The Virtues and Vicissitudes of Passwords

[FactChecker]

One thing I hated was that I was forced to use my Google password to unlock the Chromebook. That forced me to dumb down my password to something I could easily remember and easily type. IMO, that is a serious security flaw.

All good points, but this about the passwords is the most critical. I think it is horrifying that Chrome uses the same password for gmail as it does for every other Google-owned thing (yahoo, etc.). I want the gmail password to be unique and hard to crack. I guess everyone could have two Google accounts -- one only for gmail and another one for everything else.
Chrome was made with security in mind and is thought to have some good security features. Every time you log in, it checks that the software on your machine has not been modified. It uses sandboxes. etc. Chrome allows the use of a security key fob, which I guess can greatly increase password protection.

 

[anorlunda]

I want the gmail password to be unique and hard to crack.

I'll second that. It would seem to be little trouble for Google to allow a separate pw for each service. ?

Chrome allows the use of a security key fob, which I guess can greatly increase password protection.

Maybe that's the answer. Everyone seems to be moving in the direction of decreasing dependence on passwords. Maybe the day when there are no passwords is on the horizon.

 

[DrJohn]

One thing I hated was that I was forced to use my Google password to unlock the Chromebook. That forced me to dumb down my password to something I could easily remember and easily type. IMO, that is a serious security flaw.

No need to dump down your password, use a passphrase, which can be extremely easy to remember
For example: Trois-Pegase?Frenchfor3flyinghorses!
that's 36 characters, with uppercase used, number used, plus -, ? and !, and words from two languages.
Secure enough for most people.
PS That's not my passphrase, of course.

 

[anorlunda]

For example: Trois-Pegase?Frenchfor3flyinghorses!

Good advice. But I unlock my computer maybe a dozen times per day. 8 characters is the upper limit for my tolerance.

On my Windows machine, I just use a 4 digit pin to unlock, and my phone has fingerprint unlock (which works poorly). I view the unlock as only needing minor security. I even set up my sister's computer to have no lock at all because she would never succeed in unlocking it. If I have info requiring more security, it is encrypted.

I think that it is good to think through your security needs and to realize that not everything needs the same level of security.

 

[jedishrfu]

One such consider that a 4-digit password requires at most 10,000 to crack it and with the curious USB cable that I saw recently that acts as a keyboard that should take no more than a few seconds unless MS has placed a delay or lockout for X bad retries.

https://www.theverge.com/23321517/omg-elite-cable-hacker-tool-review-defcon

 

[DrJohn]

Good advice. But I unlock my computer maybe a dozen times per day. 8 characters is the upper limit for my tolerance.

Unlock it once, and leave it on. That's what I do.

 

[FactChecker]

Good advice. But I unlock my computer maybe a dozen times per day. 8 characters is the upper limit for my tolerance.

On my Windows machine, I just use a 4 digit pin to unlock, and my phone has fingerprint unlock (which works poorly). I view the unlock as only needing minor security. I even set up my sister's computer to have no lock at all because she would never succeed in unlocking it. If I have info requiring more security, it is encrypted.

I think that it is good to think through your security needs and to realize that not everything needs the same level of security.

If your Windows machine has a simple pin does it have better security for the drive? If not, someone can pull the drive and hack it fairly quickly. In fact, if it does not have bitlocker, is the drive protected at all?

 

[Algr]

Good advice. But I unlock my computer maybe a dozen times per day. 8 characters is the upper limit for my tolerance.

One thing you can do is have visual patterns on the keyboard. For example, what is sw234rfd? It's all the keys surrounding E. Then throw a ringer in the middle and you've got something hard to guess. I am looking forward to more pasword alternatives though.

---

Most chromebooks have rather dull screens. And I expect they are even worse for gaming than Macs, which do have a few serious titles.

 

[jack action]

One thing you can do is have visual patterns on the keyboard. For example, what is sw234rfd?

Anything with a pattern is a bad password. For example, on Pwned, sw234rfd has been found in 38 data breaches already.

When using a pattern - no matter how smart and unique you think you are - it makes you very predictable.

