Passwords

For things you would put in a kitty dump.
MJuric
Posts: 1070
Joined: Mon Mar 08, 2021 3:21 pm
Answers: 1
x 31
x 874

Passwords

Unread post by MJuric »

Can someone with more experience with this than I explain something to me.

I just got a notice from our ERP/MRP whatever company that "We are excited to announce an update to our password security....." Blah Blah Blah. They made it case sensitive.

Everywhere I go I get some twisted version of "More secure" passwords, special characters, caps, numbers etc etc etc.

I'm trying to figure out why any of this matters.

To me and my feeble understanding you have only a few ways to "HAck" based on beating the password. Brute force, which is essentially trying every possible combination and "Guessing" or some combination of the two.

Unless the hacker has some insight into the person they are attempting to hack then guessing really has no impact as far as I can see.

Outside of that brute force essentially has to assume that any character can be in any position. The only way this is not true is if somehow they figured out that the password is somehow limited to only a certain set of characters....which seems like a stupid idea for a password.

So assuming I'm not horribly wrong about the above for some reason wouldn't the only factor that mattered for the majority of cases is the number of characters? Two characters are twice as difficult to crack as one character, three is eight more difficult than 1 character and so on....or something like that if I did my maths right.

So assuming that a password has the possibility of containing any character, cap, no cap, number, special etc....what difference does it make if you use them? "11111111" would be as secure as "A1@#stU)" because they have the same number of characters.
User avatar
Tom G
Posts: 355
Joined: Tue Mar 09, 2021 9:26 am
Answers: 0
Location: Philadelphia, PA area
x 989
x 466

Re: Passwords

Unread post by Tom G »

As you say, https://xkcd.com/936/

I strongly believe that passwords are obsolete, and improving them does not greatly improve your security. The notice you received is security marketing, merely security theatre to make them look good, maybe make you feel better, but it is only polishing a turd.

Two Factor Authentication (2FA) is ideal, and fairly simple. Security Keys like Yubico are a handy authenticator also. Microsoft reports that 99.9% of breached accounts did not have 2FA active. That is, nothing is absolutely assured, but 2FA is tremendously more effective security than passwords alone.
User avatar
Jaylin Hochstetler
Posts: 387
Joined: Sat Mar 13, 2021 8:47 pm
Answers: 4
Location: Michigan
x 380
x 355
Contact:

Re: Passwords

Unread post by Jaylin Hochstetler »

But..
The Brute Force software will try 1111111 then 11111112 then 11111113 and so forth (I believe). Which makes it easy to crack...
Edit: Or rather it will try the easy ones first.

BTW I use LastPass to manage my passwords. It is an awesome software (actually it's an extension for your browser). It will generate pws for you, it can store pws, credit cards, banking info, and a bunch of other stuff, plus your data can be backed up. And it will autofill the info for you!!

I use Authy for 2FA.
A goal is only a wish until backed by a plan.
Merovingien

Re: Passwords

Unread post by Merovingien »

imagine a password XXX :

with 3 numbers, possibilities = 10 x 10 x 10 = 1 000

with 3 letters = 27 x 27 x 27 = 19 683

3 numbers or letters = 37 x 37 x 37 = 50 653

3 numbers, letters, caps = 64 x 64 x 64 = 262 144

3 numbers, letters, caps, symbols (about 10, i don't really know) = 74 x 74 x 74 = 405 224

if a password "can be with "numbers, letters, caps, symbols"
at the begining, user had the full choice, but as being lazy, choose for example : 1111111
so, a hacker know the majority of users are lazy, and will only use numbers,
so hacker can adapt his to do less work by searching only with numbers...

forcing the user to put numbers and letter, increase the safety,
forcing the user to put numbers, letters, caps, symbols, increase the safety
User avatar
mike miller
Posts: 878
Joined: Fri Mar 12, 2021 3:38 pm
Answers: 7
Location: Michigan
x 1070
x 1231
Contact:

Re: Passwords

Unread post by mike miller »

Where r is reward, e is effort, and p is probability of an attack (or relative juiciness of morsel).

r/e=p

To illustrate, which is more likely:
-a hacker in Pakistan cracks my password for this forum account.
-a team of hackers breaks into My Small-town Bank's servers and steals everyone's card numbers.

That's why I don't worry about 2FA for small fry accounts....but banking.....that's another story.
He that finds his life will lose it, and he who loses his life for [Christ's] sake will find it. Matt. 10:39
Merovingien

Re: Passwords

Unread post by Merovingien »

i agree,
2FA should not be standard for everywhere,
not for small things...
MJuric
Posts: 1070
Joined: Mon Mar 08, 2021 3:21 pm
Answers: 1
x 31
x 874

Re: Passwords

Unread post by MJuric »

Merovingien wrote: Tue May 11, 2021 11:13 am
forcing the user to put numbers, letters, caps, symbols, increase the safety
I think what you're saying here is that the "Guessing" factor becomes an issue because of human nature. IE hackers know that people are lazy and thus unless they are forced to use a password that is not ridiculously obvious they will use them and the hackers know it.

