
Leo Leporte Corrects 'CBS Sunday Morning' Segment on Passwords

video

52 replies to this topic

#16 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • 27,190 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 16 July 2013 - 03:16

I have a different password for every website and all of them are similar but have a specific variation based on the website.


No, what it implies is nothing. Don't assume, because you will likely always be wrong. Stop making a strawman where there isn't one. Of course using one good password is moronic. What Leo and Whiplash are both telling us to do is don't bother making any good passwords. Just store them all online so that if someone gets to them, you lose everything at once. It would be no different than using one password for everything, which is what you are doing anyway since they all tie back to that one password.

 

Is your password method good enough that if one site is hacked they won't look at the password and notice what you made specific to that site?




#17 Rigby

Rigby

    Neowinian Senior

  • 7,104 posts
  • Joined: 08-August 05

Posted 16 July 2013 - 03:17

[Image: password_strength.png]



#18 ILikeTobacco

ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 03:18

Is your password method good enough that if one site is hacked they won't look at the password and notice what you made specific to that site?

It is good enough that I can easily come up with and remember it on the spot when needing it but not obvious in any way.



#19 Anibal P

Anibal P

    Neowinian

  • 4,410 posts
  • Joined: 11-June 02
  • Location: Waterbury CT
  • OS: Win 8.1
  • Phone: Android

Posted 16 July 2013 - 03:32

It is good enough that I can easily come up with and remember it on the spot when needing it but not obvious in any way.

 

So all I need is one of your passwords, and with a little effort I'd be able to guess pretty much all the others. Good system there, skippy.



#20 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • 27,190 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 16 July 2013 - 03:35

So all I need is one of your passwords, and with a little effort I'd be able to guess pretty much all the others. Good system there, skippy.

That's what I was thinking

 

Security Now # 266

Password Cracking Update: The Death of “Clever”



#21 astropheed

astropheed

    astropheed

  • 1,929 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 16 July 2013 - 03:37

CBS Chick: You're an idiot. Everything you said is fine with me though, not because it's right, but because I want those dumb naive enough to listen to your advice to figure it out the hard way.

Leo Laporte: Not bad, a little too know-it-all. The advice you give is sound, but you are just catering to a crowd that already should know this. Stop kissing ass.

iLikeTobacco: For the most part, you have no idea what you're talking about. You're at least right sometimes, probably by accident.

 

Lastpass is perfectly fine.

 

Do I recommend it? No.

Is it safe to use? Mostly.

What does Mostly mean? It means it's pretty safe, but nothing is impenetrable.

Is that safe enough? Yes, probably.

So what is safe? A Physical factor of identification.

Huh? Two-factor Authentication.

Huh?? Google is your friend.

Should I use it? If you can, probably don't need to.

How can I trust you? You can't, if you could you're already doing security wrong.

 

So, what is a good password? Anything greater than 12 characters with a random variation of capital letters, symbols, and numbers in an ambiguous arrangement. For example: Peps1.pickelgAr@ge (spell a word wrong for bonus points)

Why Words? Easier for you to remember, but still difficult to crack

Why not just do what XKCD said to do? Because crackers already know to string words together. If you're going to use this system, then adding just 1 random variation will incredibly strengthen the result (like spelling a word wrong, or using a symbol).

That's still too hard to remember, is there an easier way? Yes, have a weaker password.

Website X won't let me enter a 12 character password, why? Because their database administrator / web developer is an idiot. You're going to have to remove some characters and email them about being stupid.
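The post above compares three password styles: a 12+ character random mix, the XKCD-style string of dictionary words, and that same string with a random variation added. The estimator below is an added example, not code from the thread or from any of the posters, that puts numbers on those styles under explicitly assumed attacker models. The attacker speeds, the 95-symbol printable alphabet, the 2048-word dictionary and the lockout budget are all constructed round-number assumptions; how much a "variation" buys is left as a parameter, because it depends entirely on how many alternative forms an attacker who knows the pattern would have to try. It goes slightly beyond the post by also showing what a lockout after a handful of guesses does to an online guessing attempt.

```python
import math

# Attacker-speed assumptions (constructed round numbers for illustration, not measurements).
OFFLINE_GUESSES_PER_SEC = 1e10   # stolen hash database, fast unsalted hash, GPU rig
ONLINE_GUESSES_PER_SEC = 10      # guessing through a login form that only rate-limits
LOCKOUT_GUESS_BUDGET = 5         # a login form that locks the account after 5 failures

PRINTABLE_ASCII = 95             # upper, lower, digits, symbols, space
XKCD_DICTIONARY = 2048           # 11 bits per word, the figure the comic uses


def bits_random_string(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_passphrase(words, dictionary_size=XKCD_DICTIONARY, candidate_multiplier=1):
    """Entropy of a passphrase built from dictionary words.

    `candidate_multiplier` models the post's "one random variation": the number of
    alternative forms (misspellings, symbol substitutions, positions) an attacker who
    knows the scheme must try for each plain phrase.  A multiplier of 1 is the plain
    XKCD phrase; 16 means the variation forces 16 candidates per phrase."""
    return words * math.log2(dictionary_size) + math.log2(candidate_multiplier)


def expected_seconds(bits, guesses_per_sec):
    """Expected time for uniform guessing: half the keyspace on average."""
    return (2 ** bits) / 2 / guesses_per_sec


def success_probability(bits, guess_budget):
    """Chance that a capped attacker (lockout after `guess_budget` tries) gets in."""
    return min(1.0, guess_budget / (2 ** bits))


def report():
    """Summarise the three styles discussed in the post as (label, bits, offline_s, online_s, lockout_p)."""
    styles = [
        ("12 random printable chars", bits_random_string(12)),
        ("4 dictionary words (XKCD)", bits_passphrase(4)),
        ("4 words + variation (x16 candidates)", bits_passphrase(4, candidate_multiplier=16)),
    ]
    return [
        (label, bits,
         expected_seconds(bits, OFFLINE_GUESSES_PER_SEC),
         expected_seconds(bits, ONLINE_GUESSES_PER_SEC),
         success_probability(bits, LOCKOUT_GUESS_BUDGET))
        for label, bits in styles
    ]


if __name__ == "__main__":
    for label, bits, off_s, on_s, p in report():
        print(f"{label:40s} {bits:6.1f} bits  offline {off_s:12.3g} s  "
              f"online {on_s:12.3g} s  P(success within lockout) {p:.2e}")
```

The two time columns are the point of the argument in the thread: the same 44-bit passphrase that falls in minutes to an offline attack on a leaked fast hash is out of reach through a login form that allows ten guesses a second, and effectively unguessable when the form locks after five failures.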



#22 ILikeTobacco

ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 03:52

So all I need is one of your passwords, and with a little effort I'd be able to guess pretty much all the others. Good system there, skippy.

Good luck coming up with the more than 10 steps that make up the algorithm. Just because I can do it in my head within 2 or 3 seconds doesn't mean it's easy. It comes right back to: you have to figure out one of them. And since you can't brute force the sites I use, I will be dead before you get the first password to start with.



#23 ILikeTobacco

ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 03:57


iLikeTobacco: For the most part, you have no idea what you're talking about. You're at least right sometimes, probably by accident.

Well thought out argument you've got there. You are right. Store all your passwords in one central location. Clearly the smartest thing to do... even though anyone who knows about security will tell you storing your passwords in one location is the dumbest thing you could do.

 

So let's see what we have learned here today. Everyone should put all their passwords on one website that can be hacked, but we will ignore that because that would never happen. Also, the guy in the video clearly states that all the advice (while most of it was bad, some actually works) is bad, so don't do any of it. And Whiplash has shown us that if we store all of our passwords in this one central location on the internet, we can just use the password Tony96 and all of our passwords will be fine. Remember, everyone is arguing that you don't need strong passwords anymore. You just need that website. You don't need to learn about making strong passwords. You just need that one website. My favorite part is that you think "hackers" use brute force to get into a website like a banking website... which is beyond moronic. Clearly you are the expert. /facepalm



#24 BajiRav

BajiRav

    Neowinian Senior

  • 10,847 posts
  • Joined: 15-July 04
  • Location: Xbox, where am I?
  • OS: Windows 8.1, Windows 8
  • Phone: Lumia 920

Posted 16 July 2013 - 04:02

I use LastPass for almost everything except my banks and Microsoft account. It has two factor authentication and I think I can be relaxed in knowing that I am using a different password on each website instead of one password everywhere (or even a few).

If LastPass somehow exposes my passwords, I will be locked out of my Neowin account in worst case.



#25 ILikeTobacco

ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 04:04

You do realize those passwords are encrypted with your master password?  A hacker can't just "hack lastpass" and get access to all your passwords....

According to you guys, that means nothing. Remember, just use this magical thing you call brute force and your master password is there for all to know. So which is it? Can't be both like you are claiming.



#26 astropheed

astropheed

    astropheed

  • 1,929 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 16 July 2013 - 04:08

[Things regarding LastPass]

 

LastPass: "We only had the salted hash in our database, so they'd have to guess a password, compute the salted hash, and then compare it to the value stored in the database. But even if they managed to do this they still don't have access to your actual encrypted data. We secured against this threat by locking down all user accounts. Specifically, if a user tries to log into their LastPass vault from a new location (an IP address from which they never logged in before), then we would deny them access. To gain access, they have to prove to us that they are who they say they are by clicking on a link that we send them by email."

 

 

Yeah, to the LastPass cracker who somehow managed to get their hands on LastPass's database, ready for a brute-force session: Good luck, buddy.


According to you guys, that means nothing. Remember, just use this magical thing you call brute force and your master password is there for all to know. So which is it? Can't be both like you are claiming.

 

Not all of us 'guys' think that.



#27 MasterTargus

MasterTargus

    Neowinian

  • 36 posts
  • Joined: 08-April 07
  • Location: Canada
  • OS: Windows 8 Desktop

Posted 16 July 2013 - 04:10

Okay, really? Have you ever used LastPass? It is highly recommended by A LOT of people. So that is ALMOST AS BAD as posting your passwords IN PLAIN TEXT on FaceBook? Okay....whatever you say.

 

For the people that use the same passwords over and over and over again, or have passwords like Tony96, LastPass is a good option since it generates a secure password that you do not need to memorize.  All you will need to do is remember ONE password.  And if you make just THAT ONE safe and secure, you do not have to worry about somebody getting into it.  Yes if you make your LastPass password Tony96 it would cause issues.

Yup, store your passwords online at LastPass and all a hacker has to do is hack LastPass and they will have all your passwords. :rofl:



#28 ILikeTobacco

ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 04:12

LastPass: "We only had the salted hash in our database, so they'd have to guess a password, compute the salted hash, and then compare it to the value stored in the database. But even if they managed to do this they still don't have access to your actual encrypted data. We secured against this threat by locking down all user accounts. Specifically, if a user tries to log into their LastPass vault from a new location (an IP address from which they never logged in before), then we would deny them access. To gain access, they have to prove to us that they are who they say they are by clicking on a link that we send them by email."

 

 

Yeah, to the LastPass cracker who somehow managed to get their hands on LastPass's database, ready for a brute-force session: Good luck, buddy.


 

Not all of us 'guys' think that.

That's my point. Brute force is not something that works like they seem to think it does. You will never be able to brute force your way into an online bank account. Mine locks up after 5 guesses, and the only way to unlock it is to physically go to the bank. Brute force has no meaning. Like I said, it's great that a brute force attack in theory can make its way through millions of possible passwords, but it doesn't change the fact that in real life, a brute force gets less than 10 guesses.


Yup, store your passwords online at LastPass and all a hacker has to do is hack LastPass and they will have all your passwords. :rofl:

No they don't. They just have to do some social engineering for that one password and now they have all of your passwords. That simple. There is a reason you NEVER store your passwords in a central location. Nobody brute forces websites anymore. They use social engineering so they only "guess" once. You can't brute force a website that locks the account in less than 10 tries. It's just not happening.
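The quoted LastPass statement (salted hashes in the database, and a login from a never-seen IP address refused until an emailed link is clicked) and the bank described in this post (lock after 5 guesses, unlock only in person) are both online defences layered on top of the password itself. The service below is an added example, not LastPass's, the bank's or any poster's code, that wires those three controls together in memory: a slow salted PBKDF2 hash so a stolen table is expensive to attack offline, a per-account lockout that refuses further guesses before any hashing happens, and a new-location challenge that holds a correct password at an unknown IP until an emailed token is confirmed. The iteration count, lockout threshold, sample user, passphrase and the 198.51.100.x / 203.0.113.x addresses are constructed assumptions; the `outbox` list stands in for sending mail.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Policy constants: assumptions for this example, not any real service's settings.
PBKDF2_ITERATIONS = 600_000   # slow, salted hash: a leaked table costs the attacker per guess
MAX_FAILED_ATTEMPTS = 5       # the bank in the thread locks after 5 guesses; unlock is out-of-band


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    known_ips: set = field(default_factory=set)
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    """In-memory login service: salted PBKDF2, failed-attempt lockout, new-location challenge."""

    def __init__(self):
        self.accounts = {}
        self.pending = {}   # username -> (candidate_ip, token) awaiting e-mail confirmation
        self.outbox = []    # (username, token) pairs standing in for e-mails actually sent

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, username, password, first_ip):
        salt = os.urandom(16)   # per-user salt: identical passwords hash differently
        self.accounts[username] = Account(salt=salt, pw_hash=self._hash(password, salt),
                                          known_ips={first_ip})

    def login(self, username, password, ip):
        """Returns 'ok', 'bad_password', 'locked' or 'verify_email'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_password"   # a production system would burn a dummy hash here to equalise timing
        if acct.locked:
            return "locked"         # refused before hashing: the online guess budget is already spent
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                return "locked"
            return "bad_password"
        acct.failed_attempts = 0
        if ip not in acct.known_ips:
            # Correct password from an unseen address: deny until the emailed token comes back.
            token = secrets.token_urlsafe(32)
            self.pending[username] = (ip, token)
            self.outbox.append((username, token))
            return "verify_email"
        return "ok"

    def confirm_email_token(self, username, token):
        """Called when the user follows the emailed link; trusts the pending IP on success."""
        entry = self.pending.get(username)
        if entry is None or not hmac.compare_digest(entry[1], token):
            return False
        self.accounts[username].known_ips.add(entry[0])
        del self.pending[username]
        return True

    def unlock(self, username):
        """Out-of-band reset, the equivalent of walking into the branch."""
        acct = self.accounts[username]
        acct.failed_attempts = 0
        acct.locked = False


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple", "198.51.100.7")
    print(svc.login("alice", "correct horse battery staple", "203.0.113.9"))   # verify_email
    print(svc.confirm_email_token("alice", svc.outbox[-1][1]))                 # True
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "not the password", "198.51.100.7")
    print(svc.login("alice", "correct horse battery staple", "198.51.100.7"))  # locked
```

Note that the lockout check runs before the hash is computed, so once an account is locked the correct password is refused too; that is the property the post is describing when it says a brute-force attempt against such a site gets fewer than ten guesses. The salted slow hash matters for the other case the thread argues about, a copy of the database itself, where no lockout applies and only the cost per guess limits the attacker.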



#29 astropheed

astropheed

    astropheed

  • 1,929 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 16 July 2013 - 04:15

That's my point. Brute force is not something that works like they seem to think it does. You will never be able to brute force your way into an online bank account. Mine locks up after 5 guesses, and the only way to unlock it is to physically go to the bank. Brute force has no meaning. Like I said, it's great that a brute force attack in theory can make its way through millions of possible passwords, but it doesn't change the fact that in real life, a brute force gets less than 10 guesses.

 

Apparently you don't know how brute force works, the irony is staggering.



#30 ILikeTobacco

ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 04:17

Apparently you don't know how brute force works, the irony is staggering.

You do know the internet is a thing, right? Definitions are very easy to look up. Or just take a security course, which so many people seem to not have done. But again, all of my passwords are clearly weak and bad. I mean, I don't know how I can live with myself constantly having to reset passwords because I just get hacked.....sooo....much... But again, social engineering and you have given all your passwords away because you thought writing them down in one location is somehow a good idea. Even Leo says that if you fall for that, all bets are off. You are arguing against the very guy you are trying to defend.