 

[jedishrfu]

The pass-phrase is the best strategy. Decades ago at work, an employee had used a password of "igagik"

which was short for "I got a girl in Kalamazoo" which I thought was quite novel and easy to remember.



But much as he liked Glenn Miller and his song, he could never walk around humming it lest he gave away his password. :-)

The clip also features the Nicholas Brothers one the best dance teams of all time. They put many modern dancers to shame.

 

[FactChecker]

The pass-phrase is the best strategy.

I agree, and I have no trouble remembering passwords with 15-20 characters. Pick a phrase or song lyric, add a simple pattern of capitalization, and finally, throw in a simple sequence of numbers and special characters. Then you have a password that is easy to remember and will never be cracked.

 

[Vanadium 50]

I got a girl in Kalamazoo

I met Tex Beneke when I was a boy. He was very kind to me.

Oh, and Sun Valley Serenade also features Glenn Miller, the Nicholas Brothers, Dorothy Dandridge (who was one of the Mrs. Nicholases) and a young Milton Berle.

 

[Algr]

Google has serious problems with privacy and poor accountability when they screw up:

Anything with a pattern is a bad password. For example, on Pwned, sw234rfd has been found in 38 data breaches already.

Any conceivable combination of 8 letters and numbers will have some kind of pattern.

 

[pbuk]

Any conceivable combination of 8 letters and numbers will have some kind of pattern.

Find a pattern in ANY ONE of these and I'll give you a prize:

    nS3dQu4u
    CpJSr3qe
    5htvcH4x
    swPuZ3ds
    9Wj8PwA6
    hR5E4UHE
    dycEa8JM
    pKr9Vjpt
    X29Yf7mb
    VewLrgru
    Kr2dhutT
    Ry85EWkv
    NcMNZpus
    QSWYj65Y
    yn6HZYrM
    nv9WmqkT
    d6WATtgy
    WXQBhjBu
    SfFy2yqG
    zmUGTHMF
    VKeCJ8NT
    QKk6eU5p
    MA6H9amh
    NVT4kHzM
    xhmeu76p
    jcKxzh4K
    KyTC864C
    VnE9bbkf
    qADjS4QJ
    qnShtXeg
    fKMwwqms
    WbsujFQE
    YyrGQQKg
    FGXLXgCC
    LdrmTVUn
    TtvUqxPJ
    qbkkuNfN
    mtqeW3Aw
    vTKDwbm6
    kxPuCmtV
    Wjxc2yyx
    XndX8GSJ
    vScVDWZq
    JwCx38Sz
    7UKE9Ca7
    2c4M2FQE
    UK2BnXrc
    ed9NFyyp
    LEQCtDvG
    DdbjuncU
    pAfxaEY5
    6ar2MBd6
    XQn4H8L4
    mEUG8C83
    hG3MQBQA
    vsWVS5qd
    q9ENybf7
    WJnHXQNX
    Pe2ddbfW
    VJFpkbr2
    wJVkP9bj
    9gtmatgA
    jxWVYktg
    P8Q6RtGX
    KPzuwWHb
    JUAM5pSn
    cgMUNFUc
    Gm5j2TRB
    ZRBq4YnQ
    tCCNtkDm
    8pcNsa9q
    f3SPzk63
    zRZAPyes
    2HHgkewb
    j2gYbvxB
    Lurgfmxg
    M3kuQF7E
    z8h3AeDJ
    CgeQz296
    DGUKKBTR
    B6593Kbw
    WV6DHJ8X
    AV8n9GR4
    hkePYJZB
    zTejgsKG
    C5Vtd3bF
    6V9KxtHC
    nbnyCY82
    wQb6vVQm
    sYUQM7rT
    7KupTDur
    fpSFtAqP
    43vmEdpx
    mMPVZq4g
    6S7Su2YH
    TDC9nfQ9
    n8XfkZtV
    YrHJL29k
    AebFVhXy
    sRkQUwTc

 

[Algr]

nS3dQu4u

not So 3d Quit forget you.

