The current thread on passwords nudged me to ask this question about the security of various passwords produced according to a formula.

I know nothing about how bad guys get passwords. Is the most common way today by random testing, or do they look for patterns in data stolen from servers? I have seem many examples of something like the following from purveyors of password security measures, which suggests the bad guys are looking for patterns:


If in fact thieves are looking for patterns that suggest a password, wouldn't schema that require unusual patterns, such as requiring an unusual length (e.g., ≥10 characters), inclusion of unusual characters (e.g., $,&,^) and numbers, and so forth actually make a password more easily detected? Wouldn't a common word or typical combination of letters be a better password? In other words, if you want to be anonymous in a large crowd, don't wear a bright, lime-green suit.

John

 

Password crackers depend on large dictionaries of passwords, lists of common words, generated passwords and previously cracked passwords. A quick Google search turned up this. It's an inexpensive source of almost fifteen gigs of passwords. Your conservative business suit would be pwned almost immediately. Longer passwords need more time to crack, and the hacker may give up or be thwarted by system timeout parameters.

 

This is what I do:

I start with a sentence I can easily remember:

"Ann went to Charley's house for Thanksgiving dinner!"

Then, I take the first letter of each word, change words that sound like numbers to numbers, and keep the punctuation:

Aw2C'h4Td!

This gives you protection against dictionary attacks, and makes secure passwords that are easy to remember.

 

Joeyd999,

That's the technique we used to espouse in my last company's annual security training!

Good one.

 

And you can do this any number of ways. Get my drift?

Aucdta#ow.Gmd?

 

It would be good to hear from is a real password thief, if that has not already happened.

I can believe that 20 years ago, dictionary attacks were the most common, but is that true today? Like when HD had its files stolen, would the thieves search for "hammer" or for "xxxx^&?" It seems the latter would be more of a flag for a password. The same goes for short words and long words. Most of us don't use long words frequently, so a search for strings greater than xx might be more productive than a search through all strings, particularly if you knew that the targeted company required passwords of ≥10 characters.

I suspect all of us have ways to remember our passwords. I will pass on the opportunity to share mine. BTW, it has nothing to do with birthdays.

John

 

Hello,

This page might interest you:
http://strongpasswordgenerator.com/

Bertus

 

This page might interest you:
http://strongpasswordgenerator.com/

The problem with this is that it is impossible to remember passwords without writing them down.

 

A different password for everything is crucial. Brute forcing passwords is less likely than just stealing them from an insecure site via a back door, once someone has your password and email address they can do a lot of damage if you have used the same password on many sites.

 

joey's got the right idea.

on the other side of the table (receiving end) servers here get a beating at times (well, not really, just a lot of log files to read through) from failed login attempts. inbound mail failures are the main culprit, followed by ftp and the odd ssh attempts - 6 failed logins and they get a rest for a few hours, repeat offenders dropped permanently.

most of the logins are using scripts with default passwords listings.

me does smirk now and then with all the 'administrator' and 'root's that attempt to login, seeing as neither of those accounts exist/enabled in ubuntu.

 

Our administrator's password at one place I worked was "bigbaby." I always found it oxymoronic that an administrator for a critical mainframe system (hospital laboratory information system) not only would have such a password, but would let others know it.

But that was not my question.

John

 

But that was not my question.

John

sorry John,

to the fact you know you need a strong password makes you aware of the fact and i would assume you use strong passwords. EG lower/upper case/numeric mix? if so, chances of your password being found out is in the millions to 1

mr and mrs average that doesn't use a strong password EG: abc123/dogs/wifes/husbands name/birthday/same as login name/etc are the ones that are going to get caught. these are all listed in generic default password scripts used by these hackers/schoolkids.

and just a side note, how many people here have actually changed their modem/router/access point password from the default setting? point i'm trying to make, majority of people fail to take passwords seriously enough.

your question(s)

do they look for patterns in data stolen from servers

if they get full access to the servers, then, they will either have or can change passwords to suit themselves, normal procedures are to make a new account up and give themselves full access to the server. this i have seen done on windows servers with 'generic' administrator passwords. and once they are on, they can do whatever they like with it. i have no respect for that hospital administrator, hopefully got marching orders by now.

attacks are normally done by robot script programs, keeps hitting the service authentication system until it runs out of entries or stops when it gets a winner.

