Passwords

For things you would put in a kitty dump.
MJuric
Posts: 1067
Joined: Mon Mar 08, 2021 3:21 pm
Answers: 1

Passwords

Unread post by MJuric »

Can someone with more experience with this than I have explain something to me?

I just got a notice from our ERP/MRP whatever company that "We are excited to announce an update to our password security....." Blah Blah Blah. They made it case sensitive.

Everywhere I go I get some twisted version of "More secure" passwords, special characters, caps, numbers etc etc etc.

I'm trying to figure out why any of this matters.

To me and my feeble understanding, you have only a few ways to "hack" based on beating the password: brute force, which is essentially trying every possible combination, "guessing", or some combination of the two.

Unless the hacker has some insight into the person they are attempting to hack then guessing really has no impact as far as I can see.

Outside of that brute force essentially has to assume that any character can be in any position. The only way this is not true is if somehow they figured out that the password is somehow limited to only a certain set of characters....which seems like a stupid idea for a password.

So, assuming I'm not horribly wrong about the above for some reason, wouldn't the only factor that mattered for the majority of cases be the number of characters? Two characters are twice as difficult to crack as one character, three is eight times more difficult than one character, and so on....or something like that if I did my maths right.

So assuming that a password has the possibility of containing any character, cap, no cap, number, special etc....what difference does it make if you use them? "11111111" would be as secure as "A1@#stU)" because they have the same number of characters.
Tom G
Posts: 355
Joined: Tue Mar 09, 2021 9:26 am
Answers: 0
Location: Philadelphia, PA area

Re: Passwords

Unread post by Tom G »

As you say, https://xkcd.com/936/

I strongly believe that passwords are obsolete, and improving them does not greatly improve your security. The notice you received is security marketing, merely security theatre to make them look good, maybe make you feel better, but it is only polishing a turd.

Two Factor Authentication (2FA) is ideal, and fairly simple. Security Keys like Yubico are a handy authenticator also. Microsoft reports that 99.9% of breached accounts did not have 2FA active. That is, nothing is absolutely assured, but 2FA is tremendously more effective security than passwords alone.
Jaylin Hochstetler
Posts: 383
Joined: Sat Mar 13, 2021 8:47 pm
Answers: 4
Location: Michigan

Re: Passwords

Unread post by Jaylin Hochstetler »

But...
The brute force software will try 1111111, then 11111112, then 11111113 and so forth (I believe), which makes it easy to crack...
Edit: Or rather it will try the easy ones first.

BTW I use LastPass to manage my passwords. It is awesome software (actually it's an extension for your browser). It will generate pws for you; it can store pws, credit cards, banking info, and a bunch of other stuff, plus your data can be backed up. And it will autofill the info for you!!

I use Authy for 2FA.
A goal is only a wish until backed by a plan.
Merovingien

Re: Passwords

Unread post by Merovingien »

Imagine a password XXX:

with 3 numbers, possibilities = 10 x 10 x 10 = 1 000

with 3 letters = 27 x 27 x 27 = 19 683

3 numbers or letters = 37 x 37 x 37 = 50 653

3 numbers, letters, caps = 64 x 64 x 64 = 262 144

3 numbers, letters, caps, symbols (about 10, I don't really know) = 74 x 74 x 74 = 405 224

If a password can be made of "numbers, letters, caps, symbols",
at the beginning the user had the full choice but, being lazy, chose for example: 1111111.
So a hacker knows the majority of users are lazy and will only use numbers,
so the hacker can adapt to do less work by searching only numbers...

Forcing the user to put numbers and letters increases the safety;
forcing the user to put numbers, letters, caps and symbols increases the safety.
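The counting above generalizes to any alphabet and any length. The following is an added example, not code posted in the thread: it models an attacker who, as Merovingien describes, searches the smallest alphabet first and only widens it when that fails, and it prices out the two 8-character passwords from the opening post. The alphabet ordering and the guess rates are assumptions made for the illustration.

```python
import string

# Alphabets in the order a guessing tool would try them: the cheapest
# (smallest) alphabet first, the widest last. Sizes are the textbook ones.
ALPHABETS = [
    ("digits", string.digits),                                        # 10
    ("lowercase", string.ascii_lowercase),                            # 26
    ("lowercase+digits", string.ascii_lowercase + string.digits),     # 36
    ("letters+digits", string.ascii_letters + string.digits),         # 62
    ("all printable", string.ascii_letters + string.digits + string.punctuation),  # 94
]


def smallest_alphabet(password):
    """Return (name, size) of the first alphabet that covers every character
    of the password, i.e. the one the attacker actually has to search."""
    for name, chars in ALPHABETS:
        if all(ch in chars for ch in password):
            return name, len(chars)
    raise ValueError("password uses characters outside every modelled alphabet")


def keyspace(size, length):
    """Number of strings of the given length over an alphabet of that size."""
    return size ** length


def worst_case_guesses(password):
    """Guesses for an attacker who exhausts each alphabet at the password's
    length before widening to the next: every smaller alphabet in full, plus
    the whole alphabet that finally contains the password."""
    n = len(password)
    total = 0
    for _name, chars in ALPHABETS:
        total += keyspace(len(chars), n)
        if all(ch in chars for ch in password):
            return total
    raise ValueError("password uses characters outside every modelled alphabet")


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time at a given guess rate (rate is an assumption)."""
    return worst_case_guesses(password) / guesses_per_second


def report(passwords, rates):
    """One row per password: alphabet searched, guess count, time per rate."""
    rows = []
    for pw in passwords:
        name, size = smallest_alphabet(pw)
        row = {"password": pw, "alphabet": name, "size": size,
               "guesses": worst_case_guesses(pw)}
        for label, rate in rates.items():
            row[label] = seconds_to_exhaust(pw, rate)
        rows.append(row)
    return rows


if __name__ == "__main__":
    # The two 8-character passwords from the opening post plus a plain word.
    # Rates are illustrative assumptions: an offline cracking rig working on
    # a leaked password database versus a throttled online login form.
    RATES = {"offline 1e9/s": 1e9, "online 10/s": 10}
    for row in report(["11111111", "password", "A1@#stU)"], RATES):
        print(f"{row['password']:<10} {row['alphabet']:<17} "
              f"{row['size']:>3}^{len(row['password'])} = {row['guesses']:.3e} guesses; "
              + "; ".join(f"{k}: {row[k]:.3g} s" for k in RATES))
```

Under these assumptions "11111111" falls inside the first 10^8 guesses, while "A1@#stU)" is only reached after every smaller alphabet has been exhausted, so two passwords of the same length are not equally hard to find. The "online 10/s" column is what a throttled login form leaves an attacker; the offline column is the case that matters once a site's password database has leaked, which is why the thread's later points about reuse and breach lists carry so much weight.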
mike miller
Posts: 878
Joined: Fri Mar 12, 2021 3:38 pm
Answers: 7
Location: Michigan

Re: Passwords

Unread post by mike miller »

r/e = p

where r is reward, e is effort, and p is probability of an attack (or relative juiciness of morsel).

To illustrate, which is more likely:
-a hacker in Pakistan cracks my password for this forum account.
-a team of hackers breaks into My Small-town Bank's servers and steals everyone's card numbers.

That's why I don't worry about 2FA for small fry accounts....but banking.....that's another story.
He that finds his life will lose it, and he who loses his life for [Christ's] sake will find it. Matt. 10:39
Merovingien

Re: Passwords

Unread post by Merovingien »

I agree,
2FA should not be standard everywhere,
not for small things...
MJuric
Posts: 1067
Joined: Mon Mar 08, 2021 3:21 pm
Answers: 1

Re: Passwords

Unread post by MJuric »

Merovingien wrote: Tue May 11, 2021 11:13 am
forcing the user to put numbers, letters, caps and symbols increases the safety
I think what you're saying here is that the "guessing" factor becomes an issue because of human nature, i.e. hackers know that people are lazy and thus, unless they are forced to use a password that is not ridiculously obvious, they will use one, and the hackers know it.

That's a valid point.
MJuric
Posts: 1067
Joined: Mon Mar 08, 2021 3:21 pm
Answers: 1

Re: Passwords

Unread post by MJuric »

Jaylin Hochstetler wrote: Tue May 11, 2021 11:12 am BTW I use LastPass to manage my passwords. It is awesome software (actually it's an extension for your browser). It will generate pws for you; it can store pws, credit cards, banking info, and a bunch of other stuff, plus your data can be backed up. And it will autofill the info for you!!

I use Authy for 2FA.
I have my own method for "Randomly" generating passwords. I apply that formula to all my passwords. So if someone figured out the formula then they would have access to all my accounts, which is probably bad. That being said certain websites that require some oddball criteria that does not fit my formula end up making me add/subtract something and then I can't remember what was changed. :evil:
Tom G
Posts: 355
Joined: Tue Mar 09, 2021 9:26 am
Answers: 0
Location: Philadelphia, PA area

Re: Passwords

Unread post by Tom G »

Every year, the most used passwords are publicized and ranked. These are the first 100 or so attempts within a brute force attack, followed by factory-default passwords. Human nature has been analyzed, and leveraged against humans by humans.
zwei
Posts: 700
Joined: Mon Mar 15, 2021 9:17 pm
Answers: 18
Location: Malaysia

Re: Passwords

Unread post by zwei »

A lot of the time they are:
→ Min 12 characters
→ Include special characters
→ Include Upper case
→ Include Lower case
→ Include Number
→ Change your password every X months

Ironically, when it comes to changing passwords, a lot of users either just replace one character or just add a character...
A lot of the time they are even using the same password for multiple accounts...
Far too many items in the world are designed, constructed and foisted upon us with no understanding-or even care-for how we will use them.
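Tom G's point about the ranked most-used-password lists and zwei's about one-character changes can both be enforced at password-change time, when the old password is still available for comparison. The following is an added example, not code from the thread or from any real product: the common-password list is a tiny constructed stand-in for a published ranking, and the leetspeak table, minimum length and similarity threshold are assumptions chosen for the illustration.

```python
import string

# Constructed stand-in for a published "most used passwords" ranking; a real
# policy loads the full list (thousands of entries), not these few.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "111111", "12345678",
    "iloveyou", "admin", "welcome", "letmein", "abc123",
}

# Substitutions people use to satisfy "add a number / a symbol" rules.
LEET = str.maketrans("0134@$!", "oleaasi")


def normalise(password):
    """Reduce a password to the base word it is built from: lower-case it,
    strip the trailing digits/symbols people bolt on, undo leetspeak swaps."""
    stripped = password.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_new_password(new, old=None, min_length=12, max_similarity=2):
    """Return (accepted, reason). Rejects list entries and their dressed-up
    variants, and changes that only nudge the previous password."""
    if len(new) < min_length:
        return False, f"shorter than {min_length} characters"
    if new.lower() in COMMON_PASSWORDS or normalise(new) in COMMON_PASSWORDS:
        return False, "appears on the common-password list"
    if old is not None:
        # "Summer2021" -> "Summer2022" style rotation: same word, new suffix.
        if normalise(old) == normalise(new):
            return False, "same base word as previous password"
        # One or two characters changed, added or removed.
        if edit_distance(old, new) <= max_similarity:
            return False, "too similar to previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed old/new pairs showing each rule firing.
    for old, new in [("Autumn-Leaves-2021", "Autumn-Leaves-2022"),
                     ("Autumn-Leaves-2021", "Autumn-Leaved-2021"),
                     ("Autumn-Leaves-2021", "P@ssw0rd1!!!"),
                     ("Autumn-Leaves-2021", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: {check_new_password(new, old)}")
```

The normalisation step is what catches the "replace one character or add one" habit zwei describes even when the change is not literally one edit (dropping a year and adding a different one), and the similarity check catches edits the normaliser does not. Both checks require the plaintext of the old password, which is only available in a change-password flow where the user supplies it; they cannot be run retroactively against a stored hash.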
Glenn Schroeder
Posts: 1444
Joined: Mon Mar 08, 2021 11:43 am
Answers: 22
Location: southeast Texas

Re: Passwords

Unread post by Glenn Schroeder »

I'm always annoyed with sites that don't have sensitive information, where no one would bother to hack and I wouldn't care if they did, but they still require complex passwords.
"On the days when I keep my gratitude higher than my expectations, well, I have really good days."

Ray Wylie Hubbard in his song "Mother Blues"
Tom G
Posts: 355
Joined: Tue Mar 09, 2021 9:26 am
Answers: 0
Location: Philadelphia, PA area

Re: Passwords

Unread post by Tom G »

Zhen-Wei Tee wrote: Tue May 11, 2021 12:07 pm A lot of the time they are even using the same password for multiple accounts...
One breach reveals the password, and it affects far more than that resource.

You can find out if your email is included within disclosed breaches at https://haveibeenpwned.com/ which is run by Troy Hunt, a respected security researcher. Results include, per breach, what information was captured and appropriate recommendations.
AlexLachance
Posts: 1991
Joined: Thu Mar 11, 2021 8:14 am
Answers: 17
Location: Quebec

Re: Passwords

Unread post by AlexLachance »

I can answer about the brute forcing a bit.

I used to play Starcraft when I was a teenager and people would steal accounts on there by brute forcing passwords because generally they were all very fairly simple.

Depending on the way it is done, the brute force will try different word combinations until it reaches its "word combination limit", and then it starts trying letter by letter and so on.

So the more possibilities per character, the more complex it becomes to brute-force something. The more characters, the more complexity it adds, because it's exponential.

There are some people who are really good at it and can break down passwords rather easily, but the rather "general" brute force method is as I described it. It could take a solid 24 hours to brute force an 8 character password and back then symbols were not allowed and there was no distinction between capitalization.
MJuric
Posts: 1067
Joined: Mon Mar 08, 2021 3:21 pm
Answers: 1

Re: Passwords

Unread post by MJuric »

AlexLachance wrote: Tue May 11, 2021 2:00 pm I used to play Starcraft when I was a teenager and people would steal accounts on there by brute forcing passwords because generally they were all very fairly simple.
I had already started my business when Starcraft came out. Me and a couple of my employees would play Starcraft after work regularly. Friday was often Pizza, Beer and Starcraft night at the office.

Unreal Tournament and other FPS games were also regularly on rotation.
Frederick_Law
Posts: 1822
Joined: Mon Mar 08, 2021 1:09 pm
Answers: 8
Location: Toronto

Re: Passwords

Unread post by Frederick_Law »

One way to brute force is to use words from a dictionary.
Another thing is that people reuse passwords across different accounts.

If you hack a bank database, you'll need to decrypt all the info. The bank, police, FBI, CIA will be after you.
If you found someone's password, you could have everything they got. And they can't do anything because you took everything. They can't even hire a lawyer.

I use a password manager now. So I don't even know most of my passwords.
matt
Posts: 1536
Joined: Mon Mar 08, 2021 11:34 am
Answers: 18
Location: Virginia

Re: Passwords

Unread post by matt »

Hackers also get lists of popular passwords from past hacks, and from news reports. From there it's just a matter of statistics and probability to get hits on some of those. In fact, I get hack attempts every day on my blog for user names that don't exist. There really are people who don't have anything else to do but mess around like this. Even if they got in, there's nothing of value, but they get bots to do the big work, and it doesn't matter if 99.9% or more of their time is completely wasted. They just need one big hit.
Merovingien

Re: Passwords

Unread post by Merovingien »

But some websites have a limit on failed passwords after 3 attempts,
so bots can't test their infinite combinations for hours.

I prefer not to use software or an external site to create and manage passwords for me.
And hackers can get interested in hacking them, because they centralize passwords.

I prefer to manage passwords myself, with paper.
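The failed-attempt limit Merovingien mentions is usually implemented as an account lockout. On its own it does not slow a bot that tries one common password against many different accounts (the traffic matt describes hitting his blog), so the example below, added here and not taken from the thread, pairs the lockout with a per-source failure rate limit. The thresholds, the source addresses (taken from the RFC 5737 documentation ranges) and the attempt log are all constructed for the illustration.

```python
from collections import defaultdict, deque

# Constructed source addresses from the RFC 5737 documentation ranges.
BOT_SOURCE = "198.51.100.7"
OWNER_SOURCE = "203.0.113.5"


class LoginThrottle:
    """Two independent brakes on password guessing: lock an account after a
    few consecutive failures, and slow a source that keeps failing across
    many accounts (the pattern of a bot trying one password everywhere)."""

    def __init__(self, max_failures=3, lockout_seconds=900,
                 spray_window=60, spray_threshold=10):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.spray_window = spray_window
        self.spray_threshold = spray_threshold
        self.failures = defaultdict(int)           # account -> consecutive failures
        self.locked_until = {}                     # account -> unlock timestamp
        self.source_failures = defaultdict(deque)  # source -> failure timestamps

    def attempt(self, account, source, now, password_correct):
        """Record one login attempt at time `now` (seconds) and return its
        outcome: 'locked', 'rate-limited', 'ok' or 'failed'. The password is
        only evaluated once both brakes are released, so a locked account
        gives no signal about whether the guess happened to be right."""
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return "locked"
        recent = self.source_failures[source]
        while recent and now - recent[0] > self.spray_window:
            recent.popleft()
        if len(recent) >= self.spray_threshold:
            return "rate-limited"
        if password_correct:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        recent.append(now)
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
        return "failed"


def sample_events():
    """Constructed attempt log: a bot hammers one account, then sprays a
    dozen others; the real owner tries during and after the lockout.
    Each event is (time, account, source, password_correct)."""
    events = [(t, "alice", BOT_SOURCE, False) for t in range(5)]
    events += [(10 + i, f"user{i:02d}", BOT_SOURCE, False) for i in range(12)]
    events += [(30, "alice", OWNER_SOURCE, True), (1000, "alice", OWNER_SOURCE, True)]
    return events


def run(events, throttle=None):
    """Feed events through a throttle and return the outcome of each."""
    if throttle is None:
        throttle = LoginThrottle()
    return [throttle.attempt(acct, src, now, ok) for now, acct, src, ok in events]


if __name__ == "__main__":
    for (now, acct, src, ok), outcome in zip(sample_events(), run(sample_events())):
        print(f"t={now:>4}s {acct:<7} from {src:<13} -> {outcome}")
```

In the sample log the third wrong guess locks "alice" for 15 minutes, after which the bot's attempts against other accounts are cut off by the per-source limit once ten failures accumulate within a minute, while the owner's correct password is refused during the lockout and accepted once it expires. The trade-off is visible in that last point: a lockout that an attacker can trigger at will is also a way to keep the legitimate user out, which is why the lockout is kept short and paired with source-based limits rather than made indefinite.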
MJuric
Posts: 1067
Joined: Mon Mar 08, 2021 3:21 pm
Answers: 1

Re: Passwords

Unread post by MJuric »

Merovingien wrote: Wed May 12, 2021 6:30 am I prefer to manage passwords myself, with paper.
I live about five miles from a nuclear power plant. Every other year they do an "Open house", to their visitor center not the actual plant. In the Visitor center is their training center. It's essentially an exact replica of the control center for the plant except it doesn't actually control anything.

While I was walking through the place I noticed that essentially everything was mechanical: 10-15 way mechanical switches, a bunch of them, mechanical gauges, readouts etc. etc. I asked why they haven't updated anything to, say, 1990. His response was "We haven't found anything that can't be hacked". Pretty hard to hack a mechanical switch or a piece of paper :D
Frederick_Law
Posts: 1822
Joined: Mon Mar 08, 2021 1:09 pm
Answers: 8
Location: Toronto

Re: Passwords

Unread post by Frederick_Law »

Yes, and pretty hard to shut it down when the switch and paper is beside the core .....
jcapriotti
Posts: 1792
Joined: Wed Mar 10, 2021 6:39 pm
Answers: 29
Location: The south

Re: Passwords

Unread post by jcapriotti »

Had a guy here who used to write his passwords down in a notebook to all his sites and our internal systems. But he was a little paranoid about his security so he would list several potential passwords, there may have even been some personal memory encryption scheme involved as well (He wouldn't tell). Anyway, we had to keep resetting his password to various systems because he kept forgetting what password he used.
Jason
mike miller
Posts: 878
Joined: Fri Mar 12, 2021 3:38 pm
Answers: 7
Location: Michigan

Re: Passwords

Unread post by mike miller »

jcapriotti wrote: Thu May 20, 2021 4:40 pm Had a guy here who used to write his passwords down in a notebook to all his sites and our internal systems. But he was a little paranoid about his security so he would list several potential passwords, there may have even been some personal memory encryption scheme involved as well (He wouldn't tell). Anyway, we had to keep resetting his password to various systems because he kept forgetting what password he used.
The worst ones are the guys with a sticky note hanging off the monitor and all the rest of the passwords under "P" in the Rolodex.
He that finds his life will lose it, and he who loses his life for [Christ's] sake will find it. Matt. 10:39
zwei
Posts: 700
Joined: Mon Mar 15, 2021 9:17 pm
Answers: 18
Location: Malaysia

Re: Passwords

Unread post by zwei »

I came across someone who wrote their passwords in a notebook, but with a Caesar cipher/shift.
He used a fixed number (according to him, his favorite number) for shifting all his passwords...

It sounds good on paper; no one can really guess his password even if he leaves the notebook with his passwords on his desk...

Until one day the notebook was lost :?
Far too many items in the world are designed, constructed and foisted upon us with no understanding-or even care-for how we will use them.
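A fixed Caesar shift has only 26 possible keys, and it leaves digits and symbols exactly where they are, so a lost notebook reveals the shape of every password and narrows each one to a handful of candidates. The following is an added illustration of that key space, not code from the thread; the sample password and shift are constructed.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def caesar(text, shift):
    """Shift letters by `shift` places, wrapping within the alphabet. Digits
    and symbols pass through unchanged, which already leaks where the
    letters, digits and symbols of the password sit."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def key_space():
    """Distinct keys a fixed-shift Caesar cipher can use (shift 0 included)."""
    return 26


def candidates(notebook_entry):
    """Every plaintext a notebook entry could stand for when the shift is not
    known: one per key, so at most 26 strings to choose between."""
    return [caesar(notebook_entry, -k) for k in range(key_space())]


if __name__ == "__main__":
    # Constructed sample: a password and the owner's "favorite number".
    password, favourite = "Blue7-Sky", 5
    entry = caesar(password, favourite)
    print(f"notebook shows {entry!r}; digits and symbols are untouched")
    print(f"{len(set(candidates(entry)))} candidate plaintexts, including {password!r}")
```

Compare this with what the thread's password-manager users get: a manager's vault is protected by a key derived from a long master secret, not by one of 26 shifts, so losing the encrypted file is not the same event as losing this notebook.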