Page 4 of 6, results 46 to 60 of 80

Thread: How secure is your password?

  1. #46
    Quote Originally Posted by Pat Barry View Post
    If the NY Times article Scott provided has any merit, it doesn't matter how secure you think you are or what those fancy calculations tell you. You are at risk just like if you were using abc123 (one of my old passwords).
    It probably does not have any merit, IMHO.

    The outfit that announced this "discovery" (local to me, BTW, and they have a new office across the hall from a client of mine) indicates they get their information from chat rooms and discussion groups frequented by hackers. They (Hold Security), to the best of my knowledge, have not released any details that could be used to substantiate these statements.

    IMHO, this is an effort by an outfit to make a name for themselves. Here, look at the Wikipedia article they apparently created about their announcement:

    http://en.wikipedia.org/wiki/2014_Ru...password_theft

    FWIW, these types of attacks would typically not net actual passwords, but hashes of passwords. You would need the key and the hash to get the actual password. But again, I'm doubting anyone has 1.2 billion of anything at this point.

  2. #47
    Join Date
    Nov 2007
    Location
    Glenelg, MD
    Posts
    12,256
    Blog Entries
    1
    I'm (somewhat) inclined to agree with Phil... read the August 6th post on http://krebsonsecurity.com/ for a bit of background. The owner isn't exactly a household name in the security world (and we're a surprisingly small community). My guess is he came across a slew of material that was already stolen, then backtracked the source by listening to the people pawning it off for cash. It's a useful technique, but hardly worthy of a security company's resume... if that's their only real method of finding hacks, they're an info source, not a security company.
    Last edited by Dan Hintz; 08-07-2014 at 6:20 AM. Reason: Fixed painfully bad grammar that gave me an eye twitch when I saw it
    Hi-Tec Designs, LLC -- Owner (and self-proclaimed LED guru )

    Trotec 80W Speedy 300 laser w/everything
    CAMaster Stinger CNC (25" x 36" x 5")
    USCutter 24" LaserPoint Vinyl Cutter
    Jet JWBS-18QT-3 18", 3HP bandsaw
    Robust Beauty 25"x52" wood lathe w/everything
    Jet BD-920W 9"x20" metal lathe
    Delta 18-900L 18" drill press

    Flame Polisher (ooooh, FIRE!)
    Freeware: InkScape, Paint.NET, DoubleCAD XT
    Paidware: Wacom Intuos4 (Large), CorelDRAW X5

  3. #48
    Join Date
    Jun 2006
    Location
    The Hartland of Michigan
    Posts
    7,628

    Passwords hacked

    It would be prudent for everyone to change their sensitive passwords, now.

    From:
    http://fox6now.com/2014/08/06/russia...ion-passwords/

    NEW YORK (CNNMoney) — Russian criminals have stolen 1.2 billion Internet user names and passwords, amassing what could be the largest collection of stolen digital credentials in history, a respected security firm said Tuesday.
    The news was first reported by The New York Times, which cited research from Milwaukee-based Hold Security. The firm didn’t reveal the identities of the targeted websites, citing nondisclosure agreements and a desire to prevent existing vulnerabilities from being more widely exploited.
    Hold Security founder Alex Holden told CNNMoney that the trove includes credentials gathered from over 420,000 websites — both smaller sites as well as “household names.” The criminals didn’t breach any major email providers, he said.
    Never, under any circumstances, consume a laxative and sleeping pill, on the same night

  4. #49
    Join Date
    Nov 2007
    Location
    Glenelg, MD
    Posts
    12,256
    Blog Entries
    1
    Myk,

    See the last several posts...

  5. #50
    Quote Originally Posted by Dan Hintz View Post
    Myk,

    See the last several posts...
    There is an article in the morning local newspaper that goes somewhat into Alex Holden's (Hold Security) background. Apparently his LinkedIn profile says he earned an engineering degree from UW-Milwaukee. He confirmed that during an interview w/ the newspaper. They (newspaper) called the university, and they say he attended and never graduated.

    Now, I guess a lot of people pad their resumes. However, I (just a personal thing) can't stand cheaters. I cannot stand people that cheat on assignments or quizzes or exams. And misrepresenting your academic achievements has to be the highest form of cheating.

    I do not trust anyone that would misrepresent what is so easily confirmed.

    Just my humble opinion, but I would take anything this guy says with a giant grain of salt.

  6. #51
    Join Date
    May 2005
    Location
    Highland MI
    Posts
    4,521
    Blog Entries
    11
    Why would anyone try to individually hack your password when all they have to do is hack a website that stores passwords? And most secure websites give you a time out after three bad attempts. Even so, I upgraded my passwords to sites I wouldn't want hacked. Not so with sites like this.
    NOW you tell me...

  7. #52
    Reminds me of this:

    http://xkcd.com/936/

    And based on that comic, someone created a secure password generator that generates passwords that are easy to remember but hard for a computer to guess: http://correcthorsebatterystaple.net/
    ~Garth
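The comic Garth links (and the generator built on it) rests on one calculation: the entropy of a passphrase is the number of words times log2 of the word-list size, and that number is what sets the cracking time at a given guess rate. The script below, added here as an illustration and not code from either site or from any poster, carries that calculation through and draws the words with `secrets` rather than `random`. The 2,048-entry word list is constructed filler (only its size matters for the estimate), and the guess rates of 1,000/s (online) and 10^10/s (offline against a fast unsalted hash) are assumed round numbers, not measurements.

```python
import math
import secrets

# Constructed word list: only the SIZE matters for the entropy estimate.
# The xkcd-style generators draw from roughly 2,048 common words; a
# Diceware list has 7,776.
WORDLIST = [f"word{i:04d}" for i in range(2048)]

SECONDS_PER_YEAR = 365.25 * 86400


def passphrase(words, n=4, rng=secrets):
    """Pick n words uniformly at random. `secrets.choice` is used instead
    of `random.choice` so the picks are not predictable from a seed."""
    return " ".join(rng.choice(words) for _ in range(n))


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of n_words independent uniform picks from list_size words."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(length, charset_size):
    """Entropy of a TRULY random password of `length` symbols over a
    `charset_size` alphabet. A human-chosen 'Tr0ub4dor&3' style password
    has much less, because the substitutions are predictable."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at the given guess rate (worst case;
    the expected time is half of this)."""
    return (2 ** bits) / guesses_per_second


def years_to_exhaust(bits, guesses_per_second):
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("sample passphrase:", passphrase(WORDLIST))
    bits = passphrase_entropy_bits(len(WORDLIST), 4)
    print(f"4 words from {len(WORDLIST)}: {bits:.1f} bits")
    # Assumed guess rates: a rate-limited web login vs. an offline attack
    # on a leaked fast hash.
    print(f"  online  @ 1e3/s : {years_to_exhaust(bits, 1e3):.0f} years")
    print(f"  offline @ 1e10/s: {seconds_to_exhaust(bits, 1e10) / 60:.0f} minutes")
    print(f"6 Diceware words : {passphrase_entropy_bits(7776, 6):.1f} bits")
    print(f"8 random printable chars: {charset_entropy_bits(8, 94):.1f} bits")
```

The two guess rates are the point of the exercise: 44 bits is comfortable against a login form that allows a thousand guesses a second, and uncomfortable against an offline attacker with a leaked unsalted hash. Adding words is the cheap fix; six Diceware words is over 77 bits.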

  8. #53
    Join Date
    May 2005
    Location
    Highland MI
    Posts
    4,521
    Blog Entries
    11
    Seems like every time I ask someone if I can fax a document to them, forgetting that I am not at the office anymore so I have no fax machine, I get the reply that they would prefer that I scan it and attach it to an email. Faxes are going the way of the Labrador Duck. An attachment can be saved "in the cloud" and forwarded in a split second, a fax can be saved in a manila folder and forwarded by snail mail. But I have no scanner in my RV, so when I am in FL during April, I usually need to walk to the park office and pay to fax something to my tax preparer.

  9. #54
    Quote Originally Posted by Ole Anderson View Post
    Why would anyone try to individually hack your password when all they have to do is hack a website that stores passwords? And most secure websites give you a time out after three bad attempts. Even so, I upgraded my passwords to sites I wouldn't want hacked. No so with sites like this.
    Websites don't store passwords, they store password hashes.

    Watch this:
    http://www.wimp.com/knowpassword/

    So what these "hackers" have are databases of password hashes, mostly (worthless). About the only way to get an actual password is a phishing scheme, or a virus with a key logger.

  10. #55
    Join Date
    Dec 2012
    Location
    Bedford, NH
    Posts
    1,286
    I may be paranoid, but I'm reluctant to enter my real password on a PW checker as that would be an easy way for a hacker to set up the software to get your PW.
    Thoughts entering one's mind need not exit one's mouth!
    As I age my memory fades .... and that's a load off my mind!

    "We Live In The Land Of The Free, Only Because Of The Brave"
    “The problems we face today are there because the people who work for a living are outnumbered by those who vote for a living."
    "
    Socialism is a philosophy of failure, the creed of ignorance, and the gospel of envy, its inherent virtue is the equal sharing of misery." Winston Churchill

  11. #56
    Join Date
    Oct 2007
    Location
    Arlington, VA
    Posts
    1,850
    Phil, not entirely true. Hashing isn't a sinecure:

    http://lifehacker.com/5919918/how-yo...-doesnt-matter

  12. #57
    Join Date
    May 2005
    Location
    Highland MI
    Posts
    4,521
    Blog Entries
    11
    So how insecure a site will allow a computer to start guessing passwords unchecked? I usually get three tries.

  13. #58
    Quote Originally Posted by Eric DeSilva View Post
    Phil, not entirely true. Hashing isn't a sinecure:

    http://lifehacker.com/5919918/how-yo...-doesnt-matter
    Not understanding your use of the word "sinecure" here, but the article you linked has some fundamental errors. For example, it says "This means the strength of your password still matters, since the longer and more complex it is, the longer it will take to crack in a brute force attack." But if someone is using brute force, all that really matters is the weakest passwords in the hash. Once they have those, they have yours.

    But of course, getting even the weakest passwords is difficult because they don't just hash your password. As the article states, they will typically prepend, append, and insert strings into the password which you provide before running whatever algorithm they use. Whatever text they are inserting is often dependent on the login name. So unless you have the tables _and_ the actual source code being used for authentication, you're not going to be able to convert those hashes into passwords.

    Yes, there will always be exceptions (outfits that don't follow best practices). But the media sensationalizes this stuff and people think the movies are reality, where the tech guy "logs in through a back door and gets all the passwords." It just isn't that easy.

  14. #59
    Join Date
    Oct 2007
    Location
    Arlington, VA
    Posts
    1,850
    I've noticed that the older I get, the more I tend to think one thing and type another.

    I understand what you are saying. But when a professional website like LinkedIn uses unsalted hashes and leaks 6.5M passwords, I'm not going to assume that unsalted hashes are "exceptions."

    As I understand it, my linked article is correct. Just because you can do a brute force attack to identify the hash of a particular password does not mean, from what I've read, that you can reverse the hashing process to recover all of the passwords from a hash file. See http://en.wikipedia.org/wiki/SHA-1, and in particular, where it states: "Constructing a password that works for a given account requires a preimage attack, as well as access to the hash of the original password, which may or may not be trivial. Reversing password encryption (e.g. to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. (However, even a secure password hash can't prevent brute-force attacks on weak passwords.)"

  15. #60
    Quote Originally Posted by Eric DeSilva View Post
    As I understand it, my linked article is correct. Just because you can do a brute force attack to identify the hash of a particular password does not mean, from what I've read, that you can reverse the hashing process to recover all of the passwords from a hash file. See http://en.wikipedia.org/wiki/SHA-1, and in particular, where it states: "Constructing a password that works for a given account requires a preimage attack, as well as access to the hash of the original password, which may or may not be trivial. Reversing password encryption (e.g. to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. (However, even a secure password hash can't prevent brute-force attacks on weak passwords.)"
    LOL, good point (slaps forehead). I was thinking encrypted again, not hashed.

    Although, there are broken hashes where clear text can be derived. But that was not what I was thinking when I wrote that, I was just being dumb.
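The back-and-forth in #54, #56, #58, #59 and #60 turns on three separate things: a hash is not an encryption and cannot be reversed; an unsalted hash (the LinkedIn case Eric mentions) lets the attacker hash each dictionary word once and match it against every user at the same time; and a salt stored next to the hash removes that shortcut without doing anything for a user whose password is in the dictionary. The script below is added here to show all three side by side; it is not code from any poster, from LinkedIn, or from Hold Security. The user table and the six-word dictionary are constructed sample data (a real attack dictionary has millions of entries), and the salt and iteration counts are ordinary choices, not something the thread specifies.

```python
import hashlib
import os
import secrets

# Constructed sample data. Alice uses a passphrase that is not in the
# attacker's list; Bob and Dave share a weak password.
USERS = {
    "alice": "correct horse battery staple",
    "bob":   "abc123",
    "carol": "password1",
    "dave":  "abc123",
}
DICTIONARY = ["123456", "password", "abc123", "letmein", "password1", "qwerty"]


def store_unsalted(users):
    """Unsalted SHA-1: the scheme behind the 2012 LinkedIn leak.
    Identical passwords produce identical hashes."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def store_salted(users, salt_len=16):
    """Per-user random salt, stored in the clear next to the hash.
    The salt is not a secret; its job is to make every hash unique."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        out[u] = (salt, hashlib.sha1(salt + p.encode()).hexdigest())
    return out


def store_pbkdf2(users, iterations=600_000):
    """Salted AND deliberately slow (PBKDF2-HMAC-SHA256). Each guess now
    costs the attacker `iterations` hash operations instead of one."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, iterations,
                  hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def verify_pbkdf2(record, attempt):
    """Login check: recompute and compare in constant time. Nothing here
    recovers the password; hashing is one-way."""
    salt, iterations, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, iterations)
    return secrets.compare_digest(cand, dk)


def crack_unsalted(store, dictionary):
    """len(dictionary) hashes total: build a lookup table once, then join
    it against every stolen hash. A precomputed table works the same way."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in dictionary}
    return {u: table[h] for u, h in store.items() if h in table}


def crack_salted(store, dictionary):
    """len(users) * len(dictionary) hashes: the salt makes every user a
    separate job and kills precomputed tables, but a password that is in
    the dictionary still falls."""
    found = {}
    for u, (salt, h) in store.items():
        for w in dictionary:
            if hashlib.sha1(salt + w.encode()).hexdigest() == h:
                found[u] = w
                break
    return found


def hash_work(n_users, n_words, salted):
    """Hash evaluations an attacker needs to test the whole dictionary."""
    return n_users * n_words if salted else n_words


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("bob and dave share a hash:", unsalted["bob"] == unsalted["dave"])
    print("cracked (unsalted):", crack_unsalted(unsalted, DICTIONARY))
    salted = store_salted(USERS)
    print("cracked (salted):  ", crack_salted(salted, DICTIONARY))
    print("work, unsalted vs salted:",
          hash_work(len(USERS), len(DICTIONARY), False),
          hash_work(len(USERS), len(DICTIONARY), True))
    slow = store_pbkdf2(USERS)
    print("bob logs in:", verify_pbkdf2(slow["bob"], "abc123"),
          "| wrong password:", verify_pbkdf2(slow["bob"], "abc124"))
```

Run it and the output makes the thread's points concrete: the same three weak accounts fall in both the salted and unsalted stores, cracking Bob's "abc123" says nothing about Alice's passphrase, and the only thing the salt changed is that the attacker had to do the work per user. Moving to PBKDF2 (or bcrypt/scrypt/Argon2) multiplies that per-user cost by the iteration count, which is what actually buys time for the weak passwords.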
