Foo - Are you reusing passwords on multiple websites?

Bikeforums.net is a forum about nothing but bikes. Our community can help you find information about hard-to-find and localized information like bicycle tours, specialties like where in your area to have your recumbent bike serviced, or what are the best bicycle tires and seats for the activities you use your bike for.
mechBgon
08-21-12, 11:39 PM
This is a good article on password cracking: http://arstechnica.com/security/2012/08/passwords-under-assault/
Points to take away:
1. don't re-use the same password at multiple sites. If/when one site gets compromised, you want the damage to stop there.
2. don't rely on "mangling" a word (e.g. g0lfba11 in place of golfball) or simply tack on numerals or symbols (kittens!!!1). They're wise to your tricks :p
3. If possible, avoid any dictionary basis for your passwords at all. To make this easier, consider using a password-manager software like LastPass, or a fingerprint scanner & software (I use an Authentec Eikon Solo for this), so you can use truly strong, lengthy passwords that are unique for each site, without having to remember them all.
4. my tip: if you can get away with it, add at least one "special" character that wouldn't be found on a normal keyboard. For example, hold ALT and type 1098 on the keypad, and when you let go, you get a Æ (in Windows, anyway). This is a game-changer for a cracker since they're almost certainly going to crack for the standard keyboard characters only. I realize this isn't feasible for everyone (laptops, phones). Some sites will not allow special characters, either.
The article isn't just another article on how to pick a strong password. They show how crackers get their hands on literally millions of passwords at a shot, brute-force them on specially-constructed systems armed with multiple GPUs, and learn from the results so they can refine their strategies and algorithms. They also keep accumulating more and more "hashes" (basically digital fingerprints) of the top tens of millions of passwords that people actually pick in real life.
Wolfvegas
08-22-12, 05:00 AM
Yup, almost as easy as cracking Photobucket accounts, I must say. All you need is the proper fuscker tool.
ModoVincere
08-22-12, 06:24 AM
meh....when you have an online persona like mine, no one wants to crack your account.
Artkansas
08-22-12, 06:31 AM
And you probably want different levels of security. Does your bikeforums password need to be as secure as your bank password?
Stealthammer
08-22-12, 06:43 AM
.....For example, hold ALT and type 1098 on the keypad, and when you let go, you get a Æ (in Windows, anyway).......
Yep, ASCII keyboard codes are a bit of a "hidden" secret that just about foolproofs your passwords, which generally even most programmers overlook, but be sure to use the numeric pad on the right side of your keyboard and not the numeric keys above the lettered keys.
ASCII Keyboard Codes (http://www.theasciicode.com.ar/)
Closed Office
08-22-12, 07:08 AM
I think the article went for the more sensational sort of 'be very afraid' information. Any site with important information doesn't let you try a billion passwords a second. After 5 failed attempts you have to wait 5 or 15 minutes. At that rate it would take at least a billion years to crack mine.
mechBgon
08-22-12, 08:14 AM
I think the article went for the more sensational sort of 'be very afraid' information. Any site with important information doesn't let you try a billion passwords a second. After 5 failed attempts you have to wait 5 or 15 minutes. At that rate it would take at least a billion years to crack mine.
Good point. But let's say I use the same password at BF and at my primary email account. If BF gets hacked, now they own my email account and can send password-reset requests to it from my bank, PayPal, eBay, and so forth. And then they own them too. A chain's as strong as... yeah.
Another article on the subject: Own the email, own the person (http://threatpost.com/en_us/blogs/own-email-own-person-082012) It refers to the recent incident where writer Mat Honan ended up so thoroughly pwned that the attackers were able to remote-wipe his iPad and iPhone.
Bottom line, there are some habits that can be unlearned and avoided to help limit the damage potential.
No one will ever guess my pa55w0rd.
black_box
08-22-12, 10:29 AM
are passwords for sites such as BF commonly stored in plain text? I thought they were one-way hashed. Or is that reversible?
Closed Office
08-22-12, 11:18 AM
are passwords for sites such as BF commonly stored in plain text? I thought they were one-way hashed. Or is that reversible?
Passwords to forums are not stored as plain text. Even free forums like Simple Machines store them encrypted in a database. The forum admin themselves cannot see your passwords.
The obligatory XKCD post: http://xkcd.com/936/
Good article in Wired r.e. how easy it is to compromise Apple and Amazon security: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
are passwords for sites such as BF commonly stored in plain text? I thought they were one-way hashed. Or is that reversible?
It only takes a few hours to brute force most passwords. The ARS article details how it's done.
When I was a mod here, we had access to the big basket of passwords. They were not encrypted or anything. We just kept them in a big 55 gallon barrel by the storeroom door. I think I kept my key to the storeroom. Want me to go get a handful of passwords for ya'll?
ModoVincere
08-22-12, 11:43 AM
When I was a mod here, we had access to the big basket of passwords. They were not encrypted or anything. We just kept them in a big 55 gallon barrel by the storeroom door. I think I kept my key to the storeroom. Want me to go get a handful of passwords for ya'll?
No thanks...but I'll take access to teh womenz forum.
This is a good article on password cracking: http://arstechnica.com/security/2012/08/passwords-under-assault/
Points to take away:
1. don't re-use the same password at multiple sites. If/when one site gets compromised, you want the damage to stop there.
2. don't rely on "mangling" a word (e.g. g0lfba11 in place of golfball) or simply tack on numerals or symbols (kittens!!!1). They're wise to your tricks :p
3. If possible, avoid any dictionary basis for your passwords at all. To make this easier, consider using a password-manager software like LastPass, or a fingerprint scanner & software (I use an Authentec Eikon Solo for this), so you can use truly strong, lengthy passwords that are unique for each site, without having to remember them all.
4. my tip: if you can get away with it, add at least one "special" character that wouldn't be found on a normal keyboard. For example, hold ALT and type 1098 on the keypad, and when you let go, you get a Æ (in Windows, anyway). This is a game-changer for a cracker since they're almost certainly going to crack for the standard keyboard characters only. I realize this isn't feasible for everyone (laptops, phones). Some sites will not allow special characters, either.
The article isn't just another article on how to pick a strong password. They show how crackers get their hands on literally millions of passwords at a shot, brute-force them on specially-constructed systems armed with multiple GPUs, and learn from the results so they can refine their strategies and algorithms. They also keep accumulating more and more "hashes" (basically digital fingerprints) of the top tens of millions of passwords that people actually pick in real life.
99 percent of sites don't need real passwords... For instance how much security do you need for BF? Are you buying or selling anything here, is your bank account exposed, or is it just to maintain your unique identity?
Do I need a secure password to access the local newspaper site to read the news? How about My Yahoo? The list goes on... unless your money or precious data is involved... you can use cheap passwords for most of the sites that require passwords.
bigbenaugust
08-22-12, 01:02 PM
I gave my BF password to the Official BikeForums Tech Support Team in Nigeria.
Pamestique
08-22-12, 01:13 PM
No thanks...but I'll take access to teh womenz forum.
Trust me, you don't want access... it's the boringest forum on the Board! I don't go there, it's so boring...
bigbenaugust
08-22-12, 01:14 PM
Trust me, you don't want access... it's the boringest forum on the Board! I don't go there, it's so boring...
NorCal is pretty boring. They should compete to see which is the most boring.
StupidlyBrave
08-22-12, 01:32 PM
I gave my BF password to the Official BikeForums Tech Support Team in Nigeria.
They are also the ones who gave me your shipping address when I had all those cases of Yoo-Hoo to get rid of.
bigbenaugust
08-22-12, 01:46 PM
They are also the ones who gave me your shipping address when I had all those cases of Yoo-Hoo to get rid of.
Those Nigerians are most helpful at times.
MangoPumpkin
08-22-12, 01:47 PM
They are also the ones who gave me your shipping address when I had all those cases of Yoo-Hoo to get rid of.
Or lots of candy bars.....dangit!
Stealthammer
08-22-12, 02:06 PM
Trust me, you don't want access... it's the boringest forum on the Board! I don't go there, it's so boring...
NorCal is pretty boring. They should compete to see which is the most boring.
Sorry OP....
Actually, in the late '80s and '90s there was a group of women who called themselves the W.O.M.B.A.T.S. (Women's Offroad Mountain Biking And Tea Society, I believe) in NorCal, and they were anything but boring. I believe that they are still around, but what I remember of them most is that they were really exceptional mountain bikers who impressed anyone who ever saw them ride. Jacquie Phelan (alias "Alice B. Toeclips") was the founder, I believe (and co-founded NORBA too, IIRC), and she was the women's NORBA Champion for several years, and a staunch advocate of mountain biking and bicycling in general. It would be very cool to see her contribute to the BF. She would blow the doors off the place!
Keith99
08-22-12, 03:10 PM
And you probably want different levels of security. Does your bikeforums password need to be as secure as your bank password?
Bingo.
I don't much care if someone cracking my password here can get onto other social sites. Makes a huge difference if they can get onto my bank account, however.
I would not suggest password management software. Sooner or later someone will break it and ....
One trick suggested by a coworker is to use the first letters of a phrase or title.
iwtbotiwtwot for example is the start of a rather famous book, and actually a poor choice; it sort of repeats.
Throwing in a capital letter, a bit of leet speak or even just a trailing number or letter still helps.
BUT a huge percentage of security breaches is because someone writes it down. Pick something you can remember and if needed write down something to remind you, but not the password itself.
Keith99
08-22-12, 03:19 PM
I think the article went for the more sensational sort of 'be very afraid' information. Any site with important information doesn't let you try a billion passwords a second. After 5 failed attempts you have to wait 5 or 15 minutes. At that rate it would take at least a billion years to crack mine.
I'm pretty sure this site does that. The ones with important information log all failed attempts and report to system administrators. At the very least for any lockouts, likely for anything more than one failure within a specified time less than a half hour.
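As an added example (not code from the thread or from the forum software) of the lockout policy discussed in this exchange: a per-account throttle that refuses further attempts for fifteen minutes after five failures, logs every failure and lockout for administrators, and computes the resulting ceiling on online guesses per day. The thresholds and the in-memory store are assumptions.

```python
import logging
from collections import defaultdict

logger = logging.getLogger("login")

# Policy values are assumptions chosen to match the thread's "5 failed attempts,
# wait 15 minutes" description.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


class LoginThrottle:
    """Per-account lockout with an in-memory store (a real deployment would use a
    shared store so the counts survive restarts and span web nodes)."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> unix time the lock expires

    def attempt(self, account, password_ok, now):
        """Record one login attempt. `now` is a unix timestamp passed in explicitly
        so the logic can be exercised without sleeping. Returns (allowed, reason)."""
        until = self.locked_until.get(account)
        if until is not None and now < until:
            # Refuse even a correct password while locked, and log it for the admins.
            logger.warning("refused attempt on locked account %s (%ds left)", account, until - now)
            return False, "locked"
        if password_ok:
            self.failures[account] = 0
            self.locked_until.pop(account, None)
            return True, "ok"
        self.failures[account] += 1
        logger.info("failed login for %s (%d/%d)", account, self.failures[account], self.max_failures)
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
            logger.warning("account %s locked for %ds; alert administrators", account, self.lockout_seconds)
            return False, "locked"
        return False, "bad_password"


def max_online_guesses_per_day(max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
    """Upper bound on guesses per account per day: each lockout cycle allows
    max_failures tries per lockout_seconds. With the defaults that is 480,
    versus billions per second against a leaked hash file."""
    return (86400 // lockout_seconds) * max_failures
```

The bound only applies to online guessing against the live site; it does nothing once a copy of the password database has leaked, which is the scenario the Ars article and mechBgon's reply describe.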
Keith99
08-22-12, 03:25 PM
One thing left out, account access is only as secure as the back door.
You know those questions they use to reset the password for accounts. If you pick favorite football team and pick the pro team for your city, how secure do you think that is?
Oh you will find out next time you try to logon, which if it is for your bank account may be when your debit card stops working.
If you are like me and your favorite 'football' team is not gridiron, or not in the country you are in, you have a better chance.
Bingo.
I don't much care if someone cracking my password here can get onto other social sites. Makes a huge difference if they can get onto my bank account, however.
I would not suggest password management software. Sooner or later someone will break it and ....
One trick suggested by a coworker is to use the first letters of a phrase or title.
iwtbotiwtwot for example is the start of a rather famous book, and actually a poor choice; it sort of repeats.
Throwing in a capital letter, a bit of leet speak or even just a trailing number or letter still helps.
BUT a huge percentage of security breaches is because someone writes it down. Pick something you can remember and if needed write down something to remind you, but not the password itself.
I haven't read A Tale of Two Cities but that's about the only line I know from it.
mechBgon
08-22-12, 09:08 PM
No one will ever guess my pa55w0rd.
Hah! It's "gyrating weasel", I'm sure of it! :P
are passwords for sites such as BF commonly stored in plain text? I thought they were one-way hashed. Or is that reversible?
The article discusses that in detail. The hashing algorithm used is really important. The short answer is that it might very well be reversible. Worst-case scenario, they'd just look up the hash on a rainbow table in a matter of seconds to minutes, and it definitively tells them what your password is. I'm not an expert in this field, but I believe this is where one of those "special" characters could save your bacon simply by not being part of the character set the rainbow table covers.
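An added illustration, not code from the thread or from the forum software, of black_box's plain-text vs one-way-hash question and the rainbow-table answer above: an unsalted fast hash is reversed by a single lookup in a table computed once in advance, while a per-user random salt plus a deliberately slow hash (PBKDF2 from Python's standard library) gives the same password a different digest every time, so no table can be prepared ahead of the breach. The candidate list and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a precomputed (rainbow) table.
# Real tables cover billions of candidates; five are enough to show the effect.
COMMON_PASSWORDS = ["password", "123456", "golfball", "g0lfba11", "kittens!!!1"]

PBKDF2_ITERATIONS = 100_000  # assumption; tune so one check costs ~0.1 s on the server


def unsalted_md5(password):
    """Fast, unsalted hash: identical passwords give identical digests on every
    site, so one precomputed table reverses them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password once; afterwards 'cracking' is a dictionary lookup."""
    return {unsalted_md5(p): p for p in candidates}


def reverse_unsalted(digest, table):
    """Return the password behind an unsalted digest, or None if it is not in the table."""
    return table.get(digest)


def hash_password(password, salt=None):
    """Salted, slow hash (PBKDF2-HMAC-SHA256). A fresh random salt per user means
    no table can be built in advance, and the iteration count makes each guess
    expensive even for someone who holds the salt and the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def table_hits(stored_records, table):
    """Count how many salted records the precomputed unsalted table can reverse.
    Always 0: the stored digests are PBKDF2 output, not MD5 of the bare password."""
    return sum(1 for _salt, digest in stored_records if digest.hex() in table)
```

This is also why "the admin cannot see your password" holds only if the site stored it this way; an unsalted MD5 of a common password is as good as plain text to anyone holding a table.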
StupidlyBrave
08-22-12, 09:44 PM
I login as chipcom and irritate random people in P&R and S&A. Then I login as jsharr and post things about couch (and vice versa). Then I login as phantomcow and post naked pictures of my landlords and roommates.
Lastly, I login as Siu and try to erase all this evidence.
Don't tell anyone!
No one will ever guess my pa55w0rd.
Correct!
cydewaze
08-23-12, 07:19 AM
Our office used to have an 8-character minimum password length that required an upper case, lower case, special character, and number. Everyone made a fair attempt at making a secure password.
Eventually they tried to "improve" security by bumping the minimum length to 13 characters. Now just about everyone has their password written down on a post-it note that's stuck to their desk, monitor, or "hidden" under their keyboard.
I think eventually you get to a point of diminishing returns.
LAriverRat
08-24-12, 12:44 AM
I use the one from Spaceballs, 1,2,3,4,.......use it for my luggage as well. Or 100011101010001101.