Passwords
Passwords
Can someone with more experience with this than I explain something to me.
I just got a notice from our ERP/MRP whatever company that "We are excited to announce an update to our password security....." Blah Blah Blah. They made it case sensitive.
Everywhere I go I get some twisted version of "More secure" passwords, special characters, caps, numbers etc etc etc.
I'm trying to figure out why any of this matters.
To me and my feeble understanding you have only a few ways to "HAck" based on beating the password. Brute force, which is essentially trying every possible combination and "Guessing" or some combination of the two.
Unless the hacker has some insight into the person they are attempting to hack then guessing really has no impact as far as I can see.
Outside of that brute force essentially has to assume that any character can be in any position. The only way this is not true is if somehow they figured out that the password is somehow limited to only a certain set of characters....which seems like a stupid idea for a password.
So assuming I'm not horribly wrong about the above for some reason wouldn't the only factor that mattered for the majority of cases is the number of characters? Two characters are twice as difficult to crack as one character, three is eight more difficult than 1 character and so on....or something like that if I did my maths right.
So assuming that a password has the possibility of containing any character, cap, no cap, number, special etc....what difference does it make if you use them? "11111111" would be as secure as "A1@#stU)" because they have the same number of characters.
I just got a notice from our ERP/MRP whatever company that "We are excited to announce an update to our password security....." Blah Blah Blah. They made it case sensitive.
Everywhere I go I get some twisted version of "More secure" passwords, special characters, caps, numbers etc etc etc.
I'm trying to figure out why any of this matters.
To me and my feeble understanding you have only a few ways to "HAck" based on beating the password. Brute force, which is essentially trying every possible combination and "Guessing" or some combination of the two.
Unless the hacker has some insight into the person they are attempting to hack then guessing really has no impact as far as I can see.
Outside of that brute force essentially has to assume that any character can be in any position. The only way this is not true is if somehow they figured out that the password is somehow limited to only a certain set of characters....which seems like a stupid idea for a password.
So assuming I'm not horribly wrong about the above for some reason wouldn't the only factor that mattered for the majority of cases is the number of characters? Two characters are twice as difficult to crack as one character, three is eight more difficult than 1 character and so on....or something like that if I did my maths right.
So assuming that a password has the possibility of containing any character, cap, no cap, number, special etc....what difference does it make if you use them? "11111111" would be as secure as "A1@#stU)" because they have the same number of characters.
Re: Passwords
As you say, https://xkcd.com/936/
I strongly believe that passwords are obsolete, and improving them does not greatly improve your security. The notice you received is security marketing, merely security theatre to make them look good, maybe make you feel better, but it is only polishing a turd.
Two Factor Authentication (2FA) is ideal, and fairly simple. Security Keys like Yubico are a handy authenticator also. Microsoft reports that 99.9% of breached accounts did not have 2FA active. That is, nothing is absolutely assured, but 2FA is tremendously more effective security than passwords alone.
I strongly believe that passwords are obsolete, and improving them does not greatly improve your security. The notice you received is security marketing, merely security theatre to make them look good, maybe make you feel better, but it is only polishing a turd.
Two Factor Authentication (2FA) is ideal, and fairly simple. Security Keys like Yubico are a handy authenticator also. Microsoft reports that 99.9% of breached accounts did not have 2FA active. That is, nothing is absolutely assured, but 2FA is tremendously more effective security than passwords alone.
- Jaylin Hochstetler
- Posts: 387
- Joined: Sat Mar 13, 2021 8:47 pm
- Location: Michigan
- x 380
- x 355
- Contact:
Re: Passwords
But..
The Brute Force software will try 1111111 then 11111112 then 11111113 and so forth (I believe). Which makes it easy to crack...
Edit: Or rather it will try the easy ones first.
BTW I use LastPass to manage my passwords. It is an awesome software (actually it's an extension for your browser). It will generate pws for you, it can store pws, credit cards, banking info, and a bunch of other stuff, plus your data can be backed up. And it will autofill the info for you!!
I use Authy for 2FA.
