Peccant pwners post 670,000 Pokémon punter MD5 passwords Hackers have breached some 670,000 Pokémon gamer accounts on popular fan site Pokebip. The breach hit the French site on 28 July and includes compromised usernames, email and IP addresses, website activity, and weak MD5 passwords which can be broken in seconds. The site warns that other connected social media accounts …
Except then you're vulnerable to LOCAL hacking, especially by the janitorial crew and the like. It seems you can't win. You either get hacked locally, hacked remotely, or hacked by both at the same time.
And lastly, I've known people who tried to remember things by writing down notes...only to forget the notes.
"So what do you do if you have a bad memory and no place to store a password safe?"
Then you come up with a way to store passwords. Today's internet is just too risky to not do so.
There are myriad ways and tools available to do this, so the idea that someone has "no place to store a password safe" just doesn't hold water. There are free tools like KeyPass, there are online tools like LastPass if you prefer to have someone hosting your passwords (not sufficient, IMO, but that's me).
I personally use 1Password by Agilebits, cause you can store the AES encrypted database on dropbox to sync between devices, and it supports integration with all major browsers and most platforms, so the only way I could lose my password database is if a nuclear bomb hit, at which point I probably wouldn't care.
Devise a formula that creates a unique password from the context of the account that you are using.
Then you only have to keep this formula secret, and each time you come back to the account you haven't used for a month, the password can be deduced again using a formula.
For example (simplified):
<Name of service in caps> + <common secret word> + <15 - (number of letters in name of service) >
So:
REGISTERpassword7 would be the password for The Register.
The secret word (password) would be common to all accounts.
Obviously this example only for illustration, the formula would be a bit stronger.
But I'm talking about who write notes down and forget the notes, tried "correcthorsebatterystaple" and ended up with "donkeyenginepaperclipwrong", forget their ID cards, cell phones, and house keys half the time, and one time even forgot how to spell their own surname. I suspect if they tried your solution, they'll end up forgetting the formula, the codeword, or both.
All fine advice, and pretty much what I do, but this comes back and stings you when one of the sites you use gets hacked, or forces you to change your password for some reason.
At this point you need to come up with another formula, and either go back and change your password on every other site to match, or try to remember which site uses which one.
There's never an easy answer to this.
"weak MD5 passwords which can be broken in seconds."
Not unless the hash is unsalted and the password is in a dictionary used for a pre-generated rainbow table.
Probability of generating an MD5 collision is 2^64, so even if a single password attempt could be made in a single clock cycle (unlikely), that is still 2^64 cpu core clock cycles to _probably_ (>= 50%) crack it.
If it scales well onto a GPU, with a top of the line GPU of today having 4096 cores running at around 1GHz, that is still 4.5M seconds, or about 52 days.
So the statement that it can be broken in seconds is at best misleading.
Completely disagree with your post and agree with the author's original comment.
As you quote, we're talking about weak password - which would commonly be taken to mean unsalted.
With relatively standard hardware, and using a definition of "weak" to mean a six character password made up of uppercase, lowercase, digits and symbols, we're talking under a minute to generate MD5 hashes of EVERY POSSIBLE COMBINATION. All seven character passwords can be hashed in under an hour. Take out symbols, and you can do seven characters on slightly fancier (but not OTT) hardware in under four minutes.
On specialised rigs, performances in excess of 200 billion hashes per second have been achieved.
So yep, weak MD5 passwords can indeed be broken in seconds.
MD5 is broken. For several years. PC hardware with GPGPU acceleration means its dead in the water. MD5 with salt is no better any more.
Even SHA1 is ropey now. From next year you won't be able to use SHA-1 in TLS certificate hashes.
That you DON'T know this is exactly why forums like this are compromised so badly all the time. Because nobody ever bothers to upgrade or check what's actually valid.
I've said for many years that we need a one-page website that basically says:
MD5 - DO NOT USE
SHA1 - OBSOLETE. DO NOT USE FOR NEW PROJECTS
SSLv1 - DO NOT USE
SSLv2 - DO NOT USE
SSLv3 - DO NOT USE
etc.
etc.
etc.
Calculating an MD5 collision is relatively trivial - even if you don't know the original's size, complexity or format - especially if you have all the time in the world to perform offline attacks. Those passwords are now, or will be in a month's time, common knowledge and there's nothing you can do about it.
Stop using MD5.
'"You must avoid re-using the same password on multiple sites and keep passwords confined to a single site," site admins wrote.'
How about you inept wankstains spend less time telling us how not to share passwords and a bit more time implementing a secure hashing algorithm. ( ie NOT MD5!). You might want to stop making your users data available to anyone on the internet while you're at it too.
And that's ridiculous anyway, because the average person would end up with several dozen passwords.
Keep passwords in security levels. When you sign into a site, think what data it's going to hold and use the appropriate level of password. Then, if your Twitter account is compromised, ONLY accounts with the same access, the same level of personal data, etc. can be affected and you have to change passwords to ONE new password for everything on that "level".
I use several levels, hence only several passwords, thusly:
- Banking, taxation, important stuff I wouldn't want ANYONE else to know.
- Shopping, general secured credit cards, renewals, hosting, etc.
- Personal data (e.g. Facebook, etc.) and things I wouldn't want people playing with but that aren't going to cost "money" if they do.
- Junk (forums, random sign-ups, newsletters, etc.).
Then, if one of those passwords is compromised, you can get NO MORE information out of all the sites using that password of mine than you already have. And yet I only have to memorise four passwords of differing strength.
And if The Reg forums are compromised, you can't get into my Paypal or Amazon because there's no need for The Reg to share any password with a money-holding website.
The suggestion for a unique password per website is stupid.
Using a password manager is stupid too (basically, one compromise and ALL your accounts are open again).
I know exactly what you're saying and tend to follow the same as you...
.. but I think we're both wrong and that one password per site is unfortunately now needed. The trouble with what you say is how do you police yourself? How do you consciously decide that some particular site needs you to "upgrade" its level from one to another? That site that you thought was going to be a junk site, but which some months later you purchased something on, or donated some money to?
Or that site which may not cost you money, but which may cost you significant embarrassment or time if it does get hacked because you thought it was a junk site but then became more popular. Then when undergoing a security screening for a new job, your hacked posts come up?
When one of your sites does get hacked, would you prefer to simply know that there is nothing else you need do because all other sites have a different password, or do you want to spend the time double-checking the sites that you reused that password to see if they're on the "right" level and/or do a blanket change across all of them in any case for safety?
Then there are copious stories of social engineering hacks where people managed to compromise one site using information gleaned from another.
So I think we really are at the stage of needing one unique password per site. And I'd disagree with use of a password manager - in my opinion, the chance of losing (all) my passwords stored in a decent non-cloud based password manager is far less than losing any one of my passwords used on a site that I have absolutely no control over (other than the password and accuracy of any other data I've provided).
But it all comes down to one's own personal perceived risk assessment and, as always, a balance between the risks and the inconvenience of any measures to mitigate those risks
"But it all comes down to one's own personal perceived risk assessment and, as always, a balance between the risks and the inconvenience of any measures to mitigate those risks"
But sometimes those concerns can hit extremes. Take my earlier example: a very bad memory. I mean bad enough that "correcthorsebatterystaple" turns into "donkeyenginepaperclipwrong" the following day. I personally know people whose memory is just that bad, yet they're expected to use the Internet.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
