
Hashed Passwords

You're telling me that "50PrePAring 72PlAnk's" is not a secure password? (of course this is not one I used but I just made it up using my method)

 

Although it's probably secure against a common cracker, it's definitely not nearly as secure as you think. It's not going to take a centillion years to crack; if a cracker is determined to get it then it'll probably take a week or even less. If he really wants your password then he'll start by using an extended dictionary method instead of trying a basic one and moving right away to regular brute forcing, and when he does put more effort into the dictionary method your password won't hold. However, if he's not determined to get the 10% stronger passwords, which is a huge waste of time, then he won't use such a method and just settle for 90% of the passwords for a day's work, which is what will happen unless he's testing new algorithms.

 

And your password doesn't help at all when you need a unique password for each website. How are you going to remember 50 different passwords with that method? Remember, each website needs a unique password. Why? Because if you use the same password everywhere then if just one website doesn't properly encrypt their data then no matter how strong your password is any cracker will get it in seconds and use it everywhere else. If you're not using unique passwords then start changing them now since it's probably been cracked already.

 

Not to mention it's a huge password which means it takes longer to type and is prone to mistypes, while you can make a password with just 10 characters that's stronger than yours and can be adapted to be unique to every website while remaining easily remembered.


And your password doesn't help at all when you need a unique password for each website. How are you going to remember 50 different passwords with that method? Remember, each website needs a unique password. Why? Because if you use the same password everywhere then if just one website doesn't properly encrypt their data then no matter how strong your password is any cracker will get it in seconds and use it everywhere else. If you're not using unique passwords then start changing them now since it's probably been cracked already.

 

Not to mention it's a huge password which means it takes longer to type and is prone to mistypes, while you can make a password with just 10 characters that's stronger than yours and can be adapted to be unique to every website while remaining easily remembered.

 

Hence the reason for on-the-fly generating.  The hashing will generate a different password for each site and you don't even have to type them in.  With some clever browser integration the code used to generate the hash can fill in the password field for you.

 

Best of all worlds.


I'm not making this up

but my password looks "vaguely" like this

874B72jkTIKZOPF

and I have it memorized

it takes a few weeks, then you can memorize anything

also if you want to keep something secure and easy

just use a phrase like

1Dayiwasinthetoiletandisawabugsoicrushedit

but try to use numbers, letters and symbols in the phrases because a custom dictionary attack can break it

I have a dictionary file that's about 40GB (combined)

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


So let me get this straight OP. You take the domain name, run it through a hashing algorithm with a salt you have added yourself, and then you use that as the password? Your test hash seems very short; what algorithm do you use? Even md5 produces much longer output than that.

The problem with this (assuming it works like I think it does) is that:

1) It relies on you having the extension, so if you are on a phone or someone else's computer, you are in trouble.

2) If your master password gets compromised you are screwed and they will get ALL your passwords.

 

 

You just think of a random character password for every website and then add 2-3 letters from the website's name, like the first character + second vowel (or only vowel, if that's the case) + last letter from the extension. For example, linustechtips.com becomes "lum", and you just add "lum" to the end of your password. This way you have a unique random character password for each website that is very easy to remember.

Not a good idea, since it can be hard to remember which characters you picked.


Easy, do what I do, don't use a password at all.  I have a key fob that is used with software on my home computer and my government computer.  Downside, if I'm not at my computer I can't access the sensitive sites I need access to because the fob requires the software in order to actually work.  Upside, my shit is secure.

 

The only other thing I can recommend, but this is also dependent on hardware that you have to use in conjunction with software and AD, is to use either a CAC (common access card) or bioreader.  Anyone who has taken any simple security cert will know that two phase authentication is always the best.  (A CAC requires the card, and a pin in order to work.  It's something you know, and something you have.  A bioreader is something you are, and something you know in order to pass).

 

 

As for the validity of if a password is complex enough, I can't lay claim to which way or the other.  Fact is that most brute force cracking systems actually do not use a dictionary.  It's completely different software.  You need a program to first generate the words to use, then a program to read those words and test them.  It formulates these words based on what you tell it to use (IE:  A-Z;a-z;!@#$%^&*()_+;0-9) and min and max characters to use (IE: between 4 and 12 characters).  So guess what, if someone uses an = sign and you forget to include it, it'll never crack the password.  If the password is only 3 characters, incredibly insecure btw, the program won't crack it because you said 4-12.  And the more characters you tell it to use (All my passwords that I can't use my fob with are 18+ characters) the longer it will take.  It'll be about 5 days to a week before it even reaches the 18 character range (it starts with every 4 digit combo possible, then 5, etc).

 

Anyway, the security of a password is purely subjective.  You can luck out, or you could not luck out.  If you want to be secure, make sure you use more than one element of authentication.  A password is only something you know, therefore is insecure.  There are 3 levels of authentication, something you know, something you have, something you are.  Use at least 2 of the 3 and you will be secure.

01110100 01101000 01100101 00100000 01110001 01110101 01101001 01100101 01110100 01100101 01110010 00100000 01111001 01101111 01110101 00100000 01100010 01100101 01100011 01101111 01101101 01100101 00101100 00100000 01110100 01101000 01100101 00100000 01101101 01101111 01110010 01100101 00100000 01111001 01101111 01110101 00100000 01100001 01110010 01100101 00100000 01100001 01100010 01101100 01100101 00100000 01110100 01101111 00100000 01101000 01100101 01100001 01110010
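The search described in the post above (a generator fed a character set and a minimum/maximum length, every combination tried shortest first) can be sized exactly, which is where the remarks about the "=" sign and the 3-character password come from. The following is an added example and not code from any post in this thread; the character classes are the ones the post lists, and the sample passwords are constructed for the demonstration.

```javascript
// Added example, not from the forum post: sizing the mask-style brute force
// the post describes (a character set plus a min/max length, every
// combination tried in order) and checking whether a given password is
// reachable by that search at all.  BigInt avoids overflow for long masks.

// The character classes named in the post: A-Z; a-z; !@#$%^&*()_+; 0-9
const UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const LOWER = "abcdefghijklmnopqrstuvwxyz";
const DIGITS = "0123456789";
const SYMBOLS = "!@#$%^&*()_+";
const POST_CHARSET = UPPER + LOWER + SYMBOLS + DIGITS;

// Number of candidates enumerated for every length from minLen to maxLen.
function keyspace(charset, minLen, maxLen) {
  const n = BigInt(new Set(charset).size); // duplicates do not enlarge the set
  let total = 0n;
  for (let len = minLen; len <= maxLen; len++) total += n ** BigInt(len);
  return total;
}

// Candidates the search must pass before it starts on passwords of `length`
// (the post's point that the 18-character range is reached only after all
// shorter lengths are exhausted).
function candidatesBeforeLength(charset, minLen, length) {
  return length <= minLen ? 0n : keyspace(charset, minLen, length - 1);
}

// Can this configured search ever emit `password`?  Explains why not.
function reachable(password, charset, minLen, maxLen) {
  if (password.length < minLen || password.length > maxLen) {
    return { ok: false, reason: `length ${password.length} is outside ${minLen}-${maxLen}` };
  }
  const allowed = new Set(charset);
  for (const ch of password) {
    if (!allowed.has(ch)) {
      return { ok: false, reason: `character ${JSON.stringify(ch)} is not in the charset` };
    }
  }
  return { ok: true, reason: "" };
}

// Constructed sample passwords, not anyone's real ones.
function demo() {
  console.log("4-12 chars over the post's set:", keyspace(POST_CHARSET, 4, 12).toString());
  console.log("candidates before length 18:   ", candidatesBeforeLength(POST_CHARSET, 4, 18).toString());
  for (const pw of ["abc", "Pa=sw0rd!", "Pa$sw0rd!"]) {
    console.log(pw.padEnd(10), reachable(pw, POST_CHARSET, 4, 12));
  }
}
demo();
```

The two failure cases in the demo are exactly the ones the post names: a 3-character password falls below the configured minimum, and a password containing "=" is outside a set that omits it, so neither is ever generated no matter how long the search runs.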

 


Not a good idea, since it can be hard to remember which characters you picked.

You don't need to remember, you just need to follow the rule and you'll find the password by looking at the website's name.


Easy, do what I do, don't use a password at all.  I have a key fob that is used with software on my home computer and my government computer.  Downside, if I'm not at my computer I can't access the sensitive sites I need access to because the fob requires the software in order to actually work.  Upside, my shit is secure.

 

The only other thing I can recommend, but this is also dependent on hardware that you have to use in conjunction with software and AD, is to use either a CAC (common access card) or bioreader.  Anyone who has taken any simple security cert will know that two phase authentication is always the best.  (A CAC requires the card, and a pin in order to work.  It's something you know, and something you have.  A bioreader is something you are, and something you know in order to pass).

 

 

As for the validity of if a password is complex enough, I can't lay claim to which way or the other.  Fact is that most brute force cracking systems actually do not use a dictionary.  It's completely different software.  You need a program to first generate the words to use, then a program to read those words and test them.  It formulates these words based on what you tell it to use (IE:  A-Z;a-z;!@#$%^&*()_+;0-9) and min and max characters to use (IE: between 4 and 12 characters).  So guess what, if someone uses an = sign and you forget to include it, it'll never crack the password.  If the password is only 3 characters, incredibly insecure btw, the program won't crack it because you said 4-12.  And the more characters you tell it to use (All my passwords that I can't use my fob with are 18+ characters) the longer it will take.  It'll be about 5 days to a week before it even reaches the 18 character range (it starts with every 4 digit combo possible, then 5, etc).

 

Anyway, the security of a password is purely subjective.  You can luck out, or you could not luck out.  If you want to be secure, make sure you use more than one element of authentication.  A password is only something you know, therefore is insecure.  There are 3 levels of authentication, something you know, something you have, something you are.  Use at least 2 of the 3 and you will be secure.

 

That is extremely unecessary for common passwords and much too troublesome. A proper 13 character password is uncrackable at least until quantum processors are available to the public.


You don't need to remember, you just need to follow the rule and you'll find the password by looking at the website's name.

Oh right, I missed that "second vowel" part. What if the website/service does not have a vowel though, or is just 2 characters long?


That is extremely unecessary for common passwords and much too troublesome. A proper 13 character password is uncrackable at least until quantum processors are available to the public.

 

I don't work in the public sector, I'm a government contractor.  Unnecessary isn't in our vocabulary.  And which part is troublesome?  You quoted my entire post.  I made several points, and the 2 phase authentication is actually MANDATORY by any US government position.  CACs are actually used by both DoD contractors, DoD civilians, and any military member, you are actually issued one in basic training.

 

So, what you call unnecessary, we call prudent planning; not to mention the standard of ALL professionals with confidential or above clearance.  When you have secrets worth keeping, you will also think that overboard precautions are a must if your secrets are indeed worth keeping.

 

And just an added note, it takes me less time to log into a computer using a CAC than it does for you to type in a 13 digit password.  (Plus I only have to use a 4 digit pin, just slide in the card and type in 4 digits).  As for the FOB, it's based on my proximity to the computer (namely the sensor) and a 4 digit pin.  That 4 digit pin, tied with the added security, is more fail proof and far less likely to be forgotten than a 13 character password.


 


So let me get this straight OP. You take the domain name, run it through a hashing algorithm with a salt you have added yourself, and then you use that as the password? Your test hash seems very short; what algorithm do you use? Even md5 produces much longer output than that.

 

 

Yes that's correct.  It uses sha1 to start with, then based on the output and the selected options* it produces the final password.

 

*Options such as length, inclusion of special characters, etc. (I can't believe there are still websites out there that restrict characters and length?!?!)

 

 

1) It relies on you having the extension, so if you are on a phone or someone else's computer, you are in trouble.

Yes, this is an issue.  I have made it in javascript so I have embedded it into a simple HTML file a copy of which resides on my phone so I have complete mobile use as required.  (The HTML file is I realise a weak point as it shows the algorithm, but the master password would also be required.  Anyway, I have put some security on accessing the file, e.g. to access it itself is password protected... Also the code is obfuscated, not that that would deter the most persistent hackers.)

 

 

2) If your master password gets compromised you are screwed and they will get ALL your passwords.

If they somehow did, which they would have to be damn persistent to (brute force the password then reverse engineer it into the master password), they would also need the algorithm, as it is not a plain sha1.  I was also thinking of differing the master password based on a character/characters of the domain as well, just as an additional layer.


Personally I make my password a sentence like

"My cat's fur has 5 pancakes that ARE delicious!"

Case-NZXT H440 | Motherboard-Gigabyte Z77X-UD3H | RAM-Kingston HyperX Blue 2x8GB 1600MHz | CPU-Intel 3770K @ 4.3GHz at 1.215v | Heatsink-Coolermaster Hyper212 Evo | GPU-EVGA GTX660 SC | SSD-MX200 250GB | HDD-Seagate Barracuda 3TB | PSU-EVGA GS650

Mouse-Logitech G600 | Keyboard-Ducky Shine 3 MX Blue. white backlight | Headphones-Audiotechnica ATH-M50s. Beyerdynamic DT990


Oh right, I missed that "second vowel" part. What if the website/service does not have a vowel though, or is just 2 characters long?

You just think of a random character password for every website and then add 2-3 letters from the website's name, like the first character + second vowel (or only vowel, if that's the case) + last letter from the extension. For example, linustechtips.com becomes "lum", and you just add "lum" to the end of your password. This way you have a unique random character password for each website that is very easy to remember.

 

 

I don't work in the public sector, I'm a government contractor.  Unnecessary isn't in our vocabulary.  And which part is troublesome?  You quoted my entire post.  I made several points, and the 2 phase authentication is actually MANDATORY by any US government position.  CACs are actually used by both DoD contractors, DoD civilians, and any military member, you are actually issued one in basic training.

 

So, what you call unnecessary, we call prudent planning; not to mention the standard of ALL professionals with confidential or above clearance.  When you have secrets worth keeping, you will also think that overboard precautions are a must if your secrets are indeed worth keeping.

 

And just an added note, it takes me less time to log into a computer using a CAC than it does for you to type in a 13 digit password.  (Plus I only have to use a 4 digit pin, just slide in the card and type in 4 digits).  As for the FOB, it's based on my proximity to the computer (namely the sensor) and a 4 digit pin.  That 4 digit pin, tied with the added security, is more fail proof and far less likely to be forgotten than a 13 character password.

And that's why I said it is extremely unecessary for common passwords, which is clearly what this topic is about. In most companies where you work with sensitive information there are already specific rules set in place to ensure your password is uncrackable, whatever is discussed in this topic is not in any way relevant to such cases. Or are you claiming that you use those methods for each forum you join and each new game you start playing? Because, once again, that is extremely unnecessary.


That is extremely unecessary for common passwords and much too troublesome. A proper 13 character password is uncrackable at least until quantum processors are available to the public.

What would a "proper" 13 character password be?

15" MBP TB

AMD 5800X | Gigabyte Aorus Master | EVGA 2060 KO Ultra | Define 7 || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB


What would a "proper" 13 character password be?

once again, my suggestion is to make a 10 character password including at least one upper case, one number and one character from the extended ascii table and then add 3 characters to the password specific to each different website so it becomes unique.

 

Example:

I take the phrase "What would a proper 13 character password be?", which makes it easy to remember, and use the first letter from each word

wwap13cpb

Now I make some changes to make it secure

wp13cpB.

And then add 3 characters from the website with a particular rule so I can always remember what it is, for example, the first and last characters and the second character from the extension, so linustechtips.com = lso, and add it to a specific place in the password.

lsowWÁp13cpB

 

And it's done. The password is easy to remember, fast to type, unique to each website and secure against any cracker.


once again, my suggestion is to make a 10 character password including at least one upper case, one number and one character from the extended ascii table and then add 3 characters to the password specific to each different website so it becomes unique.

 

Example:

I take the phrase "What would a proper 13 character password be?", which makes it easy to remember, and use the first letter from each word

wwap13cpb

Now I make some changes to make it secure

wp13cpB.

And then add 3 characters from the website with a particular rule so I can always remember what it is, for example, the first and last characters and the second character from the extension, so linustechtips.com = lso, and add it to a specific place in the password.

lsowWÁp13cpB

 

And it's done. The password is easy to remember, fast to type, unique to each website and secure against any cracker.

What happens when one site does not encrypt stored passwords? If someone knows this method is in use it would be easy to crack any other password.


What happens when one site does not encrypt stored passwords? If someone knows this method is in use it would be easy to crack any other password.

So from lsowWÁp13cpB someone can figure out the passwords for other websites? How?


I can't believe nobody has posted that one comic from XKCD yet. 

Interested in Linux, SteamOS and Open-source applications? Go here

Gaming Rig - CPU: i5 3570k @ Stock | GPU: EVGA Geforce 560Ti 448 Core Classified Ultra | RAM: Mushkin Enhanced Blackline 8GB DDR3 1600 | SSD: Crucial M4 128GB | HDD: 3TB Seagate Barracuda, 1TB WD Caviar Black, 1TB Seagate Barracuda | Case: Antec Lanboy Air | KB: Corsair Vengeance K70 Cherry MX Blue | Mouse: Corsair Vengeance M95 | Headset: Steelseries Siberia V2

 

 


TOO MANY WORDS!

Prepare for battle in BATTLEFIELD 4! All New Dog tags JUST LIKE THIS:


So from lsowWÁp13cpB someone can figure out the passwords for other websites? How?

if i understood you correctly you have this part of the password that is the same for every site wWÁp13cpB ? 

Say 2 sites that you use get compromised and the passwords leaked with corresponding emails; someone could see that only one part of the passwords differs and can begin either brute forcing the additional characters or trying to figure out what method you used to create the additional characters.
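Both site-tag rules proposed earlier in the thread ("first character + second vowel + last letter of the extension", giving lum for linustechtips.com; "first and last characters + second character of the extension", giving lso) and the objection just made about two leaked passwords can be checked mechanically. The block below is an added example, not code from any poster: the host splitting, the null result when a rule cannot be applied (the "no vowel / two characters" question raised earlier, which the thread never answered, so no fallback is invented), the example.org domain and the longest-common-substring audit are mine. The fixed core wWÁp13cpB is the one from the worked example above.

```javascript
// Added example, not code from any post: the two "site tag" rules proposed
// in the thread, and a check of how much two such passwords have in common.

// Split "www.LinusTechTips.com" into { name: "linustechtips", ext: "com" }.
function splitHost(host) {
  const labels = host.trim().toLowerCase().replace(/^www\./, "").split(".");
  if (labels.length < 2) return null; // no extension to draw from
  return { name: labels[0], ext: labels[labels.length - 1] };
}

// Rule from earlier in the thread: first character + second vowel (or the
// only vowel) of the name + last letter of the extension -> "lum".
// Returns null when the name has no vowel, the case the thread asked about.
function tagFirstVowelLast(host) {
  const parts = splitHost(host);
  if (!parts || parts.name.length === 0) return null;
  const vowels = [...parts.name].filter((c) => "aeiou".includes(c));
  if (vowels.length === 0) return null;
  const vowel = vowels.length >= 2 ? vowels[1] : vowels[0];
  return parts.name[0] + vowel + parts.ext[parts.ext.length - 1];
}

// Rule from the "lsowWÁp13cpB" post: first and last characters of the name
// + second character of the extension -> "lso".
function tagFirstLastExt2(host) {
  const parts = splitHost(host);
  if (!parts || parts.name.length === 0 || parts.ext.length < 2) return null;
  return parts.name[0] + parts.name[parts.name.length - 1] + parts.ext[1];
}

// The thread's example places the tag in front of the fixed core.
function buildPassword(tag, core) {
  if (tag === null) throw new Error("tag rule does not apply to this host");
  return tag + core;
}

// Longest common substring (single-row dynamic programme).  Two per-site
// passwords that share a long substring expose the fixed core.
function longestCommonSubstring(a, b) {
  let best = "";
  const row = new Array(b.length + 1).fill(0);
  for (let i = 1; i <= a.length; i++) {
    for (let j = b.length; j >= 1; j--) { // descending: row[j-1] still holds row i-1
      if (a[i - 1] === b[j - 1]) {
        row[j] = row[j - 1] + 1;
        if (row[j] > best.length) best = a.slice(i - row[j], i);
      } else {
        row[j] = 0;
      }
    }
  }
  return best;
}

// Audit helper: fraction of the shorter password that is shared verbatim.
function sharedFraction(pwA, pwB) {
  const shared = longestCommonSubstring(pwA, pwB);
  return shared.length / Math.min(pwA.length, pwB.length);
}

function demo() {
  const CORE = "wWÁp13cpB"; // fixed part from the thread's worked example
  const pwLtt = buildPassword(tagFirstLastExt2("linustechtips.com"), CORE); // lsowWÁp13cpB
  const pwOrg = buildPassword(tagFirstLastExt2("example.org"), CORE);       // constructed second site
  console.log(pwLtt, pwOrg, "shared:", longestCommonSubstring(pwLtt, pwOrg), sharedFraction(pwLtt, pwOrg));
  console.log("vowel rule:", tagFirstVowelLast("linustechtips.com"), tagFirstVowelLast("qq.com"));
}
demo();
```

The audit is something to run on your own passwords: a large shared fraction between two of them means the next leak hands over most of every other one, while a hash-derived password like the one sketched earlier has no fixed substring to find. The vowel rule returning null for qq.com is the edge case asked about above, left unresolved because the poster never said what to do there.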


And that's why I said it is extremely unecessary for common passwords, which is clearly what this topic is about. In most companies where you work with sensitive information there are already specific rules set in place to ensure your password is uncrackable, whatever is discussed in this topic is not in any way relevant to such cases. Or are you claiming that you use those methods for each forum you join and each new game you start playing? Because, once again, that is extremely unnecessary.

 

No, forums and websites I use a keyring, and my computer uses 2 phase security, so the keyring cannot be accessed without the two phase verification.  Once again, you say unnecessary (well you said unecessary), I say cautious.  If it's not your bag don't use it, I do, I was just giving my two cents on how to achieve security (very easy security).  If it's too secure and easy for you don't use it.


 


if i understood you correctly you have this part of the password that is the same for every site wWÁp13cpB ?

Say 2 sites that you use get compromised and the passwords leaked with corresponding emails; someone could see that only one part of the passwords differs and can begin either brute forcing the additional characters or trying to figure out what method you used to create the additional characters.

That already requires 2 websites that I'm registered in to not use any form of encryption and both be targeted by the same hacker who also decides to cross-reference passwords for accounts with the same e-mail address. Even the most basic websites use MD5, such a thing is very highly unlikely and unless you're registering on really crappy non-template websites then it'll never happen.

No, forums and websites I use a keyring, and my computer uses 2 phase security, so the keyring cannot be accessed without the two phase verification. Once again, you say unnecessary (well you said unecessary), I say cautious. If it's not your bag don't use it, I do, I was just giving my two cents on how to achieve security (very easy security). If it's too secure and easy for you don't use it.

It has a needless level of security that can turn out to be incredibly unpracticle.

It has a needless level of security that can turn out to be incredibly unpracticle.

 

You keep using that word (I think the word you are looking for is impractical):  Not adapted for use or action; not sensible or realistic.

 

Now, I'm not going to argue with you for the sake of argument, but there is nothing about the level of security that millions or more people use that is not adapted for use or action, and there is nothing about only having to spend only 2 seconds to quickly tap in 4 digits that is not sensible or realistic.  So yes, not only is it practical, but it is also going to continue to be in use regardless of your opinion.  I have already stated twice in as many posts that if it's not for you, don't use it.  But you are so stuck that your way is the only way you would rather argue over nothing than just to say ok and carry on.  I'm sorry but you are simply saying the same thing over and over without reason (which by the way is impractical).

 

Now with that said, it's painfully obvious that you are unreasonably obstinate on this topic and there is no room for movement into any reasonable discussion on this.  I'm trying to simply show that you can be very secure very easily.  I don't know if you are simply not familiar with the technology, or are just obtuse, either way this is going nowhere.  These are forums, from my understanding it is a place where many ideas get organized and debated in a single place in order to learn or find solutions to real life issues.  Many people will pose many sides and thoughts on the topic.  So feel free to argue or whatever from here on out, I'm gracefully making my exit from this discussion.

 

If there is anything I have learned from owning a business and dealing with hundreds of thousands of people in networking security and penetration testing (not to mention life in general), "Don't bother trying to educate a pig, you will just waste your time and annoy the pig."  Have at it fellas.


 


You keep using that word (I think the word you are looking for is impractical):  Not adapted for use or action; not sensible or realistic.

 

Now, I'm not going to argue with you for the sake of argument, but there is nothing about the level of security that millions or more people use that is not adapted for use or action, and there is nothing about only having to spend only 2 seconds to quickly tap in 4 digits that is not sensible or realistic.  So yes, not only is it practical, but it is also going to continue to be in use regardless of your opinion.  I have already stated twice in as many posts that if it's not for you, don't use it.  But you are so stuck that your way is the only way you would rather argue over nothing than just to say ok and carry on.  I'm sorry but you are simply saying the same thing over and over without reason (which by the way is impractical).

 

Now with that said, it's painfully obvious that you are unreasonably obstinate on this topic and there is no room for movement into any reasonable discussion on this.  I'm trying to simply show that you can be very secure very easily.  I don't know if you are simply not familiar with the technology, or are just obtuse, either way this is going nowhere.  These are forums, from my understanding it is a place where many ideas get organized and debated in a single place in order to learn or find solutions to real life issues.  Many people will pose many sides and thoughts on the topic.  So feel free to argue or whatever from here on out, I'm gracefully making my exit from this discussion.

 

If there is anything I have learned from owning a business and dealing with hundreds of thousands of people in networking security and penetration testing (not to mention life in general), "Don't bother trying to educate a pig, you will just waste your time and annoy the pig."  Have at it fellas.

 

I'm not saying my way is the only way, I'm saying that your way makes no sense. Your method doesn't have anything to do with passwords, requiring a specific file/key does not in any way deter crackers. They're not going to your house and log into your computer to see if they can steal your passwords, which means your two step activation does nothing whatsoever. Requiring a keyfile/signature is utterly useless unless you're using it with the objective of stopping someone in the physical world from accessing it. A cracker doesn't care what you need to do to log into your computer, it can even require you to gather all 7 dragon balls and it wouldn't make a difference. The only thing that matters to a cracker is the password that you use to log in. Not what you do to log in, but the password that the website receives. That password is the only thing that a cracker will attempt to crack, and as such what you need is not a multi-step activation BUT AN ACTUAL SECURE AND UNIQUE PASSWORD. I can't stress this enough, your multi-step activation will not in any way influence anything a cracker will ever do, only the password matters. And, since you never mentioned anything about unique and secure password and instead focus on things that are entirely irrelevant, I think it's safe to assume that your actual passwords aren't that secure, if you use unique passwords at all, so maybe you should spend less time jerking off to your useless two step activation method and actually listen to people who know what they're talking about.

 

Good luck with your security business, you'll need it.


I'm not saying my way is the only way, I'm saying that your way makes no sense. Your method doesn't have anything to do with passwords, requiring a specific file/key does not in any way deter crackers. They're not going to your house and log into your computer to see if they can steal your passwords, which means your two step activation does nothing whatsoever. Requiring a keyfile/signature is utterly useless unless you're using it with the objective of stopping someone in the physical world from accessing it. A cracker doesn't care what you need to do to log into your computer, it can even require you to gather all 7 dragon balls and it wouldn't make a difference. The only thing that matters to a cracker is the password that you use to log in. Not what you do to log in, but the password that the website receives. That password is the only thing that a cracker will attempt to crack, and as such what you need is not a multi-step activation BUT AN ACTUAL SECURE AND UNIQUE PASSWORD. I can't stress this enough, your multi-step activation will not in any way influence anything a cracker will ever do, only the password matters. And, since you never mentioned anything about unique and secure password and instead focus on things that are entirely irrelevant, I think it's safe to assume that your actual passwords aren't that secure, if you use unique passwords at all, so maybe you should spend less time jerking off to your useless two step activation method and actually listen to people who know what they're talking about.

Good luck with your security business, you'll need it.

Are you serious? Key files are more secure than passwords as long as you don't lose them, and by adding another factor of authentication such as something you are (a fingerprint) or something you know such as a password. A key pair is much harder to crack than a password if the websites support this.

And you could use that method to authenticate to a password manager that has a completely unique password for each site


Are you serious? Key files are more secure than passwords as long as you don't lose them, and by adding another factor of authentication such as something you are (a fingerprint) or something you know such as a password. A key pair is much harder to crack than a password if the websites support this.

 

And which websites support that? So far in my entire life I have not come upon a website/game that gives me the option of using a keyfile. Password storage and encryption programs offer it, but websites don't.

Again, it doesn't matter how many keyfiles you need to use, the websites only accept a single password. It can even require a thousand keyfiles hidden in the deepest parts of the Antarctic ocean and the password you use for the website remains easily crackable.

I also require my keycard to access the labs in my university, does that mean I can use such a method for this forum? No. I cannot. Over 99.99% of the internet does not support such features. Suggesting it is the best way to ensure your login is secure is not in any way relevant to this topic.

 

 

Either get a password manager or hashing program that will make your passwords uncrackable, but it can turn out to be rather unpractical if you need to access any random website on a different machine and a nightmare if you forget about it when you format your computer/HDD dies, or you can use a shorter password that is still uncrackable by any common cracker and some reasoning to make it unique for each website. Those are the only two ways you can have secure passwords, whatever your password manager/computer requires you to do to log in has nothing to do with the crackers and only serves to stop other people in the physical world to access your passwords, which is not usually a problem.

