
Wed Nov 21, 2012, 07:56 PM

 

Kill the Password: Why a String of Characters Can't Protect Us Anymore

By Mat Honan
Wired
Nov 15, 2012

-snip-

Since that awful day, I've devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let's say you're on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that's easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

First thing I do? Search for the word "bank" to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20, total, and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.

The common weakness in these hacks is the password. It's an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven't realized it yet.

More: http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/

34 replies, 4110 views

Replies to this discussion thread (author, date, post number):
Kill the Password: Why a String of Characters Can't Protect Us Anymore (Original post)
UnrepentantLiberal Nov 2012 OP
wildbilln864 Nov 2012 #1
customerserviceguy Nov 2012 #2
Canuckistanian Nov 2012 #9
TheBlackAdder Nov 2012 #12
wtmusic Nov 2012 #27
3c273a Nov 2012 #3
Posteritatis Nov 2012 #4
XemaSab Nov 2012 #10
ProfessionalLeftist Nov 2012 #5
gtar100 Nov 2012 #30
Shankapotomus Nov 2012 #6
behindthe8ballnchain Nov 2012 #7
AsahinaKimi Nov 2012 #8
wtmusic Nov 2012 #11
UnrepentantLiberal Nov 2012 #13
Jim Lane Nov 2012 #14
UnrepentantLiberal Nov 2012 #21
wtmusic Nov 2012 #26
RomneyLies Nov 2012 #19
wtmusic Nov 2012 #23
Edweird Nov 2012 #15
NYC Liberal Nov 2012 #16
hobbit709 Nov 2012 #17
MyNameGoesHere Nov 2012 #18
Tracer Nov 2012 #20
backscatter712 Nov 2012 #25
Egalitarian Thug Nov 2012 #22
backscatter712 Nov 2012 #24
gtar100 Nov 2012 #28
unblock Nov 2012 #29
SWTORFanatic Nov 2012 #31
mrsadm Nov 2012 #32
UnrepentantLiberal Nov 2012 #34
cherokeeprogressive Nov 2012 #33

Response to UnrepentantLiberal (Original post)

Wed Nov 21, 2012, 08:07 PM

1. k&r! nt



Response to UnrepentantLiberal (Original post)

Wed Nov 21, 2012, 08:45 PM

2. If you're goofy enough to use AOHell

then maybe you deserve this.

I don't think Gmail or even Yahoo passwords are as easy to get as this article maintains. Also, complicated passwords with both upper and lower case, a number or two, and a special character are really tough to crack. Not impossible, but for a thief, it's easier to move on to less-protected targets. You don't have to be impervious, you just have to be unworth the effort, and you can control the effort.



Response to customerserviceguy (Reply #2)

Wed Nov 21, 2012, 11:59 PM

9. I trust my Gmail account

With the two-step verification. Practically impossible to hack into unless you also have my SIM card number from my phone.



Response to Canuckistanian (Reply #9)

Thu Nov 22, 2012, 02:27 AM

12. The GMAIL password is in clear text format for the Tech Support and AdWord folks to see. n/t



Response to TheBlackAdder (Reply #12)

Thu Nov 22, 2012, 11:35 AM

27. Really?

I'd be amazed that there isn't a liability issue there.

Usually they store just the last four digits in plaintext for verification purposes.



Response to UnrepentantLiberal (Original post)

Wed Nov 21, 2012, 09:06 PM

3. Read the entire link, plz

No password is safe...alone.



Response to UnrepentantLiberal (Original post)

Wed Nov 21, 2012, 09:20 PM

4. A chunk of my own security is about screwing up the password reset questions

If I get to pick the questions I can be pretty creative with the challenge and response; if I can't (and the password in question is important), then the answers are outright lies. A properly robust password, some care taken on those, and enough awareness not to blunder into phishing sites and the like is good enough for just about anything, even if a really truly concerted effort against you in particular still has a chance of getting through.

(Also: password reuse is, of course, evil, and something I only use on don't-care-if-it's-compromised accounts.)



Response to Posteritatis (Reply #4)

Thu Nov 22, 2012, 12:04 AM

10. The set-your-own-question password seems pretty solid.

I hate the passwords that require upper case and lower case and special characters because I always have to write them down, and that's NOT SECURE.



Response to UnrepentantLiberal (Original post)

Wed Nov 21, 2012, 09:26 PM

5. Enter two-factor authentication. n/t



Response to ProfessionalLeftist (Reply #5)

Thu Nov 22, 2012, 12:14 PM

30. And text messaging makes our phones the second factor.

I like those systems that send a pass code by text as an additional layer of security. Certainly a lot more convenient (and cheaper) than personally getting an RSA keyfob.



Response to UnrepentantLiberal (Original post)

Wed Nov 21, 2012, 09:27 PM

6. LavaBit email doesn't provide a "Forgot your password?" option

You MUST remember your password or there is no accessing your account.

http://lavabit.com/



Response to UnrepentantLiberal (Original post)

Wed Nov 21, 2012, 10:17 PM

7. I get his point

but it's a bit like saying we're going to stop putting locks on doors because there are people who are good at picking locks.



Response to UnrepentantLiberal (Original post)

Wed Nov 21, 2012, 11:54 PM

8. Wow... that is scary



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 12:15 AM

11. Ech. Misrepresentative title.

The article tells us what we (most of us) already know - that bad passwords can be cracked, that you shouldn't use the same password, that you shouldn't keep it on a Post-It Note stuck to your monitor.

With a pseudo-random password of uppercase/lowercase alpha and digits, an 8 character password has 62^8 possible combinations - in decimal terms, 2,183,401,100,000,000,000,000. Just over 2 sextillion. If someone guessed a new password every second, they'd have to guess for 7 million years to be certain of getting into my measly checking account.

The age of the password has come to an end? Nonsense. There is no individual in the world dedicated and devious enough to crack that password.



Response to wtmusic (Reply #11)

Thu Nov 22, 2012, 04:48 AM

13. Mine has 11 characters.

 

Upper case, lower case, numbers and symbol. And they're all random. I just remember what the password is.



Response to wtmusic (Reply #11)

Thu Nov 22, 2012, 06:40 AM

14. Does password complexity really matter?

With an 8-character password, if I use no numerals, no symbols, and no lower-case letters, there are many fewer combinations (only 26^8, or about 200 billion). Nevertheless, in your example of someone guessing one per second, it would still take (by my math) more than 6,000 years to cover all of them. Granted, 7 million years is in some respects more secure, but is there any practical difference?

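The keyspace arithmetic that replies #11 and #14 argue over, worked through as an added example (this is not code from the article or from any poster). It generalizes the thread's single case to any alphabet size, length and guess rate: the 1 guess per second rate is the thread's own online assumption; the 10^9 guesses per second rate is an assumed, round figure used only to show how much the answer depends on whether guesses are made against a live login form or against a stolen hash file.

```python
import math

# Alphabet sizes discussed in the thread (constructed table for this example).
ALPHABETS = {
    "upper only": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "printable ASCII": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent strength in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this shape at a fixed rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def strength_table(length: int, rates: dict) -> list:
    """One row per alphabet: bits of entropy and exhaustive-search time per rate."""
    rows = []
    for name, size in ALPHABETS.items():
        row = {"alphabet": name, "length": length, "bits": round(entropy_bits(size, length), 1)}
        for rate_name, rate in rates.items():
            row[rate_name] = years_to_exhaust(size, length, rate)
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Assumed rates: the thread's 1/s online figure and a round offline figure.
    rates = {"online 1/s": 1.0, "offline 1e9/s (assumed)": 1e9}
    for row in strength_table(8, rates):
        times = ", ".join(f"{k}: {row[k]:.3g} yr" for k in rates)
        print(f"{row['alphabet']:<20} {row['bits']:>5} bits  {times}")
```

Run it for length 8 and the two rows the posters argue about fall out directly: 26 letters give about 6.6 thousand years at one guess per second, 62 characters give about 6.9 million, which is reply #14's "6,000 years" and reply #11's "7 million years". The same 62-character keyspace at the assumed offline rate is exhausted in a few days, which is why the question in #14 ("is there any practical difference?") has a different answer depending on where the guessing happens.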


Response to Jim Lane (Reply #14)

Thu Nov 22, 2012, 08:53 AM

21. There are devices and computer programs that do that much quicker.

 

That's why the upper case, lower case and numbers.



Response to Jim Lane (Reply #14)

Thu Nov 22, 2012, 11:24 AM

26. Probably not.

As UnrepentantLiberal notes, there are programs that can guess, in theory, millions in a few seconds.

In practice, it's much longer. Passwords are nowadays stored on a server in one-way encrypted form (hash). When you enter your password, the server uses the same encryption algorithm on your entry and compares it to the encrypted form on the server. There is no way to decode it, which is why you can't retrieve your passwords any more - they need to be reset.

Any secure website will disable an account after x number of tries (usually under ten), and a round trip HTTP authentication takes at least a second. So you might be able to guess ten passwords in ten seconds, but then you would have to re-enable the account. Practically speaking, a five-character pseudo-random password with upper/lower alpha and numerals is sufficient protection against brute force attacks for anything except your investment/banking accounts.

By a factor of thousands (millions?) the biggest risk you face is by not keeping your password secret.

The next biggest risk is by using a simple password. I always discounted the ability of hackers to guess simple passwords until I had a client's website hacked through (what we found out later to be) a guess. His password? "Butthead".

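The storage and rate-limiting model that reply #26 describes (server keeps only a one-way hash, recomputes it on each login, and disables the account after a handful of failures, so the password can only be reset and never retrieved), as an added example that is not code from any poster or site in the thread. It is a constructed in-memory store; the PBKDF2 iteration count, salt length and lockout threshold are assumptions chosen for illustration, and a production deployment would pick a memory-hard KDF and tune the cost to its own hardware.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed parameters for this example (tune for real deployments).
KDF_ITERATIONS = 100_000
SALT_BYTES = 16
MAX_FAILURES = 10  # "disable an account after x number of tries (usually under ten)"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a one-way hash from the password with a random per-user salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class PasswordStore:
    """Constructed user table: holds salt and hash only, never the password itself."""

    def __init__(self) -> None:
        self._users: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = Account(salt, digest)

    def login(self, username: str, password: str) -> bool:
        acct = self._users.get(username)
        if acct is None:
            # Spend the same KDF cost for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        if acct.locked:
            return False
        # Same algorithm, same salt: compare the recomputed hash, not the password.
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return False

    def is_locked(self, username: str) -> bool:
        return self._users[username].locked

    def reset_password(self, username: str, new_password: str) -> None:
        """The stored hash cannot be reversed, so the only recovery path is a reset."""
        salt, digest = hash_password(new_password)
        self._users[username] = Account(salt, digest)


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "correct horse battery")
    print("right password:", store.login("alice", "correct horse battery"))
    for _ in range(MAX_FAILURES):
        store.login("alice", "Butthead")
    print("locked after repeated failures:", store.is_locked("alice"))
    print("right password while locked:", store.login("alice", "correct horse battery"))
```

Two points the post makes are visible in the code: `hmac.compare_digest` runs in constant time so a partially matching hash cannot be detected through timing, and the lockout plus the deliberately slow KDF is what turns the thread's "one guess per second" into a realistic bound for an attacker working through the login form rather than through a stolen copy of the hash table.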


Response to wtmusic (Reply #11)

Thu Nov 22, 2012, 08:27 AM

19. I use an 18 character passphrase

 

For security questions I always use pet names from my childhood, regardless of the question.



Response to RomneyLies (Reply #19)

Thu Nov 22, 2012, 11:09 AM

23. As long as your dog's name wasn't Max, you're probably ok nt



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 06:48 AM

15. I use numerous email accounts with multiple providers.

 

The email address I might give you is different than the email address I gave DU. My bank/ebay/paypal and all that have unique addresses. I lie on the canned security questions. I lie about my real name when I sign up for the email accounts. In other words, knowing my real name and my mother's maiden name is worthless. I'm certainly not bulletproof, but I'm not low hanging fruit.



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 07:27 AM

16. Both my banks and my email require that I

confirm password changes with a confirmation code sent to my phone via SMS.

My "forgot password" answer is a scrambled combination of my phone number and 3 digits from my social.



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 07:31 AM

17. all someone has to do is access the email servers to read your email

Which is what governments do. I automatically assume someone out there is reading my email.
As far as security questions go, use an answer that only you know is wrong for the question. The more off the wall the better.
I never use my real name as my account ID on anything: not my bank, not my credit cards, nothing.
I have about 8 different email boxes on 3 different servers, each dedicated to a specific purpose. This helps to identify any phishing emails quickly.
Anything really important is on an encrypted flash drive that I don't leave plugged in to the computer.
Anything extremely important is kept in the safest location of all: inside my skull.



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 07:37 AM

18. I am not sure passwords are going to become extinct

but the way we generate them is. I currently have to memorize a 30 character non-recurring password to access my other 25 character passwords for service accounts etc. I am trying new ways of generating and memorizing passwords without allowing the human factor to be compromised. Things like this give me a little hope that other people are working on it and not throwing their hands in the air and proclaiming the end of passwords.

http://www.extremetech.com/extreme/133067-unbreakable-crypto-store-a-30-character-password-in-your-brains-subconscious-memory



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 08:40 AM

20. I actually wish there was a replacement for passwords.

I can't be the only person who has a small notebook with lists of different passwords.

Why different?

Because when I attempt a previously used password, I get told that it is "unavailable".



Response to Tracer (Reply #20)

Thu Nov 22, 2012, 11:13 AM

25. I keep a password safe application on my smartphone for that purpose.

The password safe is itself password protected so people can't steal my passwords.



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 08:56 AM

22. The myth of the secured, networked computer. There has never been such a thing,

 

and everybody that understands how these miracles of human communication work, knows it.

But, they couldn't very well sell you hundreds of billions of dollars of crap, nor rid themselves of millions of workers, if they informed you of that fact, now could they? The internet, not just the www., was specifically designed to be open so that all of this connectivity could happen, but that also makes it inherently insecure. Believe it or not, there were a bunch of us talking about this when they first started convincing you all to put your lives on line.



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 11:12 AM

24. I've got so much stuff on Google that I took the precaution of activating 2 factor authentication.

If I log into my Google account from a strange computer, Google will text my phone with a 6 digit code, and I'll need to enter that code to log in.



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 12:03 PM

28. The same can be said for your home. Passwords are just locks on doors.

Until a better system or method can be implemented with the same level of convenience as usernames and passwords, we are stuck with them. In the meantime, we use them to stop most crimes of opportunity. But our sense of security that allows us to function normally in this world still requires us to trust each other to a certain degree. Your only other option is to give in to fear and paranoia.



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 12:05 PM

29. the main point seems to be that passwords ARE good protection, just don't have a silly one

it's the ways to BYPASS the password that seem to be the main problem.

especially when the standard security questions are easily hacked.

if they want to make it easy to bypass a password, at least they should have questions whose answers can't be easily hacked.

name of first pet, or restaurant where you met your spouse, e.g., aren't likely to be easily googled, although even for those a few standard guesses would have a good hit rate.



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 12:22 PM

31. Dumb dumb. Can't find me on google and certainly can't find the

city I was born in (double layer of security because I use the hospital I was born in, not the town my parents were living in)



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 12:39 PM

32. Great article, I learned a lot, thanks for posting!

Time to go do some more work on my passwords and security questions!!!!!



Response to mrsadm (Reply #32)

Thu Nov 22, 2012, 04:52 PM

34. Glad the article was helpful.

 

It gave me food for thought.



Response to UnrepentantLiberal (Original post)

Thu Nov 22, 2012, 12:49 PM

33. Meh... I use my BofA ATM PIN as my password for every online account. n/t