CpJSr3qe

Crap J Senior Sege

5htvcH4x

Shut venture capital haxor.

swPuZ3ds

Star Wars puzzles

9Wj8PwA6

9 weight paws

hR5E4UHE

Hearse for You! He he he...

dycEa8JM

____ ate Jim.

pKr9Vjpt

Pack our 9Volt script

 

[jack action]

not So 3d Quit forget you.Crap J Senior SegeShut venture capital haxor.Star Wars puzzles9 weight paws

Hearse for You! He he he...

____ ate Jim.

Pack our 9Volt script

We were referring to visual patterns, as you mentioned in post #17:

One thing you can do is have visual patterns on the keyboard. For example, what is sw234rfd?

 

[Algr]

We were referring to visual patterns

And why would the attacker know that a given person had used that instead of some other method?

All of these calls for impossibly difficult passwords are based on a false premise: They assume that hackers are getting in by trying out millions of random passwords and finding one that works. But that exploit was solved back in the 1980s. Just don't allow more than one password attempt per IP address per second.

What is really happening here is blame shifting. Hackers get in without needing any password. The IT department is told to "Fix it", so they just make things difficult for legitimate users. When one of them inevitably can't keep up with all the demands, they take the blame for the next fault that they had nothing to do with:

 

[DrJohn]

Just use a passphrase, not tricky to remember random mixes.
Compare dfR4.5"(hjY0
with 7*hamsters8myDOG!
Which is easier to remember, easier to type and has the most characters in it? The passphrase, Seven star hamsters ate my dog! with only a slight disguise to increase the character pool used is so much easier to remember, but hammers a brute force attack. And if you can't remember that phrase after two or three reads, you will definitely struggle with remembering and typing the first shorter one.
No need for hard to remember nonsense-style passwords.

 

[pbuk]

And why would the attacker know that a given person had used that instead of some other method?

All of these calls for impossibly difficult passwords are based on a false premise: They assume that hackers are getting in by trying out millions of random passwords and finding one that works. But that exploit was solved back in the 1980s. Just don't allow more than one password attempt per IP address per second.

Please stop posting misinformation.

The reason it is a very bad idea to use a keyboard pattern as a password is that there are only a limited number of such patterns. This does not mean that a hacker has to try every possible pattern at a login screen because hackers have lists of email accounts and the associated password in an encoded form known as a "salted hash", obtained through historical data breaches. Hackers then compare all common patterns with every entry in the list and if they find any matches then they have an email/password combination they know was correct for a given service at the time of the breach. They can then try that email/password combination everywhere and if it works they have compromised an account, if it doesn't then they have thousands of other places to try.

If you think you are not vulnerable to such an attack then type your email address in here https://haveibeenpwned.com/ and/or a password you have used, or just one with a "pattern" that you think might be OK, https://haveibeenpwned.com/Passwords for a nasty surprise.

 

[Algr]

type your email address in here

Seriously? Give my e-mail and a big hint to my password to some random site?

Please stop posting misinformation.

Find a pattern in ANY ONE of these and I'll give you a prize:

Nothing about visuals here. Gimme the prize!

 

[anorlunda]

It seems to be forgotten here that passwords came up only in the context of unlocking the screen for Chromebooks.

Screen unlock is a case of multi-factor authentication. The password is one factor. Physical access to the Chromebook is a second factor. If my computer was stolen, I figure game over; passwords won't prevent access to my info.

So in my view, the security of a password is less critical with multi-factor authorization than it would be with single factor.

I also believe that the biggest risk to consumers (not criminals, not spies) is that the database of your trusted vendor is stolen with the credentials of all customers. For example, Amazon knows my credit card info; so do other vendors that I purchase from online, so does my bank. That kind of crime happens every day and databases of millions of sets of credentials are sold on the dark web. For that kind of crime, it doesn't matter if your password is more secure or less secure.

 

[jedishrfu]

Seriously, @Algr hackers use lists of common passwords sorted as most to least common as one scheme of attack. These lists come from data breaches so there's a good chance that one of them will work.

Another more directed attack uses information on email name as a user identifier coupled with the data breach data to get a list of passwords the given user may have used. From there one might glean a pattern to try when trying to crack an account.

There may be other associations gleaned from open source data on a user that can be used to guess passwords or to get by security questions to change passwords.