The Brute Force software will try 1111111 then 11111112 then 11111113 and so forth (I believe). Which makes it easy to crack...
Edit: Or rather it will try the easy ones first.
BTW I use LastPass to manage my passwords. It is an awesome software (actually it's an extension for your browser). It will generate pws for you, it can store pws, credit cards, banking info, and a bunch of other stuff, plus your data can be backed up. And it will autofill the info for you!!
I use Authy for 2FA.
A goal is only a wish until backed by a plan.
Re: Passwords
imagine a password XXX :
with 3 numbers, possibilities = 10 x 10 x 10 = 1 000
with 3 letters = 27 x 27 x 27 = 19 683
3 numbers or letters = 37 x 37 x 37 = 50 653
3 numbers, letters, caps = 64 x 64 x 64 = 262 144
3 numbers, letters, caps, symbols (about 10, i don't really know) = 74 x 74 x 74 = 405 224
if a password "can be with "numbers, letters, caps, symbols"
at the begining, user had the full choice, but as being lazy, choose for example : 1111111
so, a hacker know the majority of users are lazy, and will only use numbers,
so hacker can adapt his to do less work by searching only with numbers...
forcing the user to put numbers and letter, increase the safety,
forcing the user to put numbers, letters, caps, symbols, increase the safety
with 3 numbers, possibilities = 10 x 10 x 10 = 1 000
with 3 letters = 27 x 27 x 27 = 19 683
3 numbers or letters = 37 x 37 x 37 = 50 653
3 numbers, letters, caps = 64 x 64 x 64 = 262 144
3 numbers, letters, caps, symbols (about 10, i don't really know) = 74 x 74 x 74 = 405 224
if a password "can be with "numbers, letters, caps, symbols"
at the begining, user had the full choice, but as being lazy, choose for example : 1111111
so, a hacker know the majority of users are lazy, and will only use numbers,
so hacker can adapt his to do less work by searching only with numbers...
forcing the user to put numbers and letter, increase the safety,
forcing the user to put numbers, letters, caps, symbols, increase the safety
- mike miller
- Posts: 878
- Joined: Fri Mar 12, 2021 3:38 pm
- Location: Michigan
- x 1070
- x 1231
- Contact:
Re: Passwords
Where r is reward, e is effort, and p is probability of an attack (or relative juiciness of morsel).
r/e=p
To illustrate, which is more likely:
-a hacker in Pakistan cracks my password for this forum account.
-a team of hackers breaks into My Small-town Bank's servers and steals everyone's card numbers.
That's why I don't worry about 2FA for small fry accounts....but banking.....that's another story.
r/e=p
To illustrate, which is more likely:
-a hacker in Pakistan cracks my password for this forum account.
-a team of hackers breaks into My Small-town Bank's servers and steals everyone's card numbers.
That's why I don't worry about 2FA for small fry accounts....but banking.....that's another story.
He that finds his life will lose it, and he who loses his life for [Christ's] sake will find it. Matt. 10:39
Re: Passwords
i agree,
2FA should not be standard for everywhere,
not for small things...
2FA should not be standard for everywhere,
not for small things...
Re: Passwords
I think what you're saying here is that the "Guessing" factor becomes an issue because of human nature. IE hackers know that people are lazy and thus unless they are forced to use a password that is not ridiculously obvious they will use them and the hackers know it.Merovingien wrote: ↑Tue May 11, 2021 11:13 am
forcing the user to put numbers, letters, caps, symbols, increase the safety
That's a valid point.
Re: Passwords
I have my own method for "Randomly" generating passwords. I apply that formula to all my passwords. So if someone figured out the formula then they would have access to all my accounts, which is probably bad. That being said certain websites that require some oddball criteria that does not fit my formula end up making me add/subtract something and then I can't remember what was changed.Jaylin Hochstetler wrote: ↑Tue May 11, 2021 11:12 am BTW I use LastPass to manage my passwords. It is an awesome software (actually it's an extension for your browser). It will generate pws for you, it can store pws, credit cards, banking info, and a bunch of other stuff, plus your data can be backed up. And it will autofill the info for you!!
