Leo Laporte Corrects 'CBS Sunday Morning' Segment on Passwords



Is this guy really that stupid? Passwords are nothing but a theater show. If hackers want your password, they will get it. Look to Sony for the perfect example. How many sites has Anonymous given out passwords for? His claim that any competent hacker can hack a password in 30 seconds is stupid. Social engineering is how they get passwords these days, not brute force, because websites can actually detect that now. If they are a competent hacker, they won't use brute force, they will use social engineering. This guy thinks he's smart and ignores the reality of the situation. His advice is to store all of your passwords in one location which happens to be web accessible for someone to get to. That site must have paid him a fee to advertise for him to say that load of garbage.


Yeah, that password advice she gave was horrible.

 

 

> Is this guy really that stupid? Passwords are nothing but a theater show. If hackers want your password, they will get it. Look to Sony for the perfect example. How many sites has Anonymous given out passwords for? His claim that any competent hacker can hack a password in 30 seconds is stupid. Social engineering is how they get passwords these days, not brute force, because websites can actually detect that now. If they are a competent hacker, they won't use brute force, they will use social engineering. This guy thinks he's smart and ignores the reality of the situation. His advice is to store all of your passwords in one location which happens to be web accessible for someone to get to. That site must have paid him a fee to advertise for him to say that load of garbage.

 
Do you know what the general public uses?  Things like Tony96.  You are telling me that a hacker cannot brute force that in under 30 seconds?  Not all sites require special characters.

 

> Yeah, that password advice she gave was horrible.

 

 

 
> Do you know what the general public uses?  Things like Tony96.  You are telling me that a hacker cannot brute force that in under 30 seconds?  Not all sites require special characters.

 

You can brute force Tony96 in under 30 seconds, huh? Do you know what a brute force attack is? You try out millions of combinations until one matches. Can you run a script like that that would get to Tony96 in under 30 seconds? Sure. Can you do it with less than 3-10 guesses before Google, Yahoo, or any other email provider locks the account? No. Like I said, he ignored the real world situation.

 

FYI her advice isn't very good but his advice is no better. Storing all of your passwords online in one central location is the dumbest thing you could possibly do short of posting all your passwords on your Facebook feed.


> You can brute force Tony96 in under 30 seconds, huh? Do you know what a brute force attack is? You try out millions of combinations until one matches. Can you run a script like that that would get to Tony96 in under 30 seconds? Sure. Can you do it with less than 3-10 guesses before Google, Yahoo, or any other email provider locks the account? No. Like I said, he ignored the real world situation.

 

> FYI her advice isn't very good but his advice is no better. Storing all of your passwords online in one central location is the dumbest thing you could possibly do short of posting all your passwords on your Facebook feed.

 

Okay really?  Have you ever used LastPass?  It is highly recommended by A LOT of people.  So that is ALMOST AS BAD as posting your passwords IN PLAIN TEXT on Facebook?  Okay....whatever you say.

 

For the people that use the same passwords over and over and over again, or have passwords like Tony96, LastPass is a good option since it generates a secure password that you do not need to memorize.  All you will need to do is remember ONE password.  And if you make just THAT ONE safe and secure, you do not have to worry about somebody getting into it.  Yes, if you make your LastPass password Tony96 it would cause issues.


> Okay really?  Have you ever used LastPass?  It is highly recommended by A LOT of people.  So that is ALMOST AS BAD as posting your passwords IN PLAIN TEXT on Facebook?  Okay....whatever you say.

 

> For the people that use the same passwords over and over and over again, or have passwords like Tony96, LastPass is a good option since it generates a secure password that you do not need to memorize.  All you will need to do is remember ONE password.  And if you make just THAT ONE safe and secure, you do not have to worry about somebody getting into it.  Yes, if you make your LastPass password Tony96 it would cause issues.

/facepalm. Yes I have used it, and when I realized its entire model is based on storing all of your passwords in one location, I promptly quit using it. Anyone who can't see why storing all of your passwords in one location that anyone can access is a bad idea has absolutely no idea about security. Who cares who highly recommends something. A LOT of people recommended using Sony's online environment for gaming. Clearly what A LOT of people recommend is always the best choice. Storing your passwords in one location is and will always be the dumbest thing you can do SHORT OF posting it in plain text for everyone to see.

 

But you know what, you are right. Sony never got hacked and even though the info was not stored in plain text, hackers never got to it. I wish I could live in a bubble fantasy that you call reality.


> /facepalm. Yes I have used it, and when I realized its entire model is based on storing all of your passwords in one location, I promptly quit using it. Anyone who can't see why storing all of your passwords in one location that anyone can access is a bad idea has absolutely no idea about security. Who cares who highly recommends something. A LOT of people recommended using Sony's online environment for gaming. Clearly what A LOT of people recommend is always the best choice. Storing your passwords in one location is and will always be the dumbest thing you can do SHORT OF posting it in plain text for everyone to see.

 

> But you know what, you are right. Sony never got hacked and even though the info was not stored in plain text, hackers never got to it. I wish I could live in a bubble fantasy that you call reality.

 

You do realize those passwords are encrypted with your master password?  A hacker can't just "hack lastpass" and get access to all your passwords....

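The "encrypted with your master password" design the post above refers to, as an added illustrative model (not LastPass's code or its exact scheme; the PBKDF2 round count, the key split and the toy HMAC-based cipher are assumptions for this example): the provider keeps only a one-way login verifier and an encrypted blob, so a stolen copy of its database yields nothing without a correct master-password guess, and every guess costs a full KDF run.

```python
import hashlib
import hmac
import os

KDF_ROUNDS = 100_000  # illustrative PBKDF2 work factor: the price of every offline master-password guess

def vault_key(master_password, email):
    """Derived on the client only; this key never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), KDF_ROUNDS)

def login_verifier(key):
    """One-way value the client presents to log in; it cannot be turned back into the vault key."""
    return hashlib.sha256(b"login-verifier" + key).hexdigest()

def _subkeys(key):
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    # Toy keystream: HMAC-SHA256 in counter mode. Stand-in for a real AEAD cipher, illustration only.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Returns the plaintext, or None when the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def enroll(email, master_password, vault_plaintext):
    """Everything the provider keeps for one user: no master password, no vault key, no plaintext."""
    key = vault_key(master_password, email)
    return {"email": email, "login_verifier": login_verifier(key), "vault_blob": seal(key, vault_plaintext)}

def unlock(record, master_password):
    """The only path to the plaintext, for the owner and for a thief alike: one full KDF per attempt."""
    return open_sealed(vault_key(master_password, record["email"]), record["vault_blob"])

if __name__ == "__main__":
    # Constructed sample data for this example.
    record = enroll("user@example.com", "correct horse battery staple", b"mail: Tony96\nbank: hunter2")
    print("plaintext visible in stored record:", b"Tony96" in record["vault_blob"])
    print("wrong master password:", unlock(record, "Tony96"))
    print("right master password:", unlock(record, "correct horse battery staple"))
```

The weak spot the thread keeps circling is visible in `unlock`: a master password like Tony96 is exhausted in a handful of KDF runs, while a long one makes the stolen record worthless.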

Oh well okay you are right.  Let's just keep letting the general user use Tony96 instead.  That is MUCH better.

 

and Tony96 for EVERY WEBSITE!!

 

As far as brute forcing, that might take a while. Unless it was offline. Then it wouldn't take long at all. I would assume it would have a dictionary of names and would start with every name by itself,

then every name with a 1 next to it. I would bet it would go up to 2000 given most people use their birthday.

 

Type Tony96 into this.

 

https://www.grc.com/haystack.htm


> Oh well okay you are right.  Let's just keep letting the general user use Tony96 instead.  That is MUCH better.

Let me get this logic of yours straight. You are saying, store all of someone's passwords, their emails, their credit cards, their bank passwords in one location instead of teaching them how to make a good password. How can you possibly not see how stupid your advice is? Any security course will tell you that storing all of your passwords in one location is absolutely moronic.

 

What planet do you live on that all of those accounts don't lock you out after a few wrong guesses? Brute force attacks are not used on sites like those because, by its very nature, it can't work. However storing all of your passwords in one location while hackers work their way into such a valuable source is the absolute dumbest thing you can do for your security. The only way a hacker would use "Tony96" as one of the first guesses is through social engineering, not brute force. They would have to already know it's the password before they put it into the site or they would be locked out.


> Let me get this logic of yours straight. You are saying, store all of someone's passwords, their emails, their credit cards, their bank passwords in one location instead of teaching them how to make a good password. How can you possibly not see how stupid your advice is? Any security course will tell you that storing all of your passwords in one location is absolutely moronic.

 

 

You said "teaching them how to make a good password", not passwords, which would imply 1 good password that you would then use on every site. That's also moronic. At the moment I use RoboForm and have 280 passwords stored in it. I will never remember 280 passwords.


> You can brute force Tony96 in under 30 seconds, huh? Do you know what a brute force attack is? You try out millions of combinations until one matches. Can you run a script like that that would get to Tony96 in under 30 seconds? Sure. Can you do it with less than 3-10 guesses before Google, Yahoo, or any other email provider locks the account? No. Like I said, he ignored the real world situation.

 

> FYI her advice isn't very good but his advice is no better. Storing all of your passwords online in one central location is the dumbest thing you could possibly do short of posting all your passwords on your Facebook feed.

 

I thought brute force was when you press the keys as hard as you can, the web site has no choice but to let you in.


> Let me get this logic of yours straight. You are saying, store all of someone's passwords, their emails, their credit cards, their bank passwords in one location instead of teaching them how to make a good password. How can you possibly not see how stupid your advice is? Any security course will tell you that storing all of your passwords in one location is absolutely moronic.

 

> What planet do you live on that all of those accounts don't lock you out after a few wrong guesses? Brute force attacks are not used on sites like those because, by its very nature, it can't work. However storing all of your passwords in one location while hackers work their way into such a valuable source is the absolute dumbest thing you can do for your security. The only way a hacker would use "Tony96" as one of the first guesses is through social engineering, not brute force. They would have to already know it's the password before they put it into the site or they would be locked out.

 

So how do you manage your passwords? Do you write them down? Do you use the same password on every website? Do you have 3 or 4 passwords you use on every website?


> So how do you manage your passwords? Do you write them down? Do you use the same password on every website? Do you have 3 or 4 passwords you use on every website?

I have a different password for every website and all of them are similar but have a specific variation based on the website.

> You said "teaching them how to make a good password", not passwords, which would imply 1 good password that you would then use on every site. That's also moronic. At the moment I use RoboForm and have 280 passwords stored in it. I will never remember 280 passwords.

No, what it implies is nothing. Don't assume, because you will likely always be wrong. Stop making a strawman where there isn't one. Of course using one good password is moronic. What Leo and Whiplash are both telling us to do is don't bother making any good passwords. Just store them all online so that if someone gets to them, you lose everything at once. It would be no different than using one password for everything, which is what you are doing anyway since they all tie back to that one password.


> I have a different password for every website and all of them are similar but have a specific variation based on the website.

> No, what it implies is nothing. Don't assume, because you will likely always be wrong. Stop making a strawman where there isn't one. Of course using one good password is moronic. What Leo and Whiplash are both telling us to do is don't bother making any good passwords. Just store them all online so that if someone gets to them, you lose everything at once. It would be no different than using one password for everything, which is what you are doing anyway since they all tie back to that one password.

 

Is your password method good enough that if 1 site is hacked they won't look at the password and notice what you made specific to that site?


> Is your password method good enough that if 1 site is hacked they won't look at the password and notice what you made specific to that site?

It is good enough that I can easily come up with and remember it on the spot when needing it but not obvious in any way.


> It is good enough that I can easily come up with and remember it on the spot when needing it but not obvious in any way.

 

So all I need is one of your passwords and with a little effort I'd be able to guess pretty much all the others. Good system there, Skippy.


> So all I need is one of your passwords and with a little effort I'd be able to guess pretty much all the others. Good system there, Skippy.

That's what I was thinking

 

Security Now # 266

Password Cracking Update: The Death of 'Clever'

https://media.grc.com/sn/sn-366.mp3


CBS Chick: You're an idiot. Everything you said is fine with me though, not because it's right, but because I want those dumb naive enough to listen to your advice to figure it out the hard way.

Leo Laporte: Not bad, a little too know-it-all. The advice you give is sound but you are just catering to a crowd that already should know this. Stop kissing ass.

iLikeTobacco: For the most part, you have no idea what you're talking about. You're at least right sometimes, probably by accident.

 

Lastpass is perfectly fine.

 

Do I recommend it? No.

Is it safe to use? Mostly.

What does Mostly mean? It means it's pretty safe, but nothing is impenetrable.

Is that safe enough? Yes, probably.

So what is safe? A Physical factor of identification.

Huh? Two-factor Authentication.

Huh?? Google is your friend.

Should I use it? If you can, probably don't need to.

How can I trust you? You can't, if you could you're already doing security wrong.

 

so, what is a good password? Anything greater than 12 characters with a random variation of capital letters, symbols, numbers in an ambiguous arrangement. For example: Peps1.pickelgAr@ge (Spell a word wrong for bonus points)

Why Words? Easier for you to remember, but still difficult to crack

Why not just do what XKCD said to do? Because crackers already know to string words together; if you're going to use this system then adding just 1 random variation will incredibly strengthen the result (like spelling a word wrong, or using a symbol).

That's still too hard to remember, is there an easier way? Yes, have a weaker password.

Website X won't let me enter a 12 character password, why? Because their database administrator / web developer is an idiot. You're going to have to remove some characters and email them about being stupid.

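An added example, not from the thread or from GRC's haystack page, that puts numbers on both sides of the argument earlier in the thread (Tony96 against a login that locks after a few guesses versus an offline dictionary of names plus numbers) and on the 12-plus-character advice in the post above: a haystack-style search-space estimate, the name+number pattern count, and what each means under a lockout versus an offline attack on a stolen hash. The guess rates, the lockout count, the 5000-name dictionary size and the 0..2000 number range are assumptions for this example.

```python
import string

# Assumed guess rates for an offline attack on a stolen, fast-hashed password store.
# Order-of-magnitude figures chosen for this example, not measurements.
OFFLINE_RATES = {"one GPU": 1e10, "large rig": 1e12}
ONLINE_LOCKOUT = 10  # guesses a rate-limited login allows before locking (thread says 3-10)

def alphabet_size(password):
    """Size of the character set the password draws from (haystack-style)."""
    classes = [
        (str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    return sum(n for test, n in classes if any(test(c) for c in password))

def haystack_space(password):
    """Guesses needed to exhaust every string up to this length over this alphabet."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))

def pattern_space(names=5000, max_number=2000):
    """Guesses for the 'first name + number' pattern described in the thread.
    5000 names is an assumed dictionary size; 0..2000 covers years and short numbers."""
    return names * (max_number + 1)

def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"

def estimate(password, space):
    """Odds of an online guess landing before lockout, and worst-case offline exhaustion time."""
    return {
        "online odds before lockout": min(1.0, ONLINE_LOCKOUT / space),
        **{f"offline ({name})": human(space / rate) for name, rate in OFFLINE_RATES.items()},
    }

def compare():
    """Tony96 under the name+number pattern and under exhaustive search, versus the
    18-character mixed password suggested in the thread."""
    return {
        "Tony96 (name+number pattern)": estimate("Tony96", pattern_space()),
        "Tony96 (exhaustive)": estimate("Tony96", haystack_space("Tony96")),
        "Peps1.pickelgAr@ge (exhaustive)": estimate("Peps1.pickelgAr@ge",
                                                    haystack_space("Peps1.pickelgAr@ge")),
    }

if __name__ == "__main__":
    for label, result in compare().items():
        print(label)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

Both posters are right about different attacks: the online odds are negligible for every entry, while Tony96 falls offline in well under a minute and only the long mixed password survives there.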

> So all I need is one of your passwords and with a little effort I'd be able to guess pretty much all the others. Good system there, Skippy.

Good luck coming up with the more than 10 steps that make up the algorithm. Just because I can do it in my head within 2 or 3 seconds doesn't mean it's easy. Comes right back to you having to figure out one of them. And since you can't brute force the sites I use, I will be dead before you get to the first password to start with.


> iLikeTobacco: For the most part, you have no idea what you're talking about. You're at least right sometimes, probably by accident.

Well thought out argument you got there. You are right. Store all your passwords in one central location. Clearly the smartest thing to do... even though anyone who knows about security will tell you storing your passwords in one location is the dumbest thing you could do.

 

So let's see what we have learned here today. Everyone should put all their passwords on one website that can be hacked, but we will ignore that because that would never happen. Also, the guy in the video clearly states that all the advice (while most of it was bad, some actually works) is bad so don't do any of it. And Whiplash has shown us that if we store all of our passwords in this one central location on the internet, we can just use the password Tony96 and all of our passwords will be fine. Remember, everyone is arguing that you don't need strong passwords anymore. You just need that website. You don't need to learn about making strong passwords. You just need that one website. My favorite part is that you think "hackers" use brute force to get into a website like a banking website... which is beyond moronic. Clearly you are the expert. /facepalm


I use LastPass for almost everything except my banks and Microsoft account. It has two factor authentication and I think I can be relaxed in knowing that I am using a different password on each website instead of one password everywhere (or even a few).

If LastPass somehow exposes my passwords, I will be locked out of my Neowin account in worst case.


> You do realize those passwords are encrypted with your master password?  A hacker can't just "hack lastpass" and get access to all your passwords....

According to you guys, that means nothing. Remember, just use this magical thing you call brute force and your master password is there for all to know. So which is it? Can't be both like you are claiming.


This topic is now closed to further replies.