Lastly, nation states have the resources to dig even deeper into breaking into accounts that we won't get into on this forum.

 

[Algr]

My rough calculation is that there are 2^25 or 33,554,432 passwords that are eight characters with each one key-adjacent to the next. I also suggested:

throw a ringer in the middle

All the services I use lock you out after three-to-five wrong guesses. Hackers aren't getting in by guessing between 33 million common passwords. They are getting in because they know exactly what your password is via the data leak. No amount of memorizing gibberish is going to protect you from that.

 

[anorlunda]

They are getting in because they know exactly what your password is via the data leak.

That's right. So the better protection is to change your passwords every 30 days. If you do that, by the time the criminals get around to exploiting the stolen passwords, you will have already changed yours.

Of course, the ultimate is a single-use password. I recall sometime in the 2000s, Visa was offering single-use CC numbers. But they quickly stopped offering that. I'm not sure why.

But once again, all this talk does not apply to PC unlock codes. Unlock is a special case.

 

[pbuk]

My rough calculation is that there are 2^25 or 33,554,432 passwords that are eight characters with each one key-adjacent to the next. I also suggested:All the services I use lock you out after three-to-five wrong guesses. Hackers aren't getting in by guessing between 33 million common passwords. They are getting in because they know exactly what your password is via the data leak. No amount of memorizing gibberish is going to protect you from that.

No, there have been very few data leaks of plain text passwords. Almost all the email/password combinations available on the dark web have been cracked by dictionary attacks on salted hashes. Choose an obvious password like the ones you suggest and you are vulnerable to a dictionary attack.

 

[jack action]

My rough calculation is that there are 2^25 or 33,554,432 passwords that are eight characters with each one key-adjacent to the next. I also suggested:

throw a ringer in the middle

When you are using a visual keyboard pattern (or a word, or a name, or a date, or whatever is a pattern thought by a human), you are reducing considerably this 33 million figure. When you know which ones are the most popular, it will take even fewer trials.

Even @jedishrfu 's example (igagik) is a pattern. How many popular songs are there that will be chosen by most people? A few thousand at most. Probably a few hundred will be enough to cover most possibilities. Trivial for a brute force attack.

A ringer in the middle? That's also a pattern thought by a human. Guess what? Most humans are similar and think alike and it's usually trivial to find it. That's why p4$$w0rd is still not a good password. That's why asking people to insert a special character doesn't work also, because most people will only add a "!" at the end of their password. People are predictable. Therefore, not only you will never need to check all possibilities, but the list of "probably thought by a human" passwords is much much much shorter than the entire list of possible passwords.

To be efficient, a password must be as random as possible (i.e. not generated by a human) and then you use a password manager. Brute-force doesn't work, social engineering doesn't work, reused password doesn't work, phishing scam doesn't work, and you don't have to remember anything! I don't see any reason to select anything else but a 64 hexadecimal password (256 bits entropy), which is basically a random number between 0.07e77 and 1.15e77 (assuming the first digit is not zero), still giving 1.08e77 possible integers.

All the services I use lock you out after three-to-five wrong guesses. Hackers aren't getting in by guessing between 33 million common passwords.

Yes, they do:

Dutch hacker Victor Gevers claims to have logged into President Trump’s Twitter account six years ago by guessing the password: “yourefired.”

Then he did it again. On Oct. 16, Gevers, 44, made an accurate guess, “maga2020!,” on his fifth try, according to Dutch prosecutors.

Funny, there's an exclamation point at the end. Who would've thought!

 

[jedishrfu]

One method I've always thought was superior to passwords was the zero-knowledge proof scheme where a couple of questions are asked that only the user knows. However, that means you are interacting with the computer and not doing meaningful work so companies rejected the idea.

https://en.wikipedia.org/wiki/Zero-knowledge_proof

You variants of this in the security questions that get asked to reset a password but the difference is that they are the same questions whereas in a zero-knowledge proof scheme the questions would always be different.

Questions are usually of the form:

What is the fifth letter of the college you graduated from?

What is the third letter of your password?

Anyone watching over their shoulder would not in one sitting be able to determine the answers. However, over many sittings its possible though very unlikely.

