Originally Posted By: Arney
Originally Posted By: chaosmagnet
Using rainbow hash tables, if we got hits we'd get the whole thing done in a few seconds.

Scary numbers. Are we talking cracking a salted password hash table, Chaos? If you're saying you can pre-compute a rainbow hash table for a single salted password like "Correcthorsebatterystaple" and get a hit in a few seconds, that kind of speed would blow me away. And would make me think about taking out all of my money from the bank and burying it in a hole in the woods!


Yes.

Burying money in a hole in the woods is probably not as safe as keeping it in an insured bank or credit union, though.

Quote:
On a related tangent, if someone has access to the password hash table on some server, the user is already in deep trouble. Which is why you shouldn't make the bad guys' lives easier by reusing passwords (or usernames) for important websites/accounts. That is, a bad guy has already compromised the server for system A if they can grab the password hash table. Don't make it easier for them to get into your account on system B by using the same username/password from system A on system B.

And also why having the ability to use unique email addresses for each website is worthwhile to me.


Exactly.

Quote:
If they can't just reuse your online poker username/password at the login screen for your bank account, then they'd have to try some other method--actually hacking into the bank's server, using a "spear phishing" attack against you, keystroke logger, etc. Except for the spear phishing attack, that's a lot more work to get at your paltry bank account balance and probably isn't going to happen. Then again, my money might already be in that hole in the woods by then!


The most common ways an attacker can steal money from your account go like this:

  • Using a card and keypad skimmer (or card skimmer and camera) to get your card details and create a forged card to extract money from your account(s)
  • Extracting payment card details from a retailer you do business with, either where the data is stored or while it's in motion
  • Compromising the credentials you use for online banking and creating fraudulent transactions


Addressing these threats, here is what I do and what I recommend:
  • Do not use or possess a debit card. When a debit card is compromised, the money is gone and under the law you are guilty until proven innocent. When my financial institution insisted on replacing my ATM card with a debit card, I insisted in turn that they completely disable the debit function. If you absolutely must use a debit card, keep a separate account for it and only keep money in it that you don't need to pay your mortgage and other bills. But you're better off without one altogether.
  • Use an ATM that's less likely to have been compromised, such as one at a branch of your financial institution.
  • If you're paying with some means other than cash, you really don't have any control over whether the retailer will adequately protect your payment data. So use a credit card. You're protected by law with a maximum liability of $50 (most cards have written policies of $0 liability), and the stolen money isn't removed from your account, so your bills still get paid.
  • Use good antivirus software, keep your operating system and browser updated, and don't surf anywhere that might be a bad "neighborhood" on the Internet. Stronger security might be had from "walled garden" operating systems like iOS on the iPad, and there's a good argument that Macs and Linux are more secure than Windows.
  • Consider using a dedicated workstation that does four things: OS updates, browser updates, antivirus updates, and online banking. I don't do that, but I'm also very cautious about where I surf.
  • Delete all spam unread, never click on a link in spam email, never open an unexpected email attachment.


Quote:
When a bad guy is trying to crack passwords, they also have to hash their guesses and then compare that result to the result in the password table. When they match, they know they have guessed the password.


That's true...but unfortunately incomplete. Hashing algorithms are imperfect, and every one of them has "hash collisions." This is what happens when two inputs into the hash algorithm result in the same hash. Which means that there may be more than one password that can open your account.
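The guess-hash-compare loop described in the quoted passage, and the reason the precomputed (rainbow-table style) attack from the top of the thread only pays off against unsalted tables, as an added example that is not part of the original post. Everything in it is constructed for illustration: the three users, their passwords, the five-word "dictionary", and the use of SHA-256 for the unsalted table and PBKDF2-HMAC-SHA256 for the salted one are all assumptions, not a description of any real site's storage. The precomputed dictionary is a plain hash-to-plaintext map rather than a true rainbow table, which trades storage for recomputation, but it fails against salting for the same reason.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's dictionary (assumption).
WORDLIST = ["password", "letmein", "Correcthorsebatterystaple", "hunter2", "qwerty123"]

# Constructed "leaked password table": three users, two of whom reused a password (assumption).
USERS = {"alice": "Correcthorsebatterystaple", "bob": "hunter2", "carol": "Correcthorsebatterystaple"}

# Deliberately low so the example runs in a second; real deployments use far more iterations.
PBKDF2_ITERATIONS = 50_000


def unsalted_hash(password: str) -> str:
    """Single fast hash, no salt: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt plus a slow KDF: each guess has to be recomputed for every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def build_unsalted_table(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_table(users: dict) -> dict:
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)              # random per-user salt stored beside the hash
        table[user] = (salt, salted_hash(pw, salt))
    return table


def precompute_lookup(wordlist: list) -> dict:
    """Built once, offline, and reused against every unsalted leak the attacker obtains."""
    return {unsalted_hash(word): word for word in wordlist}


def shared_hashes(table: dict) -> list:
    """Unsalted tables leak password reuse before any cracking: equal hashes mean equal passwords."""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return sorted(users for users in groups.values() if len(users) > 1)


def crack_unsalted(table: dict, lookup: dict) -> dict:
    """One dictionary lookup per user; no hashing happens at crack time."""
    return {user: lookup[digest] for user, digest in table.items() if digest in lookup}


def crack_salted(table: dict, wordlist: list) -> tuple:
    """The guess-hash-compare loop from the thread. Returns (cracked, number_of_hashes_computed)."""
    cracked, work = {}, 0
    for user, (salt, digest) in table.items():
        for guess in wordlist:
            work += 1
            # Constant-time compare, as a real verifier would use.
            if hmac.compare_digest(salted_hash(guess, salt), digest):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = build_unsalted_table(USERS)
    print("unsalted: users sharing a hash:", shared_hashes(unsalted))
    print("unsalted: cracked by precomputed lookup:", crack_unsalted(unsalted, precompute_lookup(WORDLIST)))

    salted = build_salted_table(USERS)
    print("salted: alice and carol share a password but not a hash:",
          salted["alice"][1] != salted["carol"][1])
    cracked, work = crack_salted(salted, WORDLIST)
    print(f"salted: cracked {cracked} after {work} fresh KDF computations")
```

The salted run still succeeds here because the passwords are in the tiny wordlist; what changes is the cost model. Against the unsalted table the attacker's hashing was done once, before the breach, and reused. Against the salted table every guess for every user is a fresh KDF call, so the work grows with the number of users times the size of the dictionary, and nothing can be precomputed in advance.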