# Interesting secure password theory



## dpeters11 (May 30, 2007)

Came across this and thought it was interesting. I'm still listening to Security Now, where they discuss it.

Interesting method at least for things like wifi passwords etc. I'm considering using this method for mine, maybe my LastPass master password.

I'd especially be interested in Wilbur the Goose's thoughts on this.

https://www.grc.com/haystack.htm


----------



## matt (Jan 12, 2010)

Massive Cracking Array Scenario (assuming one hundred trillion guesses per second): 1.04 years

I'm good.


----------



## Herdfan (Mar 18, 2006)

I use fairly complex passwords, but they are based on a sentence.

For example, the sentence: I am going to Home Depot at 2, becomes the password: IagtHDa2. It just uses the first letter of each word keeping capitalization.

As long as you can remember a sentence, you can remember your password.


----------



## dpeters11 (May 30, 2007)

What irritates me is that there are sites, Capital One as an example, that instantly make that password less secure. They let you enter uppercase when you set the password, but they ignore it. Entering it in all lowercase, with Caps Lock on, or with any improper capitalization in between all lets you in.
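The arithmetic behind the haystack page, Herdfan's sentence scheme and the case-folding complaint above, as an added example (not code from grc.com or from any poster in the thread). It builds IagtHDa2 from its sentence, sizes the alphabet the way the haystack page does (26 lowercase, 26 uppercase, 10 digits, 33 symbols), sums every length up to the password's own, and divides by the three guess rates the haystack page assumes (1,000/s online, 1e11/s offline, 1e14/s for the massive cracking array scenario matt quotes). The function names, the 365.25-day year and the 12-character comparison password are this example's own choices. The model credits the attacker with no knowledge of the password's structure; an attacker who knows the pattern searches a smaller space.

```python
"""Haystack-style search-space arithmetic (added example, not code from
grc.com or from any poster in the thread)."""
import string

# Character classes sized as on the haystack page: 26 + 26 + 10 + 33.
SYMBOLS = string.punctuation + " "   # the 33 printable ASCII non-alphanumerics
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    SYMBOLS,
)

# Guess rates per second for the three scenarios on the haystack page.
SCENARIOS = {
    "online attack (1,000 guesses/s)": 1e3,
    "offline fast attack (1e11 guesses/s)": 1e11,
    "massive cracking array (1e14 guesses/s)": 1e14,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600   # this example's convention


def sentence_to_password(sentence):
    """Herdfan's scheme: first character of every word, capitalization kept."""
    return "".join(word[0] for word in sentence.split())


def alphabet_size(password):
    """Size of the union of the character classes the password actually uses.
    The haystack model credits a whole class as soon as one member appears."""
    return sum(len(cls) for cls in CHARACTER_CLASSES
               if any(ch in cls for ch in password))


def search_space(password):
    """Count of all strings over that alphabet of length 1..len(password):
    what an exhaustive search must cover to be certain of finishing."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def seconds_to_exhaust(password, guesses_per_second):
    return search_space(password) / guesses_per_second


def years_to_exhaust(password, guesses_per_second):
    return seconds_to_exhaust(password, guesses_per_second) / SECONDS_PER_YEAR


def report(password):
    """Years to exhaust the space, one entry per haystack scenario."""
    return {name: years_to_exhaust(password, rate)
            for name, rate in SCENARIOS.items()}


if __name__ == "__main__":
    pw = sentence_to_password("I am going to Home Depot at 2")
    # A site that ignores case effectively stores the lowercased password:
    # alphabet drops from 62 to 36.  The 12-character alphanumeric string is
    # the length that lands at the 1.04-year figure quoted in the thread.
    for candidate in (pw, pw.lower(), "Aa1bcdefghij"):
        print(f"{candidate!r}: alphabet {alphabet_size(candidate)}, "
              f"search space {search_space(candidate):.3e}")
        for name, years in report(candidate).items():
            print(f"    {name}: {years:.3e} years")
```

Run as a script, it prints the three rows; the point to notice is that the eight-character sentence password exhausts in a couple of seconds under the massive-array rate, and case folding removes a further order of magnitude before the attacker has done anything.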


----------



## wilbur_the_goose (Aug 16, 2006)

First of all, the guy running www.grc.com is a god in the IT Security world. He's really great and knows his stuff.

Secondly, he's completely right - the bad guys all use algorithms today to crack passwords... By bad guys, I'm talking about organized crime rings. Obviously, passwords like "rover" (your dog's name) are by far the worst.

Two items that can help with passwords:
1. Do what www.grc.com says
2. Don't ever post anything on social media sites that you use as a password OR as the answer to a challenge question.

In other words, don't choose a challenge question like "What is the name of your high school mascot" if your high school name is in your Facebook profile. You're giving the bad guys the keys to the kingdom.

Remember - they're not after your dbstalk.com password - they're after your online banking account, your credit card account, your iTunes account, etc. THOSE are the passwords to make really strong.

Of course, even a great password won't save you if the bad guys use a back-door exploit. Ask Sony, TJ Maxx, DSW Shoes, etc. for details.
-------------------
PS - Be sure to keep your AV software up to date, get off Windows XP as soon as you can, apply all Windows/Adobe/Java/etc updates ASAP, and run the Microsoft Malicious Software Remover at least monthly.


----------



## klang (Oct 14, 2003)

Isn't a brute force password attack pretty useless for most financial institutions since 3 bad tries will lock out the account?


----------



## SayWhat? (Jun 7, 2009)

> First of all, the guy running www.grc.com is a god in the IT Security world. He's really great and knows his stuff.


I've heard both sides of that. Some think he's great, others think he's a fool. I've used several of his tools and tests before.



> In other words, don't choose a challenge question like "What is the name of your high school mascot" if your high school name is in your Facebook profile.


First, don't use FB. If you do, don't post ANY personal information.

On the challenge questions, make the answer irrelevant.

Q: What city were you born in? 
A: Yellow

Q: What's your favorite color?
A: Denver

Q: What's your favorite band?
A: F-Troop.


----------



## wilbur_the_goose (Aug 16, 2006)

I think Gibson is great because he helps increase awareness. So many laymen are 100% unaware of how to secure their electronic lives. They'll deadbolt their front door in an area with zero/low crime, but leave their PC wide open. That's where Gibson helps.

SayWhat - great idea!


----------



## scooper (Apr 22, 2002)

For what it's worth - within the last month, one other site I use got hacked and my email address and password got taken. I had to go through and change several sites and my email password to stop the phony emails from me. I do hope dbstalk and avsforum are using encrypted databases for these.


----------



## Mustang Dave (Oct 13, 2006)

Overly complex passwords do very little this day and age to prevent computer crime. Account lockouts make brute force or dictionary attacks a thing of the past.

Phishing and social engineering get a user's password straight from the owner no matter what it is. Most of the "hacking" you see in the news now is someone inside a company got duped into coughing up their password in some way and hackers used that account to get inside and steal information or other accounts.

All email must be treated with suspicion. That is the real threat.


----------



## dpeters11 (May 30, 2007)

But doesn't the safety of a lockout assume an online attack? If, for example, the hackers get the actual database, they wouldn't have to worry about it. If the hashed password is unsalted, they may have a rainbow table that can look passwords up.

I've actually thought about coming up with fake info for the challenge questions, but with my luck I wouldn't remember the answer it was looking for.

The big vulnerability of his method is that if someone sees you type it in, they may also remember it. He says he has that solved as well, but hasn't revealed it yet.
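The distinction dpeters11 draws, as an added example that is not code from the thread or from any site named in it: a lockout protects the login form, but a stolen table of hashes is attacked offline, where nothing counts guesses. The attack side uses a plain lookup table, the simplest precomputed attack (rainbow tables are a space-saving compression of the same idea), against unsalted SHA-1. The defence side uses a per-user random salt and PBKDF2-HMAC-SHA256 from the standard library as the deliberately slow hash. The word list, the "leaked" records and the iteration count are constructed for the demo.

```python
"""Unsalted fast hash vs salted slow hash against a stolen password database.
Added example; word list, leaked records and iteration count are constructed."""
import hashlib
import hmac
import os

# Constructed attacker word list; a real one has millions of entries.
WORDLIST = ["rover", "password", "123456", "letmein", "IagtHDa2", "qwerty"]
ITERATIONS = 50_000          # demo value; production settings are higher


# --- what the breached site did: sha1(password), no salt -------------------
def unsalted_hash(password):
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Computed once, offline, before any breach, and reusable against every
    site and every user whose unsalted hash of the same word is ever stolen."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(leaked_hashes, table):
    """One dictionary lookup per stolen hash; no login form, no lockout."""
    return [table.get(h) for h in leaked_hashes]


# --- the fix: per-user random salt plus a slow key-derivation function -----
def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Returns (salt, digest); a fresh 16-byte salt is drawn when none given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=ITERATIONS):
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def crack_salted(record, words, iterations=ITERATIONS):
    """No precomputed table applies: the salt forces a full KDF run for each
    (user, guess) pair, and the work done on one user helps with no other."""
    salt, digest = record
    for w in words:
        if verify_salted(w, salt, digest, iterations):
            return w
    return None


def demo():
    # Two users with the same weak password.  Unsalted: identical hashes,
    # instant lookup for both.  Salted: different digests, one KDF run per guess.
    leaked = [unsalted_hash("rover"), unsalted_hash("rover"),
              unsalted_hash("not-in-the-list")]
    cracked = crack_unsalted(leaked, build_lookup_table(WORDLIST))
    rec_a = salted_hash("rover")
    rec_b = salted_hash("rover")
    return {
        "unsalted_cracked": cracked,                 # ['rover', 'rover', None]
        "salted_digests_equal": rec_a[1] == rec_b[1],  # False: salts differ
        "salted_cracked_a": crack_salted(rec_a, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak word is still recovered in the salted case, because the word is in the list; what the salt and the iteration count change is the cost per guess and the impossibility of sharing work across users or sites, which is exactly what a lookup table relies on.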


----------



## Mustang Dave (Oct 13, 2006)

dpeters11 said:


> But doesn't the safety of a lockout assume an online attack? If for example, the hackers get the actual database, they wouldn't have to worry about it. If the hashed password is unsalted, they may have a rainbow table that can look passwords up.
> 
> I've actually thought about coming up with fake info for the challenge questions, but with my luck I wouldn't remember the answer it was looking for.
> 
> The big vulnerability of his method is that if someone sees you type it in, they may also remember it. He says he has that solved as well, but hasn't revealed it yet.


Account lockouts are capable of being implemented on external and internal systems, so no assumption of only an online attack, as you call it, is being made.

If hackers got access to a database without compromising an account first then that IT Department has bigger problems.

The point I was making is high profile companies with the highest degree of network security are being compromised by their own employees' lack of diligence.


----------



## SayWhat? (Jun 7, 2009)

From what I've read, the Sony thing was a hack, while the Gmail thing was a phishing campaign.

If you're gullible enough to fall for a phishing email, I'm not sure how you can be protected from yourself.


----------



## dpeters11 (May 30, 2007)

"Mustang Dave" said:


> The point I was making is high profile companies with the highest degree of network security are being compromised by their own employees' lack of diligence.


That certainly was the case at RSA, an employee opening an attachment that used a 0-day Flash vulnerability.

As for phishing and spear phishing, those are becoming more sophisticated and believable.


----------



## SayWhat? (Jun 7, 2009)

Yeah, they are unfortunately, and the companies are partially to blame.

Used to be you could look at the underlying URL of a link and determine authenticity. Now, with more and more companies using third party email marketing services/forwarders/redirectors, you can't always do that.
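SayWhat?'s check, looking at the underlying URL, as an added example that is not code from the thread: it pulls every link out of a constructed HTML email with the standard-library HTML parser, compares the host named in the visible link text with the host the href actually points to, and reports "opaque" when the text names no host at all, which is exactly the situation a third-party mailer's tracking link creates. The HTML, the domains and the verdict labels are constructed for the demo.

```python
"""Compare the host a link's visible text names with the host its href goes to.
Added example; the HTML fragment and the domains are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed email body: one honest link, one tracking redirect with a bank
# URL as its text, one look-alike subdomain, one button-style tracking link.
SAMPLE_EMAIL_HTML = """
<p>Your statement is ready.</p>
<a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>
<a href="https://click.mailer-service.example/t?u=8821">https://www.example-bank.com/account</a>
<a href="https://www.example-bank.com.evil.example/login">www.example-bank.com</a>
<a href="https://click.mailer-service.example/t?u=9001">View your statement</a>
"""

# Visible text that looks like a URL or bare hostname (optional scheme/path).
HOST_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; bare 'www.host/path' text gets a scheme first."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def same_site(href_host, shown_host):
    """True only if the href host is the shown host or a subdomain of it.
    'www.example-bank.com.evil.example' is neither, so it fails."""
    return href_host == shown_host or href_host.endswith("." + shown_host)


def classify_links(html):
    """Return (href, text, verdict) per link: 'match', 'mismatch', or 'opaque'
    when the visible text names no host (tracking links, button text)."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        if not HOST_LIKE.fullmatch(text):
            verdict = "opaque"
        elif same_site(host_of(href), host_of(text)):
            verdict = "match"
        else:
            verdict = "mismatch"
        results.append((href, text, verdict))
    return results


if __name__ == "__main__":
    for href, text, verdict in classify_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:8}  {text!r:45} -> {href}")
```

The two "mismatch" rows are the cases the old advice catches; the "opaque" row is the one SayWhat? describes, where the text gives nothing to compare against and only the destination behind the redirect would settle it.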


----------



## Stewart Vernon (Jan 7, 2005)

A couple of things in play here, when you get right down to it...

First... IF you have to tell someone not to do something stupid, then they are probably going to do something stupid anyway. Like the person who sticks their tongue on a cold metal pole on a cold day and gets stuck... telling them NOT to do that serves no purpose if at any time they think "hey, let me try that"...

Second... people are people, and no matter how secure you think something is... someone, somewhere will be trying to get into it... and eventually will.

You can lock your door... you can deadbolt your door... you can bar the windows... dig a moat... put sharks in the moat... install an alarm... hire guards... but there's still a way in.

It might be possible to lock everyone out of some specific thing... but that would mean locking yourself out too... and completely defeat the purpose of protecting it from others.


----------



## billsharpe (Jan 25, 2007)

SayWhat? said:


> Q: What's your favorite band?
> A: F-Troop.


My favorite band is Benny Goodman. Nobody except some of my old friends who don't even have computers would think of him.

Of course I've never been asked to use that as a secret question, so it shouldn't matter that I am broadcasting that info.


----------



## wilbur_the_goose (Aug 16, 2006)

If you're not in the biz and want to see an example of a REAL threat - do a Google on "zeus botnet".

Another scary trend is keylogging malware.

Best of all, subscribe to "Krebs on Security" - http://krebsonsecurity.com/


----------

