What Makes a Password Stronger


27 replies to this topic

#1 snemelk

    inżynier

  • Expert
  • 3,082 posts

Posted 27 June 2011 - 05:42 AM

What Makes a Password Stronger

Many people use just a single password across the Web. That's a bad idea, say online-security experts.

"Having the same password for everything is like having the same key for your house, your car, your gym locker, your office," says Michael Barrett, chief information-security officer for online-payments service PayPal, a unit of eBay Inc.

(...)

No matter how good a password is, it is unsafe to use just one. Mr. Barrett recommends following his lead and having strong ones for four different kinds of sites -- email, social networks, financial institutions and e-commerce sites -- and a fifth for infrequently visited or untrustworthy sites.



snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#2 cnm

    Mother Lion of SWI

  • Administrators
  • 25,281 posts

Posted 27 June 2011 - 10:40 AM

Article doesn't mention desirability of having more than 8 characters in password. Mine all have more than 12 characters. Of course it doesn't matter how long it is if it is easy to guess - but other things being equal, making the password longer makes it many times harder to decode.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#3 snemelk

    inżynier

  • Expert
  • 3,082 posts

Posted 27 June 2011 - 11:03 AM

I think it mentions it: The longer the password -- at least eight characters, experts say -- the safer it is.
I'd agree that 8 characters (letters+numbers) is the minimum...

#4 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 27 June 2011 - 12:05 PM

(letters+numbers)


Quite so. By combining/mixing the alpha-numeric characters, you can generally thwart a dictionary attack.

Are there any good PW generators/managers around now?

#5 cnm

    Mother Lion of SWI

  • Administrators
  • 25,281 posts

Posted 27 June 2011 - 12:32 PM

I use the one provided by RoboForm. http://www.roboform....sword-generator



#6 snemelk

    inżynier

  • Expert
  • 3,082 posts

Posted 27 June 2011 - 12:40 PM

Are there any good PW generators/managers around now?

I came across such a list: Password Tools, but I'm not familiar with most of the programs...
Personally, I use KeePass, some recommend LastPass or RoboForm Password Manager (as cnm mentioned)...

#7 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 03 July 2011 - 08:19 AM

Thx.

I remember RoboForm from yrs gone by. It always seemed to have a good user base with little said about mishaps.

KeePass sounds good too.

For more than a decade now, I've just used a simple text file archived and locked with WinRAR...plenty secure but not too convenient.

I think I will avoid LastPass or any other that stores PW's and your other reg info on a web server. Avoidance isn't because I think the db can't be secured. Instead, it's because I don't trust third parties with my info and I don't trust other admin to really care and not become complacent. Interesting ref; http://news.cnet.com...0061445-83.html

Thx again for the suggestions.

#8 cnm

    Mother Lion of SWI

  • Administrators
  • 25,281 posts

Posted 03 July 2011 - 09:41 AM

RoboForm offers saving passwords in a cloud but I have avoided that for the same reasons you give, mikey.

That said, I do love desktop RoboForm and was happy to upgrade to the paid version in order to be able to store more than 200 passwords. I've discovered that its tools such as password generator can be run independently outside of a browser.



#9 AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • 9,276 posts

Posted 05 July 2011 - 11:33 AM

Nothing like giving the hacks a boost. Just the sort of thing they can use, and do.

- http://www.h-online....er-1273585.html
5 July 2011 - "Version 1.7.8 of John the Ripper, a free password cracker, promises to be up to 20 per cent faster when cracking the Data Encryption Standard (DES) algorithm... In practice, this increases the speed of brute force attacks by 12 to 14 per cent..."
- http://www.openwall.com/press/20110622
June 22, 2011 - "... a password security auditing tool... providing the community with significant improvements in the performance of cracking password hashes based on the Data Encryption Standard (DES) algorithm on CPUs... provides a 17 percent improvement over the previous best results..."

Top Attacks (past 24 hours)...
MYSQL brute-force login attempts
- http://atlas.arbor.net/attacks/2001689
Microsoft Windows RPC Bind Request buffer overflow attempt
- http://atlas.arbor.net/attacks/9601

:( :!:

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#10 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 05 July 2011 - 01:27 PM

brute-force login attempts


We use various IPSwares, honeypots, BLs, etc., etc., etc. and still the logs are full of attempts.

#11 cnm

    Mother Lion of SWI

  • Administrators
  • 25,281 posts

Posted 05 July 2011 - 01:40 PM

No way to stop attempts, but we make them very unlikely to succeed by limiting the rate via iptables.



#12 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 05 July 2011 - 01:51 PM

No way to stop attempts, but we make them very unlikely to succeed by limiting the rate via iptables.

Using APF/BFD?

Edited by mikey, 05 July 2011 - 01:54 PM.


#13 cnm

    Mother Lion of SWI

  • Administrators
  • 25,281 posts

Posted 05 July 2011 - 02:00 PM

IPB limits number of failed attempts to login to forum.

And on the server, a simple trap in iptables limits new SSH.

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j AUTOBAN
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j AUTOBAN
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j AUTOBAN
....
-A AUTOBAN -m recent --set --name SSH --rsource
-A AUTOBAN -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A AUTOBAN -m recent --set --name SSH --rsource
-A AUTOBAN -m recent --set --name SSH --rsource



#14 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 05 July 2011 - 02:14 PM

EDIT: Disregard. I read every word wrong.

Edited by mikey, 05 July 2011 - 02:29 PM.


#15 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 05 July 2011 - 03:07 PM

Let's try again. :)

-A AUTOBAN -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP


That looks much faster than using a script to monitor. Is it as effective?

Even blocking the source IPs temp like that, the sheer # of sources is staggering and still filling the logs. I think that the staggering # is what AplusWebMaster was trying to point out.

Edited by mikey, 05 July 2011 - 03:10 PM.


#16 cnm

    Mother Lion of SWI

  • Administrators
  • 25,281 posts

Posted 05 July 2011 - 03:21 PM

The logs rotate and do not grow without limit. But I find that when a particular IP gets dropped for doing more than 4 in 60 seconds, they generally give up. A few will wait a few minutes and then send four more attempts, but the most I ever saw one do in one day was 24. When I see a very persistent IP I just unconditionally drop it in iptables. This is faster than blocking with .htaccess because the connection doesn't get as far - the iptables firewall is the first thing it hits. And yes, I think processing in the firewall is going to be much faster than running a script.

http://wiki.centos.o...etwork/IPTables

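The rate trap cnm describes, simulated as an added Python example (this is not code from the thread, and it is a model of the netfilter recent module rather than the kernel's own code): it replays the two SSH_BAN rules over a constructed sequence of NEW SSH connection attempts and shows the fourth attempt within 60 seconds being dropped, the drop persisting while the source keeps hammering, and the window clearing once the source backs off for longer than 60 seconds.

```python
# Added example (not from the thread or netfilter): a simulation of the
# iptables 'recent' rate trap quoted above,
#   -A SSH_BAN -m recent --set --name SSH
#   -A SSH_BAN -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# applied to a constructed list of NEW SSH connection attempts.
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4
LIST_TOT = 20         # kernel default ip_pkt_list_tot: timestamps kept per source


class RecentTable:
    """In-memory stand-in for one named 'recent' list (here: SSH)."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT, keep=LIST_TOT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=keep))

    def set(self, src, now):
        # --set: add the source (or refresh it) and record this packet's time.
        # It always matches; with no -j the packet goes on to the next rule.
        self.stamps[src].append(now)

    def update(self, src, now):
        # --update --seconds S --hitcount H: match only if the source is listed
        # and at least H of its recorded hits fall within the last S seconds.
        if src not in self.stamps:
            return False
        recent_hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        return recent_hits >= self.hitcount


def filter_new_connections(events, table=None):
    """events: (timestamp_seconds, src_ip) pairs for NEW SYNs to port 22, in time order.
    Returns (timestamp, src_ip, verdict) triples with verdict 'ACCEPT' or 'DROP'."""
    table = table or RecentTable()
    verdicts = []
    for now, src in events:
        table.set(src, now)                    # rule 1: always matches
        dropped = table.update(src, now)       # rule 2: DROP once the window is full
        verdicts.append((now, src, "DROP" if dropped else "ACCEPT"))
    return verdicts


def demo_events():
    """Constructed sample: a brute-forcer that hammers, backs off, then returns,
    interleaved with one legitimate login. Addresses are documentation ranges."""
    bot, user = "198.51.100.7", "203.0.113.5"
    return ([(t, bot) for t in (0, 2, 4)] + [(5, user)]
            + [(t, bot) for t in (6, 8, 10)]             # 4th..6th hit inside 60 s
            + [(t, bot) for t in (130, 131, 132, 133)])  # window has cleared


if __name__ == "__main__":
    for now, src, verdict in filter_new_connections(demo_events()):
        print(f"t={now:4d}s  {src:15s}  {verdict}")
```

The legitimate address is never affected because the list is kept per source (--rsource), and the bot's attempts at t=130 are accepted again because none of its earlier timestamps fall inside the 60-second window any more.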


#17 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 07 July 2011 - 11:00 AM

Thx for the tip.

I don't really want to go too far further OT but...

I was immediately struck by the simplicity of that set. It performs just as expected with the FW in a raw state:

[root@bench ~]# iptables -N SSH_BAN
[root@bench ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_BAN
[root@bench ~]# iptables -A SSH_BAN -m recent --set --name SSH
[root@bench ~]# iptables -A SSH_BAN -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
[root@bench ~]# /sbin/service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

[root@bench ~]# iptables -L -v
Chain INPUT (policy ACCEPT 275K packets, 16M bytes)
pkts bytes target prot opt in out source destination
14 736 SSH_BAN tcp -- any any anywhere anywhere tcp dpt:ssh state NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 148K packets, 661M bytes)
pkts bytes target prot opt in out source destination

Chain SSH_BAN (1 references)
pkts bytes target prot opt in out source destination
14 736 all -- any any anywhere anywhere recent: SET name: SSH side: source
6 300 DROP all -- any any anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source

[root@bench ~]# iptables -L -v
Chain INPUT (policy ACCEPT 275K packets, 16M bytes)
pkts bytes target prot opt in out source destination
26 1348 SSH_BAN tcp -- any any anywhere anywhere tcp dpt:ssh state NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 149K packets, 662M bytes)
pkts bytes target prot opt in out source destination

Chain SSH_BAN (1 references)
pkts bytes target prot opt in out source destination
26 1348 all -- any any anywhere anywhere recent: SET name: SSH side: source
15 756 DROP all -- any any anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source

[root@bench ~]#



The simplicity made me want to see if I couldn't 'simplyfy' our own sets some (not a ref to the VOP-01 as it's basically just a test bed these days).

A work in progress, I suppose. ref; APF cfged to use the IDS(Snort) logs

BTW cnm, congrats on the new year and thx again for the tip. :)

#18 cnm

    Mother Lion of SWI

  • Administrators
  • 25,281 posts

Posted 07 July 2011 - 11:24 AM

You're welcome mikey. I got it from someone else, at http://www.linuxquestions.org/ I think. I spend a lot of time there in their Newbie forum http://www.linuxques....org/questions/ :)



#19 AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • 9,276 posts

Posted 07 July 2011 - 11:32 AM

'Thought you might be interested in this article from h-online, not that you'd use everything in it, but some things might be helpful:

Storing passwords in uncrackable form
> http://www.h-online....rm-1255576.html
20 June 2011

;)



#20 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 07 July 2011 - 04:09 PM

That is a very well written and interesting article. The way he went on about app sec, I'm a little surprised he didn't also mention something like PHPIDS or mod_security etc.

Thx for the ref.

#21 cnm

    Mother Lion of SWI

  • Administrators
  • 25,281 posts

Posted 09 July 2011 - 10:03 AM

This article suggests length of password is the main thing and you can have as many repeats in it as you want without weakening it.
http://www.streetwis...k.html#00000188



#22 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 09 July 2011 - 12:08 PM

You know, one of my pet PW peeves is all the so-called webmasters out there who think they can handle sensitive data with a hosting account that doesn't even include shell access. In addition to the basic fact that no shell = no sec, they transfer files and PWs in the clear (plain text) over FTP and then wonder why their stuff gets stolen. If you're not using an SFTP bridge or SCP, your info can be captured.

ref; PuTTY

ref; Tunnelier (my fav way to talk to my appliances :) )

Edited by mikey, 09 July 2011 - 02:41 PM.


#23 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 09 July 2011 - 06:15 PM

This article suggests length of password is the main thing and you can have as many repeats in it as you want without weakening it.
http://www.streetwis...k.html#00000188

I pretty much believe that premise too.

A bit OT some more; cnm, that site you linked above is throwing the "Scanstyles does nothing in Webkit/Firefox" error I've been hearing about but hadn't actually seen yet. It must be pretty generic as it misinterpreted my munged UserAgent and yet didn't prevent me from seeing the page or getting any captures. So thx for the link on multiple levels.

Edited by mikey, 09 July 2011 - 06:17 PM.


#24 cnm

    Mother Lion of SWI

  • Administrators
  • 25,281 posts

Posted 09 July 2011 - 06:19 PM

mikey, I don't see anything odd with Chrome (my main browser) or Firefox 5 (FF 5 is sloooow to load!)



#25 mikey

    Advanced Member

  • Expert
  • 104 posts

Posted 09 July 2011 - 06:39 PM

Sorry, I often think faster than I elaborate or vice versa. :)

Most probably wouldn't see it and the majority of those who do, are probably doing something unorthodox. But I found it interesting, so thx.

#26 snemelk

    inżynier

  • Expert
  • 3,082 posts

Posted 17 July 2011 - 09:11 AM

An interesting move by Hotmail...

Hey! My friend’s account was hacked!

These two observations led us to develop a couple of new features that help protect your accounts. The first lets you report a friend’s account as compromised – a feature unique to Hotmail – and the second prevents you from using common passwords that make your account easy to hack.

We will now prevent our customers from using one of several common passwords. Having a common password makes your account vulnerable to brute force “dictionary” attacks, in which a malicious person tries to hijack your account just by guessing passwords (using a short list of very common passwords). Of course, Hotmail has built-in defenses against standard dictionary attacks, but when someone can guess your password in just a few tries, it hardly constitutes “brute force!”

Common passwords are not just “password” or “123456” (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like "ilovecats" or "gogiants."



#27 cnm

    Mother Lion of SWI

  • Administrators
  • 25,281 posts

Posted 05 December 2011 - 05:54 PM

Why Password Wisdom Is All Wrong - http://www.internete...evolution_gnews is worth reading.

Suggests just picking several English words and remembering the order, such as "vagrant pizza mouse garden pick." This is a much simpler phrase to remember than "p1ZZapi3" would have been, and at the same time, it is much more secure, because of its significant length.



#28 snemelk

    inżynier

  • Expert
  • 3,082 posts

Posted 11 December 2011 - 07:17 AM

Indeed, an interesting read!.. Thanks for sharing, cnm... :)

Another link I've bookmarked recently (to read it later): Internet Insecurity: The 25 Worst Passwords of 2011



