The Virtues and Vicissitudes of Passwords

  • Thread starter: FactChecker
AI Thread Summary
The discussion centers around the security implications of using passwords for unlocking devices, particularly Chromebooks, where users express frustration over being forced to use a single Google password for multiple services. This practice is viewed as a security flaw, as it encourages weaker, easily memorable passwords. Participants advocate for unique, complex passwords for different accounts and suggest using passphrases instead of traditional passwords for better security. The conversation highlights the importance of understanding individual security needs, with some users opting for simpler unlock methods like PINs or no locks at all for convenience. There is a consensus that patterns in passwords are risky, as they can be easily predicted by attackers. The effectiveness of password managers and two-factor authentication is emphasized as a means to enhance security. Additionally, the discussion touches on the vulnerabilities associated with data breaches and the necessity of changing passwords regularly to mitigate risks. Overall, the thread underscores the evolving landscape of password security and the shift towards multi-factor authentication as a more secure alternative.
  • #51
Algr said:
And I've got 33 million passwords that say you are wrong.
werfvcxs - pwned 67 times
234rfdsw - pwned 43 times
uiol.,mj - pwned 1 time

How many more of the 33 million would you like to try?
 
  • #52
What does "pwned" mean? One recorded use of the password that was not guessed, but found on a leaked list? What good does that do for the hacker once they try to hack someone else? I have over 300 passwords. How many lines of gibberish can you remember?
 
  • #53
I didn't know that "Vissitude" was a real word. I only know it from World of Darkness, where it is something not good. Even my spell check doesn't know the word.
 
  • #54
Algr said:
What does "pwned" mean?
https://haveibeenpwned.com/

Algr said:
One recorded use of the password that was not guessed, but found on a leaked list?
"pwned 43 times" means that the password has been found 43 times on lists of matching email addresses and passwords submitted to HIBP (link above). If you go to the HIBP site it will tell you where the data came from.

Algr said:
What good does that do for the hacker once they try to hack someone else?
None at all. Hackers don't need to attack everybody, so they only try easy targets: those whose hashed passwords they have cracked. If you have an easy password then it is likely that it has been cracked; you can lessen the odds by increasing the complexity.

Algr said:
I have over 300 passwords. How many lines of gibberish can you remember?
I can only reliably remember 5 passwords, for which I have mnemonics. I don't need to remember any others, I use a password manager.
 
Last edited:
  • #55
:: Hacks pbuk's password manager using a keystroke monitor, or similar exploit. ::
 
  • #56
You don't really mean that, do you? Because one can use a keylogger to crack secure passwords, it's OK to use insecure ones?

Do you believe that because your front door can be dynamited open, there is no need for a lock?
 
  • Like
Likes russ_watters and pbuk
  • #57
Algr said:
It's like mopping the deck on a sinking ship - it may superficially look like it helps, but it is completely failing to recognize what the problem really is. As I showed in the previous post, making passwords too burdensome results in LESS security, not more.
If you can see the guy outside with the dynamite, choosing that moment to install a lock does seem rather silly.
 
  • #58
If the hacker has your password, and also your account name, then it makes no difference how long or complex your password was.

If the hacker has a list of 33 million passwords and one of them happens to be yours, then how does he make use of that? What is the risk?

Keys.jpg


BTW, here is the lock on your front door. How many different keys would you say are possible based on what you see here?
I get 1024.
 
Last edited:
  • #59
Algr said:
If the hacker has your password, and also your account name, then it makes no difference how long or complex your password was.
Nobody is disputing that, there is no point in repeating that obvious point. And neither is anyone suggesting that you should have excessively long and complex passwords.

What everyone is saying is that you should have sufficiently complex passwords: you are suggesting that 25 bits of entropy is enough and this is not correct.

Algr said:
If the hacker has a list of 33 million passwords and one of them happens to be yours, then how does he make use of that?
I don't know how I can explain this so you can understand, but I will try yet again: every time there is a leak of credentials (emails linked to password hashes), he checks each password hash against each of the 33 million passwords. If one of those password hashes is yours and your email is included in the leak then he can log into your account on that server. He can also try those credentials on thousands of other servers because people who choose weak passwords are also likely to use them more than once.
 
Last edited:
  • #60
Algr said:
I didn't know that "Vissitude" was a real word.
It isn't. The correct spelling is vicissitude.
 
  • #61
Algr said:
BTW, here is the lock on your front door. How many different keys would you say are possible based on what you see here?
But here there are additional security factors:
  • There are no lists of keys corresponding to addresses.
  • In order to try a key the attacker has to come to your door.
 
  • #62
My father used the same password for all his accounts, including his credit card. Then there was the breach at Adobe. I told him numerous times to change all the passwords, but he insisted that no one would be able to track him. He didn't believe in password managers and used to jot down all the passwords in a .docx file.

Years later, there was a mysterious transaction on his credit card on some Chinese website. There were two transactions, one with a small amount, and then with a huge amount. Thankfully, our bank blocked the card after the small transaction, and hence the latter didn't succeed. Later, the bank also reversed the small amount. They said that the Chinese website was already in their blacklist.

Finally, he agreed to use random passwords and a password manager. I had a sigh of relief.
 
  • #63
"Change your password every three/six months"
Dreadful advice, as the number of passwords to change is ridiculous and the chance of getting locked out because of a mistake is high. It leads to people just adding a number at the end and adding one to it at each change date.

A college I lectured at gave all new students the same password - changeme! - on day one. Many did update it; some forgot to and got hacked. They were also told to change it at three-month intervals. And if they forgot to change it, it was automatically changed for them by the system - back to changeme!. So after term-time breaks, accounts got hacked again, because students thought: why change it now and not use it for a month? Wait till next term starts. Eventually enough lecturers complained that automated changes back to changeme! meant students could try to hack lecturers' accounts!
 
  • Like
  • Wow
Likes Algr and Wrichik Basu
  • #64
pbuk said:
But here there are additional security factors:
  • There are no lists of keys corresponding to addresses.
  • In order to try a key the attacker has to come to your door.
A well-known car manufacturer, name begins with F, during the 80s and 90s had only FOUR different car keys for a while. Thieves loved them.
At a sports event where we all knew at least half the people there, a friend got locked out of his car and was going to break the small side window with a hammer and get me to slip my skinny arm in and unlock it. I simply got out my key and said try this, if it fails, just ask friend after friend with a car by this manufacturer and you'll get in with no damage. And mine worked! Even though it was a different model and several years older than his car. Reward was a drink in the bar.
 
  • Like
  • Haha
Likes Algr and Wrichik Basu
  • #65
pbuk said:
The correct spelling is vicissitude.
This is good for passwords - it's not a dictionary word!
 
  • Haha
Likes pbuk
  • #66
Algr said:
If the hacker has a list of 33 million passwords and one of them happens to be yours, then how does he make use of that? What is the risk?
We apparently are still unclear. Maybe a specific example will help. Consider the following users:
User      Password
Alice     baseball
Betty     qwerty
Charlene  &#JpS63UDj8Zvp2n
Donna     Z6s2a*#*qKP%hQDG

Storing a file with the name and password is horribly insecure - if that file leaks or is stolen, everybody is compromised. So instead, there exists a file containing users and the output of a function that takes the password as input. The actual test is not "has the user entered the same password as in the database" but rather "has the user entered a password that produces the same output as stored in the password database when this function is applied". So what's actually stored is more like this:

User      Password Output
Alice     67863462408908
Betty     56536561877978
Charlene  11780956528780
Donna     31268681278999

Now if the password database is stolen, it is less bad. It's still very bad, but at least it doesn't expose all four passwords.

However, the thief can keep trying passwords as often as she wants as quickly as she wants. It doesn't matter if the real system locks you out after N incorrect attempts in M minutes, because the thief can wait until she has a hit before trying. All she has to do is apply the password function to every password she can think of and see if it matches one of the four numbers above when the password function is applied.

Obviously, the place to start is the list of most common passwords. This includes words like "baseball" and keyboard patterns like qwerty.

If one can test 1000 words per second (which sounds low in this age of parallel processing), the most common "acceptable" password form - a six-letter word with the first letter capitalized, a number, and an exclamation point - takes on average two minutes to find by brute force. Less secure ones, like dictionary words and keyboard patterns, are just that much faster.
 
  • Like
Likes PeroK and pbuk
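The storage scheme and the offline guessing described in post #66, worked through as an added Python example (not code from the thread or from any poster). It uses the four sample users from the post and a constructed six-entry stand-in for a "most common passwords" list; with a fast, unsalted hash as the "password function", a single pass over the common list identifies Alice's and Betty's accounts, while the salted, deliberately slow PBKDF2 records make every guess cost a full derivation and give identical passwords different stored values. The registration check and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: the four users from post #66. Plaintext appears here
# only to build the demonstration; a real system never keeps this table.
USERS = {
    "Alice": "baseball",
    "Betty": "qwerty",
    "Charlene": "&#JpS63UDj8Zvp2n",
    "Donna": "Z6s2a*#*qKP%hQDG",
}

# Constructed stand-in for a "most common passwords" list; real lists run to
# millions of entries (the HIBP service mentioned earlier is one source).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "baseball", "football", "letmein"]


def fast_unsalted_hash(password: str) -> str:
    """The post's 'password function' when it is a plain, fast, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def accounts_matching_common_list(stored: dict[str, str]) -> set[str]:
    """Audit a fast-hash store: which accounts hold the hash of a common password?
    Each common password is hashed once and looked up against every account,
    which is why an unsalted store falls in a single pass."""
    by_hash = {fast_unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return {user for user, digest in stored.items() if digest in by_hash}


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Store a password with a per-user random salt and a deliberately slow
    key-derivation function (PBKDF2-HMAC-SHA256; iteration count is illustrative)."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": derived.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(derived.hex(), record["hash"])


def registration_allowed(password: str) -> bool:
    """Refuse passwords on the common list at registration (assumed policy), so
    the cheap dictionary pass above has nothing to find."""
    return password not in COMMON_PASSWORDS


def demo() -> set[str]:
    """Build the fast-hash store for the four sample users and audit it."""
    store = {user: fast_unsalted_hash(pw) for user, pw in USERS.items()}
    return accounts_matching_common_list(store)


def salted_store_demo(password: str) -> tuple[bool, bool, bool]:
    """Returns (correct password verifies, wrong case fails, two records differ)."""
    first = make_record(password)
    second = make_record(password)
    return (
        verify(first, password),
        not verify(first, password.swapcase()),
        first["hash"] != second["hash"],
    )


if __name__ == "__main__":
    print("recoverable with the common list:", sorted(demo()))
    print("salted store checks:", salted_store_demo("&#JpS63UDj8Zvp2n"))
```

The salt does not make an individual weak password strong; it only stops one hash computation from being reused across every account, and the slow derivation caps the guess rate. The common-list refusal at registration is what actually removes "baseball" and "qwerty" from the store.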
  • #67
So hacking the server doesn't usually get you the passwords, just this "hash" that can tell you if the password is right or not. At two minutes per password, it would take 3.8 years for a hacker to break them all. Not good, but not "walk right in" either. And when used, the server would still know that the request is coming from a different machine and IP, and can react accordingly. Given how often I have servers suddenly fail to recognize passwords I have written down, I can't see the burden getting any higher without people just giving up on one account after another.

The problem I have with password managers is that I don't believe the claim that "You'll never have to type the password in yourself." What if I need to log in from a different device? It isn't humanly possible to write down Il|1¡iO0りˆ^`' on a piece of paper and then type it back correctly a year later. Even case sensitive passwords are a major issue. We are all taught to reflexively change lower case letters to upper case at the beginning of a sentence and in many other places. It is not natural for us to think of them as separate objects. This is what my analogy pic with the burning resistor is about.

https://www.wired.com/story/apple-p...4724cd-c3e2-43ed-b8f4-ec7850c212d3_popular4-1

I'm reading this now. I'm hopeful, but these are the people who said that webcam would be unhackable.
 
  • #69
Algr said:
So hacking the server doesn't usually get you the passwords, just this "hash" that can tell you if the password is right or not. At two minutes per password, it would take 3.8 years for a hacker to break them all. Not good, but not "walk right in" either. And when used, the server would still know that the request is coming from a different machine and IP, and can react accordingly. Given how often I have servers suddenly fail to recognize passwords I have written down, I can't see the burden getting any higher without people just giving up on one account after another.

The problem I have with password managers is that I don't believe the claim that "You'll never have to type the password in yourself." What if I need to log in from a different device? It isn't humanly possible to write down Il|1¡iO0りˆ^`' on a piece of paper and then type it back correctly a year later. Even case sensitive passwords are a major issue. We are all taught to reflexively change lower case letters to upper case at the beginning of a sentence and in many other places. It is not natural for us to think of them as separate objects. This is what my analogy pic with the burning resistor is about.

https://www.wired.com/story/apple-p...4724cd-c3e2-43ed-b8f4-ec7850c212d3_popular4-1

I'm reading this now. I'm hopeful, but these are the people who said that webcam would be unhackable.
You wouldn’t have to use Il|1¡iO0りˆ^`' you can compensate just by making your password longer. inzlsybkueuxkuxzjlwbbhbol has no special characters but more entropy.
 
  • #70
Where did you get "inzlsybkueuxkuxzjlwbbhbol" from? All the password generators I've seen are bit wize and mind foolish.
 
  • #71
Algr said:
Where did you get "inzlsybkueuxkuxzjlwbbhbol" from? All the password generators I've seen are bit wize and mind foolish.
https://www.lastpass.com/features/password-generator
 
  • Informative
Likes Algr
  • #72
Interesting. The first thing it told me was "phydnaphotor".

Edit: Unfortunately most sites will not let you use "ierfairedwainjugstimerylverticarypionictuciansangl" as a password because it contains no numbers, special characters, or squirrel sounds.
 
  • #73
Algr said:
Interesting. The first thing it told me was "phydnaphotor".

Edit: Unfortunately most sites will not let you use "ierfairedwainjugstimerylverticarypionictuciansangl" as a password because it contains no numbers, special characters, or squirrel sounds.
Then you just pad them all with !1; they still aren't cracking it.
 
  • #74
Prisencolinensinainciusol

Oh no — pwned!
This password has been seen 3 times before.
 
  • #75
Use your fingers randomly on the keyboard when creating your password. That is your algorithm, and it can't be cracked by hashcat or by unknown, specific hash algorithms created by unknown creators. Define your hash with your neural random functions.
 
  • Like
Likes Wrichik Basu
  • #76
Algr said:
The problem I have with password managers is that I don't believe the claim that "You'll never have to type the password in yourself." What if I need to log in from a different device?
It sounds like you made up your mind about password managers without ever having used one or even looked into them.

These days, the only places I have to type in a password manually are on web pages where, for some reason, pasting into a password field is disabled. For these cases, I typically use a password that consists of several words chosen by random.

Algr said:
It isn't humanly possible to write down Il|1¡iO0りˆ^`' on a piece of paper and then type it back correctly a year later.
If you were using a password manager, you wouldn't have to write it down on paper and type it back in.

Algr said:
Even case sensitive passwords are a major issue. We are all taught to reflexively change lower case letters to upper case at the beginning of a sentence and in many other places. It is not natural for us to think of them as separate objects. This is what my analogy pic with the burning resistor is about.
When I'm typing a password, I'm not thinking I'm typing a sentence and therefore have to capitalize the first letter and include punctuation.
 
  • Like
Likes Vanadium 50
  • #77
aeth3r said:
Use your fingers randomly on the keyboard when creating your password.
Nonsense.

What people think of as "random" is not. For example, if you ask people to write down a string of random digits, consecutive digits will differ far more often than if they were random.

If you want a random password, use a random password generator. Faster, easier, and more secure than making up something on your own.
 
  • Like
Likes vela
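Two points from the thread put into numbers, as an added Python example that is not from any poster: post #69's claim that a longer all-lowercase password such as inzlsybkueuxkuxzjlwbbhbol carries more entropy than a short string of exotic symbols, and post #77's point that a generator should supply the randomness rather than a person. The entropy figures assume every character is drawn uniformly from the alphabet (which holds for generator output, not for a password a person composes); the word list, the adjacent-repeat statistic used to illustrate non-randomness, and the guess-rate arithmetic are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed mini word list for the passphrase generator. A real list (a
# diceware-style list, for example) has thousands of words, which is what
# gives each chosen word its entropy.
WORDS = ["correct", "horse", "battery", "staple", "vicissitude", "resistor",
         "baseball", "lantern", "granite", "pelican", "saddle", "quartz"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string whose every position is drawn uniformly from an
    alphabet of alphabet_size symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def average_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the search space."""
    return (2 ** bits / 2) / guesses_per_second


def random_lowercase(length: int) -> str:
    """Generator-style password: lowercase letters from the OS CSPRNG."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def random_passphrase(words: int, wordlist=WORDS) -> str:
    """Several words chosen at random, the style post #76 types by hand."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def random_digits(length: int) -> str:
    return "".join(secrets.choice(string.digits) for _ in range(length))


def adjacent_repeat_rate(digits: str) -> float:
    """Fraction of adjacent positions holding the same digit. For truly random
    decimal digits this is 1/10; digits people make up to 'look random' tend
    to repeat less often, which is the bias post #77 describes."""
    pairs = list(zip(digits, digits[1:]))
    return sum(a == b for a, b in pairs) / len(pairs)


if __name__ == "__main__":
    for label, n, k in [("13 chars from 95 printable symbols", 13, 95),
                        ("25 lowercase letters", 25, 26),
                        ("16 chars from 95 printable symbols", 16, 95)]:
        print(f"{label}: {entropy_bits(n, k):.1f} bits")
    # The constructed 12-word list gives only log2(12) ~ 3.6 bits per word.
    print("4 words from the mini list:", f"{entropy_bits(4, len(WORDS)):.1f} bits")
    print("sample lowercase password:", random_lowercase(25))
    print("repeat rate of CSPRNG digits:", round(adjacent_repeat_rate(random_digits(50_000)), 3))
```

At 25 letters the lowercase string comes to about 117 bits, against roughly 85 bits for 13 characters drawn from the full printable set, so padding with !1 as post #73 suggests adds a little but the length is doing the work. The repeat-rate check is a crude test; it is enough to show that a CSPRNG sits at the expected 0.10 while a hand-typed string usually will not.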
  • #78
vela said:
It sounds like you made up your mind about password managers without ever having used one or even looked into them.
This. Maybe even This++.

vela said:
These days, the only places I have to type in a password manually are on web pages where, for some reason, pasting into a password field is disabled
This can often be worked around. For example, Treasury Direct thinks it's more secure to use a virtual keyboard - but that of course provides an incentive to keep passwords short. There is a Greasemonkey script that makes this work just like a regular password.
 
  • #79
Vanadium 50 said:
Nonsense.

What people think of as "random" is not. For example, if you ask people to write down a string of random digits, consecutive digits will differ far more often than if they were random.

If you want a random password, use a random password generator. Faster, easier, and more secure than making up something on your own.

You're right. That can apply only to experienced computer users. I thought this because it increases entropy in cryptography. Random password generators are generally safe only from trusted developers, and those passwords are third-party data. I'm sensing only with my hands, without patterned typing and linguistic words, dates, numbers and symbols on the keyboard. Is a system with higher uncertainty and more chaos, 100% safer, possible without hands?
 
  • #80
vela said:
It sounds like you made up your mind about password managers without ever having used one or even looked into them.
That's quite an assumption. I have trouble getting iCloud to sync. Sometimes it does, sometimes I have to text records to myself. I don't know why. Passwords that I have written down and used suddenly stop working for no reason, and I have to call and spend hours on the phone getting into my account. Security questions don't work because I was one letter off on how a street name from my childhood was spelled. The stuff we have now doesn't work reliably. I get locked out of stuff too often now, and it consumes so much time fixing it. Why assume that some new replacement will be reliable when so much that is out there now is not?

Do you know what has been reliable for me? Fingerprint scanners. And they got rid of them. ::Eyeroll::

BTW: If these corporate experts are so good, why are their records always leaking?
 
  • #81
Algr said:
That's quite an assumption. I have trouble getting iCloud to sync. Sometimes it does, sometimes I have to text records to myself. I don't know why. Passwords that I have written down and used suddenly stop working for no reason, and I have to call and spend hours on the phone getting into my account. Security questions don't work because I was one letter off on how a street name from my childhood was spelled. The stuff we have now doesn't work reliably. I get locked out of stuff too often now, and it consumes so much time fixing it. Why assume that some new replacement will be reliable when so much that is out there now is not?

Do you know what has been reliable for me? Fingerprint scanners. And they got rid of them. ::Eyeroll::

BTW: If these corporate experts are so good, why are their records always leaking?

Most leaked data is provided by malware or web security vulnerabilities. This is because of web and software vulnerabilities, or direct breaches of the server database. It's not related to passwords or random password generators. Password generators are still useful for blocking crackers' possibilities.
 
  • #82
aeth3r said:
Most leaked data is provided by malware or web security vulnerabilities. This is because of web and software vulnerabilities, or direct breaches of the server database.
Lots of passive voice to avoid saying "The people who screwed up are telling us how to fix the mistakes they keep making." Maybe it is all true, and there are no better alternatives, but I resent the implication that the situation is all my fault for having human-level information processing capabilities.
 
  • #83
Algr said:
Lots of passive voice to avoid saying "The people who screwed up are telling us how to fix the mistakes they keep making." Maybe it is all true, and there are no better alternatives, but I resent the implication that the situation is all my fault for having human-level information processing capabilities.
Nobody said there aren’t better alternatives. People are saying what the best practices are for the situation we are currently in.

Your posts don’t seem all that interested in why these are suggested. It sounds like you just want to vent about how bad software is. Trust me, nobody is going to argue with this, especially software engineers.
 
  • Like
Likes vela
  • #84
In every other aspect of life it is just understood that there is a trade-off between convenience and security, but for some reason computers have to be magic.
 
  • #85
This thread has had a long and happy life, and is now locked. It will take the correct pa$$word to unlock it for any further discussion... :wink:
 
Last edited:
  • Haha
Likes Wrichik Basu and pbuk