
UnrepentantLiberal

(11,700 posts)
Wed Nov 21, 2012, 08:56 PM Nov 2012

Kill the Password: Why a String of Characters Can’t Protect Us Anymore

By Mat Honan
Wired
Nov 15, 2012

-snip-

Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.

The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.

More: http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/

34 replies
Kill the Password: Why a String of Characters Can’t Protect Us Anymore (Original Post) UnrepentantLiberal Nov 2012 OP
k&r! nt wildbilln864 Nov 2012 #1
If you're goofy enough to use AOHell customerserviceguy Nov 2012 #2
I trust my Gmail account Canuckistanian Nov 2012 #9
The GMAIL password is in clear text format for the Tech Support and AdWord folks to see. n/t TheBlackAdder Nov 2012 #12
Really? wtmusic Nov 2012 #27
Read the entire link, plz 3c273a Nov 2012 #3
A chunk of my own security is about screwing up the password reset questions Posteritatis Nov 2012 #4
The set-your-own-question password seems pretty solid. XemaSab Nov 2012 #10
Enter two-factor authentication. n/t ProfessionalLeftist Nov 2012 #5
And text messaging makes our phones the second factor. gtar100 Nov 2012 #30
LavaBit email doesn't provide a "Forgot your password?" option Shankapotomus Nov 2012 #6
i get his point behindthe8ballnchain Nov 2012 #7
wow..that is scary AsahinaKimi Nov 2012 #8
Ech. Misrepresentative title. wtmusic Nov 2012 #11
Mine has 11 characters. UnrepentantLiberal Nov 2012 #13
Does password complexity really matter? Jim Lane Nov 2012 #14
There are devices and computer programs that do that much quicker. UnrepentantLiberal Nov 2012 #21
Probably not. wtmusic Nov 2012 #26
I use an 18 character passphrase RomneyLies Nov 2012 #19
As long as your dog's name wasn't Max, you're probably ok nt wtmusic Nov 2012 #23
I use numerous email accounts with multiple providers. Edweird Nov 2012 #15
Both my banks and my email require that I NYC Liberal Nov 2012 #16
all someone has to do is access the email servers to read your email hobbit709 Nov 2012 #17
I am not sure passwords are going to become extinct MyNameGoesHere Nov 2012 #18
I actually wish there was a replacement for passwords. Tracer Nov 2012 #20
I keep a password safe application on my smartphone for that purpose. backscatter712 Nov 2012 #25
The myth of the secured, networked computer. There has never been such a thing, Egalitarian Thug Nov 2012 #22
I've got so much stuff on Google that I took the precaution of activating 2 factor authentication. backscatter712 Nov 2012 #24
The same can be said for your home. Passwords are just locks on doors. gtar100 Nov 2012 #28
the main point seems to be that passwords ARE good protection, just don't have a silly one unblock Nov 2012 #29
Dumb dumb. Can't find me on google and certainly can't find the SWTORFanatic Nov 2012 #31
Great article, I learned a lot, thanks for posting! mrsadm Nov 2012 #32
Glad the article was helpful. UnrepentantLiberal Nov 2012 #34
Meh... I use my BofA ATM PIN as my password for every online account. n/t cherokeeprogressive Nov 2012 #33

customerserviceguy

(25,183 posts)
2. If you're goofy enough to use AOHell
Wed Nov 21, 2012, 09:45 PM
Nov 2012

then maybe you deserve this.

I don't think Gmail or even Yahoo passwords are as easy to get as this article maintains. Also, complicated passwords with both upper and lower case, a number or two, and a special character are really tough to crack. Not impossible, but for a thief, it's easier to move on to less-protected targets. You don't have to be impervious, you just have to be not worth the effort, and you can control the effort.

Canuckistanian

(42,290 posts)
9. I trust my Gmail account
Thu Nov 22, 2012, 12:59 AM
Nov 2012

With the two-step verification. Practically impossible to hack into unless you also have my SIM card number from my phone.

wtmusic

(39,166 posts)
27. Really?
Thu Nov 22, 2012, 12:35 PM
Nov 2012

I'd be amazed that there isn't a liability issue there.

Usually they store just the last four digits in plaintext for verification purposes.

Posteritatis

(18,807 posts)
4. A chunk of my own security is about screwing up the password reset questions
Wed Nov 21, 2012, 10:20 PM
Nov 2012

If I get to pick the questions I can be pretty creative with the challenge and response; if I can't (and the password in question is important), then the answers are outright lies. A properly robust password, some care taken on those, and enough awareness not to blunder into phishing sites and the like is good enough for just about anything, even if a really truly concerted effort against you in particular still has a chance of getting through.

