
Largest-ever password study: We are all idiots

Discussion in 'Tech Talk - Gadgets, Gizmos and Technology' started by Mark Holtz, Jun 2, 2012.

  1. dpeters11

    And turn off WPS if it actually lets you.
     
  2. Laxguy

    For an encryption challenged user, can you 'splain why WEP is no good? I use WPA2-PSK [AES], with about 19 chars and numbers, but can you teach me how to get into a WEP system when I need to? :D
     
  3. Shades228

    Normally I would PM this however it's more to show why WEP sucks than it is to show someone how to hack.

    WEP keys are broadcast as part of the network. With the correct applications running you will eventually just sniff out the key. It takes about 5-10 minutes at the most.

    If you want to test how easy it is, set up a WEP key and then use a computer not connected with http://www.aircrack-ng.org/doku.php (Linux based).
     
  4. phrelin

    Problem is, I keep readin' about thieves accessing personal data from sites protected by "some of them there fancy encryption and firewall systems" because some moron working for the company downloads data to his laptop and leaves it at a Starbucks.

    Limits to my ability to remember and manage several hundred passwords seem to be growing as I age. There are a large number of sites on which I use a relatively simple password. There's nothing there to be gained by signing in as me. For instance, you could post here as me.

    Yes, there are a relatively small number of sites on which I use more sophisticated passwords. One could gain something by signing in as me. Daily monitoring bank, credit, and other financial account activity still seems like the best protection.
     
  5. Mark Holtz

    I use the KeePass password manager. The password file is stored on a USB stick, and backed up to a hard drive AND my Dropbox.
     
  6. dmspen

    When I was given access to a NASA network, our pass PHRASE had to be a minimum of 52 characters. No other requirements such as upper/lower case, numbers, etc.

    Most people had phrases like, "I hate typing in this very stupid and long pass phrase into the computer"

    Running through a standard cyclic algorithm, this phrase would take a VERY long time to guess, in fact...26.65 million trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries.
     
  7. Nick

    I don't think we have that much time left.
     
  8. Steve

    Don't discount Moore's law, Nick. In 2 years, it'll only take half that time to crack it! :p
     
  9. Mark Holtz

    There are enough people out there that think that Fluffy1956! is a secure password.

    Now, to convince battle.net that 14 characters is too short of a password.... and that case sensitivity DOES matter.
     
  10. dpeters11

    One of the experts like Wilbur can confirm or tell me I'm wrong, but I'm always afraid that if a site only allows that length of password, or strips out case, that they don't store it encrypted. If they hashed it with sha-256 (or something similar), what I use as a password shouldn't matter. They'd store 256 characters of "garbage".
     
  11. James Long

    The less one knows about the password the better.
    A set length or maximum length makes it easier to figure out.

    One thing not mentioned so far is the lockout of accounts if bad passwords are used. That "million year" password hunt stretches out if people are locked out after a certain number of bad attempts. Of course, that does open up the person being attacked to personal denial of service attacks.
     
  12. dpeters11

    The lockout time only helps with online attacks.
     
  13. Renard

  14. Mark Holtz

    The funny part is that I also have a password card on my cell phone for the times when I can't use KeePass (like logging into my computer at work).

    Oh well, here is a file of amusement.... the 10,000 most commonly used passwords.
     
  15. phrelin

    I've never figured out why all sites for both sign-in names and passwords don't accept the full combination of keyboard upper and lower case letters plus numbers and symbols effectively distinguishing between upper and lower case.

    And then there's all those sites that require you to use your email address as your sign in....
     
  16. dpeters11

    Some of it I think may be reducing calls to support. Having a person answer the phone and asking a customer if their caps lock is on is expensive.
     
  17. Stewart Vernon

    I've seen several programs about people who are hired to hack into companies to discover their security breaches and report back to them... and in almost all cases the guys find minimal security implementation to be more than sufficient... BUT they usually end up hacking the system by calling a secretary or something and saying "Bob, your boss, told me to ask you for the password" or by walking by someone's desk if they have building access and reading it off a sticky note or something.

    The point being... the age old... "only as strong as the weakest link" always applies.

    Install state of the art security, but leave the window open and it is all for naught.

    I also note how it keeps being banks losing credit information and not me... and it is banks giving out accounts to people with stolen identities that the bank fails to verify... again, not me failing to follow protocol... but the big secret-keepers.

    I also agree with the notion of odd answers to security questions. If you really want to have some fun, put something naughty as your security answer and listen to the person when they ask you to answer your security question :)

    The most secure answers, in all seriousness, are the random ones.

    "What is your favorite color" --> "Tuesday"
    "Where were you born" --> "Abracadabra"

    I just made those up on the spot... never used them... but odd answers are difficult for someone to pick without going through the dictionary-style hack.
     
  18. wilbur_the_goose

    Correct - people are without a doubt the weakest link in IT security.

    For the challenge questions: You'll soon see "red herring" questions introduced - this will be a question you don't provide an answer to. If an attacker guesses "where were you born" with "New York" (or anything), the login will fail.

    Social engineering is a huge risk. News came out last week that the huge credit card breach was a social engineering attack on the president of the company.

    As far as SHA-256 goes - SHA = Secure Hashing Algorithm. A hashing algorithm will take any string and "hash" it into a string of nonsense characters which are stored on the system. Hashes are cool because (in theory) they're one-way - you can encrypt to a hash, but you can't decrypt back. The best way to make hashes secure is to add a unique salt to each thing being encrypted. The salt is added by the password management system, not the user.

    By the way, the #1 way to screw yourself is to download something you didn't plan on downloading. If you didn't start thinking "I really want to download this", DON'T.

    The #2 way to mess yourself up is to not keep your system and software up to date. The two biggest problems are Java and Adobe products. Windows XP is also quite vulnerable (as a security pro, I recommend moving from XP to Windows 7 if you can).

    Lastly, Macs are no longer immune to attack. Because they're more popular, organized crime has targeted Macs today. Please make sure you're running a good anti-malware program on your Mac.

    (Mobile is another issue!)

    PS - If you're interested in this stuff, check out my favorite blog: http://krebsonsecurity.com/
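The hashing-and-salting point made in the post above (and the SHA-256 question in post #10), worked as an added Python example that is not code from the thread or from any site discussed here. It contrasts a bare SHA-256 of the password, which is identical for every user with the same password and falls to a precomputed table, with a per-user random salt plus PBKDF2-HMAC-SHA256; the iteration count, salt length and the small "common password" table are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed tunables for this example (not from the thread).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256 of the password, as post #10 imagines a site storing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a per-user random salt plus PBKDF2-HMAC-SHA256 of the password.

    The salt is generated by the system, never chosen by the user; same
    password, different user, different salt, different stored hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "iterations": PBKDF2_ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the digests."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed three-entry "precomputed table" standing in for a hash list
# built from a leaked common-password file like the one in post #14.
COMMON_PASSWORDS = ["password", "123456", "Fluffy1956!"]
UNSALTED_TABLE = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """One table built once recovers every user who chose a listed password."""
    return UNSALTED_TABLE.get(stored_hash)


def demo() -> dict:
    alice = make_record("Fluffy1956!")
    bob = make_record("Fluffy1956!")          # same password, own salt
    return {
        "unsalted_cracked": lookup_unsalted(unsalted_sha256("Fluffy1956!")),
        "salted_hashes_differ": alice["hash"] != bob["hash"],
        "alice_accepts_correct": verify(alice, "Fluffy1956!"),
        "alice_rejects_case_change": not verify(alice, "fluffy1956!"),
    }
```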
     
  19. dpeters11

    Security updates are my biggest pain at work. They don't reliably patch systems; I ran into one that had Java update 16 installed. Of course, when a system gets a virus, they immediately blame my product, AV, like it's the only process needed to protect systems. No, it's only one component.
     
  20. wilbur_the_goose

    Amen - A/V is just one part of the defense posture you need. Tell your boss that you need a Layered Security Strategy.
     