I use Authy for 2FA.
Re: Passwords
Every year, the most used passwords are publicized and ranked. These are the first 100 or so attempts within a brute force attack, followed by factory-default passwords. Human nature has been analyzed, and leveraged against humans by humans.
Re: Passwords
A lot of time they are:
→ Min 12 characters
→ Include special characters
→ Include Upper case
→ Include Lower case
→ Include Number
→ Change your password every X months
Ironically, when it come to changing password, a lot of user either just replace 1 character or just add a character...
A lot of time they are even using the same password for multiple account...
→ Min 12 characters
→ Include special characters
→ Include Upper case
→ Include Lower case
→ Include Number
→ Change your password every X months
Ironically, when it come to changing password, a lot of user either just replace 1 character or just add a character...
A lot of time they are even using the same password for multiple account...
Far too many items in the world are designed, constructed and foisted upon us with no understanding-or even care-for how we will use them.
- Glenn Schroeder
- Posts: 1521
- Joined: Mon Mar 08, 2021 11:43 am
- Location: southeast Texas
- x 1759
- x 2130
Re: Passwords
I'm always annoyed with sites that don't have sensitive information, where no one would bother to hack and I wouldn't care if they did, but they still require complex passwords.
"On the days when I keep my gratitude higher than my expectations, well, I have really good days."
Ray Wylie Hubbard in his song "Mother Blues"
Ray Wylie Hubbard in his song "Mother Blues"
Re: Passwords
One breach reveals the password, and it affects far more than that resource.Zhen-Wei Tee wrote: ↑Tue May 11, 2021 12:07 pm A lot of time they are even using the same password for multiple account...
You can find out if your email is included within disclosed breaches at https://haveibeenpwned.com/ which is run by Troy Hunt, a respected security researcher. Results include, per breach, what information was captured and appropriate recommendations.
- AlexLachance
- Posts: 2184
- Joined: Thu Mar 11, 2021 8:14 am
- Location: Quebec
- x 2364
- x 2013
Re: Passwords
I can answer about the brute forcing a bit.
I used to play Starcraft when I was a teenager and people would steal accounts on there by brute forcing passwords because generally they were all very fairly simple.
Depending on the way it is done, the brute force will try different word combinations, until it reaches it's "word limit combiniaton" and then it starts trying letters by letters and so on.
So the more possibilities per character, the more complex it becomes to brute-force something. The more characters, the more complexity it adds, because it's exponential.
There are some people who are really good at it and can break down passwords rather easily, but the rather "general" brute force method is as I described it. It could take a solid 24 hours to brute force an 8 character password and back then symbols were not allowed and there was no distinction between capitalization.
I used to play Starcraft when I was a teenager and people would steal accounts on there by brute forcing passwords because generally they were all very fairly simple.
Depending on the way it is done, the brute force will try different word combinations, until it reaches it's "word limit combiniaton" and then it starts trying letters by letters and so on.
So the more possibilities per character, the more complex it becomes to brute-force something. The more characters, the more complexity it adds, because it's exponential.
There are some people who are really good at it and can break down passwords rather easily, but the rather "general" brute force method is as I described it. It could take a solid 24 hours to brute force an 8 character password and back then symbols were not allowed and there was no distinction between capitalization.
Re: Passwords
I had already started my business when Starcraft came out. Me and a couple of my employees would play Starcraft after work regularly. Friday was often Pizza, Beer and Starcraft night at the officeAlexLachance wrote: ↑Tue May 11, 2021 2:00 pm I used to play Starcraft when I was a teenager and people would steal accounts on there by brute forcing passwords because generally they were all very fairly simple.
Unreal Tournament and other FPS games were also regularly on rotation.
- Frederick_Law
- Posts: 1947
- Joined: Mon Mar 08, 2021 1:09 pm
- Location: Toronto
- x 1638
- x 1470
Re: Passwords
One way to brute force is use words in dictionary.
Another thing is people reuse passwords in different accounts.
If you hack a bank database, you'll need to decrypt all the info. The bank, police, FBI, CIA will be after you.
