Author Topic: IMPORTANT: Password Security  (Read 41448 times)

Offline Jazza

  • Site Technician
  • Administrator
  • Centurion
  • *****
  • Posts: 158
  • Mr. No-Moar-Upgrades-Plz
IMPORTANT: Password Security
« on: September 23, 2005, 02:43:30 AM »
Sorry to bring this up (And to do it) but this is quite important.
Nobody at Paranormal.com.au knows users' passwords. They are all encrypted and totally illegible.

But they can easily be guessed if they are common words such as "bigpup" or "120674".

In the interest of security I cracked paranormal.com.au's users' passwords and there were surprisingly a lot of weak passwords.

A password should be a combination of capital and normal letters as well as numbers and at least 5 characters long. A symbol like an underscore _ can also be used.

Just numbers or a word are not strong passwords and can be easily broken.

To change your password go to your Profile and you can change it there.

Example of bad passwords:
haunted
ghost
password
bobbie89
puppydog
45621
1password1

Example of good passwords:
B0bb1e_89
PuP_py_d0g
4S_62i
1_Pa55w0rD_1

In the very LEAST, have a symbol!
Remember, just because you may not consider your Paranormal account important doesn't mean you should not have a secure password. Some hacking attacks require authorised access and some people (Like moderators) have got higher access to the forum. This means hackers could get into more parts and damage more things.
SpamBots can also abuse a hacked account.

Please do not use the following examples above as your password
« Last Edit: March 20, 2007, 05:19:21 PM by SargentJazza »
There's always the Back button. Is your browser up to date?


Offline Christine

  • Administrator
  • Senior Contributor
  • *****
  • Posts: 28912
    • http://www.spookspotters.com.au
Passwords
« Reply #1 on: September 23, 2005, 01:26:54 PM »
Hi SJ,
So that obviously means our passwords are case sensitive?
Thanks for the post. I guess we could keep that in mind for any forum we are on.
I know the Australian Idol forum is having problems at the moment with people cracking other people's passwords and posting stuff up in their name.
Christine
If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family anatidae on our hands.
Douglas Adams


Offline Flutterbit

  • Contributor
  • *****
  • Posts: 661
IMPORTANT: Password Security
« Reply #2 on: November 20, 2005, 02:03:38 PM »
Well I wasn't too worried about passwords at a paranormal forum (I have other things that are more important to protect) but I suppose that is a good point about people saying stuff I wouldn't.  I have one really good password, so I guess I'll go and change it.

Thanks
Flutterbit

Offline Christine

  • Administrator
  • Senior Contributor
  • *****
  • Posts: 28912
    • http://www.spookspotters.com.au
IMPORTANT: Password Security
« Reply #3 on: November 22, 2005, 07:18:15 PM »
Maybe I should change my bank passwords then!
Christine
If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family anatidae on our hands.
Douglas Adams


Offline Jazza

  • Site Technician
  • Administrator
  • Centurion
  • *****
  • Posts: 158
  • Mr. No-Moar-Upgrades-Plz
IMPORTANT: Password Security
« Reply #4 on: November 23, 2005, 10:57:06 PM »
To tell you the truth, passwords are obsolete. Biometrics are the future.... (Fingerprints, iris scanners etc.)
Of course everything can be beaten...
There's always the Back button. Is your browser up to date?


Offline catseyes

  • Cryptocat
  • Spookspotter Team
  • Senior Contributor
  • *****
  • Posts: 19840
  • Felineous caticus pusspuss
Re: IMPORTANT: Password Security
« Reply #5 on: March 21, 2007, 12:49:46 PM »
Jazza can you crack mine?  Do I need to change it?  If I make it hard I forget what I put!


Offline Trent1

  • Senior Contributor
  • *****
  • Posts: 1085
Re: IMPORTANT: Password Security
« Reply #6 on: March 21, 2007, 01:53:45 PM »
Sj i was watching mythbusters u can crack a fingerprint scanner with a photocopy of the users fingerprint... ur right, everything is crackable
We are merely a part of the universe, in its entirety. like a leaf on a tree, in the ground, covered by atmosphere, pulled by gravity around the sun... it goes on.
We are all one.
Don't you think its time we started acting like it

Offline scaredycat

  • Senior Contributor
  • *****
  • Posts: 2881
Re: IMPORTANT: Password Security
« Reply #7 on: March 21, 2007, 05:12:18 PM »
A guy at a computer shop told us to never type in a password, that you should open a document on a page and just cut and paste the password instead.  He said that it is a good one for bank accounts and the like because most hackers use technology that has something to do with the keystrokes typed.

Quite frankly if they can get my bank account details good luck to them getting money out before all the direct debits come out!!
Ability is what you're capable of doing...
Motivation determines what you do...
Attitude determines how well you do it. ~ Herman de Zwaan

Offline TooL

  • Senior Contributor
  • *****
  • Posts: 1209
  • [I rule soo bad]
    • http://www.dissectional.com
Re: IMPORTANT: Password Security
« Reply #8 on: March 21, 2007, 09:37:13 PM »
If you are worried about logging keystrokes then you might want to invest in some anti-spyware program. That's why I love my mac. I will never access any financial info on a PC.

I like the password "god". So many IT systems managers have used it.

[I rule soo bad]
I rule so bad I'm going to vomit baby sea turtles

Offline Jazza

  • Site Technician
  • Administrator
  • Centurion
  • *****
  • Posts: 158
  • Mr. No-Moar-Upgrades-Plz
Re: IMPORTANT: Password Security
« Reply #9 on: March 21, 2007, 10:12:11 PM »
Please, don't follow that advice.
That will still not beat key loggers who log the keys you press at a low level, despite what application.
The problems with using that method are:
1) There is no proper active data protection of the text inside the document sufficient enough for passwords
2) It's clearly visible to people around you or if a hacker can see your screen through remote software
3) When you copy it across to your browser, it has to enter "the clipboard" which any application can view.
4) Passwords are still usually sent through plain text over the internet anyway meaning anybody who is connected to the same route that the traffic takes can sniff out your traffic.

Nothing is hack proof, that method simply makes it easier, the password fields at least have some protection from rogue programs accessing the data within them.
If someone wants to get into an account, and has the skill, they will get in. You won't hear any company say that, but it's true. All it takes is time. At least with a strong password it takes a longer amount of time to break into an account, therefore it doesn't become viable to do it since the benefit can be so little.
Could you PM the name of computer place you got that advice so I know never to go there?

By the way, there are many types of fingerprint scanning methods, the cheap ones (Consumer types, <$1000) use a special light scanning method and do not scan the entire fingerprint. So it is easier to fake.

The password "god" would only take 108^3 combinations to crack, at an average of ~2000 combinations per second it would take 10.49 minutes to crack, using simply brute force.
Other more complex methods (Non dictionary) I know of will crack that within 3 seconds :P
« Last Edit: March 21, 2007, 11:13:00 PM by SargentJazza »
There's always the Back button. Is your browser up to date?


Offline Bigbird

  • Centurion
  • ****
  • Posts: 121
Re: IMPORTANT: Password Security
« Reply #10 on: April 01, 2007, 11:41:04 AM »
Hope I don't have to change mine
over the last couple of weeks I tried to sign on to 5 other forums ..can't get to any of them ..I used different usernames different passwords and forgot the darn lot even registered as under 13 on one by mistake so it was all a waste of time, don't tell me I should have written it down  cos I did ...where is it ?? so no more wandering for me..too old to learn new tricks lol..please don't tell me to change mine or I may never find myself again.
want to live forever dont want to miss a thing.

Offline Christine

  • Administrator
  • Senior Contributor
  • *****
  • Posts: 28912
    • http://www.spookspotters.com.au
Re: IMPORTANT: Password Security
« Reply #11 on: September 21, 2008, 03:24:53 PM »
Palin E-Mail Hack Shows Webmail's Flaw
Carl Jongsma, Computerworld Australia

Saturday, September 20, 2008 5:00 AM PDT
If you needed any more reminders about why it isn't a good idea to use external mail services to conduct critical business, the recent break-in to US Republican Vice-Presidential candidate Sarah Palin's gov.palin@yahoo.com Yahoo inbox should be it. Of note is that following the disclosure of the inboxes the compromised address and another address, gov.sarah@yahoo.com, have been suspended.

US politics has been stung by a range of inappropriate email usage incidents, including the use of non-government email accounts to conduct official business. From the images presented as proof of email compromise, it seems that Sarah Palin was also doing this.

Various Information Security mailing lists have from time to time been filled with claims of inbox compromise, usually for free webmail services and it is always two parts voyeurism, two parts fear that it could be you next whenever someone has had their email exposed so publicly.

Some companies have decided that the economy of scale offered by services like Gmail are worth it to have their email needs handled through them rather than maintaining their own in-house systems and servers. The risk, as has been proven time and time again, is now that it only takes a simple password recovery to have your email exposed to all.

Password recovery procedures are an area where the balance between security and usability is so blurred that most times the security aspect is non-existent, despite appearances. The leading theories about how the breach to Sarah Palin's account came about were that it was through the password recovery options associated with the Yahoo webmail interface.

Even if a user has selected non-standard secret questions, or has linked other email accounts, this sort of information isn't going to take a determined hacker very long to dig up, especially if the target is already someone in the public eye. Even if the target is not a public identity, the rise of social networking sites and personal blogs means that it shouldn't take too long to dig up enough information about someone to have a better than average chance at correctly guessing the answers to most secret question choices.

Once the account has been compromised, it then becomes a matter of what the attackers are going to do next. Some attackers have used compromised email accounts to take control of other assets belonging to the legitimate email owner, including Web sites, or have used the inbox access to spread malicious content to the contacts of the real owner.

Since most of these compromises have been about the ability to boast that they have done it, or for short term gain, the real risk of inbox compromise hasn't really been explored very well. The biggest risk following a compromise is from the disciplined attacker. They will not highlight their presence through splashing email content around the place, nor highlight their presence by sending objectionable material to all and sundry. Instead, they will use their access to amass critical information on their target (be it corporate espionage, personal blackmail, or other leverage) or send the occasional message and hope that it is infrequent enough to not be noticed.

Many companies try to block access to webmail services through their corporate networks in an attempt to limit the risk of employees sending sensitive corporate information through channels that can not be managed by the corporation.

It isn't so much to stop employees from wasting time on personal email through webmail, rather it is a risk management practice validated by this most recent compromise. Even if a company has implemented the block to prevent employees wasting time, the risk reduction is a beneficial side effect.

If you are busy using external webmail or email hosting providers, perhaps you should take another look at just how hard it is to gain anonymous access to that information and ensure that you have properly assessed the risk/benefit tradeoffs associated with using the services.

If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family anatidae on our hands.
Douglas Adams


Offline Christine

  • Administrator
  • Senior Contributor
  • *****
  • Posts: 28912
    • http://www.spookspotters.com.au
Re: IMPORTANT: Password Security
« Reply #12 on: September 21, 2008, 03:26:48 PM »
The Importance of Strong Passwords
Keep your computer, data and accounts safe with strong passwords.

Your first line of defense on the Web is creating the strongest password possible to protect your computer, your data and your online accounts. That may sound like common sense, but hackers have become increasingly sophisticated at password “cracking.” What may have been considered a strong password a year ago may now be considered an open window to your computer. Internet security is based on a “weakest link” principle; hackers are constantly searching to find the weakest link possible to give them access to a network or computer. Often that weak link is a weak password.

There are a number of dos and don’ts when creating and managing your passwords, but there are some basic guidelines you can follow.

Use both upper- and lower-case letters
Incorporate numbers or punctuation marks
Use at least one of these special characters: ! @ # $ % * ( ) - + = , < > : : “ ‘ .
Make it at least 8 characters long.
A strong password does NOT, in any way, use your personal information, such as name, phone number, Social Security number, birth date, address or names of anyone you know.
Come up with something you can remember easily, but would be virtually impossible for anyone else to guess.
So, what can happen when you don’t have a strong password? If someone else is able to guess or crack your password, you give them access to your e-mail or IM messages, your bank accounts, your research, your contact lists or anything else you may have on your computer. They could start to alter or destroy files or even overtake your computer and turn it into a zombie. (A zombie computer is one overtaken by a hacker and used to perform malicious tasks, such as sending out large amounts of spam.)

There are a lot of techniques being used to steal passwords. Some of the most common include:

Guessing. There are a number of programs designed to guess a user’s password based on information found online about the user, such as names, birth dates, names of friends or significant others, pet names or license plate numbers. They can even search for a word spelled backwards.
Dictionary-based attacks. Programs and software also exist that will run every word in a dictionary or word list against a user name in hopes of finding or guessing a password.
“Brute Force” attacks. This attack method refers to trying every conceivable combination of key strokes in tandem with a user name to find the password. There are programs that can run brute force attacks very quickly. The best way to beat a brute force attack is to have a long and complex password, using upper and lower case letters, numbers, special characters and punctuation marks.
Phishing. This is a common scam technique where a hacker will send out an urgent IM or e-mail message designed to alarm or excite users into responding. These messages will appear to be from a friend, bank or other legitimate source directing users to phony Web sites designed to trick them into providing personal information, such as their user names and passwords.
“Shoulder surfing.” Be careful when logging on to a computer in public, such as a computer lab, cybercafé or library. There may be hackers lurking around for the express purpose of watching people enter their user names and passwords. It’s a good idea to have a password you can enter quickly without looking at the keyboard.
Keep in mind that protecting your computer and accounts with strong passwords also protects other users when connected by a network. For instance, just about every student, faculty member and staff member at The University of Texas at Austin regularly accesses the university network. If one password is breached, all of the computers on the network are put at potential risk for hackers, viruses or worms. We each need to do our part to protect computing resources at the university. Just remember, a network or account is only as strong as its weakest password.
If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family anatidae on our hands.
Douglas Adams
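
Added example, not part of any post in this thread: a Python check that applies the guidelines quoted in Reply #12 and the brute-force figures from Reply #9 to the sample passwords in the first post. The look-alike substitution table and all function names are assumptions of this example.

```python
import string

# Sample passwords copied from the first post of the thread.
THREAD_BAD = ["haunted", "ghost", "password", "bobbie89", "puppydog", "45621", "1password1"]
THREAD_GOOD = ["B0bb1e_89", "PuP_py_d0g", "4S_62i", "1_Pa55w0rD_1"]

# Look-alike substitutions: an assumption of this example, not a list from the thread.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

# Special characters listed in Reply #12 (written here with straight quotes).
SPECIALS = set("!@#$%*()-+=,<>:\"'.")

ALPHABET = 108           # symbols per position, as used in Reply #9
GUESSES_PER_SEC = 2000   # guessing rate given in Reply #9


def guideline_failures(pw):
    """Return the Reply #12 guidelines that pw does not meet."""
    fails = []
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        fails.append("mixed case")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        fails.append("number or punctuation")
    if not any(c in SPECIALS for c in pw):
        fails.append("listed special character")
    if len(pw) < 8:
        fails.append("8+ characters")
    return fails


def normalise(pw):
    """Lower-case, undo look-alike substitutions and drop separators."""
    return "".join(c for c in pw.lower().translate(LEET) if c.isalnum())


def derived_from_weak(pw, weak=THREAD_BAD):
    """True if pw equals a known weak password once both are normalised."""
    return normalise(pw) in {normalise(w) for w in weak}


def worst_case_minutes(pw):
    """Time to try every string of len(pw) symbols at the Reply #9 rate."""
    return ALPHABET ** len(pw) / GUESSES_PER_SEC / 60


if __name__ == "__main__":
    for pw in THREAD_BAD + THREAD_GOOD + ["god"]:
        print(f"{pw:14} fails={guideline_failures(pw)} "
              f"weak_variant={derived_from_weak(pw)} "
              f"worst_case_min={worst_case_minutes(pw):.4g}")
```

Run against the thread's samples, each of the four "good" examples normalises to one of the "bad" ones, which is why a password audit should compare normalised forms and not only count character classes.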


Offline Merrick

  • Paranormal Guru
  • Senior Contributor
  • *****
  • Posts: 1467
  • Nam Myōhō Renge Kyō
Re: IMPORTANT: Password Security
« Reply #13 on: September 21, 2008, 10:25:30 PM »
Excellent information Christine  :)
By far the most usual way of handling phenomena so novel that they would make for a serious rearrangement of our preconceptions is to ignore them altogether, or to abuse those who bear witness to them.

Prof. William James

Offline harvestmoon

  • Contributor
  • *****
  • Posts: 510
  • You reap what you sow
    • Harvest Moon Australia
Re: IMPORTANT: Password Security
« Reply #14 on: October 10, 2008, 12:40:46 PM »
LMAO @ "password" being an example of a bad password.

 I haven't been to the site for a while... I've got 9 pages of unread posts!

 

