How passwords *REALLY* work!

10 replies

I heard "Kim Komando" today. Sometimes she makes me SO angry!

She CLAIMED that computers are so fast today that they can crack entered passwords in less than an hour. And she claims we MUST go to biometrics! ***************WRONG****************!

1. Password cracking does NOT work like in terminator, etc.....
2. There are strategies in place to FRUSTRATE it!
3. ONE feature in UNIX that MIGHT allow the technique she mentioned existed for over a decade. The problem? It was removed about 30+ ******YEARS******* ago!

OK, FIRST, she claims a computer that could try a trillion passwords a second could crack a 1 trillion potential combo in a second. *******WRONG******* WHY?

You NEED the hash, as was present in UNIX over 30 years ago, to test the password! If you don't have that, you must REALLY TRY it! That means trying out MAYBE 1 password a second! OK, the 1 second success now could take as long as 31709 YEARS!

SECOND, many systems today allow limited attempts! At the company I was just at, they allow TWO failures! Fail three times, and NO password will work!

THIRD, there is often some other gadget! One place I was at required a special cert. The last place, if logging on remotely, had an RSA fob. That meant you had to enter ANOTHER special password and a 6 digit number that was only valid for a minute! After a minute, the number was no good anymore. At one company, I set up modems to not respond unless a special string was typed in.

SO, she WAS right IF you had the hash! If you DIDN'T have the hash (and you usually DON'T), FORGET IT!

So HOW do people break in? Well, my account HERE was "hacked" a while ago. It was a LOW security password I used elsewhere, it had been used on other systems, and this site allows you to keep trying! In the over 30 years I have used passwords, it was the FIRST one cracked! There is also sniffing, viruses, keyloggers, and trojans.

As for biometrics? They are *****FAR****** from accurate. They HAVE to be! Take fingerprints. Dirt, cuts, abrasions could interfere. Besides, fingerprints aren't taken the exact same way each time. AFIS is a "fingerprint matching system". It is INCREDIBLY fast! HOW? Let me tell you a secret! It does NOT match fingerprints! The fingerprints are broken into groups, and each is numbered. It uses THAT to find candidates. Eventually, a PERSON compares the fingerprints to see how close they are. So there is tolerance built into the system, and the result amounts to a password of maybe 10-20 low digits. Frankly, the RSA system is likely more secure.

In wikipedia...

Fingerprint matching has an enormous computational burden. Some larger AFIS vendors deploy custom hardware while others use software to attain matching speed and throughput. In general, it is desirable to have, at the least, a two stage search. The first stage will generally make use of global fingerprint characteristics while the second stage is the minutia matcher.
In any case, the search systems return results with some numerical measure of the probability of a match (a "score"). In tenprint searching, using a "search threshold" parameter to increase accuracy, there should seldom be more than a single candidate unless there are multiple records from the same candidate in the database. Many systems use a broader search in order to reduce the number of missed identifications, and these searches can return from one to ten possible matches. Latent to tenprint searching will frequently return many (often fifty or more) candidates because of limited and poor quality input data. The confirmation of system suggested candidates is usually performed by a technician in forensic systems. In recent years, though, "lights-out" or "auto-confirm" algorithms produce "identified" or "non-identified" responses without a human operator looking at the prints, provided the matching score is high enough. "Lights-out" or "auto-confirm" is often used in civil identification systems, and is increasingly used in criminal identification systems as well.
Steve
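As an added illustration of the offline-versus-online distinction in the post above (example code written for this page, not Steve's): the same short constructed dictionary is run once against a stolen salted hash, where nothing limits the guess rate, and once against a login endpoint that allows two failures and locks on the third, followed by the arithmetic behind the 31709-year figure. The wordlist, the toy SHA-256 hashing and the `LockoutLogin` class are assumptions for the demo, not any real system.

```python
import hashlib
import os

# Constructed wordlist standing in for a cracking dictionary (not from the thread).
WORDLIST = ["123456", "password", "letmein", "qwerty", "admitme", "dragon", "baseball", "trustno1"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def make_hash(password: str, salt: bytes) -> str:
    """Toy salted SHA-256 standing in for whatever the target stores (a real one would use a slow KDF)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def offline_crack(stored_hash: str, salt: bytes, wordlist):
    """Attacker HAS the hash: every guess is a local computation, nothing can slow or stop it."""
    for guesses, candidate in enumerate(wordlist, 1):
        if make_hash(candidate, salt) == stored_hash:
            return candidate, guesses
    return None, len(wordlist)


class LockoutLogin:
    """Online target: a login endpoint that allows two failures and locks on the third."""

    MAX_FAILURES = 3

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.stored = make_hash(password, self.salt)
        self.failures = 0
        self.locked = False

    def login(self, attempt: str) -> str:
        if self.locked:
            return "locked"          # even the right password is refused now
        if make_hash(attempt, self.salt) == self.stored:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return "denied"


def online_guess(target: LockoutLogin, wordlist):
    """Attacker does NOT have the hash: same dictionary, but each guess is a real login attempt."""
    for attempts, candidate in enumerate(wordlist, 1):
        result = target.login(candidate)
        if result == "ok":
            return candidate, attempts
        if result == "locked":
            return None, attempts    # the account is now closed to everyone, attacker included
    return None, len(wordlist)


def years_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Worst case to try every password in `keyspace` at the given rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def run_demo(password: str = "dragon"):
    salt = os.urandom(16)
    offline = offline_crack(make_hash(password, salt), salt, WORDLIST)
    online = online_guess(LockoutLogin(password), WORDLIST)
    return {
        "offline": offline,                       # ('dragon', 6): found on the sixth local hash
        "online": online,                         # (None, 4): locked out on the fourth attempt
        "trillion_keyspace_at_1e12_per_s": years_to_exhaust(1e12, 1e12),   # one second, in years
        "trillion_keyspace_at_1_per_s": years_to_exhaust(1e12, 1),         # about 31709 years
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The lockout is a double-edged control: once it trips, the legitimate user's correct password is refused too, which is why many sites rate-limit or back off instead of hard-locking. The salted SHA-256 is only there to keep the example short; a real password store should use a deliberately slow hash such as bcrypt, scrypt or Argon2 so that even the offline case costs the attacker real time per guess.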
  • MissTerraK
    Steve went on a rant, hehe!

    Terra
    • Joel Young
      Passwords should meet the following criteria if you want to be secure:
      • Minimum 8 alpha-numeric characters
      • Include at least two uppercase letters
      • Include at least one special character
      Example: Fd6P@^nz

      Personally, I use 16 or 24 or even 32 characters (depending on how secure I need it to be), with a corresponding ratio of mixed case, numbers and special characters. And never use the same password twice! It's a PITA but you'll never get hacked.

      Check your password strength here: http://www.passwordmeter.com/
      (I do not own the site nor do I benefit in any way from this link; it's purely informational
      for fellow Warriors. It's a link in my bookmarks, nothing more.)
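An added example (not Joel's code) of the policy above as a checker and a generator: passwords are drawn from the 94 printable ASCII characters with Python's `secrets` module and rejected until they satisfy the minimum length, two uppercase letters and one special character, and `entropy_bits` / `seconds_to_exhaust` show why he steps up to 16 characters and more. The 1e12 guesses-per-second rate is the figure from the opening post, used here only to size the comparison.

```python
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation; no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
GUESSES_PER_SECOND = 1e12   # offline rate quoted in the opening post, used only for sizing


def meets_policy(pw: str, min_len: int = 8, min_upper: int = 2, min_special: int = 1) -> bool:
    """Joel's criteria: minimum length, at least two uppercase letters, at least one special character."""
    return (len(pw) >= min_len
            and sum(c.isupper() for c in pw) >= min_upper
            and sum(c in string.punctuation for c in pw) >= min_special)


def generate(length: int) -> str:
    """Draw uniformly from ALPHABET with the OS CSPRNG and retry until the policy holds."""
    if length < 8:
        raise ValueError("policy minimum is 8 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """log2 of the keyspace; an upper bound, since the policy rejects a few combinations."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, rate: float = GUESSES_PER_SECOND,
                       alphabet_size: int = len(ALPHABET)) -> float:
    """Worst case for an attacker who holds the hash and tries every string of this length."""
    return alphabet_size ** length / rate


def compare(lengths=(8, 16, 24, 32)):
    """Bits of entropy and years to exhaust, per length, at the sizing rate."""
    year = 365 * 24 * 3600
    return {n: (round(entropy_bits(n), 1), seconds_to_exhaust(n) / year) for n in lengths}


if __name__ == "__main__":
    print("Fd6P@^nz meets policy:", meets_policy("Fd6P@^nz"))
    for n, (bits, years) in compare().items():
        print(f"{n:2d} chars  {generate(n)}  ~{bits} bits  exhaust at 1e12/s: {years:.3g} years")
```

At 1e12 guesses per second an 8-character password from this alphabet is exhausted in under two hours, which is the scenario the opening post concedes when the attacker holds the hash; 16 characters pushes that past a trillion years. The rejection loop means the policy shaves a little off the naive bit count, so treat `entropy_bits` as an upper bound.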
      • Joe Mobley
        Lastpass --> Generate secure password --> OuPiA$o54%hnF%xxnS8J

        Joe Mobley
        Follow Me on Twitter: @daVinciJoe
        • Joe Mobley
          The e-world is quickly moving to 2-step authentication.

          I predict that they will quickly move away from SMS as a verification method. But that's another discussion.

          Joe Mobley
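The one-minute six-digit fob in Steve's opening post and the 2-step authentication Joe mentions here rest on the same idea. RSA's SecurID tokens use RSA's own algorithm, but the open-standard equivalent that most 2-step apps use is HOTP/TOTP (RFC 4226 and RFC 6238). Below is an added implementation, not code from either post, with the server-side check that accepts each time step once so a sniffed code cannot be replayed; the 60-second step, the demo secret (the RFC reference key) and the `FobVerifier` class are assumptions for the example.

```python
import hmac
import struct
import time

# RFC 4226/6238 reference secret, reused here as the demo shared secret (an assumption).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from the clock, so the code rolls every `step` seconds."""
    return hotp(secret, int(at_time) // step, digits, algo)


class FobVerifier:
    """Server side of a one-minute fob: accepts codes within `skew` steps of now, each step at most once."""

    def __init__(self, secret: bytes, step: int = 60, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_counter = -1          # highest time step already spent

    def check(self, code: str, at_time=None) -> bool:
        now = time.time() if at_time is None else at_time
        counter = int(now) // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue                # already used (replay) or older than one we accepted
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


def demo():
    """Constructed clock: the fob shows a code during minute 20, the server is checked at three instants."""
    fob = FobVerifier(DEMO_SECRET, step=60, skew=0)
    code = totp(DEMO_SECRET, 1200, step=60)
    return {
        "accepted_in_window": fob.check(code, 1259),  # True: same minute
        "replayed":           fob.check(code, 1259),  # False: that step is spent
        "after_the_minute":   fob.check(code, 1260),  # False: next minute, code has rolled over
    }


if __name__ == "__main__":
    print("RFC 6238 vector T=59:", totp(DEMO_SECRET, 59, digits=8))   # 94287082
    print(demo())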
          • ThomM
            I tend to use what I consider to be simple passwords for the most part.
            For example my favorite date and year. But for that one, part of it is in roman numerals and part isn't. Also one is inside the other.

            Another is my favorite cannabis strain, but not by itself. For example It may be the first letter followed by the number of dogs I have had followed by the second letter and then my favorite special character, etc.
            I also use passwords like Joel is talking about and I'll change my passwords a couple times a year.

            Life: Nature's way of keeping meat fresh
            Getting old ain't for sissies
            As you are I was, as I am you will be
            You can't fix stupid, but you can always outsmart it.

        • Joel Young
          Originally Posted by Joe Mobley

          Lastpass --> Generate secure password --> OuPiA$o54%hnF%xxnS8J
          Lastpass is awesome. I've been using it for about 3 years now, after a decade with RoboForm.
      • senthu
        Originally Posted by Joel Young

        Passwords should meet the following criteria if you want to be secure:
        • Minimum 8 alpha-numeric characters
        • Include at least two uppercase letters
        • Include at least one special character
        Example: Fd6P@^nz

        Personally, I use 16 or 24 or even 32 characters (depending on how secure I need it to be), with a corresponding ratio of mixed case, numbers and special characters. And never use the same password twice! It's a PITA but you'll never get hacked.

        Check your password strength here: http://www.passwordmeter.com/
        (I do not own the site nor do I benefit in any way from this link; it's purely informational
        for fellow Warriors. It's a link in my bookmarks, nothing more.)
        I tend to have a lot of different passwords and it's honestly a pain to try to remember which password corresponds with which login. Never been hacked though.
  • seasoned
    Thom,

    I do much the same. One favorite today of many, though rarely me, is "leet speak". So admitme may become 4dm1tm3.

    Steve
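As an added illustration of the leet-speak substitution above (example code, not Steve's): a rule-based word mangler of the kind password crackers apply to a dictionary, which turns admitme into 4dm1tm3 along with every other substitute-or-keep combination, case toggle and common suffix, and a cracker loop that recovers such a variant from a tiny constructed wordlist. The substitution table, the suffix list and the wordlist are assumptions.

```python
import hashlib
import itertools

# Substitution table (an assumption; real rule files are far longer).
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}
SUFFIXES = ("", "1", "123", "!")

# Constructed wordlist for the demo (not from the thread).
WORDLIST = ["password", "letmein", "admitme", "welcome"]


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256, the kind of fast hash that makes this attack cheap."""
    return hashlib.sha256(s.encode()).hexdigest()


def leet_variants(word: str):
    """Yield every 'substitute or keep' combination over the substitutable letters of `word`."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    seen = set()
    for combo in itertools.product(*choices):
        cand = "".join(combo)
        if cand not in seen:
            seen.add(cand)
            yield cand


def mangle(word: str):
    """Compose rules the way a cracker's rule file does: leet, then case, then suffix."""
    out, seen = [], set()
    for base in leet_variants(word):
        for cased in (base, base.capitalize(), base.upper()):
            for suffix in SUFFIXES:
                cand = cased + suffix
                if cand not in seen:
                    seen.add(cand)
                    out.append(cand)
    return out


def crack(target_hash: str, wordlist):
    """Dictionary attack with mangling: returns (plaintext, hashes computed) or (None, hashes computed)."""
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            if sha256_hex(cand) == target_hash:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    found, tried = crack(sha256_hex("4dm1tm3"), WORDLIST)
    print(f"recovered {found!r} after {tried} hashes "
          f"({len(mangle('admitme'))} variants of 'admitme' alone)")
```

Hashcat and John the Ripper ship rule files that do exactly this, so a leet-spelled dictionary word costs an attacker a few hundred extra hashes per base word rather than a brute-force search; the rules only matter in the offline case from the opening post, where the attacker holds the hash.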
    • Claude Whitacre
      All my passwords are my first and last name. I don't have to worry about anyone cracking that code, because I never tell anyone my first and last name.

      In fact, I was just telling a friend of mine, Bob Dr...(Ooops, I almost let the cat out of the bag) that my password is my first and last name.

      Someone tried to get into my website, but I have the best password there is, my first and last name.

      But I'll never tell you what that is...my lips are sealed.
      One Call Closing book https://www.amazon.com/One-Call-Clos...=1527788418&sr

      What if they're not stars? What if they are holes poked in the top of a container so we can breath?
      • bizgrower
        Originally Posted by Claude Whitacre

        All my passwords are my first and last name. I don't have to worry about anyone cracking that code, because I never tell anyone my first and last name.

        In fact, I was just telling a friend of mine, Bob Dr...(Ooops, I almost let the cat out of the bag) that my password is my first and last name.

        Someone tried to get into my website, but I have the best password there is, my first and last name.

        But I'll never tell you what that is...my lips are sealed.
        Does anybody know who posted this?

        And, of course never use a real word in your password.

        "If you think you're the smartest person in the room, then you're probably in the wrong room."
