The Virtues and Vicissitudes of Passwords

[anorlunda]

Can you point me to this? It sounds like a pretty egregious HIPAA violation.

It happened in the 80s, so no link, and it predates HIPAA. But HIPAA, applies only to health care providers. Non providers who come into possession of confidential information by any means are not restricted by HIPAA. If the NY Times gets protected info, Congress shall pass no law prohibiting them from publishing it.

https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent.

Life insurance companies ask you to sign a waiver giving them access to your medical records. But HIPAA can't restrict what they do with the information thereafter because they are not covered entities.

 

[jack action]

You can make good passwords that you can remember but don't rely on a pattern, e.g., five or six random words generated by Diceware.

The keyword in your statement is "random". This means you take whatever the Diceware gives you on your first attempt.

The mistake to avoid is not to be tempted to generate another password until you find one set of words you find easier to remember. In such a case - even though all passwords were randomly generated - the selected one does follow some rules you made up to easily remember it.

 

[Vanadium 50]

This is a classic case of trying to improve an already very-secure part of the system.

 

[Vanadium 50]

ind a pattern in ANY ONE of these and I'll give you a prize:

nS3dQu4u

Oddly, this has the same cadence as I've Got A Gal In Kalamazoo.

"Hi there Tex, how's your new ro-mance"
"N S 3, d Q u 4 u"

 

[Vanadium 50]

Many, many years ago, when IBM 3278 terminals roamed the earth...

I worked in a shop where every so often (14 days?) we were assigned new passwords. Assigned. We didn't get to pick them. Security, you see. You'd log in and it would tell you "your new password is"...sorry, it was the olden days.."YOUR NEW PASSWORD IS" and then seven random characters.

People were expected to memorize this in a few seconds, and of course each system had a different password .Security, you see.

Fortunately, we all had notepads on our desk, so we could quickly write down the new passsword before it faded from view, and conveniently, the 3278 had a little hinged cubbyhole for pens, paperclips, and little slips of paper.

Security, you see.

 

[pbuk]

No. I already accounted for that by using 4 bits per letter, and 3 after that. 33 million also excludes the ringer. There is a huge difference between "cdewq7sxz" and "maga2020!" Anyone who would use the latter is a moron.

Now you are arguing against yourself. Yes there is a huge difference between "cdewq7sxz" and "maga2020!", but there is not a huge difference between "sw234rfd" and "maga2020!", in fact "sw234rfd" appears to be associated with at least 38 password leaks!

 

[Algr]

That is not what I meant. By obeying a set of rules (for example choosing letters based on their position on a keyboard), you are excluding a lot of passwords that a hacker doesn't need to try.

Ugg! I just told you that I accounted for that. There are 16 keys that don't border any edge on the keyboard. So that is 4 bits. Then there are eight keys surrounding those 16. That is 3 bits per key. So: 7x3+4 = 25 bits. 2^25 = 33,554,432 possible passwords using the adjacent key tactic. And that ignores the salt.

But doing so - for someone who assumes you used this rule - you drop from 209 billion possibilities (= 26^8) to 207 million possibilities (= (20 X 6)^4)

Five chances out of 207 million before the account locks up? That is NOT how the hackers are getting through.

Yes there is a huge difference between "cdewq7sxz" and "maga2020!", but there is not a huge difference between "sw234rfd" and "maga2020!",

"cdewq7sxz" is my tactic with salt as I originally described.

 

[pbuk]

Five chances out of 207 million before the account locks up? That is NOT how the hackers are getting through.

No it isn't. You have repeatedly been told how the "hackers are getting through" - they are using matched lists of passwords and email accounts. To find out more about where these lists have come from see https://www.troyhunt.com/password-r...other-1-billion-records-in-have-i-been-pwned/

 

[Algr]

You have repeatedly been told how the "hackers are getting through" - they are using matched lists of passwords and email accounts.

Then why aren't you acknowledging the obvious consequence of this. Your password could be a billion digits long, but it won't make any difference if the hackers already have it.

 

[pbuk]

No, there have been very few data leaks of plain text passwords. Almost all the email/password combinations available on the dark web have been cracked by dictionary attacks on salted hashes. Choose an obvious password like the ones you suggest and you are vulnerable to a dictionary attack.

