52 Comments
- Craga89, on 10/12/2007, -6/+34
Tell me about it, if this gets to the front page what's next?
"Cancer is bad for you!"

- holmes101, on 10/12/2007, -6/+30
The word "duh" may be in order here...

- jfair, on 10/12/2007, -1/+13
"1 2 3 4 5? That's amazing! I've got the same combination on my luggage!"

- mtwoar, on 10/12/2007, -2/+13
@Craga89
Why digg the story if you don't want it to make it to the front page?

- OBDriftwood, on 10/12/2007, -1/+12
Read the story. Schneier does some good analysis on current cracking methods, provides usable metrics, and gives sage advice on creating better passwords.
One piece of advice he doesn't give is to use pass-phrases instead of passwords. Each character added to a password increases time to crack by a logarithmic factor. Unfortunately many systems limit passwords to 8 or 12 characters.

- NanoStuff, on 10/12/2007, -1/+10
"Secure Passwords Keep You Safer"
I gotta write this down somewhere so I don't forget.

- dtfinch, on 10/12/2007, -0/+8
The title is about as obvious as they come, but the article is a little better, and anything by Bruce Schneier gets a digg.

- armbar, on 10/12/2007, -1/+8
So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life!

- Urusai, on 10/12/2007, -0/+7
Too bad secure passwords are so baroque that people end up sticking them on the flip side of their keyboard or the side of their monitor.

- Narwaffle, on 10/12/2007, -1/+7
Sometimes I like to be really devious and make my passwords 5 4 3 2 1.

- capiCrimm, on 10/12/2007, -1/+6
@Craga89
Unless your name is Lance Armstrong, in which case cancer gives you magical powers.

- Hercules, on 10/12/2007, -0/+3
Two ways of security breach are important... perimeter security and social engineering.
Perimeter security refers to your firewalls. Are they hardened against attacks? Do they have backdoors to make an admin's life easier (and a hacker's life easier too!)? If a hacker can get past your hardened firewall, then your internal passwords for Windows and the like, stored in hashes, are a J-O-K-E.
Social engineering is the second problem, where you walk in as a printer repair guy, and hack a company's servers. It's easy to do too. And if you train your employees, they will be able to ward it off.
So to review, harden your firewalls, and don't make password complexity a burden, because how secure is a password when it's written underneath the keyboard of the user? Because let's face it... password resets are like the #1 call at help desks, and when you have complex passwords well........ people just take it upon themselves to make it easy.

- bitterg, on 10/12/2007, -6/+9
There are few stories I've thought were truly worthy of "OK, this is lame." This is one of them.

- bpapa, on 10/12/2007, -2/+5
Did any of the ***** even read the article? It's actually very interesting.

- kz26, on 10/12/2007, -0/+3
Yup. I can testify to the weakness of most passwords. I cracked my school's WinXP Pro Admin account password in about 1 minute using ophcrack. The password, believe it or not, was "tinman". WTF.

- crilen007, on 10/12/2007, -1/+4
Or you can just type a bunch of random ***** and remember it.
Remembering a few alphanumeric characters isn't hard.
Although the sentence idea is better than both of our ideas, because it's good for the normal folk.

- inactive, on 10/12/2007, -0/+3
Only if you have the password hashes stored in memory beforehand. There are two problems with that.
1. It takes too long to compute all the hashes.
2. No computer or computer server system has enough memory for 2^128 hashes. Remember that the largest hard drive stores only 2^40 bytes. Google might have a few petabytes or 2^50 in their server system. This is so far beyond that. 2^128 is such a phenomenally large number.

- heavensblade23, on 10/12/2007, -0/+3
I think the best reasonable thing to do is to use a password saving program. Then you can use a maximum length secure password for everything and you only have to remember one strong master password.

- skymt, on 10/12/2007, -0/+2
@capiCrimm
That's it then! I'll just change my name!
Now... where can I find an old x-ray machine so I can soak up some radiation? eBay?

- mc7winkie, on 10/12/2007, -0/+2
The best password is just an easy to remember sentence like "myfavoritefoodispie". None of those password crackers can do very long passwords and if it is a sentence it is easy for you to remember.

- crilen007, on 10/12/2007, -0/+2
No haha, it's all *****.
What's your email account btw?

- Nick22, on 10/12/2007, -2/+3
Guess I'm not the only one who thinks this writer is Captain Obvious.

- stuartcow, on 10/12/2007, -1/+2
https://www.grc.com/passwords.htm
thank me later

- tmcleroy, on 10/12/2007, -5/+6
secure passwords keep you safer??!!?! holy ***** are you serious???

- inactive, on 10/12/2007, -2/+3
This is just bad programming. 900 passwords per second in WinZip? That's an embarrassment. It's easy to add a computational overhead to increase the amount of time it takes to try a password. I seriously doubt that the end user will notice a 100ms delay versus a 1ms. That delay really adds up when you repeat a billion times. That's why a program like TrueCrypt hashes the password 1000 times to increase the delay. With TrueCrypt you can only try something like 10 passwords per second. Fast enough not to bother the users, slow enough that you can't repeat the process a trillion times in an hour.
Also, TrueCrypt uses a cryptographically strong SALT, so that precomputed rainbow tables just don't work.

- bpapa, on 10/12/2007, -3/+4
To the people slamming this - did you even ***** read the article? It's actually very interesting.
- inactive, on 10/12/2007, -1/+2
I am thinking about multiple computers and this will be secure into the future. Right now Google has one of the biggest networks of servers in the world and they can only store 8 petabytes max. Remember a petabyte is 2^50 so Google is at 2^53 bytes right now. If you follow Moore's law, then in 10 years capacity will only increase 6 fold. That's about 2^56 bytes if you're being generous. In 100 years, capacity will go up 66 fold. That's still nowhere near good enough. That will only put you at 2^59 bytes or 2^60 if you want to be generous. This is nowhere near 2^128. Bottom line, no one is going to steal your (sufficiently complex) TrueCrypt password because they have uber-secret NSA computers. They are going to find the piece of paper you wrote it down on or put you in prison until you tell them.

- inactive, on 10/12/2007, -1/+2
Wrong. A 128 bit hash should have 2^128 different hashes. To compute them all would take longer than the life of the sun.

- capiCrimm, on 10/12/2007, -0/+1
Even better, take something like a poem or lyrics, then algorithmically change them.
For example say I choose Robert Frost's Fire and Ice. Say I take the first letter of the first 8 words, and I flip every two of them. Then we can capitalize nouns, and leetify verbs.
"Some say the world will end in fire; "
s s t w w e i f
ss wt ew fi
$S Wt 3W Fi
You can postfix with our algorithm. 8 words, flip 2
$SWt3WFi^8#2
and normally a constant prefix or postfix you add to all your passwords (normally symbols like "*7&s"), or the year/month if it's a password that frequently needs to be changed.
pre-$SWt3WFi^8#2-post
It gives you sufficiently complex passwords and you don't have to remember funny passwords, just where you got it from and what you did to it. Other things you could do are take different letters than the first from the word, say the first, then second, then third letter. Whatever you choose to do, be consistent with it. Don't take the first letter and flip them for one password, then switch to taking the last letter and doing the line backwards or something.

- C0D3R, on 10/12/2007, -0/+1
Where is the perimeter for a laptop with wireless 802.11?
Is waterboarding considered social engineering?

- skymt, on 10/12/2007, -0/+1
My passwords are all Panic! at the Disco song titles. How long would it take a password cracker to come up with "The Only Difference Between Martyrdom and Suicide Is Press Coverage"?
(I kid. Though it's not a bad idea, just choose a better [but equally verbose] band.)

- terminalpariah, on 10/12/2007, -0/+1
My two favourite password tools:
KeePass - http://keepass.info/
Secure password database, with a nifty built-in generator. Just pull the passwords out with a CTRL-C when you need them (KeePass then clears the clipboard after 10 seconds).
apg - http://www.adel.nursat.kz/apg/download.shtml
Multi-platform password generator that creates *pronounceable* passwords. I find they are much easier to remember. Great for digg, instant messenger, and other sites/services that I might need "on the go."

- inactive, on 10/12/2007, -0/+1
Of course, you could go the bugmenot route and post your password for all to see.
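capiCrimm's recipe a few comments up (first letter of the first 8 words, flip every pair, append the parameters as a postfix, wrap in a constant prefix/suffix) written out as an added Python example; this is not code from the thread or from any of the commenters. The "capitalize nouns, leetify verbs" step is a manual judgement in the comment, so here it is passed in as explicit character positions, and the leet substitution map is an assumption of this example.

```python
import re

# Constructed from the comment's own worked example (Frost's "Fire and Ice").
LINE = "Some say the world will end in fire;"

# Assumed leet substitutions; the comment leetifies by hand, so this map
# only stands in for that manual step.
LEET = {"s": "$", "e": "3", "a": "@", "o": "0"}


def first_letters(line: str, n_words: int) -> str:
    """Step 1: first letter of each of the first n words ('s s t w w e i f')."""
    words = re.findall(r"[A-Za-z]+", line)
    if len(words) < n_words:
        raise ValueError(f"line has only {len(words)} words, need {n_words}")
    return "".join(w[0].lower() for w in words[:n_words])


def flip_pairs(s: str, group: int) -> str:
    """Step 2: cut into groups of `group` letters and reverse each ('ss wt ew fi')."""
    groups = [s[i:i + group] for i in range(0, len(s), group)]
    return "".join(g[::-1] for g in groups)


def stylize(s: str, leet_positions=(), upper_positions=()) -> str:
    """Step 3: the manual 'capitalize nouns, leetify verbs' step, given as index sets.
    For the thread's example: leet {0, 4}, upper {1, 2, 5, 6} -> '$SWt3WFi'."""
    out = []
    for i, ch in enumerate(s):
        if i in leet_positions:
            out.append(LEET.get(ch, ch))
        elif i in upper_positions:
            out.append(ch.upper())
        else:
            out.append(ch)
    return "".join(out)


def derive(line: str, n_words: int = 8, group: int = 2, leet_positions=(),
           upper_positions=(), prefix: str = "", suffix: str = "") -> str:
    """Whole recipe: letters -> flip -> stylize -> '^n#group' postfix recording the
    parameters -> constant prefix/suffix shared across all of your passwords."""
    core = stylize(flip_pairs(first_letters(line, n_words), group),
                   leet_positions, upper_positions)
    return f"{prefix}{core}^{n_words}#{group}{suffix}"


if __name__ == "__main__":
    print(first_letters(LINE, 8))                                   # sstwweif
    print(flip_pairs(first_letters(LINE, 8), 2))                    # sswtewfi
    print(derive(LINE, leet_positions={0, 4}, upper_positions={1, 2, 5, 6},
                 prefix="pre-", suffix="-post"))                    # pre-$SWt3WFi^8#2-post
```

Running it reproduces the comment's intermediate strings and the final `pre-$SWt3WFi^8#2-post`. Note that everything the function does is deterministic given the source line, the parameters and the affixes, so the secrecy of a password made this way rests entirely on those choices staying private and, as capiCrimm says, on applying the same rule every time.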
- shertzerj, on 10/12/2007, -0/+1
When I started at Penn State I was using the default password for my email (8 random lowercase letters). Well, I was really lazy and ended up just memorizing the letters. I graduated last year, but I still use that password as my domain password at work (just added a couple numbers and capitalized some letters and now it's a really strong password).

- TimTheEnchanter, on 10/12/2007, -0/+1
I couldn't find the link to the article or the paper but I did remember something important about the paper. The number of hashes in the final table is not reliant on the length of the hash. It's reliant on the number of distinct combinations of passwords. So, let's take a password that is 10 characters in length. Let's also say we are dealing with alpha-numeric with a few special characters sprinkled in (26 + 10 + 10 = 46). In this case we are dealing with 46 ^ 10 different combinations. To make the comparison easier, let's make the number of characters from 46 to 64. That's 64^10 or (2^6)^10 or 2^60. That would be the max number of hashes that needs to be stored. Also, even if the hash is done 1000 times, the table to compare it is still the same because it all starts with the max number of different combinations. Further, even if the hash is done 1000 times, it still only takes at max 60 binary operations to get the password. Now 2^60 is still a very large number but not as large as 2^128. Also, I believe this was just the beginning of the paper and I'm sure there are other ways to reduce the size of the table.
Again, passwords alone are not enough. Not for this reason alone. This may be the least important reason but I just didn't want people to get false hope.

- dstz, on 10/12/2007, -0/+1
I have two passwords: a simple one for everything that sucks, and a complex one for gmail.
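Two comments above argue about the same mechanism from different sides: inactive says TrueCrypt iterates the password hash 1000 times and adds a salt so precomputed tables "just don't work", and TimTheEnchanter says the precomputed table for a 10-character, 64-symbol alphabet is 2^60 entries no matter how many times the hash is iterated. The following is an added Python example, not code from the thread or from TrueCrypt or WinZip, that shows both points with the standard library's PBKDF2: a per-user random salt means a table built for one salt is useless for another, while the iteration count multiplies the cost of every guess. The password "tinman" and the salts are constructed sample values; the iteration count and the 900-per-second and 10-per-second rates are the figures quoted in the thread.

```python
import hashlib
import hmac
import math
import os
import time

PASSWORD = b"tinman"     # constructed sample, from kz26's anecdote above
ITERATIONS = 1000        # the iteration count inactive attributes to TrueCrypt


def stretched_hash(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: derive 32 bytes from password + salt, iterating
    `iterations` times so every guess costs the attacker that same work."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def new_record(password: bytes) -> dict:
    """What a store keeps per user: a fresh random 16-byte salt plus the stretched
    hash. The salt is not secret; it only has to be unique per record."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "hash": stretched_hash(password, salt)}


def verify(record: dict, attempt: bytes) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    candidate = stretched_hash(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def salt_defeats_shared_table(password: bytes) -> bool:
    """Same password under two salts gives two unrelated hashes, so a table
    precomputed for one salt (TimTheEnchanter's 2^60 entries) says nothing
    about any other record; it would have to be rebuilt per salt."""
    a = stretched_hash(password, b"constructed-salt-A")
    b = stretched_hash(password, b"constructed-salt-B")
    return a != b


def guesses_per_second(iterations: int, trials: int = 200) -> float:
    """Measure how many candidate passwords this machine can test per second at
    a given iteration count; the ratio between two counts is the slowdown."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for i in range(trials):
        stretched_hash(b"guess%d" % i, salt, iterations)
    return trials / (time.perf_counter() - t0)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of candidates: 64^10 -> 60 bits, 46^10 -> about 55."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return (2 ** bits) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    rec = new_record(PASSWORD)
    print("correct password verifies:", verify(rec, PASSWORD))
    print("wrong password verifies:  ", verify(rec, b"tinmen"))
    print("different salts, different hashes:", salt_defeats_shared_table(PASSWORD))
    fast, slow = guesses_per_second(1), guesses_per_second(ITERATIONS)
    print(f"guesses/s at 1 iteration: {fast:,.0f}; at {ITERATIONS}: {slow:,.0f}; "
          f"slowdown about x{fast / slow:,.0f}")
    for alphabet, length in ((46, 10), (64, 10)):
        bits = keyspace_bits(alphabet, length)
        for rate in (900, 10):   # WinZip vs TrueCrypt rates quoted in the thread
            print(f"{alphabet}^{length} = 2^{bits:.1f} at {rate}/s: "
                  f"{years_to_exhaust(bits, rate):.3g} years")
```

The measured slowdown between 1 and 1000 iterations is roughly the factor inactive describes (the exact numbers depend on the machine), and `years_to_exhaust` shows why the iteration count matters even though it does not shrink TimTheEnchanter's 2^60 candidate set: the set is the same size, but each entry costs 1000 times as much to compute, and with a per-record salt it has to be computed again for every record attacked.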
- steal_apps01, on 10/12/2007, -0/+1
I thought diggers hated Steve Gibson, ref: grcsucks.com. Or maybe that was the Slashdot crowd.

- SjRaptor, on 10/12/2007, -0/+0
I like to put "random letters" on sticky notes on my monitor.. kind of throws people off, having them think it's my password, when in actuality, it doesn't mean anything!

- sporm, on 10/12/2007, -0/+0
Create passphrases using shocking nonsense. Memorable but very hard to guess:
http://www.unix-ag.uni-kl.de/~conrad/krypto/passphrase-faq.html

- haggie, on 10/12/2007, -2/+2
Ignoring stupid Diggs from MrBabyMan saves you time.

- IceUck, on 10/12/2007, -1/+1
Bruce Schneier beats Ric Romero to the punch!

- coldphoenix, on 10/12/2007, -1/+1
The most secure password combined with brevity is one that is at least 8 characters long, a combination of upper and lowercase letters if your service permits this of course, and various numbers thrown in not just at the end, but at various points along your password. But when it comes to brute force or rainbow tables, anything with over 8+ characters is next to impossible to crack (not that it's impossible, it just takes a super long time to crack and probably not worth the cracker's precious time).

- goat2, on 10/12/2007, -2/+2
In other news, fire is hot.

- TimTheEnchanter, on 10/12/2007, -1/+1
@truegodofwar
That's absolutely true...today. That has been the factor keeping this from working. But, we're almost there at a point of making this possible. In fact if someone REALLY wanted to do this, I would think it is possible now. Don't think single computer. Think multiple computers. Also think about 10 years down the line. We have to move past passwords.

- LemurHorde, on 10/12/2007, -1/+1
A simple spelling mistake would completely boggle the dictionary attack, and is almost as good as random characters. There is an added bonus if that mistake is unpronounceable.

- dlinkwit27, on 10/12/2007, -0/+0
So I should stop using abc123?

- vikingcoder, on 10/12/2007, -1/+0
I use random.org to generate 8 bytes of random data, and then run it through a hex => base 62 converter [ http://www.triplenine.org/main/baseconverter.asp ].
They work for me, but everybody else rolls their eyes at my passwords.
ex: 8EscWbgHLLU

- TimTheEnchanter, on 10/12/2007, -2/+1
We can play the numbers game even further and say that if technology gets there by some jump due to some new discovery in data storage, memory and speed, all we have to do is lengthen the hash. My point is to add to the fact that passwords alone are not enough. If I read you right, you believe the same thing. Arguing over the numbers is just distracting us away from the main point I was trying to make. If the numbers seem wrong, I'm sorry. I was just over simplifying a paper I glanced at some time ago.
My main point again is that passwords alone are not enough.

- TimTheEnchanter, on 10/12/2007, -2/+1
The article is good to help the non-technical people to understand why all the security with password strength and regular changes is necessary. For the more technical people, I think we wanted to hear something more along the line of "passwords alone are not good enough". Technology has gotten to a point that we can load up a table of hashes matched to every possible combination and run a simple binary search to match up the hash. I think something like a 128bit hash would at most take 128 steps to get the match. If hashed 1000 times that's still only 128,000 binary comparisons.

- DerekV, on 10/12/2007, -1/+0
This just in
FIRE BURNS