394 Posts
I got Norton. 10/11/2013 6:11:54 AM
0EPII1 All American 42550 Posts
The link that lewisje posted is a must read.
I just read this article and it is amazing and eye-opening. I recommend everybody should read it, including lay people.
"Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”. For Ars, three crackers have at 16,000+ hashed passcodes—with 90 percent success."
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
It describes step by step how three password crackers cracked actual passwords from their hash codes easily, and they didn't even know which hash method was used to convert the passwords to the hash characters.
Conclusion? The only safe password is a string of at least 8 truly random characters. Like dk?,3/$V 10/11/2013 9:45:55 AM