Docstoc

Weak Passwords be awere

Document Sample
Weak Passwords be awere Powered By Docstoc
					                     Weak Passwords be awere


the list goes on.
   Then he’d have to be really pressed for something to do in trying to find out who he’s talking to. What’s he going to
get out of it ? Woo Hoo, he can now post as someone else in some knee jerk fan forum, or chatter box. And it only
took 4 months of constant beating at my passwords and login.
   4 different logins, 5 or more different passwords. Even if you were handed this info, you’d still have to know where
to apply it, and in what combination.

  2nd He’d have to be EXTREMELY good. I can’t even get into my places on the 1st shot. and lots of those places
only allow 5 chances [TODAY] I normally have to pull out my cheat sheet.
  And without that cheat sheet Don Quixote, you won’t get into my info any simpler than I can.
  Though the question still arises ? Why would anyone want access to someone else’s crap on the web ?

   Actually, I wouldn’t even bother with trying to guess how many guesses it’d take, since I have no idea why you’d
even want to waste that much time in the 1st place. But I would make one statement about it as it dawns on you that
while trying to guess the passwords etc.., what’s in it for you. I’d guess you’d give up as easily I do or faster, when I
think to myself do I really want to go look for the cheat sheet ? What is so important that I need to access this crap
now ?

   passwords and logins is an afterthought by many sites. It all started to stop kiddies that thought it’d be neat since
they have semi anonymity [Total anonymity in their head] to post graffiti, and other obscenities on public forums.
They started adding logins & passwords to know who was posting the crap.
   To me that was a bad move. I have a delete key, a 97% accurate spam filter, and a page down key.
   It’s like this if you ignore them, they eventually lose interest and move on to someone they can get a rise of.
   This one, my mistake I replied.
   But then I feel just fine in pointing out stupidity even if it is just a spammer in a fantasy world.

  You want logins, and passwords ? Offer a web site with gold half price today only, don’t date it. initiate a login with
password, and collect them.
  you now have a list of logins and passwords with isp’s.
  But here’s the monkey wrench in that plan.
  1 you better have gold for half price = fraud possibly interstate fraud, and U.S. legal enforcement doesn’t need
passwords to find you.
  2 on sites like this that I have ZIP TRUST, they get some immediately thought up login and password that I’ve never
used before, and will never use again. Stick that in your tried and true formula for guessing passwords. I could never
get back into that site without customer support.
  3 have them mail you the password info. again not going to happen. If you don’t have an account there, the only
password info would be yours.

  Any success at guessing someone’s password that you don’t know would be just luck. Any site worth visiting
doesn’t respond to brute force attacks.

  Yiou want to try brute force on something that will sit still while you pummel it with passwords for days, just
password protect a RAR file. Maybe 6 months down the road assuming the password is less than 6 characters, not
counting caps, or numbers you might find out whats in the file.
  Only place that might have any value in taking a risk like that would be a billionaires account.
  All the time spent trying to crack, you’re CONNECTED to the web. it only takes a minute to trace a phone call.
And you’re talking about months online ? Not likely.
  Plus login & password are needed not just 1 word.
change the processing time for an 8 character password from 2.4 days to 2.1 centuries.
Password Length       All Characters Only Lowercase
3 characters
4 characters
5 characters
6 characters
7 characters
8 characters
9 characters
10 characters
11 characters
12 characters
13 characters
14 characters 0.86 seconds
1.36 minutes
2.15 hours
8.51 days
2.21 years
2.10 centuries
20 millennia
1,899 millennia
180,365 millennia
17,184,705 millennia
1,627,797,068 millennia
154,640,721,434 millennia      0.02 seconds
.046 seconds
11.9 seconds
5.15 minutes
2.23 hours
2.42 days
2.07 months
4.48 years
1.16 centuries
3.03 millennia
78.7 millennia
2,046 millennia

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If
Google put their computer to work on it they’d finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make
your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just
protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about
using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

  Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ’0', or even better an
‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
  Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME!
Every name plus every word in the dictionary will fail under a simple brute force attack.
   Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
   You really need to have different username / password combinations for everything. Remember, the technique is to
break into anything you access just to figure out your standard password, then compromise everything else. This
doesn’t work if you don’t use the same password everywhere.
   Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will
store all of your passwords in an encrypted format and allow you to use just one master password to access all of
them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your
password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate
their web site here is the direct download link.
   Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an
iPhone application so you can take them with you too.
   Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Tutorial. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example,
some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.”
Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into
the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying
about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is
save behind a router or firewall device. Of course, they’ve never bothered to change the default password on that
device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try
passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust
me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak
passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson.
But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know
that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.
Filed Under: Computing, Security Tagged With: Bank-of-America, Banking, Computing, Crime, Digg, Hacking,
Passwords, Popular, Security, Smith-Barney
Comments

  Marco Barulli says:
  March 26, 2007

  Hi,
  your advice to make strong passwords is certainly appropriate and useful. But it’s still better to never re-
use the same password for multiple sites and devices.

  And if you are going to use multiple strong and complex passwords you definitely need a password manager.

  (I know, I’m a tad biased since I’m the co-founder of Clipperz , an online password manager Ã
¢â‚¬Â¦)

  With Clipperz you can do much more than simply storing your passwords
  - direct login to online services
  - offline version
  - bookmarklet for quick data entering
  - …

  Give it a try and let me know your impressions.
  http://www.clipperz.com

  Thanks,
  Marco
  Reply
  The Man says:
  March 26, 2007

  Marco,

  First of all, I applaud your concept. Anything that can be done to give people a simple secure alternative to having
weak passwords is a good thing.