(Also: password reuse is, of course, evil, and something I only use on don't-care-if-it's-compromised accounts.)

XemaSab

(60,212 posts)
10. The set-your-own-question password seems pretty solid.
Thu Nov 22, 2012, 01:04 AM
Nov 2012

I hate the passwords that require upper case and lower case and special characters because I always have to write them down, and that's NOT SECURE.

gtar100

(4,192 posts)
30. And text messaging makes our phones the second factor.
Thu Nov 22, 2012, 01:14 PM
Nov 2012

I like those systems that send a pass code by text as an additional layer of security. Certainly a lot more convenient (and cheaper) than personally getting an RSA keyfob.

Shankapotomus

(4,840 posts)
6. LavaBit email doesn't provide a "Forgot your password?" option
Wed Nov 21, 2012, 10:27 PM
Nov 2012

You MUST remember your password or there is no accessing your account.

http://lavabit.com/

behindthe8ballnchain

7. i get his point
Wed Nov 21, 2012, 11:17 PM
Nov 2012

but it's a bit like saying we're going to stop putting locks on doors because there are people who are good at picking locks.

wtmusic

(39,166 posts)
11. Ech. Misrepresentative title.
Thu Nov 22, 2012, 01:15 AM
Nov 2012

The article tells us what we (most of us) already know - that bad passwords can be cracked, that you shouldn't use the same password, that you shouldn't keep it on a Post-It Note stuck to your monitor.

With a pseudo-random password of uppercase/lowercase alpha and digits, an 8 character password has 62^8 possible combinations - in decimal terms, 2,183,401,100,000,000,000,000. Just over 2 sextillion. If someone guessed a new password every second, they'd have to guess for 7 million years to be certain of getting into my measly checking account.

The age of the password has come to an end? Nonsense. There is no individual in the world dedicated and devious enough to crack that password.

 

UnrepentantLiberal

(11,700 posts)
13. Mine has 11 characters.
Thu Nov 22, 2012, 05:48 AM
Nov 2012

Upper case, lower case, numbers and symbol. And they're all random. I just remember what the password is.

 

Jim Lane

(11,175 posts)
14. Does password complexity really matter?
Thu Nov 22, 2012, 07:40 AM
Nov 2012

With an 8-character password, if I use no numerals, no symbols, and no lower-case letters, there are many fewer combinations (only 26^8, or about 200 billion). Nevertheless, in your example of someone guessing one per second, it would still take (by my math) more than 6,000 years to cover all of them. Granted, 7 million years is in some respects more secure, but is there any practical difference?

 

UnrepentantLiberal

(11,700 posts)
21. There are devices and computer programs that do that much quicker.
Thu Nov 22, 2012, 09:53 AM
Nov 2012

That's why the upper case, lower case and numbers.

wtmusic

(39,166 posts)
26. Probably not.
Thu Nov 22, 2012, 12:24 PM
Nov 2012

As UnrepentantLiberal notes, there are programs that can guess, in theory, millions in a few seconds.

In practice, it's much longer. Passwords are nowadays stored on a server in one-way encrypted form (hash). When you enter your password, the server uses the same encryption algorithm on your entry and compares it to the encrypted form on the server. There is no way to decode it, which is why you can't retrieve your passwords any more - they need to be reset.

Any secure website will disable an account after x number of tries (usually under ten), and a round trip HTTP authentication takes at least a second. So you might be able to guess ten passwords in ten seconds, but then you would have to re-enable the account. Practically speaking, a five-character pseudo-random password with upper/lower alpha and numerals is sufficient protection against brute force attacks for anything except your investment/banking accounts.

By a factor of thousands (millions?) the biggest risk you face is by not keeping your password secret.

The next biggest risk is by using a simple password. I always discounted the ability of hackers to guess simple passwords until I had a client's website hacked through (what we found out later to be) a guess. His password? "Butthead".


RomneyLies

(3,333 posts)
19. I use an 18 character passphrase
Thu Nov 22, 2012, 09:27 AM
Nov 2012

For security questions I always use pet names from my childhood, regardless of the question.

 

Edweird

(8,570 posts)
15. I use numerous email accounts with multiple providers.
Thu Nov 22, 2012, 07:48 AM
Nov 2012

The email address I might give you is different than the email address I gave DU. My bank/ebay/paypal and all that have unique addresses. I lie on the canned security questions. I lie about my real name when I sign up for the email accounts. In other words, knowing my real name and my mother's maiden name is worthless. I'm certainly not bulletproof, but I'm not low hanging fruit.