 

[Algr]

When you are using a visual keyboard pattern (or a word, or a name, or a date, or whatever is a pattern thought by a human), you are reducing considerably this 33 million figure.

No. I already accounted for that by using 4 bits per letter, and 3 after that. 33 million also excludes the ringer. There is a huge difference between "cdewq7sxz" and "maga2020!" Anyone who would use the latter is a moron.

 

[anorlunda]

No, there have been very few data leaks of plain text passwords. Almost all the email/password combinations available on the dark web have been cracked by dictionary attacks on salted hashes.

That's interesting. I've been trying to verify that, but no luck. That shouldn't be surprising. Any statement claiming to know what is on the dark web sounds like an oxymoron by definition. However, the article below implies that cracking encrypted password files is almost as easy as cracking passwords.

Security expert Bruce Schneier has a pretty comprehensive article on choosing secure passwords. It's too long to paste here, but the link is https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Here are a few gems from that article.

What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as “k1araj0hns0n,” “Sh1a-labe0uf,” “Apr!l221973,” “Qbesancon321,” “DG091101%,” “@Yourmom69,” “ilovetofunot,” “windermere2313,” “tmdmmj17,” and “BandGeek2014.”

This is why the oft-cited XKCD https://subrabbit.wordpress.com/2011/08/26/how-much-entropy-in-that-password/ for generating passwords—string together individual words like “correcthorsebatterystaple”—is no longer good advice. The password crackers are on to this trick.

Last year, Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break as many as possible. The winner got 90% of them, the loser 62%—in a few hours.

Pretty much anything that can be remembered can be cracked. [bold is mine]

There’s more to passwords than simply choosing a good one:

1. Never reuse a password you care about. Even if you choose a secure password, the site it’s for could leak it because of its own incompetence. You don’t want someone who gets your password for one application or site to be able to use it for another.
2. Don’t bother updating your password regularly. Sites that require 90-day—or whatever—password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it. [Note: this is the opposite to what I said in other posts.]
3. Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
4. One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It’s almost certainly a security improvement.

 

[jack action]

No. I already accounted for that by using 4 bits per letter, and 3 after that. 33 million also excludes the ringer.

That is not what I meant. By obeying a set of rules (for example choosing letters based on their position on a keyboard), you are excluding a lot of passwords that a hacker doesn't need to try.

As soon as you are using a set of rules to create your password, you're screwed. For example, here's a set of rules that was popular to get an easy-to-remember password: use an alternate of consonants and vowels (ex.: fiborazu). It's meaningless, but still easy to remember. But doing so - for someone who assumes you used this rule - you drop from 209 billion possibilities (= 26^8) to 207 million possibilities (= (20 X 6)^4).

There is a huge difference between "cdewq7sxz" and "maga2020!"

Not by that much. Your password is no more secure than "qwer7ty" because you are using a pattern based on the key positions on a keyboard. Which limits the possibilities just like orthography does with letters when forming words. I can assure you that there is a dictionary out there with all possible patterns on a keyboard, ordered by popularity.

Have you noticed that your ringer is a number? That's the first thing a human does instinctively, which again greatly limits the number of possibilities.

 

[Vanadium 50]

, because most people will only add a "!" at the end of their password.

Something like 40% of all passwords are of the form a capital letter, 5 lower case letters, the number 1, and an exclamation point. I suspect many of them are 5 or 6 character dictionary words as well.

There have been complaints about password managers and attacks (which did not cause a leak) but when the alternative is Password1! , which probably takes a millisecond to crack, what is the better strategy?

 

[anorlunda]

Good thread after separation from Chromebooks. I've learned useful things, and it made me think through the problem more, especially the secondary aspects of the security. Here is my summary. I tagged quotes from others; everything else is my opinion.

