# Dictating our passwords for us



## chillbot (Feb 25, 2020)

OK so I'm going through and updating all of my passwords, like literally every password on every site ever. Up to about 200 sites so far and still going. Because they're a bit of a mess and some of the non-important ones have been breached and I've been meaning to do it forever.

So here's my pet peeve... TWELVE characters with at least one special character and one number and one capital?? Is it a bit much or no?

I get that a lot of this is "for our own protection" because it makes a lot of work for everybody if someone gets hacked and blah blah blah. But surely we aren't still using "1234" as passwords... I mean give us a tiny bit of credit.

So I just used an online random word generator and it spit out two words FRAUD and MOSQUE. Now I make my password out of these and substitute a few characters and numbers and wind up with [email protected]$que. Is this actually not a strong enough password? Are you telling me it will be hacked? I can use this password at 90% of sites but since they are my friends I will call out two that won't accept it: @InSessionAudio and @pulse what is with the TWELVE characters? Couldn't you accept an ever-so-slightly "weak" password?

Well here is my new password then: [email protected]$que!

EDIT: This is not actually my password but I just tried using it a couple places to see... Sonuscore, for one, considers it "weak" (but will accept it anyway). I guess I am missing something if that is a weak password.

ALSO EDIT: Spectrasonics requires "minimum 6 characters" that's my kinda site. Yes I am currently working my way through the S's.


----------



## windshore (Feb 25, 2020)

lol, Yeah, I heard a security expert saying that passwords will soon be obsolete, but I'm not sure what will take their place. Fortunately on Apple devices they will generate complex passwords that will autofill on other apple devices. 
We live in an age of total insecurity .... ha


----------



## davidson (Feb 25, 2020)

Use 1password, the best solution for the time being.


----------



## Vartio (Feb 25, 2020)

Random word combinations are the first things that you brute force when cracking password hashes, the second is letter replacements with numbers and special characters, so no, that kind of a password is realistically as safe as "1234" or "password". There's a reason why some websites try to look after you and force you to really come up with a long enough phrase to force you into introducing real randomness into it. It's not as straightforward as you'd think. The best way to do a password is to come up with your own words and phrases of gibberish that only you could come up with, then do letter replacement with numbers and special characters on that gibberish, add random letter number symbol padding and stuff in there too. As long as you have real gibberish (and this is things that no one else has ever used in any password that's ever cracked, since that's all in those word lists too) in the password they'll have to resort to brute forcing every combination of characters and at that point the statistics of letter combinations and having that 12 letter minimum starts to really play to your advantage.


----------



## chillbot (Feb 25, 2020)

Vartio said:


> The best way to do a password is to come up with your own words and phrases of gibberish that only you could come up with, then do letter replacement with numbers and special characters on that gibberish, add random letter number symbol padding and stuff in there too.



Got it.

"b0Ob$"

Done.


----------



## Kony (Feb 25, 2020)

Does this mean I can't use my usual "password1" anymore?


----------



## Thundercat (Feb 25, 2020)

I've read from several sites that it's not using funky characters that matters - shorter passwords can be bruteforced no matter what.

Think in terms of a passPHRASE. As in, several words together: "I Love Walking Through the Park"

The longer the better - this is what makes a password uncrackable (at the mo) - length only. So pick some nice easy, long phrases or sentences.


----------



## chillbot (Feb 25, 2020)

If you ever come to my studio the WiFi password is "nottelling". That is because my two daughters ask what the password is and I tell them.


----------



## jbuhler (Feb 25, 2020)

These days I mostly just use the random sequences generated by my browsers. The password is then saved by the browser and since the browsers follow me from device to device the passwords do as well. The Apple ones use keychain and iCloud and follow me even across programs. Not sure how the security of these compares to the security of a password program. For sites I want to keep more secure I use a pass list that I keep in a password protected document. That one is completely manual. I’ve thought about using a password program for these as well.


----------



## sostenuto (Feb 25, 2020)

Are 'passphrases' the next evolution ..... and what are likely requirements ?


----------



## jbuhler (Feb 25, 2020)

sostenuto said:


> Are 'passphrases' the next evolution ..... and what are likely requirements ?


Long, maybe very long. But not requiring special characters.


----------



## Thundercat (Feb 25, 2020)

Turns out, the funky characters like typing "[email protected]$$w0r|]" do very little to nothing to make a password safer. It's just the length that matters...


----------



## chillbot (Feb 25, 2020)

Thundercat said:


> Turns out, the funky characters like typing "[email protected]$$w0r|]" do very little to nothing to make a password safer. It's just the length that matters...


The problem is, I was using "ILikeWhenYourFartsSmellLikeYouAteCatFoodForDinnerLastNight" and all my friends kept guessing it.


----------



## AllanH (Feb 25, 2020)

I use Keepass and long random passwords. It really makes no difference when using a good password manager and copy and paste. Firefox e.g. has a local password store that is independent of the windows authentication system, so that's another level of protection. For important accounts, such as VI-Control, I would suggest at least 16 characters.


----------



## Thundercat (Feb 25, 2020)

chillbot said:


> The problem is, I was using "ILikeWhenYourFartsSmellLikeYouAteCatFoodForDinnerLastNight" and all my friends kept guessing it.


Yeah...based on your posts, that was kind of an obvious one!

Try harder.


----------



## pulse (Feb 25, 2020)

chillbot said:


> OK so I'm going through and updating all of my passwords, like literally every password on every site ever. Up to about 200 sites so far and still going. Because they're a bit of a mess and some of the non-important ones have been breached and I've been meaning to do it forever.
> 
> So here's my pet peeve... TWELVE characters with at least one special character and one number and one capital?? Is it a bit much or no?
> 
> ...



Hey mate! Actually, truth be told, let's just blame Wordpress!! and their templates. I'll check to see if there is any way to reduce the password craziness. That said, I use 1Password and that seems to be a good solution to remembering all the passwords. The password gurus recommend not using the same password more than 2-3 times across different sites.


----------



## chillbot (Feb 25, 2020)

pulse said:


> Hey mate! Actually, truth be told, let's just blame Wordpress!! and their templates. I'll check to see if there is any way to reduce the password craziness. That said, I use 1Password and that seems to be a good solution to remembering all the passwords. The password gurus recommend not using the same password more than 2-3 times across different sites.


So having just gone through changing my password across 200 sites, I noted that yes you and Kyle use the same template/password/whatever, you were the only two that required 12 digits. But there were others with the same template that didn't require it. Sorry, I know shit about websites or this kind of stuff. But I'm guessing that it may be an option you can change. Given some of the responses here, I may be completely wrong and you're better leaving it as is.


----------



## chillbot (Feb 25, 2020)

AllanH said:


> For important accounts, such as VI-Control, I would suggest at least 16 characters.


I'm assuming that was a typo and you meant 61 characters?


----------



## tmhuud (Feb 25, 2020)

davidson said:


> Use 1password, the best solution for the time being.



While I LOVE 1PW, as it syncs to all of my machines and phones and bla bla, it’s not very good at generating certain required formulas.


----------



## davidson (Feb 26, 2020)

tmhuud said:


> While I LOVE 1PW, as it syncs to all of my machines and phones and bla bla, it’s not very good at generating certain required formulas.



Really? I've never had it trip on criteria before.


----------



## MartinH. (Feb 26, 2020)

Vartio said:


> random word combinations are the first things that you brute force when cracking password hashes,





jbuhler said:


> Long, maybe very long. But not requiring special characters.





Thundercat said:


> Turns out, the funky characters like typing "[email protected]$$w0r|]" do very little to nothing to make a password safer. It's just the length that matters...





Thundercat said:


> I've read from several sites that it's not using funky characters that matters - shorter passwords can be bruteforced no matter what.
> 
> Think in terms of a passPHRASE. As in, several words together: "I Love Walking Through the Park"
> 
> The longer the better - this is what makes a password uncrackable (at the mo) - length only. So pick some nice easy, long phrases or sentences.




What matters most is that you *use a different password everywhere* else. It is fairly unlikely that someone gets direct access to the hash of e.g. your email or bank password, and then can bruteforce that specific hash with the goal to harm you specifically. It is more likely that they hack the database of e.g. an online forum or poorly secured shop, get a long list of mail addresses with corresponding hashes, then run them through a script that goes through all the "easy" attacks (all numbers up till 8 digits, rainbow table if they have access to one, simple dictionary attacks, dictionary + number up to 4 digits, dictionary in 1337, multiple words from dictionary strung together, dictionary words backwards, etc.), and then use a script to check if you also can log into the e-mail accounts with the same password. The number 1 most important thing is that your e-mail password isn't used _anywhere_ else, and that it can't be bruteforced easily for the rare case someone gets ahold of the hash for the password. If they have access to your mail account, they can get all the other passwords from there.

If you use one very long passphrase (like 20+ digits) that consists of multiple words and also has one random character replaced with a special character that normally never is used to replace that letter (so not 0 instead of o, or $ instead of S, make it for example a % instead of an m or something like that), I would consider that a very secure password, because it can neither be broken by rainbow tables, nor dictionaries alone, nor bruteforced through trying all possible combinations. I'm not good enough at math to calculate how feasible it would be to crack that hash with something like "try dictionary word combinations of up to 6 words with 1 random character of the password exchanged for a random special character", but I doubt that your password hash will ever be targeted by something _that_ specific.


One more thing that I'd like to bring up: vulnerabilities through two factor authentication. If you think you can take another boost to your paranoia and tech knowledge, listen to this podcast episode:

#130 The Snapchat Thief | Reply All (gimletmedia.com)
This week, a new Super Tech Support: after Lizzie's Snapchat gets hacked, things start getting really creepy. Alex investigates.

I've found it absolutely fascinating and for me personally it boosted my distrust of phone-centric security measures (I don't use 2FA for anything that doesn't force me to, and for those that do I try to use non-phone devices). But if you are prone to anxiety and don't have any very valuable assets that are at risk from cyber attack (e.g. cryptocoins etc.), I can understand if you'd rather continue to live in blissful ignorance.


----------



## Mike Greene (Feb 26, 2020)

Until they finally made me change it 4 or 5 years ago, my eBay password was "ben" (my son's name.)

I guess I never took passwords as seriously as I should, although I do have more secure passwords for important stuff, like bank websites and my Ashley Madison account.


----------



## kitekrazy (Feb 26, 2020)

I think the better solution is to have fewer sites to log into.


----------



## AllanH (Feb 26, 2020)

chillbot said:


> I'm assuming that was a typo and you meant 61 characters?




Sorry, of course "yes". For extra fun, try a password with \n somewhere in the password. That way you may make a new friend that is a sysadmin, at least once in a while.


----------



## Thundercat (Feb 26, 2020)

The State says:

“When I want your password, I’ll give it to you.”


----------



## MartinH. (Feb 26, 2020)

AllanH said:


> Sorry, of course "yes". For extra fun, try a password with \n somewhere in the password. That way you may make a new friend that is a sysadmin, at least once in a while.


----------



## tc9000 (Feb 26, 2020)

+1 for keepass: no cloud BS, it's free and open source, works great for me.


----------



## Nick Batzdorf (Feb 26, 2020)

chillbot said:


> EDIT: This is not actually my password but I just tried using it a couple places to see...



Yeah, I was wondering why your bank account froze me out. Damn!


----------



## Nick Batzdorf (Feb 26, 2020)

windshore said:


> I heard a security expert saying that passwords will soon be obsolete, but I'm not sure what will take their place



You sit on a protruding object that examines your biometrics.


----------



## Nick Batzdorf (Feb 26, 2020)

The bane of my existence is not keeping track of my own passwords, but finding my wife's every time she gets locked out of something - like her iPhone when I took it in to replace the battery (I couldn't even call her to ask, because... I had her phone).

Now they're all constructed to embarrass or amuse tech support people who ask for them.


----------



## chimuelo (Feb 26, 2020)

davidson said:


> Use 1password, the best solution for the time being.



I’ve been doing that for years out of laziness and convenience but mostly because I don’t do online banking.
I use pre paid credit cards which I fill offline as well.
Everyone I receive payment from whines a little bit but as long as Hacking pays better than IT they can kiss my ass.

I’ve still got 2 brand new batteries and another Brand new MilSpec fliptop.
Waterproof, battery lasts for weeks, loud ass speaker too, best of all, no text.

Like Jessica Alba’s hero Machete.......Chimuelo no text.


----------



## pulse (Feb 26, 2020)

chillbot said:


> So having just gone though changing my password across 200 sites, I noted that yes you and Kyle use the same template/password/whatever, you were the only two that required 12 digits. But there were others with the same template that didn't require it. Sorry, I know shit about websites or this kind of stuff. But I'm guessing that it may be an option you can change. Given some of the responses here, I may be completely wrong and you're better leaving it as is.


Yeah, to be honest I haven't really looked too much into it... but it sounds like a good plan to reduce the password craziness! I'll go check out the Wordpress settings when I get a moment and see what can be done.


----------



## ProfoundSilence (Feb 26, 2020)

chillbot said:


> Well here is my new password then: [email protected]$que!




are you sure you're not going to become a soundcloud rapper with that name? lil'[email protected]$SQUE

Well, I have 4 different passwords at work that have to be uppers, lowers, numbers, symbols - and varied lengths (one with large minimum lengths like 12, and some with maximum lengths of 12). And they have to be changed every 60-90 days AND you can't use the last (usually 10) passwords.

Meanwhile, there are cameras literally everywhere, and it's not only a secured facility, but it's not even publicly located. So you'd need to know where this place is, even though it's not public information - then also get into the gate, get somebody to let you in with their badge, get a badge with clearance to get to my floor, into the room that I work, in front of everyone - and cameras - to get to a machine that even has the software to attempt to log into using my passwords.


----------



## CT (Feb 26, 2020)

My password to everything is the solution to an equation of my own devising, which I've never told anyone. Except my phone. Anyone who is a Sherlock fan could get into my phone.


----------



## BassClef (Feb 27, 2020)

I am firmly set in the Apple ecosystem... phone, tablet, desktop, tv. I let Apple Keychain create and store complex passwords for all sites. They are highly encrypted and available anytime from any of my devices.


----------



## Uiroo (Feb 27, 2020)

This is a really interesting video about passwords.

My approach to yet another unwanted password is to insult the company, as a memory hook.
So if I'd be angry about VI-Control forcing me to come up with a new password, it'd probably be something like v1cont-rol!!!isama,ssiveshi(thole


----------



## MartinH. (Feb 27, 2020)

ProfoundSilence said:


> Meanwhile, there are cameras literally everywhere, and it's not only a secured facility, but it's not even publicly located. So you'd need to know where this place is, even though it's not public information - then also get into the gate, get somebody to let you in with their badge, get a badge with clearance to get to my floor, into the room that I work, in front of everyone - and cameras - to get to a machine that even has the software to attempt to log into using my passwords.



I've watched a couple of talks by this guy:

DeviantOllam (www.youtube.com)

If what you guys have is important enough to protect, it might be worth hiring a professional "physical penetration tester" to see if your facility is as secure as you think it is and should be.

Don't watch this if you have anxiety or paranoia:

Most "locked" things are far from "secure". I find this stuff super fascinating and fun to watch. But realizing most locks are about as effective as saying "please don't" to people who know about lockpicking is quite something.



There are a ton more talks by him on youtube. I had a lot of fun watching those. E.g. the one about how they exploit elevators to get into places they aren't supposed to get into etc.


----------



## Thundercat (Feb 27, 2020)

BassClef said:


> I am firmly set in the Apple ecosystem... phone, tablet, desktop, tv. I let Apple Keychain create and store complex passwords for all sites. They are highly encrypted and available anytime from any of my devices.


Me too. But soooooo often the passwords just don’t appear on various devices - to the point I have to reset them and usually end up making my own due to the hassle.

It’s wonderful when it works.


----------



## Uiroo (Feb 27, 2020)

Mike Greene said:


> Until they finally made me change it 4 or 5 years ago, my eBay password was "ben" (my son's name.)
> 
> I guess I never took passwords as seriously as I should, although I do have more secure passwords for important stuff, like bank websites and my Ashley Madison account.


Don't take this the wrong way, but one way to be secure is not to mention in popular forums that you suck at passwords. 

In combination with the disputes in the last months, where some people seemed to be angry with you (if I don't mix things up), I'd double-check my online security. The internet can be fucked up. I recommend watching the video I posted, it's really helpful


----------



## JohnG (Feb 27, 2020)

Simply use "incorrect" as your password. 

That way, if you forget it, hey presto! The device will tell you, "Your password is incorrect."


----------



## Alex Fraser (Feb 27, 2020)

BassClef said:


> I am firmly set in the Apple ecosystem... phone, tablet, desktop, tv. I let Apple Keychain create and store complex passwords for all sites. They are highly encrypted and available anytime from any of my devices.


Me too. Way too easy, but far too convenient. Once you let Safari do one, it's hard to resist.


----------



## ProfoundSilence (Feb 27, 2020)

MartinH. said:


> I've watched a couple of talks by this guy:
> 
> 
> 
> ...



It's not. Ironically, MOST of it is public record. The physical security of the location makes sense, but that's about it.


----------



## JohnG (Feb 27, 2020)

Alex Fraser said:


> it's hard to resist.



Resistance. Is. Futile.


----------



## gsilbers (Feb 27, 2020)

do a custom phrase and then the name of the site so each password is different yet you'll remember. 

1Pilsner is better than IPA eBay 
1Pilsner is better than IPA VIcontrol 
etc

I like it when you can use a space in the password. It seems very secure to leave a space between words, but some sites don't allow it.


----------



## Mike Greene (Feb 27, 2020)

Uiroo said:


> Don't take this the wrong way, but one way to be secure is not to mention in popular forums that you suck at passwords.


Obviously my ebay password is no longer "ben."

Apparently it was less obvious that my second paragraph was a joke, but ... it was a joke.


----------



## dzilizzi (Feb 27, 2020)

gsilbers said:


> do a custom phrase and then the name of the site so each password is different yet you'll remember.
> 
> 1Pilsner is better than IPA eBay
> 1Pilsner is better than IPA VIcontrol
> ...


I used to do something similar. But I recently had my personal laptop stolen so had to reset a lot of passwords. There may have been more than the normal amount of bad words in the mix as I was getting tired of coming up with them. I also find old phone numbers that aren't necessarily associated with me to be good. Of course, since phones now remember numbers for me, they are all really old numbers.


----------



## Thundercat (Feb 27, 2020)

JohnG said:


> Simply use "incorrect" as your password.
> 
> That way, if you forget it, hey presto! The device will tell you, "Your password is incorrect."


Don’t name your daughter “understanding”

As she grows people will call her Miss Understanding


----------



## Anders Wall (Feb 27, 2020)

JohnG said:


> Simply use "incorrect" as your password.
> 
> That way, if you forget it, hey presto! The device will tell you, "Your password is incorrect."


Or, since Mike Greene is not using it anymore, use ben.


Mike Greene said:


> Obviously my ebay password is no longer "ben."


I use Reverb for eBay and Ebay for Reverb, Altavista for Google etc...

Joking aside, I work on this reality-is show where this lady uses code for her phonebook.
Like instead of my name she'd probably have me listed as Anders Cat (as we own a cat).
First time I met her she was really super stressed about a delivery that was really important.
Thing is she couldn't phone the person who was delivering the goods since she didn't find the right code.
I.e., she knew the first name but wasn't sure if the person had a bird, motorbike or liked to swim!?!
You really can't make this shit up and it's brilliant TV.
Sometimes it's best to just use something simple and have it over with.
/Anders


----------



## sostenuto (Feb 27, 2020)

Like earlier creative phrase approach !

I will get Fluid Shorts II if not logging into _blank __ e.g. _eBay, VI-C, Amazon, ..... works for me !


----------



## Mike Greene (Feb 27, 2020)

When cracking passwords, don't most sites limit your attempts? I've learned the hard way that Wells Fargo blocks you after 3 misses. I couldn't remember my Soundboard password when I was on the road and got a warning after 4 or 5 attempts that I was near the end of my tries. (I haven't checked, but I assume VI-Control does the same?)

So even if I used a "bad" password like "[email protected]", it would take millions of attempts before the bot got to that one. Am I missing something there?

(Don't get me wrong, I use a similar approach as dzilizzi, so my passwords are pretty good. I'm just wondering.)


----------



## chimuelo (Feb 27, 2020)

JohnG said:


> Simply use "incorrect" as your password.
> 
> That way, if you forget it, hey presto! The device will tell you, "Your password is incorrect."



Ankyu....please stay seated.


----------



## Uiroo (Feb 27, 2020)

Mike Greene said:


> Obviously my ebay password is no longer "ben."
> 
> Apparently it was less obvious that my second paragraph was a joke, but ... it was a joke.


Hey, just wanted to make sure you don't get hacked 
I mean, your password WAS "ben." right?

The reason I said this is that very often people don't think about the fact that with personal hacking attacks, it's not only about the technical aspect, but also about what people give away for free without knowing it.
In your case, if I wanted to hack you, I'd stalk you on social media, look for the names of your children, your wife, your dog, cat, whatever. Since you once had "ben.", I'd hope that your passwords aren't more than 8 letters on average, which can be brute forced easily, you get the idea. If you haven't changed your password approach *everywhere*, I might land a few hits.

So, again, if your passwords are all super good now, there's no danger in telling people you used "ben.", but if not...
I just find it interesting how much mundane stuff is involved in hacking, so, yeah.



Mike Greene said:


> When cracking passwords, don't most sites limit your attempts?


Yes, but I think you can get around that with different IPs. I have no idea how it works, but I could imagine that there are tools that get past that, otherwise lots of expert advice on passwords wouldn't make any sense.


----------



## MartinH. (Feb 27, 2020)

Mike Greene said:


> When cracking passwords, don't most sites limit your attempts?



Bruteforcing over the login of a site seems impractically slow and very prone to be caught and auto-banned in some way. I think the bigger risk is when hackers get access to the whole database with the password hashes. Those aren't unencrypted passwords, those are the hash you get when putting a password through e.g. the md5 algorithm. When you enter the password the site calculates the md5 hash of what you entered and compares it to the hash they have stored. The hash itself can't be transformed back into the password, you have to guess the password and see if the hash of your guess matches, if you want to "brute force" a password. That's why it's important that they are long and secure. If the brute forcing would take years, no one is gonna bother. "Ben" could be guessed in less than a second if you have the hash I think.


----------



## Nick Batzdorf (Feb 27, 2020)

Funny, my Ashley Madison password is also ben.

Anyone here is welcome to use my account, especially people looking for a professional woman.


----------



## Andrew Aversa (Feb 27, 2020)

Yep, @MartinH explained it very well. To expand a bit, a "hash" is basically a unique value generated from some amount of text. For example:

The hash for the word "cat" is d077f244def8a70e5ea758bd8352fcd8.
The hash for the word "banana" is 72b302bf297a228a75730123efef7c41
The hash for the text "1551570" is a25cf9d9603c7b79424d8e2e32ac75dc.

Any given text (word, number, or combination of characters) has ONLY one possible hash. This is good if we're trying to verify that a file is what we expect it to be! For example, if John wants to send Mary a file, Mary can download the file and compare the hash value to the hash John has. If they're different, we know the file is altered in some way.

But how do we go backwards from "72b302bf297a228a75730123efef7c41" to "banana"? Simple: we write a program that generates every possible combination of 6 letters and numbers, then generates a corresponding list of hashes.

In other words, we generate:

aaaaaa
aaaaab
aaaaac
... and so on, to create a long list of hash values from their associated text. Voila, we've suddenly "cracked" the hash. We can simply search for "72b302bf297a228a75730123efef7c41" to find the text that generated it.

But wait, aren't there a lot of possible password combinations? 1.8 billion or so, for 6 characters? Yes, but modern hardware can generate all those combinations (and thus "crack" the hashes) almost instantaneously. As of 2012, hardware existed that could crack 348 billion passwords.... *per second.* And think about how far computer hardware has come in 8 years, not to mention all the tools we _don't_ know about.

To make matters even worse, the work of generating those text-to-hash lists only needs to be done once. Once we have a giant database of all possible 6 character passwords and their hashes, the database itself can be shared and searched by anyone on any computer, pretty much instantly.

All of this is just the "brute force" method. By making educated guesses, hackers can narrow down the amount of text to check very easily. Humans are not good at coming up with random things. If we are asked to type "randomly" we might use clusters of keys or numbers that are next to each other. We tend to make the first character of a password an uppercase letter, and the last characters numbers. 

Sophisticated tools can analyze existing cracked databases and 'learn' the patterns that people tend to use in their passwords - including longer ones - meaning that even a somewhat long password (12-13 characters) can be cracked potentially quickly if it uses those patterns.

*That's why you should use a password manager.*

Let a computer generate your random passwords. Those passwords can be 15, 18 characters or more with an impossible-to-remember series of numbers, letters, special characters, upper and lower case. You can have a different one for each site. And all YOU have to remember is your one master password for the manager itself. (Which, obviously, should be very secure.)
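An added example (not written by anyone in this thread) that backs up the two explanations above: it checks the md5 values quoted in the post, builds the small precomputed hash-to-text table the post describes, and then shows what a site should store instead of a bare md5 hash: a random per-user salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 here, which is this example's choice; the thread itself only mentions md5).

```python
import hashlib
import hmac
import itertools
import os
import string

LOWERCASE = string.ascii_lowercase


def md5_hex(text: str) -> str:
    """Unsalted md5 as discussed in the thread: the same text always gives the same hash."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(alphabet: str, max_len: int) -> dict:
    """Precompute hash -> plaintext for every string of 1..max_len characters.

    This is the "aaaaaa, aaaaab, aaaaac, ..." list from the post. It is computed
    once and then searched instantly, which is why a leaked database of fast,
    unsalted hashes is so dangerous.
    """
    table = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            plain = "".join(chars)
            table[md5_hex(plain)] = plain
    return table


def lookup(table: dict, digest: str):
    """Reverse a leaked unsalted hash by table search; None if it is outside the table."""
    return table.get(digest)


# --- The defence: a random salt per user plus a deliberately slow KDF. ---
# PBKDF2-HMAC-SHA256 is this example's assumption; the thread only names md5.

def store_password(password: str, iterations: int = 100_000) -> dict:
    """Return the record a site should store instead of md5(password)."""
    salt = os.urandom(16)  # fresh random salt for every user, even with the same password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def salted_records_differ(password: str) -> bool:
    """Two users with the same password get different stored values, so no single
    precomputed table can serve both (and each guess costs `iterations` work)."""
    a = store_password(password)
    b = store_password(password)
    return a["hash"] != b["hash"] and verify_password(a, password) and verify_password(b, password)


if __name__ == "__main__":
    table = build_lookup_table(LOWERCASE, 3)  # 18,278 entries, built in well under a second
    print(len(table), "precomputed unsalted hashes")
    print("md5('cat') =", md5_hex("cat"))
    print("leaked md5 of 'ben' reverses to:", lookup(table, md5_hex("ben")))
    print("'banana' is 6 chars, outside this table:", lookup(table, md5_hex("banana")))
    print("salted record for 'ben':", store_password("ben"))
    print("same password, different record each time:", salted_records_differ("ben"))
```

Growing the table to the six-character space the post mentions is the same loop with `max_len=6`; the point of the salted records is that no such table, however large, applies to them.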


----------



## dzilizzi (Feb 27, 2020)

zircon_st said:


> Yep, @MartinH explained it very well. To expand a bit, a "hash" is basically a unique value generated from some amount of text. For example:
> 
> The hash for the word "cat" is d077f244def8a70e5ea758bd8352fcd8.
> The hash for the word "banana" is 72b302bf297a228a75730123efef7c41
> ...


With my luck, the password manager program company will go out of business the day after I get all my passwords changed. 

I'm also a fan of misspelled words for passwords. I guess I should look into a password manager besides Google. I have too many different OS's to use something like Apple for a password manager.


----------



## Thundercat (Feb 27, 2020)

I a


zircon_st said:


> Yep, @MartinH explained it very well. To expand a bit, a "hash" is basically a unique value generated from some amount of text. For example:
> 
> The hash for the word "cat" is d077f244def8a70e5ea758bd8352fcd8.
> The hash for the word "banana" is 72b302bf297a228a75730123efef7c41
> ...


I appreciate the detailed tutorial. What I don't get is, how does having the hash help a hacker? He can't enter the hash into the password field...and he can't go more than 3-4 times per site either...what gives? What does the hacker DO with the hash?


----------



## dzilizzi (Feb 27, 2020)

If he figures out the hash for one password, they can likely figure out them all. Of course, it only helps if they've hacked the site and gotten all the emails and passwords. Not so much use at a place like ISW because you normally can't resell the products. However, a lot of people use the same password everywhere. As in bank accounts and other money places. And that's why you are supposed to use a different password everywhere.


----------



## JohnG (Feb 27, 2020)

I thought if you used like 20 characters, even a clever computer would have a hard time with it.

123456789101112131415


----------



## Mike Greene (Feb 27, 2020)

zircon_st said:


> Yep, @MartinH explained it very well. To expand a bit, a "hash" is basically a unique value generated from some amount of text. For example:
> 
> The hash for the word "cat" is d077f244def8a70e5ea758bd8352fcd8.
> The hash for the word "banana" is 72b302bf297a228a75730123efef7c41
> ...


That's a really good explanation. I didn't know how the hashes worked.

Ironically, though, it makes me less inclined to worry much about my passwords, since apparently ben isn't that much harder to crack than my 8-digit masterpieces. Sure, ben is quicker to figure out the hashes for, but 8-digit is quickly and easily deciphered, too, so those are just as vulnerable. (Assuming the hash database gets hacked ... which is something I have no control over.)

The bottom line for me is that other than my email and bank accounts, I'm not that worried about whether some hacker logs into my Spotify account and listens to AC/DC for free, or logs onto my Verizon account and ... what, maybe pays my bill? Plus those cases rely on Spotify or Verizon having their databases hacked, which ultimately makes it their problem, not mine.

Dang. It's gonna take me forever to change all those passwords back to ben.


----------



## JohnG (Feb 27, 2020)

Mike Greene said:


> I'm not that worried about whether some hacker logs into my Spotify account and listens to AC/DC



But what if it's smooth jazz? It could irreparably harm your reputation.


----------



## Uiroo (Feb 28, 2020)

Mike Greene said:


> That's a really good explanation. I didn't know how the hashes worked.
> 
> Ironically, though, it makes me less inclined to worry much about my passwords, since apparently ben isn't that much harder to crack than my 8-digit masterpieces. Sure, ben is quicker to decipher, but 8-digit is quickly and easily deciphered, too, so those are just as vulnerable. (Assuming the hash database gets hacked ... which is something I have no control over.)
> 
> ...


Add forums and social media to the list. You don't want anyone to hack your VI-Control account and then send a harmful link in a PM to someone you talk to frequently, called "Haha, Matt, remember this?"

I once met a guy who showed me in real time how he hacked ONE ICQ account (yes, 10 years ago), and then asked some people the account was connected with to run a file and to say if there's some anti-virus notification. (!!!)

That file automatically gave him access to a variety of passwords, and one hour later, after some people had responded, he had access to multiple PayPal accounts, etc.
And he was a teenage kid who didn't really know much about hacking, and he was sorta testing how dumb people are.


----------



## Thundercat (Feb 28, 2020)

Mike Greene said:


> That's a really good explanation. I didn't know how the hashes worked.
> 
> Ironically, though, it makes me less inclined to worry much about my passwords, since apparently ben isn't that much harder to crack than my 8-digit masterpieces. Sure, ben is quicker to decipher, but 8-digit is quickly and easily deciphered, too, so those are just as vulnerable. (Assuming the hash database gets hacked ... which is something I have no control over.)
> 
> ...


Leave the past to itself.

that password has Ben.


----------



## Fredeke (Feb 28, 2020)

Here's what I do:

My root password (main email and web hosting) is 3 mike models, slightly obfuscated. For example: SM58, MKH50 and KMR84 become $m58Mkh50Kmr84 (not my actual password). That's easy to remember.

Then I have a password for high security sites (bank, paypal, ebay, etc.) which is $0meThing-XY, where X is (first letter of website's name)+1 and Y is (last letter of website's name)-1

Then I have one universal password for all other websites because I don't care about their security.

(Actually I have 5 levels of security, but this 3-level example suffices.)


----------



## MartinH. (Mar 1, 2020)

Mike Greene said:


> That's a really good explanation. I didn't know how the hashes worked.
> 
> Ironically, though, it makes me less inclined to worry much about my passwords, since apparently ben isn't that much harder to crack than my 8-digit masterpieces. Sure, ben is quicker to figure out the hashes for, but 8-digit is quickly and easily deciphered, too, so those are just as vulnerable. (Assuming the hash database gets hacked ... which is something I have no control over.)









I tried finding some more solid info on what length is safe, and I don't 100% understand it. It seems length _alone_ isn't what makes it safe, but safe passwords pretty much _require_ to be long. And it's totally feasible to have a password that can't be brute forced, even if the attacker can try 300 billion times per second. The number of tries it takes grows rapidly and exponentially.

There is some good info here on stack overflow: "Length of passwords that are rainbow table safe" (security.stackexchange.com): "With large computing power (like what you can get in the Amazon cloud for example) you can generate huge rainbow tables for passwords. There also seems to be some large rainbow tables reachable tha..."





Someone there helpfully calculated an example of how big a list of hashes and passwords (which is called a "rainbow table") would get in relation to the password length.








So while it is true that 8-character passwords no longer are "safe" because hardware exists that could chew through the hash quick enough, a proper 16 digit random password (meaning a generated one and not something you typed on your keyboard, no word, no word with character substitutions etc.) with a large character set that includes special characters etc. still is pretty much unbreakable.

There's another xkcd comic that recommends the stringing words together method. Again I don't 100% understand the math, but the author is pretty smart, so there's probably something to it: 







If I understand correctly, the number of bits used for calculating the bottom example comes from the length of the dictionary used to pull the words from. So in this example 2^11 = 2048. If you pick words that are obscure enough not to be in the "list of 2048 most common words", then the strength of the password increases. In that sense throwing in things like Microphone names or other easy (for you) to remember but obscure gear references together with a list of random words (that don't form a sentence or quote because there's probably dictionaries for those too) might be a pretty good approach as long as you stay considerably over 8 digits.






Mike Greene said:


> The bottom line for me is that other than my email and bank accounts, I'm not that worried about whether some hacker logs into my Spotify account and listens to AC/DC for free, or logs onto my Verizon account and ... what, maybe pays my bill? Plus those cases rely on Spotify or Verizon having their databases hacked, which ultimately makes it their problem, not mine.



There is a market for accounts with "unique names", where they get hacked, taken over and resold on shady websites. So e.g. an instagram account with a really cool name is worth money. Or a social media account with plenty of followers also is worth cash.




Mike Greene said:


> Dang. It's gonna take me forever to change all those passwords back to ben.



To be perfectly honest, I can relate. I've kept using one password long after I knew it was compromised in a hack on a big site (iirc it was Adobe). But I'm leaning more and more on Keepass and use randomly generated passwords for everything where I make a new account and I think I have changed most of the old ones too. I once got notified that someone logged into my account of a free2play game and then I immediately looked through my password database where I still use that same mail address and password combination and changed all those that I could find.


----------



## Fredeke (Mar 1, 2020)

@MartinH. : About that second XKCD comic: In his blog the author confesses it was a joke and wouldn't work, because in addition to trying many combinations of random characters, a brute force hacker can also try many combinations of random words from the dictionary.


----------



## MartinH. (Mar 2, 2020)

Fredeke said:


> @MartinH. : About that second XKCD comic: In his blog the author confesses it was a joke and wouldn't work, because in addition to trying many combinations of random characters, a brute force hacker can also try many combinations of random words from the dictionary.



Thanks for the correction, do you have a link to that blog entry? I couldn't find it. 

If I'm not miscalculating, 4 words from 2048-word wordlists would mean 17 592 186 044 416 combinations. But you can easily scale that up exponentially by just adding a couple more words. With 6 words it's already 2048^6 = 73 786 976 294 838 206 464, and for comparison 80^10 is "only" 10 737 418 240 000 000 000.

And 6 random words are imho easier to remember than a randomly generated 10 digit case sensitive alpha numeric password with special characters.

When calculating the likelihood of a hash being cracked, it's also a big factor if and how the password's hash is "salted" in the database. For example for my keepass password (the one protecting all my other passwords) I have set the salt to be so calculation intensive, that on my hardware it takes ~1 second to calculate the hash. That alone will scale the computing power needed to breach it up by many orders of magnitude, compared to an "unsalted" password.


----------



## Uiroo (Mar 2, 2020)

MartinH. said:


> Thanks for the correction, do you have a link to that blog entry? I couldn't find it.
> 
> If I'm not miscalculating 4 words from 2048-word wordlists would mean 17 592 186 044 416 combinations. But you can easily scale that up exponentially by just adding a couple more words. With 6 words it's already 2048 ^ 6 =
> 73 786 976 294 838 206 464
> ...


6 random words are essentially not that different from 6 random letters.
You let the computer go through the dictionary and let it try words that are known to be the most common, which is well explored through huge databases of cracked passwords. Very well explored.

Words like norepinephrine should be way down the list, but correcthorsebatterystaple are essentially just 6 extremely common words and will be hacked in no time.
Dictionary attacks get difficult if it would be corr0ectho?!rseba_tterysta*ple. But if you think you're clever by using leetspeak (c0rr3ct), the computer speaks leetspeak and will try each word in all leetspeak combinations.
The computerphile video I posted earlier explains it really well, extremely interesting video


----------



## Fredeke (Mar 2, 2020)

MartinH. said:


> Thanks for the correction, do you have a link to that blog entry? I couldn't find it.


Oh, no, sorry. It's just a bit of trivia that got stuck in my brain.
And maybe you're right, and he was wrong in thinking he was wrong.


----------



## MartinH. (Mar 2, 2020)

Uiroo said:


> The computerphile video I posted earlier explains it really well, extremely interesting video



I hadn't watched that yet, thanks a lot for reminding me. Very interesting! His suggestion of throwing one additional special character in there randomly in the middle of a word so that it's not a letter-substitution is brilliant! That raises the security of the password by a whole lot.



Uiroo said:


> 6 random words are essentially not that different from 6 random letters.



Only if the words are so common that the dictionary that contains them is like 100 words long, so I disagree. If it's 1000s of words or more in the dictionary, it's a considerably harder challenge to crack because of the amount of hashes you'd need to go through and the size that a rainbow table containing all those hashes would have.

math example:
alphanumeric with special characters: 80^6 = 262144000000
words from a 1000 word dictionary: 1000^6 = 1000000000000000000

That's a couple of orders of magnitude difference. And wordlists can be a lot bigger than 1000 words. He said "staples" is already only the 12000th most common word or something like that. Even if he can guess 40 billion hashes per second you can feasibly reach a complexity where it's not feasible to brute force it with multi-word dictionary attacks, even if you use just words. They just have to be obscure enough and they can't be in one of the dictionaries that consist of leaked passwords. So things like famous quotes etc. are all terrible. I googled a bit just now and there are dictionaries with 1,493,677,782 words, 15GB... crazy!

I agree with you that 4 random words isn't secure enough. 


P.s.: You could probably make pretty good custom dictionaries from someone's forum posts or tweets to get all the obscure gear references that people have talked about using in their passwords. If you really want to target someone specifically, that's feasible to include in an attack I think.
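Worked example of the keyspace arithmetic in this post (80^6 vs 1000^6) and of the 2048^4, 2048^6 and 80^10 figures from the Mar 2 reply above. This is an added Python example, not code from any poster in the thread. The guess rates (40 billion and 300 billion per second) are the round numbers quoted in the thread, the 80-symbol character alphabet and the word-list sizes are taken from the posts, and the arithmetic assumes every character or word is chosen uniformly at random by a generator, which is exactly the assumption the "common words" objection attacks.

```python
import math

# Guess rates quoted in the thread: 300 billion/s (Mar 1 post) and
# 40 billion/s (the Computerphile figure cited above). Both are assumed
# round numbers, not measurements of any particular hardware.
RATE_300B = 300e9
RATE_40B = 40e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords when each of `length` positions is drawn
    uniformly from `alphabet_size` symbols (characters or dictionary words)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password from that keyspace.
    For a 2048-word list this is 11 bits per word, as in the xkcd comic."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float = RATE_40B) -> float:
    """Worst-case time to try every candidate at the given guess rate.
    The expected time to hit one particular password is half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare_schemes(guesses_per_second: float = RATE_40B):
    """Return (label, keyspace, bits, years) for the schemes discussed in the thread."""
    schemes = [
        ("6 chars, 80-symbol alphabet", 80, 6),
        ("10 chars, 80-symbol alphabet", 80, 10),
        ("16 chars, 80-symbol alphabet", 80, 16),
        ("4 words, 2048-word list", 2048, 4),
        ("6 words, 1000-word list", 1000, 6),
        ("6 words, 2048-word list", 2048, 6),
    ]
    rows = []
    for label, n, k in schemes:
        space = keyspace(n, k)
        rows.append((label, space, entropy_bits(n, k), years_to_exhaust(space, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for rate in (RATE_40B, RATE_300B):
        print(f"--- at {rate:.0e} guesses per second ---")
        for label, space, bits, years in compare_schemes(rate):
            print(f"{label:32} {space:>26,d}  {bits:6.1f} bits  {years:>12.3g} years")
```

The years column is the worst case for a password a generator picked uniformly. A phrase a person assembled from the few hundred words that come to mind first draws from a far smaller effective list, which is the objection raised in the thread, and that shrinks the keyspace no matter how many characters the phrase has.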


----------



## Uiroo (Mar 2, 2020)

MartinH. said:


> I agree with you that 4 random words isn't secure enough.


Yes, but it could be safe again if you use different languages.
diamondbrezelmasionlacama should be REALLY difficult :D
Make it diam_ondbrezelmasÜionlacama, and it should be almost impossible, and relatively easy to remember.

But yeah, 6 words are better than 6 letters, you're right 

ps: another nice trick might be to take words from foreign languages and write them the way you'd pronounce them in your native language. So daimäntbrezelmäsonglakama or something^^


----------



## MartinH. (Mar 2, 2020)

Uiroo said:


> Yes, but it could be save again if you use different languages.
> diamondbrezelmasionlacama should be REALLY difficult :D
> Make it diam_ondbrezelmasÜionlacama, and it should be almost impossible, and relatively easy to remember.
> 
> ...



Those are really good ideas! Thinking outside the box, I like it .


----------



## robgb (Mar 2, 2020)

I highly recommend LastPass. Makes life much easier.


----------



## Nick Batzdorf (Mar 2, 2020)

robgb said:


> I highly recommend LastPass. Makes life much easier.



Is it paranoid to worry that password repositories are likely to be the first targets for thieves?


----------



## robgb (Mar 2, 2020)

Nick Batzdorf said:


> Is it paranoid to worry that password repositories are likely to be the first targets for thieves?


As far as I can tell, the passwords are not stored on their website, but on your computer. I use an extension on my browser.


----------



## robgb (Mar 2, 2020)

From the LastPass website:

"Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass' servers, and are never accessible by LastPass."


----------



## Nick Batzdorf (Mar 2, 2020)

robgb said:


> the passwords are not stored on their website, but on your computer



Are they shared across your own computers and devices?

Asking because I go to sites on at least four computer devices, not because of the security.


----------



## dzilizzi (Mar 2, 2020)

My problem with password repositories is that I have 4 computers (or more), an android phone and an iPad. They usually charge per device, not per user. I have been thinking about getting one of those Yubiko things or something similar.

Edit - Okay, looks like LastPass has a free version that lets you use multiple devices. I guess some things have changed. I will need to do more research into this.


----------



## Zero&One (Mar 2, 2020)

I use Kaspersky Password manager. It came with the Suite, but you can buy it standalone. All synced across phone, Mac and 2 PCs.
I don’t know any password, just that they are 12 chars and strong. Auto logon with zero hassle.
It also can check your passwords for dupes and if they have been compromised via haveibeenpwned.


----------



## robgb (Mar 2, 2020)

Nick Batzdorf said:


> Are they shared across your own computers and devices?
> 
> Asking because I go to sites on at least four computer devices, not because of the security.


Again, from the website:

"No matter where you need your passwords – on your desktop, laptop, tablet, or phone – you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use."


----------



## robgb (Mar 2, 2020)

Zero&One said:


> I use Kaspersky Password manager.


I have reservations about Kaspersky. According to Wikipedia:

"Kaspersky has faced controversy over allegations that it has engaged with the Russian Federal Security Service (FSB)—ties which the company has actively denied. The U.S. Department of Homeland Security banned Kaspersky products from all government departments on 13 September 2017."


----------



## dzilizzi (Mar 2, 2020)

robgb said:


> Again, from the website:
> 
> "No matter where you need your passwords – on your desktop, laptop, tablet, or phone – you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use."


Do you use the free version? Just wondering how good it is. thanks


----------



## Zero&One (Mar 2, 2020)

Same happened in the UK, I used to get it free from Barclays until they banned them.
I've used them ever since without any issues.

World is a scary place though, this is LastPass.

2019 security incidents:
On Friday, August 30, 2019, Tavis Ormandy reported a vulnerability in the LastPass browser extension in which Web sites with malicious JavaScript code could obtain a username and password inserted by the password manager on the previously visited site. By September 13, 2019, LastPass publicly announced the vulnerability, acknowledging the issue was limited to the Google Chrome and Opera extensions only; nonetheless, all platforms received the vulnerability patch.


----------



## robgb (Mar 2, 2020)

dzilizzi said:


> Do you use the free version? Just wondering how good it is. thanks


I only use the free version and have never seen a reason to pay.


----------



## Zero&One (Mar 2, 2020)

robgb said:


> I only use the free version and have never seen a reason to pay.



Yeah, the free is as good as anything. The basic functionality is the same.
People should use them rather than not in my opinion. As soon as there's a data breach you can reset all the most secure accounts in minutes. The rest is auto and easy.


----------



## Fredeke (Mar 6, 2020)

JohnG said:


> Simply use "incorrect" as your password.
> 
> That way, if you forget it, hey presto! The device will tell you, "Your password is incorrect."


Some phone companies provide an automatic answering message along the lines of "XXX is not available for the moment, etc." where you just have to record your name to fill in for XXX. So for a while my recorded name was "Repeat after me: 'is not available for the moment'"...

Ok, more seriously, there's one thing I don't get about password prompts: why do they make it possible to brute force 1000 attempts per second? Wouldn't requiring a 1-second minimum delay between attempts defeat all brute force attacks?

That's what I do when coding PHP password access to a website I set up. Oh, I'm sure my security is full of holes, but at least brute force is not one of them.
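One way to implement the minimum-delay idea from this post on the server side, as an added Python example (not Fredeke's PHP and not any site's real code). The 1-second gap between attempts is the figure from the post; the cap of five failures per sliding minute, the account names and the reason strings are assumptions for the demo. Timestamps are passed in explicitly so the behaviour can be exercised without sleeping.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed policy: failed attempts tolerated per window
WINDOW_SECONDS = 60.0   # assumed sliding window for counting failures
MIN_GAP_SECONDS = 1.0   # the 1-second minimum between attempts from the post


class LoginThrottle:
    """Per-account throttle for a password prompt.

    Two independent rules: a minimum gap between consecutive attempts on the
    same account, and a cap on failures within a sliding window. The caller
    asks `allow()` before checking the password and reports the outcome with
    `record()`. Times are injectable so the logic is deterministic in tests.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, min_gap=MIN_GAP_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.min_gap = min_gap
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._last_attempt = {}              # account -> timestamp of last attempt

    def _prune(self, account, now):
        """Forget failures older than the window."""
        cutoff = now - self.window
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def allow(self, account, now=None):
        """Return (allowed, reason). Reject before any password work is done."""
        now = time.monotonic() if now is None else now
        last = self._last_attempt.get(account)
        if last is not None and now - last < self.min_gap:
            return False, "too fast"
        self._prune(account, now)
        if len(self._failures[account]) >= self.max_failures:
            return False, "locked"
        return True, "ok"

    def record(self, account, success, now=None):
        """Record the outcome of an attempt that `allow()` admitted."""
        now = time.monotonic() if now is None else now
        self._last_attempt[account] = now
        if success:
            self._failures[account].clear()
        else:
            self._failures[account].append(now)


if __name__ == "__main__":
    throttle = LoginThrottle()
    # Constructed sequence: six wrong guesses one second apart on one account.
    for t in range(6):
        allowed, reason = throttle.allow("alice", now=float(t))
        print(f"t={t}s allow={allowed} ({reason})")
        if allowed:
            throttle.record("alice", success=False, now=float(t))
```

Two caveats a practitioner would add. A per-account lock lets anyone who knows a username keep that user locked out, so real deployments usually combine per-account and per-source limits with increasing back-off or a CAPTCHA rather than a hard lock. And none of this helps once the stored hash table has leaked, because the attacker is then no longer talking to the prompt at all; that case is what salting and slow hashing are for.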


----------



## JohnG (Mar 6, 2020)

Fredeke said:


> why do they make it possible to brute force 1000 attempts per second?



I suppose for extremely fast typists? Who keep forgetting their passwords?


----------



## Uiroo (Mar 6, 2020)

JohnG said:


> I suppose for extremely fast typists? Who keep forgetting their passwords?


----------



## MartinH. (Mar 6, 2020)

Fredeke said:


> Ok, more seriously, there's one thing I don't get about password prompts: why do they make it possible to brute force 1000 attempts per second? Wouldn't requiring a 1-second minimum delay between attempts defeat all brute force attacks?



Unless the developers of a website/online store were very negligent, there should be something in place preventing brute-forcing on the password _prompt_. But when you get ahold of the password _hash_, then you can brute-force all you want. When you _salt_ the hash in a way that the computation takes e.g. 1 second on a server, then that would scale very poorly for services that might end up having lots of users log in, and it would also mean you open up a vulnerability for maxing out CPU load on the server from the outside by having bots try logging in to many accounts quickly. I assume banks etc. would still use that added layer of security, or at least I hope they would. From what I heard, much of banking and stock exchange IT is ancient under the hood (decades old), because no one dares to touch it.
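Added Python example (not code from the thread or any poster) tying together the earlier question of what a leaked hash is good for and this post's point that throttling at the prompt does not help once the hash itself is in the attacker's hands. It reproduces the unsalted MD5 values quoted earlier in the thread (the hash of "cat" is d077f244def8a70e5ea758bd8352fcd8) to show that two users with the same password get the same stored value, then stores the same password with PBKDF2-HMAC-SHA256, a random per-user salt and an iteration count that sets the per-guess cost. The iteration count of 100,000, the user names and the passwords are assumptions for the demo; the record format "algorithm$iterations$salt$digest" is also an assumed convention.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 100_000   # assumed demo value; deployments tune this to a target verify time
SALT_BYTES = 16


def md5_hex(password: str) -> str:
    """Unsalted, fast hash of the kind the thread's examples use."""
    return hashlib.md5(password.encode()).hexdigest()


def unsalted_collisions(users: dict) -> dict:
    """Group users by their unsalted MD5. Identical passwords give identical
    hashes, so one precomputed lookup unmasks every user in a group at once."""
    groups = {}
    for user, pw in users.items():
        groups.setdefault(md5_hex(pw), []).append(user)
    return groups


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex.
    A fresh random salt per user means equal passwords never share a digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_verify(iterations: int, rounds: int = 3) -> float:
    """Average wall-clock cost of one verification at the given iteration count.
    This is the per-guess cost an offline attacker also pays, per account."""
    record = hash_password("timing-probe", iterations=iterations)
    start = time.perf_counter()
    for _ in range(rounds):
        verify_password("timing-probe", record)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed sample user table, not real data.
    users = {"alice": "cat", "bob": "cat", "carol": "banana"}
    print("unsalted md5 groups:", unsalted_collisions(users))
    rec_alice = hash_password("cat")
    rec_bob = hash_password("cat")
    print("salted records differ for the same password:", rec_alice != rec_bob)
    print("verify correct:", verify_password("cat", rec_alice),
          "verify wrong:", verify_password("Cat", rec_alice))
    for n in (1_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_verify(n) * 1000:.1f} ms per verify")
```

With a salt, the same password stored for two users yields two unrelated records, so a precomputed table is useless and every account has to be attacked on its own. The iteration count is the knob that sets the per-guess cost described for KeePass above, and it is a separate parameter from the salt. Web services typically tune it to a fraction of a second per verification so that the CPU-load trade-off this post raises stays manageable; a desktop vault that is unlocked a few times a day can afford the full second.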


----------