That's interesting. I've been trying to verify that, but no luck.

One source for partial verification is https://haveibeenpwned.com/PwnedWebsites.

This lists 628 data breaches, with "plain text" mentioned 87 times, "MD5" (an insecure method of password hashing) 186 times and "SHA" (a less insecure method of password hashing but still useless for insufficiently complex passwords) 66 times.

Not very scientific, but as you say we should be careful not to over-analyse data which is by its very nature intended to be shared covertly.

 

[pbuk]

Then why aren't you acknowledging the obvious consequence of this. Your password could be a billion digits long, but it won't make any difference if the hackers already have it.

Of course it wont, but if a password is insufficiently complex, is easy to guess, or was used on a service that has suffered a plain text or poorly hashed password leak such as the Adobe leak of 153 million accounts you can pretty much guarantee that the hackers already have it.

A sufficiently complex, hard to guess password, is only vulnerable if it has been leaked in plain text.

 

[Algr]

SOCIAL ENGINEERING:​

The most successful tool for hackers is not guessing passwords, but social engineering. The PEOPLE using your system are as vital a part of it as any software or hardware. The hackers know this. If your IT department doesn't understand PEOPLE, they are a bad IT department. Overloading your people with excessive burdens is just as much IT's fault as any other hardware failure:

Random passwords generated every two weeks? That is TERRIBLE security because HUMANS don't work that way. As Vanadium 50 and others have mentioned before, excessively burdensome passwords inevitably result in the above pic.

SECURITY = the DIFFERENCE between the difficulty of a legitimate user logging in, and the difficulty of a hacker logging in.​

If you bury a hard drive in cement, it isn't secure, it is useless. The hacker will probably have the best tools to get it out, while legitimate users are stuck.

This is why there are so many security failures in major corporations. IT is so busy keeping out the hackers that they make legitimate users their enemy, who have no choice but to undermine security in order to get any work done.

 

[Algr]

Of course it wont, but if a password is insufficiently complex, is easy to guess, or was used on a service that has suffered a plain text or poorly hashed password leak such as the Adobe leak of 153 million accounts you can pretty much guarantee that the hackers already have it.

A sufficiently complex, hard to guess password, is only vulnerable if it has been leaked in plain text.

Technically true, but you are WAY past the point of diminishing returns if you are saying that anything that can be memorized is a bad password. It's like mopping the deck on a sinking ship - it may superficially look like it helps, but it is completely failing to recognize what the problem really is. As I showed in the previous post, making passwords too burdensome results in LESS security, not more.

 

[pbuk]

Technically true, but you are WAY past the point of diminishing returns if you are saying that anything that can be memorized is a bad password.

I have not said that. I have said that anything that is based on a keyboard pattern is a bad password.

 

[Algr]

I have said that anything that is based on a keyboard pattern is a bad password.

And I've got 33 million passwords that say you are wrong.

 

[pbuk]

And I've got 33 million passwords that say you are wrong.

werfvcxs - pwned 67 times
234rfdsw - pwned 43 times
uiol.,mj - pwned 1 time

How many more of the 33 million would you like to try?

 

[Algr]

What does "pwned" mean? One recorded use of the password that was not guessed, but found on a leaked list? What good does that do for the hacker once they try to hack someone else? I have over 300 passwords. How many lines of gibberish can you remember?

 

[Algr]

I didn't know that "Vissitude" was a real word. I only know it from World of Darkness, where it is something not good. Even my spell check doesn't know the word.

 

[pbuk]

What does "pwned" mean?

https://haveibeenpwned.com/

One recorded use of the password that was not guessed, but found on a leaked list?

"pwned 43 times" means that the password has been found 43 times on lists of matching email addresses and passwords submitted to HIBP (link above). If you go to the HIBP site it will tell you where the data came from.

What good does that do for the hacker once they try to hack someone else?

None at all. Hackers don't need to attack everybody so they only try easy targets: those they have cracked hash passwords for. If you have an easy password then it is likely that it has been cracked, you can lessen the odds by increasing the complexity.

I have over 300 passwords. How many lines of gibberish can you remember?

I can only reliably remember 5 passwords, for which I have mnemonics. I don't need to remember any others, I use a password manager.

