AVSIG: Password Security....should you change it often?



Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Russell Holton]
      #428868 - 08/05/16 06:37 PM

>> If it's known the password is all lower case letters . . . <<

But the bad guy doesn't know that, so he must test for caps and numbers too.
I've never seen a site that forbids caps and numbers, have you?

>> ....about 1045 times more complex. <<

So what? Does that take the bad guy's computer another couple of seconds?


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428877 - 08/05/16 08:47 PM

The argument for changing passwords is in case the server gets hacked and the
password files stolen.

The bad guys can then run cracking attacks on the password file. Those
attacks can take a long time, but in principle they will eventually succeed.
A policy of changing passwords means that even if your password is found by
cracking, it won't do the bad guys much good because it'll already have been
changed during the cracking period.

This is the argument against using passwords like NinaNina1 followed by
NinaNina2 when forced to make a change. Easy for you to remember, sure, but
also easy for bad guys to figure out the second one once they've cracked the
first. And the pros know all about stuff like NinaNina1; a lot of people do
that. Hell, I do that for relatively unimportant accounts.

Google "new technology cracks strong passwords forbes" for a Forbes article
about the human vulnerabilities of passwords.

And Russell has already responded: The more characters that can be used in
the password, the harder a brute force search becomes. The reductio ad
absurdum is this: If the alphabet consists of just the letter 'A', then
cracking a password is trivial, since the possibilities are A, AA, AAA, and
so on. In other words, there is only one ten-character password. Make it
any upper case character, and there are 26**10 possibilities: 141 trillion.
Make it any upper or lower case letter, and there are 52**10 possibilities:
146 quadrillion.

Modern desktop computers can try hundreds of millions of passwords per
second, for some kinds of hashes. If outfitted with GPU processors -- which
are cheap -- there are cracking tools that can try billions of passwords per
second. At that rate, those 141 trillion ten-character single-case passwords
can be broken in less than a day.

Again, this is an arms race, and modern password encryption is much trickier
than just hashing a ten-character string. (Search out "bcrypt" and "scrypt",
for example.) That kind of technology makes cracking harder.

I personally use LastPass for most of my password stuff these days, and
anything like banking or PayPal or credit card access uses randomly
generated 12- to 16-character passwords like "Aq&,bzQoP#3z7" and I never even
look at them.

But I keep looking at other possibilities; I figure that sooner or later I'll
start using two-factor authentication for important stuff. That means I'll
have to keep my smart phone with me all the time so that the site can text me
a one-time-only number each time I log in.

There's a lot of excitement about the fingerprint readers now found on smart
phones and tablets. But they scare me a little; inexpensive readers don't
need my thumb to be attached to me, nor do they care whether or not I am
alive.


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Nancy Zeitlin [HPN]]
      #428878 - 08/05/16 08:47 PM

Ward, this conversation is -- sort of -- demonstrating why even 8-character
passwords are no longer considered automatically safe.

As I said elsewhere, modern cracking programs on GPU equipped computers can
try about 2.8 billion passwords per second. 26**8 is about 209 billion, and
such a program would take about 75 seconds to go through all of them.

So, yeah, 1,045 times that would be 22 hours.

And as Nancy points out, the bad guys would have created a dictionary of all
of those possibilities. I haven't really designed a system, but suppose the
hash is 256 bits. Storing 209 billion of those would be about 7 terabytes,
which is about $200 of disk storage these days. Fussing and fiddling with
hash storage techniques means that it would take a few milliseconds to come
up with your password. And that covers *every* possible 8-character
lower-case password for a particular hashing algorithm.

Again, I am not the first person to figure this out; modern password
encryption has grown complicated for the express purpose of reducing
vulnerability to dictionary attacks. Googling "rainbow table" will give you
an idea about how the ever-escalating arms war in passwords and password
crackers has evolved.

Passwords are an area where the bad guys have infinite time and infinite
resources to break the efforts of the good guys. Strange and wonderful
things happen as a result. So my back of the envelope guesswork here is
naive and criminally incomplete; the bad guys are much more advanced than I
am after thinking about it for almost fifteen whole minutes.


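Bob's arithmetic in the post above, carried through in code. This is an added example, not something posted in the thread: the 2.8 billion guesses per second and the 32-byte hash size are the figures he quotes, while the bcrypt-class rate of 10,000 hashes per second is an assumed, illustrative number.

```python
# Figures quoted in the post: a GPU rig trying about 2.8 billion candidates
# per second, and a 256-bit (32-byte) hash stored per precomputed entry.
GUESSES_PER_SECOND = 2.8e9
HASH_BYTES = 32

LOWER = 26   # a-z
MIXED = 52   # a-z, A-Z
ALNUM = 62   # a-z, A-Z, 0-9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def expansion_factor(small: int, large: int, length: int) -> float:
    """How many times larger the search gets when the alphabet grows."""
    return (large / small) ** length


def table_bytes(alphabet_size: int, length: int,
                hash_bytes: int = HASH_BYTES) -> int:
    """Storage for a precomputed hash-per-password table (hashes only,
    no index overhead)."""
    return keyspace(alphabet_size, length) * hash_bytes


if __name__ == "__main__":
    print(f"26**8  = {keyspace(LOWER, 8):,} candidates")
    print(f"   all tried in {seconds_to_exhaust(LOWER, 8):.0f} s at 2.8e9/s")
    print(f"lowercase -> alphanumeric at length 8: "
          f"x{expansion_factor(LOWER, ALNUM, 8):.0f}")
    print(f"   i.e. {seconds_to_exhaust(ALNUM, 8) / 3600:.1f} hours")
    print(f"table of every 26**8 hash: {table_bytes(LOWER, 8) / 1e12:.1f} TB")
    print(f"26**10 = {keyspace(LOWER, 10):,}, "
          f"{seconds_to_exhaust(LOWER, 10) / 3600:.0f} hours at 2.8e9/s")
    print(f"52**10 = {keyspace(MIXED, 10):,}")
    # Assumed, illustrative bcrypt-class rate: 10,000 hashes/s instead of 2.8e9.
    print(f"26**8 against a slow hash at 1e4/s: "
          f"{seconds_to_exhaust(LOWER, 8, 1e4) / 86400:.0f} days")
```

The "1,045 times" figure quoted earlier in the thread is exactly the alphabet expansion from 26 to 62 symbols at length 8, and the slow-hash line is what makes the bcrypt/scrypt remark concrete.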
Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428880 - 08/05/16 09:19 PM

Quote:

But the bad guy doesn't know that, so he must test for caps and numbers too.
I've never seen a site that forbids caps and numbers, have you?

Many sites now require a mix.

But the point is that if you allow all lower case, then chances are there are a number of common passwords in all lower case and the hacker can crack them. And once you've cracked some, now you know how that system encodes them and it becomes easier to crack the rest.


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Password Security....should you change it often? [Re: Bob Dubner]
      #428881 - 08/05/16 09:26 PM

Quote:

There's a lot of excitement about the fingerprint readers now found on smart phones and tablets. But they scare me a little; inexpensive readers don't need my thumb to be attached to me, nor do they care whether or not I am alive.

What I don't get is how it's that much more secure than the mag stripe on the back of a credit card. If you've broken into the system, once you get ahold of the data the thumbprint reader creates, you don't even need the reader.

In case your thumb's data has been stolen, good luck changing your thumb.


sreyoB yrraL
AVSIG Member


Reged: 05/16/04
Posts: 9442
Re: Password Security....should you change it often? [Re: Russell Holton]
      #428883 - 08/05/16 09:50 PM

The Security Now podcast has talked extensively about passwords and security (go figure) over the years. It makes a lot of sense while I'm listening to the explanations of the technology, techniques, and challenges but I don't remember enough of the details to relate them. I do remember that eliminating words found in the dictionary, have both upper and lowercase letters, and including both numbers and symbols takes a brute force attack from trivial to nearly impossible due to the amount of time it will take to find a solution.

https://www.grc.com/securitynow.htm

Search for something like "passwords" in the episode descriptions.


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Bob Dubner]
      #428884 - 08/05/16 10:29 PM

>> The argument for changing passwords is in case the server gets hacked and
the password files stolen. <<

Okay, so they recommend changing all my 60 passwords once a week. That would
take a minimum of 3 hours. But wait a minute! What if the guys break into
the server in 4 days? Guess I should change them every other day. Maybe
daily?

Bob, I'll let all you guys worry about passwords. I've said before, I have
nothing to protect that matters that much. I suspect some who are hot
about passwords, if they REALLY thought about it, have the same situation.


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428924 - 08/06/16 08:00 PM

<grin> Ward, you aren't wrong.

I don't change most of my passwords, for just the reason you describe: I
really don't care if somebody hacks into my nytimes.com account.

And it would be a pretty sad hacker making a significant effort to get into
nytimes.com. What would be the point?

Most of the fuss and bother has to do with business accounts and the like. I
don't work at an asset management firm any more, but all of the computers in
the company are attached to the same network -- and I had a lot of
capability; I had access to many shared folders, and I had a lot -- a *real*
lot -- of power in several of the databases.

If somebody hacked into the system, got hold of the right password file, and
started cranking and grinding on it, found my password and used it to log in
as me and start doing Bad Things using my permissions, it conceivably would
have made the front page of the New York Times business section, have
resulted in a big hit on the stock price, and could have resulted in a bunch
of people and institutions closing their accounts. I took that seriously; I
used long, nasty passwords, and I changed them more often than the 90 days
that company policy required.

And, yeah, that requires two steps; they'd have to know my password, and
they'd have to have access to the system -- that is, they'd have to be behind
the firewall. I used long, nasty passwords anyway.

The company is under constant, and serious, attack. All the financial firms
are; that's where the money is.

And that's where the bad guys can get leverage. Most companies use Windows
as their desktop machines. The Windows password mechanism is well known and
doesn't use salting, and so huge cracking dictionaries for Windows passwords
have been built.


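The salting point in Bob's last paragraph, as an added example that is not from the thread: a toy precomputed dictionary covering every four-letter lowercase password (a constructed, deliberately small keyspace) recovers an unsalted SHA-256 hash in one lookup, while a per-user random salt makes that same table useless. The sample password "nina" is constructed.

```python
import hashlib
import itertools
import os
import string

# Constructed toy keyspace: every lowercase password of exactly 4 letters
# (26**4 = 456,976). Small enough to precompute here; the mechanism is the
# same at the scale discussed in the thread.
ALPHABET = string.ascii_lowercase
LENGTH = 4


def unsalted(password: str) -> str:
    """Hash the password alone: same input gives the same hash for every
    user on every system, so one table serves all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password: str, salt: bytes) -> str:
    """Hash salt || password: the same password hashes differently per user."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table() -> dict:
    """The 'cracking dictionary' from the post: hash -> password, computed
    once and reused against any unsalted store."""
    table = {}
    for chars in itertools.product(ALPHABET, repeat=LENGTH):
        pw = "".join(chars)
        table[unsalted(pw)] = pw
    return table


def lookup(table: dict, stored_hash: str):
    """Recover the password behind a stored hash in one lookup, or None."""
    return table.get(stored_hash)


def demo(password: str = "nina"):
    """Returns (result against an unsalted store, result against a salted one)."""
    table = build_table()
    hit = lookup(table, unsalted(password))          # instant recovery
    salt = os.urandom(16)                             # per-user random salt
    miss = lookup(table, salted(password, salt))     # table never saw this salt
    return hit, miss


if __name__ == "__main__":
    hit, miss = demo()
    print("unsalted store, table lookup:", hit)   # nina
    print("salted store, same table:", miss)      # None
```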
Scott Dyer [HPN/NY]
Top Gun


Reged: 01/11/03
Posts: 20065
Re: Password Security....should you change it often? [Re: Bob Dubner]
      #428931 - 08/06/16 09:14 PM

Quote:

I don't work at an asset management firm any more, but all of the computers in the company are attached to the same network -- and I had a lot of capability; I had access to many shared folders, and I had a lot -- a *real* lot -- of power in several of the databases. ****

The company is under constant, and serious, attack. All the financial firms
are; that's where the money is.

Bob -- Yup. Our IT guys know that they can't stop a determined attack from, among others, a sovereign power (pick your favorite bad actor). But we can keep some of the others relatively at bay. And our bank clients are very much the driver in requiring law firms to do more with their IT security. It's a bit of a mixed bag because it has shut down a lot of professional access to files that can be helpful as forms from one deal to the next.


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Bob Dubner]
      #428940 - 08/06/16 10:41 PM

Another reason for a long, nasty password behind the firewall: You don't
know on which side of the firewall the next bad guy is.

My time in data security consulting (long time ago) was involved entirely
with internal threats, e.g., skimming the fractional cents off the daily
compound interest calculations. Lotsa variations on that theme, nearly all
of which would be caught instantly today.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.

