
The Case For Lousy Passwords

CmdrTaco posted more than 3 years ago | from the love-for-the-lousy dept.

Security 343

itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."


343 comments


Bad usernames too (4, Interesting)

alphatel (1450715) | more than 3 years ago | (#34573232)

Anytime I visit a site that wants a signup, I use a garbage email account, with the same username and weak password. If someone hacks my identity, it's not even "me".
It's not as if the right to post or read is such a valuable commodity that can't be replicated next time you visit the site.

Password keychains? (0)

Anonymous Coward | more than 3 years ago | (#34573282)

Today computers offer keychains like Gnome Keyring and KWallet for Linux, and often offer password-generating tools; browsers also remember passwords. Creating a complex 30-character password and keeping it in the browser takes 4 clicks, creating a complex password and keeping it in the keyring and browser takes 8-9 clicks, creating a stupid password that anyone can crack takes thinking, 6-7 keystrokes and then having to remember it. Laziness is no excuse when you're encouraged to be even more lazy with the complex ones.

Re:Password keychains? (4, Insightful)

mcvos (645701) | more than 3 years ago | (#34573428)

And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?

As you can probably guess, I use the same, simple password for every single web forum. I use complex passwords only for stuff that matters: my computers, my banking site, my PayPal account (until I canceled it), etc.

What really pisses me off, by the way, is when sites want to restrict my choice of password. The most stupid example is my bank, that doesn't allow (most?) non-alphanumeric characters in a password. Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.

Re:Password keychains? (3, Insightful)

clone52431 (1805862) | more than 3 years ago | (#34573550)

Yeah, I just registered an online banking account and their password requirements were 8-12 characters, no special characters.

WTF people?

But then they use security questions as a second line of defense, which is just another password, and a much longer and therefore stronger one at that (if it’s done properly – which most people don’t do, of course). Now, hopefully they’d require someone logging in from an unrecognized IP address to pass a security question...

Re:Password keychains? (1)

icebraining (1313345) | more than 3 years ago | (#34573720)

My bank allows for weakish passwords, but then they use SMS verification for any operation that involves transferring money.

Re:Password keychains? (1)

clone52431 (1805862) | more than 3 years ago | (#34573860)

Perhaps, but if someone was able to log in with your password could they also just turn off the SMS notifications?

Re:Password keychains? (1)

Deslack (48390) | more than 3 years ago | (#34574042)

They couldn't. They'd have to enter a confirmation code you'd receive via SMS.

Re:Password keychains? (1)

mcvos (645701) | more than 3 years ago | (#34574038)

I've got a 15 year-old piece of paper with codes that I need to enter when I want to transfer money.

It's quite an amazing system.

Re:Password keychains? (1)

DZign (200479) | more than 3 years ago | (#34573754)

Their web app probably dumps your password into an ASCII file that's uploaded to a mainframe which cannot handle anything else because of incompatible character sets..

Re:Password keychains? (0)

Anonymous Coward | more than 3 years ago | (#34573952)

Sorta like /. ?

Re:Password keychains? (3, Interesting)

horatio (127595) | more than 3 years ago | (#34573614)

Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.

When I worked for a major university a few short years ago, they contracted our paperless pay statements and W2s to Talx -- who only allowed numbers in the "password". Super frustrating, and of course no one in HR understood why I had a problem with this. They may have gotten smarter since then, but doubtful.

Re:Password keychains? (1)

eleuthero (812560) | more than 3 years ago | (#34573928)

I have the same problem with my ... bank card. In what world is a four digit password based off of ten numbers a secure method of doing business. The immediate answer is, "you have to have a passcard too" but this is no longer true since someone can walk past your wallet with a fancy phone attachment and get your number just by bumping into you to put onto their own fake card. Ah well.

Single point failure [Re:Password keychains?] (2)

Geoffrey.landis (926948) | more than 3 years ago | (#34573822)

Today computers offer keychains like Gnome Keyring and KWallet for Linux, and often offer password-generating tools; browsers also remember passwords. Creating a complex 30-character password and keeping it in the browser takes 4 clicks, creating a complex password and keeping it in the keyring and browser takes 8-9 clicks, creating a stupid password that anyone can crack takes thinking, 6-7 keystrokes and then having to remember it. Laziness is no excuse when you're encouraged to be even more lazy with the complex ones.

Well, yes. Of course, this means you now have a single-point failure mode for ALL of your accounts now; somebody sneaks into your browser, and your complex passwords are all useless.

And it doesn't help, because when the sites you have to log into vary their URL and you have to log in to their site and your browser doesn't know which password to use, you're toast.

Your browser burps, and you're toast.

Your keychain freezes, and you're toast.

You're accessing from some other system, and you're locked out of everything.

Doesn't help against phishing, either.

Re:Bad usernames too (4, Funny)

Anonymous Coward | more than 3 years ago | (#34573330)

Anytime I visit a site that wants a signup, I don't bother signing up.

Re:Bad usernames too (2)

oldspewey (1303305) | more than 3 years ago | (#34573384)

But what if you want to participate on a discussion board? (And don't worry, I'll wait 10 minutes until you're allowed to post your response AC).

Re:Bad usernames too (5, Funny)

Anonymous Coward | more than 3 years ago | (#34573566)

Look it didn't even take me three minutes to crack his account.

Re:Bad usernames too (0, Funny)

Anonymous Coward | more than 3 years ago | (#34573670)

You think that's secure? Well it took me just under sixty seconds to hack your account Mr. "Anonymous Coward". Now I'm going to spend the rest of the day on this site playing the fool and saying stupid things in your name.

Re:Bad usernames too (1)

mark72005 (1233572) | more than 3 years ago | (#34574012)

Personally, I keep an extra gmail account to sign up for websites that is only used for that purpose. My real email address is never entered into a signup form, only my spamtarget address.

I don't share passwords between my spam target email or accounts and my real life email and accounts.

But yes, the day I (sign up for and) am worried about a useless account like gawker getting cracked is the day I know that I truly have no life.

Re:Bad usernames too (3, Informative)

zwei2stein (782480) | more than 3 years ago | (#34573340)

Ever heard of http://www.bugmenot.com/ [bugmenot.com] ?

It's nifty, use that instead ...

Re:Bad usernames too (0)

Anonymous Coward | more than 3 years ago | (#34573538)

Bugmenot blacklists sites on demand, and other sites disable all logins listed on bugmenot pretty quickly. It still has the largest database of free logins. If bugmenot doesn't work, use one of these:
* http://freelogin.net
* http://bypass.rd.to
If none of these work, register an account with a throwaway email address (mailinator etc.) and share it on bugmenot and its clones.

Re:Bad usernames too (2)

clone52431 (1805862) | more than 3 years ago | (#34573586)

IMHO bugmenot is pretty much useless since (a) permitting websites to opt themselves out and (b) webmasters got savvy and started banning accounts listed on bugmenot.

Re:Bad usernames too (1)

Exry (1515287) | more than 3 years ago | (#34573374)

People aren't as smart as the average /.er. So the problem starts when other people believe that it is you who have written/said something on the web when you haven't. OK, I don't know if this is the case here with McDonald's and Gawker, but it surely is a problem if people get their Facebook or other social media accounts hacked. It can cause much confusion, and today many people have their employer(s) as friends there...

Re:Bad usernames too (2)

aardvarkjoe (156801) | more than 3 years ago | (#34573414)

There are several tools you can use to make the whole "required registration for everything" a little less annoying:

http://www.bugmenot.com/ [bugmenot.com] has usernames and passwords that people have submitted for a bunch of sites. Very handy when you want to read something in a web forum (or other site, but I've found forums to be the worst) that has really obnoxious registration requirements.

http://mytrashmail.com/ [mytrashmail.com] is an anonymous email service that lets you use a temporary email address, without requiring registration of any kind. It's good when you need to sign up for a website that insists on verifying your email address, so you don't have to risk giving them a useful address.

Finally, if you use a password manager (I've been using KeePassX, it's pretty good and cross-platform), then you don't have to remember passwords anymore, so there's no reason to use a weak password for anything. I don't have any idea what most of my passwords are.

Re:Bad usernames too (1)

clang_jangle (975789) | more than 3 years ago | (#34573582)

...use a password manager... I don't have any idea what most of my passwords are.

To me that's unacceptable. What happens when a bad update or a hardware failure renders your passwords inaccessible? But I guess most people are so dull they have no choice -- it's software or 123456, otherwise their pitiful little brains will be overwhelmed. No doubt this laziness and apathy is precisely why everyone will be chipped soon.

Re:Bad usernames too (1)

MareLooke (1003332) | more than 3 years ago | (#34573672)

Ever heard about...backups, Mr. Anderson?

Re:Bad usernames too (1)

TheRaven64 (641858) | more than 3 years ago | (#34573688)

What happens when a bad update or a hardware failure renders your passwords inaccessible?

That's what backups are for...

Re:Bad usernames too (1)

icebraining (1313345) | more than 3 years ago | (#34573844)

I have terrible memory, you insensitive clod. It has nothing to do with being lazy.

But I don't use password managers, I use an algorithm based password generator. I can recreate any password with a SHA-1 hasher.

Of course, I still have about 9 or 10 memorized passwords for important stuff (root accounts, bank, etc), but it would be completely impossible for me to remember the dozens of passwords for every random website that requires me to register.
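As an added example (not the poster's own generator, and not code from the thread), here is one way to build the "algorithm based" per-site password the comment above describes. It keys HMAC-SHA1 with a master secret and feeds it the site name, so every site gets a different, reproducible password and nothing needs to be stored. The second function shows the caveat a practitioner should keep in mind: if one derived password leaks (say, in a site dump) and the master secret is guessable, an attacker can recover the master offline and with it every other site's password. The master secret and site names below are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional


def derive_password(master_secret: str, site: str, length: int = 16) -> str:
    """Derive a per-site password from a master secret and a site label.

    HMAC-SHA1 keyed with the master secret over the normalised site label,
    base64url-encoded and truncated to `length` characters.  Deterministic:
    same master and site always give the same password.  This is an
    illustrative variant of the scheme, not the poster's exact construction.
    """
    if not 8 <= length <= 27:
        # A 20-byte SHA-1 tag yields 27 usable base64 characters.
        raise ValueError("length must be between 8 and 27")
    tag = hmac.new(
        master_secret.encode("utf-8"),
        site.strip().lower().encode("utf-8"),
        hashlib.sha1,
    ).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")[:length]


def recover_master(site: str, leaked_password: str,
                   candidate_masters: Iterable[str],
                   length: int = 16) -> Optional[str]:
    """Offline attack on the scheme above.

    Given one leaked derived password (e.g. from a breached forum) and a
    list of guesses for the master secret, return the guess that reproduces
    it.  Every guess costs one HMAC, so a weak master falls quickly and
    takes every other site's password with it.
    """
    for guess in candidate_masters:
        if hmac.compare_digest(derive_password(guess, site, length), leaked_password):
            return guess
    return None


if __name__ == "__main__":
    master = "correct horse battery"          # constructed sample master secret
    for site in ("gawker.com", "slashdot.org", "example.net"):
        print(f"{site:14s} {derive_password(master, site)}")
    leaked = derive_password(master, "gawker.com")
    # Constructed guess list standing in for a cracking wordlist.
    print("recovered master:", recover_master(
        "gawker.com", leaked, ["password", "letmein", "correct horse battery"]))
```

The derivation itself is sound as long as the master secret has real entropy; the design weakness is that the master is the single point of compromise and cannot be rotated for one site without changing it everywhere.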

Re:Bad usernames too (1)

mjeffers (61490) | more than 3 years ago | (#34573866)

It's not laziness, it's that the password system of authentication is fundamentally broken. You tell a person that they have to remember a long, unique, random string of characters that has no connection to anything they've done or anything about them in real life. They have to use a different one of these for each place they go to that requires a password and they have to change them frequently every few weeks/months. If you've got 10 sites you belong to and you change your password every month that's 120 random strings over the course of a year.

Remembering random strings that frequently change isn't something the human mind is made for. It's something computers are great at. It's a bad design decision that forces people to do a task that they aren't made to do. People are better (though still not great) at keeping physical tokens like keys and credit cards secure. Write your passwords on a card and keep it in your wallet. And don't bother using anything more secure than "password" or "12345" for sites like Gawker where the information you stand to lose is so low as to not be worth protecting.

Ironically, the most valuable thing most people lost in the Gawker hack was their passwords.

Re:Bad usernames too (1)

solaraddict (846558) | more than 3 years ago | (#34573892)

What happens when a bad update or a hardware failure renders the service (for which you have the account) inaccessible? What happens when electricity stops existing? What happens when the Martian lizard baby eaters who were behind the JFK assassination fake their moon landing in 2012? What happens when the sky falls on your head? In other words, problems can be solved by parts; trying to solve them in an all-or-nothing way as a single large interconnected hairy mother-of-all-problems blob only leads to hair loss.

Re:Bad usernames too (1)

horatio (127595) | more than 3 years ago | (#34573732)

Finally, if you use a password manager (I've been using KeePassX, it's pretty good and cross-platform), then you don't have to remember passwords anymore, so there's no reason to use a weak password for anything. I don't have any idea what most of my passwords are.

Yep. I use 1Password and have the encrypted file synced through dropbox to my iPhone and other systems. I really don't know what most of my passwords are anymore.

Re:Bad usernames too (1)

Anonymous Coward | more than 3 years ago | (#34573980)

I use 1Password ...

Well, that's one iota better than "Password1", but still...consider a different password ;o)

Re:Bad usernames too (1)

mcgrew (92797) | more than 3 years ago | (#34573848)

Yes, and it depends on the site as well. I use 111111 for newspaper sites, I have a strong password for slashdot simply because I like my user name and have excellent karma. I have an even stronger password for my computers.

Re:Bad usernames too (0)

Anonymous Coward | more than 3 years ago | (#34574018)

How come you didn't post this as an Anonymous Coward?

hard passwords just lead to post it's even more so (3, Insightful)

Joe The Dragon (967727) | more than 3 years ago | (#34573248)

hard passwords just lead to post it's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.

Re:hard passwords just lead to post it's even more (0)

Anonymous Coward | more than 3 years ago | (#34573302)

Am I the only one who found that post unintelligible?

Anyway - I use a very simple passwords, since I don't really care about this account. However, I'm the real Anonymous Coward - most of the others are just fakes who got into my account. As I said, I don't really care, pretty much anyone can get into this account.

Re:hard passwords just lead to post it's even more (3, Informative)

Vanderhoth (1582661) | more than 3 years ago | (#34573506)

I would assume he meant "post it's" as in people just write all their passwords down and stick them all over their PCs

Punctuation would have been useful

hard passwords just lead to post it's. Even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.

Re:hard passwords just lead to post it's even more (1)

trollertron3000 (1940942) | more than 3 years ago | (#34573702)

Man, thanks for that. I was like wtf cannot parse. Too much time thinking literally here in programming-ville.

Re:hard passwords just lead to post it's even more (2)

oliverthered (187439) | more than 3 years ago | (#34573976)

I think the problem was as follows.

the plural of 'post it's is not obvious, often I use quotes for plurals of nouns like that.

but then there's also this problem. the it's fits two ways, I've put two in below.

hard passwords just lead to 'post it's. It's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.

Re:hard passwords just lead to post it's even more (1)

oliverthered (187439) | more than 3 years ago | (#34573914)

unfortunately not....

a translation would be.

Where I worked they got you to change your password every few months or so, oh and forced you to use some odd characters etc...
Problem with these so called 'secure' passwords was that, well, no one could remember them.
So people ended up putting them on post-its, sharing the admin password around or putting a number on the end and incrementing it every time.

Otherwise, well after 3 goes of a password that's so secure even you can't remember it, it's a 2 hour wait and phone call getting your passwords reset and stuff setup again.

Re:hard passwords just lead to post it's even more (1)

Tim C (15259) | more than 3 years ago | (#34573814)

There's nothing wrong with writing down important passwords, as long as you protect the bit of paper.

For example, if I write down my password for my domain account at work and put the piece of paper in my wallet, the password would be the least of my worries if my wallet went missing.

Re:hard passwords just lead to post it's even more (0)

Anonymous Coward | more than 3 years ago | (#34574000)

I've seen systems set up so you have to change your password every month with a 2-week warning period (i.e. it starts nagging you every 2 weeks), which required a 12 character password with upper-case and lower-case letters, numbers, and non-alphanumeric characters. Plus, it wouldn't let you repeat any of your last 14 passwords.

Along with people keeping the password written down right next to their computers, they came up with passwords like "1234567Aa!01". When that user had to change the password, they'd use "1234567Aa!02". When they hit "1234567Aa!14", they'd start over.

Offtopic but please help (-1, Offtopic)

metrix007 (200091) | more than 3 years ago | (#34573262)

I appear to have broken slashdot.

My stories now load in a way that I have to click "More" a few times to get all comments.

Is there any way to have them load all comments by default, and is there any way to have it set that the majority of comments are abbreviated by default?

I want to do this with D2, and at least comments were fully expanded a few days ago before I broke it so it is possible....

I know I shouldn't post here but there isn't exactly a tech support line....any help appreciated!

Re:Offtopic but please help (1)

Culture20 (968837) | more than 3 years ago | (#34573424)

Agree here. Also try using that slider bar thing with a touchscreen. No hidden posts for you.

Re:Offtopic but please help (1)

clone52431 (1805862) | more than 3 years ago | (#34573652)

Go to http://slashdot.org/my/comments [slashdot.org] , turn off D2, Save, then Restore Defaults, re-customize the options on that page, Save, and then re-enable D2 and Save again. Might help.

Re:Offtopic but please help (2)

Tteddo (543485) | more than 3 years ago | (#34573698)

Presuming it was working the way you wanted before, log out, delete all your SlashDot cookies, then log back in. I have to do that every couple of months since the CSS makeover. Last time I was horrified to see Facebook "like" icons! *shudder*

Re:Offtopic but please help (1)

clone52431 (1805862) | more than 3 years ago | (#34573750)

I’ve adblocked Facebook’s content on non-Facebook sites.

And you might also try what I suggested to metrix007 in my other comment, next time /. breaks, if it’s a recurring problem for you. I had something screwy with my account that your method didn’t fix, and none of the controls in the D2 system would fix (that /my/comments page isn’t accessible from within D2).

Re:Offtopic but please help (1)

eleuthero (812560) | more than 3 years ago | (#34574016)

speaking of adblock, (and yes, this is somewhat offtopic, and if someone wants to waste mod points on a nested comment so far down, kudos to you), have you noticed that more ads seem to be getting through on Chrome lately? Is this a "feature" of the browser or is this isolated to me (likely user error or some such)?

If you eliminate all the weak passwords (-1)

Anonymous Coward | more than 3 years ago | (#34573278)

By blocking ones less than 8 characters, without numbers, without uppercase letters, without symbols then all that's left for someone to brute force is the 'strong' passwords.

I hate when some lousy Web 2.0 service I feel the need to use once forces me to make an account with an 8 character password requirement and some other silly rules; I don't care if my account on some stupid website gets hacked. An account on such a site has practically 0 value to me. I'd use a 3-character one if they'd let me.

people write down hard passwords (4, Insightful)

alen (225700) | more than 3 years ago | (#34573286)

One time I worked at a place where every 6 months they would randomly change your password to a random 8 letter string of letters, numbers and a special character. And your username was some cryptic combination of initials, numbers and department. Needless to say most people would keep a copy under the keyboard. Meanwhile the admins thought they were James Bond with their cool security.

Re:people write down hard passwords (0)

Anonymous Coward | more than 3 years ago | (#34573410)

Our security research group estimates everyone has to remember 8-10 unique passwords (or told to keep unique) for work. IT policy states each password needs to be:

- 12 characters long
- mix of digits, letters (at least 1 upper case)
- must have at least 1 special character (i.e. !#*$, etc.)
- no words
- can't be one you used in the last 8 passwords
- changed every 90 days

So yeah, people write down passwords. To think they don't is foolish.

Re:people write down hard passwords (1)

Chanc_Gorkon (94133) | more than 3 years ago | (#34573498)

Or keep it in an unencrypted spreadsheet.

Re:people write down hard passwords (1)

Cro Magnon (467622) | more than 3 years ago | (#34573650)

Or keep it in an unencrypted spreadsheet.

And name it "passwords.xls".

Re:people write down hard passwords (2)

clone52431 (1805862) | more than 3 years ago | (#34573768)

Or keep it in an unencrypted spreadsheet.

And name it "passwords.xls".

And put it in My Documents, which they’re sharing on Limewire.

Re:people write down hard passwords (1)

Geoffrey.landis (926948) | more than 3 years ago | (#34573722)

If only all the systems would have the same requirements for passwords, I would be able to deal with even those requirements, and come up with a system that gives me a different password on every system.

Unfortunately, the systems are all different. One system I log into says I have to begin and end with a letter. Another says I CAN'T end with a letter or number. Another says I have to include a symbol character, but not at the beginning or end, and only from the set of nine symbols !@#$^&*() --OK, so why not %? Why not or ? Another system says I have to --

I can't come up with a system, because so far EVERY system I've come up with gets broken by one or another "requirement" for what's not allowed.

Re:people write down hard passwords (0)

Anonymous Coward | more than 3 years ago | (#34573880)

... and the problem with these rules is: they make cracking passwords easier, since now you have the 'syntax', you can eliminate all that doesn't fit the 'syntax'
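The point made above can be quantified. As an added example (not from the thread), the code below counts, by inclusion-exclusion, how many passwords of a given length over the 94 printable non-space ASCII characters contain at least one character from every required class, and compares that to the unconstrained keyspace. A brute-force enumeration over a deliberately tiny alphabet is included to confirm the formula. Class definitions and the sample policies are constructed for the example.

```python
import math
import string
from itertools import combinations, product
from typing import Dict, Sequence

# Character classes as most "complexity" policies define them.
REAL_CLASSES: Dict[str, str] = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
REAL_SIZES = {name: len(chars) for name, chars in REAL_CLASSES.items()}  # 94 total


def meets_policy(pw: str, classes: Dict[str, str], required: Sequence[str]) -> bool:
    """True if pw contains at least one character from each required class."""
    return all(any(c in classes[name] for c in pw) for name in required)


def count_meeting_policy(length: int, sizes: Dict[str, int],
                         required: Sequence[str]) -> int:
    """Number of strings of `length` over the union alphabet that satisfy the
    policy, by inclusion-exclusion over the set of classes that are missing:
        sum over S subset of required of (-1)^|S| * (A - |chars in S|)^length
    where A is the size of the whole alphabet.
    """
    alphabet_size = sum(sizes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet_size - sum(sizes[name] for name in missing)
            total += (-1) ** k * remaining ** length
    return total


def count_by_enumeration(length: int, classes: Dict[str, str],
                         required: Sequence[str]) -> int:
    """Exhaustive check of the formula; only feasible for toy alphabets."""
    alphabet = "".join(classes.values())
    return sum(
        1 for chars in product(alphabet, repeat=length)
        if meets_policy("".join(chars), classes, required)
    )


def bits_removed(length: int, sizes: Dict[str, int], required: Sequence[str]) -> float:
    """How much of the keyspace (in bits) the policy hands to an attacker who
    knows the rules and skips every candidate that cannot satisfy them."""
    full = sum(sizes.values()) ** length
    allowed = count_meeting_policy(length, sizes, required)
    return math.log2(full / allowed)


if __name__ == "__main__":
    policy = ["lower", "upper", "digit", "symbol"]
    for n in (8, 12):
        full = 94 ** n
        allowed = count_meeting_policy(n, REAL_SIZES, policy)
        print(f"length {n}: {allowed / full:.3f} of the keyspace is policy-compliant, "
              f"{bits_removed(n, REAL_SIZES, policy):.2f} bits removed")
```

The reduction for an all-four-classes rule at length 8 is well under one bit, so the "syntax" itself barely helps an attacker; the real damage is that users respond to the rule with patterns like the incremented "1234567Aa!01" described earlier, which shrink the effective keyspace far more than the rule does.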

Re:people write down hard passwords (2)

Vanderhoth (1582661) | more than 3 years ago | (#34573918)

So what's harder to crack, a Secure password you've described above written on a sticky note stuck to a monitor or under a keyboard or a slightly less secure password most people can remember?

We have similar password requirements where I work, only you can't reuse a password within the last 14 passwords and it's changed every 3 months. I manage several databases, have 10 different application accounts, 3 HR accounts (for requesting time off, training and such), 3 e-mail accounts and at least four web forum accounts. All with different user names and password requirements.

Unfortunately I've had to resort to writing everything down. I keep them locked up, but all it would take is for me to pull them out to log in to a system and get distracted and forget to put them away. Many of the people in my office just write their new passwords on post-it notes and stick them to their monitors. I've commented on it before and was promptly told to STFU and mind my own business.

It's gotten to the point that I'm just refusing to use accounts that have ridiculous requirements. I'm no longer using the HR Training forum because they require a 16 character, no real words, non-repeating character, mixed case, alphanumeric with special characters password that must be changed every 30 days. That's just to look at what courses are being made available to my group; there's a separate site and account I have to log on to in order to request training that may or may not be listed on the former site. I sent the group in charge of the courses site an e-mail explaining why I wouldn't be using their site and they tattled to the section head, who had never used the site before. After he tried to create an account and understood why I was refusing to use it he replied to them with an e-mail starting with "I'm going to make this as politically correct as I can, but..."

What I believe it boils down to is the managers of a site need to evaluate what information is being made available on their site and what level of security is necessary. For forums like /. I would say a low security password of at least 3 characters would be sufficient. I'd consider a bank account a high security password, which should have more restrictive conditions placed on it.

Re:people write down hard passwords (5, Insightful)

hey! (33014) | more than 3 years ago | (#34573436)

Actually having a hard password and writing it down is not such a bad idea. It's leaving the password under the keyboard that's a bad idea.

Look at this this way. That guy driving a Ferrari around town unlocks it with a key that *anyone* can use. It's reasonably safe, however, because he keeps the key in his pocket.

Of course, wallets get stolen. So what you do is this: you generate a strong eight character password, print it on a laminated card and keep it in your pocket. You choose a memorable six character password and keep it in your head. Then concatenate the two to form your working password. That's poor man's two factor security.

Re:people write down hard passwords (1)

oldspewey (1303305) | more than 3 years ago | (#34573570)

So what you do is this: you generate a strong eight character password, print it on a laminated card and keep it in your pocket.

I'd say that between all the sites/resources I use that enforce periodic password changes, I am forced to create at least one new password every 3-4 weeks. That's a lot of printing and laminating.

Re:people write down hard passwords (1)

mdarksbane (587589) | more than 3 years ago | (#34573772)

So write it on a scrap of paper and stick it in your pocket. If it isn't meant to last more than 4 weeks a scrap of printer paper will last plenty long enough.

160 seconds? Windows? Bad example (5, Interesting)

fahlenkp (1939942) | more than 3 years ago | (#34573336)

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?

Re:160 seconds? Windows? Bad example (3, Insightful)

Culture20 (968837) | more than 3 years ago | (#34573472)

The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP.

I'm sure you've noticed from your logs that brute force attempts are made from botnets now too? A lot harder to block.

Re:160 seconds? Windows? Bad example (1)

gparent (1242548) | more than 3 years ago | (#34573530)

Yeah, they've been trying to bruteforce my RSA key for a while now. Oops.

Re:160 seconds? Windows? Bad example (1)

Exry (1515287) | more than 3 years ago | (#34573554)

Why not just block the account rather than the sources of the login-attempts?

Re:160 seconds? Windows? Bad example (1)

AntiNazi (844331) | more than 3 years ago | (#34573726)

Opens the door to a trivial denial of service by just spamming x number of bad logins per y amount of time for all (or some number of) usernames.

Re:160 seconds? Windows? Bad example (0)

Anonymous Coward | more than 3 years ago | (#34573824)

Because that would make denial of service attacks trivial to pull off. Businesses can't afford that. It would be more secure, but having huge swaths of your customers locked out of your system because bots around the world keep trying to hack their accounts would drive your customers away in droves.

Re:160 seconds? Windows? Bad example (1)

Z00L00K (682162) | more than 3 years ago | (#34573574)

Sure, but many of the bots are running the same password list, and if you block an IP address after a certain number of connections you will make it harder to penetrate your server.

Re:160 seconds? Windows? Bad example (2)

fahlenkp (1939942) | more than 3 years ago | (#34573638)

A little harder to block, yes I would agree, however even a botnet of 1 million computers all active on my pathetic site can only guess 5 million per hour. I would love to see your logs that are a clear show of botnet force. Doesn't happen to my company's webservers. (knock on wood) Still a long time until the example password gets cracked. So at the heart of this question- are strong passwords like "Fgpyyih804423" worthless because an old NTLM hash cracker with precalculated tables can hit it in 160 seconds? Absolutely not. The example does not belong in the article.

Re:160 seconds? Windows? Bad example (2)

Lloyd_Bryant (73136) | more than 3 years ago | (#34573572)

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?

You missed the point of using rainbow tables in the first place. It's not about brute force guessing a password - any system that's still vulnerable to that sort of attack should have the admin taken out and shot. It's in the case where an attacker gets hold of the file containing *hashed* passwords, and wants to work out what passwords correspond to those hashes (which is what happened in this case).

Windows, Linux, whatever - if a file of hashed passwords can be obtained, and those hashes aren't salted, then they are vulnerable to a rainbow table attack. They probably just used Windows as an example because there are so many attack tools written specifically for the hashes employed by the folks in Redmond.

Not really (2)

Sycraft-fu (314770) | more than 3 years ago | (#34573830)

The problem is rainbow tables quickly get too large to be of practical use, and take too long to generate. This fast cracking is again people banging on about old LM passwords. The old 3com/MS LanMan OS used a really weak hashing system. Passwords were limited to 14 characters in length, and were case insensitive. Further, they were stored as two 7-character hashes. Windows versions prior to Vista stored these LM hashes by default unless you changed the security settings or used a password longer than 14 characters. Ok well generating a rainbow table for that is pretty easy, and you can go and download them online. An alphanumeric table is only like 2GB and it covers the entire possible PW size from 1-14.

Ya well you don't get so lucky with newer hashes. If you use MD5, which many OSes do (that is also what NTLMv2 is based on) a table that can do only lowercase alpha and space passwords from length 1-9 is 52GB. That means if the password is over 9 characters, or has a capital letter or a number or a special character it is fucked.

People love to bang on about how cool Rainbow tables are at cracking even complex passwords, and they are always doing it against LM hashes it seems. Reason is it is easy. Fine but that doesn't matter. Want to try yourself? Ok fire up your favourite rainbow table program and have a go at this: f01889f696f2b20192b8ba7522481a98. I'll even give you the parameters: It is an MD5 hash, no salt, the password is an English phrase, any human can read it no problem. It is more than 20 but less than 30 characters in length.

Try any table you like, I've never seen the one that can handle it, and it is a simple password, relatively speaking. It isn't some randomly generated garbage, it is meant to be human readable.

All rainbow tables have really done is made cracking short, simple passwords fast. Fine, but that isn't really all that intensive anyhow. You can crack LM passwords in less than 24 hours on modern hardware, no tables. They are cool, but they don't really change anything. They don't allow for this "We have a table that cracks any hash no matter how long," kind of thing. Not only would such a table take a stupid amount of disk space, but it would take far too long to generate it. Even if you said "Sure we can spare 100EB of storage for a massive table!" what you can't spend is the thousand years it'd take to make it.
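The two comments above (Lloyd_Bryant on why unsalted hash files are the target, Sycraft-fu on why tables stop scaling) are easier to follow with the construction in front of you. The block below is an added example, not code from the page, the article it links or any of the posters: a miniature rainbow table over a toy keyspace (4-character lowercase passwords, unsalted MD5, chains of 100) chosen small enough to build in a couple of seconds. The chain length, chain count, alphabet and the salt value "8f3a" are all assumptions for the demo.

```python
import hashlib
import random
import string

# Toy parameters (assumptions for the demo): 4-character lowercase passwords hashed
# with unsalted MD5, 26**4 = 456,976 candidates, and chains of 100 hashes. A real
# table is the same construction with a far larger keyspace, chain length and count.
ALPHABET = string.ascii_lowercase
LENGTH = 4
CHAIN_LEN = 100
KEYSPACE = len(ALPHABET) ** LENGTH


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def reduce_hash(digest_hex: str, step: int) -> str:
    """Map a digest back to a candidate password. Mixing in the column index gives
    each column its own reduction function, which is what keeps chains from merging
    as badly as in the older Hellman-style tables."""
    n = (int(digest_hex, 16) + step) % KEYSPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_table(num_chains: int, seed: int = 1) -> dict:
    """Only the (end -> start) pair of each chain is stored; that is where the space
    saving comes from. Everything in between is recomputed at lookup time."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(LENGTH))
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), step)
        table.setdefault(pw, start)
    return table


def lookup(table: dict, target_hex: str):
    """Assume the target sits in column `col`, regenerate the chain tail from there,
    and if the resulting endpoint is known, replay that chain from its start."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target_hex, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), step)
        start = table.get(pw)
        if start is None:
            continue
        pw = start
        for step in range(CHAIN_LEN):
            h = md5_hex(pw)
            if h == target_hex:
                return pw
            pw = reduce_hash(h, step)
    return None


def salted_hex(salt: str, password: str) -> str:
    """Per-user salt prepended before hashing. The table was built without it, so the
    digest is of a string that lies outside the table's keyspace entirely."""
    return md5_hex(salt + password)


if __name__ == "__main__":
    table = build_table(2000)
    end, start = next(iter(table.items()))
    print("unsalted:", lookup(table, md5_hex(start)))           # recovers start
    print("salted:  ", lookup(table, salted_hex("8f3a", start)))  # None
```

Two thousand chains of 100 cover only part of the 456,976-word keyspace (chains merge, so coverage is well under 200,000), which is why the demo looks up the hash of a word it knows is on a chain. The same partial coverage, scaled up, is the 52GB-for-nine-characters figure above: storage grows with the keyspace divided by the chain length, and lookup time grows with the chain length squared. Salting makes the attacker rebuild the whole table per salt value, which is why a per-user random salt kills the approach.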

Re:160 seconds? Windows? Bad example (1)

abolitiontheory (1138999) | more than 3 years ago | (#34573590)

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?

Right, but the issue is, they weren't cracking over an IP. They made off with a hash file. This is why system-level security is more important than user-level security. The problem isn't that the users had weak passwords, it's that Gawker's servers were compromised. Now the hackers don't have to worry about IP auth denial.

A hacker making off with a hash file is like a thief making off with your portable safe. Sure, it's fire proof and has a padlock, but he has all the time in the world now, in a safe environment, to gain access to your personal documents.

The bigger question is, why were your doors unlocked?

Weak passwords and fake information for meaningless sites, stronger passwords for financial and personal sites. Differentiation is the key, not complexity.

Re:160 seconds? Windows? Bad example (1)

jimicus (737525) | more than 3 years ago | (#34573654)

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP.

Any attacker worth their salt won't carry out the attack directly themselves, they'll instruct a botnet of 20,000 PCs to make 3 attempts each and log any that come back as working.

Re:160 seconds? Windows? Bad example (1)

trollertron3000 (1940942) | more than 3 years ago | (#34573766)

The example was supposed to show how a brute force effort can be made if a cracker has a set of hashed passwords. Guess it flew over your head because you heard Windows and went into YEAH BUT LINUX mode. It was supposed to show why a salt is so important, which you obviously understand, yet you missed the point of the article.. hrm. Strange. If a cracker has your auth database with the hashes then they can brute force easily. That was the point.

Unrealistic time to crack a password? (4, Insightful)

GreatBunzinni (642500) | more than 3 years ago | (#34573394)

The Coding Horror article claims that that given password was "cracked" in 160 seconds with a cracker kit but it fails to claim that it is a brute force attack where the attacker has physical access to the system (the cracker software is a bootable DVD, for fuck's sake). Meanwhile, in the real world, this sort of attack is practically impossible to pull off from any site which has any semblance of security. I mean, you only need to place a delay of a fraction of a second between login attempts to drive the time needed to "crack" the login/password combo to months, if not years. Adding to that the fact that it has become pretty much standard for sites to simply block any login attempt after N failed attempts then this reference to this so called cracking software goes from irrelevant to pathetic.

Re:Unrealistic time to crack a password? (1)

Xenna (37238) | more than 3 years ago | (#34573556)

That was a rainbow table attack. A way of cracking password hashes by having all possible character combinations and their corresponding hashes in a huge precomputed table. You need access to the password hashes for that and the security system needs to be badly designed. Rainbow tables are easily defeated by using large salt values that would require the rainbow tables to be not simply huge but impossibly huge.

http://en.wikipedia.org/wiki/Rainbow_table [wikipedia.org]

Re:Unrealistic time to crack a password? (2)

Spy der Mann (805235) | more than 3 years ago | (#34573564)

In addition to salting the password, I design my systems to sleep for one second after each failed password attempt, and for 3 seconds before booting the guy off. That should take care of brute force attacks.

Re:Unrealistic time to crack a password? (1)

anegg (1390659) | more than 3 years ago | (#34573594)

Hash table-based password attacks depend on having access to the hashed password value; they are not used in a brute-force front-door attack. The article should have been clear about this, as it is essentially pointing out that passwords aren't safe from discovery if the password database itself has been taken, even though the password values are hashed.

From a belt-and-suspenders security viewpoint, it is reasonable to want the database of hashed password values to be secure against "reversing" the hash to obtain the original password values, which can then be used for an unauthorized login.

If the article had made clear the particular vulnerability it was identifying, it would be a good discussion about how to make such a database of hashes more secure (for example, using a random salt value for each password in the password database is a highly effective defense against the use of pre-computed hash tables of every possible password character combination - at least for now).

So no, the approach in the article doesn't work against the front door, when standard login failure counts, retry limits, and retry delays already blunt brute force attacks. But it does work against stolen password hash values, which in some cases might not be protected as well as one thinks (especially if it is thought that the hashed values aren't particularly useful for a cracker).

Re:Unrealistic time to crack a password? (1)

Anonymous Coward | more than 3 years ago | (#34573704)

Yes and no. Brute forcing over a network generally is not attempting to log in 500 times, any more than the Ophcrack bootable CD is run while Windows is open. The brute force is done against the encrypted store of passwords, which in Gawker's case was stolen and copied locally. Once that security is compromised then the brute force attacks can be run as fast as the hacker's CPU will allow.

It was also being done against an LM hash (2)

Sycraft-fu (314770) | more than 3 years ago | (#34574056)

Which is extremely weak. Now I'll grant you it could be an issue: If someone gets access to your system and your SAM file and if you are running XP or earlier and if your password is 14 characters or less then there will be an LM hash. Vista or 7? No LM hash by default. Longer password? No LM hash (as LM is limited to 14 characters).

So let's say this password was on 7 instead. Ok so it is 13 characters and uses upper, lower and numeric. Surf over to Ophcrack's site and... no tables that could get it. Their largest Vista table, 137GB, only does 8 character passwords, so it is too long. They have one that does 12 character passwords, but only numeric. Same deal at Freerainbowtables.com. They've got a 453GB NTLM table that'll do mixed case and numeric but only up to 8 characters.

So with a modern hash, even with no salt, that password is just fine.

Well what if you are running XP? For one you can just turn off LM hashes but suppose you don't want to. Fine, just make a simple phrase. "OrphCrack is 2 stupid 4 this 1." would be a password that none of their tables could handle. It is over 14 characters, so no LM hash gets stored. It is also way too long, even if they doubled the length of their tables (and remember each character is exponentially harder than before, requires exponentially more space and time to make the table) it wouldn't touch it.

This is just people trying to make a scare story where there is no story. Yes rainbow tables can crack passwords in their range really fast provided they have the hash file and it isn't salted. Don't use a short password and you are good. Long passwords aren't hard, just make it a phrase of some kind. Given that the best tables are just eking in at maybe 9 characters, I wouldn't worry about the future if your password is 15+. Be a long ass time before that is a problem.
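The two Sycraft-fu comments above rest on keyspace arithmetic: LM hashes two independent 7-character halves of an uppercase-folded password, so the attacker's work is roughly 2 * n^7 rather than n^14, and a modern hash of the same 13-character password is a different order of magnitude again. The calculator below is an added example (not from the page or any poster) that makes those comparisons explicit and also separates the online and offline cases fahlenkp and fuzzyfuzzyfungus discuss. The online rate is the 5 million guesses per hour figure fahlenkp quotes; the offline rate of 1e9 hashes per second is an assumption for an unsalted fast hash on GPU-class hardware, and the character-class names are this example's own.

```python
import string

# Character classes a password policy can name; sizes come from the real sets.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
    "space": " ",
}

# Rates are assumptions for the comparison: fahlenkp's 5 million guesses per hour for
# the online case, and a round 1e9 hashes per second for an unsalted fast hash offline.
ONLINE_PER_SEC = 5_000_000 / 3600
OFFLINE_PER_SEC = 1_000_000_000


def charset_size(classes):
    return len(set("".join(CHARSETS[c] for c in classes)))


def keyspace(classes, min_len, max_len):
    """Number of candidates of every length from min_len to max_len inclusive."""
    n = charset_size(classes)
    return sum(n ** length for length in range(min_len, max_len + 1))


def lm_keyspace(classes):
    """LM folds the password to uppercase, pads it to 14 bytes and hashes the two
    7-byte halves independently, so each half is attacked alone: 2 * sum(n^L, L=0..7)
    candidates (the empty, all-padding half included), not n^14."""
    folded = sorted(set("upper" if c == "lower" else c for c in classes))
    return 2 * keyspace(folded, 0, 7)


def seconds_to_exhaust(candidates, rate_per_sec):
    return candidates / rate_per_sec


def report(classes, length):
    """Worst-case hours to walk the whole keyspace of one exact length in each setting."""
    full = keyspace(classes, length, length)
    out = {
        "candidates": full,
        "online_hours": seconds_to_exhaust(full, ONLINE_PER_SEC) / 3600,
        "offline_hours": seconds_to_exhaust(full, OFFLINE_PER_SEC) / 3600,
    }
    if length <= 14:  # only then does an LM hash exist alongside the NT hash on XP
        lm = lm_keyspace(classes)
        out["lm_candidates"] = lm
        out["lm_offline_hours"] = seconds_to_exhaust(lm, OFFLINE_PER_SEC) / 3600
    return out


if __name__ == "__main__":
    # The summary's example: 13 characters, upper, lower and digits.
    for key, value in report(["lower", "upper", "digit"], 13).items():
        if isinstance(value, float):
            print(f"{key:>18}: {value:,.3g}")
        else:
            print(f"{key:>18}: {value:,}")
```

Run it and the shape of the argument is visible: the same 13-character password that is a multi-year job even offline against a full 62^13 keyspace collapses to a couple of hundred seconds of offline work once the LM split and case folding apply, which is the regime the Ophcrack number lives in, while the online figure with any rate limit at all is astronomically larger still. Passphrases over 14 characters get the LM hash dropped entirely, which is the point of the "OrphCrack is 2 stupid 4 this 1." suggestion above.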

Passwords are stupid (5, Insightful)

betterunixthanunix (980855) | more than 3 years ago | (#34573400)

Passwords are a very poorly designed security mechanism, yet no matter how many times this is pointed out, people still seem to think that the solution is to educate users about password security. Human brains just do not generate or remember random strings very well, and it is ludicrous to expect users to do so. Of course, passwords will always be around because password based systems are convenient.

Re:Passwords are stupid (1)

Chanc_Gorkon (94133) | more than 3 years ago | (#34573544)

And cheap.

Re:Passwords are stupid (0)

Anonymous Coward | more than 3 years ago | (#34573806)

I'd certainly like to hear about your replacement idea.

You're doing it wrong. (1)

Ihlosi (895663) | more than 3 years ago | (#34573878)

Human brains just do not generate or remember random strings very well,

If you keep your password in your brain by remembering a random string, you're either a genius or you're doing it wrong.

The brain is bad at remembering random strings, but it's excellent at remembering sequences of movements, like the one necessary to type those random strings. If you wanted to know one of my passwords, I'd have to ask you for a keyboard first.

Re:You're doing it wrong. (1)

Vanderhoth (1582661) | more than 3 years ago | (#34574008)

A sequence of movements is great until you're required to change your password every 30-60 days. At which point by the time I get the sequence down so I don't need to remember the password it's changed and I have to learn a new one.

That method works well with some things, like phone numbers. I can't remember my wife's cell number so I have an excuse not to give it out to people, but I can still dial it when I have to call her.

Re:Passwords are stupid (1)

at_slashdot (674436) | more than 3 years ago | (#34573884)

PIN numbers for debit cards are only 4 digits and they work pretty well. The problem doesn't seem to be the password but the system that allows too many automatic tries. There's a problem with denial of service, but there are solutions for that....

Re:Passwords are stupid (1)

MobyDisk (75490) | more than 3 years ago | (#34573970)

Agreed. Passphrases solve these problems, and cost nothing to implement. Yet most systems still insist on passwords 10 characters or some other such nonsense.

Re:Passwords are stupid (0)

Anonymous Coward | more than 3 years ago | (#34574030)

They aren't convenient, they are the only choice right now. Fingerprint scanners are too easy to fool, so they aren't currently an option. And imagine trying to implement such a thing across the internet for every site? And all the problems that come with that? Good bye anonymity. And if someone does hack it, every system everywhere would be screwed because you can't even reset your security system ("Sorry users, due to a hacking attempt against our system we are requiring everyone to change their fingerprints".)

We need an alternative, but I have no idea what that would look like.

Password lock outs (1)

Rik Sweeney (471717) | more than 3 years ago | (#34573460)

the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker

I've noticed that some websites will lock you out for 5, 10 or 15 minutes if you get the password wrong too many times in a row. That might slightly deter the hacker.

Although they might simply start hacking other accounts and simply cycle through them...
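The thread keeps circling the same three mechanisms: per-IP blocking (Z00L00K), per-account lockouts with their denial-of-service cost (the first comment above, Rik Sweeney), and attackers who spread guesses across a botnet (jimicus) or across accounts (Rik Sweeney). The simulation below is an added example, not code from the page or from any poster, that runs constructed attempt streams for each attack shape through a guard with both counters. The limits (5 failures per IP, 10 per account, in a 10-minute window, 15-minute lockout), the addresses and the account names are assumptions for the demo.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Two independent failure counters: per source IP and per target account.
    Limits and windows are assumptions chosen for the demo, not any site's policy."""

    def __init__(self, ip_limit=5, account_limit=10, window=600.0, lockout=900.0):
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds an account stays locked once tripped
        self._ip_fail = defaultdict(deque)
        self._acct_fail = defaultdict(deque)
        self._acct_locked_until = {}

    @staticmethod
    def _prune(q, now, window):
        while q and q[0] <= now - window:
            q.popleft()

    def check(self, ip, account, now):
        """Verdict before the password is even looked at."""
        if now < self._acct_locked_until.get(account, 0.0):
            return "account_locked"
        q = self._ip_fail[ip]
        self._prune(q, now, self.window)
        if len(q) >= self.ip_limit:
            return "ip_blocked"
        return "allow"

    def record_failure(self, ip, account, now):
        self._ip_fail[ip].append(now)
        q = self._acct_fail[account]
        q.append(now)
        self._prune(q, now, self.window)
        if len(q) >= self.account_limit:
            self._acct_locked_until[account] = now + self.lockout
            q.clear()


def run(guard, attempts):
    """attempts: (time, ip, account, password_is_correct). Returns outcome counts."""
    counts = defaultdict(int)
    for t, ip, account, ok in attempts:
        verdict = guard.check(ip, account, t)
        if verdict != "allow":
            counts[verdict] += 1
        elif ok:
            counts["success"] += 1
        else:
            counts["failure_seen"] += 1
            guard.record_failure(ip, account, t)
    return dict(counts)


def scenarios():
    """Constructed attempt streams, one per attack shape discussed in the thread."""
    one_ip = "198.51.100.7"
    results = {}
    # 1. One IP, one account, 100 wrong guesses a second apart.
    results["single_ip"] = run(LoginGuard(), [(i, one_ip, "alice", False) for i in range(100)])
    # 2. Spraying: one IP cycles through 100 accounts, one guess each.
    results["spray"] = run(LoginGuard(), [(i, one_ip, f"user{i}", False) for i in range(100)])
    # 3. Botnet: 50 sources make 3 guesses each against alice; alice herself logs in at t=200.
    bots = [(i, f"10.0.0.{i // 3}", "alice", False) for i in range(150)]
    results["botnet"] = run(LoginGuard(), bots + [(200, "203.0.113.9", "alice", True)])
    # 4. Distributed spray: 100 sources, one guess each, against 100 different accounts.
    results["distributed_spray"] = run(
        LoginGuard(), [(i, f"10.0.1.{i}", f"user{i}", False) for i in range(100)])
    return results


if __name__ == "__main__":
    for name, counts in scenarios().items():
        print(f"{name:>18}: {counts}")
```

The four outcomes are the thread's argument in numbers. The per-IP counter stops the single-source attack and the single-source spray after five guesses, but never trips for the botnet, whose sources stay under the limit. The per-account counter is what stops the botnet, and it does so by locking alice out: her own correct login at t=200 is refused, which is exactly the denial-of-service cost the first comment above warns about. The distributed spray trips neither counter; catching that needs a site-wide failure rate or anomaly signal, not a per-key limit. None of this touches the offline case, where the attacker has the hash file and no guard runs at all.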

my password (1)

theblackarrow0 (1695326) | more than 3 years ago | (#34573464)

Wow I guess "mEginf0xnude0" wouldn't last very long?

This is why... (5, Funny)

RivenAleem (1590553) | more than 3 years ago | (#34573466)

12345 has always worked for me, on every site I've used. Some sites require a 6, and some even 7 and 8. I've never been hacked once!

I'd also like to add that I'm a giant douche and a poopy-head!

Re:This is why... (0)

Anonymous Coward | more than 3 years ago | (#34573598)

I gotta change the combination on my luggage!

Re:This is why... (1)

Modeverything (1960202) | more than 3 years ago | (#34573954)

12345?

That's amazing! I've got the same combination on my luggage!

Why have an account anyway? (1)

rreay (50160) | more than 3 years ago | (#34573468)

The Gawker staff accounts are a different issue, but forcing you to have an account just to comment caused a lot of this problem.

I used one of these accounts once to post a comment and don't even remember the password. It's probably a crap password but because I don't remember it I needed to change everything else. Thanks Gawker

Lots of bad password advice out there (3, Interesting)

ron_ivi (607351) | more than 3 years ago | (#34573486)

This was one of the best password articles I've seen.

I think the worst advice I've seen is when people recommend using some algorithm to make long painful "good" passwords that are variations of each other.

Someone who uses:
      mysecr1tword4gawker.com
for fun and
      mysecr1tword4mybank.com
for their bank isn't that much safer than if they had just used the same password for both.

Much better to use throwaway ones for sites like gawker; and truly random ones for banking.

IMHO OpenID is the best idea. You only need to put your trust in 1 identity provider - where it's worth the effort to set up a good password and 2-factor auth (easy to do for $0 at myopenid.com, and for a few bucks at Verisign's openid provider); rather than needing to trust every site you come across.

Re:Lots of bad password advice out there (1)

pnuema (523776) | more than 3 years ago | (#34573846)

Why is that algorithm a bad idea? It is certainly safer than using the same password for both. Bonus points if you add other algorithmic goodness (capitalize the 2nd vowel in the site name, replace the third letter with a number, etc...). Look, I need a password to log into my bank. My newspaper. My email. My blog. My kid's school. I actively use dozens of passwords. Algorithms like this are certainly no worse than writing everything down, and are certainly better than using the same password for everything.

Re:Lots of bad password advice out there (1)

Geoffrey.landis (926948) | more than 3 years ago | (#34573972)

I think the worst advice I've seen is when people recommend using some algorithm to make long painful "good" passwords that are variations of each other.

Someone who uses:
      mysecr1tword4gawker.com
for fun and
      mysecr1tword4mybank.com
for their bank isn't that much safer than if they had just used the same password for both.

If passwords were cracked by humans, like in the movies, with one very intelligent person focussing on one password: true.

However, passwords are not cracked by humans, they're cracked by algorithms. Do the algorithms calculate "delete the string gawker.com and substitute the string mybank.com and then try this on all the possible banks where the target might have an account"? Dubious.

...IMHO OpenID is the best idea. You only need to put your trust in 1 identity provider - where it's worth the effort to set up a good password and 2-factor auth.

Single-point failure.

You've now put your trust in a system that you don't actually control, which is a high-enough value target that it IS worth an intelligent attack, by humans, instead of a dumb attack by robots. And using techniques more sophisticated than "random trial and error of commonly used phrases".

It is not true that your passwords are insecure (2)

junglebeast (1497399) | more than 3 years ago | (#34573492)

To quote the referenced article,

"Why is Ophcrack so fast? Because it uses Rainbow Tables. ....If you've salted your password hashes, an attacker can't use a rainbow table attack against you-"

In other words, any service with 1/10 of a brain will salt their passwords and be immune. They are also only vulnerable if they let their system get hacked and database stolen.

In other words its the same classic trade off as ever: you have to trust the person who runs the service to know what they are doing with your password. But if they do know what they are doing, then you shouldn't have to worry.

Ophcrack (3, Insightful)

Kiaser Zohsay (20134) | more than 3 years ago | (#34573528)

If "Fgpyyih804423" had at least one non-alpha-numeric character in it, it would have survived at least the free download ophcrack.

Lastpass (5, Informative)

defaria (741527) | more than 3 years ago | (#34573600)

In a word - Lastpass. 'Nuff said.

TFS Fail... (4, Interesting)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34573812)

The summary makes the incredibly naive and misleading mistake of conflating online trial-and-error attacks with offline hash attacks.

Against a system you do not control, the system has total power over how frequently you may try a username/password combination, how informative it is about your success/failure (i.e. does it just say "no", does it say "wrong password", does it say "username not recognized"?), as well as being able to, if it wishes, just start ignoring all attempts from your IP/terminal or all attempts against a specific account (subject to the risk of denial of service techniques exploiting this). In this scenario, the difference between a terrible password and an OK password is enormous. The 12345 or 'password' are quite likely to be simple enough to crack by trial and error, even against a remote system. Modestly more complex ones will either be impossible or require days/weeks of low-speed guessing, or careful guessing from multiple hosts.

With an offline hash attack, you have total control over the hashes, and the only limiting factor in how fast you can attack them is your computer (and hash attacks generally parallelize really well). Here, the difference between a terrible password and a merely mediocre one will likely be less than the refresh rate of the attacker's monitor, and the difference between an OK password and a superb one will still be fairly small. Only a password so good that it is basically a nonstandardized type of private key will be of any use. However, offline hash attacks only happen against compromised systems, you can't get the hash table otherwise. They are an excellent argument for not re-using passwords, since systems get cracked all the time; but they are of only limited relevance in discussing the importance of password complexity, or lack thereof, for online attack scenarios...

Its not the password that gets cracked ... (1)

fuzzylollipop (851039) | more than 3 years ago | (#34573930)

it's the way the password is encrypted. Hashing is not encryption, because you can just brute force it using a dictionary attack and find the hash that matches. A long random string of characters is hard to "crack" if you are repeatedly trying to login with every combination, but when you have a list of hashes, you can spend as many cycles as you can throw at it in a multiprocessor environment and discover the password that matches the hash. Hashing is a terrible way to "protect" a password from discovery, especially a hash without a secret salt combined with it. People get confused when things are called "cryptographic hashes", thinking they mean encryption when they mean really hard to recover, which, with unsalted inputs and simple database-comparable inputs, are trivial to recover.
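Several comments above (junglebeast quoting the article on salting, anegg on per-password random salt, and fuzzylollipop directly above on why a bare hash is not protection) describe what a stored password record should look like without showing one. The block below is an added example, not code from the page, the linked article or any poster: a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 from the standard library) with a constant-time comparison on verify, next to a dictionary run against a constructed three-user dump stored both ways. The iteration count, record format, user names and word list are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Work factor is an assumption; pick it so one verification costs roughly 100 ms on the
# hardware that serves logins, and keep it in the record so it can be raised later.
ITERATIONS = 200_000


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus an iterated hash; the record carries its own parameters."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    alg, iters, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_unsalted(dump: dict, wordlist) -> tuple:
    """dump maps user -> unsalted MD5 hex. Each candidate is hashed once and checked
    against every user at the same time; the second value counts hash evaluations."""
    precomputed = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {u: precomputed[h] for u, h in dump.items() if h in precomputed}
    return found, len(precomputed)


def crack_salted(dump: dict, wordlist) -> tuple:
    """dump maps user -> make_record() output. The salt forces every candidate to be
    re-derived per user, and each derivation costs `iterations` HMAC calls."""
    found, guesses = {}, 0
    for user, record in dump.items():
        for w in wordlist:
            guesses += 1
            if verify(w, record):
                found[user] = w
                break
    return found, guesses


# Constructed sample data for the demo (not from any real dump).
WORDLIST = ["123456", "password", "letmein", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}


def demo(iterations: int = 1000) -> dict:
    unsalted_dump = {u: hashlib.md5(p.encode()).hexdigest() for u, p in USERS.items()}
    salted_dump = {u: make_record(p, iterations) for u, p in USERS.items()}
    found, guesses = crack_salted(salted_dump, WORDLIST)
    return {
        "same_hash_unsalted": unsalted_dump["alice"] == unsalted_dump["bob"],
        "same_hash_salted": salted_dump["alice"] == salted_dump["bob"],
        "unsalted": crack_unsalted(unsalted_dump, WORDLIST),
        "salted": (found, guesses),
        "salted_hash_calls": guesses * iterations,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

Two things to read off the output. Unsalted, alice and bob share a hash, so one pass over the word list (four MD5 calls) recovers both, and the same precomputed list would serve every dump the attacker ever obtains, which is what rainbow tables industrialise. Salted, the same two users have unrelated records, the attacker pays per user (ten guesses here), and each guess costs the full iteration count, so the cost of the whole run is guesses times iterations rather than the size of the word list. Neither scheme helps carol's password only because it is not on the list; the salt and work factor buy time for every user, not immunity for the weak ones.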