
Password security

03-05-2007, 10:15 PM
#1
Village Genius

Password security

I gave this to the leader of a clan I was in due to some hackings, so I decided to post this here as well.

Here is a piece of a book I've been reading.


Users choose bad passwords. It's part of human nature. Numerous studies have confirmed that if they are allowed to, most users will create a password guessed in short order.

A dictionary attack is an automated attack against an authentication system. The cracker commonly uses a list of potential passwords (say all two-word combinations of words in the English language) and tries to log in to a given user account with each in succession. This sort of attack does not work with random passwords, but is incredibly effective against accounts where users choose dictionary passwords. Ironically, a tuned system makes a dictionary attack even easier for the cracker. I was astounded at an old job to learn that a cracker can launch an attack trying over 100 passwords per SECOND. At that rate he could empty a 50,000 word dictionary in under 10 min.

This was from a book called Advanced PHP Programming by George Schlossnagle; they were talking about secure login systems.

I know from personal (test) experiences (ALL done by me on my accounts) that you can launch an attack much faster when you are cracking a computer based program. An intermediate C++ programmer can make a bare bones password cracker. I didn't care about strong password security till I learned a bit about it; my old passwords were all words and possibly numbers after them, mostly in a sequence. How does one get a secure password? Use a random number generator such as the one here http://www.pctools.com/guides/password/ . All my passwords are 10 chars or more, mixed case alphanumeric passwords; passwords for things like my bank account are more. I have never been hacked under those. Where to store them? If you have a PDA/cell that will do good, but if you are like me and don't, you should store them in an encrypted text file in your docs (to encrypt, right click on the file -> Properties -> Advanced -> check "Encrypt contents to secure data"). You will be able to read it in your account, but other accounts on the computer can't read it. As long as you have a firewall don't worry about being hacked for that password on your computer. This will make your passwords as close to uncrackable as you will be able to get them. I encourage anyone with mod/admin access to anything to implement this strategy.
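The two weaknesses this post describes (words with digits tacked on, and two-word combinations that a dictionary attack enumerates) and the "100 guesses per second" figure from the book can be turned into a simple password-policy check. The following is an added example, not code from the book or from any poster; the word list is a constructed toy subset standing in for a real cracking dictionary, and the 100 guesses/second default is the rate the quoted passage mentions. It classifies a candidate password as dictionary-weak or not and estimates the worst-case brute-force time for its character set and length.

```python
import math
import string
from typing import Dict, Set

# Constructed sample word list standing in for a cracking dictionary
# (the thread mentions ~50,000-word dictionaries; this is a toy subset).
SAMPLE_WORDS: Set[str] = {
    "password", "secret", "dragon", "monkey", "denver", "letmein",
    "cat", "dog", "blue", "house", "summer", "admin",
}


def charset_size(pw: str) -> int:
    """Size of the smallest obvious alphabet an attacker would have to
    brute-force: the sum of the character classes actually present."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_seconds(pw: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust every string of this alphabet and length."""
    return charset_size(pw) ** len(pw) / guesses_per_second


def dictionary_weak(pw: str, words: Set[str]) -> bool:
    """True if pw is what a dictionary attack catches: a word, a word with
    trailing digits, or two dictionary words glued together."""
    core = pw.lower().rstrip(string.digits)
    if core in words:
        return True
    # Two-word combinations, as in the quoted book passage.
    for i in range(1, len(core)):
        if core[:i] in words and core[i:] in words:
            return True
    return False


def assess(pw: str, words: Set[str] = SAMPLE_WORDS,
           guesses_per_second: float = 100.0) -> Dict[str, object]:
    """Summarise a password's strength in the thread's own terms."""
    size = charset_size(pw)
    seconds = brute_force_seconds(pw, guesses_per_second)
    return {
        "dictionary_weak": dictionary_weak(pw, words),
        "charset_size": size,
        "bits_of_keyspace": round(math.log2(size) * len(pw), 1) if size else 0.0,
        "brute_force_years": seconds / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    for candidate in ("password1", "catdog", "Xk7qLp2wTz"):
        print(candidate, assess(candidate))
```

A dictionary-weak password falls in minutes regardless of its brute-force estimate, which is why the check reports both: the keyspace figure only matters once the password is not in any wordlist.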

03-05-2007, 10:48 PM
#2
sketchie


Quote (Village Genius): Where to store them? If you have a PDA/cell that will do good, but if you are like me and don't, you should store them in an encrypted text file in your docs (to encrypt, right click on the file -> Properties -> Advanced -> check "Encrypt contents to secure data")

If you're going to go on about security, one of the first rules to remember is don't write down your information such as passwords.

I even have several different complex passwords for different things - and I find it easy to remember them all, most probably out of habit, so there's no reason that people can't remember just one, unless you have short term memory loss :P.


Quote (Village Genius): All my passwords are 10 chars or more, mixed case alphanumeric passwords; passwords for things like my bank account are more.

Don't forget most websites/programs will accept symbols too, such as [*(~ etc.

03-05-2007, 11:41 PM
#3
Village Genius


Quote (sketchie): If you're going to go on about security, one of the first rules to remember is don't write down your information such as passwords.

I even have several different complex passwords for different things - and I find it easy to remember them all, most probably out of habit, so there's no reason that people can't remember just one, unless you have short term memory loss :P.

Just the letters, yes, but mixed case makes it too hard for me to do.

03-06-2007, 01:05 AM
#4
DJAC

I'm currently taking a security course at my University and we have been given Linux boxes to install services onto and then secure. One of our tasks is to create a couple dummy accounts with simple passwords and then we will attempt to crack the passwords by using a simple brute force attack.

The attack is as simple as combining a small piece of software and a dictionary which comes with the Linux distribution.

Lots of security is common sense, so if you use simple, insecure passwords, you should change them. And yeah, don't store them on your machine. If someone hacks your machine, then they get your bank/etc passwords? Not good!

03-06-2007, 01:26 AM
#5
Village Genius

I might add, don't put where the pass goes to in the file; my passwords aren't in my docs, and they are not a text format. Even in the abstract chance that someone finds it, they won't know that it goes to an account here, or what the username is for that matter.

Until I see a better solution to storing it (securely) on your comp, I'm gonna continue doing it.

03-06-2007, 07:09 AM
#6
Julian

My passwords are stored in my head; they are random 8-10 character alphanumeric ones. I have a system for the passwords I have to change regularly at work (every 6 weeks). They get one or two characters changed every 6 weeks.

I used to use simple words with numbers etc, but not now.

03-06-2007, 11:52 AM
#7
Sixtys

I use this program; it makes passwords for you and remembers them. Most of them are like 16 chars long, e.g.:
N1b3Elo91nEz3

I'd give you the name of the program if I could remember it...

03-06-2007, 12:08 PM
#8
Jeff Andersen

I just stick to having a few key passwords and rotate the numbers within them. At work we have to change them every month so it gets a bit tedious; however, when your passwords are like >\1nt5o and you're rotating the 1 and the 5, it's not so bad.

03-06-2007, 12:44 PM
#9
Impluo

I think it's funny when people create these "hard" passwords but then for their secret question they just use some random piece of personal information. Something that isn't too personal, and their friends would probably know the answer if they ever bothered to look into the secret question on their friend's account.

I used to play a game with scammers back when I played the game Diablo II. If I saw a scammer trying to trick people and steal others' accounts (and there was no shortage of them; they were all over that game), I'd start talking to the scammer. I'd eventually have them give me their email address, and then if it was an MSN or Hotmail email address I'd open up Hotmail and hit forgot password. If that person chose to reset the password by secret question I'd click that link to see what the secret question was.

I'd search Google for that email address and see if it brought up any results (forums, personal pages, etc.). People put too much personal information online.

If their question had to do with their mother/father I wouldn't bother asking them about it; if their secret was favorite color I could guess it without even talking to them anymore; and if it was anything like favorite movie, my dog's name, birth place, etc. I'd either find it on pages I found with Google or I could continue talking to them and eventually extract the answer I needed without making myself look too suspicious, after gathering that information among other things such as current location. If they live in the US and they don't live in a city I'll be able to get their zip code with ease. If it is in another country that makes it easier, since I will only need the country and nothing else for location on MSN/Hotmail.

From there I'd enter the data: country, state (if the country was US), zip code (if the country was US) and the secret answer. If all the data matched I'd be able to change the password and then enter the account. If it is their main email address, most of the time it will hold old email from places they have registered such as forums, and sometimes those places like to send you an email when you register telling you the password and username you registered with.

Based on what usernames and passwords you see in that person's email you will probably see a certain topic they are interested in in the usernames and/or passwords.

If I saw keywords and then some random letters/numbers after it, I would look at the person's info they registered with: first/last name, street address, birthday, phone number. Most of the time it'd be a combination of their initials and the date of their birth tacked onto the beginning or end of their password.

If bits of that info match up in their various passwords I have a good idea how they build their passwords, in case it wasn't one of the passwords I found in their email. Then I'd log in to their D2 account, change the password and then log back onto my account. They aren't happy when they find out what it is like to lose their precious account, and they had no idea that it was me behind it the whole time.

That is just one of the many games I'd play with scammers to take away their account. I think I liked doing that more than actually playing the game.
That whole process could take anywhere from minutes up to a few days (a few days if I wanted to build a friendship with the scammer; I had better games to play when I built a friendship with the person).

03-06-2007, 12:49 PM
#10
RaZoR^

My passwords are 14+ characters, combinations of uppercase, lowercase, numeric and symbol characters. The symbol characters include the ones on the standard UK keyboard and at least 1 special symbol such as ™ or something that has to be keyed in using Alt Codes.

If you have a Windows account, you want a password 8+ characters. If your password is 7 characters or less (very odd algorithm), then your NTLM hash doesn't need to be split. If it's over 7 characters, then the hash is split into 2 parts and each part is decrypted, then the string is fixed together again. It's a strange algorithm, but that's M$ for you!!

Security-wise, don't store your passwords anywhere really. You can make a tool, too, that searches all files as raw text just as easily as you could make a dictionary-attack or brute-force attack.

For brute-force attack prevention, simply make your password longer. A brute-force goes through every combination possible; the longer your password, the more combinations it could be. For passwords that are, say, 10 characters long, it can take years upon years to brute-force a password.

If you REALLY have to store your passwords in encrypted format in a file somewhere, then salt the hash and keep a copy of the salt you used. The same rule applies to sites, although if you're salting your passwords then you also have the choice of using a randomly generated salt and storing the salt alongside the hash in the database.

Geesh Impluo, you little social engineer!! Yeah, you must also remember that if you have a password which can be recovered by entering your personal data and/or a secret question, then you need to keep the answer secure, even unrelated; maybe enter fake data (remembering what you entered somehow) or use a different password for the email account that the new password or the recovered password will be sent to.
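The site-side pattern from the post above (a randomly generated salt stored alongside the hash in the database, so that two users with the same password get different records and a precomputed dictionary of hashes is useless) looks like this in practice. This is an added example written for this thread, not code from any poster; it uses PBKDF2-HMAC-SHA256 from the Python standard library as the hash, a 16-byte random salt, and a `pbkdf2_sha256$iterations$salt$digest` record format that is an assumption of this example rather than any particular site's scheme. The iteration count is a constructed work factor; a production deployment would tune it.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed work factor for this example; real deployments tune this upward.
ITERATIONS = 100_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt and digest.
    A fresh random salt is generated unless one is supplied (supplying one is
    only useful for deterministic tests)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the
    record and compare in constant time. Malformed records never verify."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for the user table: username -> stored record.
USER_TABLE: Dict[str, str] = {}


def register(username: str, password: str) -> str:
    """Store only the salted hash; the plaintext is never written anywhere."""
    USER_TABLE[username] = hash_password(password)
    return USER_TABLE[username]


def login(username: str, password: str) -> bool:
    record = USER_TABLE.get(username)
    return record is not None and verify_password(password, record)


if __name__ == "__main__":
    # Two users choosing the same password still get different records.
    print(register("alice", "summer2007"))
    print(register("bob", "summer2007"))
    print(login("alice", "summer2007"), login("bob", "wrong"))
```

Because the salt is random per user, an attacker who obtains the table cannot test one guess against every row at once and cannot reuse a precomputed hash list; each guess costs the full iteration count per user. Note that a hash is one-way: this pattern lets a site check a password, but it cannot give the password back, so it is a verification scheme for sites rather than a way to retrieve passwords from a personal file.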
