Kill the Password: Why a String of Characters Can’t Protect Us Anymore

Discussion in 'other security issues & news' started by ronjor, Nov 17, 2012.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,027
    Location:
    Texas
    http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    He says he used a 7 character password. Assuming upper case, lower case, and numbers it would take much less than a day to hack that password offline. Even with a symbol it wouldn't take much longer.

    I think what the focus here should be is that every system has a weakest link, and when we integrate all of our accounts online any single weak password degrades the security of all accounts.

    LastPass makes things easy. Always use a 12 character password, random if you like, and make it different for each account. Always use password padding to artificially beef up your passwords (take ExAmPlEPaSwOrd and add <<< and >>> to each end).

    On top of that, don't use a recovery question. Recovery questions typically ask you about something that's public knowledge, or easily could be with very little research.

    I think the article misses the point. He first talks about compromising a system by using a recovery question. Next thing he states is that the weak link is the password - well, no, he just said he got in through a recovery question.

    The password is only a weak link if you allow it to be. Websites should start enforcing 10 character passwords by default. Websites should use HTTPS and HSTS only. Password policies, lack of HTTPS/HSTS, and still using recovery questions - those are the issues, not passwords, which aren't 'outdated' they're time tested.

    At no point here is there an inherent issue with passwords. All of this can be solved by:
    1) Salting passwords (not even necessary if you enforce a password length of 12 or more)
    2) Enforcing length of 12 character, even if they're all lower case bruteforcing becomes difficult.

    Except for the keylogger, which, again, isn't a password issue. It's an anything issue - you're infected...

    He doesn't bring up MITM but, again, HTTPS and HSTS.

    Chrome is implementing something like LastPass, for autofilling passwords and generating new ones. I'd like to see this happen in Firefox, IE, and Opera - since websites aren't restricting what passwords we can use it's up to the browser to implement password safety.

    Length, salt, and secure transport. Those solve basically every password related issue we've seen (except keyloggers, which, again, I don't see as a password issue).

    Anyways super long article so I didn't finish it, just got halfway. Time for dinner.
     
  3. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I don't understand the hate towards passwords either really, while I do understand the hate towards Captcha and dumb moves like answering default recovery questions. There is nothing wrong with passwords, the problem lies with those who create them and store them. Add a decently long combination like 10-12, use a mix of upper and lowercase letters, numbers, symbols and often forgotten alt codes to make accented letters, and you're safe from anybody but the NSA/CIA. Typical hackers just aren't going to put that much time into something unless it is a huge payday or they're government funded and after state secrets.
     
  4. jna99

    jna99 Registered Member

    Joined:
    Apr 18, 2012
    Posts:
    94
    Location:
    127.0.0.1, Netherlands
    From another point of view, namely mine is that the opposite can happen as well ! What I mean by opposite is having an password that is so complex you cannot possible recover it unless you are very certain you have backed it up somewhere.

    I had a account secured with a very large password with symbols, uppercase, lowercase, numbers, etcetera. Somehow I couldn't get into windows and worst the password I stored within a container of a password program got corrupted beyond repair!

    My password was so strong it was impossible for me to guess it or remember it. Luckily I didn't need the account because I really didn't have a use for it yet. Upside of this is, nobody can get in.

    I have to admit that this happened because I didn't take it all too serious. I could have prevented this by backing up the password container to various mediums (usb, separate hdd, dvd, cd, etcetera).
    Anyway, goes to show that some preperation and afterthought is still advisable when you use password storage programs.

    Either you are haunted by passwords that are too easy to guess to be used, or you have incredible complex passwords that need extra attention in storing or backing up. :D
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.