nVidia Forums Hacked

Started by Melbosa, August 09, 2012, 10:57:06 AM


Thorin

Well if you're cracking passwords you might not want to use cloud computing as you might be paranoid about who could be recording what you're doing :P  Also, the time required to crack the password(s) might exponentially increase due to network speed becoming the bottleneck...
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Lazybones

Quote from: Thorin on August 12, 2012, 01:00:00 AM
Well if you're cracking passwords you might not want to use cloud computing as you might be paranoid about who could be recording what you're doing :P  Also, the time required to crack the password(s) might exponentially increase due to network speed becoming the bottleneck...

You give the job to many different servers and assign each a different start / search space... When they find the answer the winner reports back to you.

You are correct that using public clouds would increase the risk of getting found.

Darren Dirt

#17
Quote from: Thorin on August 11, 2012, 03:58:04 PM
Interesting Rainbow Table post from 2007: http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html.  The salient point from this post was that desktop computers were getting so powerful that very large rainbow tables could be loaded.

Interesting Rainbow Table Is Dead post from 2011: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html.  The salient point is that GPUs are getting so damn fast now that brute forcing passwords is even quicker than using rainbow tables.  And hey, Tom had even talked recently about getting a couple of GPUs going to do BitCoin mining, or something.

I love how attention-grabbing some of the titles of the links at the bottom...
http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
http://www.codinghorror.com/blog/2009/05/i-just-logged-in-as-you-how-it-happened.html

Quote from: Thorin on August 11, 2012, 03:58:04 PM
Security is hard.

Also remember the 10 Immutable Laws of Security: http://technet.microsoft.com/library/cc722487.aspx

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea
_____________________

Strive for progress. Not perfection.
_____________________

Darren Dirt

well here's a gem -- as a developer especially

http://www.codinghorror.com/blog/2012/04/speed-hashing.html

Quote
Secure hashes are designed to be tamper-proof
A properly designed secure hash function changes its output radically with tiny single bit changes to the input data, even if those changes are malicious and intended to cheat the hash. Unfortunately, not all hashes were designed properly, and some, like MD5, are outright broken and should probably be reverted to checksums.

...

I'm too busy to read all this.
If you are a user:

Make sure all your passwords are 12 characters or more, ideally a lot more. I recommend adopting pass phrases ( http://www.codinghorror.com/blog/2005/07/passwords-vs-pass-phrases.html ) , which are not only a lot easier to remember than passwords (if not type) but also ridiculously secure against brute forcing purely due to their length.

If you are a developer:

Use bcrypt or PBKDF2 exclusively to hash anything you need to be secure. These new hashes were specifically designed to be difficult to implement on GPUs. Do not use any other form of hash. Almost every other popular hashing scheme is vulnerable to brute forcing by arrays of commodity GPUs, which only get faster and more parallel and easier to program for every year.

http://en.wikipedia.org/wiki/Bcrypt
http://en.wikipedia.org/wiki/Pbkdf2

so I guess laziness (i.e. using MD5 with a "random" salt) should no longer be a default ... damn you increasing clock speeds and whatnot!
_____________________

Strive for progress. Not perfection.
_____________________

Mr. Analog

Yepp, it's essentially a processing race, lengthening and increasing password complexity only buys time.

So gotta start getting better at locking down passwords in the first place, amirite?
By Grabthar's Hammer

Thorin

I dunno, I like the newest tack security professionals are taking - make the hashing algorithm slow instead of fast so that it takes way longer to generate all the hashes for either brute forcing or rainbow tabling.  And adding a long salt that is different for every password will certainly significantly increase the time it takes.

Still, "Hello, this is George from IT.  We're having a problem on the mail server with a large attachment sent to you.  Can I have your password to try and fix that, please?"...
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful
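Thorin's point above (a deliberately slow hash plus a salt that differs for every password) and the bcrypt/PBKDF2 advice quoted from codinghorror earlier in the thread, shown as an added example that is not code from the thread or from any poster; the iteration count is an assumed value, and the salted-MD5 function is there only to contrast the cost of one guess:

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for illustration; tune it
# so one hash costs tens to hundreds of milliseconds on your own servers.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.
    A fresh random salt per password means two users with the same password
    get different records, so one precomputed table cannot serve both."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters), DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def salted_md5(password: str, salt: bytes) -> str:
    """The 'lazy' scheme from the thread: one fast MD5 over salt+password.
    Included only to contrast cost; do not use it for stored passwords."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def cost_ratio(password: str = "correct horse battery staple") -> float:
    """How many salted-MD5 guesses fit in the time of one PBKDF2 guess."""
    salt = os.urandom(SALT_BYTES)
    n = 2000
    t0 = time.perf_counter()
    for _ in range(n):
        salted_md5(password, salt)
    md5_each = (time.perf_counter() - t0) / n
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, DKLEN)
    return (time.perf_counter() - t0) / md5_each

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print(rec, verify_password("correct horse battery staple", rec))
    print(f"one PBKDF2 guess costs ~{cost_ratio():,.0f} salted-MD5 guesses")
```

The ratio printed is the whole point of the slow-hash approach: every guess an attacker makes against a leaked record costs the same work factor, while a legitimate login pays it once.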

Mr. Analog

Exactly, humans will always be the weakest link when it comes to security.
By Grabthar's Hammer

Tom

Speaking of security... What about those nice security questions places like to ask for? This guy has figured out how to have some fun with them.
<Zapata Prime> I smell Stanley... And he smells good!!!

Darren Dirt

#23
Quote from: Tom on August 13, 2012, 09:53:20 PM
Speaking of security... What about those nice security questions places like to ask for? This guy has figured out how to have some fun with them.

article = 8/10

most of the suggestions in the COMMENTS = !

and similar to "fun with secret questions and answers", check this prankster out...
http://www.fourhourworkweek.com/blog/2010/05/01/credit-card-concierge/
_____________________

Strive for progress. Not perfection.
_____________________