
Thread: Creating strong passwords and keeping them secret.

  #11 Senior Member (Joined Apr 2005; Location: USA; Posts: 422)
    Also, wiskic10_4, I continued a little research, and I don't mean to scare you, but with mediocre hardware, and around 500GB of password tables (sounds like a lot, but if someone wants your password all they need to do is invest $100 in a terabyte drive, then download them) an 8-character md5 can be cracked in around 10 minutes, assuming the password contains symbols.

  #12 Senior Member wiskic10_4 (Joined Jan 2004; Location: Corpus Christi, TX; Posts: 254)
    Quote Originally Posted by metguru
    Also, wiskic10_4, I continued a little research, and I don't mean to scare you, but with mediocre hardware, and around 500GB of password tables (sounds like a lot, but if someone wants your password all they need to do is invest $100 in a terabyte drive, then download them) an 8-character md5 can be cracked in around 10 minutes, assuming the password contains symbols.
    Sure they could. But what is the likelihood of that happening? To me or to any other Joe Schmo? And what sort of password are we talking about? You can't brute-force my ssh server because you're locked out 10min after three failed attempts. I wouldn't even know how to brute-force a Gmail or Facebook account!?

    If someone out there does know how, try cracking my old business email at 3DLeaseOpJRD@gmail.com - I don't use it anymore. The password is 8 characters long, and contains only numbers and letters (no symbols). If you are able to do it, kindly PM me the password and let me know how you went about it.

    [edit] I see - you're talking about cracking the password from a hash - but how would they get the hash (without physical access to the machine, that is? Or sniffing?)
    Last edited by wiskic10_4; December 22nd, 2010 at 06:45 AM.
    My Corner of the Intarwebz: Jeremy Dean Online

  #13 Antionline's Security Dude instronics (Joined Dec 2002; Posts: 901)
    Quote Originally Posted by wiskic10_4

    I see - you're talking about cracking the password from a hash - but how would they get the hash (without physical access to the machine, that is? Or sniffing?)

    Very true, and sorry to go off-topic from the start of the thread, but please do not forget that there are MANY other ways to obtain passwords other than cracking them. We have all seen the dangers that come from phishing, social engineering, dumpster diving, sniffers, keyloggers, old backup media etc...

    For the people who have a bit of security in mind though, there are methods to protect against all of these.

    - Host file security (don't surf the web as root/administrator)
    - Don't throw away personal info in the garbage
    - Don't give out personal info to people (especially 'admins', since legit admins DON'T need info)
    - Always make sure that your logins are SSL-encrypted connections
    - Never log in to important accounts on public computers or networks, or in general on computers / networks that you do NOT have under control. (Use VPNs if possible)
    - Set timeouts for bad logins
    - Log all logins and review log files (if many bad attempts are logged, review them asap)
    - Don't give out root/admin access, to prevent software being installed at system level (like going into promiscuous mode)
    - Use strong passwords. As mentioned earlier here in the thread, the best way to create a password is to make up a phrase and play with its letters/numbers/symbols. Avoid like hell using any word/address/phone number/date/event/name of wife/pet/child etc.... and you should be rather safe.
    - Don't use the same password across multiple locations
    - Change passwords every 2 - 3 months (almost no one does, but it's good security practice to do so)

    Cheers everyone
    Last edited by instronics; December 22nd, 2010 at 09:48 AM.
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"
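
    The bad-login timeout and log review that instronics lists above, as an added example that is not from the thread: a small Python script that parses constructed auth-log lines in the sshd style (sample data, not a real capture) and reports which source addresses would hit a three-failures-in-ten-minutes lockout, the rule wiskic10_4 describes for his ssh server. The log format, the regular expression and the year 2010 used to complete the syslog timestamps are my assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Linux auth log; not a real capture.
SAMPLE_LOG = """\
Dec 22 06:30:00 host sshd[2201]: Failed password for root from 192.0.2.44 port 50001 ssh2
Dec 22 06:36:00 host sshd[2202]: Failed password for root from 192.0.2.44 port 50002 ssh2
Dec 22 06:40:01 host sshd[2311]: Failed password for root from 203.0.113.9 port 51022 ssh2
Dec 22 06:40:04 host sshd[2311]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Dec 22 06:40:07 host sshd[2311]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
Dec 22 06:40:09 host sshd[2311]: Failed password for root from 203.0.113.9 port 51025 ssh2
Dec 22 06:41:00 host sshd[2203]: Failed password for root from 192.0.2.44 port 50003 ssh2
Dec 22 06:41:30 host sshd[2320]: Failed password for jeremy from 198.51.100.7 port 40210 ssh2
Dec 22 06:42:00 host sshd[2320]: Accepted password for jeremy from 198.51.100.7 port 40211 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2010):
    """Return (timestamp, result, user, ip), or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumed 2010 here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_lockouts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return (ip, timestamp) for every point at which a source would be locked out."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    lockouts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, ip = parsed
        if result == "Accepted":
            recent.pop(ip, None)  # a successful login resets the counter
            continue
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        q.append(ts)
        if len(q) >= threshold:
            lockouts.append((ip, ts))
            q.clear()             # the source is now locked out; start counting afresh
    return lockouts

def failures_by_source(lines):
    """Per-source failure counts: the first thing to eyeball when reviewing the log."""
    parsed = (parse_line(l) for l in lines)
    return Counter(p[3] for p in parsed if p and p[1] == "Failed")
```

    In the sample, 192.0.2.44 fails three times but spread over eleven minutes, so the sliding window never fills and it is not locked out; 203.0.113.9 is locked out at 06:40:07.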

  #14 Senior Member (Joined Apr 2005; Location: USA; Posts: 422)
    Quote Originally Posted by wiskic10_4
    Sure they could. But what is the likelihood of that happening? To me or to any other Joe Schmo?
    You're thinking of a random attack. If you do something online to make someone hate you and want to target you in an attack, that all can change. Dropping a reasonable amount of money and a few days to download the tables is no big deal for someone who wants to attack you, IMO.

    And what sort of password are we talking about? You can't brute-force my ssh server because you're locked out 10min after three failed attempts.
    The way you're thinking is too close-minded (also, brute-forcing your ssh server has nothing to do with cracking hashes, btw). A successful SQL injection attack on a server would lead to your hash; a zero-day exploit on a server will lead to admin access allowing access to the SQL database, leading to your hash; sniffing a non-encrypted connection to a server (depending on what software you're using and what you're connecting to) will lead to your hash; etc. There are lots of ways to obtain a hash, and those are just a few.

    I wouldn't even know how to brute-force a Gmail or Facebook account!?
    [edit] I see - you're talking about cracking the password from a hash - but how would they get the hash (without physical access to the machine, that is? Or sniffing?)
    Gmail and Facebook aren't 'brute-forced' per se; rather, vulnerabilities are found and privilege escalation will lead to the SQL database and your hash.

    I am in no way trying to sound condescending or anything of the sort, and if I do, I apologize. I am just trying to be quite frank about the fact that there are many ways to obtain hashes, and if your password is 11 or 12 characters including spaces and symbols, good luck cracking it (as precomputed tables of that size don't exist) unless you have a computer with something like a P-Flop or faster supercomputer, of which only 7 currently exist in the world, haha. I haven't run any calculations on that, but estimating in my head, anything slower would seem to be just unreasonable.

  #15 Senior Member wiskic10_4 (Joined Jan 2004; Location: Corpus Christi, TX; Posts: 254)
    Quote Originally Posted by metguru
    The way you're thinking is too close-minded (also, brute-forcing your ssh server has nothing to do with cracking hashes, btw).
    Again, I'm just saying that the chances of someone taking the initiative to execute the type of attacks you're talking about is very slim. And, yes, I realize brute-forcing has nothing to do with cracking hashes - that's why I added the edit on the previous post. Missed that part.

    Quote Originally Posted by metguru
    A successful SQL injection attack on a server would lead to your hash; a zero-day exploit on a server will lead to admin access allowing access to the SQL database, leading to your hash; sniffing a non-encrypted connection to a server (depending on what software you're using and what you're connecting to) will lead to your hash; etc. There are lots of ways to obtain a hash, and those are just a few.
    And that is interesting to think about - fascinating really - to me. But I am the only person I know who runs a server, or would ever care to run a server. Most people use the Internet to check their email, bank statement, hop on FB and watch stupid videos. These are the sorts of people my little article was targeting - as I said in the OP, my intention was to get your thoughts on whether this was a good guide to the Joe Schmos of the world to create better passwords and keep them secret.

    Quote Originally Posted by metguru
    Gmail and Facebook aren't 'brute-forced' per se; rather, vulnerabilities are found and privilege escalation will lead to the SQL database and your hash.
    Vulnerabilities where? Not on FB or Gmail right? Remember, we're talking about the commoner, who doesn't have an SQL database...

    Quote Originally Posted by metguru
    I am in no way trying to sound condescending or anything of the sort, and if I do, I apologize.
    Well, you didn't until you said that. No worries though. I'm here to learn. If I feel like you're talking down to me, well then that's my problem isn't it?

    I am a computer technician - I know only the basics of Internet and network security. I am interested in learning more! But the only way I've ever obtained password hashes is by using a bootable CD and then cracking them on another computer. So this is all interesting to me, and I may even have to try it out on my home network - if and when I have time. Until then I can only listen to what other people that know more about the subject have to say.

    So then, preach on brother.
    My Corner of the Intarwebz: Jeremy Dean Online

  #16 Gonzo District BOFH westin (Joined Jan 2006; Location: SW MO; Posts: 1,187)
    This is turning into a very interesting thread. Thanks for the good dialog guys. Metguru made some great points. I tried to give him [guessing you are a male, sorry if I am wrong] some APs, but it said I must spread them around.

    I would definitely agree that passwords can be bypassed as an authentication method with various exploits, but what do you guys suggest as far as good precautionary measures. Obviously, keep your systems patched, implement layered security, kill unneeded services [decrease your attackable surface], keep an eye on your logs... etc. What other measures do you guys implement to secure your systems against the attacks discussed in this thread?

    Metguru brought up sniffing unencrypted traffic, which depending on what service you are providing, includes some sort of user education. Working for a school district, I usually have a really hard time trying to educate the teachers. Their skill levels range from moderate to [no kidding] "Where is the enter key?". [Yes, that actually happened at the beginning of the school year]. I send out examples of phishing/fraudulent emails as often as I get them. I highlight the things to watch out for... but when you start telling them to make sure that their session is encrypted, their eyes glaze over. It isn't as simple as telling them to look for the little lock icon, because SSLStrip adds that as the favicon. I usually tell them to look for the https, but even that is beyond some of them. They largely rely on bookmarks, and don't really even know what a URL is. We have had several teachers lose their bookmarks, and all of a sudden they have no idea how to check their mail, get to the school website, etc. So, telling them to look at the address bar can often times put them into dummy mode.

    By the way... sorry for the rant... 'Tis the season!
    Last edited by westin; December 23rd, 2010 at 07:30 AM.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  #17 Senior Member (Joined Apr 2005; Location: USA; Posts: 422)
    wiskic10_4, sorry about that, I was trying to think of a more polite way than saying "I hope I don't sound like a dick" but I guess I failed.

    And maybe you're right about the whole 'the chances of someone doing all this is slim'. I guess that just means I'm extra paranoid. But generally paranoia is a good thing when dealing with security.

    And if you're interested in more types of vulnerabilities, you can always check out my site in my sig. I don't mean to be self promoting, but it is a pretty good example for this thread, as I post about different types of things that are vulnerable as I do research on security. I haven't come across anything like it before, so I just made a site myself as a collection of different types of vulnerabilities basically.

    westin, Yes, I am a guy. I forgot that you guys really don't know anything about me, as I really don't post any personal info, not because I'm that paranoid, but more so because I don't find my personal life that interesting. I'm from the eastern US, and I'm in my 20s. And thanks for the attempted greenies.

    SSLStrip! Have I mentioned how much I love SSLStrip?

    but what do you guys suggest as far as good precautionary measures.
    What you've just said is what I can think of off the top of my head, but in truth there are always going to be some sort of vulnerabilities. If someone cares enough to break into your home and get physical access to your machine the only thing left to save you is an encrypted file system, and maybe a bios password, but that can just be reset by the proper jumper.

  #18 Senior Member wiskic10_4 (Joined Jan 2004; Location: Corpus Christi, TX; Posts: 254)
    Quote Originally Posted by metguru
    wiskic10_4, sorry about that, I was trying to think of a more polite way than saying "I hope I don't sound like a dick" but I guess I failed.
    Not at all! You simply shared information. Again - if I or anyone else feels like you were condescending them, well, then that's their problem isn't it? Don't worry so much about what other people think!

    Quote Originally Posted by metguru
    And if you're interested in more types of vulnerabilities, you can always check out my site in my sig. I don't mean to be self promoting, but it is a pretty good example for this thread, as I post about different types of things that are vulnerable as I do research on security. I haven't come across anything like it before, so I just made a site myself as a collection of different types of vulnerabilities basically.
    I've had it bookmarked since your first post. Good stuff. And don't worry about being self promoting - it's a good site with good information. Somebody ought to promote it!

    Quote Originally Posted by metguru
    I'm in my 20s.
    Closer to 20 or 29? I'm 28. And a half.

    What prompted me to write my little article was a post I read on Computer Forum in which the poster's Hotmail account had been compromised, and was sending out random spam. Changing his password fixed the problem. I saw something similar happen to a friend's Facebook account the other day. She changed her password, and everything was fine.

    So this leads me to believe the passwords were either guessed, bruteforced (in as much as a Hotmail or Facebook password can be bruteforced) or, most likely, phished.

    So I wondered how this has never happened to me? I grew up on the Internet!

    I Googled "creating strong passwords" and Microsoft came to the top of the page. I read their little article, and my eyes glazed over about half-way through. I was immediately thinking "yeah, I'm not going to do that." - And I'm a HUGE NERD! So I know damn well my friends and family aren't going to go through the trouble to create such passwords. So I thought I'd share my method - seems to have worked well for me so far.

    Of course, as I mentioned before, the passwords were most likely phished, so I made a [nonfunctional] Facebook phish to show how easily people could be tricked into handing over their passwords. I also warned against surfing on open networks, etc, and shared my little story about using keyloggers at the University library.

    All I really wanted was some feedback on whether the article would be of benefit to the average computer user. But it's turned into a password security thread, and that's cool too.
    My Corner of the Intarwebz: Jeremy Dean Online

  #19 Junior Member (Joined Jan 2011; Location: Germany &amp; America; Posts: 1)
    Hmm, so in the end the conclusion is that any password can be compromised - just some faster than others. I took a look at the KeePass westin mentioned and I like it. While the encryption feature is very useful, it doesn't help you if the websites themselves don't use encryption for the password. Now that would be the day. A new encrypted security standard for websites. Would this be doable?

  #20 Senior Member nihil (Joined Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)
    This is quite interesting. As far as I am aware the length of a password takes precedence over its complexity, so I agree with the concept of packing a core.

    I have no problem with writing passwords down either, so long as you keep them safe. I can assure you that if someone broke into my house, their finding my e-mail account password would be the least of my worries.

    Try writing them in the back of a family bible or other religious book, or a cookery book... I don't think that burglars would give them a single glance? Also, if you use the same packing algorithm, all you need to write down is the variable core, for example:

    @£1234567890Variable CoreabcdEFGH€#

    I don't think that you would find rainbow tables to handle that on the internet? Sure, you could generate them, but it would take a long time and a lot of storage.

    Where you have a "three strikes rule" I don't think that brute forcing is practicable as it would take way too long.

    I work on the principle that security only buys you time, and the people who do this sort of thing will generally get bored and go looking for lower hanging fruit.

    Keyloggers, sniffing, phishing, and the inherent insecurity of public access points have already been covered.

    The one thing I didn't notice was any discussion of the "forgot password" mechanisms that these sites use.

    My advice to people is never answer the questions honestly. After all, the bad guys will know that your mother's maiden name was Attila the Hun, your first pet's name was Godzilla the Megalizard and your first school was a correctional institution?

    Fake all that and people who know you, or others who do, won't be able to hijack your account.

    Myself; I never keep personal data or passwords on a computer, so if my security was remotely compromised, there wouldn't be much to find anyway.

    However, following what I have seen in this thread, I will look into setting up what appears to be an encrypted account and password storage folder. So if anyone does get in, it will give them hours of amusement... the least I can do to reward their efforts.

    Sure, if the website itself is compromised, there isn't much you can do about it... you chose to open an account there?

    Just a few thoughts
