
passwords

Posted: Tue Jul 27, 2010 1:15 pm
by Don
When you make a password it's supposed to be easy for you to remember but hard for someone to guess, and here's a list of examples of how to make your password. Now I don't know about you, but the only way I can remember most of those passwords is if I wrote them down!

G0n2maui (gone to Maui)
Liv42day (live for today)
imlwazL8 (I’m always late)
pwkn0t4U (password not for you)
Iluvmik9 (I love my dog)
Bmusc0ty (beam me up Scotty)

Wh0letthek9z0ut? (Who let the dogs out?)
g0@hedm@kmid@y (go ahead, make my day)
<Going2Maui4vacin_08> (going to Maui for vacation in August)
Dr.Ouch_that_hurtsalot!
1h@teremembering PASSw0rds!
LimeTime4PrimeTime
Icecream_lover@mission_impossible.net
www.PaswordNOT4you.net
16thofJune@68
What fun!January1_2006

Re: passwords

Posted: Tue Jul 27, 2010 1:36 pm
by Flip
I hate the environments that make you change passwords every 6 months and force the new one to not share any similar characteristics to the old one and have to be 6 characters or more with at least one weird symbol, a capital letter, or number. I mean what the fuck, how am I supposed to have that many revolving passwords I can remember?

The passwords aren't even really the issue; what is funny is the fact that most of my friends would be able to unlock any of my accounts because they know me well enough to answer the security questions. I mean, it's seriously easy to hack into any of your family members' or ex-girlfriends' accounts because you probably know the street they grew up on, or their first pet, or their best friend's first name, etc.

What a joke.

Re: passwords

Posted: Tue Jul 27, 2010 2:38 pm
by Don
I remember going to a security forum and the guy was giving a speech, and it was like: "Yesterday this guy from some security place was a great resource so I signed up for his site, and now I have 101 unique passwords I need to keep track of!" Of course the guy uses a program to keep track of all his 101 unique passwords, and the point was that it's really dumb to expect anybody to be able to remember that kind of stuff.

I personally believe that it's best if you just faceroll on the secret question; that way nobody can ever possibly guess it, including yourself. It'd suck if you ever forgot your password, but it's really too easy to do stuff like what city were you born in or what's your favorite color.

Re: passwords

Posted: Tue Jul 27, 2010 2:50 pm
by Mully
Flip wrote: I hate the environments that make you change passwords every 6 months and force the new one to not share any similar characteristics to the old one and have to be 6 characters or more with at least one weird symbol, a capital letter, or number. I mean what the fuck, how am I supposed to have that many revolving passwords I can remember.
Try every 30 days here where I work.

Rules:
Password can't be the same as the last 6 passwords
Can have successive letters (like: password (two s's together))
Must be 8 characters
and your same rules above.

Re: passwords

Posted: Tue Jul 27, 2010 3:24 pm
by Shellie
And can't have the same letter in the same position as the previous.

Re: passwords

Posted: Tue Jul 27, 2010 3:58 pm
by Shrinweck
Flip wrote: The passwords aren't even really the issue; what is funny is the fact that most of my friends would be able to unlock any of my accounts because they know me well enough to answer the security questions. I mean, it's seriously easy to hack into any of your family members' or ex-girlfriends' accounts because you probably know the street they grew up on, or their first pet, or their best friend's first name, etc.

What a joke.
Why choose security questions that are that easy, then? Like, if I choose my mother's maiden name, even if my friends know it the chance of them being able to spell it is slim, so that's a valid choice.

You could also just lie as long as you could remember the lie, too. What the hell does your bank's account computer know about your first pet's name not being aLdesk1211?

Re: passwords

Posted: Tue Jul 27, 2010 4:23 pm
by Don
Problem with picking bogus answers to security questions is that you're likely to forget that you once put that your favorite color was Klingon. You don't get to pick the security questions, so you can only mess with the answers.

Re: passwords

Posted: Tue Jul 27, 2010 5:47 pm
by Shrinweck
Pick the same bogus one for all of them, then? My bank does do this super annoying thing where you have to answer a whole slew of security questions and it picks from one randomly whenever you log in. UGH

Re: passwords

Posted: Tue Jul 27, 2010 6:03 pm
by Don
That's the same as having one password and you're probably not going to forget that anyway.

Re: passwords

Posted: Tue Jul 27, 2010 6:19 pm
by Zeus
We have to have 3 passwords:

1) Network Password: changed every 60 days and cannot be the same as the previous 24 (yes, 24), must have a capital, number, and special character
2) Encryption Password: never changes (this one is nice)
3) Taxpayer info access password: changed every 60 days, cannot be even remotely close to the previous 12 (not only can you not just change one letter/number, you actually cannot have too many of the same character in the same position either), must have at least one capital, one number, and one of three special characters only as the 6th or 7th character. Yes, it's that retarded

Re: passwords

Posted: Tue Jul 27, 2010 7:43 pm
by SineSwiper
I like "shift+31337" passwords. It usually tackles all of the requirements. Basically, you hold shift for one word, and let go for another. For example:

G))Dd0ct3r (good doctor)
F##L!NGf1n3 (feeling fine)
th3SHR!N# (the shrine)

I also have a "one-handed" password that is quick to type, as I just use the left side of the keyboard. It doesn't actually form a word, but just uses letters and numbers. You could probably sneak a tilde in there, too.

Re: passwords

Posted: Tue Jul 27, 2010 7:46 pm
by Don
I think it'd be hard to remember where you used numbers instead of letters if you had to change them every 180 or less days. It can certainly work if it's something you plan to keep for years.

Re: passwords

Posted: Tue Jul 27, 2010 7:51 pm
by Don
As an aside, if you've a restriction of 'can't be same as before' then that implies the actual password is stored somewhere and that seems to present a pretty significant security risk, since if you only store the hashed password there's no way you can tell Don1 and Don2 are alike as they'd hash to totally different values. I was always under the impression that in a good security even an admin should only be able to reset your password, but he'd never be able to know what your password is/was.

Re: passwords

Posted: Tue Jul 27, 2010 7:54 pm
by SineSwiper
Zeus wrote: We have to have 3 passwords:

1) Network Password: changed every 60 days and cannot be the same as the previous 24 (yes, 24), must have a capital, number, and special character
2) Encryption Password: never changes (this one is nice)
3) Taxpayer info access password: changed every 60 days, cannot be even remotely close to the previous 12 (not only can you not just change one letter/number, you actually cannot have too many of the same character in the same position either), must have at least one capital, one number, and one of three special characters only as the 6th or 7th character. Yes, it's that retarded
The problem with over-doing security is that you make it less secure. Any password scheme that you can't remember will break down to simple patterns and post-it notes. For example, at work, several people with the billing password scheme (the one Mully is talking about) will do something like this:

qwerty123
asdfgh456
zxcvbn789

So, you've gone to passwords that could actually securely lock data to ones that could be figured out by running through a pattern dictionary or just stealing sticky notes or just looking at the person's hand.

These are the rules that work:

1. Eight characters in length
2. Using 1 capital, 1 number, 1 symbol (either one or all of those rules)
3. Cycling through 2 or 3 or 4 passwords.

Anything else is LESS secure than these rules! Unless somebody documents a process for remembering these types of passwords, because I can't fucking remember 24 different passwords or make sure that a password does have the same LETTER as one from 12 months ago.
Don wrote: I was always under the impression that in a good security even an admin should only be able to reset your password, but he'd never be able to know what your password is/was.
For most systems, yeah (read: any system that isn't a total piece of shit). These systems use one-way encryption, so it compares the result (after the typed word is encrypted) with what is stored in its database.

Re: passwords

Posted: Tue Jul 27, 2010 8:16 pm
by Shrinweck
I keep four secure passwords that are all variants of the bullshit four letter ones I used when I was a kid. I jumble up the letters and capitalize one of them and then use four numbers that follow a pattern, but not one that has any real guessable meaning.

I talked to my father about this once and he has to keep track of several different passwords at once. For two of them he has small devices that fit in a wallet/key chain and get sent updates for the password for a couple of things he uses, and the others are mostly patterns of punctuation (periods, commas), something complicated but easy to type in quickly.

Re: passwords

Posted: Tue Jul 27, 2010 8:31 pm
by Don
The guy giving a speech on why passwords are dumb says he has a program that keeps track of his 100+ passwords and it requires some kind of master password (so he better not forget that one) to get all his other 100+ passwords. He was in favor of a two factor authentication because even a password like '12345' isn't trivial to crack if you limit to 3 logins in a period of time, and presumably that's enough time for the guy to notice he's missing his token to call the guys to get the token revoked, and certainly you won't forget your password was '12345' if it was that easy.

Of course, needing to carry around some kind of token to log onto anything can be a pain in itself.

Re: passwords

Posted: Tue Jul 27, 2010 10:19 pm
by Zeus
SineSwiper wrote:
Zeus wrote: We have to have 3 passwords:

1) Network Password: changed every 60 days and cannot be the same as the previous 24 (yes, 24), must have a capital, number, and special character
2) Encryption Password: never changes (this one is nice)
3) Taxpayer info access password: changed every 60 days, cannot be even remotely close to the previous 12 (not only can you not just change one letter/number, you actually cannot have too many of the same character in the same position either), must have at least one capital, one number, and one of three special characters only as the 6th or 7th character. Yes, it's that retarded
The problem with over-doing security is that you make it less secure. Any password scheme that you can't remember will break down to simple patterns and post-it notes. For example, at work, several people with the billing password scheme (the one Mully is talking about) will do something like this:

qwerty123
asdfgh456
zxcvbn789

So, you've gone to passwords that could actually securely lock data to ones that could be figured out by running through a pattern dictionary or just stealing sticky notes or just looking at the person's hand.

These are the rules that work:

1. Eight characters in length
2. Using 1 capital, 1 number, 1 symbol (either one or all of those rules)
3. Cycling through 2 or 3 or 4 passwords.

Anything else is LESS secure than these rules! Unless somebody documents a process for remembering these types of passwords, because I can't fucking remember 24 different passwords or make sure that a password does have the same LETTER as one from 12 months ago.
Don wrote: I was always under the impression that in a good security even an admin should only be able to reset your password, but he'd never be able to know what your password is/was.
For most systems, yeah (read: any system that isn't a total piece of shit). These systems use one-way encryption, so it compares the result (after the typed word is encrypted) with what is stored in its database.
You're preaching to the choir here. I've been telling them that since I started working there. But that's the government for ya: over-reaction with little information and then not man enough to admit the mistake and correct it.

Re: passwords

Posted: Wed Jul 28, 2010 12:54 am
by Don
One thing I don't get is that if you have a '3 failed logins and you're locked out' policy like most places do, you can have a rather trivial password (i.e. '12345') and it is still going to take a very long time to break through it even if it just forces you to wait 10 minutes after 3 failures. I know not every system has that kind of policy implemented but most do, and it doesn't matter what kind of firepower you have, if you can only try 3 times in 10 minutes you're never going to break even a password based purely on English dictionary words.

Re: passwords

Posted: Wed Jul 28, 2010 8:29 am
by SineSwiper
Don wrote: One thing I don't get is that if you have a '3 failed logins and you're locked out' policy like most places do, you can have a rather trivial password (i.e. '12345') and it is still going to take a very long time to break through it even if it just forces you to wait 10 minutes after 3 failures. I know not every system has that kind of policy implemented but most do, and it doesn't matter what kind of firepower you have, if you can only try 3 times in 10 minutes you're never going to break even a password based purely on English dictionary words.
Some are expecting that a hacker might get a hold of the encrypted password file, so a secure password would at least give them a lot more time before he ever cracks it.

Re: passwords

Posted: Wed Jul 28, 2010 11:49 am
by Don
SineSwiper wrote:
Don wrote: One thing I don't get is that if you have a '3 failed logins and you're locked out' policy like most places do, you can have a rather trivial password (i.e. '12345') and it is still going to take a very long time to break through it even if it just forces you to wait 10 minutes after 3 failures. I know not every system has that kind of policy implemented but most do, and it doesn't matter what kind of firepower you have, if you can only try 3 times in 10 minutes you're never going to break even a password based purely on English dictionary words.
Some are expecting that a hacker might get a hold of the encrypted password file, so a secure password would at least give them a lot more time before he ever cracks it.
If the file is already encrypted, the encryption process would already make it impossible to tell the password was easy unless you know the encryption method. And I think in that case you can just use a rainbow table though I'm not exactly sure how it works there.

Re: passwords

Posted: Wed Jul 28, 2010 1:44 pm
by Oracle
Interesting article on why it isn't necessarily bad to write down your password:

http://threatpost.com/en_us/blogs/why-y ... etter&CID=

Not saying write it down on a post-it note on your monitor, but sometimes writing a password down in a secure location is better than storing them in your browser's auto-fill or in a password-vault application, as a lot of malware out there specifically looks for these types of password caches and is able to compromise them.

Where I work, we have a single sign-on implementation that works not too badly. It gives you 5 attempts before locking you out and gives you the ability to change your password via two security questions if you forget it (and haven't already locked yourself out). I would prefer three attempts = lockout and three security questions vs. two, but it's better than the previous status quo.

And Sine is correct: the reason why it is still important to have a strong password on a system that has an 'X amount of tries = lockout' mechanism is due to the possibility of an attacker gaining access to the encrypted (i.e. post-hashed) password file, which they could attempt to then brute-force by trying to replicate the same hash value. The strong password, combined with a salt, makes it much harder to reverse-engineer a hash. Then you couple this with a mandatory password reset policy, such as every 60 days, in the hope that if the compromised encrypted password file is actually utilized, a change of passwords will provide at least a degree of mitigation (as the attacker would have to obtain a new password file to crack). It all depends on how quickly the attacker attempts to crack the file after acquiring it, and then how long it actually takes to crack a password.

Re: passwords

Posted: Wed Jul 28, 2010 2:30 pm
by Don
The defense against brute forcing passwords is the strength of the salt not the strength of the password. By definition even something like '12345' combined with some random bits and hashed would not yield any information that '12345' was in it at some point or you wouldn't have a good hash function, so having a big enough value for salt alone will stop you from brute forcing the password. Even with extremely simple password, assuming you didn't tell the attacker that the password was either 12345 or 54321, he still has to start at a reasonably large (say thousands) password sample space and then that number is increased exponentially for each bit of salt.

If the password contains no salt then a rainbow table will usually be enough anyway given storage is cheap today unless you use some really exotic characters.

Re: passwords

Posted: Wed Jul 28, 2010 4:50 pm
by Oracle
Don: yup, you're right. As long as the password isn't easily guessable within the amount of attempts allowed before lockout, odds are your password is good enough in a properly secured environment (lock-out attempts, proper password hashing storage, proper use of salting, etc). My previous comment regarding adding a salt to a strong password doesn't really apply after reading it again, because as you said, you can't rainbow table the salt+password hash, and odds are the salt value combined with the password is long enough that brute-forcing would simply not be feasible.

If you can assume that all of those measures are in place, you really don't have to worry about your password being attacked successfully, strong or not. If any of those are missing, however (especially salting), then the need for strong passwords is still there.

I'm more worried about a user (a specifically targeted user, such as an exec) using a password on some forum that doesn't have the proper password measures in place, the password becoming compromised at that point, and then the password being applied to his work user accounts and, wouldn't you know it, he uses the same password! This is where strong passwords still have a place.

This is also why you see so much password-stealing malware out there: it just doesn't make much sense to try and crack them if the proper password management measures are in place.

Multi-factor authentication is definitely the way to go on any system that needs protecting. I know some people hate carrying around RSA tokens, but with the existence of so much password-stealing software out there, it's the best way to be secure.

Re: passwords

Posted: Wed Jul 28, 2010 5:02 pm
by Don
I think when the guy made the presentation his point was that storage is so cheap these days, if you didn't have a salt almost certainly whatever password you have is going to be on a rainbow table somewhere since it's cheap to store huge amounts of data.

If you use the same password for multiple sites then having a strong word doesn't make the same password that was compromised harder to crack because it's the same password. Here forcing you to change passwords constantly will help but it also means you got to keep track of more passwords. I just end up changing most of my passwords at the same time because otherwise I'll never be able to keep track of them. Either way you're either back to one password or you have to store the password somewhere.

Two factor is pretty much foolproof assuming you believe they can't intercept anything from the token (seems to be pretty much impossible but obviously I can't say for sure), but it sure is annoying to always carry something with you.

Re: passwords

Posted: Wed Jul 28, 2010 5:06 pm
by Oracle
Eh, my RSA token is small enough to fit on my keychain. The larger, credit card-sized (but 10x as thick) ones were a pain in the ass.

But then if you get into needing a separate RSA token for each system you are accessing, then yea, massive pain in the ass that users won't put up with.

Honestly, I just want one for work, and for my bank account. If paypal and WoW offer this type of security for accounts, why the fuck doesn't my bank?!!?

Re: passwords

Posted: Wed Jul 28, 2010 5:13 pm
by Julius Seeker
I usually cycle through my typical four: love, sex, secret, and god.......

If there's a 6 character minimum requirement, I mix it up a little: lovesex, or secretsex for example; my favourite is secretgodsex.

Re: passwords

Posted: Wed Jul 28, 2010 9:47 pm
by SineSwiper
Don wrote: The defense against brute forcing passwords is the strength of the salt not the strength of the password.
Wrong! Do you even know how that works? The salt is IN the encrypted password. When comparing passwords, the salt from the encrypted password is used to encrypt the typed result and see if they match. If the password is 12345, something which is in any brute force dictionary file, it doesn't matter if the salt is 2 characters or 16 characters, as it's right there plain as day.

Re: passwords

Posted: Wed Jul 28, 2010 10:45 pm
by Don
Say your hash function is just hash(password+salt). Let's say the salt is just one byte, so you end up with hash(123450X00000001) all the way up to hash(123450X11111111) and there are 256 possibilities. Because it's a hash function you can be sure hash(123450Xanything) does not remotely look like hash(12345), because that's the definition of a good hash function. Therefore there's no way any of the results will look like hash(12345) no matter what. Now yes, you can clearly compute all 256 ways to hash this, but that's also only 1 byte. A 10 byte password would require computing 2^80 per password you're trying to crack. This also assumes you know exactly how the salt is used. It doesn't necessarily have to be as simple as password+hash. It can be something trickier.

Re: passwords

Posted: Thu Jul 29, 2010 10:48 am
by Kupek
Salt only makes brute force attacks harder if the attacker is comparing computed passwords. That is, the attacker takes the passwords and the salt, computes the cryptographic function themselves, and compares their result against the known real value. This is relevant if, say, you're already logged into a Unix system and you can see hashed passwords in /etc/passwd. If the attacker goes through the normal way of logging in (they don't already have access to the system), then the salt doesn't matter.
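Don asks above how a "can't be the same as before" rule can work if only hashes are stored, SineSwiper replies that the comparison happens after one-way hashing, and the last few posts argue over what the salt actually protects. The Python below is an added example, not code from any poster; `Account`, `HISTORY`, `WORDLIST` and the PBKDF2 work factor are assumptions chosen for illustration. It shows the history check done against hashes alone, and why a precomputed table matches an unsalted record but never a salted one.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for this example
HISTORY = 6           # "can't be the same as the last 6 passwords" (Mully's rule)


def hash_password(password, salt):
    """One-way derivation of password+salt. The salt is stored in the clear
    next to the result so the verifier can repeat the same computation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    """Holds only (salt, hash) pairs: the current credential plus its history.
    No plaintext is ever kept, so nobody, admin included, can read it back."""

    def __init__(self, password):
        self.history = []  # list of (salt, hash), newest last
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)  # fresh random salt for every stored entry
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-(HISTORY + 1):]

    def verify(self, password):
        """Login check: re-hash the typed password under the stored salt and
        compare. The server applies the salt itself, so the salt adds nothing
        against online guessing; only the lockout policy limits that (Kupek)."""
        salt, digest = self.history[-1]
        return hmac.compare_digest(digest, hash_password(password, salt))

    def change_password(self, old, new):
        """Reject exact reuse of anything in the history without any stored
        plaintext: the candidate is re-hashed under each old salt. Similarity
        rules ('Don1' vs 'Don2') cannot be evaluated from hashes, which is
        Don's point; only `old`, typed in the clear right now, could be
        compared character by character with `new`."""
        if not self.verify(old):
            return False
        for salt, digest in self.history:
            if hmac.compare_digest(digest, hash_password(new, salt)):
                return False
        self._store(new)
        return True

    def admin_reset(self, new):
        """An admin can replace the credential but never recover the old one."""
        self._store(new)


# --- What the salt does and does not buy -----------------------------------
WORDLIST = ["12345", "password", "qwerty123"]  # constructed, tiny, for the demo


def unsalted_digest(password):
    """The weak scheme: plain SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def precomputed_table():
    """A hash -> password table built in advance, the idea behind a rainbow
    table: pay the hashing cost once, then reuse it against every record."""
    return {unsalted_digest(w): w for w in WORDLIST}


def table_lookup(digest):
    """Instant hit on an unsalted record; always a miss on a salted one, since
    the stored hash covers a salt the table never saw. Against a salted record
    each guess must be hashed afresh per record, which is SineSwiper's point:
    a weak password is still found quickly, it just cannot be looked up."""
    return precomputed_table().get(digest)


def same_password_same_hash(password):
    """Two accounts with the same password store different hashes when salted,
    so no single precomputed table serves both."""
    a, b = Account(password), Account(password)
    return a.history[-1][1] == b.history[-1][1]
```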

Re: passwords

Posted: Thu Jul 29, 2010 11:02 am
by Flip
I think someone should invent a password verification system that compares the speed, cadence, and rhythm that each letter/symbol is typed, give or take a small timing buffer.

I know in my instance, I whip out the first 6 characters fast, then there is a slight pause while I hit shift and whatever follows. THAT would be hard to duplicate.

Once you invent it, credit me.

Re: passwords

Posted: Thu Jul 29, 2010 11:57 am
by Julius Seeker
12345 was the combination on my lunchbox.

Re: passwords

Posted: Thu Jul 29, 2010 1:47 pm
by Don
It's hard for me to imagine any system that'd just let you log in thousands of times without at least noticing some kind of red flag. I know they exist but that's a pretty insecure system there so it's likely to have some other problems anyway.

Re: passwords

Posted: Thu Jul 29, 2010 4:30 pm
by Shrinweck
Flip wrote: I think someone should invent a password verification system that compares the speed, cadence, and rhythm that each letter/symbol is typed, give or take a small timing buffer.

I know in my instance, I whip out the first 6 characters fast, then there is a slight pause while I hit shift and whatever follows. THAT would be hard to duplicate.

Once you invent it, credit me.
That doesn't account for complicated passwords that one is just beginning to learn or doesn't use very often. There's a forum I frequent whose password requirements are ten characters and it has to include upper caps and capitalized letters, numbers, and punctuation/special characters. I have to type it in at most two or three times a month and constantly forget it. I'm considering moving up my secure password list to this same ideal password, but have been way too lazy about it as my standard secure passwords I can whip out in no more than a few seconds since I've had them or variants for years.
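Flip's typing-rhythm idea and Shrinweck's objection to it, as an added Python sketch that is not from either poster; the enrolment samples, the genuine and even-paced attempts and the 0.05 s buffer are all constructed assumptions:

```python
from statistics import mean, pstdev


def gaps(timestamps):
    """Inter-key intervals in seconds from absolute key-down times."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def enroll(samples):
    """Build a rhythm profile from several typings of the same password.
    Each position gets (mean gap, spread). Shrinweck's objection shows up
    here: a password typed rarely is typed inconsistently, so the spread,
    and with it the tolerance, grows until the rhythm check stops
    discriminating between the owner and anyone else."""
    per_gap = list(zip(*(gaps(s) for s in samples)))
    return [(mean(g), pstdev(g)) for g in per_gap]


def rhythm_matches(profile, attempt, buffer=0.05):
    """Accept when every gap lies within `buffer` + 2 spreads of the enrolled
    mean. This is Flip's 'small timing buffer'; it is a check on top of the
    password itself, never a replacement for verifying the password."""
    g = gaps(attempt)
    if len(g) != len(profile):
        return False
    return all(abs(x - m) <= buffer + 2 * sd for x, (m, sd) in zip(g, profile))


# Constructed key-down times for an 8-character password typed three times:
# six quick keys, a pause while reaching for Shift, then the last two.
ENROLL_SAMPLES = [
    [0.00, 0.10, 0.20, 0.30, 0.40, 0.50, 1.00, 1.10],
    [0.00, 0.11, 0.21, 0.32, 0.42, 0.52, 1.04, 1.15],
    [0.00, 0.09, 0.19, 0.29, 0.39, 0.49, 0.97, 1.07],
]
GENUINE_ATTEMPT = [0.00, 0.10, 0.21, 0.31, 0.41, 0.51, 1.02, 1.12]
# Someone who knows the password but types it at an even pace has no pause.
EVEN_PACE_ATTEMPT = [0.00, 0.15, 0.30, 0.45, 0.60, 0.75, 0.90, 1.05]


def demo():
    """Returns (owner accepted, even-paced typist accepted)."""
    profile = enroll(ENROLL_SAMPLES)
    return (rhythm_matches(profile, GENUINE_ATTEMPT),
            rhythm_matches(profile, EVEN_PACE_ATTEMPT))
```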

Re: passwords

Posted: Tue Aug 03, 2010 11:36 am
by Imakeholesinu
I love being a windows admin. Even with the password policy in place it can be bypassed by actually logging into the DC and changing your pw there.

Re: passwords

Posted: Tue Aug 03, 2010 5:51 pm
by SineSwiper
If you're the Windows Admin, maybe you should dictate the password policy to be more reasonable.

Re: passwords

Posted: Tue Aug 03, 2010 6:14 pm
by Oracle
SineSwiper wrote: If you're the Windows Admin, maybe you should dictate the password policy to be more reasonable.
If he's stating that the password policy can be bypassed by going to a Domain Controller, how exactly is altering the password policy going to change that fact?

Better securing the DC to prevent user access? Sure (although users better-the-hell-not have access to the DCs). Changing the fact that the DC has the ability to disregard the password policy when setting new passwords? Maybe (depends on whether or not it is technically possible/feasible). Changing the password policy? Barking up the wrong tree.

Re: passwords

Posted: Tue Aug 03, 2010 9:21 pm
by SineSwiper
Oracle wrote: If he's stating that the password policy can be bypassed by going to a Domain Controller, how exactly is altering the password policy going to change that fact?
Because, if he's bypassing the password policy, then that means that the password policy is annoying enough to need bypassing.

Re: passwords

Posted: Wed Aug 04, 2010 12:44 am
by Oracle
SineSwiper wrote:
Oracle wrote: If he's stating that the password policy can be bypassed by going to a Domain Controller, how exactly is altering the password policy going to change that fact?
Because, if he's bypassing the password policy, then that means that the password policy is annoying enough to need bypassing.

.... or it means he's a lazy Windows admin who doesn't follow IT policies, or who likes to use the same password over and over?

j/k Barret.

The point is he didn't say the password policy was 'bad', just that he loved being a Windows admin because he could go straight to the DC to change his password. Then you started to talk about changing the policy :p

So, for interest's sake, how bad is the password policy where you work, Barret? :p

Re: passwords

Posted: Thu Aug 05, 2010 10:59 am
by Imakeholesinu
Bad. Basically the DC remembers the last 24 passwords you use (MS maximum) and the minimum amount of time you have to use it is 3 days, to keep people from cycling through 24 passwords to get back to their original password. Password expiration is 45 days. If I'm in a pinch (say the weekend is approaching and I need to do some work remotely and don't feel like teaching myself a new pw) I'll reset it on the DC and then Monday I'll teach myself the new password out of Catholic guilt.

This is done because of the audits our customers are starting to go through so we need to be compliant as well.

Re: passwords

Posted: Thu Aug 05, 2010 9:09 pm
by SineSwiper
Imakeholesinu wrote: This is done because of the audits our customers are starting to go through so we need to be compliant as well.
What audit? What ridiculous organization is requiring these stupid systems in place?