(and e-Harmony is apparently even worse, somehow! (http://www.slate.com/articles/technology/technology/2012/06/linkedin_eharmony_password_leak_what_russian_hackers_do_with_your_personal_information_.html))
Quote
...For hackers around the world, the huge trove of new leaked passwords is an opportunity to update their "rainbow tables" -- vast databases that serve as a digital key for cracking encrypted passwords, called "hashes." The most-secure websites use an extra layer of password encryption, called "salting," so that two users with the same password -- say, "123456" -- will have different hashes. But LinkedIn didn't do that, so the same key will unlock the accounts of every user who has that password, not only on LinkedIn but on any other site that uses the same hashing algorithm. (eHarmony apparently used an even weaker algorithm, also sans salt.)
:doh: hashing without salting = might as well be stored as plaintext :sigh:
a different Slate article responds with The old, still very good way to fix your terrible passwords (http://www.slate.com/articles/technology/technology/2012/06/linkedin_hacked_fix_your_terrible_insecure_passwords_in_one_minute_with_this_foolproof_technique_.html)
Quote
Come up with a short phrase you're likely to remember. Just like in school, it helps to make your mnemonic really bizarre -- the stranger the phrase, the easier it'll be to remember. For example, Kim Kardashian is the most amazing woman in all 50 states, or Mitt Romney and Barack Obama decided to make 10 waffles. Notice that my phrases use a mix of capitalized and lowercase words, and I added some numbers as well.
To make a password, just take the first letter of each word in your phrase. The sentences above would turn into KKitmawia50s and MRaBOdtm10w. Both of those passwords are extremely strong -- they're long, and they're free of common English words that can be guessed by a computer.
(http://tangphillip.com/wordpress/wp-content/uploads/2011/02/easy.png)
(or even easier -- use the actual phrase as your password ... presuming the site is not stupid enough to restrict the LENGTH of the password (http://stackoverflow.com/questions/98768/should-i-impose-a-maximum-length-on-passwords) or disallow spaces, or require you to include "at least one" of UpperCase Letter, Number, Symbol, etc...) (or maybe not so much easier, when it comes to tablets and mobile devices with onscreen keyboards click click click DAMMIT!)
easiest idea ever?
Quote from: Comments@SlateArticle
PsyberZombie
More & more sites are requiring mandatory characters i.e. "Your password must be at least 8 characters and contain at least 1 cap, 1 lower case letter, 1 special character, and 1 number"
So here's my system: first, create a 4 character base that meets these requirements, like "Xx&7". Then use the first and last 2 letters of the site at the beginning and end of that base. Your password for, say, amazon.com would be: amXx&7on .... this is easy to remember and creates a unique password for each site.
Clarification: someone just asked me, how is that "easy to remember?"
Answer: you use THE SAME BASE for every password.... for google it's goXx&7le ; for slate it's slXx&7te , etc ....
Yer Welcome .....
Yup, had a good old laugh about this in the office, which made me look at how our security is handled...
One of the things I like about where I work is we do security reviews every two weeks as part of our sprint.
goddammit it's so easy to @% up security. This is why I'll never claim to be a security expert. However, even as a security non-expert I _know_ you salt and hash that @%!
Way back when I was still developing, I knew to at least hash, when unfortunately it was common for plain text passwords to be stored.
Near the end of my development career I had already learned that hashing was not enough and salting was supposed to be done.
That was 7-10 years ago! At least they used SHA-1 instead of MD5; however, as we know now, SHA-1 already has weaknesses, and rainbow tables are not hard to find or make for it. Even with a currently secure hash, salting is necessary.
All of the above. Plus a reminder that the BEST salting is to make the salt different for each record, i.e. make it get generated randomly (truly randomly!) based in part on the source string as well as something unique to the particular system... so if someone gets "inside" the system and tries a few common strings and looks at the resulting hashed+salted string, they can't then look for that result in another record.
Heck, the ideal (and easy enough to code, just add something to the source string!) is to make your salt also include something related to a time[r] as well, so that way an internal hacker would get different results with the same source string.
"If you want to find out if your password was one of the 6.5 million leaked passwords, enter it below."
http://leakedin.org
^ 'splained here: http://shiflett.org/blog/2012/jun/leakedin
found via http://java.dzone.com/articles/i%E2%80%99d-share-my-linkedin-password
...and from the above tool I found out about "Bcrypt" (http://en.wikipedia.org/wiki/Bcrypt), a Java implementation and differently-worded explanation here: http://www.mindrot.org/projects/jBCrypt/
btw in case you care, LinkedIn blog sez "nothing to fear, we were already moving towards a better system before the leak..."
http://blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/
Quote
3. What is LinkedIn doing to protect its members?
We have built a world-class security team here at LinkedIn including experts such as Ganesh Krishnan, formerly vice president and chief information security officer at Yahoo!, who joined us in 2010. This team reports directly to LinkedIn's senior vice president of operations, David Henke.
Under this team's leadership, one of our major initiatives was the transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry. That transition was completed prior to news of the password theft breaking on Wednesday. We continue to execute on our security roadmap, and we'll be releasing additional enhancements to better protect our members.
Well of course they were already fixing their security! I mean, why would they ever admit to _not_ already being active on improving their security? Admitting that would be a huge blunder.
Pretty @%ty that they're advertising that a world-class former chief information officer joined them in 2010 and in 2012 they're announcing that although the leaked passwords were only hashed, they're now salting and hashing. Yeah, sure, that work was completed before the leak was announced, but I'm guessing it wasn't completed before the leak happened. So only two years to add a second step in password storage. Yep, the CIO they're pimping there, he really took the bull by the horns and improved the security landscape at LinkedIn from day one. Or, you know, not.
Odd..
Well at least it doesn't think my password was leaked.
But today someone posted some porn to my facebook feed? Did anyone see that? A relative of mine did and complained. I've since changed my password, but who knows. facebook's security is probably a joke.
Quote from: Tom on June 14, 2012, 06:45:42 PM
Odd..
Well at least it doesn't think my password was leaked.
But today someone posted some porn to my facebook feed? Did anyone see that? A relative of mine did and complained. I've since changed my password, but who knows. facebook's security is probably a joke.
Hmm did it get removed or did you see it? Was it posted by an app or did it appear to have been posted by you directly?
Quote from: Lazybones on June 14, 2012, 07:35:35 PM
Quote from: Tom on June 14, 2012, 06:45:42 PM
Odd..
Well at least it doesn't think my password was leaked.
But today someone posted some porn to my facebook feed? Did anyone see that? A relative of mine did and complained. I've since changed my password, but who knows. facebook's security is probably a joke.
Hmm did it get removed or did you see it? Was it posted by an app or did it appear to have been posted by you directly?
I have no idea. My aunt says it was from me, but she's not the most computer literate. All I know is apparently something appeared with my name attached, and that its gone now.
That's scary...
Quote from: Mr. Analog on June 14, 2012, 10:24:03 PM
That's scary...
You ain't kidding. It isn't every day that an aunt messages you saying you posted something lewd.
It could be the other way around, maybe she installed a facebook app that is putting junk in her feed?
It could be. That would suck.
best secure password ever?
"17346721476C3278977763T732V731?171888732476789764376"
http://www.youtube.com/watch?v=rAUVUUhf7U0 (ST:TNG)
...then again, only alpha and numeric? no symbols? :shock: I guess the length is helpful though...
http://howsecureismypassword.net/
Quote
It would take a desktop PC about
666 novemvigintillion years
to crack your password
Length: 52 characters
Character Combinations: 130
Calculations Per Second: 4 billion
Possible Combinations: 84 quinquatrigintillion
on-topic with the whole passwords/hashing/SALT discussion...
http://www.adayinthelifeof.nl/2011/02/02/password-hashing-and-salting/
found via http://www.codinghorror.com/blog/2012/04/speed-hashing.html
cliffs: use 12 characters or more (even if all lowercase, that puppy is gonna be tough to brute-force crack -- but hope and pray the app's developer salted the damn thing, obv.)
As well as salting, look into scrypt, bcrypt or PBKDF2 (in that order). (though I think these algorithms tend to include salting built in)
oh and make sure to use a cryptographically secure random number generator to seed the hash algo.
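Added example (editor's; not code from any post in this thread or from LinkedIn): the difference between what the leaked LinkedIn records looked like (one unsalted SHA-1 per password, so identical passwords collide and a precomputed table cracks them with one lookup) and per-record random salt with a slow KDF, here scrypt from Python's hashlib, as the posts above recommend. The scrypt parameters, the record format and the tiny "precomputed table" are assumptions constructed for the demo. Note that the salt is stored in the clear beside the hash; it does not need to be secret, only unpredictable and unique per record, which 16 bytes from the OS CSPRNG already gives you.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt work factor for an interactive login; memory use is
# 128 * N * r bytes (16 MiB here). Raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16   # 128-bit salt from the OS CSPRNG (os.urandom)
DK_LEN = 32


def unsalted_sha1(password: str) -> str:
    """A LinkedIn-2012-style record: a single SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a precomputed (rainbow/lookup) table of common
# passwords. Real tables hold billions of entries; the principle is the same.
PRECOMPUTED_SHA1 = {unsalted_sha1(p): p
                    for p in ("123456", "password", "linkedin", "qwerty")}


def crack_unsalted(leaked_hex: str) -> Optional[str]:
    """One dictionary lookup recovers every account that used a common password."""
    return PRECOMPUTED_SHA1.get(leaked_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt hex>$<hash hex>.

    A fresh random salt per record means two users with the same password get
    different records, and a table built for one record is useless for another.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(record: str,
                 guesses=("123456", "password", "linkedin", "qwerty")) -> Optional[str]:
    """With a salt there is no table to look up: the attacker must run the KDF
    once per guess, per record. Weak passwords still fall, just far more slowly."""
    for g in guesses:
        if verify_password(g, record):
            return g
    return None


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same weak password.
    users = {"alice": "123456", "bob": "123456"}
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    print("unsalted records identical:", unsalted["alice"] == unsalted["bob"])
    print("salted records identical:  ", salted["alice"] == salted["bob"])
    for u in users:
        print(u, "cracked by table lookup:", crack_unsalted(unsalted[u]))
    print("alice verifies with salted record:", verify_password("123456", salted["alice"]))
```

bcrypt and PBKDF2 follow exactly the same storage pattern (salt and cost stored with the hash, verification recomputes and compares in constant time); the parameters in the record are what let you raise the work factor later and re-hash users on their next successful login.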
sorta-on-topic:
here's an idea, remember a single "master password", and have an easy-to-access webpage that generates SHA for each of the most common websites, thus anywhere-anytime reminding you of your password (after entering which you will click 'remember me', I am sure)
http://ss64.com/passwords/
http://ss64.com/pass/
cliffs: kinda like http://keepass.info/ (as suggested here (http://preshing.com/20110811/xkcd-password-generator) or similar), but it's a simple PUBLIC WEBPAGE that you can access from anywhere, anytime.
definitely-on-topic:
HALL OF SHAME for password restrictions* (length, types of characters) ZOMG!
https://defuse.ca/password-policy-hall-of-shame.htm
* -- and touched upon in another password-related thread:
Quote from: Lazybones on August 12, 2011, 04:06:13 PM
Doesn't do you any good on sites that have 9 character limits on the password field or do automatic truncation..
What site would do such a bad thing? ONE OF MY BANKING SITES! Not my primary bank but another one I have an account with.
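Added example (editor's; not the ss64 page's code, whose exact scheme is not reproduced here): a deterministic "master password + site name" generator of the kind described above, using PBKDF2-HMAC-SHA256 with a high iteration count instead of a single hash, so that a per-site password leaked from one site is expensive to turn back into the master. It adds a counter for rotating one site's password without changing the master, and a policy walker for the "one upper, one lower, one digit, one symbol" rule quoted earlier. Iteration count, alphabet and the site-normalisation rules are assumptions. The caveats in the replies below still apply: whoever learns the master (or reads the browser's saved passwords) gets every site, and a site that truncates input should be given `length=` its limit rather than be allowed to cut the output silently.

```python
import hashlib
import string

# Assumed iteration count; raise it as hardware allows.
ITERATIONS = 200_000
# Exactly 64 symbols, so mapping a byte with `% 64` introduces no modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
SYMBOLS = "-_"


def normalize_site(site: str) -> str:
    """Same site, same spelling: lowercase, drop scheme, path and a leading 'www.'."""
    site = site.strip().lower()
    for prefix in ("https://", "http://"):
        if site.startswith(prefix):
            site = site[len(prefix):]
    site = site.split("/", 1)[0]
    if site.startswith("www."):
        site = site[4:]
    return site


def site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive a per-site password. The salt binds the derivation to site+counter,
    so the same master yields unrelated outputs for different sites and the
    counter lets you rotate one site's password."""
    salt = f"{normalize_site(site)}|{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=length)
    return "".join(ALPHABET[b % 64] for b in raw)


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """The 'at least 8 chars, 1 upper, 1 lower, 1 digit, 1 symbol' rule."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def site_password_for_policy(master: str, site: str, length: int = 20,
                             max_tries: int = 32):
    """Walk the counter until the derived password satisfies the policy.
    Still deterministic: the same inputs always stop at the same counter."""
    for counter in range(1, max_tries + 1):
        pw = site_password(master, site, counter, length)
        if meets_policy(pw):
            return pw, counter
    raise ValueError("no policy-compliant password within max_tries")


if __name__ == "__main__":
    # Constructed demo master; never reuse a real one in a script.
    master = "Mitt Romney and Barack Obama decided to make 10 waffles"
    for site in ("amazon.com", "https://www.Amazon.com/gp", "google.com"):
        print(f"{site:30} -> {site_password(master, site)}")
    pw, counter = site_password_for_policy(master, "slate.com")
    print(f"slate.com (policy-compliant, counter={counter}) -> {pw}")
    # A site with a 9-character limit: derive 9 characters rather than let it truncate.
    print("bank with 9-char limit ->", site_password(master, "bank.example", length=9))
```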
The trouble with services like this is you don't know if they have some kind of "magic number" backdoor that could be used to find your (or anyone else's) key.
(sorry, an article I read this morning (http://it.slashdot.org/story/13/09/11/1224252/are-the-nist-standard-elliptic-curves-back-doored) got the brain juices flowing about public cryptography)
What I just linked to, it's not a service, it's just a simple JS/html webpage; you can save a copy locally and never use the original ... and check the code yourself to ensure no 'phone home' tomfoolery...
It's of course still as 'vulnerable' as the hash algorithms themselves, this is just a convenience widget thingie.
Quote from: Darren Dirt on September 11, 2013, 05:24:18 PM
http://ss64.com/passwords/
http://ss64.com/pass/
From that page: "Copy and paste the new password(s) into the website and set your web browser to remember them".
So now all I need to do is find a way to read your browser's password store.
Or trade a chocolate bar for your password.
Or pretend I'm from IT (with requisite coffee cup ring on my back).
Nowadays it's far more than just PASSWORDS; the real question is:
How secure OVERALL are the biggest names on the social web -- especially when it comes to possible future NSA/otherTLA requests?
https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what
"EFF has asked (30Oct2013) service providers to implement strong encryption (http://news.cnet.com/8301-13578_3-57610139-38/6-steps-silicon-valley-can-take-to-protect-users-from-nsa-spying/)... [the reason:] The National Security Agency's MUSCULAR program, which tapped into the fiber-optic lines connecting the data centers of Internet giants like Google and Yahoo, exposed the tremendous vulnerabilities companies can face when up against as powerful an agency as the NSA. Bypassing the companies' legal departments, the program grabbed extralegal access to your communications, without even the courtesy of an order from the secret rubber-stamp FISA court..."
RESULTS (19Nov2013):
(https://www.eff.org/files/2013/11/19/crypto-survey-graphic.png)
Ironic, surprising take-away: LinkedIn, the reason for THIS forum thread ... is actually doing a BETTER JOB than MICROSOFT, when it comes to protecting users from spying.
more re. EFF's movement to "ENCRYPT THE WEB" @ https://www.eff.org/encrypt-the-web
I'm actually more concerned that the hard links between the very underpinnings of these services are compromised.
I mean great Dropbox uses HTTPS between client and server, but what about internal to their network and so on.
Shenanigans happening in some old wire centre somewhere? We'll never know for sure, the companies themselves may not know.
So I assume that there is no such thing as secure communication online.
There's no such thing as secure communications period.
Quote from: Darren Dirt on November 21, 2013, 04:20:52 PM
Nowadays it's far more than just PASSWORDS; the real question is:
How secure OVERALL are the biggest names on the social web -- especially when it comes to possible future NSA/otherTLA requests?
Hey look at a stupid way to make things more secure -- INCREDIBLY STUPID ESOTERIC PERSONAL QUESTIONS!
https://twitter.com/JuliaAngwin/status/818910052333604865 https://archive.is/WuKb8
"Every day, a new fresh hell of password questions."(https://pbs.twimg.com/media/C11aRQdXUAADtyt.jpg)
Because of course that is so much better than allowing for very lengthy** passwords that can thus be utilized by using easily-remembered phrases a la http://forums.righteouswrath.com/index.php/topic,8098.0.html
ROFL -- comic relief on this serious subject = https://www.mcsweeneys.net/articles/nihilistic-password-security-questions (e.g. "What is your ex-wife's newest last name?" :)
** on that note, WTF with all these big name corp websites saying "8-15 characters, NO SYMBOLS" R U SERIOUS!? morons
( and FFS devs, make sure a stolen database password table does not look like THIS, let alone worse -- https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/ )
Amazingly, *NIST* is doing something smart about the headache of "special questions" authentication or w/e it is called:
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ ( via https://twitter.com/philipbsugg/status/818917750043185152 )
Security questions can be close to 2-factor auth if you use them "incorrectly"
What is your Mother's maiden name: "Optimus Prime"
What was your first pet's name: 79edba46-fb54-489c-a882-1c4d07dee7f0
Good luck Phishing for my pet's name fuccbois
I'm concerned that no one even acknowledged my IT Crowd reference back then. It's the last line:
Quote from: Thorin on September 12, 2013, 07:26:19 PM
From that page: "Copy and paste the new password(s) into the website and set your web browser to remember them".
So now all I need to do is find a way to read your browser's password store.
Or trade a chocolate bar for your password.
Or pretend I'm from IT (with requisite coffee cup ring on my back).
It's almost like you guys don't watch that show religiously and internalize its gags!
I have the brain damage
Quote from: Thorin on January 17, 2017, 10:45:39 PM
I'm concerned that no one even acknowledged my IT Crowd reference back then. It's the last line:
Quote from: Thorin on September 12, 2013, 07:26:19 PM
From that page: "Copy and paste the new password(s) into the website and set your web browser to remember them".
So now all I need to do is find a way to read your browser's password store.
Or trade a chocolate bar for your password.
Or pretend I'm from IT (with requisite coffee cup ring on my back).
It's almost like you guys don't watch that show religiously and internalize its gags!
Masterful classic. And speaking of coffee cup rings, well it's understandable innit, some damn good casting in the "extras" esp. the girls in accounting, they were all pretty damn hot IIRC.
The "final episode" [now on NetFlix!] was pretty cool, seeing what happened / happens to Richmond (stay for the ending credits!)
Quote from: Darren Dirt on January 17, 2017, 02:06:04 PM
ROFL -- comic relief on this serious subject = https://www.mcsweeneys.net/articles/nihilistic-password-security-questions (e.g. "What is your ex-wife's newest last name?" :)
BTW might I suggest this be a "first week of January introspection routine" for all of us seeking to motivate ourselves to do better and be better going forward... actually partly serious.
What is the name of your least favorite child?
In what year did you abandon your dreams?
What is the maiden name of your father's mistress?
At what age did your childhood pet run away?
What was the name of your favorite unpaid internship?
In what city did you first experience ennui?
What is your ex-wife's newest last name?
What sports team do you fetishize to avoid meaningful discussion with others?
What is the name of your favorite canceled TV show?
What was the middle name of your first rebound?
On what street did you lose your childlike sense of wonder?
When did you stop trying?
excellent and LENGTHY new post (10Mar2017) on CodingHorror about this fun topic of password complexity... and obstacles users encounter!
https://blog.codinghorror.com/password-rules-are-bull@% https://archive.is/sHYY0
If interested in this subject then [TimeSink Warning] because, like I said, lengthy.
... and of course a few comments got me to other pages on the subject, etc. etc. ... there goes lunchtime! :)
But among those comments, a link so simple yet so overflowing with reason and logic! A basic wisdom echoing forth from almost a decade ago...
http://www.baekdal.com/insights/password-security-usability
"A usable and secure password is then not a complex one. It is one that you can remember - a simple password using 3+ words."
Nothing has changed since August 2007, it is actually really easy to balance out "security" and "usability" (unless the idiot devs decided that password LENGTH should be stupidly limited to like 16 or 12 or 10 or something stupid like that. Idiots.)
The above, plus some basic cracking prevention (e.g. time-delay between sign-in attempts, penalty period) = PostItNote-Proof Passwords!
( the author of the above added an update in April of 2011 -- http://www.baekdal.com/insights/usable-security-reply-to-security-now -- and the message remains unchanged: simply allow/encourage very lengthy phrases made up of easily-remembered words. That's it. )
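Added example (editor's; not from the baekdal posts): the "time-delay between sign-in attempts, penalty period" half of the recipe above, as a per-account exponential back-off. The clock is passed in rather than read from time.time() so the behaviour can be exercised without sleeping. Thresholds (3 free attempts, then a 1 s lockout doubling to a 15-minute cap) are assumptions; a production version also keys on source address and keeps state in shared storage rather than a dict. The demo credential check (hmac.compare_digest over a constructed dict) stands in for a proper salted-hash verification.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class _Bucket:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Per-key (account) exponential back-off after repeated failures."""

    def __init__(self, free_attempts: int = 3, base_delay: float = 1.0,
                 max_delay: float = 900.0):
        self.free_attempts = free_attempts   # failures allowed before any delay
        self.base_delay = base_delay         # first lockout, in seconds
        self.max_delay = max_delay           # cap, so a deliberate lockout stays bounded
        self._buckets: Dict[str, _Bucket] = {}

    def check(self, key: str, now: float) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait) for an attempt at time `now`."""
        b = self._buckets.get(key)
        if b is None or now >= b.locked_until:
            return True, 0.0
        return False, b.locked_until - now

    def record_failure(self, key: str, now: float) -> float:
        """Count a failure; past the free attempts, lock for base * 2^(n-1), capped.
        Returns the lockout applied (0.0 while still within the free attempts)."""
        b = self._buckets.setdefault(key, _Bucket())
        b.failures += 1
        excess = b.failures - self.free_attempts
        if excess <= 0:
            return 0.0
        delay = min(self.max_delay, self.base_delay * 2 ** (excess - 1))
        b.locked_until = now + delay
        return delay

    def record_success(self, key: str) -> None:
        """A successful login clears the account's failure history."""
        self._buckets.pop(key, None)


def attempt_login(throttle: LoginThrottle, username: str, password: str, now: float,
                  check_credentials: Callable[[str, str], bool]) -> str:
    """Return "ok", "bad-credentials" or "locked".

    The throttle is consulted BEFORE the credential check, so a locked attempt
    costs no KDF work and reveals nothing about whether the guess was right.
    """
    allowed, _wait = throttle.check(username, now)
    if not allowed:
        return "locked"
    if check_credentials(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "bad-credentials"


if __name__ == "__main__":
    # Constructed demo store; real code verifies a salted hash here instead.
    demo_users = {"alice": "correct horse battery staple"}

    def check(user: str, pw: str) -> bool:
        return user in demo_users and hmac.compare_digest(demo_users[user], pw)

    throttle = LoginThrottle()
    clock = 0.0
    for guess in ("123456", "password", "qwerty", "letmein", "dragon"):
        result = attempt_login(throttle, "alice", guess, clock, check)
        print(f"t={clock:4.1f}s guess={guess!r:<12} -> {result}")
        clock += 0.2
    clock = 10.0
    result = attempt_login(throttle, "alice", demo_users["alice"], clock, check)
    print(f"t={clock:4.1f}s real password -> {result}")
```

With these numbers a 10-guess-per-second dictionary attack against one account gets four guesses evaluated and then waits 1 s, 2 s, 4 s and so on up to 15 minutes per further guess, while a legitimate user who mistypes twice is never delayed at all. The cap matters: without it an attacker can lock a victim out indefinitely by feeding wrong passwords, which is a denial of service rather than a security win.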