Automated hacking tools swarm Web site login pages - CSO Online - Security and Risk

Posted by UncommonSense 10 years, 6 months ago to Technology

This is one of my favorite sites for professional Situational Awareness on the IT Security front. Take heed of the information and if anyone has a dictionary word + any numbers as a password, you'd better step up and change it to something harder. FYI.


All Comments

  • Posted by 10 years, 6 months ago in reply to this comment.
    Hacker underground. Also, everybody in the world has their thing they truly like to do. Some people love writing poetry, some people love working on cars (got tools? =) ), some love tinkering with computer H/W, and others...love cracking weak passwords. They love the technical challenge it poses. That community of like-minded hackers knows where to find the latest cracking tools, and some know who to reach out to for custom code-cracking algorithms.

    Others may employ tools such as cloud-cracking sites like cloudcracker.com. FYI.
  • Posted by Rocky_Road 10 years, 6 months ago in reply to this comment.
    What is a "cracker", and why would they be running loose in my program space (whatever that is)?
  • Posted by BambiB 10 years, 6 months ago
    One useful way to generate reasonably secure passwords is to pick a poem or quote you like - preferably an obscure one. Something like: "Never appeal to a man's better nature - he might not have one. Invoking his self interest gives you more leverage." (Heinlein). Then use the nth letter from each word. For example, the 3rd letter of each word would give you "vpnttgtvevsltvurv" - which is pretty secure.
  • Posted by BambiB 10 years, 6 months ago
    The second question is: What if the web site simply adds a 12-character string to all passwords? So if you use "password" as your password, the REAL password (and the one that's hashed) is something like "password12H43b!!-/$04X". You'd have to crack at least two of them to see the addition of "12H43b!!-/$04X" to the base password, after which normal cracking time constraints would apply. But to get the first two passwords would take something on the order of hundreds of billions of years... which I would consider sufficiently secure.
    Of course, if crackers are running loose in your program space, you're hosed anyway.
  • Posted by richrobinson 10 years, 6 months ago
    Thanks for the info OS. I think I need to change at least one password.
  • Posted by khalling 10 years, 6 months ago
    What about symbols in the middle of a dictionary word?
  • Posted by 10 years, 6 months ago in reply to this comment.
    Yep. Pass the hash. Rainbow tables... I test my 17+ character passphrases after the fact with a few 'good fellas' who like the challenge. They don't like the strength of mine... takes them a while. I always tell them they can use mine if they like for their sites... funny, they never take me up on the offer. :)
  • Posted by 10 years, 6 months ago in reply to this comment.
    Good question. Don't know about that one. But, I'll bet a savvy password hacker/true professional programmer may have already included that in their arsenal. (I would)

    Instead, use the NSA guidelines: (yes, I know they aren't exactly popular right now, just keep calm! :) ) Minimum of 2 upper case, 2 lower case, 2 numbers and 2 special characters with a 10 character minimum length overall ~ that means you'll use more than 2 of one of letters/numbers/special characters. Change out every 45 days (if you're really concerned) and you'll be good to go.

    Oh, don't think you're so slick if you substitute one of the letters or numbers in the middle of the word and believe you'll fool a password cracking program: for example, P@ssw0rd. That is very weak and it would be brute-forced in no time. Use passphrases instead.
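As an added illustration of the two points in the comment above (the 2-upper / 2-lower / 2-digit / 2-special, 10-character rule, and why P@ssw0rd-style substitutions don't help), here is a small server-side password acceptance check. It is example code written for this page, not from the thread or any site; the word list and the substitution table are constructed stand-ins for the much larger lists a real deployment would load.

```python
import string
from typing import Optional

# Constructed mini word list (assumption: a deployment would load a large
# leaked-password corpus instead of these five entries).
DICTIONARY = {"password", "welcome", "dragon", "letmein", "monkey"}

# Common symbol/digit substitutions that cracking rule sets undo before a
# dictionary match, so "P@ssw0rd" is tested as plain "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize_leet(candidate: str) -> str:
    """Undo common substitutions and lower-case the result."""
    return candidate.translate(LEET_MAP).lower()


def dictionary_base(candidate: str) -> Optional[str]:
    """Return the dictionary word the candidate is built on, if any.

    Leading/trailing digits and symbols are stripped first, so
    'PAssw0rd12!!' and 'P@ssw0rd' both reduce to 'password'.
    """
    core = candidate.strip(string.digits + string.punctuation)
    base = normalize_leet(core)
    return base if base in DICTIONARY else None


def meets_composition_rule(candidate: str) -> bool:
    """At least 2 upper, 2 lower, 2 digits, 2 specials and 10 chars overall."""
    counts = (
        sum(c.isupper() for c in candidate),
        sum(c.islower() for c in candidate),
        sum(c.isdigit() for c in candidate),
        sum(c in string.punctuation for c in candidate),
    )
    return len(candidate) >= 10 and all(n >= 2 for n in counts)


def assess(candidate: str) -> dict:
    """Apply both checks; a dictionary base fails even if composition passes."""
    base = dictionary_base(candidate)
    composition_ok = meets_composition_rule(candidate)
    return {"composition_ok": composition_ok,
            "dictionary_base": base,
            "accept": composition_ok and base is None}
```

Note that a composition rule alone would accept "PAssw0rd12!!", which the de-leeting step still catches as a dictionary word.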
