How I'd Hack Your Weak Passwords

[app103]

Stop whatever you are doing and read this article. Then go fix your password issues. Don't wait till tomorrow or next week, do it now.

   * You probably use the same password for lots of stuff right?
    * Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.
    * However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.
    * So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
    * Once we've got several login+password pairings we can then go back and test them on targeted sites.
    * But wait? How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker's computer, and the speed of the hacker's Internet connection.

http://lifehacker.co...-your-weak-passwords

[wraith808]

It still wouldn't work in most cases today... that's why banks have the authorization questions and pins in place, because they figured this out already.  If you try to login from a computer that the user hasn't already used, you'll get one of a series of questions before you get in... questions that are based on the user, not the password.  Then, if your bank is extremely paranoid like mine is, you'll have to enter a pin before you do anything after that.

They have a point, but it's not as big of a deal as it used to be.

[gexecuter]

I use Keepass to handle my password generation, i suggest all of you do the same because it's pretty handy.

[Eóin]

I'm happy to believe my common password isn't human guessable, but I'd say it is bruteforce-able. I don't use it for any site which deal with money but still if someone guessed it there'd probably be a way to go from it to some of what I'd consider by more secure passwords.

[app103]

It still wouldn't work in most cases today... that's why banks have the authorization questions and pins in place, because they figured this out already.  If you try to login from a computer that the user hasn't already used, you'll get one of a series of questions before you get in... questions that are based on the user, not the password.  Then, if your bank is extremely paranoid like mine is, you'll have to enter a pin before you do anything after that.

They have a point, but it's not as big of a deal as it used to be.

-wraith808 (April 01, 2010, 08:21 AM)

Sites like Paypal aren't as paranoid as your bank, but access to a site like that could be just as devastating for some people, considering Paypal accounts are usually tied to checking and/or credit card accounts, and may also contain a cash balance, sometimes a large one if you run a business that accepts payments through Paypal.

How about hijacking your domain name?

How about gaining access to your account at the site you have your car insurance, changing the address, phone number etc, and then canceling your insurance and asking for a refund on unused premiums?

There is a whole lot more than just access to your bank's website to worry about, and a lot of those sites are not as paranoid about security.

[wraith808]

Paypal actually does have checks and balances (which I've run afoul of several times), but point taken, even though I never activate online access to most of those other services...

[mouser]

paypal has a wonderful and cheap hardware security key that generates one-time use pins that can be required for login.  i wish my bank and credit card account was so secure.

[wraith808]

And an (over?) zealous fraud department that calls me all the time 

[app103]

paypal has a wonderful and cheap hardware security key that generates one-time use pins that can be required for login.  i wish my bank and credit card account was so secure.

-mouser (April 01, 2010, 11:04 AM)

Most people don't know about that hardware key.

AOL has a similar key that can protect your account and email, if you use their service. The key is required on accounts for all AOL employees (and they get it for free), and optional for their customers, who get charged for each one. And each screen name needs it's own key, so to fully protect an account containing 7 screen names, it would cost you $140 initially for setup and the hardware devices, and $1.95/month to continue using it. It's not something they advertised all that much, and if you want it you'd have to already know it exists through some other means of finding out about it (like reading this post) and then contacting their customer service and asking how to get one. (this is why adoption by their users has been considered a failure...nobody knows it's available)

[Carol Haynes]

My business bank account demands you login as normal and then to access account info you have to use a device that that looks like a calculator which you have to insert your debit card, use your card pin in the device and it creates a unique 8 digit code for that session. Very effective - and even puts me off using online banking because it is so convoluted!

[40hz]

FWIW  

Spoiler

[KynloStephen66515]

My business bank account demands you login as normal and then to access account info you have to use a device that that looks like a calculator which you have to insert your debit card, use your card pin in the device and it creates a unique 8 digit code for that session. Very effective - and even puts me off using online banking because it is so convoluted!

-Carol Haynes (April 01, 2010, 02:58 PM)

I have that same system, from Barclays PLC Business Banking, and one for my personal accounts.  It also annoys me enough that I have used online banking ONCE to check out the system, then decided it was quicker and easier to find a cash machine!

