Leo Leporte Corrects 'CBS Sunday Morning' Segment on Passwords

52 replies to this topic

#31 Garnet H.

    astropheed

  • 1,617 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 16 July 2013 - 04:19

You do know the internet is a thing right? Definitions are very easy to look up. Or just take a security course which so many people seem to not have done.

 

They don't brute force a login form on a webpage, they dump the database and brute force the hashes (if they need to at all). Speaking of Google and learning..................




#32 ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 04:21

> They don't brute force a login form on a webpage, they dump the database and brute force the hashes (if they need to at all). Speaking of Google and learning..................

So once again, you say that having a strong password means nothing. I can't believe people are on a tech site claiming that knowing how to make a strong password is a waste of time. The stupidity of that argument baffles me.

 

You do realize you just said that you agree that people should store all of their passwords in a single database for someone to dump and then brute force... you got that right? You just proved my point for me. You don't store all your passwords in one place.



#33 Garnet H.

    astropheed

  • 1,617 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 16 July 2013 - 04:26

> So once again, you say that having a strong password means nothing. I can't believe people are on a tech site claiming that knowing how to make a strong password is a waste of time. The stupidity of that baffles me.

 

Are you literally avoiding everything I say and mixing me in with everyone else?

 

You're way out of your element here. The fact you continue to refer to these malicious people as 'hackers' just further strengthens my argument. Calm down, go back, read my wall of text on what a good password is (that oddly enough goes completely against what you just said that I said), understand I know a lot more on this subject than you do, and post a rational response showcasing your capability to admit in certain situations some people know more than you do. Or, continue to be a stubborn child and pretend you can talk to the grown-ups.

 

You're wrong, I'm sorry. This isn't about me winning, it's about the proper information being propagated on a website devoted to these types of things. Please, stop trying. 



#34 grayscale

    Neowinian

  • 1,480 posts
  • Joined: 13-February 11

Posted 16 July 2013 - 04:29

> So once again, you say that having a strong password means nothing. I can't believe people are on a tech site claiming that knowing how to make a strong password is a waste of time. The stupidity of that argument baffles me.

Passwords generated by LastPass are not common words (or variations of common words) that a brute force using word lists can easily generate. So for those who do not/cannot remember those awesome algorithms that alter easily remembered terms/words/whatever, services such as LastPass may be good enough.



#35 OP +warwagon

    Only you can prevent forest fires.

  • 25,845 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 16 July 2013 - 04:30

> Passwords generated by LastPass are not common words (or variations of common words) that a brute force using word lists can easily generate. So for those who do not/cannot remember those awesome algorithms that alter easily remembered terms/words/whatever, services such as LastPass may be good enough.

 

eS2k956R85eKoBs



#36 ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 04:32

> Are you literally avoiding everything I say and mixing me in with everyone else?
>
> You're way out of your element here. The fact you continue to refer to these malicious people as 'hackers' just further strengthens my argument. Calm down, go back, read my wall of text on what a good password is (that oddly enough goes completely against what you just said that I said), understand I know a lot more on this subject than you do, and post a rational response showcasing your capability to admit in certain situations some people know more than you do. Or, continue to be a stubborn child and pretend you can talk to the grown-ups.
>
> You're wrong, I'm sorry. This isn't about me winning, it's about the proper information being propagated on a website devoted to these types of things. Please, stop trying.

I read what you said and that's what it translates to in the real world. If they dump the database, then the password strength will no longer matter. Just the number of computers they have to brute force it. You are once again left with the only issue I really have. You don't ever store all of your passwords in one location. You claim to know about security and you still agree with storing all of your passwords in one location?

 

Also, I never claimed to know everything about anything. That is just one of the basic truths that everyone knows. Storing all of them in one location means one person has to screw up and all of your passwords are out in the open. Every single year we hear about websites having their entire database downloaded. Yet magically this one website is so hacker-proof that you can trust anything and everything you own to it. How is that sound advice? You claim to know about security, which means you should know better.

 

Also, I use the term hacker because most people here don't care to distinguish between cracker, script kiddie, white hat or black hat hackers.



#37 vcfan

    POP POP RET

  • 4,735 posts
  • Joined: 12-June 11

Posted 16 July 2013 - 04:33

Good old Angelfire random auto-generated password that I've memorized like my name, and I still use today.



#38 ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 04:33

> Passwords generated by LastPass are not common words (or variations of common words) that a brute force using word lists can easily generate. So for those who do not/cannot remember those awesome algorithms that alter easily remembered terms/words/whatever, services such as LastPass may be good enough.

Again, it has absolutely nothing to do with the passwords it generates and everything to do with all of those generated passwords being in one place. If you are so forgetful that you have to write down your passwords, you never put them all in one place, ever. That logic is right there with putting it on your desk on a piece of paper. You are betting that nobody will ever get to it even though you have no way of knowing it, except you've made it worse because it's not just one password to one place, it's every single password you have to your entire life.



#39 OP +warwagon

    Only you can prevent forest fires.

  • 25,845 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 16 July 2013 - 04:34

> I read what you said and that's what it translates to in the real world. If they dump the database, then the password strength will no longer matter. Just the number of computers they have to brute force it. You are once again left with the only issue I really have. You don't ever store all of your passwords in one location. You claim to know about security and you still agree with storing all of your passwords in one location?
>
> Also, I never claimed to know everything about anything. That is just one of the basic truths that everyone knows. Storing all of them in one location means one person has to screw up and all of your passwords are out in the open. Every single year we hear about websites having their entire database downloaded. Yet magically this one website is so hacker-proof that you can trust anything and everything you own to it. How is that sound advice? You claim to know about security, which means you should know better.

 

The difference between sites who have all their passwords dumped and LastPass is, the information on LastPass is encrypted up the ass. Yes, throwing computers at that will speed it up. So now instead of taking 200 years it will take 190 years.



#40 ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 04:44

> The difference between sites who have all their passwords dumped and LastPass is, the information on LastPass is encrypted up the ass. Yes, throwing computers at that will speed it up. So now instead of taking 200 years it will take 190 years.

And the bigger difference is that you don't have to decrypt all the data. You only have to decrypt one password that gives you access to the rest. On another site, you decrypt the data and you have information about one user and one password. In this case, that one password means every password for that user on every site is now yours. Spend a year getting your one password and now they have 280 of your passwords.



#41 ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 04:49

Hell, I will make it simple because everyone is still using the most complicated path. Social engineering. Send out a few hundred thousand phishing emails and end up with someone's LastPass account info. Account info that potentially contains someone's entire life. There is a reason phishing attacks are so popular and there is a reason one of the basic rules for security is never store your passwords in one place.



#42 Garnet H.

    astropheed

  • 1,617 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 16 July 2013 - 04:51

> Again, it has absolutely nothing to do with the passwords it generates and everything to do with all of those generated passwords being in one place. If you are so forgetful that you have to write down your passwords, you never put them all in one place, ever. That logic is right there with putting it on your desk on a piece of paper. You are betting that nobody will ever get to it even though you have no way of knowing it, except you've made it worse because it's not just one password to one place, it's every single password you have to your entire life.

 

You seem to think that if you get the database then you get the passwords.... This is not correct. You will now need to crack every single hash in that database, and considering that hash derives from a complex password generated by LastPass, the probability of you even cracking one person's password is so low that it basically amounts to zero.

 

For example, let's say my password from LastPass is: N*&nH839j879h&*N which, hashed with some random salt in the LastPass database, is, say, 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12. Now, the way in which a cracker would go about finding this password is:

 

First they know the hash, since they have the database. They now need to figure out which string of characters generates that hash (once they find that then they have your password, or a statistically unlikely variation that also generates that identical hash). They do this by first making some assumptions about your password and using that logic applied to brute forcing certain traditional formations of typical passwords. The problem here is nothing is typical, LastPass uses a weird non-human-like password, so basically no assumptions can be made; they need to crack each ASCII character in a size up to the max password size LastPass creates (I don't know what that is; let's assume it's 16).

 

Now let's apply the number of permutations from the maximum string size and figure out how long it'll take to crack a SINGLE password in LastPass's database assuming they generated a 16-character password.... Hmm not a year, not 100 years, not a million years....Not a hundred million years..... damn this number is getting large... Per password....

 

How likely is it that that password is yours? Well, how many people use LastPass * AverageAmountOfPasswordsPerPerson

 

You're right, that's terribly insecure....

 

You're welcome.

 

EDIT: This is assuming within the billion years LastPass doesn't change their salt.



#43 ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 04:59

> You seem to think that if you get the database then you get the passwords.... This is not correct. You will now need to crack every single hash in that database, and considering that hash derives from a complex password generated by LastPass, the probability of you even cracking one person's password is so low that it basically amounts to zero.
>
> For example, let's say my password from LastPass is: N*&nH839j879h&*N which, hashed with some random salt in the LastPass database, is, say, 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12. Now, the way in which a cracker would go about finding this password is:
>
> First they know the hash, since they have the database. They now need to figure out which string of characters generates that hash (once they find that then they have your password, or a statistically unlikely variation that also generates that identical hash). They do this by first making some assumptions about your password and using that logic applied to brute forcing certain traditional formations of typical passwords. The problem here is nothing is typical, LastPass uses a weird non-human-like password, so basically no assumptions can be made; they need to crack each ASCII character in a size up to the max password size LastPass creates (I don't know what that is; let's assume it's 16).
>
> Now let's apply the number of combinations into a formula into the maximum string size and figure out how long it'll take to crack a SINGLE password in LastPass's database assuming they generated a 16-character password.... Hmm not a year, not 100 years, not a million years....Not a hundred million years..... damn this number is getting large... Per password....
>
> How likely is it that that password is yours? Well, how many people use LastPass * AverageAmountOfPasswordsPerPerson
>
> You're right, that's terribly insecure....
>
> You're welcome.

Why are you trying to hack the passwords that are stored on the account? You are making it intentionally hard for no reason. You get the password for the account and you have free rein. That password is not "a weird non-human password", so your entire logic about how a traditional formation is not usable is out the window. You are hung up on the fact that only the generated passwords are overly secure. Not the account password. Stop going for the hard stuff and get the low-hanging fruit. Like I said, you store all your passwords in one place and then a phishing email gets you. All lost. We are not hacking every single password like you are trying to argue. We are hacking the one single LastPass account password. The one that Whiplash claims is Tony96, not some 16-character random string.
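
The two posts above argue past each other with arithmetic neither writes down: #42's claim that a 16-character generated password is out of reach of brute force, and #43's claim that the account password ("Tony96") is the part a cracker actually goes after. The script below is an added example written for this thread, not code from the forum or from LastPass. It assumes an illustrative guess rate of 10^11 hashes per second, a constructed five-word dictionary, and PBKDF2-HMAC-SHA256 as the salted hash; none of these are LastPass's actual parameters or figures, and the salt is generated locally.

```python
import hashlib
import hmac
import math
import os
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rate for a fast, single-round hash on a GPU rig.
# Illustrative figure for the arithmetic, not a measured benchmark.
FAST_HASH_GUESSES_PER_SEC = 1e11

# Constructed wordlist standing in for a cracker's dictionary (not real data).
WORDLIST = ["password", "tony", "whiplash", "neowin", "lastpass"]


def salted_hash(password: str, salt: bytes, iterations: int = 1) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). iterations=1 behaves like a
    plain salted hash; a vault's master-password KDF uses thousands of rounds,
    which multiplies the cracker's cost per guess by the same factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def charset_size(password: str) -> int:
    """Alphabet size a cracker would assume from the character classes present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def entropy_bits(password: str) -> float:
    """Bits of keyspace for a pure brute force over the apparent alphabet."""
    return len(password) * math.log2(charset_size(password))


def expected_years(password: str, guesses_per_sec: float, iterations: int = 1) -> float:
    """Expected time to find the password by exhaustive search: half the
    keyspace on average, each guess costing `iterations` hash evaluations."""
    keyspace = charset_size(password) ** len(password)
    return (keyspace / 2) * iterations / guesses_per_sec / SECONDS_PER_YEAR


def typical_formations(word: str):
    """The 'assumptions about typical passwords' a cracker makes: the word in
    three capitalisations, bare or with a one- or two-digit suffix."""
    for base in (word.lower(), word.capitalize(), word.upper()):
        yield base
        for n in range(100):
            yield f"{base}{n}"
            if n < 10:
                yield f"{base}{n:02d}"


def dictionary_attack(target_hash: str, salt: bytes, wordlist, iterations: int = 1):
    """Try every typical formation of every wordlist entry against one salted
    hash. Returns the recovered password, or None if nothing matches."""
    for word in wordlist:
        for candidate in typical_formations(word):
            if hmac.compare_digest(salted_hash(candidate, salt, iterations), target_hash):
                return candidate
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    master = "Tony96"                 # the weak account password named in post #43
    generated = "N*&nH839j879h&*N"    # the generated password from post #42

    for pw in (master, generated):
        h = salted_hash(pw, salt)
        found = dictionary_attack(h, salt, WORDLIST)
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, exhaustive search "
              f"~{expected_years(pw, FAST_HASH_GUESSES_PER_SEC):.3g} years, "
              f"dictionary attack -> {found!r}")

    # The same password hashes differently under two salts, so one precomputed
    # table cannot serve every user in a dumped database.
    print(salted_hash(master, os.urandom(16)) != salted_hash(master, os.urandom(16)))
```

Run as a script, the generated password shows a keyspace in the region of 10^31 and a dictionary attack that finds nothing, while "Tony96" falls to the cheapest attack in the list within a few thousand guesses; raising `iterations` multiplies both costs equally, so a slow KDF buys the random password nothing it needs and does not rescue a dictionary word either.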



#44 Garnet H.

    astropheed

  • 1,617 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 16 July 2013 - 05:03

The passwords are encrypted.



#45 ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 05:09

> The passwords are encrypted.

 

1. Make your own account and password with them and crack your own, knowing the outcomes. Encryption is not as hard as people think. And with a goldmine like that database, the resources would be used to do it. I think people watched a few too many movies and think encryption is magic. Do you really think that a free website uses extremely expensive methods of encryption? Please keep it in reality here, not this fantasy world where brute force attacks work on websites, phishing emails don't exist or work, and encryption is 100% secure.

2. You are still avoiding telling me how putting your passwords all on one site is safe when one phishing email makes you lose it all.

 

Remember, we are talking about people who are bad with passwords to begin with because of people like Leo who are claiming you shouldn't waste your time learning how to make a good password. These are the exact same people uneducated enough to fall for phishing emails, and the argument here is these same people should store all of their information in one location.