If you found someone's password, you could have everything they got. And they can't do anything because you took everything. They can't even hire a lawyer.
I use a password manager now. So I don't even know most of my passwords.
Another thing is people reuse passwords in different accounts.
If you hack a bank database, you'll need to decrypt all the info. The bank, police, FBI, CIA will be after you.
If you found someone's password, you could have everything they got. And they can't do anything because you took everything. They can't even hire a lawyer.
I use a password manager now. So I don't even know most of my passwords.
Re: Passwords
Hackers also get lists of popular passwords from past hacks, and from news reports. From there it's just a matter of statistics and probability to get hits on some of those. In fact, I get hack attempts every day on my blog for user names that don't exist. There really are people who don't have anything else to do but mess around like this. Even if they got in, there's nothing of value, but they get bots to do the big work, and it doesn't matter if 99.9% or more of their time is completely wasted. They just need one big hit.
Blog: http://dezignstuff.com
Re: Passwords
but some websites have a limitation to "failure password" after 3 attempts.
so bots can't test their infinite combination during hours.
i prefer not used a software or an external site to create-manage passwords for me.
And hackers can get interest of hacking them, because they centralized passwords.
i prefer manage passwords myself, with a paper.
so bots can't test their infinite combination during hours.
i prefer not used a software or an external site to create-manage passwords for me.
And hackers can get interest of hacking them, because they centralized passwords.
i prefer manage passwords myself, with a paper.
Re: Passwords
I live about five miles from a nuclear power plant. Every other year they do an "Open house", to their visitor center not the actual plant. In the Visitor center is their training center. It's essentially an exact replica of the control center for the plant except it doesn't actually control anything.
While I was walking thru the place I noticed that essentially everything was mechanical. 10-15 way mechanical switches, a bunch of them, mechanical gages, readouts etc etc. I asked why they haven't updated anything to say, 1990. His response was "We haven't found anything that can't be hacked". Pretty hard to hack a mechanical switch or a piece of paper
- Frederick_Law
- Posts: 1947
- Joined: Mon Mar 08, 2021 1:09 pm
- Location: Toronto
- x 1638
- x 1470
Re: Passwords
Yes, and pretty hard to shut it down when the switch and paper is beside the core .....
- jcapriotti
- Posts: 1868
- Joined: Wed Mar 10, 2021 6:39 pm
- Location: The south
- x 1211
- x 1998
Re: Passwords
Had a guy here who used to write his passwords down in a notebook to all his sites and our internal systems. But he was a little paranoid about his security so he would list several potential passwords, there may have even been some personal memory encryption scheme involved as well (He wouldn't tell). Anyway, we had to keep resetting his password to various systems because he kept forgetting what password he used.
Jason
- mike miller
- Posts: 878
- Joined: Fri Mar 12, 2021 3:38 pm
- Location: Michigan
- x 1070
- x 1231
- Contact:
Re: Passwords
The worst ones are the guys with a sticky note hanging off the monitor and all the rest of the passwords under "P" in the Rolodex.jcapriotti wrote: ↑Thu May 20, 2021 4:40 pm Had a guy here who used to write his passwords down in a notebook to all his sites and our internal systems. But he was a little paranoid about his security so he would list several potential passwords, there may have even been some personal memory encryption scheme involved as well (He wouldn't tell). Anyway, we had to keep resetting his password to various systems because he kept forgetting what password he used.
He that finds his life will lose it, and he who loses his life for [Christ's] sake will find it. Matt. 10:39
Re: Passwords
I had come across someone who write their password in a notebook, but with a Caesar cipher/shift.
He used a fixed number (according to him it is his favorite number) for shifting all his password...
It sound good in paper, no one can really guess his password even he leave the notebook with his password on his desk...
Until one day the notebook is lost
He used a fixed number (according to him it is his favorite number) for shifting all his password...
It sound good in paper, no one can really guess his password even he leave the notebook with his password on his desk...
Until one day the notebook is lost
Far too many items in the world are designed, constructed and foisted upon us with no understanding-or even care-for how we will use them.