back to article Stolen passwords integrated into the ultimate dictionary attack

Targeted password guessing turns out to be significantly easier than it should be, thanks to the online availability of personal information, leaked passwords associated with other accounts, and our tendency to incorporate personal data into our security codes. In a paper [PDF] presented at the ACM Conference of Communication …

Silver badge

Using a password manager

One way to generate effective passwords is to use a good password manager that will generate gibberish passwords on demand. 48 or 64 characters of random gibberish will take a good while to guess.

This research highlights the more one can learn about a potential victim the easier it is attack. The Internet makes finding a lot information much easier even if was always publicly available.

4
0

This post has been deleted by its author

Anonymous Coward

Re: Using a password manager

One way to generate effective passwords is to use a good password manager that will generate gibberish passwords on demand. 48 or 64 characters of random gibberish will take a good while to guess.

.. if it weren't for sites which want to enforce the presence of certain characters, but at the same time limit the password length (although I think a password of more than 128 characters is a tad excessive :) ). Yes, I use a random generator too, but I also started to give sites email addresses that tell me who sold mine on to third parties - you have no idea just how many do that to earn an extra buck :(.

4
0
Anonymous Coward

Re: Using a password manager

Yeah good.

Until said password manager becomes mainstream and the blackhats reverse engineer the "random" generator algo.

Certificates are the way to go with a certificate manager.

Easily revoked at both ends and easily regenerated.

We just need to work out a reliable and secure means of exchanging keys.

0
0
Silver badge

Re: Using a password manager

"Until said password manager becomes mainstream and the blackhats reverse engineer the "random" generator algo."

Even if they reverse-engineer it (and the one in KeePass is open-source), if the algo was seeded properly with truly random data (or even just truly ephemeral data, like the time of creation to the microsecond--try figuring out THAT one), they'll still be at a loss to reconstruct the password. It's like trying to predict the lottery.

0
0
Silver badge

Sites also a problem

The other day I was creating an account on a site, where the password just had to be typed in manually. Usually I like 20-30 random character passwords, but this site made it practically impossible me! Gee whiz, unknown people, why do you make your sites unfriendly to secure entropy? What is the personal problem with being able to paste a long password into the box?

Ech.

9
0
Silver badge

Re: Sites also a problem

I find that generated random passwords with a slight sorting of characters and removal of some difficult-to-find special characters usually gives a decently typable password. Feel free to use any of my spares, (as long as you use them for your own account ;):

HAwwpy~QU356.uc

jazFURC=Lx+Gb143

iralwDQ+78wmCli

\99@NULC-J45xdc

0
0
Silver badge

Re: Sites also a problem

The site bought some software that is supposed to identify who is typing by looking at the amount of time between key presses and releases. Clearly people pasting a randomly generated password for each site from an encrypted file are a threat to sales of this software. Such people must be bashed repeatedly with inconvenience until they use "correct horse battery staple" for all their accounts.

As a bonus, key timing software can decloak privacy nuts who use different user names for different accounts. It is almost as if these people do not understand that they only exist to promote the sales of analytics software.

6
0

This post has been deleted by its author

Silver badge

Re: Sites also a problem

"There are many Chrome and Firefox extensions available to override these double dumbass website wankers."

There's an even better way - take your business elsewhere.

12
1
Silver badge

Re: Sites also a problem

"There's an even better way - take your business elsewhere."

Ever heard of a Captive Market? If they're the ONE AND ONLY source of something (say the manufacturer's website), you're left with a Hobson's Choice: Take It or Leave It and be left with very expensive bricks.

4
0

Re: Sites also a problem

I usually go for Shift-Insert first, failing that using a built-in web debugger.

1
0
Anonymous Coward

Re: Sites also a problem

With Safari on OSX, if the site blocks pasting the password via Cmd-v, its usually worth trying right click > paste from the context menu. Works about 75 percent of the times I've been blocked.

0
0
Silver badge
Thumb Up

Do they select research teams by how well their names rhyme?

Ding Wang, Zijian Zhang, Ping Wang, Jeff Yan and Xinyi Huang from Fujian.

If true, possibly the best team ever.

9
0

What's a "security-savvy user"

The figures are pretty meaningless without defining the terms..

0
0

Re: What's a "security-savvy user"

from a quick read of the ACM paper, I think he means that the 'standard users' use "123456" everywhere, and the 'security-savvy user' however use different pw's for the different websites: such as '123456eBay' and '123456BraclaysBonk'; the very clever Wang team have decided that they can guess 30% of the time what Mr. Savvy uses at Yahoo!

(I think I agree with you that the really really savvy users just won't go near the !)

I leave you with a just-announced revolution, totally OT http://cogink.com/cleese/

1
0
Silver badge

Re: What's a "security-savvy user"

Can differentiate between the power switch of the computer and the power switch of the monitor?

1
0
Silver badge
Coffee/keyboard

Re: What's a "security-savvy user"

Dave, thank you, thank you, thank you for that link!

2
0

Re: What's a "security-savvy user"

Geez, doesn't Cleese think The UK has suffered enough after Brexit?

This is like throwing a posh dinner party and insisting the neighboring hooligans attend!

0
0
Jin

Password could work if expanded

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Are you aware of this?

https://youtu.be/-KEE2VdDnY0

0
0
Silver badge

Re: Password could work if expanded

Are you aware that websites have to accommodate the BLIND by law? Picture passwords are useless to the blind.

0
0

I heard a surprisingly secure password can be made by stringing together 3 or more unrelated words & some numbers or characters.

Like FreekyEgg5&Purple is a pretty good password, and if you tried hard you might be able to remember it.

0
0
Silver badge

Now do that again for the hundred or so sites you pass through every week, without repeating. This is why every time someone mentions your scheme or xkcd, I reply with, "Now was it 'correcthorsebatterystaple' or 'donkeyenginepaperclipwrong'?"

1
0

This post has been deleted by its author

Yes, using a password manager is the best option. Even if the password manager companies get hacked, your passwords are still safe. They keep them encrypted, so that only someone who knows your master password can get in.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018