Equipped To Survive Equipped To Survive® Presents
The Survival Forum
Where do you want to go on ETS?

Page 6 of 10 < 1 2 ... 4 5 6 7 8 9 10 >
Topic Options
#269130 - 04/16/14 04:12 PM Re: Might be time to change your passwords [Re: Mark_R]
ireckon Offline
Pooh-Bah

Registered: 04/01/10
Posts: 1629
Loc: Northern California
That's what I'm thinking also. I don't understand how a computer can know if a password is partially correct. If that were true, a brute force attack on the following password could be cracked rather easily on the weakest of computers:

&*&*(89234897sdlkjehruipIIOPUE3R-708760340=-23-0-0978s-89234^&^234897^&^7@3

In other words, the computer would be able to know the correct first character and then move on to the next, etc. I'm almost certain it is NOT possible to crack a password this way.

By the way, again, it's always possible to criticize anything that is not "long and random". It would be helpful to propose an improvement on a password recall system if you see a notable weakness. Not everybody can have their password vault program/notebook with them at all times.
_________________________
If you're reading this, it's too late.

Top
#269133 - 04/16/14 05:54 PM Re: Might be time to change your passwords [Re: Denis]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3842
Loc: USA
Originally Posted By: Denis
My assumption was that a brute force password guessing algorithm would basically only get a boolean result; it worked or it didn't. I don't understand how it could know it was partially correct unless somehow it had access to the encrypted password, but then I would think that you'd be dealing with an entirely different type of algorithm.


It depends on the type of attack.

If the attacker has extracted a hashed password table, a brute-force attack can run every combination of letters and numbers for a single password out to twelve or more characters lightning fast. Using this (dumb) method I could typically crack 500 passwords in an hour or two on my (underpowered) laptop. Using an AWS cluster or something similar, we could get the same job done in a second or two. This was legal, by the way, because I had written authorization from my customers to do it.

Using a good dictionary, we could cut the time by a factor of roughly ten -- instead of 120 minutes, maybe 12. "Correcthorsebatterystaple" passwords would fall quickly to this method. But we'd be back to the brute-force type of attack for a strong password like those I mentioned upthread.

Using rainbow hash tables, if we got hits we'd get the whole thing done in a few seconds.

If you're not working on extracted password hashes, but rather attacking via a user interface, things get much, much slower.

Top
#269134 - 04/16/14 06:00 PM Re: Might be time to change your passwords [Re: Mark_R]
ireckon Offline
Pooh-Bah

Registered: 04/01/10
Posts: 1629
Loc: Northern California
If there is access to the hashed password table, that's a completely different ballgame. As far as I'm concerned, that falls under the umbrella of "stealing a person's password". All bets are off at that point. It really doesn't matter how long or how random your password is.
_________________________
If you're reading this, it's too late.

Top
#269135 - 04/16/14 06:04 PM Re: Might be time to change your passwords [Re: Mark_R]
Eugene Offline
Carpal Tunnel

Registered: 12/26/02
Posts: 2997
I'm oversimplifying a little to keep from wiring a whole book smile

basically a dictionary attach we take a bunch of known words, we just break the password down smaller and attach smaller words. Say a 9 character password I search my dictionary I check for combinations of smaller words such as appletree, brownpony, applepony, browntree as well a 9 character words. Then since I've used a spellchecker dictionary I have the common misspellings so we check brownpnoy, applepnoy, etc. We also added the hacker speak to our dictionary so we look for br0wnp0ny, @pplep0ny, and of course we did the search replace against our whole spell checker dictionary so we got @ppl3pn0yand br0wnpn0y as well.

Basically I am disagreeing with the statement that simply making a password from four (or most any number) words make it much more secure because it does not. Adding random letters, numbers, punctuation, etc does make it a little more secure.

Usually when I need a password I'll go find a random password generator and I'll have it generate say 10 at a time then choose one or more and merge them. That way even if someone were sniffing the traffic at that instant they don't know which of the 10 I chose.

Top
#269136 - 04/16/14 06:07 PM Re: Might be time to change your passwords [Re: Mark_R]
ireckon Offline
Pooh-Bah

Registered: 04/01/10
Posts: 1629
Loc: Northern California
Why wouldn't you use a random password generator that is disconnected from the grid?
_________________________
If you're reading this, it's too late.

