how secure is your password?

  • how secure is your password?

    according to this article
    http://www.baekdal.com/articles/usab...ity-usability/

    passwords don't have to be as complex as a lot of people think.

    I think it's also a good read.

  • #2
    Re: how secure is your password?

    There are a couple things wrong with this:

    1. The author assumes that the supposed hacker's machine can only make 100 guesses a second. That is incredibly slow. Say "One one-thousand" in your head. That was about a second. A proper computer can generate plenty of guesses in that time frame. Proper computers, such as one that is completely dedicated to cracking a password, can easily do several hundred in a second.

    2. The author assumes that the password is a password to get into something, not a key of any sort, and that there can be a possibility of a delay. What if you are encrypting something, such as a file on your file system or a file being sent over a network? No such delay can be added because the hacker will be using their own software that they wrote themself. This makes cracking much easier.

    Edit: 3. The author also assumes that the dictionary attack will go alphabetical. A smarter dictionary attack will start with smaller words and work up to larger words, so finding "sun" will take much, much less than one hour.


    The average person often confuses a key with a password. The kind of people that read the article are average people. The author hasn't acknowledged the difference between a password and a key, so he subtly makes the reader believe that a three-word dictionary key is better than any hacker can crack. A proper filesystem will encrypt everything using a key created by the user. To the average user's eyes, this key is just a password. The same goes with files being sent over a network. When you sign into Gmail, you enter a password. This password is also a key that you and Google use to encrypt and decrypt the files being sent and retrieved.



    A proper password isn't hard to remember at all. Just make up an 8-character phrase in your head (numbers and letters, or if you are really smart, numbers, letters, and a symbol). Type it out, make one or two letters capitalized, and spend the next ten minutes reciting it either out loud or in your head. Since you made it up in the first place, you will have an easier time remembering it than if someone shouted it in your face.

    BTW, I use a few keys, all eight-characters long, including upper and lowercase letters, numbers, and symbols. One of them I can type with either both hands or just my right hand. With only my right hand it is a little awkward, but it makes life much easier when you just want to sit down and get going. I don't have to move my whole body, which is nice.
    Last edited by Waldo_II; 04-04-2009, 04:18 PM. Reason: Editing for wording, I reread the article a few times and had to change some stuff around.
    Waldo II

    Comment


    • #3
      Re: how secure is your password?

      As Waldo_II says, using a pass phrase would be a better form of protection, such as *Iom4T3*, which actually says "I am 43" or something, or \\MyyP8TIsM00Lie//, which means "my pet is molly".
      Think of a phrase and change some of the letters for numbers and use symbols also; this will make it easier to remember until you get used to typing it in.
      It also takes a very long time to crack such pass phrases, because the software has to go through every number, letter and symbol. It will also do a dictionary attack, which looks for words in the dictionary, so if you change how the words are spelt by replacing letters with numbers it will be so much harder to crack.

      This would be a great password 1258744*/*-/+8898/fsdgereyuTGER8796i][-= but also impossible to remember..

      Comment


      • #4
        Re: how secure is your password?

        Those are all fair points, Waldo.

        Originally posted by Waldo_II:

        1. The author assumes that the supposed hacker's machine can only make 100 guesses a second. That is incredibly slow. Say "One one-thousand" in your head. That was about a second. A proper computer can generate plenty of guesses in that time frame. Proper computers, such as one that is completely dedicated to cracking a password, can easily do several hundred in a second.

        If you re-read the article you will note, however, that the author states that
        "the actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second."
        meaning it is not the hacker's machine (which probably can handle 1000's of attacks a second) that can only do 100 or so a second. Rather, the web application for the login would only be able to handle around 100 or so attempts a second.

        As I said above though, your comments are very good. Just thought some people might like to see this.

        Comment
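Posts #2 and #4 disagree about which guess rate applies, and that single assumption decides whether a password "takes an hour" or "takes years". The following Python calculator is an added example, not code from the thread or from the linked article: it converts a password policy into a search space and expected crack time under the article's 100 attempts/second online figure and under an assumed offline rate, and it also shows why a shortest-first wordlist reaches a word like "sun" much sooner than the alphabetical order the article assumes. The offline rate, the 10,000-word dictionary size and the eight-word list are constructed for illustration.

```python
import math

# Assumed guess rates (illustrative): 100/s is the online figure the linked article
# cites for a web login; the offline rate is a constructed placeholder for an attacker
# testing guesses against captured data on their own hardware, with no login throttle.
ONLINE_RATE = 100
OFFLINE_RATE = 1_000_000

# Symbol-set sizes for common password policies.
ALPHABETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "mixed case+digits+symbols": 95,  # printable ASCII
}

# Constructed mini wordlist standing in for a dictionary-attack input.
WORDS = ["apple", "sun", "zebra", "moon", "at", "banana", "sunshine", "a"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    """Distinct phrases of `words` words, each chosen from a dictionary of the given size.
    An attacker who knows the scheme searches this space, not the character space."""
    return dictionary_size ** words


def entropy_bits(space: int) -> float:
    """Search space expressed in bits; each extra bit doubles the attacker's work."""
    return math.log2(space)


def expected_seconds(space: int, rate: float) -> float:
    """Expected time to hit the right guess: on average half the space is searched."""
    return space / 2 / rate


def crack_times(space: int) -> dict:
    """Expected seconds under the online (rate-limited) and offline assumptions."""
    return {
        "bits": round(entropy_bits(space), 1),
        "online_seconds": expected_seconds(space, ONLINE_RATE),
        "offline_seconds": expected_seconds(space, OFFLINE_RATE),
    }


def dictionary_position(word: str, wordlist: list, shortest_first: bool = False) -> int:
    """1-based position at which a dictionary attack reaches `word`.
    Alphabetical order is the article's assumption; shortest-first is the
    ordering post #2 describes as smarter."""
    key = (lambda w: (len(w), w)) if shortest_first else None
    return sorted(wordlist, key=key).index(word) + 1


if __name__ == "__main__":
    # Post #2's recommendation: 8 characters from the full printable set.
    print("8 chars, full set:", crack_times(keyspace(ALPHABETS["mixed case+digits+symbols"], 8)))
    # The article's style: three words from a dictionary (size is an assumed 10,000).
    print("3 dictionary words:", crack_times(passphrase_keyspace(10_000, 3)))
    # A short lowercase word, searched two ways.
    print("'sun' alphabetical:", dictionary_position("sun", WORDS))
    print("'sun' shortest-first:", dictionary_position("sun", WORDS, shortest_first=True))
```

The point the numbers make is that the defender controls only the online rate (by throttling and lockout at the login endpoint); once a hash or ciphertext is in the attacker's hands, only the size of the space and the cost per guess remain.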


        • #5
          Re: how secure is your password?

          Originally posted by Waldo_II: [post #2 quoted in full]
          qft. nice post


          Comment


          • #6
            Re: how secure is your password?

            The thing that continues to rack my brain is how paranoid people are about their home computers. If you run a business that someone might want to exploit or are a government agency, then sure, you'd have perfect cause to be slightly paranoid. But for your average joe, it really doesn't matter.

            Take my parents for example. They are SUPER paranoid. Here's how they have everything set up:
            -Windows XP with windows firewall turned on.
            -Password jumbler software with physical dongle that displays the randomly generated password that is changed for windows logon every 4 hours.
            -Third party firewall program.
            -McAfee AND Norton Systemworks both set to do full system scans 2x per day.
            -Spybot set to do system scans at least once per day, in addition to the registry monitor option.
            -Linksys router sporting 128-bit key encryption and a randomly generated 26-character (letters and numbers, case sensitive) password to login.
            -Router set to manual IP filtering, as well as MAC address filtering.
            -Router firewall turned on.

            All of that for their personal computer. Now, you might be wondering, are my parents spies? High profile wall-street traders? Banking executives? No. They're retired naval officers who keep nothing more on their computer than emails and family pictures, with maybe the occasional funny video they download. Hell, my mom won't even use her real credit card when ordering stuff online; she gets those temporary net-card numbers that the bank will give you for more "secure" transactions. Yet, for some reason, they're super paranoid that someone is going to "hack" their computer.

            I see this as an ever growing trend amongst people, especially in light of things like this latest worm that was supposed to activate on April Fools' Day (can anyone say "Y2K bug"?) and destroy everything.

            Me, I have all kinds of stuff on my system. I run a web design business in my spare time for pocket money (and to keep myself occupied when I'm not working or gaming). But my security is simple and has never run into any kind of problems or attacks:
            -Vista with automatic updates that run every day at 4am.
            -8 character password for windows with numbers and case sensitive lettering.
            -Systemworks that scans once a week.
            -Spybot that scans once a week.
            -Oh, and I dump my cookies and history with cleansweep once a week.

            It's simple. It's effective. It's maintenance free. I guess I just don't understand paranoia. Maybe if you're someone who goes to "questionable" websites all the time or downloads lots of stuff from non-secure places, then you might have to worry about viruses. But as far as an all-out attack on your system? Come on folks, the reality is, you're just not that important. Minimal security is just fine.

            Comment


            • #7
              Re: how secure is your password?

              Just send your passwords to me along with your user name and the website/service that you use them for and I'll let you know how secure they are. I usually charge thousands for this service but for you...it's free as long as you act NOW. This offer is valid within the next 12 hours, then this message will self destruct to protect your privacy.

              Comment


              • #8
                Re: how secure is your password?

                Originally posted by Ferris Bueller:
                -Windows XP with windows firewall turned on.
                -Password jumbler software with physical dongle that displays the randomly generated password that is changed for windows logon every 4 hours.
                -Third party firewall program.
                -McAfee AND Norton Systemworks both set to do full system scans 2x per day.
                First off, don't run two firewalls and two AV programs at the same time. More than likely, they'll cancel each other out and then crap will fly right through and infect the system.

                Secondly, there is no need for a physical key scrambler/jumbler dongle that changes the Windows logon password every 4 hours. It's not like their computer holds all of the answers to life and death.
                |TG-18th| Acreo Aeneas
                TG World of Tanks Clan Executive Officer
                Former 9th & 13th

                Pronunciation: Eh-Cree-Oh Ah-Nay-Ess
                Still can't say it? Call me Acorn then. -.-

                SSDs I Own: Kingston HyperX 3K (240 GB), Samsung 840 Pro (256 GB), Samsung 840 EVO (250 GB), Samsung 840 x 2 (120 GB), Plextor M5S (120 GB), OCZ Vertex (30 GB)

                TG Primer and Rules

                Comment


                • #9
                  Re: how secure is your password?

                  That's my point entirely, but the sales pitch of the computer security industry is "more is better!" and people buy into it, especially people with absolutely no computer literacy, such as my parents. It's absolutely ridiculous.

                  Comment


                  • #10
                    Re: how secure is your password?

                    I wanted to post this as I've found this tool to be fairly handy when I create a new password for some new account or for a hidden volume.

                    It gives you a percentage score as you type and has a chart that explains why your given password is so weak or so strong. Using "l33t" speak passwords with special symbols tends to give you a near perfect to perfect score.

                    Comment


                    • #11
                      Re: how secure is your password?

                      Use a pass phrase and you are about as safe as you can get.

                      One I have used in the past was "ItIsNotForYouToDecide"

                      It won't succumb to dictionary or rainbow hash cracking. Easy to remember as well. To make it even harder do "iTIsNotForYouToDecidE" but I don't bother with it.

                      Ferris makes a very valid point. They are not going to attack an individual. What they will do is try to make your computer into a zombie. Even then they are not really interested in YOUR computer or your stuff. Criminals do not work hard unless there is a very big payoff. They attack the point of least resistance.
                      I'm not racist, I have republican friends. Radio show host.
                      - "The essence of tyranny is the denial of complexity". -Jacob Burkhardt
                      - "A foolish consistency is the hobgoblin of little minds" - Emerson
                      - "People should not be afraid of its government, government should be afraid of its People." - Line from V for Vendetta
                      - If software were as unreliable as economic theory, there wouldn't be a plane made of anything other than paper that could get off the ground. Jim Fawcette
                      - "Let me now state what seems to me the decisive objection to any conservatism which deserves to be called such. It is that by its very nature it cannot offer an alternative to the direction in which we are moving." -Friedrich Hayek
                      - "Don't waste your time on me, you're already the voice inside my head." Blink 182 to my wife

                      Comment


                      • #12
                        Re: how secure is your password?

                        Originally posted by Ferris Bueller:
                        Maybe if you're someone who goes to "questionable" websites all the time or downloads lots of stuff from non-secure places, then you might have to worry about viruses. But as far as an all-out attack on your system? Come on folks, the reality is, you're just not that important. Minimal security is just fine.
                        True, those who visit questionable sites are most at risk.

                        But you are that important. Or rather, your machine is. Russian mobsters want your machine as a zombie to send their spam. That's the major cause of infections these days.

                        The other big one is keyloggers to steal World of Warcraft passwords. Scammers will strip a character of all his belongings to convert to game gold, send the gold to another toon, and then sell that gold online (a violation of the game's ToS, BTW).

                        The recent vulnerability in Adobe Acrobat Reader was found to be used to target online stock traders. The exploits that had been found were all targeted at that specific class of user.
                        Dude, seriously, WHAT handkerchief?

                        snooggums' density principal: "The more dense a population, the more dense a population."

                        Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."

                        Comment


                        • #13
                          Re: how secure is your password?

                          Originally posted by browna3:
                          Those are all fair points, Waldo.

                          If you re-read the article you will note, however, that the author states that
                          meaning it is not the hacker's machine (which probably can handle 1000's of attacks a second) that can only do 100 or so a second. Rather, the web application for the login would only be able to handle around 100 or so attempts a second.
                          That isn't how it works, bro. What hackers try to do is instead of logging into an account, cracking or using a password, they capture data packets that have already been sent out, they copy them, and then they let them on their merry little way so nobody thinks anything wrong has happened. These packets are encrypted, and that is where they do their decrypting. What they are decrypting is the key.

                          Think about my Gmail reference. They aren't going to keep guessing in the password field until they get it right. They are going to wait for the user to send an outgoing packet to Google, they will copy it, let it go, and they will take that packet and decrypt that. The packet could be anything from telling Gmail that you want to change the user interface from the "beach" theme to "blood'n'gore", or it could be an email, or a message telling Google that you want to log out.

                          If someone was accessing something that is unencrypted, such as Facebook (hell, maybe Facebook is encrypted. I don't use it, I can't imagine it would be), then they first are sending information out to the people (servers) at Facebook.com saying "I want to login with the username "hottotallyover18girl" and the password "1031995"". Now, this may be encrypted with the password itself, or it could be unencrypted (which is stupid). If Facebook.com says "Yes, you are right, those are the correct credentials," then those servers will allow you to access the pages that you are requesting. This is a scenario of a password. It might be a key at some point, but it is basically a password. If a hacker wanted to hack into "hottotallyover18girl's" account, they would intercept the original packet, copy it, send it on its way, and then look at the packet, and then easily figure out the password, put porn on the man's account, and ruin his life forever.




                          Another important issue that I didn't address in my first post. I am ashamed I didn't address it earlier. The author assumes that the hacker either doesn't know the method of encryption being used, or that the method used cannot be cracked, or they don't have the resources to crack it. More often than not, the method of encryption is not complex, and the hacker can easily crack the password using one of many different techniques developed for that method of encryption. A longer, more advanced (random) password will take longer to crack than a longer, simpler password (such as a few short dictionary words strung together). "AjFj56^" will take much longer to crack than "chinese", or "chinesepeople." Any password consisting of dictionary words is incredibly easy for a proper hacker to crack.
                          Waldo II

                          Comment


                          • #14
                            Re: how secure is your password?

                            I don't see how a "hacker" (stop using hacker...cracker is more correct) would know which specific algorithm a website is using for encryption if it isn't posted somewhere. Maybe you could explain it.

                            Also, a website may use something stronger than the industry standard 128-bit SSL like 256-bit AES Blowfish to encrypt user passwords and information.

                            Comment


                            • #15
                              Re: how secure is your password?

                              Originally posted by Acreo Aeneas:
                              I don't see how a "hacker" (stop using hacker...cracker is more correct) would know which specific algorithm a website is using for encryption if it isn't posted somewhere. Maybe you could explain it.

                              Also, a website may use something stronger than the industry standard 128-bit SSL like 256-bit AES Blowfish to encrypt user passwords and information.
                              Yeah, I cringed every time I used "hacker." I figured that the word would give people a better idea of the kind of person who would crack keys and passwords because of how the word has been used in today's culture. Plus, using "cracker" implies that the person doing the cracking is white :)

                              I don't know a whole lot about encryption, although I do know much, much more than what 95% of people do. I'm sure that the cracker can find out the method of encryption by studying the information. I'm sure that a file that has been encrypted with Blowfish will look much more different than that same file encrypted with AES or MD5.


                              My knowledge of the subjects extends to about this far, I'm afraid. Much of what I know I learned from a friend of mine (ultra-genius, used/abused/explored Linux since like the fourth grade, he got me onto Linux myself), via long conversations on the subject. A bit of my knowledge comes from light Wikipedia readings, or short inquiries on the web. If I had inquired as to more specific detail, understanding of it would require much more knowledge than I have already.
                              Waldo II

                              Comment
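Posts #2, #13 and #14 circle around what a service should do with the credential it receives. As an added example, not code from the thread, here is the defender's side of that question in Python: the server never stores the password or an "encryption" of it, but a per-user salted, deliberately slow PBKDF2-HMAC-SHA256 hash, and it verifies with a constant-time comparison. The iteration count is an assumed value, and the benchmark function shows why it matters: every offline guess against a stolen record costs the attacker the same stretched computation, which is how a defender imposes per-guess cost even when, as post #2 notes, no login-side delay applies to offline attacks. The test password is the passphrase post #11 mentions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed work factor: choose the largest value your login latency budget tolerates.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.
    A fresh random salt per user defeats precomputed (rainbow) tables and makes
    identical passwords produce different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than current policy,
    so it can be upgraded transparently on the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Rough local measurement of how many password guesses per second this
    machine can test at a given work factor (what an offline attacker faces
    per core, before any hardware advantage)."""
    salt = b"\x00" * 16  # fixed salt: only the per-guess cost is being measured
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_password("ItIsNotForYouToDecide")
    print(record)
    print("correct:", verify_password("ItIsNotForYouToDecide", record))
    print("wrong:  ", verify_password("itisnotforyoutodecide", record))
    # Stretching in action: raising iterations 100x cuts the attacker's rate ~100x.
    for n in (1_000, 100_000):
        print(f"{n:>7} iterations: ~{guesses_per_second(n):,.0f} guesses/s on this machine")
```

Two design choices are worth noting: the record carries its own algorithm and iteration count so the policy can be raised later without a migration flag day (see `needs_rehash`), and the comparison is constant-time so a verification endpoint does not become an oracle for the digest bytes. Password hashing does not replace transport encryption; it limits the damage when the stored records, rather than the packets, are what leaks.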
