Here's Why Your Password is Hackable - Comments Page 2

Category: Security



All Comments on: "Here's Why Your Password is Hackable"

Posted by:

Walter
12 Sep 2017

It is completely untrue that hackers can try billions of passwords per minute. It's a worst/best case scenario where they have a copy of the password hash on an outside fast computer where they can run a brute force attack at speed. This can happen, but it's not really the concern. You can't just try to log into a computer system a billion times per minute. It's easy to put in place delays and try limits. Now to be fair I've seen constant attacks from China with random usernames and passwords on every public system I've put up, but a few simple firewall rules and even that lame attack is rendered pointless.

Running cracking software on an actual hash will produce all the Love123 passwords in minutes, but when it goes into brute force attacks it'll take some serious time and then it just comes down to how long the password is. Of course you could rent a really expensive/fast computer to run it on to speed things up but now you're investing money.

My big point here is your bank password isn't going to get hacked using the hash, and if it does the bank is going to contact you to change it and be very embarrassed. Even if they do get the bank hash, they're going to try the Love123 accounts first as running a hash on thousands of accounts is going to take a long time. They probably won't even bother with a brute force if a dictionary attack doesn't do it as they'd know that all the passwords would have been changed by the time they get results.

As to trying to guess your bank password, they'll get locked out within four or five tries. There's not enough time for them to do a brute force. So pick a password that's going to withstand a dictionary attack, but beyond that you're fine.

Posted by:

Dan
12 Sep 2017

First I'd like to address NB, did you not read closely enough to understand it's the hacker and their software processing the possibilities, not the actual user.
Right or wrong I store passwords due to the amount that any given person has to use in my iPhone. It's locked by finger print or a numerical code, one step further, if they can get past that "Notes" allows you to lock your "Notes". My banks require a change every six (6) months. You can't use anything that was used before in the prior six (6) months. I don't know where I read about password rules, but I have always done as suggested, uppercase in the middle, no successive numbers, no keyboard keys running together. Love the idea of a quote from a book, that helps tremendously with the banks and their requirements.
Thanks Bob.

Posted by:

-JimP
12 Sep 2017

Henry: Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password and the keys used to encrypt and decrypt data are never sent to LastPass’ servers and are never accessible by LastPass.

Posted by:

JimM
12 Sep 2017

Personally, I don't know of ANY website that handles bank information that allows a billion tries. Most will lock you out after only 5 tries or less. I got locked out of my mortgage payment website and waited two days before trying and still couldn't get in. I eventually resorted to calling them to straighten the matter out. If you haven't been hacked what is the use of changing the PW? You could very well be changing it to one that is in the hackers' database. At the very least you're still in the same situation as you were before you changed it. Best thing is two party authentication.

Posted by:

Lawrence Mills
12 Sep 2017

I find it frustrating to create passwords for sites that I might use only once to make an unusual purchase. I use upper and lower case, numbers, characters and I try for something that relates to something in my life like a broken numerical address, not the whole. Or maybe a birthday with characters and text intermingled. Each time I change a password it's about 12 characters and I don't change one but all the characters in the password. I write these down in a password book, heaven forbid that anyone finds it, so that I can refer to it when I need to access that unusual web site for some reason a second time.
Now with all that said, my email was hacked and I've spent hours with Microsoft customer service (ha!) trying to recover my email account. It is the first time in forever that my email has been hacked and I believe it was because our mortgage company's server was hacked and personal information stolen. Can I offer this information on the form that Microsoft has me fill out??? No! And how am I to remember emails from two months ago along with the subject line. If only I could deal with a real customer service person. Well I guess I do understand Microsoft's viewpoint but that certainly doesn't help me. So I will keep struggling with Microsoft and work at creating passwords that are less hackable. Larry.

Posted by:

Jerry B
12 Sep 2017

Having also used Roboform for many years to keep my 100+ passwords unique, secure and frequently updated, I can't imagine living without it.

Posted by:

Ron
12 Sep 2017

I wrote a simple Excel formula to generate random passwords and I store them in a password-protected file not named "password."

Posted by:

Thomas
12 Sep 2017

RoboForm all the way. For those sites that block auto-filling or have two screens, I drag-n-drop or copy/paste from the RoboForm editor.

Posted by:

Paul
12 Sep 2017

Been using Keepass for years along with an encrypted password vault stored in Dropbox for multi-device sync.

Posted by:

Paul
12 Sep 2017

@BobD Keepass can fill in online forms just fine. See here: http://keepass.info/help/base/autotype.html

Posted by:

J
12 Sep 2017

My password for my Yahoo mail will take a hacker 1,000 years to crack according to a password rater recommended by this website. What good did that do when the company was hacked and all information, including passwords, was stolen?

I have not written down passwords and tried to obey the "one password for each site" rule. This has wasted a lot of time when trying to remember what ending went with the strong root for each password needed. I have been locked out of sites because the right password could not be remembered in three tries. Passwords have been changed and then forgotten so that they needed to be changed yet again.

My new rule is to write them down with a code for the site to be accessed and hide the list where it will, hopefully, be remembered.

Posted by:

Isaac
12 Sep 2017

I have used 1Password since it got started. They offer a variety of methods and plans now but I am still using the original method. The software is only on my computers. There is no data in a database anywhere on the web. The software can generate unique very long randomly generated passwords or you can make your own. If you do make your own it shows you those that are similar and suggests you make changes to avoid that. It can store an encrypted file on Dropbox or iCloud in your personal account. That allows syncing on all of my Macs and iPhone. It has never failed me. Updates have been free and so is excellent tech support. All I have to remember is the 1Password i.e. the Master Password. That is only on the devices NOT in the encrypted file on Dropbox or iCloud. 1Pw is one of two of the best software products that I have ever purchased. I could not be without it and it is worth more than the price I paid.

Posted by:

LeRoy
12 Sep 2017

I built a set of Excel random generators, each inside the other, to give me something that's pretty random. Or was. After this latest debacle, I'll be going the memorable phrase route. It should only take me as long to change my passwords as it will take the hackers to hack my old ones.

Posted by:

Melanie
12 Sep 2017

I have been using Roboform Everywhere for several years - it works on our iPhones, Macs and PC products and syncs across platforms. On occasion I have to manually enter a username or password (especially with 2 step authentication), but I love that I can generate random passwords and not have to try to remember anything (except the password to Roboform, of course!). I love that I can access my password list on my phone. Just use Bob's advice when you create your master password, and hope Roboform is never hacked!

Posted by:

Edwin
12 Sep 2017

Most passwords are unnecessary for security purposes as they access websites that nobody else would have the slightest interest in. The fellow who invented the current crazy password creation has since said that he was wrong and that its complexity is unnecessary. Apart from my financial records anybody is welcome to my passwords.

Posted by:

Therrito
13 Sep 2017

I created an easy to remember complex base password of lower case letters mixed with numbers to use with all of my online accounts then I added a prefix or suffix specific for each account consisting of upper case letters and/or special characters so that the end result is a very complex password that is unique for each account and is very easy to remember each one.

Posted by:

Walter
13 Sep 2017

Just to clear up one point.

When a hacker breaches a system and "gets the passwords" they don't actually get the passwords, at least in modern times and with anything that is remotely secure. They get a list of account hashes. So your password could be Love123 and the hash might be klj#c98q34 (just made up). When you log on and enter Love123 the server runs a hash program on what you entered that will put out klj#c98q34 which is then compared to the hash table. I think it's even mathematically possible that another different password could produce the same hash.

This is why modern Systems Administrators don't know what your password is. They might be able to see the hash, but can't really do anything with it. Many years ago on UNIX systems the hash was readable by anyone on the system as nobody could decode it. But now we have decoder programs that can.

So say you've got a hash and you run cracker software on it on your modern i7 with many GPUs. It's going to use a list of known words and simple rules to try and guess the password. So it tries Love122 and fails and then Love123 and succeeds. It'll get passwords like that pretty fast, but passwords like uzKmkJdB are not going to be cracked with the word lists. It then has to go into brute force mode, which takes some time. Might sit there for a week before it gets it and that's just one password. What if the system has a hundred thousand accounts?

You can see that running a brute force attack even with the hash file is going to take forever. I don't think they'd bother unless they knew some key accounts that were more worthwhile hacking, perhaps BillGates or a similar account. So they're probably only going to run dictionary attacks at the huge list for a day or two and see if they can get into accounts with stupid passwords.

So, don't use a stupid password on anything important, but you don't need to go too crazy.
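Walter's two comments above describe how a server keeps only a hash of the password, re-hashes what you type at login and compares, and how lockouts cap online guessing. The following is an added example written for this page, not code from the article or from any commenter. It assumes PBKDF2-HMAC-SHA256 with a random per-user salt as the hashing scheme, a five-attempt threshold with a 15-minute lockout, and a constructed user table whose only account uses the sample password "Love123" from the comments.

```python
"""Salted, slow password hashing plus an online attempt limiter.

Added example, not code from the article or its commenters. The user
table, the 'Love123' sample password, the 5-attempt / 15-minute lockout
and the PBKDF2 parameters are all assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 200_000       # assumed work factor; raise as hardware gets faster
MAX_ATTEMPTS = 5           # assumed lockout threshold (JimM's "5 tries or less")
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Return what the server stores: a random salt, the work factor and the
    PBKDF2-HMAC-SHA256 digest. The password itself is never stored, which is
    why an administrator who can read the table still cannot read passwords."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def check_password(record: dict, candidate: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare digests in
    constant time: the 'run a hash program on what you entered and compare
    it to the table' step."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def online_guess_ceiling(max_attempts: int, lockout_seconds: int,
                         window_seconds: int = 86_400) -> int:
    """Upper bound on guesses one account will accept per window when every
    batch of max_attempts failures triggers a lockout of lockout_seconds."""
    return max_attempts * (window_seconds // lockout_seconds)


class LoginService:
    """Login front end that counts failures per account and locks the account
    after max_attempts, so online guessing is capped whatever hardware the
    guesser has."""

    def __init__(self, users: dict, max_attempts: int = MAX_ATTEMPTS,
                 lockout_seconds: int = LOCKOUT_SECONDS):
        self.users = users
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = {}  # username -> (failure count, locked_until timestamp)
        # Dummy record so unknown usernames cost the same time as real ones.
        self._dummy = make_record(os.urandom(16).hex())

    def login(self, username: str, candidate: str,
              now: Optional[float] = None) -> str:
        """Return 'ok', 'bad_password' or 'locked'. `now` is injectable so the
        lockout timing can be exercised without waiting."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"                          # guess is not evaluated
        record = self.users.get(username)
        if record is None:
            check_password(self._dummy, candidate)   # burn the same work
            return "bad_password"
        if check_password(record, candidate):
            self.failures.pop(username, None)        # success resets the count
            return "ok"
        count += 1
        if count >= self.max_attempts:
            self.failures[username] = (0, now + self.lockout_seconds)
            return "locked"
        self.failures[username] = (count, locked_until)
        return "bad_password"


if __name__ == "__main__":
    # Constructed user table: the server keeps salt + hash, not "Love123".
    users = {"alice": make_record("Love123")}
    print("stored hash:", users["alice"]["hash"].hex())
    service = LoginService(users)
    for guess in ["Love121", "Love122", "Love123"]:
        print(guess, "->", service.login("alice", guess))
    print("max online guesses per account per day:",
          online_guess_ceiling(MAX_ATTEMPTS, LOCKOUT_SECONDS))
```

The two halves illustrate the distinction Walter draws: `make_record` and `check_password` are the offline side (a stolen table holds only salts and slow digests, and every guess against it costs a full PBKDF2 run), while `LoginService` is the online side, where the attempt counter, not hash speed, bounds how many guesses a live login form will ever accept.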

Posted by:

david sparkman
13 Sep 2017

My bank disables my account after 3 incorrect tries so cracking that will take a very long time. On the other hand, I use a wireless keyboard so an external keylogger is a threat. I prefer not to access my bank account while on the road. I am using Avast's EasyPass but I am bugged that it keeps trying to save my bank password which is the one password I prefer to only keep in my memory and my home safe.

Posted by:

BobD
13 Sep 2017

@Paul Re:"Keepass can fill in online forms just fine"
Thanks! I just started using KeePass a couple of days ago, so I have some research to do.