'How to have lots of passwords without struggling to remember them' blog discussion

124

Replies

  • macutmore Forumite
    28 Posts
    Even encryption is being successfully 'decrypted' nowadays, using the power of the cloud itself. It's only the inconvenience of the time it takes, but the potential reward might just outweigh that.

    At least if you use stronger individual passwords, those that have the weaker ones will ultimately be victims first before you or better still instead of you!
  • John_Pierpoint Forumite
    8.4K Posts
    Part of the Furniture 1,000 Posts
    ✭✭✭✭
    I'm noticing that a lot more sites are making rules for passwords along the lines of
    "Password is case sensitive, it must be at least 8 characters including two letters 2 numbers and 2 punctuation characters"
    The last requirement can cause problems if you are trying to use "the cloud" from a "foreign" keyboard.
  • How did the hackers crack Sony and Facebook's user passwords? Did they guess them randomly or have a program which did it for them? The reason for asking is that no matter how complex your password, if a program is used it will crack them no matter what? I'm not techy so feel free to correct me if I am wrong!
    :):):):):):):j:):):):):):)
  • edited 15 May 2011 at 1:46PM
    macutmore Forumite
    28 Posts
    safetygirl wrote: »
    How did the hackers crack Sony and Facebook's user passwords? Did they guess them randomly or have a program which did it for them? The reason for asking is that no matter how complex your password, if a program is used it will crack them no matter what? I'm not techy so feel free to correct me if I am wrong!


    That's a good 'million dollar question', & it seems the likes of Sony & Facebook are still trying to work that out somehow. It wouldn't be 'one' responsible individual in my guess. The sheer power of multiple computing (cloud botnet style), & simple passwords (let's start with abc123 etc) make it a bit easier. The likes of an SQL injection attack & beyond start to get a bit more complex.

    It is now possible on accounts like gmail and facebook to enable a feature called "login approval", which effectively locks out a hack attempt by positively identifying yourself using a unique security code if any attempt is made to login to your account from a different computer.

    http://m.readwriteweb.com/archives/facebook_launches_login_approvals_new_secure_two_factor_authentication.php

    :T
  • cgk1 Forumite
    1.3K Posts
    Tenth Anniversary 1,000 Posts Combo Breaker
    ✭✭✭
    safetygirl wrote: »
    How did the hackers crack Sony and Facebook's user passwords? Did they guess them randomly or have a program which did it for them? The reason for asking is that no matter how complex your password, if a program is used it will crack them no matter what? I'm not techy so feel free to correct me if I am wrong!

    Most Facebook passwords are of the weak dictionary types. Passwords are the weak link in any system so Martin's advice of using dictionary words is pretty lousy.
    It is now possible on accounts like gmail and facebook to enable a feature called "login approval",

    Yes and no - Gmail and google accounts use two-factor authentication (if you turn it on) - you put in your password and then you are required to put in a random number generated from an app - this is good.

    Facebook's "login approval" is as much use as a chocolate fireguard, it allows you to log in from a strange machine and then simply sends you an email saying you've done it - relying on the user seeing the email before the account is changed and they are logged out. The system described in your link does not seem to be currently available to UK customers. A waste of time in its current form.
  • cgk1 Forumite
    1.3K Posts
    Tenth Anniversary 1,000 Posts Combo Breaker
    ✭✭✭
    macutmore wrote: »
    Even encryption is being successfully 'decrypted' nowadays, using the power of the cloud itself. It's only the inconvenience of the time it takes, but the potential reward might just outweigh that.

    At least if you use stronger individual passwords, those that have the weaker ones will ultimately be victims first before you or better still instead of you!


    Which is why two-factor is the way to go - I use lastpass with a strong password and also a Yubikey. Unless they manage to steal the actual yubikey off me they are straight out of luck.
  • edited 17 May 2011 at 12:26AM
    asbokid
    2K Posts
    ✭✭✭✭
    cgk1 wrote: »
    safetygirl wrote: »
    How did the hackers crack sony and facebooks user passwords? Did they guess them randomly or have a program which did it for them?
    Most facebook passwords are of the weak dictionary types

    I don't buy that old chestnut for a minute.

    The theory of these attacks being brute force dictionary-based attacks is a very tall fairytale.

    This is a myth put out by company insiders and stooges who would rather cast aspersions on the victims than admit liability for their own security failings.

    Think about the scale of the task of performing a successful brute force attack over the internet. It would be vast, and there are time constraints involved, too.

    Remember you've got to submit the correct username and password combination before the authentication server locks you out. That typically happens after n incorrect password tries on the same account.

    The OED has 100,000 commonly-used words, and there are maybe another 10,000 more words that are popular proper nouns. 110,000 words to choose from, two cases for every letter, and five goes to get it right. No chance!

    Much more likely is that the security breaches occur in the authentication systems of the companies themselves. That often includes data theft by disgruntled former employees who leave with inside knowledge and then sell that data to criminals.

    Alternatively, passwords can be stolen on-the-wire, using packet sniffing tools. Until recently, Facebook did not offer encrypted HTTP sessions during login. At any point along the network path from the user to Facebook's authentication server, login passwords could be sniffed using off-the-shelf tools like Wireshark.

    Or malicious code can be installed remotely onto the PC of a victim. That code typically includes its own deep network packet inspection capabilities, and keystroke logging.

    The next time the victim logs into his Facebook or Sony account, his password is automatically picked up by the malicious code that is running on his machine. The malicious code secretly forwards his password to a listening socket that has been set up by the hacker on another machine that he has also hacked (so as to obfuscate the audit trail).

    We are not talking script-kiddies here. We are into the realms of serious organised crime. When you think about the vast sums stolen in the numerous internet-based attacks on the banking system, this is a multi-billion dollar black industry.
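The lockout asbokid relies on ("after n incorrect password tries on the same account") is the control that makes online dictionary guessing impractical. The following is an added example, not anything from the thread or from any of the sites named: a per-account throttle of the kind an authentication server would run, plus two helpers that put numbers on the post's argument (the case-variant keyspace of a word list against the guesses a lockout policy permits). The 5-try, 15-minute policy and the word list are constructed values.

```python
from collections import defaultdict
from typing import Callable, Iterable


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout.

    The password check is passed in as a callable so a locked account never has
    its password evaluated at all: no extra guesses, no timing side channel."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)  # account -> consecutive failed tries
        self.locked_until = {}            # account -> Unix time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0) > now

    def attempt(self, account: str, now: float, password_ok: Callable[[], bool]) -> str:
        """Returns "locked", "ok" or "fail"; only the last two ran the password check."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok():
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
        return "fail"


def case_variant_keyspace(words: Iterable[str]) -> int:
    """Distinct guesses if every letter of every word may be upper or lower case."""
    return sum(2 ** sum(ch.isalpha() for ch in word) for word in words)


def guess_budget(max_failures: int, lockout_seconds: int, hours: float) -> int:
    """Online guesses one account permits within `hours` under this lockout policy."""
    windows = int(hours * 3600 // lockout_seconds) + 1
    return max_failures * windows


if __name__ == "__main__":
    # Constructed demo: 110,000 six-letter words (the post's rough OED figure) vs. one day of guessing.
    keyspace = 110_000 * 2 ** 6
    print(keyspace, guess_budget(5, 900, 24))  # 7040000 485
```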
  • MothballsWallet Forumite
    15.8K Posts
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    ✭✭✭✭✭
    I use one of those password database programs (can I mention the one I use personally?) that saves the data in its own format, and can save it as a CSV file that can be loaded into a spreadsheet (handy for keeping a copy on the old pen drive).
  • Eco_Miser Forumite
    4.5K Posts
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    ✭✭✭✭
    I use one of those password database programs (can I mention the one I use personally?) that saves the data in its own format, and can save it as a CSV file that can be loaded into a spreadsheet (handy for keeping a copy on the old pen drive).
    I keep the encrypted database on a pendrive, so there's nothing on the computer even if it gets stolen, and the data on the pendrive is still secure.
    Eco Miser
    Saving money for well over half a century

  • Stompa Forumite
    8.2K Posts
    Part of the Furniture 1,000 Posts Name Dropper
    ✭✭✭✭
    I use one of those password database programs (can I mention the one I use personally?) that saves the data in its own format, and can save it as a CSV file that can be loaded into a spreadsheet (handy for keeping a copy on the old pen drive).
    I hope the CSV file is not stored unencrypted?
    Stompa
This discussion has been closed.