 

[Algr]

:: Hacks pbuk's password manager using a keystroke monitor, or similar exploit. ::

 

[Vanadium 50]

You don't really mean that, do you? Because on can use a keylogger to crack secure passwords, it's OK to use insecure ones?

Do you believe that because your front door can be dynamited open, there is no need for a lock?

 

[Algr]

It's like mopping the deck on a sinking ship - it may superficially look like it helps, but it is completely failing to recognize what the problem really is. As I showed in the previous post, making passwords too burdensome results in LESS security, not more.

If you can see the guy outside with the dynamite, choosing that moment to install a lock does seem rather silly.

 

[Algr]

If the hacker has your password, and also your account name, then it makes no difference how long or complex you password was.

If the hacker has a list of 33 million passwords and one of them happens to be yours, then how does he make use of that? What is the risk?

BTW, here is the lock on your front door. How many different keys would you say are possible based on what you see here?
I get 1024.

 

[pbuk]

If the hacker has your password, and also your account name, then it makes no difference how long or complex you password was.

Nobody is disputing that, there is no point in repeating that obvious point. And neither is anyone suggesting that you should have excessively long and complex passwords.

What everyone is saying is that you should have sufficiently complex passwords: you are suggesting that 25 bits of entropy is enough and this is not correct.

If the hacker has a list of 33 million passwords and one of them happens to be yours, then how does he make use of that?

I don't know how I can explain this so you can understand, but I will try yet again: every time there is a leak of credentials (emails linked to password hashes), he checks each password hash against each of the 33 million passwords. If one of those password hashes is yours and your email is included in the leak then he can log into your account on that server. He can also try those credentials on thousands of other servers because people who choose weak passwords are also likely to use them more than once.

 

[pbuk]

I didn't know that "Vissitude" was a real word.

It isn't. The correct spelling is vicissitude.

 

[pbuk]

BTW, here is the lock on your front door. How many different keys would you say are possible based on what you see here?

But here there are additional security factors:

• There are no lists of keys corresponding to addresses.
• In order to try a key the attacker has to come to your door.

 

[Wrichik Basu]

My father used the same password for all his accounts, including his credit card. Then there was the breach at Adobe. I told him numerous times to change all the passwords, but he insisted that no one would be able to track him. He didn't believe in password managers and used to jot down all the passwords in a .docx file.

Years later, there was a mysterious transaction on his credit card on some Chinese website. There were two transactions, one with a small amount, and then with a huge amount. Thankfully, our bank blocked the card after the small transaction, and hence the latter didn't succeed. Later, the bank also reversed the small amount. They said that the Chinese website was already in their blacklist.

Finally, he agreed to use random passwords and a password manager. I had a sigh of relief.

 

[DrJohn]

"Change your password every three/six months"
Dreadful advice, as the number of passwords to change is ridiculous and the chance of getting locked out because of a mistake is high. It leads to people just adding a number at the end and adding one to it at each change date.

A college I lecturered at gave all new students the same password - changeme! on day one. Many did update it, some forgot to and got hacked. They were also told to change it at three month intervals. And if they forgot to change it, it was automatically changed for them by the system - back to changeme! . So after termtime breaks, accounts got hacked again because students thought why change it now and not use it for a month, wait till next term starts. Eventually enough lecturers complained that automated changes back to changeme! meant students could try to hack lecturers' accounts!

 

[DrJohn]

But here there are additional security factors:

• There are no lists of keys corresponding to addresses.
• In order to try a key the attacker has to come to your door.

A well-known car manufacturer, name begins with F, during 80s and 90s, had only FOUR different car keys for a while. Thieves loved them.
At a sports event where we all knew at least half the people there, a friend got locked out of his car and was going to break the small side window with a hammer and get me to slip my skinny arm in and unlock it. I simply got out my key and said try this, if it fails, just ask friend after friend with a car by this manufacturer and you'll get in with no damage. And mine worked! Even though it was a different model and several years older than his car. Reward was a drink in the bar.

 

[Vanadium 50]

The correct spelling is vicissitude.

This is good for passwords - it's not a dictionary word!

 

[Vanadium 50]

If the hacker has a list of 33 million passwords and one of them happens to be yours, then how does he make use of that? What is the risk?

