
Welcome to today's Anonymous DKos Tutorial Thread.

We're going to be doing a number of these tutorials to help Kossacks beef up their cybersecurity. There's a sign up sheet at the bottom for anyone else interested in participating in these tutorials.

The first piece in this series is about the all important password. Before we begin, I have an important warning.

DO NOT UNDER ANY CIRCUMSTANCES USE THE EXAMPLE PASSWORDS I PROVIDE IN THIS DIARY. EVER. Because I've discussed them in public, they're now tainted forever.

Also: never ever EVER use a password that is just a single word taken from a dictionary, like "power." If your password is "power" or "food" or "munchies" or any other single word from a dictionary, it can be cracked easily. If that's your password, it's like you're not even trying to keep your login secure. Finally, never use the same password twice; always have different passwords for different websites/computers.

First, let's explain why you need a secure password.

Imagine for a second that I'm a hacker. (I'm not.) I might be sitting in Starbucks with a computer. Nowadays, I don't even need a laptop. With the growth of technology, I can steal someone's Android phone and flash the memory to erase its identity. It's now useless as a phone, but if I tried to make a phone call I'd have been reported for theft anyway, so what do I care? I don't want it to make phone calls anyway. I want it for hacking. I install a hacking package on the smartphone, and head out to do some grand larceny. It might look like I'm sitting in Starbucks texting away, when really, I'm downloading all of your information as you log into your bank account.

See, I've used what's called a packet sniffer to record the wireless transmissions being sent between your computer and Starbucks' wireless router. One of the things that people seem to think is that wireless communications work in a line. They think that when you connect to a router, it's somehow a private connection like a phone line connection. What's actually happening is that your laptop and the Starbucks router are screaming at each other at the top of their lungs.

"HI I'M JESSICA'S COMPUTER!"
"HI JESSICA'S COMPUTER, I'M STARBUCKS' ROUTER!"
"AWESOME, HEY SHE NEEDS TO LOG INTO HER BANK!"
"OKAY, GIVE ME THE LOGIN, IT LOOKS LIKE THE BANK WANTS TO USE ENCRYPTED HTTPS!"
"OH, OKAY. BLARGHALAHAL!"
"BLARAHAHADHAAHDLAHALALALAL!"
"OKAY, SHE'S DONE WITH THE BANK ACCOUNT NOW, NOW SHE WANTS TO ORDER UGLY SHOES FROM HIDEOUSHEELS.COM, BUT SHE'S NOT USING HTTPS!"
"THAT'S OKAY, WHAT THE FUCK DO WE CARE ABOUT HER PRIVACY?! WE'RE JUST LUMPS OF PLASTIC AND CABLE!"
"RIGHT! HER CREDIT CARD NUMBER IS-"

This is why the military uses microwave and satellite transmissions whenever they can instead of radio. Microwave transmissions move in a straight line, while radio transmissions go outward in every direction. I can't sniff a packet I can't hear. But if you're using wireless, you're using radio, and radios don't whisper like satellite and microwave, they shout. If you're encrypting them, you're shouting in a language that's hard to understand, but you're still shouting.

And that's what happens when you buy stuff while sitting at Starbucks from a website that doesn't have adequate security. Never, ever check your bank account or buy stuff while at Starbucks. If I'm a hacker, my little packet sniffer picks it up. But let's say you didn't order anything, you just logged into your bank account.

I save the information where your computer says "BLARGHALAHAL!" because that's where you entered your username and password.

Password cracking is done in two ways. First, by assuming that people take the phrase "password" too literally and their password is an actual word. The first thing I do is load dictionaries into a program which checks literally every word in the dictionary against your password to see if your password is an actual word. That kind of hacking is fast and easy, and anyone who knows how to use a mouse can do it. It takes minutes if I have a fast enough computer. If that doesn't work, I'll turn to a decryption program.

This stuff is all difficult and time consuming, but luckily, there are people who've written programs and applications that do this kind of work to make my life easier. And I've downloaded all of them already, and installed them on my desktop. And no, I'm not going to tell you what they're called or where to find them. Ever. Don't ask. I've never done any of what I'm describing, and I'm way oversimplifying here, so don't assume that you can read this and understand how to be an uber-hacker. (Once again, I'm not a hacker.)

Anyway, if I put "BLARGHALAHAL!" into my decryption utility, I might find out that her bank Login is ShoeLover and her password is Shoes. She might even have used the same username and password for her HideousHeels.com account as she used for her bank. If so, I've already tried plugging that in. I'm also going to check ShoeLover@Gmail and Yahoo and Hotmail just to be sure. If she uses the same password there, I've got everything I need to steal her identity most of the time.

If, however, I put her info into my decryption system and 24 hours later, I still don't have a solution? I move on. Because I was sniffing packets while Bob signed up an account at BuxomBabes.com, and I think I can steal his credit card. Especially when his password for BuxomBabes.com is "BuxomBabes".

Password writing can be intimidating. People tend to think that a random string of letters and numbers is a super-secure password that nobody could guess. For example, people assume that the password "Ab13gU7" is super secure. No one's going to guess that password, but if someone's running a decryption utility, they'll crack that password in about three hours. In contrast, if your password was "Whirled Peas" it would take someone with your basic desktop PC about two million years to crack. If a website lets you use it, the space key is your best friend in the world.

If_not,_use_underscores_instead.

That's why we need to stop thinking of passwords and start thinking of passphrases. Song lyrics or poetry snippets shot through with symbols and numbers are a great place to go. In contrast to whirled peas, the password "@11Uneedislove" would take about 32 billion years to crack. That's without spaces. When you type it as "@11 u need is love" it'd take a modern desktop about 560 sextillion years to crack it.

Don't use dictionary words, and don't use a long string of letters and numbers that you can't remember. Use a phrase.

Spaces are your friend, but so are symbols and numbers. Here are some ways to replace letters with symbols and numbers to help you write an easy to remember pass phrase:

!=I or L
@=A
#=H
$=S
%=oo
^=n
&=A

You can put your password in ( Parentheses ) if you want. Or [ Brackets ].

The password ( Parentheses ) would take 13 trillion years to crack, while [ Brackets ] would take about 2 million.

1=I or L
2=Q
3=E
4=A
5=S
6=G
7=F or T
8=B

If you don't like any of that, you can add a smiley to the end of Whirled Peas. Use creative ones like :-D or D-: or X-D or :b or :p or :B or ;-X or any other easy to remember smiley.

Want to add numbers? Add an important date to the password. "@11 u need is love 1776" would be a good password. It's got a phrase for a song and a totally unrelated date. No one will be able to guess it, and it will be hard for a computer to break through such a long password.

Wnat to be extar secuer? Misspell yuor passwird. (*Que asploding heads. Suck on it, Grammar Nazis.)

Making a passphrase secure and hard to guess is important. Equally important is having many passwords. That means that your passwords should be easy to remember. That's where the symbols and numbers and brackets and spaces come into play.

If we're talking about your home, it's okay to write down your passwords as long as you use pen and paper, and keep the paper in a secure place. Do not tape it to the bottom of your keyboard at work. I can't tell you how much trouble I caused in college knowing that everyone thinks they're being slick when they hide their passwords under their keyboards. Do not write down your passwords at the office. If someone has broken into your home, they're probably not going to sit down at your computer and try to break into your DailyKos account. Writing your logins and passwords down on the bottom of your keyboard in a semi-public place is the kind of behavior that trolls call "asking for it." Trolls are not nice people.

If someone really, really wants to crack your password or your encryption, and they've got the technology to do it, they'll find a way; possibly a backdoor, possibly a hole in the website, program, or operating system's security. If they're really dangerous they can get ahold of every username and password on the server. If they do that, there's a good chance that they're going to be entering those same usernames and passwords into every website they can find.

And that's why every single password needs to be different. Because at some point, there's a good chance that someone will get a hold of one of your passwords. And if that's your only password, you're boned.

A good resource to play around with and the place I'm getting my numbers is howsecureismypassword.net. This site is completely secure, in that none of your password information is getting collected. The way it works is by running a program on your web browser called a Java applet. I've checked the code. The only communication script is Google Analytics, and they're not collecting what you type into the box.

Play with that until you've got a head for passwords.

Remember, the best pass phrases make no sense and are easy to remember. "[ 0bfuscating 0ffisaur ]" sounds like Obfuscating Officer, and is easy to remember. It's also excessively hard to crack. Hell, "Obfuscating Officer" by itself is a pretty secure passphrase.

Now that you know the basics of passwords and pass phrases, I'm going to open up the thread for comments/questions. Treat this like a tech-themed open thread.

2:28 PM PT: This XKCD Comic posted by Azazello is absolutely perfect.

3:49 PM PT: Holeworm adds this on "All you need is love"

That's not a good password, I'm sorry to say... (2+ / 0-)

Mainly, because the individual words are all short and common. A password cracker with short lists of things like "is", "all", "you", etc, might try combining them with other words, since chaining words is a common method these days.

Just sticking at least one long/uncommon word in there would do wonders as far as resisting cracking. That removes the ability to just use very-small dictionaries to figure out your chained words.

Need uncommon words? http://makemeapassword.net/ has some.

8:01 PM PT: Rescued? Recommended? Thanks DailyKos. I'm going to work with some other Kossacks and make sure these security diaries keep coming.

8:37 PM PT: Thank you everyone who contributed in the comments section. It's time for me to head to bed.

If you want to write a security diary, send me a Kosmail. I'll get an open thread with a list set up tomorrow so that people can do signups. Should have posted that today. Just give me a topic and a date and we'll sign you up.

Originally posted to Anonymous Dkos on Thu Jul 12, 2012 at 01:57 PM PDT.

Also republished by Community Spotlight.


  •  Tip Jar (167+ / 0-)
    Recommended by:
    Horace Boothroyd III, hester, DRo, Knockbally, emsprater, tytalus, dansk47, KenBee, worldlotus, Azazello, wxorknot, ChicDemago, MKSinSA, cassandracarolina, dance you monster, CJB, Joieau, fumie, pat of butter in a sea of grits, Avilyn, confitesprit, johanus, cotterperson, CuriousBoston, Ekaterin, Maverick80229, chicagobleu, Catte Nappe, Williston Barrett, Hammerhand, here4tehbeer, blue91, blueyedace2, journeyman, holeworm, Hanging Up My Tusks, 2laneIA, FarWestGirl, Pithy Cherub, nomandates, Senor Unoball, 3goldens, glitterscale, Texknight, paul2port, Canis Aureus, Larsstephens, Spirit Dancer, pickandshovel, weck, SanFernandoValleyMom, sockpuppet, Its any one guess, Kristina40, gooderservice, shari, ParkRanger, Lady Libertine, Thinking Fella, murasaki, Jim P, sillia, Sylv, Gowrie Gal, Ice Blue, PsychoSavannah, tapestry, Susan from 29, Skennet Boch, Pupmonkey, blueoasis, grover, sunny skies, chimpy, ferment, democracy inaction, Dave in Northridge, Pirogue, roystah, princesspat, Mentatmark, FWIW, dejavu, DebtorsPrison, Tolmie Peak, stevenwag, tommy2tone, lineatus, badscience, Only Needs a Beat, deep, maryb2004, smoothnmellow, bnasley, Pluto, kaliope, JanetT in MD, Andrew C White, TravnTexas, PeterHug, BlueMississippi, elengul, tommymet, oceanview, lu3, Justus, BachFan, vigilant meerkat, Caddis Fly, David54, susakinovember, mslat27, Heart of the Rockies, DawnN, DavidW, foresterbob, createpeace, Justina, Dvalkure, MsGrin, ripzaw, Marihilda, dotdash2u, Hopeful Skeptic, uciguy30, Reel Woman, AgavePup, Robynhood too, Glinda, Coastside Scout, teemel, Oldowan, AbominableAllStars, greycat, Clive all hat no horse Rodeo, Black Max, steamed rice, rbird, MJ via Chicago, RainyDay, wretchedhive, DerAmi, jennifree2bme, ladybug53, Calamity Jean, JVolvo, dkmich, vicki, qofdisks, Geenius at Wrok, Linda in Ohio, historys mysteries, wvmom, Lisa Lockwood, Debbie in ME, MKinTN, stevemb, redlum jak, john07801, barkingcat, el dorado gal, splashy, chmood, M Fox, TracieLynn, edrie, 
SeaTurtle

    An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

    by OllieGarkey on Thu Jul 12, 2012 at 01:57:16 PM PDT

  •  excellent! antennae broadcasting... (14+ / 0-)

my router has an antenna even when I am plugged in...should I wrap it in tinfoil and unscrew it?

win7 keeps asking me for 'home', 'office' maybe and 'public' when I look for a wireless connection out in the world.

    What's up with that, what's the diff, can a criminal have an unsecured wireless connection just to hijack passwords and info?

    and how do we do online financial transactions safely.

    maybe another diary you plan to go into this?

    Thanks much for this...

    From those who live like leeches on the people's lives, We must take back our land again, America!...Langston Hughes

    by KenBee on Thu Jul 12, 2012 at 02:09:35 PM PDT

  •  That was very clear (16+ / 0-)

    for this non-techie person.  If I knew about how vulnerable a person's info can be in a Starbucks, I had forgotten.  YIKES.

    And like most people, I have a lot of passwords, and I tend to re-use them.  Because forgetful person forgets!!

    I thought my passwords were pretty secure (which they are apparently not), and never thought about using phrases or adding something simple like parentheses.  

    Thanks for posting this.  I look forward to hearing what others have to say/share!!

    What are People For?

    by Knockbally on Thu Jul 12, 2012 at 02:14:28 PM PDT

  •  My problem with passwords (19+ / 0-)

    is that it's hard to get in a groove with something you can remember. One site only allows 6-15 characters and can have no special ones then another (and sometimes even the same one when they decide to re-do the system) will only let you have special characters, CAPS and numbers but the length is 12-124 characters.

    When you've got to write them down or stick them in your browser, because they're so different, it pretty much undermines the value of the whole thing.

    I do try to at least get a yellow when the site's testing me though.

  •  Ladies of a certain age (8+ / 0-)

carry a small notebook or, as they call them over here, a diary. Handy if you're as ditsy as I am.

    "There's a crack in everything; that's how the light gets in". Leonard Cohen

    by northsylvania on Thu Jul 12, 2012 at 02:19:32 PM PDT

  •  This is great! Thank you. n/t (8+ / 0-)

    Can you call yourself a real liberal if you aren't reading driftglass?

    by CJB on Thu Jul 12, 2012 at 02:19:34 PM PDT

  •  I like to use a combination of family names (11+ / 0-)

    and birth dates. (Not me or my husband ... I use parents, siblings, aunts, uncles) Like Sandra0428Jones1959. I just have different people's names associated with different websites in my head, and so I think .... I'm at abc.com, that's Aunt Sandy.

    For me, Mitt reminds me of Jeff Bridges in Starman. He's like an alien that hasn't read the entire manual. You know, he's going, "Nice to be in a place where the trees are the right size." -- Robin Williams on Letterman 26 Apr 2012

    by hungrycoyote on Thu Jul 12, 2012 at 02:26:33 PM PDT

  •  I maintain a spreadsheet of passwords but (15+ / 0-)

    do not spell any of them out in their entirety. I substitute letters with asterisks, and always include numbers and often symbols. Often just the first and last letter of a word will give you enough of a clue while thwarting others who stumble upon your list. Password protect the spreadsheet, and e-mail it to yourself and/or keep hardcopy handy.

    One thing you can do if you create a complex password and want to adapt it to multiple sites is to add a preface that links back to the site. For instance, if your password is

    "MyFantasyFootballTeam#66"

    Here it could be "DKosMyFantasyFootballTeam#66"

    If you lurk at Red State, it could be "RSMyFantasyFootballTeam6" and so on...

    Password generation is also a chance to re-live your childhood with nonsense words, nicknames, or rhymes.

    Some drink deeply from the river of knowledge. Others only gargle. -- Woody Allen

    by cassandracarolina on Thu Jul 12, 2012 at 02:28:16 PM PDT

    •  That is useful. (3+ / 0-)

      Like most of us, I have zillions of passwords, and do keep them in a place where I can find them.  But it's not a protected document, and I indicate quite clearly what each password is for.  

      Making things more cryptic for others but clear to me might help. . .

      What are People For?

      by Knockbally on Thu Jul 12, 2012 at 02:32:19 PM PDT

      [ Parent ]

    •  Memory clues (6+ / 0-)

I mentioned in a comment above often using a pet's name with numbers from a phone number or address. So a clue might be "dog at vet" for the [dog's name @ the vet's address], or "puppy at mom's", etc.

      from a bright young conservative: “I’m watching my first GOP debate…and WE SOUND LIKE CRAZY PEOPLE!!!!”

      by Catte Nappe on Thu Jul 12, 2012 at 03:08:37 PM PDT

      [ Parent ]

    •  I use the same prefix/suffix method for some (5+ / 0-)
      Recommended by:
      weck, MKSinSA, sockpuppet, KenBee, ladybug53

      of my passwords, mainly on sites where I don't care if my account is compromised.

      It works quite well since each of those passwords ends up being unique, but unlikely to be cracked. (Even if they could be more secure.) And I can remember them more easily, leaving more room in my head for complex unique passwords for "important" sites.

      Keeping an offsite copy of your passwords is important too, e.g. emailing it to yourself like you suggest. However, I wouldn't rely on the password protection in a spreadsheet. Encrypt it with a 3rd-party utility instead. (Although, keeping only partial passwords in there makes that less of an issue. So this is more for other folks who're considering emailing themselves a full password list.)

      After all, that password list is useless if your disk dies, or your laptop is stolen, or whatever. So email yourself an encrypted copy as suggested, or keep one on a USB stick somewhere, and be diligent about backups (as everyone should be, anyways!)

      Of course, a local backup alone doesn't help if your house burns down with your computer and backup drive in it, thus having a copy offsite somewhere...

    •  Two part passwords (6+ / 0-)

      One part you memorize. The other part you write down and is different for every site. That way you don't have to remember dozens of passwords, but they are each unique. And that way you don't have your passwords written down anywhere.

      •  Several "two part" passwords. (1+ / 0-)
        Recommended by:
        ladybug53

        The part you memorize for banking should be different than the part you memorize for email.

        Banking, email, social sites.

        And something different for shopping sites if you store payment info. Subscription sites for content contains a lot of personal info.

        This better be good. Because it is not going away.

        by DerAmi on Fri Jul 13, 2012 at 01:11:24 AM PDT

        [ Parent ]

  •  Thanks so much for this (6+ / 0-)

    One thing I don't understand on a basic level - why do phrases with spaces in them or underscores or brackets take so much longer to crack? If the basic hacking can crack "3LSf74" quickly today, might they be able to incorporate those alternative characters at some point in the near future? Thanks.

    •  It has to do with the length of the password. (13+ / 0-)

      No one is going to memorize the password "sn s8sn 8sn39 2n203 n49sam 02,asf0 92I#(*# *@92293055 2" even though it's incredibly difficult to crack.

      But if your password is "All you need is love" it's hard to figure out.

      The longer a password is, the harder it is to crack, and the more variety of characters you use, the harder it is to crack.

Letters, numbers, spaces and symbols: if you have all of those in a long but easy to remember password, you're better off.

      An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

      by OllieGarkey on Thu Jul 12, 2012 at 02:39:49 PM PDT

      [ Parent ]
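The diary's "Ab13gU7" versus "Whirled Peas" comparison and OllieGarkey's reply above both rest on the same idea: the attacker's search grows with the alphabet in use and, far faster, with the length. The block below is an added example, not code from the diary or from howsecureismypassword.net, and its guess rate (1e9 guesses per second) is an assumed figure chosen for illustration, so its years will not match the diary's numbers. It models only a blind exhaustive search over the inferred alphabet; it deliberately ignores wordlists, so it overrates a passphrase made of short common words, which is exactly holeworm's objection to "All you need is love".

```python
import math
import string

# Character classes; an exhaustive search must cover every class that
# appears in the password at least once.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "space": " ",
    "symbol": string.punctuation,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search to reach this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates in a full search of every string up to len(password)
    over the inferred alphabet."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def entropy_bits(password: str) -> float:
    """log2 of the search space: a length-and-alphabet-only strength estimate."""
    return math.log2(search_space(password))


def expected_years(password: str, guesses_per_second: float = 1e9) -> float:
    """Average time to hit the password. The default guess rate is an
    assumed, illustrative figure, not a measurement of any real cracker."""
    return search_space(password) / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare(*passwords: str) -> list:
    """Rows of (password, alphabet, length, bits, years) for side-by-side viewing."""
    return [(p, charset_size(p), len(p), round(entropy_bits(p), 1), expected_years(p))
            for p in passwords]


if __name__ == "__main__":
    # The diary's own examples reused as constructed inputs (never use them for real).
    for row in compare("Ab13gU7", "Whirled Peas", "@11Uneedislove", "@11 u need is love"):
        print("%-20s alphabet=%2d len=%2d bits=%5.1f years=%.3g" % row)
```

Two things worth noticing in the output: adding a space to "Whirled Peas" only grows the alphabet from 52 to 53, yet the twelve-character phrase still dwarfs the seven-character mixed string because length is an exponent while alphabet is a base; and the model says nothing about guessability, so a phrase an attacker can assemble from a few short dictionary words is far weaker than these numbers suggest.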

      •  That's not a good password, I'm sorry to say... (10+ / 0-)

        Mainly, because the individual words are all short and common. A password cracker with short lists of things like "is", "all", "you", etc, might try combining them with other words, since chaining words is a common method these days.

        Just sticking at least one long/uncommon word in there would do wonders as far as resisting cracking. That removes the ability to just use very-small dictionaries to figure out your chained words.

      •  Hints For Creating A Strong Memorized Password (1+ / 0-)

        1. Memorize a moderately long (at least 8 words, preferably at least 10-12) phrase.

        2. Use the first letter of each word as the basis of the password.

        The advantages of taking just the first letter are 1)it reduces the amount of typing, 2)it makes the password short enough to not be cut off by sites that limit length, and, most importantly, 3)the resulting string of letters is almost* random.

3. Mix things up a bit by making some of the letters uppercase (I know enough German that "capitalize all nouns" is nicely intuitive for me; pick your own method and stick to it).

        That said, I use KeePass, so I only need to memorize one password, which I take from the first letters of [REDACTED].

        *The letters aren't truly random, mostly because some first letters are more common than others. That said, it is random in a more critical way -- there is virtually no correlation between letters, so that guessing one gives no information about the next (unlike plain text, in which -- to take the most obvious example -- "q" is almost always followed by "u").

        On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

        by stevemb on Fri Jul 13, 2012 at 06:50:01 AM PDT

        [ Parent ]

        •  Addendum (0+ / 0-)

          I meant to add one more point to item 3:

          3. Mix things up a bit by making some of the letters uppercase and have a system for remembering which ones.

          On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

          by stevemb on Fri Jul 13, 2012 at 06:51:46 AM PDT

          [ Parent ]

  •  A thought. (4+ / 0-)

    The high profile hacker password grabs are never a single password.  They're always blocks of thousands, tens of thousands, millions.

    Tell me why, if some hacker grabs off a list of passwords as a block file, it's any harder for him to crack my password than the guy next to me who used 'password'.  Isn't the encryption likely to be the same across the entire file, such that he'll know he's got it when he figures out what it takes to unencrypt 'password' guy's password, such that the strength of the entire block is only as strong as the weakest password in the entire file?  Heck, he could be that guy.  He could just sign up at the place he intends to grab the password database from, set up his account with 'password', and then just brute force different encryptions for 'password' til he finds one that matches his own, and then simply apply that to everyone else, no?  What am I missing that makes that scenario not work?

    •  Access levels. (5+ / 0-)

      If you hacked into my Dailykos account, then you only have access to my information and my account. You can hide rate people and post a diary designed to get me banned, that sort of thing.

      But you can't access every password on a website, because I don't have access to every password on DailyKos.

      Also, I'm WAY oversimplifying on the packet sniffing thing for a couple of reasons.

First, I don't want this to be a tutorial on how to break into people's stuff, so I don't really want to be super correct. Second, how it works is far more complicated than actually using the tools. I don't know the math behind decryption, but I know that if I download a certain program, I can steal people's passwords.

      When the passwords DO get stolen, it's because the website hasn't been paying to upgrade its security, and it's a totally different issue from this one, and not one that we as users have much control over.

      An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

      by OllieGarkey on Thu Jul 12, 2012 at 03:31:34 PM PDT

      [ Parent ]

      •  I was thinking of the recently reported Yahoo 400k (5+ / 0-)

        that got stolen, and the time my password and login showed up in a list of thousands of others for another website I used to hit.  Obviously the hackers hadn't simply gone through and hacked each password individually.

        Another thing I do on websites I've built is use 1 way encryptions.  You can never unencrypt user passwords, but you generally don't need to - just encrypt whatever they type in on future visits and compare the two encrypted versions to see if they pass inspection.

        •  I'm an IT security professional in real life (5+ / 0-)

You describe hashing. Rainbow tables, or preconfigured hash values (take the whole dictionary, hash every word in it, create a table and compare your hashes to the table).

          I'm gonna get some hits, right?

great diary! Secure passwords = 8 characters, uppercase, lowercase, numbers, special characters, pick 3 out of the four. Very hard to crack in a timely manner, and that's what counts.

          Re-elect Barack Obama and elect Elizabeth Warren

          by al23 on Thu Jul 12, 2012 at 06:23:18 PM PDT

          [ Parent ]

          •  Rainbow tables may be theoretically interesting... (0+ / 0-)

            But usefulness and feasibility of implementation doesn't seem to make them very worthwhile. GPU-based approaches are likely far faster using standard brute-forcing, and memory access and so forth makes rainbow tables less feasible with GPUs.

            They're also useless if you salt your hash. (Unless you have like...many exabytes of memory.) So, basically, not very useful unless the target is a company like LinkedIn, and stupidly forgets to salt their hashes.

            •  Exactly-your Linkedin example proves my point. (0+ / 0-)

I'll bet there are more companies just like Linkedin out there. How many outfits don't salt their hash tables? More than a few. Bottom line, testing, patching, more testing and good design are required today, and require secure passwords as I stated above.

              Interested in your GPU based approaches. Will read up on that.

              Re-elect Barack Obama and elect Elizabeth Warren

              by al23 on Fri Jul 13, 2012 at 04:26:55 AM PDT

              [ Parent ]

        •  That was Yahoo's fault. (1+ / 0-)
          Recommended by:
          Dr Erich Bloodaxe RN

What you describe with the one-way password encryption (a.k.a. hash) is what all websites are supposed to be doing. Apparently Yahoo didn't. There's nothing you as a user can do about that kind of situation (barring some knowledge about which websites are risky) other than make sure that the password won't get the attacker into any of your other accounts.

          When hashes are stolen (as opposed to plaintext passwords), they can be individually attacked by brute force generation of a bunch of hashes to see which ones match something in the stolen hashed password list.  Finding that a hash that matches "password" (ideally plus locally-provided "salt" data so the attacker can't use precomputed hashes) doesn't help to find a hash that matches "j8og9oQMKe9- [3**A".

          I'm skeptical about the claim to be able to do similar attacks on captured SSL traffic, though.
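The thread above covers four related points: one-way hashing (Dr Erich Bloodaxe RN), the precomputed dictionary table al23 describes, holeworm's remark that such a table is useless once hashes are salted, and the question of whether cracking one "password" user unlocks the whole stolen block. The following is an added example written for this thread; it is not code from Daily Kos, Yahoo or LinkedIn, and the wordlist, user names and iteration count are constructed values. It builds the tiny precomputed table, runs it against an unsalted database and then against a salted, iterated (PBKDF2) one, and shows the verification step a site performs on login.

```python
import hashlib
import hmac
import os

# Constructed mini-dictionary standing in for a cracker's wordlist.
WORDLIST = ["password", "123456", "letmein", "BuxomBabes", "Shoes"]

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value for the example


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one bare hash per password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def precompute_table(words) -> dict:
    """A tiny precomputed table: hash the whole wordlist once, look up many times."""
    return {unsalted_sha256(w): w for w in words}


def crack_with_table(table: dict, stolen_digests) -> dict:
    """Map each stolen digest back to a word if the table already has it."""
    return {d: table[d] for d in stolen_digests if d in table}


def make_record(password: str) -> dict:
    """The sound scheme: random per-user salt plus an iterated, slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def demo():
    """Run the same table against an unsalted and a salted stolen database."""
    # Constructed users; two of them chose the same weak password.
    weak_db = {
        "bob": unsalted_sha256("password"),
        "jessica": unsalted_sha256("password"),
        "alice": unsalted_sha256("j8og9oQMKe9- [3**A"),
    }
    table = precompute_table(WORDLIST)
    hits = crack_with_table(table, weak_db.values())

    salted_db = {user: make_record(pw)
                 for user, pw in [("bob", "password"), ("jessica", "password")]}
    salted_hits = crack_with_table(
        table, (rec["hash"].hex() for rec in salted_db.values()))
    return hits, salted_hits, salted_db


if __name__ == "__main__":
    hits, salted_hits, salted_db = demo()
    print("unsalted db, table hits:", hits)          # "password" falls out at once
    print("salted db, table hits:  ", salted_hits)   # {} : the table is useless here
    print("bob and jessica share a hash?",
          salted_db["bob"]["hash"] == salted_db["jessica"]["hash"])
```

In the unsalted database the two users who chose "password" also share a digest, so finding one of them finds both, which is the block-of-hashes worry from the "A thought" comment; with a random salt per user the same password yields different records, the precomputed table matches nothing, and each guess has to be re-hashed per user at the full iteration cost. The salt is stored alongside the hash in the clear; its job is not secrecy but making every user's hash computation unique.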

    •  Rainbow Tables (0+ / 0-)

      http://en.wikipedia.org/...

      ... are an extreme brute force tactic that sacrifice massive amount of space (some tables are > 100 terabytes large) to exponentially reduce the time to break any given password.

      They're pre-computed, so "password" will fall out quickly, but "I <3 sporty $pice" will take a much larger table to decrypt quickly.

      This is why they recommend you use uppercasing, digits and special characters as they increase the size of such a table required to break your password.

      Ultimately, it's like having a strong lock - yes any lock is breakable, but the thief will likely just hit your neighbor or a different neighborhood instead if results don't come fast enough.

      And remember - ALWAYS use a different password for every different site/app because password reuse is exactly how Mark Zuckerberg broke into his fellow students' accounts at Harvard when he had more brains than ethics.  Would you trust Kos/rusty/CT with your banking password? - I respect them but sure as hell wouldn't give em that.

      --
      Make sure everyone's vote counts: Verified Voting

      by sacrelicious on Thu Jul 12, 2012 at 11:00:56 PM PDT

      [ Parent ]

  •  A pass generator Mac-widget I've used for years (9+ / 0-)

    is called Make-A-Pass, and it's about as configurable as one would ever need.

    I'm starting to think John Boehner may not actually know what "the will of the American people" is.

    by here4tehbeer on Thu Jul 12, 2012 at 03:26:46 PM PDT

  •  How do hackers try out lots of passwords (6+ / 0-)

    at sites where they lock you out after a few failed attempts?

    Just another faggity fag socialist fuckstick homosinner!

    by Ian S on Thu Jul 12, 2012 at 03:31:11 PM PDT

    •  They can't usually. (6+ / 0-)

      They find other security holes.

      Or they steal some of your data with a packet sniffer and crack that instead.

      An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

      by OllieGarkey on Thu Jul 12, 2012 at 03:47:28 PM PDT

      [ Parent ]

    •  Depends on how they got your password (2+ / 0-)
      Recommended by:
      OllieGarkey, KenBee

      If they just have your username and are trying to brute-force the site, yeah, it'll lock them out after a few tries probably.

      The "trying out lots of passwords" part tends to come into play if a site is compromised, e.g. someone gets the database with usernames and passwords in it after breaking into the site.

      In most cases, these passwords will be encrypted. Then, the hacker can run various attacks against the encrypted passwords. Sometimes this is an attack against the encryption algorithm, sometimes it's a dictionary attack and/or brute-force attack where lots of possible passwords are tried.

      (Or a combination of all three! The recent LinkedIn fiasco was partially due to them not "salting" their passwords, making the encryption much less effective. Thus, it was much easier for the hackers to test out possible passwords.)

  •  Please sign me up (2+ / 0-)
    Recommended by:
    weck, sockpuppet

    Didn't see the signup sheet.  

    This is very timely.  Thanks!

  •  "Whirled peas" is not a good example (6+ / 0-)

    ...same reasons I said above.

    Crackers have clearly progressed to at least simple sets of two words. A dictionary attack against "Whirled Peas" is simple enough.

    Also, while many sites allow spaces, they may not even store the space with the password. So it's even easier for the attacker who then only needs to crack "WhirledPeas", and not bother trying spaces/symbols/whatever between words.

      •  Most of the diarist's ideas are on the ball (7+ / 0-)

        Longer strings, stick in some symbols, etc.

        I personally use 8 - 10 character passwords with a good number of symbols. I use simpler ones that I can remember for less-critical stuff, but longer random ones (generated via a script, not by mashing on the keyboard) for things like banking and other "important" sites.

        I save all my passwords in an encrypted file. (Which is on an encrypted disk itself...which I back up to a pair of encrypted backup disks. :) There are a lot of good password managers that can simplify this. This step is just as important, since if someone steals your laptop with a password list on it, even if it's locked (but not encrypted

        The suggestion of longer phrases with symbols/etc. stuck in is secure, and works well for most people. (I just personally don't remember those as well as "1Gj!4@.#z" or whatever. Yes, my brain works a little oddly.)

      •  use letter, numbers, and symbols (6+ / 0-)

        try not to get cute with words or substitutions.

        I disagree with this diary in this manner.

        As for using a combination of words, as in the XKCD comic, many sites will not allow that long a password.

        If you don't want to come up with a strong password, try http://www.keepass.info/ as it has a built in password generator.

        "The only person sure of himself is the man who wishes to leave things as they are, and he dreams of an impossibility" -George M. Wrong.

        by statsone on Thu Jul 12, 2012 at 04:15:36 PM PDT

        [ Parent ]

        •  One VERY important bit to add about long passwords (4+ / 0-)
          Recommended by:
          MKSinSA, sockpuppet, PeterHug, stevemb

          Many sites will cut your password off. They may let you enter 30+ characters, but they may only store and use the first 8 - 16 characters or whatever. (Depending on how old the site is and how poorly it was designed.)

          You can check this yourself on any given site, where you have a really long password, by chopping off the last letter and seeing if that still works.

          I agree with the "long password" method for general use (since it's more secure than what the average person is otherwise using), though I don't use it myself...partially for the reason stated above.

          (And substitutions can indeed be bad too. Dictionary cracking programs generally try I->1, 5->$, etc, which is why they're bad! Symbols are good, symbols used to substitute for similar letters aren't.)

          •  Long, strong, complex passphrases (4+ / 0-)
            Recommended by:
            holeworm, PeterHug, MikeyB33, ozsea1

            are essential for: your machine login, whatever OS you're using.  Try never to make login automatic unless there's nothing on the machine you care about losing or sharing.  
            But remember, every network is only as strong as its weakest link.  So if you have one easily hackable machine on your network, it can become an open door to the rest of your network.

            Also, complex passphrases for your online banking sites.  Most will let you use 10-16+ characters.

            And yes, sometimes a site won't tell you that it's only allowing the first 8 characters of the password you've set up.   That's good advice to find out for each site.

            At this point, most people glaze over about Internet security protocols.   It just all seems too complex to follow.  It is not.   In today's Net-connected milieu, anything you can do to secure your online privacy is essential.

            "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

            by sockpuppet on Thu Jul 12, 2012 at 05:28:36 PM PDT

            [ Parent ]

            •  ...or just an easily-hackable network (4+ / 0-)
              Recommended by:
              PeterHug, KenBee, OllieGarkey, sockpuppet

              The number of people I still see with open networks, or just broken old WEP, is astounding. Everyone should be using WPA2 on their wireless routers unless you have old devices.

              Of course, you should still encrypt anything sensitive even over encrypted wireless. (Especially with a laptop you might connect to public networks.) If it's really sensitive, use a VPN on top. You need to treat any network you connect your own device to (laptop, tablet, or even smartphone) as if it's hostile. Even if it's a friend's network, that person might well be infected with malware.

              The reverse applies as well: even a well-intentioned friend's laptop on your wireless network might have malware that will probe your network and try to break into your devices.

              (I actually have two networks at home, one for me, one for any guests...which goes into a separate port/subnet on my router.)

              •  Half the people in my building use WEP. (3+ / 0-)
                Recommended by:
                holeworm, KenBee, sockpuppet

                It makes me wonder why I'm still paying for internet.

                An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

                by OllieGarkey on Thu Jul 12, 2012 at 08:17:11 PM PDT

                [ Parent ]

                •  new diary topic (1+ / 0-)
                  Recommended by:
                  sockpuppet

                  router security, my wep written on the router...how to change that, and how to get wep2

                  go to bed!

                  :>

                  From those who live like leeches on the people's lives, We must take back our land again, America!...Langston Hughes

                  by KenBee on Thu Jul 12, 2012 at 09:18:11 PM PDT

                  [ Parent ]

                  •  No, not WEP2 (2+ / 0-)
                    Recommended by:
                    holeworm, KenBee

                    WPA2.   It's not as difficult as it seems here, at first.  But if your network is secured by a WEP level password, then I do recommend you change it asap.   Just run a Google search on the brand of your router and "how to use WPA2".  

                    Or wait til' this group gets some more networking discussions and diaries posted.  (But changing it sooner is better than later.  And with a very complex passphrase, the strongest one you'll use, almost, since you'll only enter once (or once in a while).)

                    "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

                    by sockpuppet on Thu Jul 12, 2012 at 11:25:43 PM PDT

                    [ Parent ]

                    •  Westell327W says incompatible, needs a usb card (1+ / 0-)
                      Recommended by:
                      sockpuppet

                      for WPA or WPA2...
                      brand new computer, maybe need a new router instead, will Verizon send a new one or do I have to buy one?

                      and what's a mobile router, mentioned earlier?

                      So, for this old router with WEP only and Firewall 'OFF' at this point...

                      and which MAC setting should it be? I think that's 'disabled'
                      and '4x' is disabled

                      Firewall should be on? low/med/high?

                      I want juuust right.

                      From those who live like leeches on the people's lives, We must take back our land again, America!...Langston Hughes

                      by KenBee on Fri Jul 13, 2012 at 03:12:39 AM PDT

                      [ Parent ]

                      •  Seriously, KB (2+ / 0-)
                        Recommended by:
                        ladybug53, KenBee

                        You need a new router.  If it doesn't have WPA2 capability, it's way too old.  

                        So your router is in tandem with your Verizon modem?  Okay, yes, they may give you an updated modem.  But it may or may not have a NAT router in it.  You need to ask 'em and press 'em on this point.  

                         I always use my own DSL or cable modem, rather than the one the ISP provides.  And then I put our home and office networks behind good NAT routers with security set to paranoid levels.  

                        If you need further help, just PM me.   I'll help you with this.   I'm very accustomed to being a "helpdesk" about security for the newly initiated.  :)

                        "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

                        by sockpuppet on Fri Jul 13, 2012 at 03:36:12 AM PDT

                        [ Parent ]

                        •  And whatever firewall you have (1+ / 0-)
                          Recommended by:
                          KenBee

                          whether it's just the built-in one with your OS (Mac or PC) or is a software 3rd-party firewall, turn it to ON immediately!  Something is better than nothing.

                          Talk to me.   :)

                          "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

                          by sockpuppet on Fri Jul 13, 2012 at 03:39:26 AM PDT

                          [ Parent ]

                          •  ok, fwall now on 'medium' (1+ / 0-)
                            Recommended by:
                            sockpuppet

                            sounds like 'just right'.......so......seems to still work-yay.

                            And no one's stolen my..hey wait a damn minute...brb

                            From those who live like leeches on the people's lives, We must take back our land again, America!...Langston Hughes

                            by KenBee on Fri Jul 13, 2012 at 01:29:02 PM PDT

                            [ Parent ]

                    •  "WEP" = "We're Easily Probed" nt (2+ / 0-)
                      Recommended by:
                      OllieGarkey, KenBee

                      On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

                      by stevemb on Fri Jul 13, 2012 at 06:55:38 AM PDT

                      [ Parent ]

              •  Easily hackable network (1+ / 0-)
                Recommended by:
                holeworm

                Well yeah.  But what I wrote was assuming (heh) that folks had made some effort to secure their network, wired or wireless.  You're right.  Why would I assume that?

                I woulda mentioned all these other vulnerabilities, too,  but it seems like the audience here might be on overload already.   Really securing home and small-office networks would be another good diary topic (or three), y'think?

                This may all read to the technically inexperienced reading here as really complex.   What's kinda sad is that what's been advised and written about here is, like, the lightest levels of security against the ravages of today's cyber-infrastructures.  So there's kinda an urgent need for the Occupy the Internet global progressives (with a nod to Anonymous) to become more security savvy and conscious.  

                This is why this group here on Dkos is much more important and needed than most might realize at this point.   I hope Kossacks will really start paying attention to these security methods and protocols.  Seriously.

                "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

                by sockpuppet on Thu Jul 12, 2012 at 11:20:31 PM PDT

                [ Parent ]

                •  Yeah, the problem is that even this is complex (2+ / 0-)
                  Recommended by:
                  sockpuppet, ladybug53

                  ...if you're not dealing with security stuff on a regular basis, I think. Just the idea of complicated passwords, with numbers and symbols, and software to store it, etc.

                  But people are just going to start having more instances of hacked accounts, full-on identity theft, etc, from preventable issues like securing their computers and networks properly.

                  But you're right, it's really overload to just get into wireless security (past just setting up WPA2 or whatever)...since it's unfortunately quite complicated when you consider other networks and devices.

                  I just hope too many people don't have to deal with identity theft BS and so forth before it becomes more-common to have extra security features enabled by default, in general.

                  Sadly, I suspect we'll see tons more headlines about sites being hacked, credit card numbers stolen, bank accounts drained, etc, etc, before this starts getting cleaned up. Much of that is the sites' fault, but some of it can be prevented by users being informed, of course.

          •  Symbol substitution (3+ / 0-)
            Recommended by:
            holeworm, sacrelicious, ladybug53

            I just want to echo the problem with number/symbol substitution (that is to say, writing some of the password in something that looks like L33T).

            Don't.

            Or, rather, feel free, but don't expect that it alone is going to make much difference in the password strength IF you are using the "normal" exchanges.  See, because those normal exchanges are expected, they are typically incorporated into dictionary attacks.  Adding even a fairly exhaustive list of substitutions that make sense (E/3, A/4, I/1) has very little impact on run time for a brute-force attack.

            Numbers (and symbols) are much better used in a way that can't be derived from the syntax of words or phrases.  The diary's suggestion to use them in place of the spaces between words in a passphrase is excellent, although ideally, you won't have the same one in each break.

            "All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." -Douglas Adams

            by Serpents Choice on Thu Jul 12, 2012 at 09:15:15 PM PDT

            [ Parent ]

            •  The use of a separator is definitely a great idea (1+ / 0-)
              Recommended by:
              ladybug53

              Especially since some sites will just mush together the space in your passphrase, so this prevents that. (And some might even cut you off after the first space, using it as a delimiter.) A phrase with some unique separators won't be brute-forced in any reasonable amount of time.

              The problem, of course, is that remembering the separators becomes impossible, unless you just keep a list again, in which case you're better off just using completely random passwords. You could play some games like making your separators "d a i l y" for DK, etc, but that's something that can be deduced and thus doesn't really add much real strength.

              So if someone gets your password through whatever other method (unencrypted database, hijacked site logging passwords, whatever), then they have your "key" as far as the separators go...

              So I'm not sure that it's not actually best to just use a simple letter or symbol (just something random that feels "comfortable"), just to prevent spaces from being removed. Better to concentrate on remembering a better phrase, if you use that method, than try to remember complex separators as well.

              •  Compromised separator patterns (0+ / 0-)

                The thing is, a separator pattern isn't like a password.  Sure, if you're a hacker, and you know that someone uses complex passphrases with non-whitespace separators, and you guess that the separators are consistent, then you've shaved some time off the cracking of the next password.  But you haven't shaved ENOUGH to matter.  If you're able to get a password like that, to anywhere, you're able to get a thousand passwords that are easier gateways to other information.

                By means of example, even if the hacker manages to get a one-site password raven5loop7key3gnat2 (which doesn't even bother with capital letters or symbols and is still pretty durable -- 1 quadrillion years to break, according to howsecureismypassword) and guesses that all my passwords include the first four primes in alphabetical order as spacers, that ... that really doesn't do them a whit of good at figuring out my other passphrases.  No sane hacker will follow up on that; they'll glean whatever benefit they got from the one compromised password, sure, but they'll look to other victims to continue elsewhere.

                "All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." -Douglas Adams

                by Serpents Choice on Thu Jul 12, 2012 at 10:03:59 PM PDT

                [ Parent ]

                •  Right, I'm not suggesting anyone would use (0+ / 0-)

                  that information to CRACK passwords. Rather, I'm suggesting that the separator just doesn't matter. If you're in a hypothetical situation where the separator actually is a security concern...well, I'm guessing the other party would have significant resources and be specifically targeting you.

                  The cracking time just isn't relevant; of course, you could narrow down the impossibly-large brute-forcing time with that knowledge. I'm talking about someone compromising a site to get your "raven5loop7key3gnat2" directly. If you are being targeted by an organization that can perform basic cryptanalysis...well, then they have your separator sequence, unless you go to the trouble of changing it around for every site (and more than just numbers at all.) It doesn't add much past just using all 0s or whatever. (And if you are in that situation, you should probably use completely random passwords anyways.)

                  Thus, unless you know you're being targeted by some organization, the separator isn't a big deal. It's a separator, and unless you want to get fancy and encode complex stuff into it that you have to remember or store somewhere, you may as well keep it simple.

                  Of course they still don't have the rest of your passphrase. That was kind of my point as well. You can put even MORE effort into a good passphrase if you don't have to worry about some complicated separator. You're better off dropping in a symbol or two randomly, if using a long phrase.
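The separator discussion above (Serpents Choice's per-gap separators versus holeworm's "just keep it simple" single character) comes down to how many bits each choice actually adds. The following is an added example, not code from the thread or from any commenter: it builds a passphrase from a constructed 16-word list with either one reused separator or an independent random separator per gap, estimates the guessing entropy of each variant on the assumption that the attacker knows the method and both lists, and checks that the result contains no whitespace, so the space-stripping and space-as-delimiter site behaviour the thread warns about cannot mangle it. The word list, the 21-character separator alphabet and the word counts are all assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed word list, for illustration only. A real one (the EFF long list,
# for example) has thousands of entries; only its size matters for the estimate.
WORDLIST = ["raven", "loop", "key", "gnat", "whirled", "peas", "sporty", "lantern",
            "copper", "violet", "meadow", "ember", "quartz", "harbor", "tundra", "saddle"]

# Separator alphabet (assumed): digits plus a few symbols. No whitespace, so a
# site that strips spaces or splits on the first one cannot merge the words.
SEPARATORS = string.digits + "!@#%^&*-_=+"


def build_passphrase(words, separators=None, fixed_separator=None):
    """Join words with a separator in each gap.

    fixed_separator: one character reused in every gap (the simple approach).
    Otherwise a fresh random separator is drawn for each gap (the stronger variant).
    """
    separators = separators or SEPARATORS
    parts = [words[0]]
    for word in words[1:]:
        sep = fixed_separator if fixed_separator is not None else secrets.choice(separators)
        parts.append(sep + word)
    return "".join(parts)


def generate_passphrase(n_words, wordlist=None, per_gap_random=True):
    """Pick n_words uniformly at random (secrets, not random) and join them."""
    wordlist = wordlist or WORDLIST
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    if per_gap_random:
        return build_passphrase(words)
    return build_passphrase(words, fixed_separator=secrets.choice(SEPARATORS))


def entropy_bits(n_words, wordlist_size, separator_choices, per_gap_random=True):
    """Guessing entropy in bits when the attacker knows the method and the lists
    and only has to guess the random choices.

    Each word contributes log2(W). One separator reused in every gap adds
    log2(S) once in total; an independent draw per gap adds log2(S) for each
    of the n_words - 1 gaps.
    """
    bits = n_words * math.log2(wordlist_size)
    gaps = n_words - 1
    if per_gap_random:
        bits += gaps * math.log2(separator_choices)
    elif gaps > 0:
        bits += math.log2(separator_choices)
    return bits


def survives_site_mangling(passphrase):
    """True when the passphrase has no whitespace, so a site that strips spaces
    or treats the first space as a delimiter stores exactly what was typed."""
    return not any(ch.isspace() for ch in passphrase)


if __name__ == "__main__":
    for variant in (True, False):
        pw = generate_passphrase(4, per_gap_random=variant)
        bits = entropy_bits(4, len(WORDLIST), len(SEPARATORS), per_gap_random=variant)
        print(f"per-gap random={variant}: {pw!r}  ~{bits:.1f} bits")
```

With a 7776-word list and 21 separator choices, four words with one reused separator give about 56 bits, and four words with a fresh separator per gap about 65 bits; the separators are worth roughly 4.4 bits each, so they help, but only a fifth word (another 12.9 bits) moves the estimate by more than all of them put together, which is the trade-off both commenters are describing.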

    •  Really? Damn. Quoting you. (3+ / 0-)
      Recommended by:
      holeworm, MKSinSA, sockpuppet

      An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

      by OllieGarkey on Thu Jul 12, 2012 at 03:47:55 PM PDT

      [ Parent ]

    •  Storing passwords in clear text? (1+ / 0-)
      Recommended by:
      holeworm

      It is theoretically a no-no. They should be using a one-way encryption hash that is run n times against your password. Makes it really, really hard to crack. But if you lose your password, there is no getting it back, and then it all hinges on how strong the password is on your email when you request a new one.

      "You can die for Freedom, you just can't exercise it"

      by shmuelman on Thu Jul 12, 2012 at 09:21:30 PM PDT

      [ Parent ]

      •  I was simplifying... :) (0+ / 0-)

        I meant sites that remove spaces before applying one or more one-way hashes (preferably a series of different hashes, with a reasonable minimum runtime/number of rounds, that can be tweaked upwards as CPUs get faster), then do the same when you again log in with your password, removing any entered spaces before hashing it to check against the stored hash.

        That's a little complicated though, so I went with storing passwords. :)
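The storage scheme sketched in the last few comments (a salted one-way hash, iterated many rounds, with the round count raised as CPUs get faster, and any space handling applied identically at enrolment and at login) and the contrast with the unsalted scheme blamed for the LinkedIn leak earlier in the thread can be shown concretely. This is an added example and not code from any commenter or site: it uses PBKDF2-HMAC-SHA256 from Python's standard library as the iterated hash, stores the iteration count and the per-user salt alongside the digest so old records can be recognised and upgraded, and includes the weak unsalted SHA-1 variant only to show why identical passwords become visible without a salt. The 600,000-round default is an assumption for illustration, not a figure from the thread.

```python
import hashlib
import hmac
import os

# Assumed default. This is the knob to "tweak upwards as CPUs get faster".
PBKDF2_ITERATIONS = 600_000


def normalize(password):
    """Canonicalise exactly the same way at enrolment and at login.

    The thread describes sites that strip internal spaces; whatever a site
    does must be done on both paths. This helper keeps internal spaces and
    removes only surrounding whitespace, the less surprising choice.
    """
    return password.strip()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per user, per enrolment
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and round count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"),
        bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record, current_iterations=PBKDF2_ITERATIONS):
    """True when a record was made with fewer rounds than today's setting, so it
    can be replaced transparently at the user's next successful login."""
    return int(record.split("$")[1]) < current_iterations


def unsalted_sha1(password):
    """The weak scheme the thread contrasts against: no salt, one fast round.
    Every user with the same password gets the same stored value, and a single
    precomputed table serves an entire leaked list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_count(stored_values):
    """How many stored values repeat. A leak of unsalted hashes exposes shared
    passwords before a single guess is made; salted records never repeat."""
    return len(stored_values) - len(set(stored_values))


if __name__ == "__main__":
    # Constructed sample: three users, two of whom chose the same password.
    users = {"alice": "password", "bob": "password", "carol": "I <3 sporty $pice"}
    weak = [unsalted_sha1(p) for p in users.values()]
    strong = [hash_password(p, 10_000) for p in users.values()]
    print("duplicates visible, unsalted SHA-1:", duplicate_count(weak))
    print("duplicates visible, salted PBKDF2: ", duplicate_count(strong))
    rec = hash_password("I <3 sporty $pice", 10_000)
    print("login ok:", verify_password("I <3 sporty $pice", rec),
          " needs upgrade:", needs_rehash(rec))
```

The record format is the point: because the salt and round count travel with the digest, the verifier never needs a global secret, and raising PBKDF2_ITERATIONS later does not invalidate anyone; old records simply report needs_rehash() until the user next logs in.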

  •  About that howsecureismypassword.net... (11+ / 0-)

    First, it's JavaScript, not a Java applet. This is an important distinction, since Java is prone to more serious security holes than JavaScript.

    Also, if someone hijacks the site, they can certainly modify the code to submit typed data back through to the site. So I wouldn't trust ANY password-checking site, based on that! Even if the current version looks nice and safe.

    Now, that is a good site to test a TYPE of password, as you do point out. It's just important to remember that it's not really a good idea to use a REAL password that you've checked there.

    As the diarist says, play with it until you have a feel for what's secure.

    A locally installed application is safe to test passwords with, since it can't be hijacked and modified in the same fashion.

    •  Do you want to write a diary for us on (6+ / 0-)

      a topic like this? Send me a message.

      An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

      by OllieGarkey on Thu Jul 12, 2012 at 03:54:14 PM PDT

      [ Parent ]

      •  Thanks for the great diary. And for translating (7+ / 0-)

        your sig lines, my Gaelic is minimal. :-)

         How about foreign words? Do they fall to the same dictionaries or not? I'd think that Gaelic or one of the Slavic languages would be good if the hackers stick to English dictionaries.

        Information is abundant, wisdom is scarce. The Druid

        by FarWestGirl on Thu Jul 12, 2012 at 04:38:16 PM PDT

        [ Parent ]

        •  Yeah. A few of my passwords are in Scots Gaelic. (8+ / 0-)

          I'm assuming that no one speaks dead languages.

          "Is Treasa Tuath na Tighearna !&$% 1689" was one of my passwords once.

          An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

          by OllieGarkey on Thu Jul 12, 2012 at 04:57:15 PM PDT

          [ Parent ]

          •  Extra credit if you can figure out what those (6+ / 0-)

            symbols mean.

            An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

            by OllieGarkey on Thu Jul 12, 2012 at 04:57:41 PM PDT

            [ Parent ]

          •  Balderdash! Scots Gaelic is not dead. (0+ / 0-)

            Especially since my brother learned it as a living language from native speakers.  His kids are also fluent and one teaches in a Gaelic public school.....dead indeed!!

            Admittedly numbers of native speakers had dwindled but hopefully they are on the rise again. I know this is a topic for another time, another place.

            Lucky this is an open thread...and now back to our main topic....

            Really enjoying both diary and comments.  Learned a lot.  Look forward to more in future.  

            •  I wish that I could rec you for this comment. (0+ / 0-)

              Unfortunately, I did not see it till now.

              There are actual dead languages that I use on occasion (a friend I know uses Sumerian passphrases).

              You are correct. Gaidhlig is alive. That's why I'm trying to learn it, though I worry that once I do, I will have no one to speak it with.

              An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

              by OllieGarkey on Sat Jul 14, 2012 at 01:59:59 AM PDT

              [ Parent ]

    •  javascript (6+ / 0-)

      Very hazardous while cruising on the Net with "all javascripting enabled."  

      If you use Mozilla Firefox (I do, so I don't know about Bing, and I never use IE or Safari), you can get a good add-on:  No Script.   I'm using it now, here on Dkos.

      You really only want to go to sites you know and trust with scripting enabled.   There are many websites with malware coded into them that can jump into your machine just because you clicked on them.   Sometimes even the sites you trust won't know they have malware hacked into them.

      So it's good to turn off scripting when going out on the Net.    "No Script" makes it a bit easier to manage this.

      "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

      by sockpuppet on Thu Jul 12, 2012 at 05:35:13 PM PDT

      [ Parent ]

      •  +1 for suggesting NoScript; also HTTPS Everywhere (4+ / 0-)
        Recommended by:
        sockpuppet, PeterHug, BachFan, OllieGarkey

        Running random JavaScript on every page you visit is indeed a bad idea. NoScript makes it easy enough to actually set what sites can do what...

        HTTPS Everywhere is another highly-useful extension. It forces the use of HTTPS (an encrypted connection) whenever possible, since most sites will default to plain-old unencrypted HTTP, even if they support HTTPS.

        •  Yes, I also use HTTPS Everywhere (2+ / 0-)
          Recommended by:
          holeworm, OllieGarkey

          NoScript and HTTPSEverywhere can cause you some momentary bumps in trying to get into or onto a site.  But hey, the tradeoff is worth the security.

          Just decide that your online security/privacy is of utmost importance, and then all the passphrase and NoScript drills, and logins to your machine/s become a painless effort in your own behalf.  It's worth it!  (And you have to train family members on your network and machines to be diligent and responsible, too.)

          "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

          by sockpuppet on Thu Jul 12, 2012 at 05:48:51 PM PDT

          [ Parent ]

    •  If You Can Store A Local Copy And Run It... (0+ / 0-)

      ...disconnected from the Net, that avoids the issue of trusting that it's not a password-harvester trick.

      On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

      by stevemb on Fri Jul 13, 2012 at 06:57:47 AM PDT

      [ Parent ]

  •  Storing and managing your secure passwords... (6+ / 0-)

    When one does have secure passwords, especially unique ones for every site, remembering them becomes impossible. So you do need to store them somewhere. Writing them down on paper is an option, but as the diarist points out, not feasible in office environments, etc.

    I personally keep my passwords on my laptop, in an encrypted file. (Which is on an encrypted disk on top of that, for additional security in general.) Remember, even if your computer is locked or shut down, if the file isn't encrypted someone can simply pull it off the disk. So you shouldn't EVER store unencrypted passwords on a computer in a regular text file. If someone gets your computer, they get your passwords.

    There are lots of good password managers available. They can generate passwords, store them, and fill them in on web forms and the like. For a lot of people, that's probably the easiest way to manage and store secure passwords.

  •  How do you feel about (2+ / 0-)
    Recommended by:
    weck, sockpuppet

    Password-storing tools?

    I'm not familiar precisely with exactly what I said, but I stand by what I said, whatever it was. -- Mitt the Twit

    by Senor Unoball on Thu Jul 12, 2012 at 04:36:39 PM PDT

    •  Password-storing tools are excellent! (4+ / 0-)

      Not only can they generate random passwords, they can securely save them on your disk, and fill them into forms and such. (I'd go a step further and recommend whole-disk encryption as well, though.)

      There are some security risks, but they can be mitigated. For example, don't remotely log in to your machine that has passwords stored (screen sharing, ssh, etc.) Don't trust that the password manager itself is storing them properly (thus whole-disk encryption as well.) Don't store them in a text file; see my comment immediately above yours!

      For the most part, they're safe, and they let you generate virtually-uncrackable random strings...which are really the "gold standard" in secure passwords. (Just too hard for us humans to remember lots of 10 - 15+ character random strings, without a utility to help.)

      •  I use passwordsafe. I am very happy with it. (2+ / 0-)
        Recommended by:
        holeworm, Senor Unoball

        The chance that my computer will be stolen and the password vault decrypted is asymptotic to nil. On the other hand, I don't store passwords in my browser. There is something odd about that, like having your laptop stolen and having the browser open. Everything is available in that case.

        "You can die for Freedom, you just can't exercise it"

        by shmuelman on Thu Jul 12, 2012 at 09:01:27 PM PDT

        [ Parent ]

        •  Having your laptop stolen is only a $$$ issue... (2+ / 0-)
          Recommended by:
          KenBee, Senor Unoball

          ...if you're using whole-disk encryption. Doesn't matter if the browser is open if they can't wake the machine up from sleep, and if plugging the drive into something else just gets you an unusable encrypted partition.

          But I still don't store any important passwords in my browser either. Always a risk that some security hole will cause my browser to dump random data to a malicious site...

  •  A strong password phrase method (8+ / 0-)

    The method I use is to take my favorite phrase/s and take the first letter of each word in the phrase, and to also capitalize and punctuate the phrase as a sentence.

    So, a password phrase would look like this:

    "I love to read Daily Kos every day."

    Would become:  IltrDKed.

    And then add some numbers, like your sister's husband's birthday.  And then a couple of symbols.

    And I like the suggestion here by the diarist to add brackets or parentheses around the whole thing.

    So the final passphrase would be:

    [IltrDKed.0419^%]

    Trust me, it's really easy to remember, when it's something you're really familiar with saying.  Just say it to yourself, properly punctuated, remember the date you put in, and the symbols, and bracket the whole thing.  Very strong passphrase!

    Do not use this example I've given here as your password, whatsoever!

    Also, the advice here to not use any "single word in the dictionary" is good, but I would expand that to say, don't use a word in any language.  Which as you can see from the example I gave here, is true.

    This is getting serious, folks.  Please pay attention to your online security!!

    "I'm glad I don't know how it feels to vote to withhold basic human rights from someone else." DavidW-DKos

    by sockpuppet on Thu Jul 12, 2012 at 04:44:07 PM PDT

    •  GMTA (1+ / 0-)
      Recommended by:
      sockpuppet

      I posted a somewhat simpler version of the same basic idea before reading the whole thread.

      The only thing I can think of to add is to pick a phrase that nobody else would ever associate with you (e.g. "I love to read Free Republic every day.") (OK, bad example since it's actually true in my case -- hey, there are people who get paid to write comedy who are less amusing than FReepers....)

      On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

      by stevemb on Fri Jul 13, 2012 at 07:04:00 AM PDT

      [ Parent ]

  •  I found that the Na'vi language (3+ / 0-)
    Recommended by:
    cassandracarolina, weck, sockpuppet

    combined with "L33T" has opened up whole new vistas of possibilities with both passwords and vanity license plates.

  •  What do you think of using verses of a song (2+ / 0-)
    Recommended by:
    cassandracarolina, sockpuppet

    for passwords, and same or similar user ids, and storing which verse goes to which site on a password encrypted file on your computer?  The passwords would, of course, be based on your tips.

    "I cannot live without books" -- Thomas Jefferson, 1815

    by Susan Grigsby on Thu Jul 12, 2012 at 05:07:30 PM PDT

  •  I used to get away with this one (3+ / 0-)
    Recommended by:
    sockpuppet, wu ming, holeworm

    When I was an instructor, I used to use a password that was meant to confuse the students, as they could, with the proper tools, find out the password. The default setting when there was no password, was NONE. So I typed in the password to be NONE. Needless to say, I had great fun as the students would think there wasn't a password, rather than the password was actually NONE.

  •  All my passwords are obscene phrases. (4+ / 0-)

    If I knew any obscene symbols I'd add those too.

    Tracy B Ann - technically that is my signature.

    by ZenTrainer on Thu Jul 12, 2012 at 05:25:40 PM PDT

  •  Thanks (3+ / 0-)
    Recommended by:
    sockpuppet, OllieGarkey, ladybug53

    The radical Republican party is the party of oppression, fear, loathing and above all more money and power for the people who robbed us.

    by a2nite on Thu Jul 12, 2012 at 05:35:49 PM PDT

  •  Daily Kos is a weak link in password security (5+ / 0-)

    Never use the same username and password on your secure accounts (banks, etc) as you use here on Daily Kos.  See, Daily Kos is not a secure web site (https) and so when you enter your name and password to log on, they are sent as clear text.  If someone were to intercept your username and password here, they could use that pair on secure sites such as wellsfargo.com, schwab.com, and so forth, until they find a place where you use the same pair for "important" security.

    If you have a "secure" password that you use for important information, never ever use that login on any site that does not show the lock icon to indicate that the login info will be encrypted before it is sent to the server.

    "They let 'em vote, smoke, and drive -- even put 'em in pants! So what do you get? A -- a Democrat for President!" ~ Faster, Pussycat! Kill! Kill!

    by craiger on Thu Jul 12, 2012 at 05:39:53 PM PDT

    •  It is, but it's irrelevant if it's https or not (3+ / 0-)
      Recommended by:
      OllieGarkey, KenBee, sacrelicious

      The large-scale breaches don't come from people sniffing traffic. They come from site databases being hacked and the passwords cracked, or the sites being hacked and passwords stolen over time.

      You should not have "a" secure password. (I read your comment as suggesting that, sorry if it was just ambiguous.) You should have a SEPARATE secure password for each site you use.

      It doesn't matter if it has an https lock icon on it or not. If the site database is compromised, and you use the same password elsewhere, your other accounts are compromised as well.

      I don't even use the same username on anything important; e.g., all my financial logins have unique email addresses and usernames (but all forward back to me.)

      You can do this with Gmail, for example. If your email address is webmaster@gmail.com, you can use webmaster+dailykos@gmail.com (so add a + sign and then whatever), and it'll go to you as well. But you've now created a semi-unique email address, that can be used to improve your security!

      •  Partly true (0+ / 0-)

        See firesheep - a firefox plugin that allowed you to steal nearby users' passwords if they were using non-secured (http) and on the same access point (i.e., at a coffee shop).

        --
        Make sure everyone's vote counts: Verified Voting

        by sacrelicious on Thu Jul 12, 2012 at 11:06:23 PM PDT

        [ Parent ]

        •  Who even needs that? Just tcpdump... (0+ / 0-)

          Dump hex packets, see http data, see passwords. Of course, an extension does make it easier for the average person (who's probably more malicious than a researcher) to hijack sessions.

          Your password can be hijacked at lots of points. It could be on the wireless network. Someone could be sniffing your packets off a wired switch. The end site could be compromised. You could be subject to a man-in-the-middle attack, even with an apparently-valid ssl certificate.

          That wasn't really my point, though. What I said was that large-scale breaches don't come from sniffing; I wasn't suggesting that unencrypted wireless traffic is going to be immune from local sniffing. Just that you're not going to get 500k compromised passwords at once from doing that.

          Of course, you should be careful with your wireless security, especially on a public network. Or even on a friend's network. Don't log into anything you care about that isn't via https unless you're on a properly-secured home or office network. (Again, HTTPS Anywhere is great for helping with that.)

  •  One way to vary the passwords (3+ / 0-)
    Recommended by:
    holeworm, OllieGarkey, ozsea1

    is to mentally encode the name of the website, for example Daily Kos could be "4" as in the fourth letter of the alphabet, or 411 (for 4th and 11th).
    Insert that in front or behind your nifty string.

    I do this for websites that I don't feel matter very much, making it easier for me to remember. For example, [Niftystring411] for DKos, [Niftystring14] for Netflix, etc. I can write these down in a logbook but can probably guess on a given website by typing my usual nifty string and the code #.

    For bank passwords, paypal, etc. I use something unrelated to this system. So my Niftystring wouldn't help them even if they got it.

    ~On, Wisconsin! On, Wisconsin! Raise her glowing flame!~ I am proud to say three generations of my family lived in WI. Though I live elsewhere, am with you in spirit!

    by sillia on Thu Jul 12, 2012 at 05:47:58 PM PDT

    •  I use something similar for unimportant sites (2+ / 0-)
      Recommended by:
      OllieGarkey, sillia

      (Of course, I can't give you the details since that would reduce the strength of my security measures... :)

      But, yeah, I have lots of passwords that I can usually "calculate" in my head based on the site and some other data, and it's stored in an encrypted file if I can't remember it. Those types of sites I can usually just store logins for in my browser, anyways.

      Like you said, for financial passwords and the like, it's not a good system. But it is quite useful when it wouldn't be a big deal if someone got into your account and/or learned your password.

  •  Next diary please: Home Wireless Security (6+ / 0-)

    I use a non-meaningful network name on mine, but some of my neighbors are broadcasting "Smith family network", and so forth, right out to the street... sheesh!

    Have you noticed?
    Politicians who promise LESS government
    only deliver BAD government.

    by jjohnjj on Thu Jul 12, 2012 at 06:24:58 PM PDT

    •  Planning on it! (And see my previous comment) (2+ / 0-)
      Recommended by:
      OllieGarkey, KenBee

      http://www.dailykos.com/..., covers some basic measures at least.

      Of course, that just touches on those basics. I've actually been in touch with the diarist and plan on writing something about personal Internet security measures in general...and that would definitely include wireless security measures, for a start.

      Hell, we could do a whole series on these related topics. I don't usually think of DK as a place to go for tech info, but it's clear that this diary has made quite a few users improve their password security!

    •  The network name is not the issue. (3+ / 0-)
      Recommended by:
      KenBee, holeworm, ladybug53

      It is the encryption on the network (your network key). The book "Wi Foo" http://www.amazon.com/... shows many methods of cracking your encryption protected wireless network, but it does require proximity to the radio signal. I do not do serious commerce, bank stuff, brokerage, over a wireless connection.
      Let's all remember though, there are no secrets from the US Government, who taps into the net at its source, and has spent billions of dollars to make sure you are not being subversive.

      "You can die for Freedom, you just can't exercise it"

      by shmuelman on Thu Jul 12, 2012 at 08:58:12 PM PDT

      [ Parent ]

  •  Scientific names can be good. They can be long, (5+ / 0-)

    they are memorable, and they might not show up in many dictionaries, even Latin dictionaries (because they are often formed by latinizing someone's last name).  I don't actually use any of them right now, but for a long time I used variations on bird names that I would be able to remember easily - e.g., turdus migratorius or bombycilla cedrorum - with a number substitution or two.  A species like buteo swainsonii has the added bonus of the latinized proper name to add confusion.

    Probably doesn't work as well with popular/charismatic species.  I wouldn't suggest any password incorporating panthera tigris, for example.  Or dinosaurs.  

    •  Scientific names ARE in there; length also isn't (3+ / 0-)
      Recommended by:
      KenBee, lineatus, ozsea1

      a huge factor when brute-forcing anyways, as long as it's in the dictionary. (Of course, I'm simplifying since length adds complexity when dealing with things like I->1/5->$/etc substitutions, with the added possible combinations of such.)

      The usual "smaller" typical system dictionaries don't generally include them. However, the larger sets contain everything from proper names, to scientific names, to things I can't even identify.

      In fact, I just checked one of my dictionary files (and it's not even the largest by far; I'm not sure where those went. This one is about 230k words.) TURDUS is in there, as are BOMBYCILLA, CEDRORUM, and SWAINSONII. Migratorious is the only one that's not in there!

      There are plenty of things that are "weird" and still in there, e.g. 68 words that end in "ii" including obscure (for me) things like CHONDROPTERYGII, LABYRINTHIBRANCHII, and PLEUROPTERYGII.

      So basically, scientific names aren't really that great... :)

      •  Good to know. (2+ / 0-)
        Recommended by:
        ozsea1, holeworm

        Migratorius might be in there too - I don't know if you just have a typo in your comment or if your search also included the "o" in the spelling.  But if so, that gives one way to complicate things... the addition of a superfluous letter or two.

        •  Oops, I did typo my comment. No migratorius, (1+ / 0-)
          Recommended by:
          lineatus

          but your suggestion is a good one, if done in a reasonable fashion. Keep in mind that it needs to be done differently for each password... For example, if you just double the first vowel, or something like that, that's a possible weakness, say if someone is sniffing your traffic and notices a couple of these.

          The odds of someone analyzing a single attack (unless you're being specifically targeted) like that are about zero, though. Most attackers doing that crap would probably just get confused by the Latin names and give up.

          In any case, it still does make a good "base", since using uncommon words like that breaks the "simpler" dictionary attacks in general, though just stringing 2 words along isn't sufficient. Sticking in a couple symbols or deliberate, unique typos, though, would make that plenty secure.
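The dictionary-file test described in this sub-thread, written out as an added example (not code from the thread or its commenters): a small Python checker that undoes common character substitutions and then asks whether a candidate password is a listed word, or a concatenation of listed words such as two Latin names strung together. The word list is constructed here to stand in for the commenter's 230k-word dictionary file, and the substitution table is a typical one rather than anything the thread specifies.

```python
"""Added example: password check against a word list, with leet substitutions undone.

The WORDLIST below is constructed for this example; a real check would load a
large system dictionary (e.g. /usr/share/dict/words) instead.
"""
import re
from typing import List, Optional, Set

# Constructed word list: the bird names and "ii" words the commenter found in
# a dictionary file, plus a few ordinary words mentioned earlier in the thread.
WORDLIST: Set[str] = {
    "power", "food", "munchies", "love", "read", "daily",
    "turdus", "bombycilla", "cedrorum", "swainsonii", "buteo",
    "panthera", "tigris", "chondropterygii", "pleuropterygii",
    "labyrinthibranchii",
}

# Common substitutions (I->1, S->5/$, A->@ ...) mapped back to letters, so the
# check sees "Turdu$" as "turdus". Typical table, assumed for this example.
UNLEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
          "$": "s", "@": "a", "!": "i", "|": "l"}


def unleet(text: str) -> str:
    """Undo digit/symbol substitutions on an already lower-cased string."""
    return "".join(UNLEET.get(c, c) for c in text)


def segment(s: str, words: Set[str]) -> Optional[List[str]]:
    """Split s into a sequence of dictionary words that covers it entirely.

    Dynamic programming over prefixes: best[i] is a split of s[:i], or None.
    Returns None when no such split exists (e.g. one part is not a word).
    """
    if not s:
        return None
    best: List[Optional[List[str]]] = [None] * (len(s) + 1)
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            prefix = best[start]
            if prefix is not None and s[start:end] in words:
                best[end] = prefix + [s[start:end]]
                break
    return best[len(s)]


def weaknesses(password: str, words: Set[str] = WORDLIST) -> List[str]:
    """Return human-readable reasons the password is weak; [] means none found."""
    found: List[str] = []
    lowered = password.lower()
    # Inspect the letters both as typed and with substitutions undone, so
    # that neither "turdus" nor "turdu$" nor "7urdu5" slips through.
    cores = {re.sub(r"[^a-z]", "", lowered),
             re.sub(r"[^a-z]", "", unleet(lowered))}
    for core in cores:
        if core in words:
            found.append(f"dictionary word: {core}")
            break
        parts = segment(core, words)
        if parts and len(parts) > 1:
            found.append("dictionary words joined: " + "+".join(parts))
            break
    if len(password) < 12:
        found.append(f"only {len(password)} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        found.append("fewer than three character classes")
    return found


if __name__ == "__main__":
    # Constructed candidates; none of these should be used as a real password.
    for candidate in ("power", "Turdu$", "B0mbycilla-Cedr0rum", "[IltrDKed.0419^%]"):
        print(candidate, "->", weaknesses(candidate) or "no weakness found")
```

Only the two-word Latin candidate and the passphrase-derived string pass the character-class and length tests, and the Latin one is still flagged because both halves are in the list.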

  •  thanks for the wakeup (2+ / 0-)
    Recommended by:
    holeworm, OllieGarkey

    strengthened my passwords because of it.

    "We can't solve problems by using the same kind of thinking we used when we created them." - Albert Einstein

    by pickandshovel on Thu Jul 12, 2012 at 06:51:21 PM PDT

  •  I have a list of passwords... (3+ / 0-)

    but it's a JPG inserted into a word doc, with a dull name.

    And I only list the CLUE to the password, not the password itself   (ie, a fictional reference that really is only going to make sense to me.)

    But I like the idea of making phrases or longer passwords.  I have trouble remembering them, I need a list!  

    •  This is "security through obscurity," and not (3+ / 0-)
      Recommended by:
      OllieGarkey, KenBee, JanetT in MD

      really a good idea...

      Use a password manager, an encrypted file, whatever...and you can have proper secure passwords (and fully list them out, not just list a clue!)

      The problem with things like personal references is that it may be possible to perform cryptanalysis. Have you gone through your entire list and tried to figure out if anyone else might spot a pattern? (And it's HARD to do that yourself, with that type of list, since you're biased with your own data...thus making it not a great security measure.)

      So, yeah, do make phrases and longer passwords! Use symbols! And make a list, just store it securely and safely, using known encryption.

      A few other folks pointed out good password managers elsewhere in the comments; you might want to take a look at those.

  •  A few other ideas... (10+ / 0-)

    First, re: myself - I've worked in the computer security industry since the 1980's, so I've been around the block a few times on this topic.  I architect/engineer products to combat attacks from sources varying from script kiddies to foreign government cyberwarfare.  I look forward to seeing more diaries here and hope I can contribute once in a while, although work's pretty crazy right now and that limits my time (it's 10pm and I'm still at the office :-().

    The advice given so far (especially re: phrases and character substitution) is absolutely great advice.  All of my passwords incorporate these techniques.

    RE: sharing passwords across sites: Actually, a common practice I've seen and use myself is that you don't really have to use a different pw on EVERY single web site you use.  Even with a good password creation algorithm and password manager tools, that can get tedious.  The recommendation I have is to categorize the web sites at which you need accounts based on the site's "value" to you. For very low value sites, you can consider sharing a password among some of them.  

    What's valuable to each person may of course vary.  For example, I have accounts on a bunch of media/news web sites just to read news articles or perhaps to be able to occasionally post something (which I almost never do).  There's really nothing wrong with using the same password across those sites.  If someone hacks that password,  there will be no real (financial) harm done to me.  It's not likely to happen since it's a strong password, but if it happened, I'm not gonna worry.

    If I pay for site access, then I put that site in a slightly more important class and may use the same phrase for those sites but vary them per site by including something from the site's name sprinkled into the phrase.  For example, take the first and last letter of the site name (e.g. "ds" for DailyKos) and stick those letters as, say the 2nd and next to last character in the phrase.

    For sites where my online reputation is really valuable to me (e.g. social media sites, blogs), I use a longer/tougher phrase and modify the substitution/tailoring algorithm.

    This way, I can at least remember the passwords without having to go to my password vault (which I do use).

    For financial sites where my money lives?  Those all get truly random passwords and I do have to look them up in my vault.

    My point is that the requirement for uniqueness can be relaxed a bit if you categorize the sites by their "value" to you.

    "Truth is, everybody is going to hurt you. You just gotta find the ones worth suffering for." ~ Bob Marley

    by cyberKosFan on Thu Jul 12, 2012 at 07:03:36 PM PDT

  •  How do I know that you're not really trying to (5+ / 0-)

    trick me into divulging the password for all my accounts, including my swiss bank accounts, which is so clever no one could ever possibly figure it out unless I personally divulge it?
    Huh?
    Just kidding. Thanks for the information!

    You can't make this stuff up.

    by David54 on Thu Jul 12, 2012 at 07:49:23 PM PDT

  •  Can I have my passwords all listed (1+ / 0-)
    Recommended by:
    MKSinSA

    in a Word document on my computer that has a file name that doesn't hint that it might be a Word document that has my passwords? So, for example, a file called "Rick Santorum" that lists all my gay porn passwords? Or do I really have to use pen and paper?

    One boy against the Stock Market all Wall Street ascream. --Allen Ginsberg, "Elegy Ché Guévara"

    by Anak on Thu Jul 12, 2012 at 07:56:19 PM PDT

  •  about yahoo (2+ / 0-)
    Recommended by:
    Heart of the Rockies, KenBee

    which pretty much bites.  And I realize this is somewhat ot, but...

    As you probably know, some group released a big bunch of yahoo email addresses (including mine from what I can tell) as well as passwords.

    I've changed my password as well as the one on my FB page just as a precaution...

    anything else I should do?  

    •  Don't use Yahoo? (0+ / 0-)

      An Fhirinn an aghaidh an t'Saoghail. (The truth against the world.) Is treasa tuath na tighearna. (The common people are mightier than the lords.)

      by OllieGarkey on Thu Jul 12, 2012 at 08:26:01 PM PDT

      [ Parent ]

    •  How did you decide yours (0+ / 0-)

      had been released?

      •  I went through dazzlepod.com (1+ / 0-)
        Recommended by:
        KenBee

        and I would stop using Yahoo (I was already getting lots of spam) but I have had this account for over a decade and lots of friends use it...

        So I did change my pw and do not use the same one ever on any other sites.  And there is nothing of any use in my profile..

        Thanks so much for the help/s

    •  The Yahoo leak is overblown... see the diary and (0+ / 0-)

      comments at http://www.dailykos.com/... for some more details.

      There's a PBS link there to check if you were affected, but I'm not including it myself because it's http-only with no https, and I don't think submitting usernames over http for something like this is the best idea.

    •  Oh, and also, it primarily WASN'T Yahoo addresses (1+ / 0-)
      Recommended by:
      KenBee

      The Yahoo Voices (not the Yahoo Voice IP phone service) service had lots of different email addresses registered, not requiring a yahoo.com address; it was a different service that Yahoo acquired.

      I just checked the data file and only 138835 of 453492 listed addresses (about 31%) include "yahoo.com" in the address. So the vast majority are NON-Yahoo addresses.

      So changing anything, other than your Yahoo account, just because you have a Yahoo address, isn't going to be particularly useful. You really need to be checking all of your accounts. (Anyone have a good link, to a reputable site, that's actually https/etc, to do so? Obviously, most people don't need to do security analysis on the entire file.)

      It would make sense to change any Yahoo account to be safe, in case they did sync the accounts and passwords for their primary services with this Yahoo Voices crap.

      As long as you didn't use the same password elsewhere, you should be fine. If you did, you should check to see if you're there...whatever email address you used.

  •  More things you can do to protect your passwords (3+ / 0-)
    Recommended by:
    holeworm, KenBee, cyberKosFan

    I use passwordsafe, a password vault (free software) for added security. Really, I don't even know most of my passwords. I have them automatically generated for anything that deals with money (you can hack my netflix account - I only use multi/string?phrase passwords for those), and stored with a master password. You can then cut and paste usernames and passwords to the browser. This gives you the added security of bypassing the keyboard so that even if your keystrokes were tracked, it would not be recorded.
    For my brokerage account, I have gone with an RSA fob that generates a new 6 digit key every minute. This is because a fella in Maine had $250K stolen from his account over three days, and the bank won in court (a foolish decision made by a judge who didn't understand technology, IMHO) because his computer had been hacked.
    Another point: ALWAYS BE PARANOID. I couldn't agree more about (not) using wireless at Starbucks to do commerce. I don't use wireless in my house except to stream movies. The WAP stuff can be hacked fairly easily.

    "You can die for Freedom, you just can't exercise it"

    by shmuelman on Thu Jul 12, 2012 at 08:48:01 PM PDT

    •  Recced for "ALWAYS BE PARANOID" (1+ / 0-)
      Recommended by:
      cyberKosFan

      Seriously. Take that advice to heart.

      Be paranoid about anything you do and everywhere you go on the net. Be paranoid about where and how you connect any device.

      As for SecurID fobs, there have been recent discussions about the security possibly being broken. (Independent of the OTHER security issue a year? or so ago that required a bunch of fobs to be reissued.)

      I like the concept of SecurID fobs, I just don't like that they rely on unauditable security that can't be properly tested...

      •  I heard that some generating keys were (1+ / 0-)
        Recommended by:
        holeworm

        stolen from RSA. Is nothing sacred? No one knows if this caused a security problem for its users. On the other hand, every level of effective security makes you less of a target in favor of the witless schlub that leaves his door unlocked.

        "You can die for Freedom, you just can't exercise it"

        by shmuelman on Thu Jul 12, 2012 at 09:05:17 PM PDT

        [ Parent ]

        •  There has been some talk of it being fully broken (1+ / 0-)
          Recommended by:
          shmuelman

          Here's an article about the latest issues. It's unclear whether or not this fully compromises the security; at worst, it could indeed make it possible to "watch" a SecurID fob and extract the key generation sequence. Or it might just make other possible attacks worse; I haven't read the paper in detail, nor do I understand all of the crypto math involved.

          The issue a year or so ago did involve some root keys being leaked; they had to reissue tons of fobs because of that.

          Now, if there's an attack against the generation mechanism...that's FAR more serious. But again, it's unclear if that's actually the case.

          •  that research was not about the one-time passwords (2+ / 0-)
            Recommended by:
            holeworm, shmuelman

            BTW - I actually do understand the crypto involved.

            The research referred to in that link had nothing to do with one-time passwords (OTP) generated by fob devices from companies like RSA. Those OTP algorithms almost all rely on what's called shared "symmetric" keys.

            The research was about a way to attack "smart-card" devices that deal primarily with "asymmetric" keys.  Those kinds of keys are used for things such as encrypting and decrypting application data such as email.  RSA explained in their blog post (linked to in the article) why this doesn't put OTP customers at risk and why the research really didn't put their smart-card customers at risk. Simply put, the attack requires access to the smart card and the user's PIN used to unlock the device.  If you have those, you don't need to run the attack because you can ask the smart card to just decrypt the data for you anyway.

            The reason that this got confused with the OTP technology is a) that specific RSA product mentioned (SecurID 800) is actually 2 completely separate products in one device (an OTP token and a USB smart card), and b) there was some really bad reporting about the research that confused things.

            "Truth is, everybody is going to hurt you. You just gotta find the ones worth suffering for." ~ Bob Marley

            by cyberKosFan on Fri Jul 13, 2012 at 07:26:59 AM PDT

            [ Parent ]
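The fob described further up (a new 6-digit code every minute) and the shared "symmetric" key this comment explains, shown together as an added example that is not code from the thread or from RSA: a time-based one-time password token and verifier in Python. SecurID's own algorithm is proprietary, so this uses the open TOTP standard (RFC 6238 over RFC 4226 HOTP), which works the same way in outline; the shared secret is the RFC's published test key, not a real seed, and the 30-second step is the RFC default (a per-minute fob would use step=60).

```python
"""Added example: TOTP (RFC 6238) token and server sharing one symmetric key.

Both sides hold the same secret and the same clock; the server never stores
or receives anything the token could not compute itself. The verifier also
remembers the last accepted time counter, so a code captured by a keylogger
or sniffer cannot be replayed inside its validity window.
"""
import hashlib
import hmac
import struct
import time

# Constructed shared secret: the RFC 6238 SHA-1 test vector key, NOT a real seed.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Token side: the code for the time window that contains Unix time `at`."""
    return hotp(secret, at // step, digits)


class Verifier:
    """Server side: per-user shared secret plus the last accepted counter."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # tolerate this many steps of clock skew
        self.last_counter = -1        # highest counter already used once

    def check(self, code: str, at: int) -> bool:
        """Accept `code` if it matches the current window or +/- `window` steps,
        and that window has not already been consumed (replay protection)."""
        current = at // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue              # already used, or older than a used code
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    server = Verifier(SHARED_SECRET)
    code = totp(SHARED_SECRET, now)          # what the fob would display
    print("token shows", code)
    print("first use accepted:", server.check(code, now))
    print("replay accepted:", server.check(code, now + 5))
```

The RFC 6238 test vectors (time 59 gives 287082, time 1111111109 gives 081804, time 1234567890 gives 005924 with the SHA-1 key above) are a quick way to confirm an implementation like this before trusting it.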

            •  Ah, I didn't realize that fob is a combo device (0+ / 0-)

              I ought to fully read the articles I link... :) (Too busy commenting away last night...)

              Yeah, it's not an attack on the OTP generation mechanism at all. Oops.

              (I understand the symmetric vs asymmetric keying and all...the complex math is in the full paper. Mainly, I don't fully understand how they optimized the Bleichenbacher attack, but I don't think that's important to understanding the implications.)

              There's a blog post that explains things better.

              So, RSA tokens not broken, but new attacks on them and similar devices possible...against an older standard. Think physical access to a laptop left alone and logged in, and some keys being secretly extracted, assuming it stored the PIN for active use. (Of course, you can always just install some malware or do other such things to an open laptop, without complex crypto attacks involved.)

            •  Thanks for the clarification (0+ / 0-)

              A buddy of mine sent an article, and you're right, a reporter for the Financial Times or whatever can't be expected to understand the issues. Thanks for the clarification. Wish I understood the math, I wouldn't have to be involved in filthy commerce to make a living!

              "You can die for Freedom, you just can't exercise it"

              by shmuelman on Fri Jul 13, 2012 at 08:29:09 AM PDT

              [ Parent ]

        •  RSA attack (0+ / 0-)

          Some data was stolen last year from RSA and they said it was a state-sponsored attack, although they didn't say who.  The head of the NSA testified to congress not long ago that it was China.  There was an exposé on CNBC a few nights ago that discussed this attack and other cyberwarfare coming from China.  None of the data taken from RSA could be used to directly mount an attack on a customer and no commercial attacks resulted since RSA replaced the products for customers that were at risk. CNBC indicated that China wanted the data to be able to attack US defense companies and one reported they did get attacked but it was repelled (with RSA's help).  

          "Truth is, everybody is going to hurt you. You just gotta find the ones worth suffering for." ~ Bob Marley

          by cyberKosFan on Fri Jul 13, 2012 at 06:59:25 AM PDT

          [ Parent ]

  •  Um..."microwave" IS "radio" (1+ / 0-)
    Recommended by:
    KenBee

    Or at least a specific flavor of radio. In fact, the 2.4 GHz transmissions that your typical WiFi router uses are microwaves. So are the satellite transmissions the military uses.

    The difference is in the directionality. Your router, and the WiFi card in your laptop that's talking to it, are omnidirectional - they send out signals in all directions (and they have to, since you don't want to have to try to point an antenna from your laptop to wherever the router might be). What you're describing as "microwave" is simply the addition of a directional antenna to the equation, concentrating the radio transmission in a narrower beam that only goes from one point to another.

    The password stuff is spot-on, though.

    Intended to be a factual statement.

    by ipsos on Thu Jul 12, 2012 at 08:51:48 PM PDT

  •  I have this problem, every few hours.. (0+ / 0-)

    this helps:

    http://xkcd.com/...

    not :>

    tried it, dint werk

    From those who live like leeches on the people's lives, We must take back our land again, America!...Langston Hughes

    by KenBee on Thu Jul 12, 2012 at 09:10:31 PM PDT

  •  There's one major problem here: (1+ / 0-)
    Recommended by:
    KenBee

    You missed a major, major security factor...
    When Richard Feynman worked at Los Alamos on the nuclear bomb, his hobby was safecracking.  By the end of his tenure there, he had cracked the four-digit code to pretty much every 'secure' filing cabinet in the facility.  He used four major techniques, all of which are analogous to common mistakes in modern password security.  You covered three of the four, but missed my own personal favorite from my time acting as the shadow IT manager at my school (since our actual IT guys were highly trained in the age of punch cards, and had a brief refresher on networking back in the GOPHER days, I wound up being responsible for fixing printers, solving software incompatibilities, and updating software, despite not cough officially having admin access).

    The first was trying the default combination.  Most sites don't have a default password, but many businesses and schools issue them to new users.  P@ssword1 will get you into a third of the email and network accounts on some of the ships I've sailed on.

    The second was looking at open file cabinet drawers - since people set the combination to open the drawer, you could grab it off the open drawer.  This is directly analogous to packet sniffing - especially in the case of unsecured transmissions.

    The third was brute force cracking.  He determined that although each digit of the combination could be 1-10, it actually would accept a value 1 higher or lower than the target.  This allowed him to drastically speed up the guessing process.

    But the fourth was the best and most common - and remains so today, in large part because of advice like yours:  He'd check the top left desk drawer of unoccupied offices.

    When a password is hard to remember, what do you do?  You write it down.  And nowadays, we need dozens, possibly hundreds of passwords.  I don't know about you, but my brain simply can't handle remembering 50 different, complex, and unique passwords, even though it's a really good idea.  And doing what most of the less computer savvy people I know do - keeping passwords for everything from Netflix to online banking written down on a piece of paper in a desk drawer (or worse - a notepad file on their desktop) - is quite a bit worse than having a crackable password.  According to the rather pathetic Federal IT Security Briefing I just had to sit through, the vast majority of IT security breaches are physical - someone either visually or physically absconds with the information (the single biggest problem is apparently theft of government laptops - go figure).

    I personally use something of a compromise.  For stuff that wouldn't be terribly damaging if it was compromised, I use a couple of different, easy-to-remember passwords, depending on the password strength requirements of the site and what username I'm using.  If my DailyKOS account was stolen, it would be annoying, but far from irreparable.  The same goes for the couple dozen other forums and social sites I use the same password for.

    For stuff that'd be really dangerous in the wrong hands - banking, email, and the like - I use higher security unique passwords, and often completely different usernames.

  •  On passphrase selection (1+ / 0-)
    Recommended by:
    KenBee

    Long passphrases are becoming "popular" as a way to introduce a lot of bits of extra security without making your password impossible to remember for actual humans.

    Hackers do know this.

    Passphrases are still good ideas.  I like them.  I like passphrases that have some number/symbol tricks added in, especially ones that use those in a way that makes sense to YOU but doesn't just swap letters for L33T equivalents (which adds very little computational complexity).  However, the key to passphrase selection is to choose a passphrase that is not in common (ideally, not in any) usage.

    If they haven't already, hackers can add a database of song and movie titles to their dictionary attacks at very limited cost.  So don't use "Gone With the Wind", or even "All You Need Is Love".  "Whirled Peas" is terrible; if it's on bumper stickers everywhere, it's not hard to imagine it going in a comprehensive attack dictionary.  And, needless to say, don't even think about making your password something like "This is my password."  Just don't.

    The xkcd passphrase (which, being public, you're ALSO not using, right?) is good because the created phrase doesn't appear anywhere and doesn't make syntactic sense.  That's the goal: it makes a passphrase that is long (which stops brute-force from working in finite time), immune to dictionary attacks, and is still possible to remember while remaining human.  Add in some number and letter tricks (spacing if they let you), and you're good to go.

    "All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." -Douglas Adams

    by Serpents Choice on Thu Jul 12, 2012 at 09:29:50 PM PDT
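The two claims in the comment above - that l33t swaps add very little work for an attacker, and that a phrase from a title list is caught no matter how it is mangled - can be put in numbers. The following is an added example written for this page, not code from the diary or from any commenter. The phrase list and the substitution table are constructed for illustration; a real attack dictionary is vastly larger and its mangling rules are broader.

```python
import math
import re

# Constructed stand-in for the "song and movie titles" list the comment
# describes. A real cracking dictionary holds millions of entries.
KNOWN_PHRASES = [
    "Gone With the Wind",
    "All You Need Is Love",
    "Whirled Peas",
    "This is my password",
]

# Substitutions an attacker's mangling rules already try (constructed subset);
# the reverse map undoes them so mangled input can be matched against the list.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
UNLEET = {sub: letter for letter, subs in LEET.items() for sub in subs}


def normalize(text):
    """Undo leet substitutions, lowercase, and drop spacing and punctuation,
    so that 'G0ne_W1th_the_W!nd' and 'Gone With the Wind' compare equal."""
    unleeted = "".join(UNLEET.get(ch, ch) for ch in text)
    return re.sub(r"[^a-z0-9]", "", unleeted.lower())


NORMALIZED_PHRASES = {normalize(p) for p in KNOWN_PHRASES}


def is_known_phrase(candidate):
    """True if the candidate is one of the listed phrases under common manglings."""
    return normalize(candidate) in NORMALIZED_PHRASES


def leet_variant_count(word):
    """Number of distinct strings leet substitution can produce from `word`.

    The original letter is always one of the options, so each letter with
    k substitutes contributes a factor of k + 1. This product is the whole
    of the extra work l33t-speak imposes on an attacker who has the word."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(LEET.get(ch, ""))
    return count


def leet_bits(word):
    """Extra entropy (bits) that leet mangling adds on top of a known word."""
    return math.log2(leet_variant_count(word))


def random_words_bits(n_words, wordlist_size):
    """Entropy (bits) of n words drawn uniformly at random from a list of
    the given size: the xkcd-style construction the comment endorses."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    print(is_known_phrase("G0ne W1th the W!nd"))        # mangled title: still caught
    print(leet_variant_count("password"), leet_bits("password"))
    print(random_words_bits(4, 7776))                   # four words, 7776-word list
```

Mangling "password" yields 54 variants, under 6 bits; four words drawn at random from a 7776-word list give about 52 bits, and the result matches nothing in a phrase list because it was never a phrase.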

  •  another password diary now up (0+ / 0-)

    also has good advice..

    How to AVOID writing passwords

    ..for the record...

    From those who live like leeches on the people's lives, We must take back our land again, America!...Langston Hughes

    by KenBee on Thu Jul 12, 2012 at 10:59:18 PM PDT

  •  LastPass online password vault/generator (0+ / 0-)

    has been my go-to program for a while now and has performed admirably for creating and storing and logging into sites that require a password.

    You can specify length, special characters, use of numbers and other parameters when generating a new password, or have it remember for you one that you made up in the first place.  Some examples:

    jPmzumoBYgR3z17
    22vf9lNjoEMckyF
    2#jcJ%AAD85Q8gV

    This proved to be very useful, as I just bricked my laptop and had to migrate to another computer.  I simply installed the LastPass browser attachment to Chrome, typed in my master password, and continued on without a hitch.

    It really is very important not to take your online security for granted, considering how much of our lives are dependent on being able to securely access information online.

    "Hey Joe Walsh, when did you stop deadbeating your wife?"

    by wretchedhive on Fri Jul 13, 2012 at 12:56:05 AM PDT
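The generator the comment above describes (choose a length, decide whether digits and special characters are allowed, get back a random string like the three samples) is easy to build correctly if two rules are followed: draw from the operating system's CSPRNG rather than a seeded PRNG, and satisfy "must contain a digit"-style policies by resampling rather than by forcing a digit into a fixed position. The following is an added example written for this page; it is not LastPass code and makes no claim about how LastPass generates passwords. The special-character set is a constructed choice.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!#$%&*+-=?@^_"   # constructed set; sites differ on what they accept


def meets_policy(password, use_digits, use_special):
    """Every requested character class must actually appear in the password."""
    checks = [
        any(c in LOWER for c in password),
        any(c in UPPER for c in password),
    ]
    if use_digits:
        checks.append(any(c in DIGITS for c in password))
    if use_special:
        checks.append(any(c in SPECIAL for c in password))
    return all(checks)


def generate_password(length=15, use_digits=True, use_special=False):
    """Draw each character uniformly from the allowed alphabet using the
    OS CSPRNG (secrets), and resample the whole string until it satisfies
    the policy. Rejection sampling keeps the result uniform over compliant
    strings; 'put one digit at position k' would leak structure to a cracker."""
    if length < 4:
        raise ValueError("length too short to satisfy the policy")
    alphabet = LOWER + UPPER
    if use_digits:
        alphabet += DIGITS
    if use_special:
        alphabet += SPECIAL
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, use_digits, use_special):
            return candidate


def entropy_bits(length, use_digits=True, use_special=False):
    """Entropy of a uniformly drawn string: length * log2(alphabet size).
    The policy rejection discards a negligible fraction of strings at these
    lengths, so this is accurate to well under a bit."""
    size = len(LOWER) + len(UPPER)
    if use_digits:
        size += len(DIGITS)
    if use_special:
        size += len(SPECIAL)
    return length * math.log2(size)


if __name__ == "__main__":
    # Same shape as the samples in the comment: 15 characters, letters + digits.
    print(generate_password(15, use_digits=True, use_special=False))
    print(generate_password(15, use_digits=True, use_special=True))
    print(round(entropy_bits(15, True, False), 1))   # about 89 bits
    print(round(entropy_bits(15, True, True), 1))    # about 93 bits
```

Fifteen characters from the 62-character alphabet is roughly 89 bits, far beyond any offline cracking budget; the practical weak point in this scheme is the master password that unlocks the vault, which is the one password a manager cannot generate for you.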

  •  Here is my password. Can someone tell me if it is (0+ / 0-)

    secure?

    Ich=!d!0T//nur_ein_Witz

    This better be good. Because it is not going away.

    by DerAmi on Fri Jul 13, 2012 at 02:45:50 AM PDT

    •  Not Any More nt (1+ / 0-)
      Recommended by:
      DerAmi

      On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

      by stevemb on Fri Jul 13, 2012 at 07:10:19 AM PDT

      [ Parent ]

      •  Awww. Did you not translate it? (0+ / 0-)

        I am an idiot // just a joke

        I guess my humor just doesn't translate very well.

        This better be good. Because it is not going away.

        by DerAmi on Fri Jul 13, 2012 at 07:35:47 AM PDT

        [ Parent ]
