Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
7 Tips To Toughen Passwords
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Osmore
50%
50%
Osmore,
User Rank: Apprentice
6/9/2012 | 5:39:23 PM
re: 7 Tips To Toughen Passwords
Some of you well-meaning authors need to recognize the real impracticality of your preachings. Some of us have well over 100 sites that we visit which require passwords, including this one. To do as you suggest is simply not practical. Why can't you come up with more meaningful ideas and get out of your ivory towers?
NanosecPeterS
50%
50%
NanosecPeterS,
User Rank: Apprentice
6/9/2012 | 6:59:54 PM
re: 7 Tips To Toughen Passwords
Maybe I am stupid, but I don't understand the logic what the author is talking about.
If the website ( they all should ) have a lock on the account after three unsuccessful password entry, so it doesn't matter how fast they can crack passwords. If the web-site doesn't have such a protection I simply don't want to enter any sensitive information there, that is all .
If the recovered password from the compromised web-site was not encrypted with the best possible encryption - that is not the user fault and the strength of the user password doesn't have anything to do with it.
ComScience
50%
50%
ComScience,
User Rank: Apprentice
6/9/2012 | 8:50:52 PM
re: 7 Tips To Toughen Passwords
"The best possible encryption" means a level of complexity, licensing and processing that is too expensive for most websites. You are probably thinking about military grade encryption?

Using MD5 is a standard encryption process, salted hashes should have been implemented and would have made the decryption much more difficult. See the wikipedia article for more information.

What the hackers did is convert the hashed password back into the text password using various processes including rainbow tables.

A simple explanation is if I make a password of "2Paramount109"and convert it to an MD5 hash, I get a 16 byte string of Hexadecimal characters that are the same no matter what MD5 conversion I use.

If I now have a list of MD5 hashes, I can see which ones match a table of pre-converted passwords. These huge tables of pre-converted passwords are called rainbow tables and can be generated using software at home, or purchased online.

They didn't actually try different login / password combinations on the live website, which could have locked them out of the website.

References:

http://en.wikipedia.org/wiki/M...

thecalitree
50%
50%
thecalitree,
User Rank: Apprentice
6/9/2012 | 8:52:22 PM
re: 7 Tips To Toughen Passwords
If you really want to know how to choose a correct password, look at this comic.

http://xkcd.com/936/

I literally just registered to post this.

The author of the comics is a physicist/computer scientist from what I can tell. Seems legit.

Bprince
50%
50%
Bprince,
User Rank: Ninja
6/9/2012 | 9:33:40 PM
re: 7 Tips To Toughen Passwords
Personally, I think the best thing to do is prioritize. Like Osmore is saying, there are a lot of sites that require passwords (such as this one). But this account probably isn't as important to you in terms of personal information etc. as your Facebook or email. So maybe come up with complex but memorable passwords for the important stuff and weaker passwords for the sites that are less important.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Eric_Brown
50%
50%
Eric_Brown,
User Rank: Apprentice
6/11/2012 | 12:55:13 PM
re: 7 Tips To Toughen Passwords
I have to argue with you, the biggest single security problem is articles like this one. I have to laugh by the fact that million articles about password strength and password managers the minute there are reports of passwords being stolen. HELLOGǪ anyone out there, the strength of your password or having it locked-up in Fort Knox does not mean anything when it is stolen from the source! You need to be talking about other steps like the need to implement some form of 2FA (two-factor authentication) were you can telesign into your account to protect you if your password were to be stolen. If they were to try to use the GǣstolenGǥ password and were not on the computer, smartphone or tablet you have designated trusted, they would still need the one-time PIN code which is delivered to YOUR phone via SMS or Voice.
ANON1237925156805
50%
50%
ANON1237925156805,
User Rank: Apprentice
6/11/2012 | 9:02:57 PM
re: 7 Tips To Toughen Passwords
That's interesting because I was thinking of posting this very thing. It doesn't much matter how convoluted the algorithm you use to generate passwords: If they are 8 characters or fewer there's enough brute strength to hack them. It may take two days for yours as opposed to 1/2 hr for someone else's but the result is the same.

We need to move to passphrases. Passphrases needn't be unbearably cryptic as long as they are not trivial (e.g. "all cows eat grass" or "the password is swordfish"). One can string together words that are meaningful to them but not obvious to others.

Voila. It's memorized. To personalize for each site that has critical data, embed an abbreviation (not the full name) related to the site. For example, Facebook might have an fb in it or an ook. That's not risky in the context of a longer passphrase.

By all means punctuate your passphrase in an unpredictable way and/or throw in a cap if you like but only if you'll easily remember them.

The math for this is well documented. Longer string, MUCH harder to crack and more opportunity to create something that's easy to remember without being written down. End of story.

Why then do so many sites restrict password size to 8 characters? Why did Amex of all places reduced its max allowable password length from 8 to 6 a few years ago???!!!! Why do so many sites disallow spaces when by lengthening a passphrase they make it harder to crack it?

We need a new paradigm here, not more cryptic short passwords.
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
6/11/2012 | 11:22:58 PM
re: 7 Tips To Toughen Passwords
Should do away with passwords altogether and use biometric access instead.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
6/13/2012 | 9:45:46 AM
re: 7 Tips To Toughen Passwords
Hi Osmore, thanks for your comment. If there could be any single piece of advice that this author would propose, it would be: Use a password manager. No, it won't protect you if a site gets its password database stolen and cracked. But it does give you a practical, affordable way to generate and manage unique, strong passwords for the over 100 websites you use. That way, if your LinkedIn password does get published, it's a one-off. Inconvenient, but no one will be able to use it to access your Gmail account.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
6/13/2012 | 10:00:01 AM
re: 7 Tips To Toughen Passwords
Rock Star, you're entirely correct that websites need to do a better job of protecting their passwords, and two-factor is a great idea. So is using password encryption algorithms, versus cryptographic algorithms such as MD5 that are now widely used. Unfortunately, there's no magic wand ... with luck, the LinkedIn (et al) breaches will lead more companies to proactively invest, to help avoid any damage to their reputation when/if their password database gets knocked over. But from a consumer/user standpoint, using stronger passwords will at least slow attackers down, and making sure they're unique will prevent hopscotch-style password cracking attempts.
Page 1 / 2   >   >>


Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0828
PUBLISHED: 2020-02-21
Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BM...
CVE-2012-0844
PUBLISHED: 2020-02-21
Information-disclosure vulnerability in Netsurf through 2.8 due to a world-readable cookie jar.
CVE-2013-3587
PUBLISHED: 2020-02-21
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses...
CVE-2012-6277
PUBLISHED: 2020-02-21
Multiple unspecified vulnerabilities in Autonomy KeyView IDOL before 10.16, as used in Symantec Mail Security for Microsoft Exchange before 6.5.8, Symantec Mail Security for Domino before 8.1.1, Symantec Messaging Gateway before 10.0.1, Symantec Data Loss Prevention (DLP) before 11.6.1, IBM Notes 8....
CVE-2012-0063
PUBLISHED: 2020-02-21
Insecure plugin update mechanism in tucan through 0.3.10 could allow remote attackers to perform man-in-the-middle attacks and execute arbitrary code ith the permissions of the user running tucan.