1. Never reuse a password you care about. -- Bruce Scheiner
a. If you have N online accounts, you need N secure passwords.
b. You must remember which password goes with which site.
c. A corollary: Never reuse the same email address for password recovery. If you have N online accounts, you need N password recovery email addresses and N email passwords.
i. An alternative is to use something other than email address as the account name. Then someone stealing your account name does not simultaneously get your recovery email address.
1. Some sites mandate a valid email address as the account name.
d. I tried and failed to delete old unused accounts. Many sites have no function for account deletion. Therefore, I have to forever remember the login information I used on those sites, in order to avoid reusing them.
i. When service providers go bankrupt, their assets including digital assets are sometimes sold to the highest bigger. Obviously, all provider security becomes moot. For example, a hospital in Phoenix failed to pay the rent on a warehouse storing patient medical records. The landlord sold the records at auction.
2. Pretty much anything that can be remembered can be cracked. -- Bruce Scheiner
As soon as you are using a set of rules to create your password, you're screwed. -- @jack action
a. That pretty much mandates a pseudo-random software pw generator. No human method or algorithm can be secure enough.
i. If using a machine generated pw, and machine entry of your pw, it might as well be the maximum length, because you will never type it in by hand. There is no advantage to shorter passwords. My password generator can produce 256 character passwords.
3. Unless you think your password might be compromised, don’t change it. -- Bruce Scheiner
a. Obvious corollary: If you do think your password may be compromised, change it immediately.
4. Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. -- Bruce Scheiner
5. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper. -- Bruce Scheiner
a. Unless your handwriting skills are exceptional, writing it down means printing it. A transcription error can be almost as damaging as password theft.
i. Since transcription errors are so easy, your paper list must be tested by trying to log in using the information on the paper.
b. Don’t forget to include both the password and the account name and the site on the paper.
c. You might die. Your house can burn down. Make sure your loved ones have access to a copy of that paper list, or access to the password manager.
i. Every time you change a password, you need to regenerate the list and distribute copies to your loved ones.
ii. If you use porn or other sites that you don’t want your loved ones to know about, you need a separate security system for those.
iii. Make sure that your loved ones secure their copy of the paper.
d. I can’t trust myself to do all that stuff on paper. For me, a password manager is the only practical solution. .
6. One more piece of advice: if a site offers two-factor authentication [or MFA], seriously consider using it. It’s almost certainly a security improvement. -- Bruce Scheiner

Not addressed in that list are the vulnerabilities of letting your login credentials be stored elsewhere. For example, I opt to let PF keep me logged in. I assume that means cookies, but sometimes browsers claim to store passwords.

Whew! What a headache all this stuff is. The future trend seems to be to use many-factor authentication, reducing or eliminating the need for secure passwords. I welcome that.

 

[FactChecker]

Any conceivable combination of 8 letters and numbers will have some kind of pattern.

Of course, the issue is the security of keyboard position patterns. The pattern 'qwerty' is probably the worst example. A password strength checker rates qwerty as "an open door" even though it would appear fairly random if you ignore keyboard positions.

 

[vela]

2. Pretty much anything that can be remembered can be cracked. -- Bruce Scheiner
As soon as you are using a set of rules to create your password, you're screwed. -- @jack action

I think Scheiner's claim is just a little bit over the top. You can make good passwords that you can remember but don't rely on a pattern, e.g., five or six random words generated by Diceware. Most password managers, I expect, allow the user to generate such a password as well.

i. If using a machine generated pw, and machine entry of your pw, it might as well be the maximum length, because you will never type it in by hand. There is no advantage to shorter passwords. My password generator can produce 256 character passwords.

You may never need to type in a password on your computer, but if you need to enter one on another device, you will quickly appreciate the benefits of a shorter, easier to enter password.

There are also places, for reasons I don't understand, that don't allow you to autofill a password or paste a password in. You're pretty much forced to type in those passwords. Personally, I wouldn't want to type in a 256-character password consisting of random characters.

3. Unless you think your password might be compromised, don’t change it. -- Bruce Scheiner

I think this advice is a holdover from the days before password managers. When people were forced to change their password, say, every six months, supposedly to increase security, they instead made things worse because users would opt for weak, easier-to-remember passwords.

Nowadays, a password manager may eliminate the problem of weak passwords, but changing your passwords frequently strikes me as a waste of time.

Not addressed in that list are the vulnerabilities of letting your login credentials be stored elsewhere. For example, I opt to let PF keep me logged in. I assume that means cookies, but sometimes browsers claim to store passwords.

