passwords

Discussion in 'Computer Science & Culture' started by leopold, May 5, 2014.

  1. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    This is where such things as OpenID.net could come in handy. Where you deal with a Data aggregator for your username/password combination (and any subsequent tests) and through various site agreements you can login through that aggregator on their sites. The only concern however is the "One password to rule them all" mentality, *if* someone manages to break in, they automatically have access to the cloud of sites you currently use and even the ones you've not accessed yet. (They are slowly but surely trying to make the idea more secure)
     
  3. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    *nods*

    I rather liked my old Sandisk U3 Drive - it had an application on it called GoldKey - it used a highly encrypted "master password" that was stored only on the key itself. Then, within that application, you could have as many logins for sites as you wanted - the nice thing was, since you didn't have to remember them, you could make them obscenely long. It also integrated pretty well with Firefox, allowing for auto-filling of logins once you had entered the master password.

    I was sad when that drive finally died on me (I had enough advance warning to change to passwords I could remember thanks to its onboard diagnostics)
     
  5. !!!!!batman!!!!! Registered Member

    Messages:
    30
    There are apps for Android tablets now that, instead of having a password, let you press your thumb to the touch screen so it reads your fingerprint. As touch screens become more prevalent, I expect this to start becoming an option for websites.
     
  7. Defined By Labels Banned Banned

    Messages:
    11
    I combine dates and use different formats for different websites.
    One thing that I recently started doing, which is a bit overkill, is that I own a spare laptop. I've dabbled in some C++ and have created a manual-input encryption program running an algorithm that I constructed myself. I have my spare laptop offline and have a text file stored on it, encrypted with BitLocker. Within the file is a database of my passwords encrypted with my algorithm. So if, on the off chance, I forget a password, it's there, or if I have to change a password, I just have to update it in the file.

    On some websites that allow it, I sometimes have 30-character passwords. But on the last page someone mentioned that having a longer password could actually make it weaker based on the backend encryption process... I'll have to go read up on that.
     
  8. danshawen Valued Senior Member

    Messages:
    3,951
    Our society and IT departments have been in a state of denial about passwords providing any semblance of security for some time.

    Microsoft, McAfee, and Norton were complicit about leaving a gaping security hole in the way email servers interacted with browsers that allowed stealing of passwords and the content of emails themselves for over 20 years.

    The Secure Sockets Layer encryption keywords were deliberately hard-limited by NSA regulation and law to allow them to be cracked by their computer systems. The Heartbreak virus exploited this. We all had to change our passwords while the entire internet changed SSL encryption to something stronger. Phil Zimmermann's PGP software offered an email encryption solution, but he literally had to leave the country in order to market it.

    I recently received notification from Verizon about needing to change from WEP to WPA2 wireless encryption. Same deal. WEP was hard limited in terms of the encryption keyword lengths, and for the same reason.

    Is anyone else getting tired of this? Password encryption is a joke. Password management software is a bigger joke.
     
  9. sideshowbob Sorry, wrong number. Valued Senior Member

    Messages:
    7,057
    I tried the Kaspersky password checker with a password similar to one that I commonly use. It says it would take 3 months to brute-force it (32 years if I remove one character).

    That's plenty secure for me. And I can remember it.
     
  10. TBodillia Registered Senior Member

    Messages:
    159
    I'm a bit of a student of languages, from back in the days of the USSR. I like to use words from foreign languages as the root for passwords. Especially words we made up while learning the different languages (bažina is swamp so bažinac would be The Swamp Thing!)

    I mention this because the linked password checker seems skewed to English.
    Czech: 1Bez2Do3 takes 2 days to brute-force.
    English: 1Run2To3 takes 55 minutes.

    Bez do (basically) = run to

    The Jeff Foxworthy redneck word "widjadidja" takes 21 hours to brute-force; making it "w!dj@d!dj@" bumps it to 7 months. This part is odd: w!dj@d!dj@3 clocks in at 6 years, but 3w!dj@d!dj@ rates 67 years?? 11x longer because you put the number in front instead of at the rear?
     
  11. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    To be honest it doesn't actually matter what language is used for a password.

    ASCII/Unicode characters (or other language code pages) can be broken down to their reference number or their pure binary version (that's 7-8 bits per character with ASCII). Brute-forcing can then be applied at the binary level. The timing of brute-forcing a character is just applied to the length it takes to cycle through all variations of binary for one character at a time. (0)0000000 to (1)1111111 gives you a total of 128 or 256 iterations (respectively); with each additional character, the position of the actual character in reference to that timing is then applied as a multiplier.

    (Incidentally, brute-forcing ASCII or Unicode won't even use the full 128/256 iterations, since the characters actually used don't necessarily reside throughout the whole binary range; some programs would therefore miss characters in a crack attempt.)
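    The arithmetic in the two posts above (the checker results for 1Bez2Do3 versus 1Run2To3 and for the digit placed before or after w!dj@d!dj@, and the alphabet-size-to-the-power-of-length reasoning) can be checked directly. The script below is an added example, not code from the thread or from any password checker; it assumes the four printable-ASCII classes (26 lower, 26 upper, 10 digits, 32 symbols), treats any character outside them as belonging to the other 128 values of an 8-bit code page, and uses a tiny constructed English word list to show why a checker that looks for dictionary words rates the English password lower even though its exhaustive-search keyspace is identical to the Czech one.

```python
import math
import string

# Printable-ASCII classes an exhaustive search must cover. The sizes
# (26 + 26 + 10 + 32) are the assumed breakdown for this example.
CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation), 32),
}
# Assumption: anything outside those classes (e.g. the Czech "ž") is counted
# as the remaining half of an 8-bit code page, following the post's
# "(1)1111111 gives you 256 iterations" reasoning.
OTHER_CLASS_SIZE = 128

# Constructed, deliberately tiny English word list for the dictionary check.
WORDLIST = frozenset({"run", "to", "do", "the", "swamp"})


def char_class(ch):
    """Name of the class a character falls in, or 'other' for non-ASCII."""
    for name, (chars, _) in CLASSES.items():
        if ch in chars:
            return name
    return "other"


def alphabet_size(password):
    """Smallest per-character alphabet an exhaustive search has to cover."""
    used = {char_class(ch) for ch in password}
    return sum(OTHER_CLASS_SIZE if c == "other" else CLASSES[c][1] for c in used)


def keyspace(password):
    """Candidates in an exhaustive search over that alphabet and length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password):
    """log2 of the keyspace: bits a brute-force search has to cover."""
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return keyspace(password) / guesses_per_second


def dictionary_words(password, wordlist=WORDLIST):
    """Alphabetic runs of the password that appear in the word list (lowercased).

    This is the kind of heuristic a strength checker adds on top of raw
    keyspace; it is what makes the result language-dependent.
    """
    words, current = [], ""
    for ch in password + " ":  # trailing space flushes the last run
        if ch.isalpha():
            current += ch
        else:
            if current and current.lower() in wordlist:
                words.append(current.lower())
            current = ""
    return words


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, guesses per second
    for pw in ("1Bez2Do3", "1Run2To3", "w!dj@d!dj@3", "3w!dj@d!dj@", "bažina"):
        print(f"{pw:12} alphabet={alphabet_size(pw):3} bits={entropy_bits(pw):5.1f} "
              f"exhaust={seconds_to_exhaust(pw, rate):12.0f}s words={dictionary_words(pw)}")
```

Running it shows that the Czech and English passwords share a 62^8 keyspace and that moving the digit from the end of w!dj@d!dj@ to the front leaves the 68^11 keyspace untouched; the only thing that differs between the pairs is the dictionary hit count, which is where the checker's language skew comes from.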
     
  12. Sylvester Registered Senior Member

    Messages:
    467
    Good point. I prefer an "open ID", but it will probably never be fully implemented, for the reasons you specify.

    Why are some sites not letting you cut and paste your password?
     
  13. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    The attempt to block cutting and pasting passwords is due to a number of reasons.

    If your password is placed into a buffer and you have a trojan on your machine, the password can be automatically captured in its true form (paste buffers have never used runtime encryption). However, if you have a trojan on your machine, it's likely that typing in the password is going to have a key logger applied to it, so it's going to get captured either way.

    Another reason is the speed at which people can attempt to log in: this means either multiple attempts in a short duration, leading to the potential of cracking the password in poorly implemented environments, or the equivalent of a DDoS attack, where multiple attempts to log in can bring the whole login process to a standstill (obviously on large multi-user sites this could be a problem).

    In any case, I doubt that it's actually as effective as it was initially considered, since anyone wanting to crack in could write "around" this attempted security measure by emulating keyboard strokes etc.
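    The "poorly implemented environments" the post refers to are the ones where nothing slows a burst of automated attempts against one account, and blocking paste does nothing about that. The usual server-side answer is to throttle failures per account with a delay that grows with each further failure. The code below is an added example, not code from the thread or from any forum software; the threshold, base delay and cap are assumed values, the clock is injectable so the burst can be simulated deterministically, and the password verifier is a stand-in callback.

```python
import hmac
import time
from collections import defaultdict


class FakeClock:
    """Deterministic stand-in for time.monotonic(), used to simulate a burst."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    """Per-account failure limiter.

    After `threshold` consecutive failures the account is locked for
    `base_delay` seconds; each further failure doubles the delay, capped at
    `max_delay`. A successful login clears the counter. Values are assumed.
    """

    def __init__(self, threshold=5, base_delay=1.0, max_delay=300.0,
                 clock=time.monotonic):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(float)

    def allowed(self, account):
        """True when the account is not currently inside a lockout window."""
        return self.clock() >= self.locked_until[account]

    def record_failure(self, account):
        """Bump the failure count and return the lockout delay applied (0 if none)."""
        self.failures[account] += 1
        over = self.failures[account] - self.threshold
        if over < 0:
            return 0.0
        delay = min(self.base_delay * (2 ** over), self.max_delay)
        self.locked_until[account] = self.clock() + delay
        return delay

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(throttle, account, password, verify):
    """Return 'locked', 'bad' or 'ok'. Locked attempts never reach the verifier,
    so a burst costs the server a dictionary lookup rather than a hash check."""
    if not throttle.allowed(account):
        return "locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad"


def make_verifier(stored):
    """Stand-in for a real credential check over a constructed account table."""
    return lambda account, password: hmac.compare_digest(
        stored.get(account, ""), password)


def simulate_burst(throttle, account, guesses, verify):
    """Fire a list of guesses at one account with no time passing between them."""
    return [attempt_login(throttle, account, g, verify) for g in guesses]


if __name__ == "__main__":
    clock = FakeClock()
    verify = make_verifier({"alice": "correct-horse"})  # constructed sample
    throttle = LoginThrottle(clock=clock.now)
    outcomes = simulate_burst(throttle, "alice", ["wrong"] * 20, verify)
    print(outcomes.count("bad"), "reached the verifier,",
          outcomes.count("locked"), "rejected by the throttle")
```

With the assumed threshold of 5, only the first five guesses of a twenty-guess burst are ever compared against the stored credential; the rest are turned away before any verification work, and the lockout window doubles with each later failure. In production the same counter is usually kept per account and per source address, and the lockout is logged so a sudden spike of locked accounts is visible as the DDoS-like condition the post describes.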
     
  14. Sylvester Registered Senior Member

    Messages:
    467
    Thanks Stryder.

    When you say "speed" do you mean an automated program will keep updating the password until it gets in or is it done manually?
     
  15. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    I mean automated speed. Manually you'd be there for a long while, considering the number of mistypes people make.
     
