passwords, passwords, everywhere...

Poll results: How many passwords do you use online?
  just the one: 3 votes (3.30%)
  2-4: 40 votes (43.96%)
  5-10: 27 votes (29.67%)
  10-20: 13 votes (14.29%)
  unique (almost) everywhere: 8 votes (8.79%)
Voters: 91. This poll is closed.
2nd Nov 2005, 01:11, post #21
Join Date: Jul 2005 | Location: Lv426 | Posts: 82
If you're interested in the whole area of computer security, Evo, then I'd recommend Secrets and Lies by Bruce Schneier. Written back in 2000 but still very relevant today.

Most people don't realise that it isn't their password itself which is saved but a hash of it; otherwise Danny could go around logging into everyone's banking systems.

Also, by focussing on the entropic complexity of a password rather than using a random search (brute force), most passwords can and will be cracked within minutes by a tool such as L0phtCrack. Even without access to the hash codes (which could have several possible sources), the data itself is only hashed on the server side, so sniffing the first 20 or 30 characters of each IP packet which passes across a node would probably get you enough passwords to interesting places not to need any form of cracking.

In his book he mentions some chap who set up a website of interest to sysadmins. Logon details required a reasonably complex password and company name. He had dozens of root passwords within weeks.....
Spinflight is offline  
2nd Nov 2005, 21:15, post #22
Spoon PPRuNerist & Mad Inistrator
Join Date: Sep 2003 | Location: Twickenham, home of rugby | Posts: 7,397
> sniffing the first 20 or 30 characters of each ip packet which passes across a node would probably get you enough passwords
Only if sent in plain text - which is not the case using https, where the data is encrypted. This is why you should NEVER use a strong password that you use for any secure purpose over an insecure link.

If you are speaking of LANs, it really is no longer the case that logon passwords are sent in clear text to be intercepted by packet analyzers.

MS have implemented Kerberos since 2000 (although care must be taken in mixed NT and 2000 environments, as NTLM authentication is considerably weaker), where all authentication traffic is encrypted. There are good docs on Kerberos on the MS website.

SD
Saab Dastard is offline  
3rd Nov 2005, 10:13, post #23
Join Date: Jul 2005 | Location: Lv426 | Posts: 82
It's a shame that Microsoft have tried to turn Kerberos into a proprietary standard of their own. It's about as secure a system as you could wish for.

Trouble is that the encryption is merely a marketing tool rather than a serious security feature. Saying that all authentication uses 128 bit encryption (as NT does) sounds wonderful until you realise what is being encrypted.

You could encrypt a single-character password using 128-bit cyphers and there would still only be 70 or so possible combinations (without salting). It certainly adds an extra layer to the security but doesn't change the fact that the security of the system is still based upon the complexity of the password.

As stated above, it is the entropic complexity rather than the length, though L0phtCrack was reckoned to be able to check every possible combination of password in 480 hours on a PII. 5.5 hours for every alphanumeric combination etc.

An opteron with shed loads of memory would cut those times massively.
Spinflight is offline  
9th Nov 2005, 11:30, post #24
Join Date: Apr 2004 | Location: Norwich, UK | Posts: 496
The initials of my first girlfriend followed by the password I was assigned at high school.

8 chars in all.
joe2812 is offline  
9th Nov 2005, 15:04, post #25
(a bear of little brain)
Join Date: Aug 2001 | Location: 51 10 03.70N 2 58 37.15W | Age: 75 | Posts: 273
I've got 3 basic passwords. One 'high security' (banks, etc.), the other two relatively low.

I use the low one, often suffixed by a number, at work for instance, where the password has to be changed every month - but all the data is on shared drives so anyone there can access it anyway.

(The best passwords I've ever seen were used by a mate of mine, of Polish extraction. He had a load of the things, all collections of random consonants. I asked him where he got them from and he said they were all names of his cousins).
MadsDad is offline  
28th Nov 2005, 21:48, post #26
TheVillagePhotographer.co.uk
Join Date: Nov 2004 | Location: Cotswolds UK | Posts: 1,078
Best bet is to have just one password - and then forget it...


Conan
Conan the Librarian is offline  
28th Nov 2005, 22:18, post #27
Join Date: Jul 2005 | Location: Lv426 | Posts: 82
Ooooh eck....

Tried L0phtcrack out on my 2000 machine (for legitimate purposes I hasten to add).. 7 passwords on there in total, it had 5 of them within 5 minutes.....

It's doing 650,000 keys per second and all alphanumeric passwords will be checked within 3.5 hours. Figure less than 2 hours on average to find any password. Hell, it isn't even a fast machine....
Spinflight is offline  
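A worked illustration of the points made in posts #21, #23 and #27 above (a server stores a salted hash rather than the password; the search space is fixed by the password's alphabet and length, not by how strongly the stored value is encrypted; and a guess rate turns that search space into hours). This is example code added to the thread, not anything posted by its participants; the 650,000 keys/second figure comes from post #27, while the alphabet sizes, the PBKDF2 parameters and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Guess rate quoted in post #27 (L0phtCrack on a 2000-era PC), used here as a constant.
KEYS_PER_SECOND = 650_000
PBKDF2_ITERATIONS = 200_000  # assumption: a deliberately slow, salted hash for storage

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of that shape."""
    return length * math.log2(alphabet_size)

def exhaustive_hours(alphabet_size: int, length: int, rate: int = KEYS_PER_SECOND) -> float:
    """Worst-case hours to try every candidate at `rate` guesses per second.
    Wrapping the stored hash in a 128-bit cipher does not change this figure."""
    return keyspace(alphabet_size, length) / rate / 3600

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What a server should store: a random salt plus a PBKDF2-HMAC-SHA256 digest,
    never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest from the submitted password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Post #23's point: one character from a ~70-symbol alphabet is 70 guesses, cipher or not.
    print(f"1 char, 70 symbols: {keyspace(70, 1)} candidates, "
          f"{entropy_bits(70, 1):.1f} bits, {exhaustive_hours(70, 1) * 3600:.4f} s")
    # Seven lower-case alphanumerics (36 symbols, constructed example) at post #27's rate.
    print(f"7 alnum chars: {keyspace(36, 7):,} candidates, "
          f"{entropy_bits(36, 7):.1f} bits, {exhaustive_hours(36, 7):.1f} h")
    # Salting: the same password stored for two users yields two different digests,
    # so cracking one stored value tells you nothing about the other.
    salt_a, digest_a = hash_password("correct horse")  # constructed sample password
    salt_b, digest_b = hash_password("correct horse")
    print("same digest?", digest_a == digest_b)                             # False
    print("verifies?", verify_password("correct horse", salt_a, digest_a))  # True
```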
29th Nov 2005, 14:27, post #28
Official PPRuNe Chaplain
Join Date: Apr 2001 | Location: Witnesham, Suffolk | Age: 80 | Posts: 3,498
I use one simple, probably easy-to-guess password for all those annoying sites that demand an e-mail address and login password. The e-mail address is the name of the annoying site @ my domain.

Mail to any unknown address at my domain is automatically forwarded to my Spamcop account (which gets a stunning amount of mail every day). Those few that aren't spam are forwarded to me.

The important stuff (PayPal, eBay, banks, etc.) all have unique and hard-to-guess passwords. I keep them all in my iPaq - and have to look them up all too often.
Keef is offline  
1st Dec 2005, 20:28, post #29
Everybody's gotta be somewhere
Join Date: Feb 2003 | Location: Denham | Age: 63 | Posts: 103
Looks like I'm fairly unique (well 9%) in having 2 sheets of A4 covered in log-in ids and passwords. Maybe I need to rethink my strategy!

I have two work log-ins, my main log-in is supposed to be secure, but all and sundry seem to need to get into my workstation so it's a well known password - just append the number scribbled on the masking tape on the top of my monitor! My other log-in is secure and secret and not written down (it relates to my time sheet).
digidave is offline  
8th Dec 2005, 16:32, post #30
Join Date: Dec 2003 | Location: UK | Posts: 211
As others have stated, you don't need 101 passwords if you reserve certain ones for high-security / low-security-web-based etc etc.

The trouble I have is that I'm prompted to suggest a password when I least expect it, suggest one that seems memorable at the time, and therefore find myself in the stressful situation I'm in now where I have over 10 different ones, and can never remember which for which...

I'm nervy about writing them down, and as stated before, reserve certain ones for low-security stuff such as Ppruning, and others for the credit card etc, however, it often takes me several attempts for passwords I don't use regularly, and on top of all the PINs I have to remember I feel as if I'm going into mental overload to be honest...

I couldn't remember the word I used for a credit card, and could only log in to see my statement after having the card for 2 months (the software wouldn't say you had the wrong word, just that the "server was busy").... Not that I should have anything to worry about, but one should check financial statements for obvious reasons...

So anyway, my point is that I don't think having all these passwords makes life any less stressful...far from it.

I have a safe, so I guess maybe I should write them all down and put them in there in case reference is needed.

Not sure if my experience will benefit Evo's article, but it really is a PITA to remember all these words and PINs...
WG774 is offline  
10th Dec 2005, 13:37, post #31
I'matightbastard
Join Date: Jul 2001 | Location: Texas | Posts: 1,747
I should actually read this thread because I've been meaning to have a rant on JetBlast for a while now about this.

It really p1sses me off

I would like to have two, maybe three "levels" of password: an easy one for email, a middle one and a strong one for on line banking. The trouble is that I can't do this because each site seems to have its own rules. Must have eight characters, must have specials, must have letters and numbers.

It's the same for IDs too. I want just a couple. Some places have an underlying "account number" and you can give yourself a nickname, but a lot of places are not that flexible. I have this one banking site and they gave me a random ten digit number that I couldn't change (because of security, they said). This has one of two outcomes: either (1) I have to write it down to remember it, which is of course less secure than me choosing my own, or (2) I just don't use their stupid site.

It's the same at work; I have four different IDs with different password rules and different expiration frequencies. So what do I do? You got it, it's all written on a Post-it note stuck to my monitor.
Onan the Clumsy is offline  
10th Dec 2005, 14:16, post #32
High Flying Bird
Join Date: Dec 2000 | Location: Old Sarum ish | Posts: 2,297
I use about four. I've got the same one for all the sites that demand a password, but I'm not worried about other people logging on as me. Then others for forums, email and bank.

None of the passwords I use are easily guessable. The one I've been using longest (15 years or so) is a random corruption of a Latin name of a fish I used to keep! The others are either random letters, randomly capitalised, or people's unusual names, followed by a number.
AerBabe is offline  