Websites use cookies to keep you logged in. They can't access the passwords stored by a browser. That would be a gigantic security hole.

One vulnerability currently is that your login credentials are stored by the website, so you might follow the best practices, but the website may be compromised due to circumstances outside of your control.

Whew! What a headache all this stuff is. The future trend seems to be to use many-factor authentication, reducing or eliminating the need for secure passwords. I welcome that.

Me too. Microsoft, Google, and Apple recently committed to support the FIDO standard for password-less authentication, which relies on public and private keys and MFA. I hope this standard gets adopted quickly by sites once it rolls out.

 

[Vanadium 50]

For example, a hospital in Phoenix failed to pay the rent on a warehouse storing patient medical records. The landlord sold the records at auction.

Can you point me to this? It sounds like a pretty egregious HIPAA violation.

While I don't disagree with anything on the list, it does fail to put things in perspective. Think of security as a parallel network of resistors. Increasing the resistance of an alreday-high resistor doesn't change the network resistance. Similarly, changing your password from "password" to "Z!n33%DA" is more helpful than changing it from Z!n33%DA to Z!n33%DA1iQ@7w5Rnkr0d9mrDp.

 

[anorlunda]

Can you point me to this? It sounds like a pretty egregious HIPAA violation.

It happened in the 80s, so no link, and it predates HIPAA. But HIPAA, applies only to health care providers. Non providers who come into possession of confidential information by any means are not restricted by HIPAA. If the NY Times gets protected info, Congress shall pass no law prohibiting them from publishing it.

https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent.

Life insurance companies ask you to sign a waiver giving them access to your medical records. But HIPAA can't restrict what they do with the information thereafter because they are not covered entities.

 

[jack action]

You can make good passwords that you can remember but don't rely on a pattern, e.g., five or six random words generated by Diceware.

The keyword in your statement is "random". This means you take whatever the Diceware gives you on your first attempt.

The mistake to avoid is not to be tempted to generate another password until you find one set of words you find easier to remember. In such a case - even though all passwords were randomly generated - the selected one does follow some rules you made up to easily remember it.

 

[Vanadium 50]

This is a classic case of trying to improve an already very-secure part of the system.

 

[Vanadium 50]

ind a pattern in ANY ONE of these and I'll give you a prize:

nS3dQu4u

Oddly, this has the same cadence as I've Got A Gal In Kalamazoo.

"Hi there Tex, how's your new ro-mance"
"N S 3, d Q u 4 u"

 

[Vanadium 50]

Many, many years ago, when IBM 3278 terminals roamed the earth...

I worked in a shop where every so often (14 days?) we were assigned new passwords. Assigned. We didn't get to pick them. Security, you see. You'd log in and it would tell you "your new password is"...sorry, it was the olden days.."YOUR NEW PASSWORD IS" and then seven random characters.

People were expected to memorize this in a few seconds, and of course each system had a different password .Security, you see.

Fortunately, we all had notepads on our desk, so we could quickly write down the new passsword before it faded from view, and conveniently, the 3278 had a little hinged cubbyhole for pens, paperclips, and little slips of paper.

Security, you see.

 

[pbuk]

No. I already accounted for that by using 4 bits per letter, and 3 after that. 33 million also excludes the ringer. There is a huge difference between "cdewq7sxz" and "maga2020!" Anyone who would use the latter is a moron.

Now you are arguing against yourself. Yes there is a huge difference between "cdewq7sxz" and "maga2020!", but there is not a huge difference between "sw234rfd" and "maga2020!", in fact "sw234rfd" appears to be associated with at least 38 password leaks!

 

[Algr]

That is not what I meant. By obeying a set of rules (for example choosing letters based on their position on a keyboard), you are excluding a lot of passwords that a hacker doesn't need to try.

Ugg! I just told you that I accounted for that. There are 16 keys that don't border any edge on the keyboard. So that is 4 bits. Then there are eight keys surrounding those 16. That is 3 bits per key. So: 7x3+4 = 25 bits. 2^25 = 33,554,432 possible passwords using the adjacent key tactic. And that ignores the salt.