That's a valid point.
MJuric
Posts: 1070
Joined: Mon Mar 08, 2021 3:21 pm
Answers: 1
x 31
x 874

Re: Passwords

Unread post by MJuric »

Jaylin Hochstetler wrote: Tue May 11, 2021 11:12 am BTW I use LastPass to manage my passwords. It is an awesome software (actually it's an extension for your browser). It will generate pws for you, it can store pws, credit cards, banking info, and a bunch of other stuff, plus your data can be backed up. And it will autofill the info for you!!

I use Authy for 2FA.
I have my own method for "Randomly" generating passwords. I apply that formula to all my passwords. So if someone figured out the formula then they would have access to all my accounts, which is probably bad. That being said certain websites that require some oddball criteria that does not fit my formula end up making me add/subtract something and then I can't remember what was changed. :evil:
User avatar
Tom G
Posts: 355
Joined: Tue Mar 09, 2021 9:26 am
Answers: 0
Location: Philadelphia, PA area
x 989
x 466

Re: Passwords

Unread post by Tom G »

Every year, the most used passwords are publicized and ranked. These are the first 100 or so attempts within a brute force attack, followed by factory-default passwords. Human nature has been analyzed, and leveraged against humans by humans.
User avatar
zwei
Posts: 701
Joined: Mon Mar 15, 2021 9:17 pm
Answers: 18
Location: Malaysia
x 185
x 600

Re: Passwords

Unread post by zwei »

A lot of time they are:
→ Min 12 characters
→ Include special characters
→ Include Upper case
→ Include Lower case
→ Include Number
→ Change your password every X months

Ironically, when it come to changing password, a lot of user either just replace 1 character or just add a character...
A lot of time they are even using the same password for multiple account...
Far too many items in the world are designed, constructed and foisted upon us with no understanding-or even care-for how we will use them.
User avatar
Glenn Schroeder
Posts: 1521
Joined: Mon Mar 08, 2021 11:43 am
Answers: 23
Location: southeast Texas
x 1759
x 2130

Re: Passwords

Unread post by Glenn Schroeder »

I'm always annoyed with sites that don't have sensitive information, where no one would bother to hack and I wouldn't care if they did, but they still require complex passwords.
"On the days when I keep my gratitude higher than my expectations, well, I have really good days."

Ray Wylie Hubbard in his song "Mother Blues"
User avatar
Tom G
Posts: 355
Joined: Tue Mar 09, 2021 9:26 am
Answers: 0
Location: Philadelphia, PA area
x 989
x 466

Re: Passwords

Unread post by Tom G »

Zhen-Wei Tee wrote: Tue May 11, 2021 12:07 pm A lot of time they are even using the same password for multiple account...
One breach reveals the password, and it affects far more than that resource.

You can find out if your email is included within disclosed breaches at https://haveibeenpwned.com/ which is run by Troy Hunt, a respected security researcher. Results include, per breach, what information was captured and appropriate recommendations.
User avatar
AlexLachance
Posts: 2184
Joined: Thu Mar 11, 2021 8:14 am
Answers: 17
Location: Quebec
x 2364
x 2013

Re: Passwords

Unread post by AlexLachance »

I can answer about the brute forcing a bit.

I used to play Starcraft when I was a teenager and people would steal accounts on there by brute forcing passwords because generally they were all very fairly simple.

Depending on the way it is done, the brute force will try different word combinations, until it reaches it's "word limit combiniaton" and then it starts trying letters by letters and so on.

So the more possibilities per character, the more complex it becomes to brute-force something. The more characters, the more complexity it adds, because it's exponential.

There are some people who are really good at it and can break down passwords rather easily, but the rather "general" brute force method is as I described it. It could take a solid 24 hours to brute force an 8 character password and back then symbols were not allowed and there was no distinction between capitalization.
MJuric
Posts: 1070
Joined: Mon Mar 08, 2021 3:21 pm
Answers: 1
x 31
x 874

Re: Passwords

Unread post by MJuric »

AlexLachance wrote: Tue May 11, 2021 2:00 pm I used to play Starcraft when I was a teenager and people would steal accounts on there by brute forcing passwords because generally they were all very fairly simple.
I had already started my business when Starcraft came out. Me and a couple of my employees would play Starcraft after work regularly. Friday was often Pizza, Beer and Starcraft night at the office UU

Unreal Tournament and other FPS games were also regularly on rotation.
User avatar
Frederick_Law
Posts: 1947
Joined: Mon Mar 08, 2021 1:09 pm
Answers: 8
Location: Toronto
x 1638
x 1470

Re: Passwords

Unread post by Frederick_Law »

One way to brute force is use words in dictionary.
Another thing is people reuse passwords in different accounts.

