Two million TERRIBLE PASSWORDS stolen by malware attackers

Researchers have uncovered a massive cache of stolen account credentials which could impact some two million users. Security firm Trustwave said that its SpiderLabs reconnaissance team has detected a malware operation which has been able to pilfer account credentials on infected machines and build an archive of lifted …

COMMENTS

This topic is closed for new posts.
  1. Paul 87

    All I can say is this...

    http://xkcd.com/936/

    Randomness != secure

    Length and non-biometric information is far more secure in the long run, and easier to remember

    1. AbortRetryFail

      Re: All I can say is this...

      I didn't even need to follow that link to know which one it was. :oD

      1. Adam 1

        Re: All I can say is this...

        I thought you may have been posting this one for a tick

        http://xkcd.com/221/

    2. Brian Miller

      Re: All I can say is this...

      And watch that long password fall to a dictionary attack. Ars Technica: “thereisnofatebutwhatwemake”—Turbo-charged cracking comes to long passwords, and How the Bible and YouTube are fueling the next frontier of password cracking. 1000 guesses per second is stupidly slow. Try 30 billion per second!

      1. Kiwi
        Linux

        Re: All I can say is this...

        1000 guesses per second is stupidly slow. Try 30 billion per second!

        And how many websites let you enter that many guesses a second, or even a year?

        If they have the password file, they have your password. Reading the articles you linked (thanks!), no matter how stupidly complex your password is you're screwed. It's a matter of time and like the article says, some passwords fell very quickly but others took a while. Once the software/techniques and of course source lists were enhanced, those harder passwords were cracked.

        1. gubbool

          Re: All I can say is this...

          Read the article found on the following link to understand how passwords are cracked. It's not one user password at a time. User passwords are stored within an encrypted hash. Steal the hash and test words against it until you get matches.

          Easy passwords are quickly solved; repeat test with a better algorithm for more passwords; repeat again until the return (resolved passwords) on investment (time) is no longer worth the effort.

          Then log into the site with username and cracked password.

          http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

          Various nuances are discussed within the article.

    3. Psyx
      Facepalm

      Re: All I can say is this...

      They won't hack my accounts: All my passwords are set to 1oD45f$tmk@@a%fd!

      Totally secure, eh?

  2. Don Jefe

    So I was in a retail store the other day and something was amiss with the register. The cashier called for her manager who came over to diagnose the problem. With me standing right there the manager said 'Push the Mgr Override button. Enter my employee ID (she spoke it aloud) then enter my password (again aloud) 1234567 and delete the transaction'.

    This was at a gigantic retail store with huge amounts of cash in each till and here's the manager not only blabbing her override information to another employee, but also to customers and the password is 1234567.

    Since I have no intention of getting done up for stealing from a retail store this information is useless to me. But it may not be useless to the employee or to their friends. Plus it's just epically stupid. Billions a year in revenue and even basic security isn't in place. I really don't have much confidence it's in place elsewhere either.

    1. auburnman

      In Retail terms that's an incredibly strong password. In my student days with a job at the local [Office Supplies Chain - name Redacted] the manager's password was 1. The deputy manager's was 2.

  3. Robert E A Harvey

    Sick and tired of remembering hundreds of passwords

    1960s technology belongs in the 1960s.

    It really is about time we had a better way of proving who we are.

    1. AbortRetryFail

      Re: Sick and tired of remembering hundreds of passwords

      You only need to remember one password: the master password to a vault such as KeePass.

      Quite why, in this day and age, people continue to try to *remember* different passwords for different sites or, worse, re-use the same one with multiple sites, is beyond me. I can only conclude it's ignorance and/or laziness.

      (Edit: And yet these same people are happy to use a contacts list in their phone and email, rather than remembering phone numbers and email addresses)

      1. Cripes Chief!

        Re: Sick and tired of remembering hundreds of passwords

        I was guilty of reusing a couple of passwords for multiple sites and did eventually turn to KeePass and haven't looked back since. All sites I use have a minimum 20 character password automatically generated when I create an entry.

        The only downside is I keep my database on an encrypted USB (backed up in my own cloud at home) so have to sort that out before I can access them and the auto type is a bit flaky on quite a few sites. Apart from that it's bloody marvellous.

    2. Anonymous Coward

      Re: Sick and tired of remembering hundreds of passwords

      KeePass is oldschool. Try this instead: http://www.amazon.co.uk/Personal-Internet-Address-Password-Organizer/dp/1441303251

      1. Anonymous Coward

        Re: Sick and tired of remembering hundreds of passwords

        But, how do we know that the people who make KeePass are trustworthy?

        1. AbortRetryFail

          Re: Sick and tired of remembering hundreds of passwords

          > But, how do we know that the people who make KeePass are trustworthy?

          It's Open Source software, so the source code is there for inspection should you wish to audit it.

          Maybe the guys currently independently auditing TrueCrypt can move onto KeePass next?

          1. gubbool

            Re: Sick and tired of remembering hundreds of passwords

            There is a flaw in thinking that 'open source' means secure.

            Once upon a time, a western firm provided controllers to the then USSR for the operation of their pipeline. This was at a time the USSR could make a microprocessor from stolen technologies, but the device was 5 times the size with twice the inefficiencies in power and speed.

            The US gov't inserted a backdoor into the compiler and decompiler used to create new firmware. The resulting binary always had the backdoor and available decompilers always hid the backdoor. I think that was in 1970-ish. I am old and forget what I have done.

            1. Pascal Monett Silver badge

              Your post does not prove that open source code is not secure.

              Your post indicates that one must use a non-compromised compiler to create a program from open source code.

    3. i like crisps
      Coat

      Re: Sick and tired of remembering hundreds of passwords

      I know what you mean Mr Harvey, it's a real pain in the backside so just do what I do and write them down on a piece of paper then refer to that piece of paper when you need to. To provide an extra layer of security, you could write them down in a pad (paper one not Apple) and put the pad in your trouser pocket thus "Air-Gapping" your collection of passwords from any potential Hacker... this advice is 'No Charge' to you Sir.

      1. Amorous Cowherder
        Facepalm

        Re: Sick and tired of remembering hundreds of passwords

        No good writing 'em down, only takes a spill of coffee, coke (*) or small child needing some scrap paper and they're all gone... unless you have a strongbox in the house with a photo-copy of the written down passwords, or better still make that a fireproof safe!

        ( * My Missus did have a book of passwords and logins written down and they did get soaked from an ice-cold frosty, sugar-beverage! Luckily she dried the book out and learned her lesson, put them in an encrypted software vault! )

  4. Sanctimonious Prick

    diversifying your passwords

    Absolutely! That is one thing many people do not understand! My GF uses the same unlock code on all of her devices. And the same lame response I get whenever it's brought up, "But what if I forget one? I don't want to have to remember that many passwords." FFS!

    oops. apologies.

    1. Anonymous Coward

      Re: diversifying your passwords

      The response I often hear when questioning someone's limp choice of password is along the lines of "well what do I care if someone gets access to my facebook/twitter account?". About half are a bit more sheepish when pressed as to whether their recycling policy extends to banks, credit cards etc.

      I finally changed my GFs mind when I found her email and favourite multi use password in a list dumped after a well publicised hack.

  5. Tom Maddox Silver badge
    Devil

    The BOFH knows about bad passwords

    http://bofh.ntk.net/BOFH/0000/bastard07.php

  6. Anonymous Coward

    But what if I forget one?

    Don't worry, you can keep track of them in one of these:

    www.amazon.co.uk/Personal-Internet-Address-Password-Organizer/dp/1441303251/

    [quote]

    Are you tired of losing track of those login/usernames and passwords you create every time you visit a new Web site? Do you have sticky notes and scraps of paper scattered about your office and home computer space covered with these vital pieces of information, but never seem to be able to put your hands on them when you need them? Now you can keep important Web site addresses, usernames, and passwords in one convenient place! Introducing the Personal Internet Address & Password Organizer! This time-saving, headache-preventing little organizer features:

    Lots of space: 144 pages, including tabbed alphabetical pages

    Plenty of room for all those Web site addresses, usernames, passwords, and additional notes

    A spiral binding that allows pages to lie flat for ease of use

    Handy elastic band closure

    Pages in the back on which to record additional useful information, such as your home network configuration, software license numbers, and other notes

    Removable label and discreet cover design

    4-1/4'' wide x 5-3/4'' high

    [/quote]

    No it's not April 1st, this and several similar ones get 4*+ reviews.

    It even says "Personal Internet Address and Password Log Book" on the front (in big friendly letters as required by law).

    I've asked my local IT folks if they can supply them, given that their expertise doesn't seem to cope with anything other than Active Directory authentication from Windows XP/7 clients (and deffo no Lunix).

    1. Anonymous Coward

      Re: But what if I forget one?

      Yep, I've got one of those. I got so annoyed with remembering all the passwords I needed that I bought one.

      I knew it wasn't very secure though, so I created an encryption sheet of 987 letters with a master sheet which changes every week to give a new lead key. As long as I remember the decryption sequence it's easy.

      Oh... wait...

    2. Old Handle

      "4 used from £3.46"

      Hmm.

  7. An0n C0w4rd
    Facepalm

    Shock horror

    People who don't take basic security steps, like anti-malware and anti-virus, also tend to choose dumb passwords!

    Providers need to put basic checks into their systems to prevent such passwords in the first place. Just because 12345 is the combination for your luggage doesn't mean you should use it for your bank accounts!

    1. Sanctimonious Prick

      Just because 12345 is the combination for your luggage

      Yeah, but that's easy to remember...

      /tic

      1. Anonymous Coward

        Re: Just because 12345 is the combination for your luggage

        So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

        1. Charles 9

          Re: Just because 12345 is the combination for your luggage

          12345? That's amazing! I put the same combination on my luggage!

          But SERIOUSLY, remembering the password IS an issue just as big as having it stolen which is why it creates a second, competing barrier to passwords: you need one that's hard enough to guess but not SO hard you can't recall it. Think of it like having a ring full of keys. If time is pressing, could you retrieve the one key you need quickly enough? And if you use anything to help differentiate the keys, then someone who STEALS the keys can use those mnemonics, too. And key vaults only help if you're in known systems. What if you MUST login on a new or otherwise unknown device where the key vault can't be retrieved?

          Sometimes I wonder if we should try to develop something better than passwords because, let's face it, people's memory can be flakey, but what alternatives are out there that can tick all the boxes?

          1. DropBear

            Re: Just because 12345 is the combination for your luggage

            @Charles 9: Try this (if it ever actually starts selling, that is...): www.inputstick.com - It's meant exactly to solve inputting anything anywhere, including insecure terminals (if you trust your credentials transiting them of course).

  8. Anonymous Coward

    PostIt Note

    Top drawer

    1. Anonymous Coward

      Re: PostIt Note

      Top drawer! How obvious. I keep mine on the underside of the keyboard, no-one would ever look there!

  9. Charlie Clark Silver badge

    Swordfish

    Passwords are the problem not the solution.

    1. Anonymous Coward

      What is the solution?

      So what's the solution?

      Remembering 10-20+ strong passwords isn't easy for most people.

      I've been thinking of using one of the password vault systems but then all my credentials are in one place - what happens when they get hacked?

      Is it really so bad to write everything down? A notebook with all credentials, though instead of using a bank name you'd probably use something a little more cryptic. Stick it on the bookshelf, lock it in a box, whatever. At this point it seems far less likely that it will be compromised than using crap passwords on websites. Especially if you live alone - I suspect very few burglars will be looking for this. Seems like good risk management to me.

      Of course this only works for sites you access from home.

      Note: just had to reset password to post this as I forgot it.

      1. gazthejourno (Written by Reg staff)

        Re: What is the solution?

        There's a sideways thought - reset your password every single time you use a service, and use one of those password-generating sites to come up with a dictionary-proof password each time.

        Bit cumbersome, mind.

        1. Darryl

          Re: What is the solution?

          "reset your password every single time you use a service"

          I sort of do this with a lot of passwords. Not on purpose, but the once a year that I might log into some software company's updates page or similar, there's no way in hell that I'm going to remember what I used as a password, let alone which email address I used to sign in, so I make good use of their 'Forgot my password' button. Then I just have to try a few email addresses until it recognises one.

  10. RyokuMas
    Megaphone

    Terrible passwords...

    ... are just Darwinism moving into the cyber arena.

    And David Attenborough reckons we are no longer evolving!

  11. Anonymous Coward

    I wonder if the large financial organisation where I installed an IT system once still insists on username: security; password: security; for all its access control administration...

  12. Gordon Pryra

    "little indication that those efforts to educate users are gaining much traction"

    When the passwords are just lifted wholesale in clear text from the site you enter it at, what's the point?

    On top of that, it's a proven fact that the more complex the password the more likely it is to appear on a post-it note stuck to the screen...

    1. Intractable Potsherd

      Re: "little indication that those efforts to educate users are gaining much traction"

      Whilst I don't do it (I am fortunate in having a reasonably good memory and a technique for creating passwords), Bruce Schneier actually advocates strong passwords written down and kept in your wallet/purse. I'm not sure I agree, since money, cards and passwords all kept in one place just seems to multiply the pain if it is stolen, but using a simple substitution code (all numbers are +2, or whatever) could help.

  13. Paul Smith

    password policy

    I got so peed off with different sites requiring different policies that I came up with my own.

    I have three passwords (four if you include the ones I don't bother remembering) that I use for everything.

    I have my use-everywhere password for low value sites that won't hurt me if they are cracked (such as this one). It looks like Passw0rd (but isn't), giving me 8 characters, mixed case with a digit, to satisfy most sites.

    I have the passwords that must be changed on a regular basis such as work; it looks like Password1311 (but isn't), the digits are the year and month I last had to change it.

    I have a complex non-guessable password for bank accounts etc.

    And finally, for infrequently visited sites, I just use the "forgot my password" link and have them send me a new one when I want access.

    I am not a fan of KeePass or the likes as they are just a single point of failure. If someone hacks my hotmail account, if they take the time, they can find references to some of the other sites I access, and maybe even some of the user ids I use. They can then try to access each one individually to see if I have used the same password. If they break my KeePass account, they have full access to every site I have registered with KeePass, no need to guess. And that motivates hackers to target KeePass.

  14. gubbool
    Unhappy

    Password Scheme

    Care to know a password generating scheme that works?

    The password checker at https://howsecureismypassword.net/ says that my passwords are pretty good.

    <quote>

    It would take a desktop PC about

    501 nonillion years

    to crack your password

    </quote>

    I use an md5 hasher to create a password; I need only remember the method used to create the root word used for all sites. The md5-er will make it different and significantly more complex.

    example:

    My root word for the password for 'The Register' is two parts. A 'short secret pattern' used at all sites and several characters from the site name; i.e. 'The Register' = happyregister. The md5 hash is 589c4d4e1f9bf29a16fd66fb385ea351 and The Register likes long passwords :)

    For the few sites that don't like long passwords or require special chars, I reduce the password length until the site is happy and add the special characters as needed. For some sites, I do have to keep up with the length and special chars, but very few; and I have a simple 'tag' based on a common pattern for all such needs. Example: 589c4d4e1f9bf29a16fd66fb385ea351 plus the tag 'N!'

    So I copy & paste the md5 hash and type the tag...

    Every site has a different password because I am using the site name as part of the root password.

    I never write down a password. I use the md5 hash maker to generate it as needed.

    I am never 'without' my password because I know the pattern for the root word and this site will gladly give me the md5 hash. http://www.miraclesalad.com/webtools/md5.php

    If you can spot a flaw with my method, please point it out to me.

    1. NP-HARD

      Re: Password Scheme

      According to https://howsecureismypassword.net/

      "aaaaaaaaaaaaaaaa"

      would take 345,000 years to crack. Add another 'a', 8,000,000 years.

      Forgetability problem solved....

    2. Anonymous Coward

      Re: Password Scheme

      The flaw I see is the sheer volume of sites on the net today that require one to log in to do anything (pet peeve: those retards who won't even let you do a search or look at an attached image in a forum without a login). I don't know about you, but the sheer amount of logging in here there and everywhere every day would drive me bonkers within the week if I had to do a little MD5 dance every time I wanted to access something (and remember special tags plus password length). Same reason why retrieving some well-hidden central repository from somewhere to look them up all the time wouldn't work either.

      So I chose to prioritize instead, and thus the 80% of the various non-essential sites I log into have the same 2-3 super-short passwords recycled, which I can type in 2-3 tries. No biggie if they go titsup, really. I only bother with stronger things on those very few money-handling logins and on the main email. I'd still be quite glad to do away with passwords altogether, if only I had a better idea.

  15. Tikimon
    Angel

    Random passwords for the masses!

    I'm an IT geek for a 40-person non-profit. The usual password advice only confused my users - now which character got replaced with a number? The ones that did it couldn't remember them.

    I'm sure I did NOT invent this, but nobody seems to talk about it so here we go. Pick a sentence! Movie quotes, lines from books, everyone knows a few. Then take the first character (or pair) from each word, add punctuation at the end, capitalize the first letter. Instant long random password, easy to recall.

    Here's one you all know: "These aren't the droids you're looking for". Password becomes Tharthdryolofo! You do not have to remember the password itself, only the phrase.

    Last time I checked, no cracker dictionary included this sort of thing. Hack-resistant and user-friendly!

    1. Charles 9

      Re: Random passwords for the masses!

      Just because a dictionary attack doesn't do it NOW doesn't mean they won't add it in in the future. Much as dictionary attacks now handle chains of words to deal with "correcthorsebatterystaple", soon they'll be savvy enough to try literary initialisms such as "Iwtbot,iwtwot." Especially with help from an e-book library where the text can be extracted.

      Plus it doesn't address the main issue: too many sites, not enough memory. Now you have to know which book you pulled the password from and what line from what page. Plus what if you lose the book or someone else (within your local circle) figures out your mnemonic?
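Tikimon's sentence-initialism scheme and Charles 9's objection to it, as an added example that is not from either poster: the transform is implemented as described (first pair of letters from each word, punctuation appended, first letter capitalised), then the strength a character-level meter would report is set beside the strength once an attacker models the scheme as "known phrase times a few abbreviation rules". The phrase-pool size and the number of abbreviation variants are assumed illustrative figures, not measurements.

```python
import math


def phrase_to_password(phrase: str, chars_per_word: int = 2, suffix: str = "!") -> str:
    """Tikimon's scheme: keep the first character(s) of each word, append punctuation,
    capitalise the first letter. The user remembers the phrase, not the result."""
    words = phrase.split()
    if not words:
        raise ValueError("phrase must contain at least one word")
    password = "".join(w[:chars_per_word] for w in words) + suffix
    return password[0].upper() + password[1:]


def naive_bits(password: str) -> float:
    """What a character-level strength meter reports: length x log2(alphabet size),
    where the alphabet is the union of the character classes actually present."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),  # printable ASCII punctuation
    ]
    alphabet = sum(size for present, size in classes if present)
    return len(password) * math.log2(alphabet)


def scheme_bits(phrase_pool: int, transform_variants: int) -> float:
    """Strength once the attacker knows the scheme: the search space is the number of
    phrases worth trying times the handful of ways each phrase can be abbreviated
    (1 or 2 letters per word, with or without trailing punctuation, ...)."""
    return math.log2(phrase_pool * transform_variants)


def compare(phrase: str, phrase_pool: int = 1_000_000, transform_variants: int = 8) -> dict:
    """Return both estimates for one phrase so the gap between them is visible.
    phrase_pool and transform_variants are assumed illustrative values."""
    password = phrase_to_password(phrase)
    return {
        "password": password,
        "naive_bits": round(naive_bits(password), 1),
        "scheme_bits": round(scheme_bits(phrase_pool, transform_variants), 1),
    }


if __name__ == "__main__":
    # The quote used on the page; the expected output is the password Tikimon gives.
    print(compare("These aren't the droids you're looking for"))
```

The gap between the two numbers is Charles 9's point: the password is only as strong as the phrase is obscure, so a quote "everyone knows" buys far less than its length suggests.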

  16. Chozo

    Riddle me this..

    If your web browser has been compromised by malware and is sending the contents of login forms directly to a 'hackers' server for collection how does your having a good password policy help exactly?

    Reading between the lines of the article I'd say the Spiderlabs team merely found a script kiddie who neglected to turn off directory browsing for their rogue server. A lucky find but not unprecedented in the annals of cyber security; nevertheless it's a useful tale when it comes to "Bullshitting for Bonuses" around Christmas.

    Two million sets of login credentials is also not what I would personally describe as a 'massive' amount in this instance. At say... 2 to 4 site logins captured per infected machine and the fact it's a ridiculously simple process to infect around 1000 computers per hour, then it takes mere days of operation to collect this quantity.

  17. gubbool

    RE: 16 lower case a's

    RE: 16 lower case letter a's

    And the equivalent 16 characters from an md5 hash come in at

    23ca472302f49b3e

    63 million years

    I wonder which is found in a brute force dictionary.

  18. Maty

    dilbert

    Pointy-haired Boss: My password box just shows asterisks

    Dogbert: So make your password six asterisks

    Pointy-Haired Boss: I hope I can remember that ...

    There's the problem in a nutshell

  19. Maty

    Oh, and BTW

    If your password can't be cracked in less than a million tries it SHOULD be secure.

    If a site allows more than one login attempt every five seconds per account or a total of more than ten failed login attempts on that account, then the person who set up that website should be fired with extreme prejudice.

  20. Anonymous Coward

    Ban this LEnux malware now !

  21. Jim Wilkinson

    Use a software passbook?

    It's good policy to use a different password for everything. So you know what they all are, use a password keychain with one memorable but really strong master keyword to unlock the keychain. Yeh, I know that word is used by the fruit vendor, but there are third party cross-platform keychains which also do the job. The one I use is available for at least android and apple on both desktop and portable devices. But it doesn't excuse using a poor password in any instance. It only makes it easier to assign strong and different passwords for everything and have easy access to each of those individual passwords through a master password.
