Passwords

Ed B.
Posts: 45
Joined: Wed Sep 24, 2003 1:01 am


Post by Ed B. » Tue Jul 10, 2007 7:48 pm

Ladies and Gentlemen,

I thought that I read somewhere that using a word from the English language as a password - that a hacker could 'break the code' in a matter of minutes.

How about using a word from our language but spell it backwards and alternate lower case and caps ??

Such as: "TfArCrIa" or "ElBiDuA"

Wadya think ?

Ed B.

haklesup
Posts: 2978
Joined: Thu Aug 01, 2002 1:01 am
Location: San Jose CA

Post by haklesup » Tue Jul 10, 2007 9:20 pm

Ed B. wrote: that a hacker could 'break the code' in a matter of minutes.
Only in an interface that allows tens of thousands of attempts per minute without a timeout or lockout. I'm not sure how many times the Windows login will let you try (and then how would you run a cracker if you can't run the GUI?), but any website with a secure server wouldn't give you that many tries.

Such a feat might be possible on password-protected files from the GUI application that uses them, though. A protected Word or ZIP file, for example.

Sure, your password-scrambling technique would make it more secure; adding a special character and/or a number will top it off. Acronyms of your favorite sayings or quotes are a good method too.

It will be nice in the future when reliable biometric scanners become common and we don't have to remember our passwords anymore.

I've not read it anywhere, but I believe that by now every word and many common phrases in the English language have a website.
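The timeout-or-lockout point above is what separates an online guessing attack from an offline one. The following is an added example, not code from the thread, of a per-account lockout placed in front of a login check, with a fake clock so the lockout window can be exercised without waiting. The credential store, the policy numbers (5 failures, 15-minute lock) and the guess list are constructed for the demonstration.

```python
"""Per-account lockout in front of an online login check.

Added example, not code from the thread. The credential store, the
policy numbers and the guess list are constructed for the demo; a
real deployment would persist the counters server-side and log the
lockouts.
"""
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5             # failures allowed before the account locks
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts

# Constructed credential store (plaintext only to keep the demo short;
# a real store holds salted, slow hashes, never the password itself).
USERS = {"ed": "TfArCrIa"}


def check_credential(user, password):
    """Constant-time comparison so the check itself leaks nothing."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


class LoginGuard:
    """Wraps a verifier and refuses to evaluate guesses once an account
    has hit MAX_FAILURES; 'locked' is returned even for a correct password."""

    def __init__(self, verify, clock=time.monotonic):
        self._verify = verify
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, user, password):
        now = self._clock()
        if now < self._locked_until.get(user, 0.0):
            return "locked"            # refused without evaluating the guess
        if self._verify(user, password):
            self._failures.pop(user, None)
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            # This failure trips the lock; later attempts are refused.
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures.pop(user, None)
        return "bad_password"


class FakeClock:
    """Controllable clock so the lockout window can be tested without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_guess_list(guard, user, guesses):
    """Feed an online guessing loop through the guard and report how many
    guesses were actually evaluated before the lock stopped it."""
    evaluated = 0
    for guess in guesses:
        result = guard.attempt(user, guess)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            return {"cracked": True, "evaluated": evaluated}
    return {"cracked": False, "evaluated": evaluated}


def make_guard():
    """Guard wired to the constructed store and a fake clock."""
    clock = FakeClock()
    return LoginGuard(check_credential, clock), clock


if __name__ == "__main__":
    guard, clock = make_guard()
    # Constructed guess list: wrong guesses followed by the right one.
    guesses = ["spring", "summer", "autumn", "winter", "password", "aircraft", "TfArCrIa"]
    print(run_guess_list(guard, "ed", guesses))   # lock trips after 5 evaluated guesses
    clock.advance(LOCKOUT_SECONDS + 1)
    print(guard.attempt("ed", "TfArCrIa"))        # ok once the window expires
```

Two caveats a practitioner would add: a per-account lock lets an attacker deliberately lock other people out by spamming wrong guesses at their usernames, so real deployments usually combine it with per-source throttling and a short, escalating lock rather than a fixed long one; and it does nothing against offline cracking of a copied hash database, which is the case the later posts in this thread describe.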

jwax
Posts: 2162
Joined: Mon Feb 09, 2004 1:01 am
Location: NY

Post by jwax » Wed Jul 11, 2007 4:06 am

I still like the guy who posted ^#23Hf0! labeled, "PASSWORD" on his monitor. The IT guy freaked, and the wise operator said, yes it's the screwball, impossible-to-remember password you assigned me, but I changed one (or two) feature(s) of it. Go ahead and guess. :grin:

philba
Posts: 2050
Joined: Tue Nov 30, 2004 1:01 am
Location: Seattle

Post by philba » Wed Jul 11, 2007 12:57 pm

Simply put, never use an easy password. A dictionary attack is way too easy. A brute force attack isn't that hard either. For financial data or other personal information, don't assume that it's too much trouble for the bad guys to crack. I recommend at least 8 characters with upper and lower case letters and numbers. This isn't as hard to remember as you think. Pick a phrase or collection of words that you can remember. Pull the first couple of letters from each word and add the month number at the end (or any other digits you want). For example, "I love my wife", in July: Ilomywi07. No one will guess that, and you can change it in September to Ilomywi09.

Dean Huster
Posts: 1263
Joined: Wed Dec 05, 2001 1:01 am
Location: Harviell, MO (Poplar Bluff area)

Post by Dean Huster » Fri Jul 13, 2007 5:36 am

And then there's passwords having characters like the one below:

Dean_Huster

Which is not Dean Huster or Dean_Huster.

Using the IBM extended character set (ALT+####7 on the numeric keypad) can add a lot of exciting flavors to passwords. Memorizing them can be not too bad if you substitute them for similarly-shaped traditional letters. Also swapping d for b, p for q, 5 for S, 1 for I and other tricks can keep the password more difficult yet memorable.

Dean
Dean Huster, Electronics Curmudgeon
Contributing Editor emeritus, "Q & A", of the former "Poptronics" magazine (formerly "Popular Electronics" and "Electronics Now" magazines).

R.I.P.

dacflyer
Posts: 4472
Joined: Fri Feb 08, 2002 1:01 am
Location: USA / North Carolina / Fayetteville

Post by dacflyer » Fri Jul 13, 2007 9:01 am

Foreign words also work well. It took I.T. here 3 days to crack mine. Hmmm

jollyrgr
Posts: 1289
Joined: Thu Jan 03, 2002 1:01 am
Location: Northern Illinois

Re: Passwords

Post by jollyrgr » Fri Jul 13, 2007 5:07 pm

Ed B. wrote: I thought that I read somewhere that using a word from the English language as a password - that a hacker could 'break the code' in a matter of minutes.

How about using a word from our language but spell it backwards and alternate lower case and caps ??

Such as: "TfArCrIa" or ""ElBiDuA"

Wadya think ?

Ed B.
This is called a dictionary attack and can be carried out in a few minutes. True, logging into a workstation, server, or other secure system will lock out the attempts. But if you copy the user database off and get the encrypted version of the password, all you need to do is run all the possible combinations through the same scheme and compare.

So what you do ahead of time is take the Windows encryption software and a list of dictionary words. Encrypt all of those words and put them in a table with their unencrypted version. Now compare the cached password on the computer to the list until you find the match, and do a reverse lookup. But using multiple words together causes problems. To encrypt EVERY SINGLE POSSIBILITY of letters, cases, special characters, etc. would take more drive space than is available to most crackers.

That is the rub: special characters. Most people do not use them. To create a password table containing every possible combination of alphanumeric characters takes about 1.5GB of data. In fact the table can fit on two CD-ROMs. This will allow a cracker to break a password in under 15 seconds. You can read about one such experiment here:

http://www.windowsitpro.com/Article/Art ... 39646.html

Depending on the engine, upper and lower case characters are different. This is the case with Windows. Novell NetWare, not so much.

I had to crack a WinZip file password for a user. It took all of a minute to brute force the three-letter password with a small program from the Internet. This got me free brownies; the user was so happy, as she was expecting hours of waiting for her file.

We used to take the entire Domain listing of our network (some 3000 users), crack their passwords, and keep a listing so we could use their account to service their e-mail and whatnot under their local profile. Due to new federal laws we don't risk knowing user accounts anymore. They must be present and log in to have their profile fixed. Cracking the entire list took a couple of days. Most were done in the first couple of hours; it was the last few that were hard. These were mostly IT staff passwords, as we knew to use strong ones. But even ours would eventually be cracked. We had one employee whose native language was not English. We never cracked any of this guy's passwords. The reason most of the passwords were so easily cracked is that a surprising number were the same. You'd have hundreds of passwords of "spring" or other seasons. Once in a great while we'd have to crack individual passwords. It took about a minute or two concentrating on the one password.

Most of the time my passwords are alphanumeric and special character. Vendors hate me for how difficult it is to type a password. But I will do things like: N^7$\/0|7$

Some of you will recognize a modified version of "L337" for "NutsVolts". While very secure, most users don't get it.
No trees were harmed in the creation of this message. But billions of electrons, photons, and electromagnetic waves were terribly inconvenienced!
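The precomputed-table attack described in the post above (hash every dictionary word once, then reverse-look-up captured hashes), as an added example that is not code from the thread. It goes a little beyond the post: the candidate list is generated with mangling rules covering the schemes proposed earlier in the thread (reversal with alternating case, look-alike substitutions such as 5 for S and 1 for I, short digit suffixes), and a `fold_case` switch imitates an engine that does not distinguish upper and lower case. Assumptions not in the original: the stored hashes are unsalted SHA-256 hex digests standing in for the Windows hash the post refers to, and the wordlist and the "copied-off" user database are constructed for the demonstration.

```python
"""Offline dictionary attack against captured unsalted hashes, using a
precomputed hash -> plaintext table and mangling rules.

Added example, not code from the thread. Assumptions not in the original:
the hashes are unsalted SHA-256 hex digests (a stand-in for the Windows
hash the post refers to), and the wordlist and the 'captured' user
database below are constructed for the demo.
"""
import hashlib

# Constructed stand-in for an English dictionary.
WORDLIST = ["spring", "summer", "autumn", "winter",
            "aircraft", "audible", "password", "nutsvolts"]

# Look-alike substitutions of the kind suggested in the thread (5 for S, 1 for I, ...).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def mangle(word):
    """Yield candidates derived from one word: the word itself, capitalised,
    reversed, reversed with alternating case, leet-substituted, and with
    short digit/symbol suffixes. A rule like 'reverse and alternate case'
    is one line for the cracker, so it adds almost nothing to the cost."""
    rev = word[::-1]
    alt = "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(rev))
    for cand in (word, word.capitalize(), rev, alt, word.translate(LEET)):
        yield cand
    for suffix in ("1", "07", "!", "123"):
        yield word + suffix
        yield word.capitalize() + suffix


def hash_pw(password, fold_case=False):
    """Unsalted hash. fold_case=True imitates a scheme that upper-cases the
    password before hashing, so 'TfArCrIa' and 'tfarcria' collide."""
    if fold_case:
        password = password.upper()
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_table(wordlist, fold_case=False):
    """Precompute hash -> plaintext for every mangled candidate. This is the
    'encrypt all of those words and put them in a table' step, done once
    before any hash is captured; with no salt, one table serves every user."""
    table = {}
    for word in wordlist:
        for cand in mangle(word):
            table.setdefault(hash_pw(cand, fold_case), cand)
    return table


def crack(captured, table):
    """Reverse lookup: user -> recovered password, or None if not in the table."""
    return {user: table.get(digest) for user, digest in captured.items()}


# Constructed plaintexts used to build the 'copied-off user database'.
SAMPLE_PASSWORDS = {
    "alice": "spring",        # a season, as in the post
    "bob": "TfArCrIa",        # Ed B.'s reversed, alternating-case word
    "carol": r"N^7$\/0|7$",   # jollyrgr's symbol-heavy password
}


def demo(fold_case=False):
    """Build the stored-hash database, the table, and run the lookup."""
    captured = {u: hash_pw(p, fold_case) for u, p in SAMPLE_PASSWORDS.items()}
    table = build_table(WORDLIST, fold_case)
    return crack(captured, table)


if __name__ == "__main__":
    print(len(build_table(WORDLIST)), "table entries")
    print(demo())                 # alice and bob recovered, carol None
    print(demo(fold_case=True))   # bob recovered as the lower-case form
```

Two things the run shows that the post only states: the table is built before any hash is seen and reused against every account, which is exactly what a per-user salt defeats (each salt forces a fresh table), and a slow, deliberately expensive hash raises the per-candidate cost further. The symbol-heavy password survives only because no rule in the list produces it; it is the absence of a matching rule, not the symbols as such, that protects it.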