We apparently are still unclear. Maybe a specific example will help. Consider the following users:

User	Password
Alice	baseball
Betty	qwerty
Charlene	&#JpS63UDj8Zvp2n
Donna	Z6s2a*#*qKP%hQDG

Storing a file with the name and password is horribly insecure - if that file leaks or is stolen, everybody is compromised. So instead, there exists a file containing users and the output of a function that takes the password as input. The actual test is not "has the user entered the same password as in the database" but rather "has the user entered a password that produces the same output as stored in the password database when this function is applied. So what's actually stored is more like this:

User	Password Output
Alice	67863462408908
Betty	56536561877978
Charlene	11780956528780
Donna	31268681278999

Now if the password database is stolen, it is less bad. It's still very bad, but at least it doesn't expose all four passwords.

However, the thief can keep trying passwords as often as she wants as quickly as she wants. It doesn't matter if the real system locks you out after N incorrect attempts in M minutes, because the thief can wait until she has a hit before trying. All she has to do is apply the password function to every password she can think of and see if it matches one of the four numbers above when the password function is applied.

Obviously, the place to start is the list of most common passwords. This includes words like "baseball" and keyboard patterns like qwerty.

If one can test 1000 words per second (which sounds low in this age of parallel processing), the most common "acceptable" password form - a six-letter word with the first letter capitalized, a number, and an exclamation point - takes on average two minutes to find by brute force. Less secure ones, like dictionary words and keyboard patterns, are just that much faster.

 

[Algr]

So hacking the server doesn't usually get you the passwords, just this "hash" that can tell you if the password is right or not. At two minutes per password, it would take 3.8 years for a hacker to break them all. Not good, but not "walk right in" either. And when used, the server would still know that the request is coming from a different machine and IP, and can react accordingly. Given how often I have servers suddenly fail to recognize passwords I have written down, I can't see the burden getting any higher without people just giving up on one account after another.

The problem I have with password managers is that I don't believe the claim that "You'll never have to type the password in yourself." What if I need to log in from a different device? It isn't humanly possible to write down Il|1¡iO0りˆ^`' on a piece of paper and then type it back correctly a year later. Even case sensitive passwords are a major issue. We are all taught to reflexively change lower case letters to upper case at the beginning of a sentence and in many other places. It is not natural for us to think of them as separate objects. This is what my analogy pic with the burning resistor is about.

https://www.wired.com/story/apple-p...4724cd-c3e2-43ed-b8f4-ec7850c212d3_popular4-1

I'm reading this now. I'm hopeful, but these are the people who said that webcam would be unhackable.

 

[PeroK]

By the way, the word in the title should be vicissitudes:

https://www.merriam-webster.com/dictionary/vicissitude

 

[DavidSnider]

So hacking the server doesn't usually get you the passwords, just this "hash" that can tell you if the password is right or not. At two minutes per password, it would take 3.8 years for a hacker to break them all. Not good, but not "walk right in" either. And when used, the server would still know that the request is coming from a different machine and IP, and can react accordingly. Given how often I have servers suddenly fail to recognize passwords I have written down, I can't see the burden getting any higher without people just giving up on one account after another.

The problem I have with password managers is that I don't believe the claim that "You'll never have to type the password in yourself." What if I need to log in from a different device? It isn't humanly possible to write down Il|1¡iO0りˆ^`' on a piece of paper and then type it back correctly a year later. Even case sensitive passwords are a major issue. We are all taught to reflexively change lower case letters to upper case at the beginning of a sentence and in many other places. It is not natural for us to think of them as separate objects. This is what my analogy pic with the burning resistor is about.

https://www.wired.com/story/apple-p...4724cd-c3e2-43ed-b8f4-ec7850c212d3_popular4-1

I'm reading this now. I'm hopeful, but these are the people who said that webcam would be unhackable.

You wouldn’t have to use Il|1¡iO0りˆ^`' you can compensate just by making your password longer. inzlsybkueuxkuxzjlwbbhbol has no special characters but more entropy.

 

[Algr]

Where did you get "inzlsybkueuxkuxzjlwbbhbol" from? All the password generators I've see are bit wize and mind foolish.