#269167 - 04/17/14 02:34 PM
Re: Might be time to change your passwords [Re: chaosmagnet]
Pooh-Bah
Registered: 09/15/05
Posts: 2485
Loc: California
> Using rainbow hash tables, if we got hits we'd get the whole thing done in a few seconds. Scary numbers.

Are we talking cracking a salted password hash table, Chaos? If you're saying you can pre-compute a rainbow hash table for a single salted password like "Correcthorsebatterystaple" and get a hit in a few seconds, that kind of speed would blow me away. And would make me think about taking out all of my money from the bank and burying it in a hole in the woods!

On a related tangent, if someone has access to the password hash table on some server, the user is already in deep trouble. Which is why you shouldn't make the bad guys' lives easier by reusing passwords (or usernames) for important websites/accounts. That is, a bad guy has already compromised the server for system A if they can grab the password hash table. Don't make it easier for them to get into your account on system B by using the same username/password from system A on system B. And also why having the ability to use unique email addresses for each website is worthwhile to me. Many websites use an email address as the user account value. If a hacker can obtain the username, email address and password for me from system A, that info will not match on system B, C, D, etc.

For example, I've been a longtime Yahoo email user. The paid version allows you to create unique passwords in the form of rootword + whatever @yahoo.com. That way, you can use a unique password for each account and make life tougher for the bad guys if the email address is the username for an account. If they can't just reuse your online poker username/password at the login screen for your bank account, then they'd have to try some other method--actually hacking into the bank's server, using a "spear phishing" attack against you, keystroke logger, etc. Except for the spear phishing attack, that's a lot more work to get at your paltry bank account balance and probably isn't going to happen.

Then again, my money might already be in that hole in the woods by then! Equally useful is that this email feature lets you more easily cut off spammers by deactivating certain email addresses without having to totally throw away an email account and go through the trouble of changing the email address for all of your accounts. Although, I have to admit that spam filters work remarkably well nowadays, so I haven't had to deactivate an email address in quite a long time.
#269168 - 04/17/14 02:55 PM
Re: Might be time to change your passwords [Re: ireckon]
Pooh-Bah
Registered: 09/15/05
Posts: 2485
Loc: California
I don't understand how a computer can know if a password is partially correct. The way that passwords are typically stored, there's no such thing as a partially correct value. Passwords are never (should never be) stored as-is. You run them through an algorithm (a one-way cryptographic hash) which spits out a long gobbledygook string, which looks like c11083b4b0a7743af. This string is what is actually stored, not your password. When a bad guy is trying to crack passwords, they also have to hash their guesses and then compare that result to the result in the password table. When they match, they know they have guessed the password.

There are two main characteristics of one-way hashes that are useful in this case. "One-way" means that you can't start with c11083b4b0a7743af and back-calculate what the password is. That's why it is safe to store the hashed value rather than the plain text password. The other important feature--and this answers your question--is that even the smallest difference between two passwords should result in very different hashes, so even a password off by the last letter will have a totally different hashed value. Therefore, it's not possible to know if you have a partially correct password guess. You either know the whole password or you have no clue how close you are.
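The two posts above describe salted one-way password storage and the "off by one letter gives a totally different hash" property. The following Python is an added example written for this thread, not code from any of the posters: it stores a password as a salted, iterated PBKDF2-HMAC-SHA256 record, verifies a login attempt with a constant-time comparison, and measures how many output bits of SHA-256 change when the input differs in a single character. The record format, the 16-byte salt and the 600,000-iteration work factor are my assumptions, not anything stated in the thread.

```python
# Added example (not code from this thread): how a service stores a password
# as a salted, iterated one-way hash, how it verifies a login attempt, and why
# a hash tells an attacker nothing about "how close" a guess is.
# Standard library only. Work factor and record format are assumptions.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune per deployment


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A random 16-byte salt per user means a precomputed rainbow table is useless:
    the attacker would need a separate table for every salt value.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare it in constant time.

    The only thing a verifier (or an attacker running the same loop) learns is
    True or False; there is no notion of a partially correct password.
    """
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_fraction(base: str, variant: str) -> float:
    """Fraction of SHA-256 output bits that change between two inputs.

    For a sound hash this is close to 0.5 even when the inputs differ in one
    character, which is why a near-miss guess looks no better than a random one.
    """
    da = hashlib.sha256(base.encode("utf-8")).digest()
    db = hashlib.sha256(variant.encode("utf-8")).digest()
    return differing_bits(da, db) / (len(da) * 8)


def salts_differ(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users with the same password still get different stored records."""
    first = hash_password(password, iterations=iterations)
    second = hash_password(password, iterations=iterations)
    return first != second


if __name__ == "__main__":
    record = hash_password("Correcthorsebatterystaple")
    print("stored record  :", record)
    print("correct guess  :", verify_password("Correcthorsebatterystaple", record))
    print("off by a letter:", verify_password("Correcthorsebatterystaplf", record))
    frac = avalanche_fraction("Correcthorsebatterystaple", "Correcthorsebatterystaplf")
    print(f"fraction of SHA-256 bits changed by a one-letter difference: {frac:.2f}")
```

Running the block prints a record whose salt changes every time, `True` for the right password, `False` for the one-letter variant, and a changed-bit fraction near 0.5. The iteration count is what makes each guess expensive for a cracker; the salt is what stops precomputation from amortising that cost across many accounts.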
#269171 - 04/17/14 04:01 PM
Re: Might be time to change your passwords [Re: Arney]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3867
Loc: USA
> Using rainbow hash tables, if we got hits we'd get the whole thing done in a few seconds. Scary numbers.
> Are we talking cracking a salted password hash table, Chaos? If you're saying you can pre-compute a rainbow hash table for a single salted password like "Correcthorsebatterystaple" and get a hit in a few seconds, that kind of speed would blow me away. And would make me think about taking out all of my money from the bank and burying it in a hole in the woods!

Yes. Burying money in a hole in the woods is probably not as safe as keeping it in an insured bank or credit union, though.

> On a related tangent, if someone has access to the password hash table on some server, the user is already in deep trouble. Which is why you shouldn't make the bad guys' lives easier by reusing passwords (or usernames) for important websites/accounts. That is, a bad guy has already compromised the server for system A if they can grab the password hash table. Don't make it easier for them to get into your account on system B by using the same username/password from system A on system B.
> And also why having the ability to use unique email addresses for each website is worthwhile to me.

Exactly.

> If they can't just reuse your online poker username/password at the login screen for your bank account, then they'd have to try some other method--actually hacking into the bank's server, using a "spear phishing" attack against you, keystroke logger, etc. Except for the spear phishing attack, that's a lot more work to get at your paltry bank account balance and probably isn't going to happen. Then again, my money might already be in that hole in the woods by then!

The most common ways an attacker can steal money from your account go like this:
- Using a card and keypad skimmer (or card skimmer and camera) to get your card details and create a forged card to extract money from your account(s)
- Extracting payment card details from a retailer you do business with, either where the data is stored or while it's in motion
- Compromising the credentials you use for online banking and creating fraudulent transactions

Addressing these threats, here is what I do and what I recommend:
- Do not use or possess a debit card. When a debit card is compromised, the money is gone and under the law you are guilty until proven innocent. When my financial institution insisted on replacing my ATM card with a debit card, I insisted in turn that they completely disable the debit function. If you absolutely must use a debit card, keep a separate account for it and only keep money in it that you don't need to pay your mortgage and other bills. But you're better off without one altogether.
- Use an ATM that's less likely to have been compromised, such as one at a branch of your financial institution.
- If you're paying with some means other than cash, you really don't have any control over whether the retailer will adequately protect your payment data. So use a credit card. You're protected by law with a maximum liability of $50 (most cards have written policies of $0 liability), and the stolen money isn't removed from your account, keeping your bills from getting paid.
- Use good antivirus software, keep your operating system and browser updated, and don't surf anywhere that might be a bad "neighborhood" on the Internet. Stronger security might be had from "walled garden" operating systems like iOS on the iPad, and there's a good argument that Macs and Linux are more secure than Windows.
- Consider using a dedicated workstation that does four things: OS updates, browser updates, antivirus updates, and online banking. I don't do that, but I'm also very cautious about where I surf.
- Delete all spam unread, never click on a link in spam email, never open an unexpected email attachment.

> When a bad guy is trying to crack passwords, they also have to hash their guesses and then compare that result to the result in the password table. When they match, they know they have guessed the password.

That's true...but unfortunately incomplete. Hashing algorithms are imperfect, and every one of them has "hash collisions." This is what happens when two inputs into the hash algorithm result in the same hash. Which means that there may be more than one password that can open your account.
#269175 - 04/17/14 05:15 PM
Re: Might be time to change your passwords [Re: chaosmagnet]
Addict
Registered: 01/09/09
Posts: 631
Loc: Calgary, AB
I don't know about the debit card thing, at least from a Canadian perspective. The debit card is pretty much the de facto method of payment up here (over 10 years ago debit outpaced cash for purchases). However, there have been several changes over the years to improve security, both from a technology perspective (chip cards) and a process perspective (we usually insert/swipe our own cards). However, we also have some protection against fraud, similar to credit cards. Here's some good info: Debit Card Fraud

It's also way nicer to spend the money you actually have.
_________________________
Victory awaits him who has everything in order — luck, people call it. Defeat is certain for him who has neglected to take the necessary precautions in time; this is called bad luck. Roald Amundsen
#269177 - 04/17/14 05:27 PM
Re: Might be time to change your passwords [Re: chaosmagnet]
Old Hand
Registered: 08/18/07
Posts: 831
Loc: Anne Arundel County, Maryland
> Addressing these threats, here is what I do and what I recommend:
> - Do not use or possess a debit card. When a debit card is compromised, the money is gone and under the law you are guilty until proven innocent. When my financial institution insisted on replacing my ATM card with a debit card, I insisted in turn that they completely disable the debit function. If you absolutely must use a debit card, keep a separate account for it and only keep money in it that you don't need to pay your mortgage and other bills. But you're better off without one altogether.
> - Use an ATM that's less likely to have been compromised, such as one at a branch of your financial institution.

A big +1 on the do not use or have a debit card. Chaosmagnet suggests that if you do, have a separate account for it. BUT be careful that the bank does not have the right to tap into other accounts if the debit card is overdrawn: I think most banks now are required to offer the option to not overdraw the debit card account, but, as I understand it, you must opt into this option. We do not even have a debit card because of the added risks and liability mentioned. Our solution is a credit card, which is paid off monthly.

Also, ATM machines at bank branches are not more secure. 1) Due to their heavy use, they are a prime target. 2) They get lots of traffic when the bank is closed (and no one is there to keep an eye on the machine). This happened at my bank branch, and it hit a lot of people. There was some theorizing that the skimmer was being installed after the branch closed, and de-installed before it opened. Thus, the branch employees never noticed anything different about the machine.
_________________________
"Better is the enemy of good enough."
#269181 - 04/17/14 06:55 PM
Re: Might be time to change your passwords [Re: chaosmagnet]
Pooh-Bah
Registered: 09/15/05
Posts: 2485
Loc: California
> Hashing algorithms are imperfect, and every one of them have "hash collisions."

It would not be good if these clients of yours are still using MD5 for their passwords since it has well known collision problems. I thought more recent hash functions like the SHA-2 class of hash functions basically eliminated collisions.
#269183 - 04/17/14 07:01 PM
Re: Might be time to change your passwords [Re: Mark_R]
Pooh-Bah
Registered: 04/01/10
Posts: 1629
Loc: Northern California
I generally agree with what Chaosmagnet said about bank card practices.

I've had fraud on my credit card a few times. It's a non-stressful thing because 24 hours does not pass before I check my bank accounts and credit cards at least once. The bank immediately reversed the charges and started an investigation. Had the fraud been on my ATM/debit card, I would have been stressed.

I don't use my debit card for anything but the ATM. You guys have reminded me about fraud that occurs on a debit card, and I will see if I can get that feature removed. By the way, I have never come across a vendor who accepts debit cards but does not accept credit cards. So, I use a credit card everywhere I can. Further, I can't recall ever using a debit card for anything my whole life.

Another good thing about using a credit card is that if you time your payments properly, your credit score will keep rising. My lowest credit score is over 800, and I think it's due to how I use credit cards: I let the card show a balance on the statement date, and then I pay it off.
_________________________
If you're reading this, it's too late.
#269187 - 04/17/14 07:33 PM
Re: Might be time to change your passwords [Re: bws48]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3867
Loc: USA
> Also, ATM machines at bank branches are not more secure. 1.) due to their heavy use, they are a prime target. 2) They get lots of traffic when the bank is closed (and no one is there to keep an eye on the machine). This happened at my bank branch, and it hit a lot of people. There was some theorizing that the skimmer was being installed after the branch closed, and de-installed before it opened. Thus, the branch employees never noticed anything different about the machine.

Most of the skimmer attacks I've read about involved off-site ATMs. As you say, that doesn't mean that branch ATMs are necessarily secure.
#269189 - 04/17/14 07:34 PM
Re: Might be time to change your passwords [Re: Arney]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3867
Loc: USA
> It would not be good if these clients of yours are still using MD5 for their passwords since it has well known collision problems. I thought more recent hash functions like the SHA-2 class of hash functions basically eliminated collisions.

Fewer, not eliminated.
#269195 - 04/17/14 10:02 PM
Re: Might be time to change your passwords [Re: Mark_R]
Addict
Registered: 01/09/09
Posts: 631
Loc: Calgary, AB
Okay, when talking about password length/complexity requirements here, the focus seems to be website accounts, as these appear to be the most likely source of compromise. Am I correct in assuming that the same level of length/complexity would not be required for things like Windows/Active Directory accounts, as they are (I'm guessing here) not likely to be open to this type of compromise? What about things like Wi-Fi passwords?
_________________________
Victory awaits him who has everything in order — luck, people call it. Defeat is certain for him who has neglected to take the necessary precautions in time; this is called bad luck. Roald Amundsen