Thread: Hacks - what are users to do?
11-11-2011, 01:31 AM #21
I prefer to keep my passwords in my head, although I have a single physical reminder for the most important ones (that shouldn't be decipherable for anyone who stumbled across it somehow). For low security stuff I have 3 passwords that I cycle through, sometimes I throw in a different number or capital letters if I want a bit of extra security.
For my email and bank accounts, I find a good way to remember multiple complex passwords is to think of a phrase or a rhyme and use bits of that (with some extra characters, not just the words of course). That way I can have long and different passwords for each account, but not struggle to remember them.
11-11-2011, 01:43 AM #22
Some nice options out now for physical authentication - Lastpass sesame and Yubikey come to mind.
All times I have enjoyed greatly, have suffered greatly, both with those that loved me, and alone.
11-11-2011, 02:25 AM #23
At the moment, I just use Firefox's built-in password manager (with a master password) and their Sync utility to keep it across multiple devices.
11-11-2011, 04:27 AM #24
It's really not worth it to bother with password security on forums and stuff. I just use one simple password for all the forums I use. I just make sure that they all tie back to a dummy e-mail account that I just use for forums and which has no information about me. It's way simpler doing that than remembering 1,000 passwords as forum security gets hacked all the time--so why waste the effort?
As for my bank and steam and other stores I use a lot, I do have more complex passwords that I memorize. I have an easy system to remember them, but it'd kind of defeat the purpose if I told you it.
11-11-2011, 10:47 AM #25
My gaming-related email-address is a pure forwarding address to my "real" address. It is completely inaccessible from the outside for anyone without the forwarding address. The emails are not even remotely connected and cannot be guessed.
I'm a follower of the XKCD password strength method. I generate a few random words and line them up. They mostly have to do something with the game or forum they're related to.
It did take me around 20 minutes until I figured out how to change my Steam password without installing the Steam-client. What a fucked up, useless website...
11-11-2011, 10:55 AM #26
11-11-2011, 10:58 AM #27
Click on "Support", select "Billing, Account, etc" issues (after logging in), then click on the tiny hidden "edit account" link on the top right above the "search for topic" field.
There MUST be an easier way to do that, but that's the only thing I could find.
11-11-2011, 12:26 PM #28
As far as the topic goes: KeePass. I prefer to manage my passwords myself, rather than letting some third-party web-based tool do it for me. I also keep all my game and software CD/License keys in there, which is great for those MSDNAA-supplied license keys that like to disappear on the MSDNAA 'store'...
11-11-2011, 01:16 PM #29
His approach does increase brute force complexity by suggesting lengthening the password but reduces complexity by saying you should limit your range of characters to letters.
Much more worryingly his approach is open to a dictionary attack. There are maybe 250,000 words in the English Language and if you are using four straight this will require less time to compute than a string of 11 ascii characters. Also because you are using full words their length will not increase the complexity so words like loquacious will be as easy to crack as dog.
"A victory so bitter it would be better we had not won," --General Transh
The Devpit: For all your literature, gaming, IT and defenestration needs.
11-11-2011, 02:15 PM #30
I'm also a bit stuck on this.
Like many here I use 3 levels of passwords - Banks & Stuff, Secure Stuff (inc steam), and general rubbish (like forums).
But the problem is that over the years the number of sites has increased a lot... so the steam password/email is in use in a number of places (sometimes with different gmail dot-hack addresses, and with different site-specific prefixes, but those are easy to guess, I now realise).
I've kind of decided to move over to Keepass. I keep looking longingly at LastPass, but I can't bring myself to trust it. They may only store hashed info, but that's all most sites do... doesn't mean it can't be un-hashed. It would be the most user-friendly option.
Keepass works pretty well on ONE pc. I've set it up to open minimised and locked, and then when I need to enter details I just CTRL-ALT-A and it usually inserts them correctly. But it's still a hassle... if I change a password on a site it doesn't automatically update on Keepass for example.
The problem is that, for some sites, I need to be able to remember the passwords... I use them on my cellphone and need to be able to type them in without it taking 6 hours (i.e. short and basic). I also need access at work sites on non-windows pcs, and I just got an android phone... keepassdroid is hardly quick and user-friendly.
Also, syncing involves dropbox, and you have to remember to keep a copy of keepass online, because if you lose your local copy you'd be screwed.
What I'm saying is I haven't worked out a great solution.... and the fact I have lots of legacy simple passwords from old sites and safer times doesn't help the matter.
11-11-2011, 04:57 PM #31
You probably only "know" the "bad" hackers.
Also, yesterday, AnonAustria got the Wolo prize for anti-internet behaviour, because they released a bunch of private phone numbers and addresses of police officers in Austria. Which is in direct "violation" of hacker rule #8, as set out by the CCC.
So basically, all of "antisec" is bad hackery.
Last edited by QuantaCat; 11-11-2011 at 04:59 PM.
11-11-2011, 05:20 PM #32
11-11-2011, 05:30 PM #33
11 ascii chars including non-printing: 128^11 ~ 1.5 * 10^23
11 ascii chars including only those in regular use: 94^11 ~ 5*10^21
So four words in a small dictionary ignoring other languages or different spelling is about as good as 11 ascii chars including punctuation.
Even pretending you have a small cluster, you won't generate enough hashes to crack that easily, especially not with properly salted hashes going through 1k or more rounds of hashing the resulting hash with itself, creating a huge amount of overhead to sift through.
Dictionary attacks are incredibly unhelpful with such a high entropy. It's probably easier to find a hash collision...
And that's assuming the hash is exposed. Usually, it isn't.
Last edited by Batolemaeus; 11-11-2011 at 05:39 PM.
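Added example (not part of any post in this thread): the keyspace comparison argued in posts #29 and #33, worked through with the thread's own figures (250,000 words, 94 and 128 ASCII symbols, 1k hashing rounds). The guess rate and the 8-word demo list are constructed assumptions, and the function names are illustrative.

```python
import math
import secrets

# Figures quoted in the thread (posts #29 and #33).
DICTIONARY_WORDS = 250_000
PRINTABLE_ASCII = 94
ALL_ASCII = 128

# Constructed 8-word list, standing in for a small themed vocabulary.
DEMO_WORDLIST = ["anchor", "biscuit", "copper", "dragon",
                 "ember", "falcon", "glacier", "harbor"]

# Assumed attacker speed in raw hash evaluations per second (not from the thread).
ASSUMED_HASHES_PER_SEC = 1e10


def keyspace_bits(symbols: int, length: int) -> float:
    """Entropy in bits when each of `length` positions is drawn uniformly
    and independently from `symbols` equally likely options."""
    return length * math.log2(symbols)


def equivalent_length(target_bits: float, symbols: int) -> int:
    """Shortest random string over `symbols` options reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(symbols))


def years_to_exhaust(bits: float, hashes_per_sec: float, rounds: int = 1) -> float:
    """Worst-case years to try every candidate when one guess costs
    `rounds` hash evaluations (the key-stretching factor)."""
    return (2.0 ** bits) * rounds / hashes_per_sec / (365.25 * 24 * 3600)


def random_passphrase(wordlist, n_words: int = 4) -> str:
    """Choose words with a CSPRNG. The entropy figure above only holds for
    uniform random choice; hand-picked or themed words carry far less."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    schemes = {
        "4 words from 250,000": keyspace_bits(DICTIONARY_WORDS, 4),
        "11 printable ASCII": keyspace_bits(PRINTABLE_ASCII, 11),
        "11 ASCII incl. non-printing": keyspace_bits(ALL_ASCII, 11),
        "4 words from the 8-word demo list": keyspace_bits(len(DEMO_WORDLIST), 4),
    }
    for name, bits in schemes.items():
        plain = years_to_exhaust(bits, ASSUMED_HASHES_PER_SEC)
        stretched = years_to_exhaust(bits, ASSUMED_HASHES_PER_SEC, rounds=1000)
        print(f"{name:34s} {bits:5.1f} bits  {plain:10.3g} y  {stretched:10.3g} y (1k rounds)")
    print("sample:", random_passphrase(DEMO_WORDLIST))
```

Word length never enters the calculation, only the size of the list and the number of words drawn; the 8-word list shows how quickly the figure collapses when the vocabulary is small or predictable.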