   I read quite a bit of your information on the site and also established an account. If I understand correctly, the site is
in open Beta currently and requires FireFox.

  I’ve got a few other comments, but they would probably be more appropriate on your discussion board rather than
here, so I’ll leave them on your site.

  Thanks,

  John
  Reply
  Tara says:
  March 26, 2007

   There are various Online Password Managers out there. Like Marco, I’m pushing my own service, but in the end,
it’s best if you shop around, try out a few that inspire you and start using it.

  I wrote a similar (though much more simplified) post on our blog:
  http://passpack.wordpress.com/2007/01/19/why-you-must-use-a-password-manager/

  Good article. Glad to see people being proactive. Cheers to you,
  Tara
  Reply
  The Man says:
  March 26, 2007

  Tara,

  First of all, thanks for stopping by and sharing.

   The article you referenced is fantastic. I also like your articles about trust and the comparison between online and
offline products.

  On a technical note, I appreciate that your resulting code validates, but your site isn’t accessible to browsers with
Javascript disabled. They only get a completely blank page.
  I know quite a few people who typically leave scripting support off in their browser for security purposes and then
only enable it on an as needed basis. So, if you don’t mind the recommendation, I would suggest finding a way to
present a landing page for users without scripting enabled to let them at least know to turn it on.

  Thanks again,

  John
  Reply
  Pentium4Borg says:
  March 26, 2007

  Isn’t another of the most commonly used passwords “password1?? I remember reading that somewhere. :-)
  Reply
  MiGs says:
  March 28, 2007

  Nice!

  I use the same passwords for sites or accounts that are not that important. But i maintain different passwords for
important ones. So that you won’t be able to forget them or have a hard time remembering, just add a number or
another character at the beginning or end of your passwords. =>

  MiGs
  migs.wordpress.com
  Reply
  myself says:
  March 28, 2007

  Great article, and great advise. Congratulations and thank you.
  Reply
  Tommy says:
  March 28, 2007

  Caution on Man in the Middle attacks
  Reply
  Chris says:
  March 28, 2007

  Mmm… too long… here the best way:
  1) Go near the person you want to hack the password and wait for he or she to check his or her e-mail.
  2) Take your mobile and do a video of he or she tiping the password.
  3) Convert the video in .mpg format (usually nokia video are .3pg).
  4) Drag the video in Windows Movie Maker and see it slowly.
  5) It’s hard, I know, but not too much. I found 2 password in this way.

  Chris :-)
  Reply
  zero mostel says:
  March 28, 2007

  pure fantasy.
  to use any of that info, he’d need more than some anonymous name found in an email with an isp link.

  ie: who’s he talking to ? If he doesn’t know that he sure doesn’t know any family names, dates, pets, birthdays etc..
the list goes on.
   Then he’d have to be really pressed for something to do in trying to find out who he’s talking to. What’s he going to
get out of it ? Woo Hoo, he can now post as someone else in some knee jerk fan forum, or chatter box. And it only
took 4 months of constant beating at my passwords and login.
   4 different logins, 5 or more different passwords. Even if you were handed this info, you’d still have to know where
to apply it, and in what combination.

  2nd He’d have to be EXTREMELY good. I can’t even get into my places on the 1st shot. and lots of those places
only allow 5 chances [TODAY] I normally have to pull out my cheat sheet.
  And without that cheat sheet Don Quixote, you won’t get into my info any simpler than I can.
  Though the question still arises ? Why would anyone want access to someone else’s crap on the web ?

   Actually, I wouldn’t even bother with trying to guess how many guesses it’d take, since I have no idea why you’d
even want to waste that much time in the 1st place. But I would make one statement about it as it dawns on you that
while trying to guess the passwords etc.., what’s in it for you. I’d guess you’d give up as easily I do or faster, when I
think to myself do I really want to go look for the cheat sheet ? What is so important that I need to access this crap
now ?

   passwords and logins is an afterthought by many sites. It all started to stop kiddies that thought it’d be neat since
they have semi anonymity [Total anonymity in their head] to post graffiti, and other obscenities on public forums.
They started adding logins & passwords to know who was posting the crap.
   To me that was a bad move. I have a delete key, a 97% accurate spam filter, and a page down key.
   It’s like this if you ignore them, they eventually lose interest and move on to someone they can get a rise of.
   This one, my mistake I replied.
   But then I feel just fine in pointing out stupidity even if it is just a spammer in a fantasy world.

  You want logins, and passwords ? Offer a web site with gold half price today only, don’t date it. initiate a login with
password, and collect them.
  you now have a list of logins and passwords with isp’s.
  But here’s the monkey wrench in that plan.
  1 you better have gold for half price = fraud possibly interstate fraud, and U.S. legal enforcement doesn’t need
passwords to find you.
  2 on sites like this that I have ZIP TRUST, they get some immediately thought up login and password that I’ve never
used before, and will never use again. Stick that in your tried and true formula for guessing passwords. I could never
get back into that site without customer support.
  3 have them mail you the password info. again not going to happen. If you don’t have an account there, the only
password info would be yours.

  Any success at guessing someone’s password that you don’t know would be just luck. Any site worth visiting
doesn’t respond to brute force attacks.

  Yiou want to try brute force on something that will sit still while you pummel it with passwords for days, just
password protect a RAR file. Maybe 6 months down the road assuming the password is less than 6 characters, not
counting caps, or numbers you might find out whats in the file.
  Only place that might have any value in taking a risk like that would be a billionaires account.
  All the time spent trying to crack, you’re CONNECTED to the web. it only takes a minute to trace a phone call.
And you’re talking about months online ? Not likely.
  Plus login & password are needed not just 1 word.

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:12
posted:8/4/2012
language:English
pages:6