Kill the Password: Why a String of Characters Can’t Protect Us Anymore
By Mat Honan
Wired
Nov 15, 2012
-snip-
Since that awful day, I've devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let's say you're on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that's easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.
First thing I do? Search for the word bank to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.
This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20 total, and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.
The common weakness in these hacks is the password. It's an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven't realized it yet.
More: http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/
wildbilln864
(13,382 posts)
customerserviceguy
(25,183 posts)then maybe you deserve this.
I don't think Gmail or even Yahoo passwords are as easy to get as this article maintains. Also, complicated passwords with both upper and lower case, a number or two, and a special character are really tough to crack. Not impossible, but for a thief, it's easier to move on to less-protected targets. You don't have to be impervious, you just have to be unworth the effort, and you can control the effort.
Canuckistanian
(42,290 posts)With the two-step verification. Practically impossible to hack into unless you also have my SIM card number from my phone.
TheBlackAdder
(28,076 posts)
wtmusic
(39,166 posts)I'd be amazed that there isn't a liability issue there.
Usually they store just the last four digits in plaintext for verification purposes.
3c273a
(62 posts)No password is safe...alone.
Posteritatis
(18,807 posts)If I get to pick the questions I can be pretty creative with the challenge and response; if I can't (and the password in question is important), then the answers are outright lies. A properly robust password, some care taken on those, and enough awareness not to blunder into phishing sites and the like is good enough for just about anything, even if a really truly concerted effort against you in particular still has chance of getting through.
(Also: password reuse is, of course, evil, and something I only use on don't-care-if-it's-compromised accounts.)
XemaSab
(60,212 posts)I hate the passwords that require upper case and lower case and special characters because I always have to write them down, and that's NOT SECURE.
ProfessionalLeftist
(4,982 posts)
gtar100
(4,192 posts)I like those systems that send a pass code by text as an additional layer of security. Certainly a lot more convenient (and cheaper) than personally getting an RSA keyfob.
Shankapotomus
(4,840 posts)You MUST remember your password or there is no accessing your account.
http://lavabit.com/
behindthe8ballnchain
(14 posts)but it's a bit like saying we're going to stop putting locks on doors because there are people who are good at picking locks.
AsahinaKimi
(20,776 posts)
wtmusic
(39,166 posts)The article tells us what we (most of us) already know - that bad passwords can be cracked, that you shouldn't use the same password, that you shouldn't keep it on a Post-It Note stuck to your monitor.
With a pseudo-random password of uppercase/lowercase alpha and digits, an 8 character password has 62^8 possible combinations - in decimal terms, 2,183,401,100,000,000,000,000. Just over 2 sextillion. If someone guessed a new password every second, they'd have to guess for 7 million years to be certain of getting into my measly checking account.
The age of the password has come to an end? Nonsense. There is no individual in the world dedicated and devious enough to crack that password.
UnrepentantLiberal
(11,700 posts)Upper case, lower case, numbers and symbol. And they're all random. I just remember what the password is.
Jim Lane
(11,175 posts)With an 8-character password, if I use no numerals, no symbols, and no lower-case letters, there are many fewer combinations (only 268, or about 200 billion). Nevertheless, in your example of someone guessing one per second, it would still take (by my math) more than 6,000 years to cover all of them. Granted, 7 million years is in some respects more secure, but is there any practical difference?
UnrepentantLiberal
(11,700 posts)That's why the upper case, lower case and numbers.
wtmusic
(39,166 posts)As UnrepentantLiberal notes, there are programs that can guess, in theory, millions in a few seconds.
In practice, it's much longer. Passwords are nowadays stored on a server in one-way encrypted form (hash). When you enter your password, the server uses the same encryption algorithm on your entry and compares it to the encrypted form on the server. There is no way to decode it, which is why you can't retrieve your passwords any more - they need to be reset.
Any secure website will disable an account after x number of tries (usually under ten), and a round trip HTTP authentication takes at least a second. So you might be able to guess ten passwords in ten seconds, but then you would have to re-enable the account. Practically speaking, a five-character pseudo-random password with upper/lower alpha and numerals is sufficient protection against brute force attacks for anything except your investment/banking accounts.
By a factor of thousands (millions?) the biggest risk you face is by not keeping your password secret.
The next biggest risk is by using a simple password. I always discounted the ability of hackers to guess simple passwords until I had a client's website hacked through (what we found out later to be) a guess. His password? "Butthead".
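A worked version of the brute-force arithmetic in wtmusic's and Jim Lane's posts above, as an added example that is not part of the thread: it computes the keyspaces for the character sets they discuss and the time to exhaust them at one guess per second, at the millions-per-second offline rate wtmusic mentions, and under the ten-tries-then-lockout model from the post above. The one-hour re-enable delay is an assumed parameter, not a figure from the thread.

```python
import math

# Figures taken from the thread: a 62-character alphabet (upper, lower,
# digits), a 26-letter alphabet, 8- and 5-character passwords, ten tries
# before lockout, and a one-second round trip per online attempt.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for an attacker trying candidates at a steady rate:
    one per second (the thread's assumption) or millions per second
    against a stolen hash (the offline case wtmusic mentions)."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def years_with_lockout(space: int, tries_before_lock: int,
                       attempt_seconds: float, reenable_seconds: float) -> float:
    """Online guessing as described in the thread: after `tries_before_lock`
    failures the account is disabled and must be re-enabled before the next
    batch. `reenable_seconds` is an assumed parameter, not from the thread."""
    batches = math.ceil(space / tries_before_lock)
    per_batch = tries_before_lock * attempt_seconds + reenable_seconds
    return batches * per_batch / SECONDS_PER_YEAR


def budget_table() -> dict:
    """Compare the password shapes the thread argues about."""
    shapes = {"letters only, 8 chars": (26, 8),
              "alnum, 8 chars": (62, 8),
              "alnum, 5 chars": (62, 5)}
    table = {}
    for name, (alpha, length) in shapes.items():
        space = keyspace(alpha, length)
        table[name] = {
            "keyspace": space,
            "years at 1 guess/s": years_to_exhaust(space, 1),
            "years at 1e6 guess/s offline": years_to_exhaust(space, 1e6),
            "years online, lockout after 10, 1h reset": years_with_lockout(space, 10, 1.0, 3600),
        }
    return table


if __name__ == "__main__":
    for name, row in budget_table().items():
        print(name)
        for label, value in row.items():
            print(f"  {label}: {value:,.3g}" if isinstance(value, float) else f"  {label}: {value:,}")
```

The table makes the thread's real point visible: the same 5-character alphanumeric password that survives millennia of rate-limited online guessing falls in minutes once its hash is stolen and guessed offline.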
RomneyLies
(3,333 posts)For security questions I always use pet names from my childhood, regardless of the question.
wtmusic
(39,166 posts)
Edweird
(8,570 posts)The email address I might give you is different than the email address I gave DU. My bank/ebay/paypal and all that have unique addresses. I lie on the canned security questions. I lie about my real name when I sign up for the email accounts. In other words, knowing my real name and my mother's maiden name is worthless. I'm certainly not bulletproof, but I'm not low hanging fruit.
NYC Liberal
(20,132 posts)confirm password changes with a confirmation code sent to my phone via SMS.
My "forgot password" answer is a scrambled combination of my phone number and 3 digits from my social.
hobbit709
(41,694 posts)Which is what governments do. I automatically assume someone out there is reading my email.
As far as security questions go, use an answer that only you know is wrong for the question. The more off the wall the better.
I never use my real name as my account ID on anything: not my bank, not my credit cards, nothing.
I have about 8 different email boxes on 3 different servers, each dedicated to a specific purpose. This helps to identify any phishing emails quickly.
Anything really important is on an encrypted flash drive that I don't leave plugged in to the computer.
Anything extremely important is kept in the safest location of all: inside my skull.
MyNameGoesHere
(7,638 posts)but the way we generate them are. I currently have to memorize a 30 character non-recurring password to access my other 25 character passwords for service accounts etc. I am trying new ways of generating and memorizing passwords without allowing the human factor to be compromised. Things like this give me a little hope that other people are working on it and not throwing their hands in the air and proclaiming the end of passwords.
http://www.extremetech.com/extreme/133067-unbreakable-crypto-store-a-30-character-password-in-your-brains-subconscious-memory
Tracer
(2,769 posts)I can't be the only person who has a small notebook with lists of different passwords.
Why different?
Because when I attempt a previously used password, I get told that it is "unavailable".
backscatter712
(26,355 posts)The password safe is itself password protected so people can't steal my passwords.
Egalitarian Thug
(12,448 posts)and everybody that understands how these miracles of human communication work, knows it.
But, they couldn't very well sell you hundreds of billions of dollars of crap, nor rid themselves of millions of workers, if they informed you of that fact, now could they? The internet, not just the www., was specifically designed to be open so that all of this connectivity could happen, but that also makes it inherently insecure. Believe it or not, there were a bunch of us talking about this when they first started convincing you all to put your lives online.
backscatter712
(26,355 posts)If I log into my Google account from a strange computer, Google will text my phone with a 6 digit code, and I'll need to enter that code to log in.
gtar100
(4,192 posts)Until a better system or method can be implemented with the same level of convenience as usernames and passwords, we are stuck with them. In the meantime, we use them to stop most crimes of opportunity. But our sense of security that allows us to function normally in this world still requires us to trust each other to a certain degree. Your only other option is to give in to fear and paranoia.
unblock
(51,974 posts)it's the ways to BYPASS the password that seems to be the main problem.
especially when the standard security questions are easily hacked.
if they want to make it easy to bypass a password, at least they should have questions whose answers can't be easily hacked.
name of first pet, or restaurant where you met your spouse, e.g., aren't likely to be easily googled, although even for those a few standard guesses would have a good hit rate.
SWTORFanatic
(385 posts)city I was born in (double layer of security because I use the hospital I was born in, not the town my parents were living in)
mrsadm
(1,198 posts)Time to go do some more work on my passwords and security questions!!!!!
UnrepentantLiberal
(11,700 posts)It gave me food for thought.