Automated hacking tools swarm Web site login pages - CSO Online - Security and Risk

Posted by UncommonSense 10 years, 5 months ago to Technology

This is one of my favorite sites for professional Situational Awareness on the IT Security front. Take heed of the information and if anyone has a dictionary word + any numbers as a password, you'd better step up and change it to something harder. FYI.
SOURCE URL: http://www.csoonline.com/article/742796/automated-hacking-tools-swarm-web-site-login-pages



  • Posted by khalling 10 years, 5 months ago
    what about symbols in the middle of a dictionary word?
    • Posted by 10 years, 5 months ago
      Good question. Don't know about that one. But, I'll bet a savvy password hacker/true professional programmer may have already included that in their arsenal. (I would)

      Instead, use the NSA guidelines: (yes, I know they aren't exactly popular right now, just keep calm! :) ) Minimum of 2 upper case, 2 lower case, 2 numbers and 2 special characters with a 10 character minimum length overall ~ that means you'll use more than 2 of one of letters/numbers/special characters. Change out every 45 days (if you're really concerned) and you'll be good to go.

      Oh, don't think you're so slick if you substitute one of the letters or numbers in the middle of the word and believe you'll fool a password cracking program: for example...P@ssw0rd....that is very weak and it would be brute forced in no time. Use pass phrases instead.
  • Posted by BambiB 10 years, 5 months ago
    One useful way to generate reasonably secure passwords is to pick a poem or quote you like - preferably an obscure one. Something like: "Never appeal to a man's better nature - he might not have one. Invoking his self interest gives you more leverage." (Heinlein). Then use the nth letter from each word. For example, the 3rd letter of each word would give you "vpnttgtvevsltvurv" - which is pretty secure.
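The nth-letter derivation described in the comment above, written out as an added example (not code from the original thread); it reproduces the commenter's own output for n=3 by skipping words shorter than n, which is how "to", "a", "he" and the lone "-" drop out, and it assumes non-letter characters such as the apostrophe in "man's" are stripped before indexing:

```python
import re

# Constructed sample input: the Heinlein quote from the comment above.
QUOTE = ("Never appeal to a man's better nature - he might not have one. "
         "Invoking his self interest gives you more leverage.")


def nth_letter_password(phrase: str, n: int) -> str:
    """Return the n-th letter (1-based) of every word in `phrase`.

    Words are split on whitespace. Non-letter characters (apostrophes,
    punctuation, stray hyphens) are stripped first, and any word with
    fewer than n letters contributes nothing, so short words and the
    lone "-" in the quote are silently skipped. Output is lowercased,
    which means the result only draws on a 26-symbol alphabet.
    """
    if n < 1:
        raise ValueError("n must be >= 1")
    letters = []
    for raw in phrase.split():
        word = re.sub(r"[^A-Za-z]", "", raw)  # "man's" -> "mans"
        if len(word) >= n:
            letters.append(word[n - 1].lower())
    return "".join(letters)


if __name__ == "__main__":
    # Matches the string the commenter gives: vpnttgtvevsltvurv
    print(nth_letter_password(QUOTE, 3))
```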
  • Posted by BambiB 10 years, 5 months ago
    The second question is: What if the web site simply adds a 12-character string to all passwords? So if you use "password" as your password, the REAL password (and the one that's hashed) is something like "password12H43b!!-/$04X". You'd have to crack at least two of them to see the addition of "12H43b!!-/$04X" to the base password, after which normal cracking time constraints would apply. But to get the first two passwords would take something on the order of hundreds of billions of years... which I would consider sufficiently secure.
    Of course, if crackers are running loose in your program space, you're hosed anyway.
  • Posted by BambiB 10 years, 5 months ago
    The first question is: Where did they get the list of hashed passwords?
    • Posted by 10 years, 5 months ago
      Hacker underground. Also, everybody in the world has their thing they truly like to do. Some people love writing poetry, some people love working on cars (got tools? =) ), some love tinkering with computer H/W, and others...love cracking weak passwords. They love the technical challenge it poses. That community of like-minded hackers knows where to find the latest cracking tools and some know who to reach out to for custom code cracking algorithms.

      Others may employ tools such as cloud-cracking sites like cloudcracker.com. FYI.