Top
#269137 - 04/16/14 06:44 PM Re: Might be time to change your passwords [Re: Mark_R]
Eugene Offline
Carpal Tunnel

Registered: 12/26/02
Posts: 2997
Non admin on work computer so I can't install anything there. Passwords at home I can do that.

Top
#269142 - 04/16/14 08:17 PM Re: Might be time to change your passwords [Re: ireckon]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3842
Loc: USA
Originally Posted By: ireckon
Why wouldn't you use a random password generator that is disconnected from the grid?


I use an encrypted password database app that syncs with the desktop version of the same app on my home PC. It includes a random password generator, and I use it constantly.

Top
#269143 - 04/16/14 08:23 PM Re: Might be time to change your passwords [Re: ireckon]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3842
Loc: USA
Originally Posted By: ireckon
If there is access to the hashed password table, that's a completely different ballgame. As far as I'm concerned, that falls under the umbrella of "stealing a person's password". All bets are off at that point. It really doesn't matter how long or how random your password is.


The vast majority of password thefts come from stealing a hashed password table or compromising a workstation and either stealing passwords stored in a browser or sniffing keystrokes.

No amount of password complexity can help against any of those scenarios when faced with a determined attacker. However, most attackers aren't determined enough to crack long complex random passwords. If nothing else, such a password may give you time to find out about the breach and change your password before it's cracked.

For password attacks against user interfaces, long complex passwords are very effective.

Top
#269144 - 04/16/14 08:28 PM Re: Might be time to change your passwords [Re: Mark_R]
Denis Offline
Addict

Registered: 01/09/09
Posts: 631
Loc: Calgary, AB
Here's an interesting article that cleared some things up for me: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

Based on the little reading I've done so far, it seems like the biggest risk is having the hashed passwords stolen from a compromised website which then allows the crackers to decrypt the passwords at their leisure.
_________________________
Victory awaits him who has everything in order — luck, people call it. Defeat is certain for him who has neglected to take the necessary precautions in time; this is called bad luck. Roald Amundsen

Top
#269164 - 04/17/14 12:06 PM Re: Might be time to change your passwords [Re: Mark_R]
Eugene Offline
Carpal Tunnel

Registered: 12/26/02
Posts: 2997
The real test is to download and learn to use the password cracking tools. Then see how long it takes to crack the password your using.
Just be careful searching for those tools, don't use an unsecure browser like IE unless your doing it in a sandboxed VM as those sites also like to test your browser security smile

Top
Page 6 of 10 < 1 2 ... 4 5 6 7 8 9 10 >



Moderator:  Alan_Romania, Blast, chaosmagnet, cliff 
November
Su M Tu W Th F Sa
1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
Who's Online
1 registered (NAro), 687 Guests and 34 Spiders online.
Key: Admin, Global Mod, Mod
Newest Members
Aaron_Guinn, israfaceVity, Explorer9, GallenR, Jeebo
5370 Registered Users
Newest Posts
Leather Work Gloves
by KenK
11/24/24 06:43 PM
Satellite texting via iPhone, 911 via Pixel
by Ren
11/05/24 03:30 PM
Emergency Toilets for Obese People
by adam2
11/04/24 06:59 PM
For your Halloween enjoyment
by brandtb
10/31/24 01:29 PM
Chronic Wasting Disease, How are people dealing?
by clearwater
10/30/24 05:41 PM
Things I Have Learned About Generators
by roberttheiii
10/29/24 07:32 PM
Newest Images
Tiny knife / wrench
Handmade knives
2"x2" Glass Signal Mirror, Retroreflective Mesh
Trade School Tool Kit
My Pocket Kit
Glossary
Test

WARNING & DISCLAIMER: SELECT AND USE OUTDOORS AND SURVIVAL EQUIPMENT, SUPPLIES AND TECHNIQUES AT YOUR OWN RISK. Information posted on this forum is not reviewed for accuracy and may not be reliable, use at your own risk. Please review the full WARNING & DISCLAIMER about information on this site.