[Ashraf]

I don't know if anyone noticed but that article is over 3 years old. LH just had the author copy and paste it onto LH - it is nothing new. So, yes some techniques may be outdated.

[KynloStephen66515]

Outdated or not, old, or brand spanking new, this is still a good subject to touch upon from time to time.

People who are not exactly tech savvy will find this a very interesting read indeed and even those of us who do know what we are doing, sometimes need reminding to choose passwords people cant simply guess or bruteforce, and to stop us using the same passwords for everything.

[wreckedcarzz]

I use Keepass to handle my password generation, i suggest all of you do the same because it's pretty handy.

-gexecuter (April 01, 2010, 08:43 AM)

same here, works great

[clemo1]

I use 'Key Scrambler' but it only scrambles and decodes against keyloggers.

[Deozaan]

http://lifehacker.co...-your-weak-passwords

-app103 (April 01, 2010, 06:14 AM)

Oh the Irony! My LifeHacker (Gawker) account was just compromised, and the login details were used to get into my (old) Gmail account and send spam to everyone in my contact list.

[wreckedcarzz]

Oh the Irony! My LifeHacker (Gawker) account was just compromised, and the login details were used to get into my (old) Gmail account and send spam to everyone in my contact list.

-Deozaan (December 14, 2010, 04:34 AM)

can you recover them? Recovery questions and whatnot? Or get a new password via the 'forgot your password?' system?

[mouser]

Once again app103 alerted us ahead of time, and if you had listened to her you would be safe.
Lesson: LIST TO APP103 when she posts something!

[Eóin]

Interesting little note: How To Safely Store A Password.

A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.

And that’s without investing anything.

-http://codahale.com/how-to-safely-store-a-password/

[f0dder]

Eóin: bcrypt or pbkdf2... when will the world learn? ZOMG I CAN ROLL MY OWN SUPERSECURE USER VALIDATION SYSTEMS!!1!oneoneeleven!

[Renegade]

Interesting little note: How To Safely Store A Password.

A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.

And that’s without investing anything.

-http://codahale.com/how-to-safely-store-a-password/

-Eóin (December 14, 2010, 09:32 AM)

For easy to remember but stronger passwords, pass-phrases are great.

The scale there is logarithmic, so if you use a pass-phrase, each character beyond 6 multiplies the brute force time by 10. So:

thisismyphrase

has 14 characters, and would take 40 seconds * (14 chars - 6 chars)^10 seconds, or 40 * 100,000,000 seconds = 126.755059 years.

A dictionary pass-phrase attack could cut that time down, but is more complex.

[Eóin]

It's better than that Renegade, for lowercase alphanumeric, each additional character increases the search space by 36 (26 letters + 10 digits).

[Deozaan]

Oh the Irony! My LifeHacker (Gawker) account was just compromised, and the login details were used to get into my (old) Gmail account and send spam to everyone in my contact list.

-Deozaan (December 14, 2010, 04:34 AM)

can you recover them? Recovery questions and whatnot? Or get a new password via the 'forgot your password?' system?

-wreckedcarzz (December 14, 2010, 07:18 AM)

My login details were not changed. In fact, I think my account wasn't actually logged into by a person. I think my credentials were just used to authenticate a robot to grab my contact list and mass send spam to 10 people at a time (or whatever) without actually signing in to the Gmail website. But that's just a guess. I could be completely wrong about that.

But anyway, yeah, I just signed in, Google alerted me of suspicious activity and recommended to me that I should change my password, which I did. I also removed everybody from my contact list since I don't use that account anymore (for sending e-mail), in case it somehow gets compromised again.

Now I'm using a password manager and going crazy with the password generator. So far I've generated passwords using Alphanumerics + Special Characters that were anywhere from the "lowly" 20 to "insane" amount of 40 characters long. Now I just have to hope beyond hope that my password manager never loses it's database or becomes compromised.

[wraith808]

^ That really sucks.  I wish there was some way to hold people responsible for this kind of stuff accountable for their actions.   I've never been really paranoid about my passwords... but I'm getting there.  I just don't want to use a password generator/manager.  I started along that path with 1Password, but just never got to the using it part.    I do like the idea of using a passphrase, though.