LinkedIn password hacking = STUPID AND AVOIDABLE!

Started by Darren Dirt, June 09, 2012, 07:48:25 AM

Darren Dirt

on-topic with the whole passwords/hashing/SALT discussion...

http://www.adayinthelifeof.nl/2011/02/02/password-hashing-and-salting/

found via http://www.codinghorror.com/blog/2012/04/speed-hashing.html


cliffs: use 12 characters or more (even if all lowercase, that puppy is gonna be tough to brute-force crack -- but hope and pray the app's developer salted the damn thing, obv.)
_____________________

Strive for progress. Not perfection.
_____________________

Tom

As well as salting, look into scrypt, bcrypt or PBKDF2 (in that order). (though I think these algorithms tend to include salting built in)

oh and make sure to use a cryptographically secure random number generator to seed the hash algo.
<Zapata Prime> I smell Stanley... And he smells good!!!
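As an added example (not code from this thread or from the linked articles), here is the approach Tom describes in Python's standard library: PBKDF2-HMAC-SHA256 with a per-password salt drawn from a CSPRNG, plus a constant-time verify. The iteration count and the `algo$iterations$salt$hash` storage format are my assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example; tune the iteration count to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: algo$iterations$salt_hex$hash_hex."""
    # Salt from a CSPRNG (secrets), never from random.random(); a fresh salt per
    # password means two users with the same password get different hashes.
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare safely."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False  # unknown or malformed record, never guess
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample: the same password hashed twice yields different records.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print(rec_a != rec_b)                                        # True (different salts)
    print(verify_password("correct horse battery staple", rec_a))  # True
    print(verify_password("Tr0ub4dor&3", rec_a))                  # False
```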

Darren Dirt

#17
sorta-on-topic:

here's an idea, remember a single "master password", and have an easy-to-access webpage that generates SHA for each of the most common websites, thus anywhere-anytime reminding you of your password (after entering which you will click 'remember me', I am sure)

http://ss64.com/passwords/
http://ss64.com/pass/


cliffs: kinda like http://keepass.info/ (as suggested here or similar, but it's a simple PUBLIC WEBPAGE that you can access from anywhere. anytime.
definitely-on-topic:
HALL OF SHAME for password restrictions* (length, types of characters) ZOMG!
https://defuse.ca/password-policy-hall-of-shame.htm
* -- and touched upon in another password-related thread:
Quote from: Lazybones on August 12, 2011, 04:06:13 PM
Doesn't do you any good on sites that have 9 character limits on the password field or do automatic truncation..

What site would do such a bad thing? ONE OF MY BANKING SITES! Not my primary bank but another one I have an account with.

Mr. Analog

The trouble with services like this is you don't know if they have some kind of "magic number" backdoor that could be used to find your (or anyone else's) key.

(sorry, an article I read this morning got the brain juices flowing about public cryptography)
By Grabthar's Hammer

Darren Dirt

What I just linked to, it's not a service, it's just a simple JS/html webpage; you can save a copy locally and never use the original ... and check the code yourself to ensure no 'phone home' tomfoolery...


It's of course still as 'vulnerable' as the hash algorithms themselves, this is just a convenience widget thingie.

Thorin

Quote from: Darren Dirt on September 11, 2013, 05:24:18 PM
http://ss64.com/passwords/
http://ss64.com/pass/

From that page: "Copy and paste the new password(s) into the website and set your web browser to remember them".

So now all I need to do is find a way to read your browser's password store.

Or trade a chocolate bar for your password.

Or pretend I'm from IT (with requisite coffee cup ring on my back).
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

#21
Nowadays it's far more than just PASSWORDS; the real question is:

How secure OVERALL are the biggest names on the social web -- especially when it comes to possible future NSA/otherTLA requests?

https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what
"EFF has asked (30Oct2013) service providers to implement strong encryption... [the reason:] The National Security Agency's MUSCULAR program, which tapped into the fiber-optic lines connecting the data centers of Internet giants like Google and Yahoo, exposed the tremendous vulnerabilities companies can face when up against as powerful an agency as the NSA. Bypassing the companies' legal departments, the program grabbed extralegal access to your communications, without even the courtesy of an order from the secret rubber-stamp FISA court..."


RESULTS (19Nov2013):
Ironic, surprising take-away: LinkedIn, the reason for THIS forum thread ... is actually doing a BETTER JOB than MICROSOFT, when it comes to protecting users from spying.



more re. EFF's movement to "ENCRYPT THE WEB" @ https://www.eff.org/encrypt-the-web


Mr. Analog

I'm actually more concerned that the hard links between the very underpinnings of these services are compromised.

I mean great Dropbox uses HTTPS between client and server, but what about internal to their network and so on.

Shenanigans happening in some old wire centre somewhere? We'll never know for sure, the companies themselves may not know.

So I assume that there is no such thing as secure communication online.

Tom

There's no such thing as secure communications period.

Darren Dirt

#24
Quote from: Darren Dirt on November 21, 2013, 04:20:52 PM
Nowadays it's far more than just PASSWORDS; the real question is:

How secure OVERALL are the biggest names on the social web -- especially when it comes to possible future NSA/otherTLA requests?



Hey look at a stupid way to make things more secure -- INCREDIBLY STUPID ESOTERIC PERSONAL QUESTIONS!

https://twitter.com/JuliaAngwin/status/818910052333604865 https://archive.is/WuKb8

"Every day, a new fresh hell of password questions."




Because of course that is so much better than allowing for very lengthy** passwords that can thus be utilized by using easily-remembered phrases ala http://forums.righteouswrath.com/index.php/topic,8098.0.html


ROFL -- comic relief on this serious subject = https://www.mcsweeneys.net/articles/nihilistic-password-security-questions (e.g. "What is your ex-wife's newest last name?" :)



** on that note, WTF with all these big name corp websites saying "8-15 characters, NO SYMBOLS" R U SERIOUS!? morons
( and FFS devs, make sure a stolen database password table does not look like THIS, let alone worse -- https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/ )

Amazingly, *NIST* is doing something smart about the headache of "special questions" authentication or w/e it is called:
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ ( via https://twitter.com/philipbsugg/status/818917750043185152 )

Mr. Analog

Security questions can be close to 2-factor auth if you use them "incorrectly"

What is your Mother's maiden name: "Optimus Prime"

What was your first pet's name: 79edba46-fb54-489c-a882-1c4d07dee7f0

Good luck Phishing for my pet's name fuccbois

Thorin

I'm concerned that no one even acknowledged my IT Crowd reference back then.  It's the last line:

Quote from: Thorin on September 12, 2013, 07:26:19 PM
From that page: "Copy and paste the new password(s) into the website and set your web browser to remember them".

So now all I need to do is find a way to read your browser's password store.

Or trade a chocolate bar for your password.

Or pretend I'm from IT (with requisite coffee cup ring on my back).

It's almost like you guys don't watch that show religiously and internalize its gags!

Mr. Analog

I have the brain damage


Darren Dirt

Quote from: Thorin on January 17, 2017, 10:45:39 PM
I'm concerned that no one even acknowledged my IT Crowd reference back then.  It's the last line:

Quote from: Thorin on September 12, 2013, 07:26:19 PM
From that page: "Copy and paste the new password(s) into the website and set your web browser to remember them".

So now all I need to do is find a way to read your browser's password store.

Or trade a chocolate bar for your password.

Or pretend I'm from IT (with requisite coffee cup ring on my back).

It's almost like you guys don't watch that show religiously and internalize its gags!

Masterful classic. And speaking of coffee cup rings, well it's understandable innit, some damn good casting in the "extras" esp. the girls in accounting, they were all pretty damn hot IIRC.

The "final episode" [now on NetFlix!] was pretty cool, seeing what happened / happens to Richmond (stay for the ending credits!)

Darren Dirt

Quote from: Darren Dirt on January 17, 2017, 02:06:04 PM
ROFL -- comic relief on this serious subject = https://www.mcsweeneys.net/articles/nihilistic-password-security-questions (e.g. "What is your ex-wife's newest last name?" :)

BTW might I suggest this be a "first week of January introspection routine" for all of us seeking to motivate ourselves to do better and be better going forward... actually partly serious.

What is the name of your least favorite child?
In what year did you abandon your dreams?
What is the maiden name of your father's mistress?
At what age did your childhood pet run away?
What was the name of your favorite unpaid internship?
In what city did you first experience ennui?
What is your ex-wife's newest last name?
What sports team do you fetishize to avoid meaningful discussion with others?
What is the name of your favorite canceled TV show?
What was the middle name of your first rebound?
On what street did you lose your childlike sense of wonder?
When did you stop trying?