If you hack a bank database, you'll need to decrypt all the info. The bank, police, FBI, CIA will be after you.
If you found someone's password, you could have everything they got. And they can't do anything because you took everything. They can't even hire a lawyer.

I use a password manager now. So I don't even know most of my passwords.
User avatar
matt
Posts: 1589
Joined: Mon Mar 08, 2021 11:34 am
Answers: 19
Location: Virginia
x 1219
x 2371
Contact:

Re: Passwords

Unread post by matt »

Hackers also get lists of popular passwords from past hacks, and from news reports. From there it's just a matter of statistics and probability to get hits on some of those. In fact, I get hack attempts every day on my blog for user names that don't exist. There really are people who don't have anything else to do but mess around like this. Even if they got in, there's nothing of value, but they get bots to do the big work, and it doesn't matter if 99.9% or more of their time is completely wasted. They just need one big hit.
Merovingien

Re: Passwords

Unread post by Merovingien »

but some websites have a limitation to "failure password" after 3 attempts.
so bots can't test their infinite combination during hours.

i prefer not used a software or an external site to create-manage passwords for me.
And hackers can get interest of hacking them, because they centralized passwords.

i prefer manage passwords myself, with a paper.
MJuric
Posts: 1070
Joined: Mon Mar 08, 2021 3:21 pm
Answers: 1
x 31
x 874

Re: Passwords

Unread post by MJuric »

Merovingien wrote: Wed May 12, 2021 6:30 am i prefer manage passwords myself, with a paper.
I live about five miles from a nuclear power plant. Every other year they do an "Open house", to their visitor center not the actual plant. In the Visitor center is their training center. It's essentially an exact replica of the control center for the plant except it doesn't actually control anything.

While I was walking thru the place I noticed that essentially everything was mechanical. 10-15 way mechanical switches, a bunch of them, mechanical gages, readouts etc etc. I asked why they haven't updated anything to say, 1990. His response was "We haven't found anything that can't be hacked". Pretty hard to hack a mechanical switch or a piece of paper :D
User avatar
Frederick_Law
Posts: 1947
Joined: Mon Mar 08, 2021 1:09 pm
Answers: 8
Location: Toronto
x 1638
x 1470

Re: Passwords

Unread post by Frederick_Law »

Yes, and pretty hard to shut it down when the switch and paper is beside the core .....
User avatar
jcapriotti
Posts: 1868
Joined: Wed Mar 10, 2021 6:39 pm
Answers: 30
Location: The south
x 1211
x 1998

Re: Passwords

Unread post by jcapriotti »

Had a guy here who used to write his passwords down in a notebook to all his sites and our internal systems. But he was a little paranoid about his security so he would list several potential passwords, there may have even been some personal memory encryption scheme involved as well (He wouldn't tell). Anyway, we had to keep resetting his password to various systems because he kept forgetting what password he used.
Jason
User avatar
mike miller
Posts: 878
Joined: Fri Mar 12, 2021 3:38 pm
Answers: 7
Location: Michigan
x 1070
x 1231
Contact:

Re: Passwords

Unread post by mike miller »

jcapriotti wrote: Thu May 20, 2021 4:40 pm Had a guy here who used to write his passwords down in a notebook to all his sites and our internal systems. But he was a little paranoid about his security so he would list several potential passwords, there may have even been some personal memory encryption scheme involved as well (He wouldn't tell). Anyway, we had to keep resetting his password to various systems because he kept forgetting what password he used.
The worst ones are the guys with a sticky note hanging off the monitor and all the rest of the passwords under "P" in the Rolodex. <()>
He that finds his life will lose it, and he who loses his life for [Christ's] sake will find it. Matt. 10:39
User avatar
zwei
Posts: 701
Joined: Mon Mar 15, 2021 9:17 pm
Answers: 18
Location: Malaysia
x 185
x 600

Re: Passwords

Unread post by zwei »

I had come across someone who write their password in a notebook, but with a Caesar cipher/shift.
He used a fixed number (according to him it is his favorite number) for shifting all his password...

It sound good in paper, no one can really guess his password even he leave the notebook with his password on his desk...

Until one day the notebook is lost :?
Far too many items in the world are designed, constructed and foisted upon us with no understanding-or even care-for how we will use them.
Post Reply