Author Topic: Episode #586  (Read 2594 times)


Offline gebobs

  • Not Enough Spare Time
  • **
  • Posts: 164
  • Me like hockey!
Re: Episode #586
« Reply #30 on: October 04, 2016, 04:12:15 PM »
IDK, convergent evolution is a thing.  If a plan worked once there's no reason why evolution would come up with something similar elsewhere.  On the other hand, there's no reason why it would.  As we only have a sample size of one biosphere, we really have no way to guess how life might evolve elsewhere.

That's a good point. N=1 is pretty small, eh? Independent evolution of DNA or whatever seems pretty unlikely but who the heck knows? Maybe all roads lead to Rome.
« Last Edit: October 04, 2016, 04:16:40 PM by gebobs »

Offline Pusher Robot

  • Frequent Poster
  • ******
  • Posts: 2181
  • Do you have stairs in your house?
Re: Episode #586
« Reply #31 on: October 04, 2016, 04:15:57 PM »
Yeah, but how much less secure is my strong password after a year, compared to after 3 months?  Is 3 months some sort of optimized compromise between how often hackers get access to my mid-sized engineering consulting company's password list and how often I need to enter my password?  Or is it some arbitrary bullshit thing that makes upper management feel better, as per TSA theater at the airport?

How much less secure it is after a year compared to 3 months depends entirely on how often you re-use that password, because the more it is reused and the more time has passed, the likelier that the password has been stolen from a hacked website on which you used it.  Once that happens, all your other accounts using the same password are highly vulnerable.

A lock on your door won't keep burglars out. It will just make the door a more difficult entry point than, say, breaking a window or cutting through a wall. Perhaps it will make the burglars decide that your neighbor's house is an easier target than yours.

There are various ways a hacker may gain access to my accounts. But if and when they do, it won't be by guessing my passwords, because those are more difficult to guess than other ways over which I have no control. As long as nobody has come close to guessing my password, there is no good reason to force me to change it.

The site operator has no way of knowing how frequently you re-use your passwords, so they have to make some assumptions that suit the average person (who re-uses them frequently).

Quote
Note also that standard good procedure for web sites is to block access entirely after a specific number of failed attempts. So a hacker can only try three or four, or maybe at most ten guesses before the account is locked and I am notified. If I was not the one who was trying wrong passwords (because I forgot mine) then the alert will let me know that something is going on. And even then, changing the password is not necessarily the best choice, since the hacker didn't get in.

That's not how large-scale attacks work.  They work by compromising the service and stealing the database of hashed and salted passwords (pray that they are at least hashed and salted!)  They can then run unconstrained offline attacks on these databases using dictionaries and, if they manage to find the salt, rainbow tables.  Then, once they've obtained your password through an offline attack, they will use it to log in.

Quote
Again, I don't use guessable passwords.

If it's 10 characters or less and contains any dictionary words, it probably wouldn't last very long against an offline attack.

Quote
It would be much easier for someone to bribe a banker into turning over my social security number and then calling the bank and pretending to be me, as a reporter did with a friend of his (with permission) to show how easy it is to hijack someone's account using information about them that's easily available.

Not if you live in another country, it probably isn't.

Quote
Strong passwords are not the weak link in account security. The problem with passwords is just the people who use weak ones, or who don't even bother to change the default password. And even then, social engineering is probably responsible for more hacked accounts than anything to do with passwords.

Not a chance.  Social engineering might possibly be responsible for more targeted hacked accounts than weak passwords (or reset questions) but mass offline attacks on stolen password databases are by far the most prolific source of stolen usernames and passwords.  It's not even close.  Strong passwords help protect against this, but the older they are the greater the likelihood they have been cracked or stolen.
A novice was trying to fix a broken Lisp machine by turning the power off and on.
Knight, seeing what the student was doing, spoke sternly: “You cannot fix a machine by just power-cycling it with no understanding of what is going wrong.”
Knight turned the machine off and on.
The machine worked.
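The reply above describes the attack that matters at scale: a stolen database of hashes attacked offline with dictionaries and precomputed tables. As an added example (not from the thread or any product), the Python below stores passwords the "pray they are hashed and salted" way and shows why a per-user salt plus a slow iterated hash makes a precomputed table useless; the iteration count and wordlist are constructed values, not any site's real settings.

```python
import hashlib
import hmac
import os

# Iteration count for the slow hash. Assumed value, not any real site's setting.
ITERATIONS = 100_000

# Constructed stand-in for a cracking dictionary; real ones hold millions of entries.
WORDLIST = ["password", "letmein", "hockey123"]


def hash_unsalted(password: str) -> str:
    """Weak scheme: a single fast SHA-256. Same password -> same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Hashed-and-salted scheme: per-user random salt plus iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def new_record(username: str, password: str) -> dict:
    """What a site should store: username, that user's own salt, and the slow hash."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt.hex(), "hash": hash_salted(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    computed = hash_salted(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(computed, record["hash"])


def precomputed_table(wordlist) -> dict:
    """Rainbow-table stand-in: hash every dictionary word once, ahead of time."""
    return {hash_unsalted(w): w for w in wordlist}


def table_hits(stolen_hashes, table) -> dict:
    """Against unsalted hashes, one lookup per row recovers every user on the list."""
    return {h: table[h] for h in stolen_hashes if h in table}


def salting_defeats_table(password: str) -> bool:
    """Two users with the same password get unrelated hashes, so the table finds neither."""
    table = precomputed_table(WORDLIST)
    a, b = new_record("alice", password), new_record("bob", password)
    return a["hash"] != b["hash"] and not table_hits([a["hash"], b["hash"]], table)
```

With the salted scheme every guess has to be recomputed per user at the full iteration cost, which is what turns a one-lookup table attack back into the slow offline grind the thread is talking about.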

Offline gebobs

  • Not Enough Spare Time
  • **
  • Posts: 164
  • Me like hockey!
Re: Episode #586
« Reply #32 on: October 04, 2016, 04:17:24 PM »
Wazz "social engineering"?

Offline amysrevenge

  • Baseball-Cap-Beard-Baby Guy
  • Stopped Going Outside
  • *******
  • