
View Diary: How to AVOID writing passwords (154 comments)


  •  I'm an IT security expert, and... (2+ / 0-)
    Recommended by:
    CalvinV, certainot

    There is a lot of good advice here.  However, things are not as bleak as they seem.  

    For example, any reasonably secure site like a bank, a retirement account, or even gmail, will not allow you to try 823 trillion password attempts.  In fact, after even a few bad attempts the account will be locked, either permanently or for a few minutes.  

    So actually if you use a "reasonably" secure password, and a different one at each site, you can reasonably assume that nobody can hack into your financial or important accounts, even though you are not using military grade passwords.

    So for most people a "typable" password using letters and numbers is secure, as long as you use a different one for each site.

    Now the bad news is, increasingly, hackers don't have to try 823 trillion passwords.  They just make sure your computer has a virus, which transmits your passwords as you type them to a third world country. :-(
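The lockout behaviour this comment describes, as an added example that is not code from the diary or from any commenter: a per-account failed-attempt counter that locks the account for a while after a few bad guesses, plus a helper that turns the policy into an upper bound on how many online guesses an attacker can submit per day. The threshold of 5 failures and the 15-minute lock are assumed values, and the injectable clock exists only so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive bad attempts since last success/lock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class ThrottledLogin:
    """Online login with per-account lockout (constructed example).

    threshold: failures allowed before the account is locked
    lockout_seconds: how long the lock lasts
    clock: time source, injectable for testing
    """

    def __init__(self, threshold=5, lockout_seconds=900, clock=time.time):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._users = {}   # username -> (salt, pbkdf2 digest)
        self._state = {}   # username -> AccountState

    def register(self, username, password):
        # Per-user random salt and a slow KDF, so the stored value is
        # useless on its own even if the user table leaks.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)
        self._state[username] = AccountState()

    def attempt(self, username, password):
        """Return 'ok', 'locked' or 'denied'."""
        state = self._state.get(username)
        if state is None:
            return "denied"  # unknown user: same answer as a wrong password
        now = self.clock()
        if now < state.locked_until:
            return "locked"  # password is not even checked while locked
        salt, stored = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, stored):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.threshold:
            state.failures = 0
            state.locked_until = now + self.lockout_seconds
        return "denied"


def max_online_guesses_per_day(threshold, lockout_seconds):
    """Ceiling on distinct guesses against one account in 24 hours under
    this policy (ignores the time the attempts themselves take)."""
    cycles = 86400 / lockout_seconds
    return int(cycles * threshold)


def years_to_exhaust(search_space, threshold, lockout_seconds):
    """How many years the whole search space would take online at that ceiling."""
    return search_space / max_online_guesses_per_day(threshold, lockout_seconds) / 365


if __name__ == "__main__":
    print(max_online_guesses_per_day(5, 900))            # 480 guesses/day
    print(round(years_to_exhaust(823e12, 5, 900)))       # the diary's 823 trillion
```

With 5 tries and a 15-minute lock, an attacker who only has the login page gets at most 480 guesses a day, which is why the commenter's "reasonably secure, different per site" advice holds for online attacks. The flip side, worth noting in any real deployment, is that a hard per-account lock lets anyone who knows a username lock its owner out, so production systems usually combine short, growing delays with per-source throttling rather than locking outright.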

    •  No, but a computer will allow you to, on hashes (0+ / 0-)

      The case is if you have the hashed password file from the site in question.

      That's what the diarist is talking about when referring to "testing" 823 trillion passwords. Brute-forcing against a hashed password file, to try to determine the cleartext.

      Not trying to log into a site 823 trillion times...

    •  Well, at first I thought like you did (0+ / 0-)

      but then I read the original thread again and it assumes that your encrypted password has already been known (by a radio packet sniffer at a local Starbucks, say) and the decrypter program just tries all the combos on the home PC until it hits one that produces the same encrypted password. Then that person only needs to type it in once to access your bank account.

      You're right that almost all sites will lock you out after a few attempts though.

      About the keylogger virus I have an amusing story to tell. I bought an Acer laptop for my 9-year-old daughter. One day, her laptop suddenly stopped working when doing certain things (i.e. did not fail all the time). When it failed all keyboard entries got mapped to sequential digits 1234567890123.....

      Even my PC repair shop had no idea what happened; then I googled and found that all Acer laptops of the same model failed on the same day after a Microsoft update.

      It turned out for that particular model, Acer had a factory-installed security program which was supposed to prevent the keylogger viruses. After the automated Microsoft update, the program didn't work any more and I guess it scrambled the keyboard entries for the wrong reason. Fixed the problem by uninstalling it :).

      •  To clarify, you wouldn't be trying this against (0+ / 0-)

        passwords that you caught off a wireless network. Trying to decode SSL streams and the like is a separate issue, and a potential concern in its own right... Most passwords pulled off wireless networks are just ones sent in cleartext, with no encryption.

        (You don't need any special hardware to do that by the way; no special packet sniffer radio. Most wireless chipsets can be configured to sniff unencrypted traffic.)

        The case given is that the hashed passwords are known, such as by breaking into a site and stealing their database contents; e.g., as happened with LinkedIn in the example used.

        By the way, just to be a pain and nitpick at the terminology: the passwords are referred to as hashed, and not as encrypted, because you can't reverse the function to get the original data back, like you can with encryption. So you have to use various attacks to figure out what that original data was. Sometimes this does just involve trying lots of combinations, sometimes there's a flaw in the encryption itself. (In the case of LinkedIn, they made a major mistake that still required the passwords to be cracked, but made it require MUCH less computing power to do so.)
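The hashing point this reply makes, as an added example that is not code from the diary or from any commenter: a hash cannot be run backwards, so the only route from a leaked hash file is guess-and-compare, and the cost of that depends on how the site stored the hashes. The weak scheme below is a bare, unsalted SHA-1 (which is what the 2012 LinkedIn dump the thread refers to is widely documented as having used); the stronger one adds a per-user random salt and a slow key-derivation function. The four-word "wordlist" and three users are constructed sample data, and the counters measure hash evaluations rather than wall-clock time.

```python
import hashlib
import os

# Constructed sample data: a tiny wordlist and three users, two sharing a password.
WORDLIST = ["letmein", "password1", "hunter2", "correct horse"]
USERS = {"ann": "hunter2", "bob": "letmein", "cy": "hunter2"}


def store_unsalted(users):
    """Weak scheme: bare SHA-1 of the password, no salt, no work factor."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def store_salted(users, iterations=50_000):
    """Stronger scheme: 16-byte random salt per user plus PBKDF2-HMAC-SHA256."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def guess_cost_unsalted(stored, wordlist):
    """Hash evaluations needed to test every word against every user.

    Without a salt one precomputed table serves every user (and every other
    site using the same scheme), so the cost is len(wordlist) regardless of
    how many accounts leaked.  Returns (evaluations, recovered)."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {u: table[h] for u, h in stored.items() if h in table}
    return len(wordlist), recovered


def guess_cost_salted(stored, wordlist, iterations=50_000):
    """Same test against salted, slow hashes.

    The salt makes every user's table different, so each (user, word) pair
    costs a full KDF run: len(users) * len(wordlist) evaluations, each of
    which is itself `iterations` times slower than a single SHA-1."""
    evaluations = 0
    recovered = {}
    for u, (salt, digest) in stored.items():
        for w in wordlist:
            evaluations += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                recovered[u] = w
    return evaluations, recovered


if __name__ == "__main__":
    weak = store_unsalted(USERS)
    print("unsalted: identical passwords give identical hashes:",
          weak["ann"] == weak["cy"])
    print("unsalted evaluations:", guess_cost_unsalted(weak, WORDLIST)[0])
    strong = store_salted(USERS)
    print("salted: identical passwords give identical hashes:",
          strong["ann"][1] == strong["cy"][1])
    print("salted evaluations:", guess_cost_salted(strong, WORDLIST)[0])
```

Both schemes are "hashed" in the sense the reply describes: nothing here inverts the function, it only checks candidates. The difference is that the unsalted table is built once and reused across every leaked account, while the salted version forces the work to be repeated per user and makes each unit of work deliberately slow, which is the "much less computing power" gap the comment alludes to.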
