Geekzone: technology news, blogs, forums
1348 posts

Uber Geek
+1 received by user: 159


  # 2221465 20-Apr-2019 13:58
One person supports this post

One thing I noticed in that article is that while it deals in patterns and heuristics to make a point, it seemed to be quite lacking in the math.

I find it interesting that the brain is really good at working with patterns and so using common patterns in passwords may be not the greatest thing to be doing as suggested.

I did notice that the article referred to a dictionary attack. This in itself can be something worth doing the math on. I wonder if there is any difference in entropy/probability between the word ‘Mechanic’ and the word ‘Velviriki’ (spelt with an acute accent on the e)

I find it also just as interesting in looking at the theory behind storing all of one's passwords in a well known password store in the belief that they are any more safe.




Software Engineer

 


1353 posts

Uber Geek
+1 received by user: 281

Subscriber

  # 2221475 20-Apr-2019 14:32
One person supports this post

Geektastic:
sparkz25:

 

This is a good test of your password strength

 

https://howsecureismypassword.net/

 

And this is good to see if your password has been pwned

 

https://haveibeenpwned.com/Passwords

 

I use these a bit for clients to show them how crap their password is and how long it will take to crack their crappy password

 



Very happy that the Dashlane site you linked to another told me one of my passwords would take 607 million years to crack.

I can live with that risk....

 

I'm a bit averse to online password keepers. LastPass got compromised if memory serves me correctly.

 

Dashlane is installed on Acer computers. I had them up one time about the fact their website featured user testimonials using stock photos of the users giving testimonials (e.g. the users were BS with purchased or free images off the net).

 

Dashlane have not stopped doing this. In their testimonials they have this image next to the testimonial.

 

 

It is a stock photo found in adobe and other places. https://www.tineye.com/search/5aafabce7533ced939c690a42a6dc830ff74f709/

 

Yes - they don't say she is Alex S but the photo is contained within a border that contains the quote, lumping them together. You may say they don't expect us to connect the two but just below, the New York Times logo is surrounded in exactly the same borders with a quote from a New York Times user. Misleading. Not as bad as when I had them up about it - but still shady.

 

I use KeePass. Locked with encryption, a strong 16 char password and an encryption key. Synchronized via ftp / rsync and onto a pen drive. It's on my phone, laptop and desktops. Works a treat with a separate 20 char plus random password for all sites, ssh connections, servers, etc etc etc. I could use Dropbox but I worry about file locking so prefer a manual backup process or inbuilt plugin.

 

BTW - The password checker referenced above says Password1234 takes 3000 years to guess. Password strength checkers are dodgy at best. JesusJohn3:16 takes millions of years to crack -- except it doesn't. Dashlane's ideas on password strength are a little dated.





nunz
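The post above (and the earlier question about whether a dictionary word is any different from a made-up one) is really about guess order: a strength meter estimates charset^length, but a cracker tries cheap transformations of a wordlist first. The following is an added example, not code from the thread or from any of the tools mentioned. It implements a toy rule-based dictionary attack in the style of hashcat rules over a constructed seven-word list with constructed suffix tokens, and reports the 1-based guess index at which a password falls versus the naive brute-force space a meter would report. The 1e10 guesses/s rate is an assumed offline rate against a leaked fast unsalted hash.

```python
import itertools
import math

# Constructed mini wordlist standing in for a real cracking dictionary
# (real lists run to millions of entries; the mechanics are identical).
WORDLIST = ["password", "jesus", "john", "letmein", "welcome", "monkey", "dragon"]

# Constructed suffix tokens: punctuation and a Bible verse reference, the
# kind of tokens a real rule file appends. Digit runs are handled separately.
SUFFIX_TOKENS = ["!", "3:16", "@1", "!!"]


def case_variants(word):
    """The three case forms a simple rule engine tries for each word."""
    return (word.lower(), word.capitalize(), word.upper())


def candidates(words=WORDLIST, suffixes=SUFFIX_TOKENS):
    """Yield guesses in the order a rule-based attack would try them.

    Cheapest rules first: bare words, word + token, word + 1..4 trailing
    digits, then two-word compounds + token. Duplicates are harmless here.
    """
    for w in words:
        yield from case_variants(w)
    for w in words:
        for v in case_variants(w):
            for s in suffixes:
                yield v + s
    for w in words:
        for v in case_variants(w):
            for ndigits in range(1, 5):
                for n in range(10 ** ndigits):
                    yield v + str(n).zfill(ndigits)
    for a, b in itertools.permutations(words, 2):
        for va in case_variants(a):
            for vb in case_variants(b):
                for s in suffixes:
                    yield va + vb + s


def guess_index(target, words=WORDLIST, suffixes=SUFFIX_TOKENS):
    """1-based position of `target` in the guess order, or None if the rules never produce it."""
    for i, guess in enumerate(candidates(words, suffixes), start=1):
        if guess == target:
            return i
    return None


def rule_space(words=WORDLIST, suffixes=SUFFIX_TOKENS):
    """Total guesses the rule set can ever produce (the attacker's worst case)."""
    return sum(1 for _ in candidates(words, suffixes))


def naive_bruteforce_space(password):
    """What a typical strength meter assumes: charset_size ** length."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII symbols (assumed charset model)
    return charset ** len(password)


def compare(password, guesses_per_second=1e10):
    """(guess index, seconds via rules, seconds via naive brute force) for one password."""
    idx = guess_index(password)
    rules_s = idx / guesses_per_second if idx is not None else None
    brute_s = naive_bruteforce_space(password) / guesses_per_second
    return idx, rules_s, brute_s


if __name__ == "__main__":
    for pw in ["Password1234", "JesusJohn3:16", "ns8vfpobzmx098bf4coj"]:
        idx, rules_s, brute_s = compare(pw)
        years = brute_s / (365.25 * 86400)
        print(f"{pw:24s} rule guess #{idx}  naive brute force ~{years:.3g} years")
```

Both forum examples fall inside the first quarter-million guesses of a seven-word list, which an offline attack clears in well under a second, while the charset^length model for the same strings reports thousands of years. The random 20-character string is never produced by the rules at all, which is the property a generated password buys you.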

 
 
 
 


87 posts

Master Geek
+1 received by user: 23


  # 2221527 20-Apr-2019 15:29

timmmay:

I use KeePass2 to randomly generate passwords. My geekzone password has 65 bits of entropy, my AWS has 100 bits plus MFA. My work password only has 21 unfortunately, but I have to type it 100 times a day so it can't be too difficult to type.

 

Geektastic: I like short phrases or character names from books I've read.

 

Anything in a dictionary is easy to crack, even if you add a few numbers on the end.

 

 

So on that note, if I am not mistaken the other issue or the main one is not how easily passwords can be brute-forced with dictionary attacks but how {function-trustworthy} the server admin team of the service in question is. Where {function-trustworthy} = admin keeps every product patched, employs penetration testers, logs all access attempts to separate secure equipment, incorporates MFA where possible, compartmentalises employee privilege, etc...

 

 

By invoking {function-trustworthy} in my brain, am I engaging in also relying upon {function-assumptions-are-T.M.O.A.F} a bit too much? Is this what any of us do when picking a high entropy password for a service with a bad track record for platform breaches in the marketplace?

 

 

So my point is that my fictitious entity of {function-trustworthy} is a sort of heuristic of trust many of us use, when picking or generating passwords, that the host itself will remain secure. All those password dumps on haveibeenpwned usually came from attacks on the hosts' API zero-days and server-side scripting primarily, didn't they?

Circumspice
583 posts

Ultimate Geek
+1 received by user: 143

Trusted
Lifetime subscriber

  # 2221559 20-Apr-2019 18:42

Hmm, ns8vfpobzmx098bf4coj with a number added to the end of it should just about be impenetrable...


563 posts

Ultimate Geek
+1 received by user: 194


  # 2221565 20-Apr-2019 19:53

These password attacks require unlimited attempts until the correct one is stumbled upon.

 

Don't banks, online stores, etc have a limit to how many times an incorrect password can be entered before the account is locked out?

 

How many failed attempts does GZ allow?


2731 posts

Uber Geek
+1 received by user: 1319

Trusted
Subscriber

  # 2221567 20-Apr-2019 20:02
2 people support this post

A lot of discussion about brute force attacks, but in reality how many sites we log into are at risk of brute force attack?

 

Unless you have an unprotected database on some obscure server, most of us use passwords for the likes of email, social media, banking, cloud services etc, all of which will have protection against brute force attacks. If I stuff up my password for gmail more than a few times I'm stuffed, so I'm not particularly concerned about statistics of the time required for brute force attempts to crack my gmail password.

 

I use long passwords, unique by service, and protected by MFA where available, so I'm not particularly concerned about hackers trying to hack me at so many thousands of attempts per nanosecond.


14743 posts

Uber Geek
+1 received by user: 2746

Trusted
Subscriber

  # 2221569 20-Apr-2019 20:04
2 people support this post

How has no-one posted this yet?

 




BDFL - Memuneh
63292 posts

Uber Geek
+1 received by user: 13834

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 2221576 20-Apr-2019 22:16

k1w1k1d:

 

These password attacks require unlimited attempts until the correct one is stumbled upon.

 

Don't banks, online stores, etc have a limit to how many times an incorrect password can be entered before the account is locked out?

 

How many failed attempts does GZ allow?

 

 

Five attempts every few minutes then block for ten minutes. This would foil most brute force attempts for a strong password.
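The lockout policy stated above, together with the earlier points about online brute force being rate-limited and about KeePass-generated passwords having a known number of entropy bits, is worth putting into numbers. The following is an added example, not Geekzone's code or any forum software's code. It implements a per-account throttle (five failures inside a window, then a ten-minute block; the window length of three minutes is an assumption, since the post only says "every few minutes"), simulates an attacker who guesses as fast as the throttle allows for one day, and compares that online rate with an assumed 1e10 guesses/s offline rate against a leaked fast hash. The credential store is constructed; a real one would hold salted, slow password hashes, but the throttling logic is the same.

```python
import hmac
import math
from dataclasses import dataclass, field

# Constructed credential store (plaintext only to keep the example short).
CREDENTIALS = {"victim": "correct horse battery staple"}


@dataclass
class LoginThrottle:
    """Per-account lockout: max_attempts failures within window_s blocks the account for block_s."""
    max_attempts: int = 5
    window_s: float = 180.0   # assumed: "every few minutes"
    block_s: float = 600.0    # ten-minute block, as stated in the thread
    failures: dict = field(default_factory=dict)       # account -> [failure timestamps]
    blocked_until: dict = field(default_factory=dict)  # account -> timestamp

    def attempt(self, account, password, now):
        """Return 'ok', 'denied' (guess evaluated, wrong) or 'blocked' (guess not evaluated)."""
        if self.blocked_until.get(account, 0.0) > now:
            return "blocked"
        recent = [t for t in self.failures.get(account, []) if now - t < self.window_s]
        stored = CREDENTIALS.get(account, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self.failures[account] = []
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.blocked_until[account] = now + self.block_s
            recent = []
        self.failures[account] = recent
        return "denied"


def guesses_per_day(throttle, account="victim"):
    """Simulate an attacker submitting one wrong guess per second whenever the throttle allows."""
    now, evaluated = 0.0, 0
    while now < 86400:
        status = throttle.attempt(account, "not-the-password", now)
        if status == "blocked":
            now = throttle.blocked_until[account]  # nothing to gain by hammering a blocked account
            continue
        evaluated += 1
        now += 1.0
    return evaluated


def random_password_bits(length, alphabet_size):
    """Entropy of a uniformly random password, which is how generators like KeePass report strength."""
    return length * math.log2(alphabet_size)


def expected_days_online(bits, guesses_per_day):
    """Expected days to hit a `bits`-entropy password at the throttled online rate (half the space on average)."""
    return (2 ** bits / 2) / guesses_per_day


def expected_days_offline(bits, guesses_per_second=1e10):
    """Same password against an assumed offline rate on a leaked fast, unsalted hash."""
    return (2 ** bits / 2) / guesses_per_second / 86400


if __name__ == "__main__":
    per_day = guesses_per_day(LoginThrottle())
    print(f"throttled online attacker: {per_day} evaluated guesses/day")
    for bits in (21, 65, 100):
        print(f"{bits:3d} bits: online ~{expected_days_online(bits, per_day):.3g} days, "
              f"offline ~{expected_days_offline(bits):.3g} days")
    print(f"20 chars over [a-z0-9]: {random_password_bits(20, 36):.1f} bits")
```

Under this policy an attacker gets 720 evaluated guesses per account per day, so even the 21-bit work password from earlier in the thread holds up for years against online guessing; the same password falls in a fraction of a second once the hash database leaks, which is the case the 65- and 100-bit passwords are really sized for.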





931 posts

Ultimate Geek
+1 received by user: 195

Trusted

  # 2221584 20-Apr-2019 23:32

Jase2985:

 

its hard to memorize 50+ passwords especially when they are complex and especially when you change them regularly.

 

 

Very true indeed

 





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.




BDFL - Memuneh
63292 posts

Uber Geek
+1 received by user: 13834

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 2221587 21-Apr-2019 00:35

k1w1k1d:

 

These password attacks require unlimited attempts until the correct one is stumbled upon.

 

Don't banks, online stores, etc have a limit to how many times an incorrect password can be entered before the account is locked out?

 

How many failed attempts does GZ allow?

 

 

Also worth mentioning we are now using Google reCAPTCHA v3... Instead of solving a CAPTCHA this version gives a score to each page view or transaction and we are able to block based on this. Check a test transaction here.





12738 posts

Uber Geek
+1 received by user: 4243

Trusted
Lifetime subscriber

  # 2221592 21-Apr-2019 06:31

paulchinnz:

Hmm, ns8vfpobzmx098bf4coj with a number added to the end of it should just about be impenetrable...



But utterly impossible to remember unless you're Rainman...





12738 posts

Uber Geek
+1 received by user: 4243

Trusted
Lifetime subscriber

  # 2221593 21-Apr-2019 06:33

The sooner passwords can be replaced with biometrics the better, really, I would think.

Why we haven't seen Apple put Face Unlock into computers yet I don't know.





339 posts

Ultimate Geek
+1 received by user: 198

Lifetime subscriber

  # 2221596 21-Apr-2019 08:09
One person supports this post

Geektastic: The sooner passwords can be replaced with biometrics the better, really, I would think.
Why we haven't seen Apple put Face Unlock into computers yet I don't know.

 

There are two difficulties with biometric identification

 

     

  1. There is no privacy / anonymity anymore. No way to interact on the web except with potential full exposure of yourself.
  2. There is no security anymore. If someone guesses or steals your password / PIN / credit card number, you just get a new one. If they get access to the string that uniquely represents your biometric details, then you ... no, you're stuffed. And their uniqueness and non-repudiation will make them very high value targets.

379 posts

Ultimate Geek
+1 received by user: 99


  # 2221597 21-Apr-2019 08:19

Geektastic: The sooner passwords can be replaced with biometrics the better, really, I would think.

Why we haven't seen Apple put Face Unlock into computers yet I don't know.


Even biometrics have downsides. I have multiple sites where we have biometrics set up and there are a few people who cannot use the biometrics or whose biometrics cannot be read, so you are back in the same position of passwords or cards.

1353 posts

Uber Geek
+1 received by user: 281

Subscriber

  # 2221603 21-Apr-2019 09:35

sparkz25:
Geektastic: The sooner passwords can be replaced with biometrics the better, really, I would think.

Why we haven't seen Apple put Face Unlock into computers yet I don't know.


Even biometrics have downsides. I have multiple sites where we have biometrics set up and there are a few people who cannot use the biometrics or whose biometrics cannot be read, so you are back in the same position of passwords or cards.


Two downsides to biometrics.
1. They don't work for me and others. Fingerprint scanners fail me. Probably the same reason touch screens don't respond to my touch all the time. Dry and roughed up fingers from woodwork and maybe age.
2. An eyeball or finger removed still works. The thieves will take your hand, not your swipe card.

A security pen drive or rfid key or similar backed with an unlock password works as does 2fa if txt or similar are working at the time

Quantum computing will render all this obsolete




nunz
