How secure is your password?

[Eric DeSilva]

I wouldn't put too much stock in how long that site says it will take to crack your password. Even for data vaults that are long term, those numbers are meaningless--given that the old adage was that processor speeds double every two years, processors will run at 16x today's speeds 10 years from now, so something that takes 160 years to crack is suddenly very crackable. And people who break passwords professionally use distributed processing anyway, which bring those numbers down by orders of magnitude.

I would also point out that having a super strong password doesn't do you any good if you use the same password everywhere and some site stores it without good encryption. I'm shifting everything I can to two factor authentication and long pass phrases with site-specific components...

[Dave Sheldrake]

Only secure passworded system is one not connected to the internet.

cheers

Dave

[Dan Hintz]

Only secure passworded system is one not connected to the internet.

Sorry, that won't necessarily help you, either

[Pat Barry]

Sorry, that won't necessarily help you, either

Dan, why don't you provide some direction and guidance. If you have the knowledge then help us out.

[Scott Shepherd]

Pat, I think he's referring to some of the reports that Snowden released. One of the plans in place was for "operatives" in a special task force to intercept new computer and computer equipment orders going to foreign governments and companies and insert something into that devices that would allow them to be remotely monitored even if they were not connected to the internet. It was a stunning report to read, meaning even being unplugged from the internet isn't safe. Smart phones are the worst. They have complete and total control over those, even if you have them turned off, completely turned off. They can access the cameras, microphones, etc.

My guess is it's that type of information that has led Dan to say you aren't safe when unplugged with a wink.

[Dan Hintz]

Dan, why don't you provide some direction and guidance. If you have the knowledge then help us out.

Do some research using the term "air gap". Highly secure systems (or at least those thought to be) are air-gapped to prevent infiltration/exfiltration.

I'll also add... just because someone has knowledge of a subject does not mean they are allowed to help others out.

[Scott Shepherd]

Dan, what about making your outside walls a faraday cage? Would that help?

[Dan Hintz]

Dan, what about making your outside walls a faraday cage? Would that help?

Help? Yes. Solve the problem? No.

[Scott Shepherd]

Help? Yes. Solve the problem? No.

You ubergeeks are some sneaky people

[Jessica Pierce-LaRose]

I don't know how that site works, so maybe it's not like this, but previous things like this I've seen, are estimating how long it might take a computer to "brute force" your password, trying all combos until it hits something that works. That's not usually the case. Usually, well thought out programs start with large compiled tables of known passwords, words in the dictionary (including things like substituting "1" or "I", etc.) common "patterns", (things like typing "squares" on your keyboard, etc.)

The other thing, is these sites generally aren't trying to log into a site over and over - they're usually working against a table of data, trying to match passwords from there.

A couple of interesting articles I remember from last year on this stuff:

http://arstechnica.com/security/2013...our-passwords/

http://arstechnica.com/security/2013...sword-cracker/


In my experience, one of the best things you can do is enable two factor authentication when you can. My bank, for example, if I log into the website from a different computer, I have to both enter my password and a code that is texted to my phone.

[Scott Shepherd]

I don't worry too much about it. My belief is there's a lot better value for the time spent by trying to get into my bank, rather than trying to get into my individual account. Get into the bank, you have millions of people's information that could be worth a lot of money on the black market. I think it's far worse when someone hits someone like the Target breach months ago, since they've collected data about me that I didn't willingly sign up to give them by swiping my debit card. That, I can't control too much, other than paying cash for everything, but my passwords, I can control.

Get into a bank or medical database and you've got some pretty serious data bad people would love to have access too.

[Pat Barry]

I don't worry too much about it. My belief is there's a lot better value for the time spent by trying to get into my bank, rather than trying to get into my individual account. Get into the bank, you have millions of people's information that could be worth a lot of money on the black market. I think it's far worse when someone hits someone like the Target breach months ago, since they've collected data about me that I didn't willingly sign up to give them by swiping my debit card. That, I can't control too much, other than paying cash for everything, but my passwords, I can control.

Get into a bank or medical database and you've got some pretty serious data bad people would love to have access too.

Related to this, I was talking with my financial advisor yesterday (Ameriprise) and they have a "Total View" money management system. You log into your Ameriprise account and then link it to your other financial accounts and it displays everything for you thru the Ameriprise portal. I'm curious what you guys think of that? Makes me nervous thinking about the level of security that would be needed. He also mentioned this is similar in some ways to a service you can get through Mint.com. Too risky?

[Curt Harms]

Related to this, I was talking with my financial advisor yesterday (Ameriprise) and they have a "Total View" money management system. You log into your Ameriprise account and then link it to your other financial accounts and it displays everything for you thru the Ameriprise portal. I'm curious what you guys think of that? Makes me nervous thinking about the level of security that would be needed. He also mentioned this is similar in some ways to a service you can get through Mint.com. Too risky?

To me? Yeah.

[Curt Harms]

I don't worry too much about it. My belief is there's a lot better value for the time spent by trying to get into my bank, rather than trying to get into my individual account. Get into the bank, you have millions of people's information that could be worth a lot of money on the black market. I think it's far worse when someone hits someone like the Target breach months ago, since they've collected data about me that I didn't willingly sign up to give them by swiping my debit card. That, I can't control too much, other than paying cash for everything, but my passwords, I can control.

Get into a bank or medical database and you've got some pretty serious data bad people would love to have access too.

Yup, and they have essentially unlimited time to hack on any (weakly?) encrypted data.

[Scott Shepherd]

Yup, and they have essentially unlimited time to hack on any (weakly?) encrypted data.

And I'm sure if that were your target, you're not some hack in your parent's basement, you're backed by some serious money, which would allow you to step up to some fairly serious computing power where your supercomputer(s) did nothing but work on the issue 24/7 at a really fast pace. You could spend $20,000,000 on a state of the art computer center that did nothing but work on cracking it, and you'd still make a ton of money if you could ever crack it.