passwords

Discussion in 'Computer Science & Culture' started by leopold, May 5, 2014.

  1. leopold Valued Senior Member

    Messages:
    17,455
    everyone knows how important passwords are.
    some people might be surprised at how easily most passwords can be hacked.
    check out some combinations you would think secure:
    blog.kaspersky.com/password-check/*

    now for the good and bad news.
    some passwords are almost unhackable; the bad news is you can't remember them.
    check out some of these:
    https://www.grc.com/passwords.htm
    copy/paste some of the above into the checker
    refresh page for a different string.

    *edit:
    this is what appears in my address bar.
    i have no idea why it isn't hotlinking.
    apparently the forum software checks for the preceding www or http when auto linking.
    manually adding the URL tags fixes the problem
     
  3. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    There are a few "password management" programs you can pick up online which allow you to generate passwords and store them under one main password. They can be quite handy, although some sites and software attempt to stop the paste method from copying a password from one location and pasting it to another, which means you can sometimes still find yourself having to go through the process of typing it out by hand.

    While it would be great to have a 64 character password (or greater), it's not practical for most applications or even for use online, the reason for this is actually down to the limitations in the development of the application or the database where the password field is limited to a maximum number of characters. (Some sites will not allow more than 8 characters, others allow only up to 16 characters)
     
  5. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    There is a trend, I believe, towards using a separate set of username credos to the log on credos. So that the username field can also become a pseudo passwords field. Currently I am exploring the potential of this approach.
    That is to differentiate the credos you use to participate with from the credos you use to log on with.

    The above approach allows the user name to become a password field which means that a log on form contains two password fields instead of the typical one.
    Often people forget that the user name field has to be hacked as well.
    Example:
    log-on-name: 456H%-23#$""cv
    password: /*89Hhglmnd:&

    and by linking elements of both together for simultaneous submission exponentializes the hacking effort required to break in. [I believe]
     
  7. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    I used to use that method in a server environment. Sometimes people make mistakes in where they enter passwords, for instance in the username field, and this can be a problem if someone gains access to the logs. So if you have usernames that look like passwords, it's difficult to tell which username is actually a real one and which is a password entered by mistake.
     
  8. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    mistake! oh no... not allowed!

    hmmm... I guess the whole idea is simply to have two passwords, no username, and link those two passwords by some form of relationship.
    I am not suggesting that it makes it easier from a user perspective... but I believe it would be very effective against bots attempting to hack the log on form, as submission requires simultaneously applying both fields.
    If you are going to have to copy and paste one password then you may as well copy and paste two... is the rationale...

    The actual user name is then not linked directly to the passwords except by encryption [ back end ] and never entered into a log on form to avoid browser middle man thefts of username. [ which makes the actual username a third layer of protection]
    ...just thinking out loud...
     
  9. leopold Valued Senior Member

    Messages:
    17,455
    good point about the user name.
    but then again some sites use your email address as the logon name.
    banks probably will not refer to you as "5g&z!#mt"
    forums such as this one puts your logon name on every post.
     
  10. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Currently a major banking institution I use here uses a username that is a log on identity number. There is no mention of account number nor account title. There is no reason why web sites generally couldn't do this. Separating the log on identifier [username] from the actual participation name means that the log on credos become both password-type fields.

    ie:
    Web - bank Account id as a password [generated and controlled by the bank not the user] >>encrypted link to >>> username/account name [for participation]
    password [generated and controlled by the user>>encrypted link to >>>username/account name [ for participation]

    Therefore separating the log on from the actual membership.

    A popular online community software extension for the Joomla CMS package offers a pseudo set up that allows log on to be by username yet the member's real name is used during participation. [Of course they haven't attempted to encrypt or hide the relationship between username and real name, but I would imagine this would be reasonably easy to do (in this online community software at least, anyhow).]

    The Bank I mentioned uses a multi layered security approach, as do most online banks. It appears to work well and, whilst not making hacking impossible, it renders hacked returns minimal and increases the hacker's vulnerability significantly, to the point whereby any attempt to hack the Bank's interface is simply not worth the high risk and low returns, yet it retains a "genuine" customer friendly environment.
     
  11. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Using sciforums as an example, it is easy for a bot to crawl and collect username data and declare half the problem of hacking solved.
    If the username was cryptic and not used for anything else but log on, the hacker would not have this benefit of half his hacking challenge being handed to him on a plate.

    Of course this doesn't address the issue of how to remember log on credos and in fact makes it worse... however if you are going to keep a record in some form you may as well go all the way.
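The scheme discussed in posts 5, 8, 10 and 11 (a login identifier that is itself a server-issued secret, kept apart from the participation name) as an added example of what the back end would look like. This is not code from the thread, from the bank or from the Joomla extension mentioned. Assumptions made here: an in-memory dict stands in for the database, PBKDF2-HMAC-SHA256 is the password hash, and records are indexed by a keyed hash of the login id so that a dumped table does not hand the login ids to an attacker. The point a practitioner would want to check is in `login`: the two secrets only add up to "two passwords" if the server refuses to reveal which half was wrong, and the audit line never carries either field (Stryder's log problem in post 7).

```python
"""Login where the identifier is a server-issued secret, not the display name.

Added example; not code from the thread or from any product it mentions.
Assumed: in-memory dict as the database, PBKDF2-HMAC-SHA256 for the
password, HMAC-SHA256 with a server-side pepper as the lookup key.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000                  # assumed cost parameter
SERVER_PEPPER = secrets.token_bytes(32)  # would live in a secrets store, never in the DB


def _index_key(login_id: str) -> str:
    """Keyed hash of the login id, used as the lookup key in the table."""
    return hmac.new(SERVER_PEPPER, login_id.encode("utf-8"), hashlib.sha256).hexdigest()


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Used for unknown login ids so that a miss costs the same time as a hit.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _password_hash("", _DUMMY_SALT)


class AccountStore:
    def __init__(self) -> None:
        self._records = {}   # index key -> record
        self.audit = []      # constructed log lines; carry neither login id nor password

    def register(self, display_name: str, password: str) -> str:
        """Creates the account and returns the login id, which the server picks."""
        login_id = secrets.token_urlsafe(24)   # 192 random bits, shown to the user once
        salt = secrets.token_bytes(16)
        self._records[_index_key(login_id)] = {
            "display_name": display_name,
            "salt": salt,
            "pw_hash": _password_hash(password, salt),
        }
        return login_id

    def login(self, login_id: str, password: str):
        """Returns the display name on success, None otherwise.

        Both fields are verified on every attempt and the failure is identical
        whether the id or the password is wrong, so an attacker gets no way to
        confirm one half of the pair on its own.
        """
        record = self._records.get(_index_key(login_id))
        if record is None:
            salt, expected = _DUMMY_SALT, _DUMMY_HASH
        else:
            salt, expected = record["salt"], record["pw_hash"]
        pw_ok = hmac.compare_digest(_password_hash(password, salt), expected)
        ok = pw_ok and record is not None
        # Only a truncated keyed hash is logged: a password typed into the id
        # field by mistake cannot end up in the log.
        self.audit.append(f"login {'ok' if ok else 'fail'} key={_index_key(login_id)[:8]}")
        return record["display_name"] if ok else None


if __name__ == "__main__":
    store = AccountStore()
    login_id = store.register("leopold", "correct horse battery")
    print(store.login(login_id, "correct horse battery"))   # leopold
    print(store.login(login_id, "wrong"))                   # None
    print(store.login("not-a-real-id", "correct horse battery"))  # None
    print(store.audit)
```

Usage note: the display name is what the forum prints on every post (leopold's objection in post 9); the login id never appears anywhere except the login form, and the table key is a keyed hash of it, so a crawler of the site and a thief of the database each get only one side of the relationship.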
     
  12. R1D2 many leagues under the sea. Valued Senior Member

    Messages:
    2,321
    To me you all spoke a different form of English. But if I understand anything, I may need to rethink my passwords. But I had heard you need to alter your passwords once in a while. And use "signs" and letters and numbers. And write it down somewhere. The military has some guidelines, I was told. And big companies.
     
  13. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    Passwords being changed is really about changing in case either someone is able to cache a copy of your hash (encoded form of password) or someone has attempted to attack it prior (resetting the password can reduce the chances of them ever guessing it). However, the actual point of a password being reset can also be misused to undermine the password itself. Imagine if a person was to maliciously rewrite the reset form to replace all passwords with "0000"... they'd be in everything if everyone reset their passwords once every 30 days.

    Corporations, Governments and Militaries do have guidelines, however it's always a balance of ease of use versus security when it comes to how closely those guidelines are followed. If something is supposed to be secure then they will likely be sticklers to follow the guidelines (or better them); however if it "seems pretty secure" in an office they might skip a few important security protocols to save time.
     
  14. leopold Valued Senior Member

    Messages:
    17,455
    i posted this thread mainly because it's a good way of locking down your WIFI.
    the random password generator is, well, random AND unique.

    playing with the checker gives some interesting results.
     
  15. mapsdnasggeyerg fubar Registered Senior Member

    Messages:
    63
    That password checker also displays some interesting behaviour.
    With one password I was trying it said it could brute force it in 2 centuries but I just added another letter and then it could brute force it in 77 years.
    For fun I added a non-ASCII character ä and then it was 10000+ centuries

     
  16. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    Passwords tend to be converted into a hash string of a predefined length. If it's just an MD5 hash that might only be 12-15 characters. This means that if you create a string of any length it won't increase or decrease beyond that character limit, so while you might assume adding a character will make a stronger password, it can, based upon the cryptology used, make it weaker.

    The higher number of "bits" assumes a larger hash, again depending on the strength of the cryptology algorithm itself, a password that would seem naturally complex can appear to the backend as something less than so.
     
    Last edited: Jun 19, 2014
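An added example for posts 1, 14, 15 and 16: a local CSPRNG password generator of the kind grc.com offers, a plain search-space estimator of the kind the Kaspersky checker approximates, and a check of what a fixed-length hash actually does to the attacker's work. This is not code from the thread, from grc.com or from the checker. The guessing rate, the character classes and the 128-character allowance for a non-ASCII letter like "ä" are assumptions made for the example. Under this pure search-space model the estimate is monotone in length (adding a character of a class already present can only raise it), and the digest size only caps the attacker's work at the hash's own bit length; it never lowers the cost of a longer password.

```python
"""Random passwords, brute-force cost and fixed-length hashes.

Added example; not code from the thread, grc.com or the Kaspersky checker.
Assumed: guessing rate, character classes, non-ASCII class size.
"""
import hashlib
import math
import secrets
import string

# Character classes; the search space is the union of the classes actually
# present in the password, which is what a brute-force attacker must cover.
CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation)
NON_ASCII_CLASS_SIZE = 128   # assumption: Latin-1 supplement for a char like "ä"
GUESSES_PER_SECOND = 1e10    # assumption: offline attack against a fast hash


def generate(length: int, alphabet: str = "".join(CLASSES)) -> str:
    """CSPRNG password over `alphabet` (94 printable ASCII chars by default)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space_bits(password: str) -> float:
    """log2 of the number of strings an attacker must try to exhaust the space."""
    if not password:
        return 0.0
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if any(ord(c) > 0x7F for c in password):
        size += NON_ASCII_CLASS_SIZE
    return len(password) * math.log2(size)


def brute_force_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to exhaust the whole space at `rate` guesses per second."""
    return 2 ** search_space_bits(password) / rate / (365.25 * 86400)


def digest_hex_length(password: str, algo: str = "md5") -> int:
    """The stored hash has the same length whatever the password length
    (MD5 is 128 bits = 32 hex characters; SHA-256 is 64 hex characters)."""
    return len(hashlib.new(algo, password.encode("utf-8")).hexdigest())


def effective_bits(password: str, algo: str = "md5") -> float:
    """Attacker work is bounded by the smaller of the password space and the
    digest size; a longer password can raise the first term but lowers neither."""
    return min(search_space_bits(password), hashlib.new(algo).digest_size * 8)


if __name__ == "__main__":
    for pw in (generate(16), "abcdefgh", "abcdefghi", "passwordä", "a" * 100):
        print(f"{pw!r:>24}  {search_space_bits(pw):6.1f} bits  "
              f"{brute_force_years(pw):.3g} years  md5 hex len {digest_hex_length(pw)}")
```

Usage note: run the script and compare the "abcdefgh" and "abcdefghi" rows; the second is 26 times the first. The "ä" row jumps because the assumed alphabet grows from 26 to 154 characters for every position, which is the same effect the checker in post 15 shows, only with an explicit and adjustable assumption behind it.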
  17. Andrus Registered Member

    Messages:
    19
    It's a pity how vulnerable people are due to using simple passwords.

    Number one suggestion is perhaps to invent yourself long AND absurd passwords.
    Easiest to remember would be if you combine things that are not combined in real life.
    E.g. CosmicYellowPiggyThinksBumpyBeforeSand
    NB: please do not use this as your password

    Even if you combine it with a service name where you log into then it's still fairly good - hard to both break and guess, but still possible to remember.

    More suggestions could be:
    1. always have unique password for your e-mail, bank-account and other sites where a real damage can happen to you. E-mail account is important because it can be used to detect or reset passwords on other services you use.
    2. always check the address-bar of your browser before entering any password. E.g. something like "gmail dot com dot nz" is NOT Gmail.
    3. never enter your password elsewhere in the internet than the service where you want to login. Not Kaspersky nor web search.
    4. do not allow your browser to save passwords.
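Suggestion 2 above ("gmail dot com dot nz" is not Gmail) as an added example of the check a browser extension or a password manager's autofill logic would perform before releasing a password. It is not code from the thread. It assumes the trusted domain is a single registrable domain such as "google.com"; a real implementation also needs the public suffix list so that domains like "example.co.uk" are handled correctly. The sample URLs are constructed for the example.

```python
"""Is this URL really the service I mean to log into?

Added example; not code from the thread. Assumes a single registrable
trusted domain (no public suffix list). Sample URLs are constructed.
"""
from urllib.parse import urlsplit


def host_belongs_to(url: str, trusted_domain: str) -> bool:
    """True only if the URL is https and its host is trusted_domain or a subdomain of it.

    The comparison is on whole labels, so "gmail.com.nz" and
    "accounts.google.com.evil.example" are rejected, as is
    "google.com@evil.example", where "google.com" is userinfo and the real
    host is "evil.example".
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    trusted = trusted_domain.lower().rstrip(".")
    if parts.scheme != "https" or not host or not trusted:
        return False
    return host == trusted or host.endswith("." + trusted)


# Constructed samples, including the lookalike from the post; value = expected verdict.
SAMPLES = {
    "https://mail.google.com/mail/u/0/": True,
    "https://GOOGLE.COM./": True,
    "https://gmail.com.nz/login": False,
    "https://accounts.google.com.evil.example/": False,
    "https://google.com@evil.example/": False,
    "https://notgoogle.com/": False,
    "http://google.com/": False,
}


def check_samples(trusted_domain: str = "google.com") -> dict:
    """Verdict for every sample URL against the trusted domain."""
    return {url: host_belongs_to(url, trusted_domain) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{'OK  ' if verdict else 'STOP'} {url}")
```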
     
  18. Syzygys As a mother, I am telling you Valued Senior Member

    Messages:
    12,671
    How can they try passwords when most services lock you out after X bad tries? And if they use other methods to get your password, then making it complicated won't save you...
     
  19. Andrus Registered Member

    Messages:
    19
    It's like driving a car - you can only reduce risks but never bring them to zero.
     
  20. leopold Valued Senior Member

    Messages:
    17,455
    you forgot one.
    routinely change your password.
    the perfect option would be every time you used the password, in other words use the password only once.
    this isn't practical.
    the next best option would be every day or week.
    the less you use a particular password the less chance it has of being deciphered.
    changing your password routinely, and often, makes it possible to use "less secure" passwords and still maintain a high level of security.
     
  21. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    Well... you can actually make it so you use your passwords only once, and that they are randomly generated.

    The problem is, it requires you to keep your phone/pda on you as a "master key" that generates the new, random passwords every time... and GOD HELP YOU if you lose it or it is stolen...
     
  22. leopold Valued Senior Member

    Messages:
    17,455
    this would be okay for a small number of passwords, say 2 or 3.
    changing your password isn't always as simple as typing in the new "word".
    you have to visit the site, and login, then you need to confirm who you are.
    you might get an email as "talk back" that you need to respond to.
    only then are you allowed to change it.
     
  23. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    *nods* On most sites, this can be done in a few seconds... multiply that by the 10-20 sites many people visit each day that require a login ... yeah, it gets bad quick!
     
