[News] 2014 News (NO POLITICS)

Yeah. You read right. This is for everything that doesn't have anything to do with Eva.


Tankred
Anime Ja Nai
Age: 29
Posts: 5118
Joined: Jan 09, 2011

Post by Tankred » Sun Sep 14, 2014 8:30 am

Sorrow wrote: Memorising them would be safest.


Remembering long strings of words, numbers and other symbols can be a real ball ache, especially if you have to change them every month.

Sorrow wrote: Nosey family members who are bored with life can find pieces of paper


Yeah if you're leaving them right next to your comp.

Sorrow
Lilin
Posts: 1069
Joined: Jul 06, 2014

Post by Sorrow » Sun Sep 14, 2014 8:41 am

Tankred wrote: Remembering long strings of words, numbers and other symbols can be a real ball ache, especially if you have to change them every month.
Why do they need to be changed every month?

Tankred wrote: Yeah if you're leaving them right next to your comp.
You underestimate the lengths some people will go to be nosey.
The fate of man…the hope of man is written in sorrow.

Tankred
Anime Ja Nai
Age: 29
Posts: 5118
Joined: Jan 09, 2011

Post by Tankred » Sun Sep 14, 2014 11:40 am

Sorrow wrote: Why do they need to be changed every month?


Well not every month, but eventually a large amount have to be changed. Considering all these password scares as well, I wouldn't be surprised if some sites would start forcing a mandatory change every now and then.

Sorrow wrote: You underestimate the lengths some people will go to be nosey.


You underestimate the lengths some people will go to be secretive.

Sorrow
Lilin
Posts: 1069
Joined: Jul 06, 2014

Post by Sorrow » Sun Sep 14, 2014 12:33 pm

Tankred wrote: Well not every month, but eventually a large amount have to be changed. Considering all these password scares as well, I wouldn't be surprised if some sites would start forcing a mandatory change every now and then.
I don't see the point. If you set a decent password, not related to your favourite actor or your cat's name, then no one will be able to guess it. It is practically impossible to guess a random assortment of symbols. So then I assume the only way someone will get my passwords is through some kind of program. If there is a program I'm unaware of that is reading my passwords then no amount of changing them will help. They'll just get read again or used between the time the password is stolen and when you next wish to change them.

Tankred wrote: You underestimate the lengths some people will go to be secretive.
Well said, but consider: if you leave something around that could be found, you're not exempt from someone finding it. You can't control who may decide to go hunting or stumble upon it whilst doing something else - if it's in your mind then you're free from such unfortunate events.

Writing it down is an unnecessary risk - especially since changing them infrequently is an unnecessary precaution.

Chuckman
Chuckman
Age: 41
Posts: 8902
Joined: Nov 11, 2011
Location: Chuckman
Gender: Female

Post by Chuckman » Sun Sep 14, 2014 1:07 pm

A strong password should be at least twenty symbols and a random combination of numbers, letters, and special characters.

No one is "guessing" these passwords, they're using cracking programs that run on GPUs, similar to crypto currency mining algos, that can do massive amounts of parallel calculations very quickly. They don't need to guess your cat's name.
the prophecy is true

Statistical fact: Cops will never pull over a man with a huge bong in his car. Why? They fear this man. They know he sees further than they and he will bind them with ancient logics. —Marty Mikalski

Sorrow
Lilin
Posts: 1069
Joined: Jul 06, 2014

Post by Sorrow » Sun Sep 14, 2014 1:19 pm

Chuckman wrote: A strong password should be at least twenty symbols and a random combination of numbers, letters, and special characters.

No one is "guessing" these passwords, they're using cracking programs that run on GPUs, similar to crypto currency mining algos, that can do massive amounts of parallel calculations very quickly. They don't need to guess your cat's name.
If you re-read my post you'll see that I was saying just that.

If you set a stupid password, like one with your cat's name, then people who know you may be able to guess it. The point was "if you set a decent password it would be impossible for anyone to guess it". So you needn't change your password, ever, for fear of a person figuring it out.

So I then said that the only way someone is getting your password is if they use a program - in which case, occasionally changing your password will not help you out.

Chuckman
Chuckman
Age: 41
Posts: 8902
Joined: Nov 11, 2011
Location: Chuckman
Gender: Female

Post by Chuckman » Sun Sep 14, 2014 1:35 pm

A strong password makes it mathematically impossible to guess. Password leaks are almost always due to bad policies (like Sony storing PSN passwords on a server in plain text) or user error.

pwhodges
A Lilin in Wonderland
Age: 77
Posts: 11035
Joined: Nov 18, 2012
Location: Oxford, UK

Post by pwhodges » Sun Sep 14, 2014 7:38 pm

Some passwords can be broken; but honestly, few of us have the kind of information that makes it worth the effort. IRL, passwords get stolen or keylogged, and the strength of the password is then completely irrelevant. Multi-factor authentication has to be the only effective way forward, I'm afraid.
"Being human, having your health; that's what's important." (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?" (from: The Eccentric Family )
Avatar: The end of the journey (details); Past avatars.
Before 3.0+1.0 there was Afterwards... my post-Q Evangelion fanfic (discussion)

soul.assassin
Geezer of All Trades
Age: 47
Posts: 4891
Joined: Feb 26, 2010
Location: Anywhere
Gender: Male

Post by soul.assassin » Sun Sep 14, 2014 8:51 pm

http://www.nytimes.com/2014/09/15/world/asia/north-korea-sentences-american-to-6-years-of-hard-labor.html?contentCollection=world&action=click&module=NextInCollection&region=Footer&pgtype=article

Let's just say he walked into the wrong neighborhood.

Bagheera
Asuka's Bulldog
Posts: 18679
Joined: Oct 15, 2010

Post by Bagheera » Sun Sep 14, 2014 10:36 pm

soul.assassin wrote: http://www.nytimes.com/2014/09/15/world/asia/north-korea-sentences-american-to-6-years-of-hard-labor.html?contentCollection=world&action=click&module=NextInCollection&region=Footer&pgtype=article

Let's just say he walked into the wrong neighborhood.


Mission Accomplished, I guess?
For my post-3I fic, go here.
The law doesn't protect people. People protect the law. -- Akane Tsunemori, Psycho-Pass
People's deaths are to be mourned. The ability to save people should be celebrated. Life itself should be exalted. -- Volken Macmani, Tatakau Shisho: The Book of Bantorra
I hate myself. But maybe I can learn to love myself. Maybe it's okay for me to be here! That's right! I'm me, nothing more, nothing less! I'm me. I want to be me! I want to be here! And it's okay for me to be here! -- Shinji Ikari, Neon Genesis Evangelion
Yes, I know. You thought it would be something about Asuka. You're such idiots.

delispin25
Sandalphon
Age: 27
Posts: 504
Joined: Jan 23, 2013
Location: Soviet Canuckistan
Gender: Male

Post by delispin25 » Sun Sep 14, 2014 10:38 pm

soul.assassin wrote: http://www.nytimes.com/2014/09/15/world/asia/north-korea-sentences-american-to-6-years-of-hard-labor.html?contentCollection=world&action=click&module=NextInCollection&region=Footer&pgtype=article

Let's just say he walked into the wrong neighborhood.

Nothing wrong with some good old hard work, except for when it can kill you.

Nuclear Lunchbox
Agent Ahegao
Age: 26
Posts: 10623
Joined: Dec 13, 2012
Location: Nippon
Gender: Male

Post by Nuclear Lunchbox » Sun Sep 14, 2014 10:41 pm

Ah, international relations with the good ol' DPRK. Good times.

Catamari
Test Subject
Age: 30
Posts: 2936
Joined: Dec 26, 2012
Location: Transsexual Transylvania
Gender: Male

Post by Catamari » Sun Sep 14, 2014 11:14 pm

Nuclear Lunchbox wrote: Ah, international relations with the good ol' DPRK. Good times.
Why anybody would actually go to that country for vacation is beyond me. I mean, come on, why would you visit a country that absolutely hated your guts, for the simple fact that you were American.

As much as I love reading about the USSR, I sure as shit wouldn't have gone there as a tourist.
Avatar: Smile!
Official Sexpert of Dai-Ero-Dan
"I LOVE LADIES." - The Eva Monkey
"If I can't wipe my own ass, then it's time for me to go." - Guy Nacks
"[Catamari] Just advising you to check your privilege" - Bagheera
"Fuck you, Switzerland" - Archer

Nuclear Lunchbox
Agent Ahegao
Age: 26
Posts: 10623
Joined: Dec 13, 2012
Location: Nippon
Gender: Male

Post by Nuclear Lunchbox » Sun Sep 14, 2014 11:18 pm

It's kind of like how you don't see me going to any of the countries neighboring Israel.

Trajan
Test Subject
Age: 30
Posts: 2838
Joined: Dec 19, 2010
Location: Tamriel
Gender: Male

Post by Trajan » Mon Sep 15, 2014 1:44 am

Chuckman wrote: A strong password should be at least twenty symbols and a random combination of numbers, letters, and special characters.


That's way too hard for me to memorize. There has to be a middle ground between secure and total-pain-in-the-ass. I have about fifteen different sites that require passwords right now and even accounting for the fact that some of them have the same password, coming up with a different random stream of symbols for each one would be impossible for anyone without a photographic memory to remember. And honestly, if someone wants to break into my EvaGeeks account that badly, they're welcome to do so. My bank account and email passwords are over 8 characters, have a capital and a symbol along with numbers for my bank account specifically.

Writing passwords down defeats the whole purpose in my mind, so they have to have enough personal meaning for me that I remember them, so random keystrokes isn't the way to go for me.
Movin' Right Along
"Everything has its beauty but not everyone sees it." - Confucius
"All styles are good except the tiresome kind." - Voltaire

Bagheera
Asuka's Bulldog
Posts: 18679
Joined: Oct 15, 2010

Post by Bagheera » Mon Sep 15, 2014 4:05 am

Catamari wrote: Why anybody would actually go to that country for vacation is beyond me. I mean, come on, why would you visit a country that absolutely hated your guts, for the simple fact that you were American.

As much as I love reading about the USSR, I sure as shit wouldn't have gone there as a tourist.


Our own Drinian has visited the place at least once (DPRK, that is, not USSR). Even after he explained it to me I still have no idea why.

Ornette
Administrator
Age: 49
Posts: 11887
Joined: Dec 26, 2005
Location: Pittsburgh/New York City
Gender: Male

Post by Ornette » Mon Sep 15, 2014 9:33 am

Chuckman wrote: A strong password makes it mathematically impossible to guess. Password leaks are almost always due to bad policies (like Sony storing PSN passwords on a server in plain text) or user error.

Aside from data breaches, most individual passwords are stolen through phishing, spear-phishing, malware and/or key-logging. That's why password stores like PWSafe have a copy to clipboard option, so you don't even type the password. Data breaches where hashes are taken simply need to take time, and is not mathematically impossible to guess. Not even close. Most everyone still uses MD5 which isn't safe anymore, EC2 has issues, and recently in an application I worked on, we used PBKDF2. Various strengths between different hashes but you can divide up the work. I regularly run John the Ripper on my servers to make sure users are not picking stupid passwords and I can crack 20-30 character long passwords in a few days on my laptop. Complexity of passwords matters less and less when there's almost no brute force guessing on the front end anymore.

Though email passwords are different, since those passwords are almost always sent plaintext and require re-auth every time you send an email or fetch from your inbox (no sessions), simply because of the way the protocol works. Those are high visibility and high use, and you should definitely pick something strong in that case. Gmail and the like are an exception, since they require authorized app keys if you want to use your own mail reader and not use your browser.

Catamari
Test Subject
Age: 30
Posts: 2936
Joined: Dec 26, 2012
Location: Transsexual Transylvania
Gender: Male

Post by Catamari » Mon Sep 15, 2014 12:50 pm

Ornette wrote: Most everyone still uses MD5 which isn't safe anymore
Good god, really? I've only ever had to write password systems a couple of times, but I almost always used whirlpool. This was before PHP had built in Bcrypt support.

Ornette wrote: I regularly run John the Ripper on my servers to make sure users are not picking stupid passwords and I can crack 20-30 character long passwords in a few days on my laptop. Complexity of passwords matters less and less when there's almost no brute force guessing on the front end anymore.
I wish my boss would listen to me about password security. But no, she wants all the passwords to be the same, simple, 6-character password. It's insane. What's worse is that you can get into anyone's email (including hers, and the accountants', but excluding mine and the other IT people's, because we are administrators) by just knowing the username, since everyone has to have the same bloody password.

Ornette wrote: Though email passwords are different, since those passwords are almost always sent plaintext and require re-auth every time you send an email or fetch from your inbox (no sessions), simply because of the way the protocol works. Those are high visibility and high use, and you should definitely pick something strong in that case. Gmail and the like are an exception, since they require authorized app keys if you want to use your own mail reader and not use your browser.
I've picked dozens, nay hundreds, of email passwords out of the air using airodump, over the years. I have no reason to use them, but it's funny just how little protection is used. Since more people are switching to Gmail, it's getting harder, but there are still the odd elderly people using AOL.

Ornette
Administrator
Age: 49
Posts: 11887
Joined: Dec 26, 2005
Location: Pittsburgh/New York City
Gender: Male

Post by Ornette » Mon Sep 15, 2014 2:58 pm

Catamari wrote: Good god, really? I've only ever had to write password systems a couple of times, but I almost always used whirlpool. This was before PHP had built in Bcrypt support.

Once you start using MD5, be it 5 or 15 years ago, it's not like you can flip a switch and start using a new hashing algorithm. You can support multiple hashes and favor one over the other but you can't just rehash all the passwords in your database, since you don't have the actual passwords. So they'll stick around until, along with the contingency, every one of your users has changed their passwords thus causing it to get hashed with the newer algorithm. And that's simply not something that's feasible with a large enough user base.
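
Added example (not part of Ornette's post or any project's code): a sketch of the "support multiple hashes and favor one" approach described above, where each stored record is tagged with its scheme and a legacy MD5 record is replaced with PBKDF2 at the one moment the plaintext is available, a successful login. The record format, function names, iteration count and sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def md5_record(password):
    """Legacy format: unsalted MD5, as the old system would have stored it."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Preferred format: scheme$iterations$salt$derived_key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Check a password against a record of either supported scheme."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        expected = md5_record(password)
    elif scheme == "pbkdf2_sha256":
        iterations, salt_hex, _ = rest.split("$")
        expected = pbkdf2_record(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        return False
    return hmac.compare_digest(expected, record)


def login(db, user, password):
    """Authenticate, then upgrade a legacy record while the plaintext is in hand."""
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("pbkdf2_sha256$"):
        db[user] = pbkdf2_record(password)
    return True


def legacy_accounts(db):
    """Accounts still on MD5, i.e. users who have not logged in since the switch."""
    return sorted(u for u, r in db.items() if r.startswith("md5$"))


# Constructed sample user table (hypothetical users and passwords)
USERS = {"alice": md5_record("correct horse"), "bob": md5_record("hunter2")}
```

Accounts that never log in again stay in `legacy_accounts()`, which is the long tail the post describes.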

Chuckman
Chuckman
Age: 41
Posts: 8902
Joined: Nov 11, 2011
Location: Chuckman
Gender: Female

Post by Chuckman » Mon Sep 15, 2014 3:16 pm

Well, fuck. Guess I'll have to start rotating them again.

Bagheera wrote: Our own Drinian has visited the place at least once (DPRK, that is, not USSR). Even after he explained it to me I still have no idea why.


I hear Mordor is nice this time of year.

