Passwords: Part III


Passwords: Part III

Postby CountryBoy » Thu Aug 29, 2013 9:01 am

Do people have any views on the following article:

http://arstechnica.com/security/2013/08 ... passwords/
CountryBoy
 
Posts: 1322
Joined: 28 Feb 2007
Location: NY

Re: Passwords: Part III

Postby mhc » Thu Aug 29, 2013 9:27 am

It seems real. As computing power goes up, the ability to break passwords goes up.

I still think this article only applies if the hash of a password is known. Also, the breaking of a 55-character password seems to rely on the password having dictionary words and possibly a phrase.

I'm not going to lose any sleep over this.
mhc
 
Posts: 2210
Joined: 4 Apr 2011
Location: NoCo

Re: Passwords: Part III

Postby vectorizer » Thu Aug 29, 2013 9:39 am

Most of the article is about improvements in the speed of cracking passwords from hashes, but I didn't see a fundamental breakthrough. To "crack" hashed passwords, an attacker first needs access to the hashes themselves through a major security breach into the internal database storing the passwords, and he or she needs a way to know when the cracking software guessed correctly. That hasn't changed. In the case of Vanguard and all responsible financial institutions, an attacker on the outside only has a few guesses on the web interface before the account is locked in some way and additional info is necessary before making further guesses.

IMHO:
1) We're long past the point where a human-memorizable password can have sufficient complexity. For passwords that are important, use a good password manager to generate and remember truly random and complex passwords with the maximum length allowed by the web site.
2) Securing the whole system is important. You have to protect your PC, your browser, and information that can be used to (re)register your access to the site. Likewise, financial institutions have to have protection in depth, including protection of the hashed passwords and behavior-based controls to spot fraud when the technical controls are not enough.
3) Your best single protection against fraud is frequent monitoring of your accounts' transactions and connections (to banks etc.), and immediately contacting the FI if you see something hinky. If available, sign up for automatic notifications of significant events like re-registration, password changes, new banking info, etc.
4) You can do everything right, and bad stuff can still happen. Like most things in life, all you can do is move the odds more in your favor, not eliminate risk.
vectorizer
 
Posts: 291
Joined: 3 Mar 2007

Re: Passwords: Part III

Postby overst33r » Thu Aug 29, 2013 2:49 pm

I got LastPass a couple of years ago and never looked back. It can be a bit tedious setting it up and using it on non-home computers, but overall it's made my life easier and more secure.
overst33r
 
Posts: 70
Joined: 4 Jan 2008

Re: Passwords: Part III

Postby cflannagan » Thu Aug 29, 2013 2:52 pm

overst33r wrote:I got LastPass a couple of years ago and never looked back. It can be a bit tedious setting it up and using it on non-home computers, but overall it's made my life easier and more secure.


Link for others: https://lastpass.com/

There's also http://keepass.info/ , which I believe I will end up liking better compared to LastPass when I begin to use it soon.

(disclaimer: I have already tried LastPass and didn't like it that much. Going to try KeePass; I feel it fits my needs better)
cflannagan
 
Posts: 944
Joined: 21 Oct 2007
Location: Palm Harbor, Florida

Re: Passwords: Part III

Postby Sunny Sarkar » Thu Aug 29, 2013 3:03 pm

Another obligatory link to xkcd on password strength... https://xkcd.com/936/

Another vote for LastPass (+ 2-factor authentication, + separate password retrieval email)
“Our life is frittered away by detail. Simplify, simplify.” ― Henry David Thoreau
Sunny Sarkar
 
Posts: 2194
Joined: 2 Mar 2007
Location: Flower Mound, TX

Re: Passwords: Part III

Postby Sidney » Thu Aug 29, 2013 3:03 pm

I have used KeePass for a couple of years. It suits my needs. I have a version on my iPod as well as my home computer.
I always wanted to be a procrastinator.
Sidney
 
Posts: 5500
Joined: 8 Mar 2007

Re: Passwords: Part III

Postby covertfantom » Thu Aug 29, 2013 3:07 pm

+1 KeePass. My keyring is in my Google Drive and I have integration with both my Android phone and Google Chrome. It is somewhat difficult (for a novice user) to set up, but is amazing once it is set up.
covertfantom
 
Posts: 175
Joined: 2 Feb 2012

Re: Passwords: Part III

Postby Mudpuppy » Fri Aug 30, 2013 9:01 pm

This article is mostly about a programming update to remove an artificial limitation on a popular cracking software. Prior to now, oclHashcat-plus would only test passwords shorter than 16 characters. It's not a major breakthrough in hacker tools, as there were already ways to combine John with oclHashcat-plus to break through the 16-character limit if one wanted to crack longer passwords. It's more of a convenience factor than anything else. Of course, with convenience comes ease for less talented hackers to be able to break longer passwords, which is about the only consequence of this update that could be a cause for alarm.

Also keep in mind that the only way oclHashcat-plus could be used to recover a master password on a local password locker like KeePass (e.g. one that stores the file on your local computer instead of in the cloud like LastPass) is if they have already stolen the database file by compromising your computer. If they've compromised your computer, they could just as easily have installed a key logger or other snooping software to get your passwords anyway. If you back that local database file up to the cloud, then you also have to worry about the cloud provider being compromised and having the file leaked that way. So encrypt your backups with a separate, strong, long master password so they have twice the work ahead of them.

It's not perfect, but no security is.
Mudpuppy
 
Posts: 2390
Joined: 27 Aug 2011
Location: Sunny California

Re: Passwords: Part III

Postby tadamsmar » Sat Aug 31, 2013 6:05 am

Seems to imply that the crackers might be set up to test phrases found on the internet as a way to increase the speed of cracking long passwords. Maybe one's rule should be: don't use a phrase that gets hits on Google when searched in quotes.
tadamsmar
 
Posts: 5948
Joined: 7 May 2007

Re: Passwords: Part III

Postby TRC » Sat Aug 31, 2013 7:15 am

I read a good article on how to create a strong, yet easy to remember password.

It suggested using a static word along with the name of the application you're logging into. Replace applicable letters with symbols and numbers.

So maybe Bob has an account at Vanguard. The password would normally be spelled Bob Vanguard

Instead it would look like B0b%V@ngu@rd

If Bob has a Hotmail account, it would look like B0b%H0tm@!l
TRC
 
Posts: 1254
Joined: 20 Dec 2008

Re: Passwords: Part III

Postby Tom_T » Sat Aug 31, 2013 7:54 am

TRC wrote:I read a good article on how to create a strong, yet easy to remember password.

It suggested using a static word along with the name of the application you're logging into. Replace applicable letters with symbols and numbers.

So maybe Bob has an account at Vanguard. The password would normally be spelled Bob Vanguard

Instead it would look like B0b%V@ngu@rd

If Bob has a Hotmail account, it would look like B0b%H0tm@!l

To take that one step further, don't replace characters that look like what they are replacing. A zero is often used for "o", "@" is used for "a", "1" for "l", "!" for "i", etc. A hacker's program will likely make those substitutions as it tries out different passwords.
Tom_T
 
Posts: 1309
Joined: 29 Aug 2007
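As an added example (not code from the thread or from any tool it mentions), here is a password strength check built around Tom_T's point: undo the common look-alike substitutions first, then look for the user name and site name, because that is effectively what a rule-based cracker does before it starts guessing. The names passed in as "terms" are whatever the checker already knows about the account; Bob and Vanguard below are just the thread's own example.

```python
# Look-alike substitutions a rule-based cracker undoes (the "0 for o,
# @ for a, 1 for l, ! for i" family Tom_T describes), so a strength
# check must undo them too before looking for known words.
LEET_MAP = str.maketrans({
    "0": "o", "@": "a", "1": "l", "!": "i", "$": "s", "5": "s",
    "3": "e", "4": "a", "7": "t", "|": "l",
})


def normalize(password: str) -> str:
    """Lower-case the password and undo the common symbol/digit swaps."""
    return password.lower().translate(LEET_MAP)


def find_known_terms(password: str, terms):
    """Return the terms (user name, site name, ...) that the normalized
    password contains, ignoring case and look-alike substitutions."""
    norm = normalize(password)
    return [t for t in terms if len(t) >= 3 and t.lower() in norm]


def residual_length(password: str, terms) -> int:
    """Characters left once every recognised term is stripped out: the
    part an attacker who already guessed the terms still has to search."""
    norm = normalize(password)
    for t in sorted(terms, key=len, reverse=True):
        norm = norm.replace(t.lower(), "")
    return len(norm)


def assess(password: str, terms, min_residual: int = 8):
    """Flag a password that is mostly built from terms an attacker can
    guess. `terms` is whatever the checker knows about the account."""
    found = find_known_terms(password, terms)
    left = residual_length(password, terms)
    reasons = []
    if found:
        reasons.append("contains predictable term(s): " + ", ".join(found))
    if left < min_residual:
        reasons.append(f"only {left} character(s) are not derived from known terms")
    return {
        "normalized": normalize(password),
        "known_terms": found,
        "residual": left,
        "weak": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # The thread's own example: "B0b%V@ngu@rd" normalizes to "bob%vanguard".
    print(assess("B0b%V@ngu@rd", ["bob", "vanguard"]))
```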

Re: Passwords: Part III

Postby magellan » Sat Aug 31, 2013 8:59 am

vectorizer wrote:1) We're long past the point where a human-memorizable password can have sufficient complexity. For passwords that are important, use a good password manager to generate and remember truly random and complex passwords with the maximum length allowed by the web site.

IMO, this isn't generally true as long as the site or encryption tool allows sufficiently long passwords. A very long password doesn't need to be random, it just can't be based on a phrase or saying that might appear in a database of common passwords or phrases. Sure, patterns reduce the theoretical robustness of a password, but with a long enough pseudo-random phrase it's a distinction without a difference. While you can get in trouble on lame sites that restrict passwords to 8 chars, for sites and tools using best-practice password standards, trading some randomness for memorability is just fine.

There's a good example in the article's comment section, but I'll take another shot at it here. Let's say you went to a memorable concert a few years back. Start with a sentence like "I paid $76 for tickets to an Indigo Girls concert at the Wang Center in Boston on June 20, 1993." Though it's definitely not random by any stretch, this phrase has everything you need to make a robust yet memorable password.

You could use Ip$76fttaIGcatWCiBoJ2093. That seems like gobbledygook, but after 10-20 uses, it will roll off your fingers without even thinking. If 24 chars is too short, you could replace one or more initials with full words.

If you don't mind typing a lot, you could even use "Ipaid$76forticketstoanIndigoGirlsconcertattheWangCenterinBostononJune20,1993." IMO, this would take a huge amount of compute power to crack even with a sophisticated heuristic-based cracking engine that's fed by English grammar rules, all English literary works, and even every article ever published on the web. Sure, you could try to break the grammatical patterns to make it even better, but why bother.

I think the bigger problem is the amount of typing effort we're willing to tolerate. Even if a password is easy to remember and it rolls off your fingers, typing 20-100 characters without making a single mistake is usually a challenge and a big pain.

Jim
magellan
 
Posts: 2755
Joined: 9 Mar 2007

Re: Passwords: Part III

Postby SnapShots » Sat Aug 31, 2013 9:07 am

TRC wrote:I read a good article on how to create a strong, yet easy to remember password.

It suggested using a static word along with the name of the application you're logging into. Replace applicable letters with symbols and numbers.

So maybe Bob has an account at Vanguard. The password would normally be spelled Bob Vanguard

Instead it would look like B0b%V@ngu@rd

If Bob has a Hotmail account, it would look like B0b%H0tm@!l


I wouldn't use my name or the name of the website in the password.

Another way is to use the first three letters of the website, followed by a symbol or number, then the letters of a phrase you can remember, ending with another symbol or number, and capitalizing certain letters such as vowels. Every website should have a different password.

However, I think password software is the way to go. My bank makes me change my password every 4 months. Impossible to remember all these passwords. :confused

Phrase: the grass is always greener on the other side Website: Vanguard

vAn$tgIAgOthOs8
the best decision many times is the hardest to do
SnapShots
 
Posts: 805
Joined: 9 May 2012

Re: Passwords: Part III

Postby telemark » Sat Aug 31, 2013 12:58 pm

magellan wrote:I think the bigger problem is the amount of typing effort we're willing to tolerate. Even if a password is easy to remember and it rolls off your fingers, typing 20-100 characters without making a single mistake is usually a challenge and a big pain.


No kidding. You type the whole thing in without any feedback, hit enter, and wait for what seems like a long time, only to be told that some unspecified thing was wrong. Hmm, maybe the num lock key was on. Try again and it still doesn't work. No wonder people go with 123456.
telemark
 
Posts: 687
Joined: 11 Aug 2012

Re: Passwords: Part III

Postby g$$ » Sat Aug 31, 2013 3:49 pm

covertfantom wrote:+1 KeePass. My keyring is in my Google Drive and I have integration with both my Android phone and Google Chrome. It is somewhat difficult (for a novice user) to set up, but is amazing once it is set up.


same here
g$$
 
Posts: 224
Joined: 21 Dec 2011

Re: Passwords: Part III

Postby Mudpuppy » Sat Aug 31, 2013 4:27 pm

tadamsmar wrote:Seems to imply that the crackers might be set up to test phrases found on the internet as a way to increase the speed of cracking long passwords. Maybe one's rule should be: don't use a phrase that gets hits on Google when searched in quotes.

Once you Google it, it's in a log file at Google and therefore could be in a dictionary.

TRC wrote:I read a good article on how to create a strong, yet easy to remember password.

It suggested using a static word along with the name of the application you're logging into. Replace applicable letters with symbols and numbers.

So maybe Bob has an account at Vanguard. The password would normally be spelled Bob Vanguard

Instead it would look like B0b%V@ngu@rd

If Bob has a Hotmail account, it would look like B0b%H0tm@!l

Sophisticated hackers are aware of these recommendations and techniques. There are tools to develop customized dictionaries based on a target's personal information and likely preferences if they really wanted to break Bob's passwords specifically.

SnapShots wrote:Another way is to use the first three letters of the website, followed by a symbol or number, then the letters of a phrase you can remember, ending with another symbol or number, and capitalizing certain letters such as vowels. Every website should have a different password.

However, I think password software is the way to go. My bank makes me change my password every 4 months. Impossible to remember all these passwords. :confused

Phrase: the grass is always greener on the other side Website: Vanguard

vAn$tgIAgOthOs8

The tools can deal with phrases and generating passwords off phrases. So if they know your favorite artist is Beyonce, they can generate passwords and phrases off lyrics in her songs and put that in the customized dictionary. They can also append and prepend random sequences of characters to the dictionary lists to retrieve passwords with random beginnings or ends.

So rather than using existing phrases and modifying them, the trick is to have a password locker program store randomly generated passwords (truly random, edit: at least as close to random as a computer can be, given it only has pseudorandom number generators) and then have another program randomly choose words for you and randomly join them together with random sequences to create your master password for the password locker. You can't choose the words or joiners yourself or you will be biased, and that bias can be profiled by a targeted attack. So let's say the computer randomly chooses the words "topic" "elephant" "jogged" "portal" "boston"; it could then join them together using a random sequence of characters to get "56Topic1TelpHant$5joggEd93%poRtalH8#bostoN!7" and that would be your master password. It would be a pain to memorize and a pain to type in, but it would be a heck of a lot harder for an attacker to crack than any other phrase-based method.
Mudpuppy
 
Posts: 2390
Joined: 27 Aug 2011
Location: Sunny California
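Mudpuppy's recipe (words and joiners both picked by the program, never by the user) as an added Python example; this is not code from the thread or from any password manager it names. The 32-word list is a constructed sample, and the entropy estimate assumes uniform choice from that list, so a real list of a few thousand words scores far higher, as the second entropy call shows.

```python
import math
import re
import secrets

# Constructed 32-word sample list. A real generator uses a list of a few
# thousand words; each word then contributes log2(list size) bits.
WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "marble", "nickel",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "brook", "copper", "desert",
    "feather", "glacier", "hammock", "meadow",
]
# Digits and symbols used for the random joiners between words (23 chars).
JOINER_CHARS = "0123456789!#$%&*+-=?@^_"
CASE_STYLES = 3  # lower, Capitalized, UPPER, chosen at random per word


def random_word() -> str:
    """Pick a word with `secrets` (CSPRNG) and give it a random case style.
    Words here are all 5+ letters, so the three styles are distinct."""
    word = secrets.choice(WORDS)
    return secrets.choice([word, word.capitalize(), word.upper()])


def random_joiner(length: int) -> str:
    """A random run of digits/symbols, as in the thread's "56", "$5", "93%"."""
    return "".join(secrets.choice(JOINER_CHARS) for _ in range(length))


def generate(n_words: int = 5, joiner_len: int = 2) -> str:
    """Joiner, word, joiner, ..., word, joiner: n_words words and
    n_words + 1 joiners, so the phrase starts and ends with a joiner."""
    parts = [random_joiner(joiner_len)]
    for _ in range(n_words):
        parts.append(random_word())
        parts.append(random_joiner(joiner_len))
    return "".join(parts)


def split_words(passphrase: str):
    """Recover the word components (letter runs) of a generated phrase."""
    return re.findall(r"[A-Za-z]+", passphrase)


def entropy_bits(n_words: int = 5, joiner_len: int = 2,
                 wordlist_size: int = len(WORDS),
                 joiner_alphabet: int = len(JOINER_CHARS)) -> float:
    """Bits of entropy in the generation process (not of any one output):
    every word, case style and joiner character is an independent
    uniform choice, so the bits simply add up."""
    word_bits = n_words * (math.log2(wordlist_size) + math.log2(CASE_STYLES))
    joiner_bits = (n_words + 1) * joiner_len * math.log2(joiner_alphabet)
    return word_bits + joiner_bits


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given rate; expected time is half."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = generate()
    print(phrase, split_words(phrase))
    print(f"{entropy_bits():.1f} bits with the 32-word sample list")
    print(f"{entropy_bits(wordlist_size=7776):.1f} bits with a 7776-word list")
```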

Re: Passwords: Part III

Postby whaleknives » Sun Sep 01, 2013 4:11 pm

xkcd is good, but so is Dilbert.
"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ~ Maritime signal flag W - Whiskey: "I require medical assistance."
whaleknives
 
Posts: 171
Joined: 24 Jun 2012

Re: Passwords: Part III

Postby oaksavannah » Sun Sep 01, 2013 5:17 pm

Does anyone have an opinion about Dashlane?

Pogue in the New York Times seemed to like it (June 5, 2013).
http://www.nytimes.com/2013/06/06/techn ... d=all&_r=0

I've hesitated doing anything because my wife and I both have computers and are in and out of various password protected sites all day:
Do any of these managers sync two computers? Would I load the software on my computer and my wife's computer and passwords would be kept up to date on both?

thanks in advance for your perceptions!
oaksavannah
 
Posts: 19
Joined: 25 Nov 2012

Re: Passwords: Part III

Postby Higman » Sun Sep 01, 2013 5:51 pm

oaksavannah - If you want feedback on Dashlane I suggest you read all 266 comments posted on the website you referenced. Some are good but many are bad. Buyer beware even though it is free.
Higman
 
Posts: 162
Joined: 20 Aug 2008

Re: Passwords: Part III

Postby mike127 » Mon Sep 02, 2013 9:18 am

Feedback on Dashlane and the comments I'm seeing on Pogue's column:

I use Dashlane after comparing LastPass and a few of the other options. I'm pretty happy with Dashlane; it seems to work more seamlessly with the websites I use and has been very reliable. I've also found the "learning curve" for LastPass to be higher.

I see three kinds of comments from people on the Pogue piece.

1) Don't trust password managers generally or Dashlane specifically

This is a legitimate concern, but one that applies to all password managers. If they work as advertised (passwords encrypted in a file, and nobody, including the company, can decrypt without the password) then they're pretty good. The challenge is that you have to trust the company not to be sloppy or build in back doors, and without an audit by a reputable company you can't be sure. (As far as I'm aware, none of the password managers have been the subject of public audits, though I think a few have done unpublished audits that don't actually help because we don't know what the results were.)

The alternative here is to keep an encrypted file with passwords on each computer and transfer them back and forth by flash drive (more security but harder to manage), keep your passwords on paper (not secure), or reuse the same or similar passwords on multiple websites (easier to do but bad security).

2) This costs money

It costs $20/year if you want to sync with your mobile devices. You can transfer the file manually or pay this fee. I tend to be okay with paying it because I want to understand the business models of companies I trust with my data. Advertising-supported services I understand, and I get that they can make money without giving away my data. I get pay-for-purchase. And I understand subscription models, like Dashlane, which make it more likely they'll be around to support me three years from now. I'd feel more worried if I didn't understand what they did to make money. But this is personal preference.

3) This breaks / slows down my computer

I've not had this experience at all (running it on every major browser on Mac and on iOS devices) but if I did I'd consider it to be a deal-breaker.
mike127
 
Posts: 31
Joined: 19 Aug 2012

Re: Passwords: Part III

Postby lightheir » Mon Sep 02, 2013 9:48 am

mike127 wrote:Feedback on Dashlane and the comments I'm seeing on Pogue's column:

I use Dashlane after comparing LastPass and a few of the other options. I'm pretty happy with Dashlane; it seems to work more seamlessly with the websites I use and has been very reliable. I've also found the "learning curve" for LastPass to be higher.

I see three kinds of comments from people on the Pogue piece.

1) Don't trust password managers generally or Dashlane specifically

This is a legitimate concern, but one that applies to all password managers. If they work as advertised (passwords encrypted in a file, and nobody, including the company, can decrypt without the password) then they're pretty good. The challenge is that you have to trust the company not to be sloppy or build in back doors, and without an audit by a reputable company you can't be sure. (As far as I'm aware, none of the password managers have been the subject of public audits, though I think a few have done unpublished audits that don't actually help because we don't know what the results were.)

The alternative here is to keep an encrypted file with passwords on each computer and transfer them back and forth by flash drive (more security but harder to manage), keep your passwords on paper (not secure), or reuse the same or similar passwords on multiple websites (easier to do but bad security).

2) This costs money

It costs $20/year if you want to sync with your mobile devices. You can transfer the file manually or pay this fee. I tend to be okay with paying it because I want to understand the business models of companies I trust with my data. Advertising-supported services I understand, and I get that they can make money without giving away my data. I get pay-for-purchase. And I understand subscription models, like Dashlane, which make it more likely they'll be around to support me three years from now. I'd feel more worried if I didn't understand what they did to make money. But this is personal preference.

3) This breaks / slows down my computer

I've not had this experience at all (running it on every major browser on Mac and on iOS devices) but if I did I'd consider it to be a deal-breaker.


KeePass is pretty good. Because it's open source, the underlying code is available for analysis, so people can look to see whether a backdoor exploit has been built in or not (has not come up).

I use KeePass. I prefer it to LastPass, as I keep my KeePass on my home laptop where I only access my sensitive info (banking etc.). I'd prefer to not have my passwords for these sites online, despite the convenience. Works extremely well, and makes handling of those big complex passwords a cinch.
lightheir
 
Posts: 1231
Joined: 4 Oct 2011

Re: Passwords: Part III

Postby Jeff Albertson » Wed Sep 04, 2013 8:49 am

The Economist has a blog post on new password protection schemes, from a wireless ring from Google to "a chair which detects the unique shape of a user’s bottom—with 99% accuracy".
http://www.economist.com/blogs/babbage/2013/09/anti-password-backlash
Jeff Albertson
 
Posts: 90
Joined: 6 Apr 2013

Re: Passwords: Part III

Postby tadamsmar » Wed Sep 04, 2013 9:11 am

Jeff Albertson wrote:The Economist has a blog post on new password protection schemes, from a wireless ring from Google to "a chair which detects the unique shape of a user’s bottom—with 99% accuracy".
http://www.economist.com/blogs/babbage/2013/09/anti-password-backlash


The hackers will have to start scanning our bottoms and replicating them on 3D printers.
tadamsmar
 
Posts: 5948
Joined: 7 May 2007

Re: Passwords: Part III

Postby zaplunken » Sun Sep 08, 2013 5:51 pm

I use KeePass but I put my database on 2 flash drives and deleted the base on the hard drive.
zaplunken
 
Posts: 671
Joined: 1 Jul 2008