linux servers we can discuss some other time, lets just leave at more secure, though exploits still exist.

have seem many examples of something like the following from purveyors of password security measures, which suggests the bad guys are looking for patterns

through security loopholes, exploiting known faults in services, unless your actually running server/web services open to the internet with a static ip(s), the people that are doing it probably wouldn't be interested in you.

this is where the wheels start falling off, can feel i'm losing my train of thought here. will get back to this

Tom

 

Simply put, my question is what defines a "strong" password? And if the answer is as so many have suggested, how can you show it is strong? It seems to me that to say it is strong, you have to know how it is being tested. Ultimately, that is the question I asked. When databases containing passwords are stolen, how are those databases searched and/or read? I felt the image of an imaginary database with a password that stood out was a good illustration of my question.

John

 

Hello,

There are many criteria to make a password strong.
Take the test here:
http://www.passwordmeter.com/

As stated on that site the password should contain:

• Minimum 8 characters in length
• Contains 3/4 of the following items:
  - Uppercase Letters
  - Lowercase Letters
  - Numbers
  - Symbols

Bertus

 

Several years ago, I read an article about cyber security. The gist of it was that one group came up with a "strong" encryption scheme. Their tests showed it would take millennia to crack. Another team cracked it quite quickly -- at least relative to millennia. Their method was based on how long it took the "uncrackable" algorithm to process a set of specific challenges.

Wikipedia (http://en.wikipedia.org/wiki/Timing_attack) describes such "timing attacks," and this may be the relevant paper:
http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

Anyway, it seems there are at least two things to consider in terms of password security: 1) Cracking a password by testing; and 2) Finding passwords in stolen files. The latter is what prompted my question and is my greater worry. However, on searching Google, I find there are schemes to crack passwords by testing other than by random trials or dictionary attacks.

Here are just two sources I found particularly interesting:
http://resources.infosecinstitute.com/10-popular-password-cracking-tools/
https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/

From the second link, I pass on this bit of advice:



Regards, John

 

As there will always be more, new, and better ways to crack passwords, the best option would be to choose passwords that:

a) are not prone to dictionary attacks;
b) are strong enough to survive brute-force attacks over a reasonable period of time;
c) are easily memorizable (i.e. not written down);
d) are changed frequently.

In the end, social engineering will always be a weakness. This is why passwords alone will never be enough for complete security.

If we can add something the user has (i.e. a key card or biometric), in addition to something the user knows (password), security goes up dramatically. Unfortunately, this is when people start getting their fingers removed or eyes popped out -- at least in Hollywood.

Edit: BTW, this still doesn't resolve the issue of Server Side security, including physical security of the server itself. If someone wants something bad enough, and is willing to lose his life in the process, he's going to be successful -- or dead.

 

and just a side note, how many people here have actually changed their modem/router/access point password from the default setting? point i'm trying to make, majority of people fail to take passwords seriously enough.

Why should they take passwords seriously , rather than just regarding them as a nuisance?

The big boys (Microsoft etc) act in a totally cavalier fashion towards passwords.

With one hand they (now) force you to use so called 'strong' passwords.
With the other they include programs that remember your password for you as part of the basic system!

Everything has to be implemented in software for some reason.

Why, what is wrong with hardware solutions or even combination solutions?

Look at the chip and pin card.

Everyone grumbled at having to have a pin, so now the big boys are trying to force through wifi cards that remember the pin for us and we have to wrap our cards in cooking foil to keep them safe.

An unbreakable password?

Simple, but it would require some custom hardware, hated by the afficionados of conformism and mass production.

 

I agree completely with studiot.

From reading the newspaper, the greatest risk to our personal information is the lackadaisical care exercised by companies that collect it. Hardly a week goes by that some company or government agency doesn't report the theft/loss of a massive amount of personal information. For a list of the companies involved, just check the Fortune 500.

In contrast, in my decades of using a credit card, I have only had two bogus charges. Ironically, those were on a Chase card, and Chase is one of the companies that had its security breached.

John

 

https://www.kickstarter.com/projects/everykey/everykey-the-wristband-that-replaces-keys-and-pass

 

https://www.kickstarter.com/projects/everykey/everykey-the-wristband-that-replaces-keys-and-pass

This simply replaces "that which you know" with "that which you have".

Only if there were some local authentication with something known only to the wearer would it be an improvement.