Paranormal.com.au

General => The Gateway => Topic started by: Jazza on September 23, 2005, 02:43:30 AM

Title: IMPORTANT: Password Security
Post by: Jazza on September 23, 2005, 02:43:30 AM
Sorry to bring this up (And to do it) but this is quite important.
Nobody at Paranormal.com.au knows users' passwords. They are all encrypted and totally illegible.

But they can easily be guessed if they are common words such as "bigpup" or "120674".

In the interest of security I cracked paranormal.com.au's users' passwords and there were surprisingly a lot of weak passwords.

A password should be a combination of capital and normal letters as well as numbers and at least 5 characters long. A symbol like an underscore _ can also be used.

Just numbers or a word are not strong passwords and can be easily broken.

To change your password go to your Profile and you can change it there.

Example of bad passwords:
haunted
ghost
password
bobbie89
puppydog
45621
1password1

Example of good passwords:
B0bb1e_89
PuP_py_d0g
4S_62i
1_Pa55w0rD_1

In the very LEAST, have a symbol!
Remember, just because you may not consider your Paranormal account important doesn't mean you should not have a secure password. Some hacking attacks require authorised access and some people (Like moderators) have got higher access to the forum. This means hackers could get into more parts and damage more things.
SpamBots can also abuse a hacked account.

Please do not use the examples above as your password.
Title: Passwords
Post by: Christine on September 23, 2005, 01:26:54 PM
Hi SJ,
So that obviously means our passwords are case sensitive?
Thanks for the post. I guess we could keep that in mind for any forum we are on.
I know the Australian Idol forum is having problems at the moment with people cracking other people's passwords and posting stuff up in their name.
Christine
Title: IMPORTANT: Password Security
Post by: Flutterbit on November 20, 2005, 02:03:38 PM
Well I wasn't too worried about passwords at a paranormal forum (I have other things that are more important to protect) but I suppose that is a good point about people saying stuff I wouldn't.  I have one really good password, so I guess I'll go and change it.

Thanks
Flutterbit
Title: IMPORTANT: Password Security
Post by: Christine on November 22, 2005, 07:18:15 PM
Maybe I should change my bank passwords then!
Christine
Title: IMPORTANT: Password Security
Post by: Jazza on November 23, 2005, 10:57:06 PM
To tell you the truth, passwords are obsolete. Biometrics are the future.... (Fingerprints, iris scanners etc.)
Of course everything can be beaten...
Title: Re: IMPORTANT: Password Security
Post by: catseyes on March 21, 2007, 12:49:46 PM
Jazza can you crack mine?  Do I need to change it?  If I make it hard I forget what I put!
Title: Re: IMPORTANT: Password Security
Post by: Trent1 on March 21, 2007, 01:53:45 PM
Sj i was watching mythbusters u can crack a fingerprint scanner with a photocopy of the users fingerprint... ur right, everything is crackable
Title: Re: IMPORTANT: Password Security
Post by: scaredycat on March 21, 2007, 05:12:18 PM
A guy at a computer shop told us to never type in a password, that you should open a document on a page and just cut and paste the password instead. He said that it is a good one for bank accounts and the like because most hackers use technology that has something to do with the keystrokes typed.

Quite frankly if they can get my bank account details good luck to them getting money out before all the direct debits come out!!
Title: Re: IMPORTANT: Password Security
Post by: TooL on March 21, 2007, 09:37:13 PM
If you are worried about logging keystrokes then you might want to invest in some anti-spyware program. That's why I love my Mac. I will never access any financial info on a PC.

I like the password "god". So many IT systems managers have used it.

[I rule soo bad]
Title: Re: IMPORTANT: Password Security
Post by: Jazza on March 21, 2007, 10:12:11 PM
Please, don't follow that advice.
That will still not beat key loggers that log the keys you press at a low level, regardless of the application.
The problems with using that method are:
1) There is no proper active data protection of the text inside the document sufficient enough for passwords
2) It's clearly visible to people around you or if a hacker can see your screen through remote software
3) When you copy it across to your browser, it has to enter "the clipboard" which any application can view.
4) Passwords are still usually sent through plain text over the internet anyway meaning anybody who is connected to the same route that the traffic takes can sniff out your traffic.

Nothing is hack-proof; that method simply makes it easier. The password fields at least have some protection from rogue programs accessing the data within them.
If someone wants to get into an account, and has the skill, they will get in. You won't hear any company say that, but it's true. All it takes is time. At least with a strong password it takes a longer amount of time to break into an account, therefore it doesn't become viable to do it since the benefit can be so little.
Could you PM me the name of the computer place you got that advice from so I know never to go there?

By the way, there are many types of fingerprint scanning methods. The cheap ones (consumer types, <$1000) use a special light scanning method and do not scan the entire fingerprint, so they are easier to fake.

The password "god" would only take 108^3 combinations to crack; at an average of ~2000 combinations per second it would take 10.49 minutes to crack using simple brute force.
Other more complex methods (non-dictionary) I know of will crack that within 3 seconds :P
Title: Re: IMPORTANT: Password Security
Post by: Bigbird on April 01, 2007, 11:41:04 AM
Hope I don't have to change mine.
Over the last couple of weeks I tried to sign on to 5 other forums... can't get to any of them. I used different usernames, different passwords and forgot the darn lot, even registered as under 13 on one by mistake, so it was all a waste of time. Don't tell me I should have written it down, cos I did... where is it?? So no more wandering for me... too old to learn new tricks lol. Please don't tell me to change mine or I may never find myself again.
Title: Re: IMPORTANT: Password Security
Post by: Christine on September 21, 2008, 03:24:53 PM
Palin E-Mail Hack Shows Webmail's Flaw
Carl Jongsma, Computerworld Australia

Saturday, September 20, 2008 5:00 AM PDT
If you needed any more reminders about why it isn't a good idea to use external mail services to conduct critical business, the recent break-in to US Republican Vice-Presidential candidate Sarah Palin's gov.palin@yahoo.com Yahoo inbox should be it. Of note is that following the disclosure of the inbox, the compromised address and another address, gov.sarah@yahoo.com, have been suspended.

US politics has been stung by a range of inappropriate email usage incidents, including the use of non-government email accounts to conduct official business. From the images presented as proof of email compromise, it seems that Sarah Palin was also doing this.

Various Information Security mailing lists have from time to time been filled with claims of inbox compromise, usually for free webmail services and it is always two parts voyeurism, two parts fear that it could be you next whenever someone has had their email exposed so publicly.

Some companies have decided that the economy of scale offered by services like Gmail is worth it to have their email needs handled through them rather than maintaining their own in-house systems and servers. The risk, as has been proven time and time again, is that it now only takes a simple password recovery to have your email exposed to all.

Password recovery procedures are an area where the balance between security and usability is so blurred that most times the security aspect is non-existent, despite appearances. The leading theories about how the breach to Sarah Palin's account came about were that it was through the password recovery options associated with the Yahoo webmail interface.

Even if a user has selected non-standard secret questions, or has linked other email accounts, this sort of information isn't going to take a determined hacker very long to dig up, especially if the target is already someone in the public eye. Even if the target is not a public identity, the rise of social networking sites and personal blogs means that it shouldn't take too long to dig up enough information about someone to have a better than average chance at correctly guessing the answers to most secret question choices.

Once the account has been compromised, it then becomes a matter of what the attackers are going to do next. Some attackers have used compromised email accounts to take control of other assets belonging to the legitimate email owner, including Web sites, or have used the inbox access to spread malicious content to the contacts of the real owner.

Since most of these compromises have been about the ability to boast that they have done it, or for short term gain, the real risk of inbox compromise hasn't really been explored very well. The biggest risk following a compromise is from the disciplined attacker. They will not highlight their presence through splashing email content around the place, nor highlight their presence by sending objectionable material to all and sundry. Instead, they will use their access to amass critical information on their target (be it corporate espionage, personal blackmail, or other leverage) or send the occasional message and hope that it is infrequent enough to not be noticed.

Many companies try to block access to webmail services through their corporate networks in an attempt to limit the risk of employees sending sensitive corporate information through channels that cannot be managed by the corporation.

It isn't so much to stop employees from wasting time on personal email through webmail, rather it is a risk management practice validated by this most recent compromise. Even if a company has implemented the block to prevent employees wasting time, the risk reduction is a beneficial side effect.

If you are busy using external webmail or email hosting providers, perhaps you should take another look at just how hard it is to gain anonymous access to that information and ensure that you have properly assessed the risk/benefit tradeoffs associated with using the services.

Title: Re: IMPORTANT: Password Security
Post by: Christine on September 21, 2008, 03:26:48 PM
The Importance of Strong Passwords
Keep your computer, data and accounts safe with strong passwords.

Your first line of defense on the Web is creating the strongest password possible to protect your computer, your data and your online accounts. That may sound like common sense, but hackers have become increasingly sophisticated at password “cracking.” What may have been considered a strong password a year ago may now be considered an open window to your computer. Internet security is based on a “weakest link” principle; hackers are constantly searching to find the weakest link possible to give them access to a network or computer. Often that weak link is a weak password.

There are a number of dos and don'ts when creating and managing your passwords, but there are some basic guidelines you can follow.

Use both upper- and lower-case letters
Incorporate numbers or punctuation marks
Use at least one of these special characters: ! @ # $ % * ( ) - + = , < > : : “ ‘ .
Make it at least 8 characters long.
A strong password does NOT, in any way, use your personal information, such as name, phone number, Social Security number, birth date, address or names of anyone you know.
Come up with something you can remember easily, but would be virtually impossible for anyone else to guess.
So, what can happen when you don’t have a strong password? If someone else is able to guess or crack your password, you give them access to your e-mail or IM messages, your bank accounts, your research, your contact lists or anything else you may have on your computer. They could start to alter or destroy files or even overtake your computer and turn it into a zombie. (A zombie computer is one overtaken by a hacker and used to perform malicious tasks, such as sending out large amounts of spam.)

There are a lot of techniques being used to steal passwords. Some of the most common include:

Guessing. There are a number of programs designed to guess a user’s password based on information found online about the user, such as names, birth dates, names of friends or significant others, pet names or license plate numbers. They can even search for a word spelled backwards.
Dictionary-based attacks. Programs and software also exist that will run every word in a dictionary or word list against a user name in hopes of finding or guessing a password.
“Brute Force” attacks. This attack method refers to trying every conceivable combination of key strokes in tandem with a user name to find the password. There are programs that can run brute force attacks very quickly. The best way to beat a brute force attack is to have a long and complex password, using upper and lower case letters, numbers, special characters and punctuation marks.
Phishing. This is a common scam technique where a hacker will send out an urgent IM or e-mail message designed to alarm or excite users into responding. These messages will appear to be from a friend, bank or other legitimate source directing users to phony Web sites designed to trick them into providing personal information, such as their user names and passwords.
“Shoulder surfing.” Be careful when logging on to a computer in public, such as a computer lab, cybercafé or library. There may be hackers lurking around for the express purpose of watching people enter their user names and passwords. It’s a good idea to have a password you can enter quickly without looking at the keyboard.
Keep in mind that protecting your computer and accounts with strong passwords also protects other users when connected by a network. For instance, just about every student, faculty member and staff member at The University of Texas at Austin regularly accesses the university network. If one password is breached, all of the computers on the network are put at potential risk for hackers, viruses or worms. We each need to do our part to protect computing resources at the university. Just remember, a network or account is only as strong as its weakest password.
Title: Re: IMPORTANT: Password Security
Post by: Merrick on September 21, 2008, 10:25:30 PM
Excellent information Christine  :)
Title: Re: IMPORTANT: Password Security
Post by: harvestmoon on October 10, 2008, 12:40:46 PM
LMAO @ "password" being an example of a bad password.

I haven't been to the site for a while... I've got 9 pages of unread posts!
Title: Re: IMPORTANT: Password Security
Post by: Christine on October 10, 2008, 12:58:31 PM
You'd be surprised how many people use such bad passwords though!
Title: Re: IMPORTANT: Password Security
Post by: skye131924 on April 24, 2011, 04:44:43 PM
http://www.pcmag.com/article2/0,2817,2383890,00.asp

In my lifetime, I have created exactly one awesome password. It's 24 characters long, includes letters and numbers, and is a memorable sentence that no rational person, with the exception of myself, would ever know. Every other password I've created—and occasionally still use—is crap.

I use this awesome password with my LastPass account, which actually handles all of my password creation and management. It generally spits out shorter passwords full of letters and numbers, but they're created in such a way that they're neither guessable nor memorable. LastPass, by the way, is the free, online, award-winning password manager I've been using for almost two years. I don't know what I'd do without it, but I now know what many other people do when they don't use password creation and management products, such as LastPass, RoboForm or perhaps Norton Internet Security: They create some of the worst and most embarrassing passwords known to man.

I asked my Twitter followers to reveal their worst and most embarrassing passwords (though not ones they currently use) and got back some whoppers. I suspect that a few of these are the same as your embarrassing digital code words. My hope is that this list will entertain (some are chuckle-worthy) and educate you (now you have proof that your own passwords are ridiculous). I swear folks, these are real.

Before we get to the list, though, if you insist on creating your own passwords, here are some rules to live by:

    Use at least six characters
    Mix letters and numbers
    Other characters, like underscores, work, too
    Use uppercase and lowercase letters
    A sentence is great as long as it's not a famous quote
    Do not use the same password in multiple places

With that out of the way, let's look at some of your worst and most embarrassing passwords.

1) password
As you might guess, this is one of two password selections that showed up more than once. If you're still using it, you might as well print out all your personal documents, financial records, and photos, tape them to a minivan, and drive it around the neighborhood.

2) 12345
This guy is popular on computers and, apparently, luggage. It's no easier to remember a physical lock combo than it is a digital one, so many people who buy briefcases with locks either never set them and pull the red tab (that would be me) or make sure that the combo is the most obvious in existence.

3) CaseSensitive
This one wouldn't be so terrible if it weren't so painfully obvious.

4) Teletubbie
Having trouble writing this because I…am…laughing…so…hard. Parents of young children can be partially excused for using this embarrassment, but next time, I suggest something with a bit more edge like: DoraTheImpaler.

5) F*ckOffPlease
One Twitter follower told me that every one of his passwords at his old job was a profanity or a phrase featuring a profanity. Clearly, the guy had some issues at work. Here's hoping he's now at a new job where the spiciest password he uses is EveryoneHereIsSoNice.

6) hellogod
This one isn't so bad, but if someone gets a hold of this one, you may be pegged as a religious zealot.

7) homeboyee
This one might be a little embarrassing when you have that conversation with your IT administrator. You'll say it, the admin will likely snicker (and assume he heard you wrong), you'll spell it out, and then you'll get that look.

8) <3BSB<3
This is actually a good password (look at those characters!), but completely embarrassing subject matter. Its author revealed that she was very into the Backstreet Boys when she came up with it. I wonder if her new password is NKOTB.

9) goldeneye
Nerds and geeks have a habit of using their favorite characters and/or movie and book titles in their passwords. This one isn't too nerdy, but if anyone knows you're a fan of James Bond, your goose is cooked. As an aside, all Star Wars fans should steer clear of Jedi, Luke, and Darth.

10) OpenUp
This is easily one of the worst passwords ever. In fact, I doubt any real thought went into it.

11) asdfhgjkl
This one is a classic. At first, it looks pretty good and you might think, "Look, it's just random letters. Who would ever figure that one out?" However, those letters look kind of familiar, don't they? Take a good look at your keyboard. That's right, it's all the letters in the third row, from "a" to "l."

12) gotohell40
No one likes turning 40 (or 50, 60 or 70), but this kind of password is only safe when you're not 40.

Title: Re: IMPORTANT: Password Security
Post by: Saturn on April 24, 2011, 09:42:16 PM
When Bill Clinton was president I remember the two most common passwords were "sex" and "Bill Clinton" lol.
Title: Re: IMPORTANT: Password Security
Post by: Jazza on April 25, 2011, 07:48:19 PM
Quote from: skye131924
http://www.pcmag.com/article2/0,2817,2383890,00.asp
Not the best article I've seen about password protection.

Authentication (http://en.wikipedia.org/wiki/Authentication#Authentication_factors_and_identity) by use of passwords (a knowledge factor, something you know) is done in a few stages:
The user enters the password they want to use for their account. The password is put through a cryptographic hash function (http://en.wikipedia.org/wiki/Cryptographic_hash_function) which turns a user's password into a hash (e.g. 'passw0rd' when put through the hash function SHA-1 becomes '7c6a61c68ef8b9b6b061b28c348bc1ed7921cb53').
This hash is kept on the service which holds your account.

When you go to log in later, you enter your password just like before. This too is hashed and this hash is then checked against the one in the database associated with your account. If the hashes match, it means the password that was entered was the same as the one originally used to create the hash in the database (assuming the hash function being used doesn't suck).
One of the reasons hashes are used is so passwords are not kept in plaintext (as-is) in databases: if they are compromised, it is more difficult to obtain the original password used to create the hash and use that with the service. You can't just grab a hash and use it as the password for an account, because that hash will be treated as a normal password and it will create a hash of the hash to check against (which won't be the same). It also means administrators like me can view the raw user data of a database without knowing your passwords.

I think it's important people understand the mechanisms of how password authentication works, many important services from social networking, banks, government websites, eBay, other shopping websites etc. can rely solely on passwords. With so much at stake (identity theft etc.) I would hope people would care about how these things work as much as they do about how the safety features in a car work.

People should also avoid using the same password for multiple services because if one account is compromised, it's possible that an attacker can attempt to use the same details on other accounts such as a linked email or social networking account.

Also, symbols are a definite plus; in a perfect world I'd make them mandatory. They can dramatically increase the time it takes for an attacker to brute-force a password and can reduce their options for using precalculated tables (http://en.wikipedia.org/wiki/Rainbow_tables) in case they manage to actually steal your password hash from a service. A good service will use a salt (http://en.wikipedia.org/wiki/Salt_%28cryptography%29) to make those pre-calculated tables less effective, even if the user picks a weak password.

Avoid dictionary words where possible; a password comprised mostly of dictionary words is vulnerable to a dictionary attack (http://en.wikipedia.org/wiki/Dictionary_attack).

Though, in reality, a lot of services will limit the number of password attempts before locking you out for a set period of time. The trouble really comes in when an attacker has gotten access to your password hash, from either hacking your computer and taking a saved password or breaking into a service and extracting it from a database. In those scenarios, they can brute-force them or use pre-calculated tables using their own equipment and their own time without interacting with the target any further.

However, the future really is in multi-factor authentication (http://en.wikipedia.org/wiki/Two-factor_authentication). An example being a bank account with a password (something you know) and a token (something you have).
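The storage-and-login flow Jazza describes above (hash stored instead of the password, hash compared at login, a stolen hash useless as a password, salts defeating precomputed tables) as an added Python example; this is not code from the forum or its software. It assumes PBKDF2-HMAC-SHA256 with a fixed work factor for the salted scheme (my choice; the post only says "a good service will use a salt") and a constructed five-word list standing in for a precomputed table.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample word list: the tiny "dictionary" the precomputed table is
# built from here. It stands in for the much larger tables the post mentions.
SAMPLE_WORDLIST = ["haunted", "ghost", "password", "passw0rd", "puppydog"]

# Assumption for this example: salted records use PBKDF2-HMAC-SHA256 with a
# fixed iteration count; the post does not specify the salted scheme.
PBKDF2_ROUNDS = 100_000


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, the storage scheme the post describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the database record a salted service stores at sign-up.

    A fresh random salt per user means two users with the same password get
    different hashes, and a table precomputed without the salt cannot match.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify(candidate: str, record: dict) -> bool:
    """Login check: hash what the user typed with the stored salt and compare.

    compare_digest keeps the comparison time independent of where it differs.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def build_unsalted_table(words) -> dict:
    """Precompute unsalted SHA-1 for a word list: hash -> original word."""
    return {sha1_hex(w): w for w in words}


def lookup(stored_hash: str, table: dict) -> Optional[str]:
    """Map a leaked hash back to a word if it is in the precomputed table."""
    return table.get(stored_hash)


def demo() -> dict:
    """Run the checks the post reasons about and return the outcomes."""
    table = build_unsalted_table(SAMPLE_WORDLIST)
    unsalted = sha1_hex("passw0rd")
    record = make_record("passw0rd")
    return {
        # An unsalted hash of a word-list password falls to a table lookup.
        "unsalted_recovered": lookup(unsalted, table),
        # The salted record matches nothing in a table built without its salt.
        "salted_recovered": lookup(record["hash"], table),
        # A normal login with the right password succeeds.
        "login_ok": verify("passw0rd", record),
        # Submitting the stolen hash as the password fails: it is hashed again.
        "hash_as_password_ok": verify(record["hash"], record),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```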
SimplePortal 2.3.3 © 2008-2010, SimplePortal