Random Rants
-
That works, Thanks.
-
*as always, a relevant xkcd
-
good to know…
-
NERD MODE !!!
I use a form of correct battery horse staple - styled passwords with rotating digits to log in.
I have TWO FACTOR enabled for my domain names, GMAIL (Looking @ all you guys who use Google Apps ;)), and hosting providers.
I have TWO different YubiKeys for 2 different sets of systems to authenticate me as 'something I have'. This to me is the future, screw all this numbers stuff, press a button on a physical device, and in.
I use OnePassword to generate site-specific passwords. My YubiKey's randomly generated static password unlocks my OnePassword library. I keep a backup of this specific password protected encrypted on another machine with a password I'm aware of/know.
TWO FACTOR is a must these days. For all of you, especially any business - looking @ you @Giles and Co, if you've not set it up, For the 5 minutes of hassle, you'll get real security increases from it. Easy enough to do with the Google Authenticator App.
The Yubikey is a future thing really, really nice to authenticate me, only needs to be used once a day to ensure I'm still me..
-
I was gonna go there but wasnt sure if rOman was ready for the rectinal scan discussion.
-
@mikebarhoot I think your advice was solid for Roman's requirements. I was aiming more general awareness singing the praise of TWO FACTOR :).
-
Thanks for the advice @mikebarhoot and @Snowy . I will give it a try.
-
The trouble with the xkcd password is that it depends on the hacker using brute force to try to guess it on a letter by letter basis.
A common attack is to use a dictionary, or a list of words. For example, there are about 200 billion combinations of eight characters (ignoring numbers and upper and lower case), but about 45,000 words in English. Now if the hacker thinks we're using a combination of words, he could run with the assumption that they're likely to be pretty simple. No-one is likely to come up with a combination like EigenvectorFloccinaucinihilipilificationDisestablishmentarianism…
Let's say that there are 10,000 words that might be used, then the search space for a combination of four becomes about 10^16. (That's a one followed by sixteen zeroes.)
OK, let's take characters. If you throw in lower and upper case, numbers, and symbols (!, £, %, &, @, etc.), then you might end up with 80 you could use. For an eight character password, you've got 10^15 options. But going up to ten would give you 10^19.
Of course, the hacker might assume that you're using L337 speak to swap out characters in a regular word to form a password, which gets you back to square one…
As @Snowy says, use two-factor authentication. That's more secure, because you need to lose your device to prevent your account from being compromised. A password manager, with randomised long strings will also help. But security isn't my speciality.
-
i'm not worth enough to be hacked…
-
Modern password cracking isn't done (generally) by trying to log in as you onto a website over and over. It's done trying to authenticate/spoof your identity. It's knowing your name and address, then calling a telco, finding out they tell you the last 4 digits of your credit card by mistake. Then you call up Yahoo who authenticate you using the last 4 digits you now have. Then your gmail account or whatever, you can now do a password reset, as you've set that password to reset to the yahoo account. Game over man.
^Is a real attack that has/does get used it's how a lot of the celeb icloud hacks happened.
The modern form of password cracking itself is now usually done offline. They aim to get the database and crack it offline. Most cracks don't look to work out the password, they have 1-time pre-computed hashes up front. They hire these huge instances from cloud providers and one time work out every password ever. It costs a few thousand dollars.
Then they hack into a company like Yahoo, Tumblr and pull the entire database of passwords. They figure out how the password was stored in the database, then run their precomputed matching against it. That's the annoying attack. It's not targetted at you, but you've still lost all your shit. Or the details here will be kept/sold and re-used YEARS later, for something else..
An example of the precomputed password stuff;
Say my password is "hello world";
1)The computer when it saves to the database would save that as "5eb63bbbe01eeed093cb22bb8f5acdc3" if I was using MD5 as a checksum.
2)When I try log in, it generates a MD5 checksum of what I type in to make sure it matches "5eb63bbbe01eeed093cb22bb8f5acdc3".
3)If it does, it knows that I typed in the right password as ONLY "hello world" can generate that string (within reason).So the hackers have a DB with all these MD5 checksums, what they then do is generate every possible word and combination ahead of time like;
MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661 MD5 ("b") = 92eb5ffee6ae2fec3ad71c777531578f MD5 ("c") = 4a8a08f09d37b73795649038408b5f33 MD5 ("..") = 58b9e70b65a MD5 ("Hello World") = b10a8db164e0754105b7a99be72e3fe5 MD5 ("Hello w0rld") = e7a9e19587c07e67b205ae2d94cbad13 MD5 ("h3llo w0rld") = 0dedd75e7d5b93afef109aae6a3e73a5When they get the password database, what they do is run it through the dictionary, if they get a match, they know your password. This takes under a day and only a few hundred dollars. Password complexity is not a thing anymore. Single factor is NOT secure. Hopefully you guys don't have your credit cards or bank accounts behind just a single password. And hopefully your bank password is not the same as your e-mail account. And hopefully the password reset for your bank isn't the same as the email address that was cracked above :o. 2 factor is mandatory for any business IMO.
Some of the larger breaches of the database style attacks can be seen @ https://haveibeenpwned.com/ The website owner downloads every release hack and keeps the emails on file. DO put in your e-mail and subscribe to the service to let you know if you get owned. The owner of that website is one of the most vocal IT security guys in the game (Troy Hunt).
#'s of DB hacks in last few years;
359,420,698 MySpace accounts
234,842,089 NetEase accounts
164,611,595 LinkedIn accounts
152,445,165 Adobe accounts
112,005,531 Badoo accounts
93,338,602 VK accounts
91,436,280 Rambler accounts
68,648,009 Dropbox accounts
65,469,298 tumblr accounts
58,843,488 Modern Business Solutions accountsMy name is Snowy and I have worked and continue to work around the Information Security Industry.
-
Which is why owners of sites need to salt their hashes.
-
^yah, and you want to make damn sure it's a good salt. Have seen some examples where the salt is statically coded as well :(.
BTW the password lookup DB is called a Rainbow Table. I forgot the term, just came back to me. (https://en.wikipedia.org/wiki/Rainbow_table).
The world is an interesting place.
-
I really can't believe my current job is in Washington DC. Looking forward to my next one in Houston.
-
One of the news stories on the day after I arrived, which was 1/12/17, was that a man was running around NW DC groping women.
-
-
-
No name was mentioned but I thought someone got to town early. Seul gets credit for the post from earlier.
