[a bit late, but...] These are *great* sites, thanks!  Fascinating read
about becoming a cracker-for-a-day! It might be worth trying that for
ourselves just to understand what we're up against.  I just had my Twitter
account apparently hacked, so I got pretty interested in this.

Bruce Schneier's advice:
    https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

So if you want your password to be hard to guess, you should choose
something that this process will miss. My advice is to take a sentence and
turn it into a password. Something like "This little piggy went to market"
might become "tlpWENT2m". That nine-character password won't be in anyone's
dictionary. Of course, don't use this one, because I've written about it.
Choose your own sentence -- something personal.


I thought about this independently (or remembered it!) and started thinking
about sentences and taking the first letter of each word: Star Spangled
Banner: oskysbtdel .. then adding other stuff that is unique per site and
fulfills n-Caps, n-Specials, etc. silly rules. Since many hacks are
dictionary based (this means you, XKCD), this avoids words completely.  Pub
tunes and chanties are great for this! Or favorite poems.

This is still somewhat low on the PW Hygiene scale, I bet, but still .. I'd
like to not have a PW mgr be the only one knowing the unique passwords, so
wanted a formula of my own, one I can remember for every site.

So questions:
- How many of us are now using completely random pw's generated by one of
the pw managers?
- Are sentence-based stunts close to "random"?
- Wouldn't Unicode help here? 16-bit characters would definitely bother the
crackers, right?

And we should remember, the massive hacks are only for sites that have
gotten an encrypted pw file and know a lot about it like what crypto it
uses etc.  The high order bit here is quick notification by compromised
sites.

   -- Owen

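The storage side of this thread (Owen's quoted question below about whether cracking one password helps with the rest and whether the salt can be deduced, and Ray's answer that a salt shared by all hashes is ignored after the first crack) as an added Python example; this is not code from anyone in the thread. The account names, passwords (one of them is Schneier's sample from the quote above) and the site-wide salt value are constructed for the demonstration. It stores the same three accounts three ways, then runs the audit a site operator can run on its own table: which accounts hold byte-identical stored values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts for the demonstration (not real users).
# "tlpWENT2m" is Schneier's example from the thread; alice and bob both chose it.
SAMPLE_USERS = {
    "alice": "tlpWENT2m",
    "bob": "tlpWENT2m",
    "carol": "oskysbtdel",
}

# Hypothetical site-wide constant salt: the "same salt for all hashes" case.
SITE_WIDE_SALT = b"constructed-site-wide-salt"

PBKDF2_ITERATIONS = 100_000


def unsalted_md5(password: str) -> str:
    """Storage scheme 1: bare MD5, the ~75%-of-sites case from the thread."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_salt_md5(password: str) -> str:
    """Storage scheme 2: MD5 with one salt shared by every account."""
    return hashlib.md5(SITE_WIDE_SALT + password.encode("utf-8")).hexdigest()


def per_user_pbkdf2(password: str, salt: Optional[bytes] = None,
                    iterations: int = PBKDF2_ITERATIONS) -> str:
    """Storage scheme 3: a fresh random 16-byte salt per account plus a
    deliberately slow key-derivation function (PBKDF2-HMAC-SHA256).
    Returns a self-describing record so the verifier can recompute it."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_pbkdf2(password: str, record: str) -> bool:
    """Check a login attempt against a scheme-3 record, comparing in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def build_tables(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, Dict[str, str]]:
    """Store the same accounts under all three schemes, as a leaked file would look."""
    return {
        "unsalted_md5": {u: unsalted_md5(p) for u, p in users.items()},
        "shared_salt_md5": {u: shared_salt_md5(p) for u, p in users.items()},
        "per_user_pbkdf2": {u: per_user_pbkdf2(p) for u, p in users.items()},
    }


def duplicate_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Defender's audit: which accounts hold byte-identical stored values?
    Under schemes 1 and 2 this reveals shared passwords from the file alone,
    which is what lets one cracked password be reused against other accounts
    (and, with a shared salt, lets every later guess skip the salt work);
    under scheme 3 every account is independent."""
    by_value: Dict[str, List[str]] = {}
    for user, value in table.items():
        by_value.setdefault(value, []).append(user)
    return {v: users for v, users in by_value.items() if len(users) > 1}


if __name__ == "__main__":
    tables = build_tables()
    for scheme, table in tables.items():
        dups = duplicate_groups(table)
        print(scheme, "duplicate groups:", list(dups.values()) or "none")
    print("alice login ok:", verify_pbkdf2("tlpWENT2m", tables["per_user_pbkdf2"]["alice"]))
```

Running it shows alice and bob grouped together under both MD5 schemes and no groups at all under the per-user-salt scheme, while `verify_pbkdf2` still accepts the right password for each of them. The record format stores the iteration count alongside the salt so the site can raise the cost later without invalidating existing accounts.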

On Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <rcpa...@sandia.gov> wrote:

> WRT password cracking - Dan Goodin has a good series of articles on
> password cracking at Ars Technica.
>
> http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
>
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
>
> http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/
>
> TL;DR - Current GPU-based password cracking using 20-million word
> dictionaries makes truly random passwords below 14 characters and nearly all
> pass-phrases susceptible to cracking in a relatively short time.
>
> On a related subject, roughly 75% of websites store passwords as nothing
> more complicated than simple, unsalted MD5 hashes.  This is almost as easy
> to break as NTLM.
>
> Salt makes the initial crack more difficult, but if the same salt is used
> for all hashes, then subsequent cracks ignore it.
>
> WRT the use of PII - it's sold on various markets, correlated in a "big
> data" manner with other exposures, and, if enough information is available
> and the person's credit score is high enough, is used for credit attacks.
> In some cases, if banking information is correlated, the collection is used
> for banking attacks.  If there is poor correlation but an email or FQDN is
> in the information, then the data may be used as a target list.
>
> Ray Parks
> Consilient Heuristician/IDART Program Manager
> V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
> NIPR: rcpa...@sandia.gov
> SIPR: rcpar...@sandia.doe.sgov.gov (send NIPR reminder)
> JWICS: dopa...@doe.ic.gov (send NIPR reminder)
>
>
>
> On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:
>
> A forum I belong to has been hacked, including personal info as well as
> passwords.
>
> How do they use this information?
>
> I presume they try the hash function on all combinations of possible
> passwords.  (Naturally optimized for faster convergence).  They see a
> match, i.e. a letter combination resulting in the given hash of the
> password.
>
> If they crack one password, does that make cracking the rest any easier?
>
> And does "salt" simply increase the difficulty, and indeed can it be
> deduced, as above, by cracking a single password?
>
> .. or is it all quite different from this!
>
>    -- Owen
> ============================================================
> FRIAM Applied Complexity Group listserv
> Meets Fridays 9a-11:30 at cafe at St. John's College
> to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
>