But doing so - for someone who assumes you used this rule - you drop from 209 billion possibilities (= 26^8) to 207 million possibilities (= (20 X 6)^4)

Five chances out of 207 million before the account locks up? That is NOT how the hackers are getting through.

Yes there is a huge difference between "cdewq7sxz" and "maga2020!", but there is not a huge difference between "sw234rfd" and "maga2020!",

"cdewq7sxz" is my tactic with salt as I originally described.

 

[pbuk]

Five chances out of 207 million before the account locks up? That is NOT how the hackers are getting through.

No it isn't. You have repeatedly been told how the "hackers are getting through" - they are using matched lists of passwords and email accounts. To find out more about where these lists have come from see https://www.troyhunt.com/password-r...other-1-billion-records-in-have-i-been-pwned/

 

[Algr]

You have repeatedly been told how the "hackers are getting through" - they are using matched lists of passwords and email accounts.

Then why aren't you acknowledging the obvious consequence of this. Your password could be a billion digits long, but it won't make any difference if the hackers already have it.

 

[pbuk]

No, there have been very few data leaks of plain text passwords. Almost all the email/password combinations available on the dark web have been cracked by dictionary attacks on salted hashes. Choose an obvious password like the ones you suggest and you are vulnerable to a dictionary attack.

That's interesting. I've been trying to verify that, but no luck.

One source for partial verification is https://haveibeenpwned.com/PwnedWebsites.

This lists 628 data breaches, with "plain text" mentioned 87 times, "MD5" (an insecure method of password hashing) 186 times and "SHA" (a less insecure method of password hashing but still useless for insufficiently complex passwords) 66 times.

Not very scientific, but as you say we should be careful not to over-analyse data which is by its very nature intended to be shared covertly.

 

[pbuk]

Then why aren't you acknowledging the obvious consequence of this. Your password could be a billion digits long, but it won't make any difference if the hackers already have it.

Of course it wont, but if a password is insufficiently complex, is easy to guess, or was used on a service that has suffered a plain text or poorly hashed password leak such as the Adobe leak of 153 million accounts you can pretty much guarantee that the hackers already have it.

A sufficiently complex, hard to guess password, is only vulnerable if it has been leaked in plain text.

 

[Algr]

SOCIAL ENGINEERING:​

The most successful tool for hackers is not guessing passwords, but social engineering. The PEOPLE using your system are as vital a part of it as any software or hardware. The hackers know this. If your IT department doesn't understand PEOPLE, they are a bad IT department. Overloading your people with excessive burdens is just as much IT's fault as any other hardware failure:

Random passwords generated every two weeks? That is TERRIBLE security because HUMANS don't work that way. As Vanadium 50 and others have mentioned before, excessively burdensome passwords inevitably result in the above pic.

SECURITY = the DIFFERENCE between the difficulty of a legitimate user logging in, and the difficulty of a hacker logging in.​

If you bury a hard drive in cement, it isn't secure, it is useless. The hacker will probably have the best tools to get it out, while legitimate users are stuck.

This is why there are so many security failures in major corporations. IT is so busy keeping out the hackers that they make legitimate users their enemy, who have no choice but to undermine security in order to get any work done.

 

[Algr]

Of course it wont, but if a password is insufficiently complex, is easy to guess, or was used on a service that has suffered a plain text or poorly hashed password leak such as the Adobe leak of 153 million accounts you can pretty much guarantee that the hackers already have it.

A sufficiently complex, hard to guess password, is only vulnerable if it has been leaked in plain text.

Technically true, but you are WAY past the point of diminishing returns if you are saying that anything that can be memorized is a bad password. It's like mopping the deck on a sinking ship - it may superficially look like it helps, but it is completely failing to recognize what the problem really is. As I showed in the previous post, making passwords too burdensome results in LESS security, not more.

 

[pbuk]

Technically true, but you are WAY past the point of diminishing returns if you are saying that anything that can be memorized is a bad password.

I have not said that. I have said that anything that is based on a keyboard pattern is a bad password.

 

[Algr]

I have said that anything that is based on a keyboard pattern is a bad password.

And I've got 33 million passwords that say you are wrong.