NYC Liberal

(20,134 posts)
16. Both my banks and my email require that I
Thu Nov 22, 2012, 08:27 AM
Nov 2012

confirm password changes with a confirmation code sent to my phone via SMS.

My "forgot password" answer is a scrambled combination of my phone number and 3 digits from my social.

hobbit709

(41,694 posts)
17. all someone has to do is access the email servers to read your email
Thu Nov 22, 2012, 08:31 AM
Nov 2012

Which is what governments do. I automatically assume someone out there is reading my email.
As far as security questions go, use an answer that only you know is wrong for the question. The more off the wall the better.
I never use my real name as my account ID on anything: not my bank, not my credit cards, nothing.
I have about 8 different email boxes on 3 different servers, each dedicated to a specific purpose. This helps to identify any phishing emails quickly.
Anything really important is on an encrypted flash drive that I don't leave plugged in to the computer.
Anything extremely important is kept in the safest location of all: inside my skull.

 

MyNameGoesHere

(7,638 posts)
18. I am not sure passwords are going to become extinct
Thu Nov 22, 2012, 08:37 AM
Nov 2012

but the way we generate them is. I currently have to memorize a 30 character non-recurring password to access my other 25 character passwords for service accounts etc. I am trying new ways of generating and memorizing passwords without allowing the human factor to be compromised. Things like this give me a little hope that other people are working on it and not throwing their hands in the air and proclaiming the end of passwords.

http://www.extremetech.com/extreme/133067-unbreakable-crypto-store-a-30-character-password-in-your-brains-subconscious-memory

Tracer

(2,769 posts)
20. I actually wish there was a replacement for passwords.
Thu Nov 22, 2012, 09:40 AM
Nov 2012

I can't be the only person who has a small notebook with lists of different passwords.

Why different?

Because when I attempt a previously used password, I get told that it is "unavailable".

backscatter712

(26,355 posts)
25. I keep a password safe application on my smartphone for that purpose.
Thu Nov 22, 2012, 12:13 PM
Nov 2012

The password safe is itself password protected so people can't steal my passwords.

 

Egalitarian Thug

(12,448 posts)
22. The myth of the secured, networked computer. There has never been such a thing,
Thu Nov 22, 2012, 09:56 AM
Nov 2012

and everybody that understands how these miracles of human communication work, knows it.

But, they couldn't very well sell you hundreds of billions of dollars of crap, nor rid themselves of millions of workers, if they informed you of that fact, now could they? The internet, not just the www., was specifically designed to be open so that all of this connectivity could happen, but that also makes it inherently insecure. Believe it or not, there were a bunch of us talking about this when they first started convincing you all to put your lives on line.

backscatter712

(26,355 posts)
24. I've got so much stuff on Google that I took the precaution of activating 2 factor authentication.
Thu Nov 22, 2012, 12:12 PM
Nov 2012

If I log into my Google account from a strange computer, Google will text my phone with a 6 digit code, and I'll need to enter that code to log in.

gtar100

(4,192 posts)
28. The same can be said for your home. Passwords are just locks on doors.
Thu Nov 22, 2012, 01:03 PM
Nov 2012

Until a better system or method can be implemented with the same level of convenience as usernames and passwords, we are stuck with them. In the meantime, we use them to stop most crimes of opportunity. But our sense of security that allows us to function normally in this world still requires us to trust each other to a certain degree. Your only other option is to give in to fear and paranoia.

unblock

(52,075 posts)
29. the main point seems to be that passwords ARE good protection, just don't have a silly one
Thu Nov 22, 2012, 01:05 PM
Nov 2012

it's the ways to BYPASS the password that seems to be the main problem.

especially when the standard security questions are easily hacked.

if they want to make it easy to bypass a password, at least they should have questions whose answers can't be easily hacked.

name of first pet, or restaurant where you met your spouse, e.g., aren't likely to be easily googled, although even for those a few standard guesses would have a good hit rate.

SWTORFanatic

(385 posts)
31. Dumb dumb. Can't find me on google and certainly can't find the
Thu Nov 22, 2012, 01:22 PM
Nov 2012

city I was born in (double layer of security because I use the hospital I was born in, not the town my parents were living in)

mrsadm

(1,198 posts)
32. Great article, I learned a lot, thanks for posting!
Thu Nov 22, 2012, 01:39 PM
Nov 2012

Time to go do some more work on my passwords and security questions!!!!!
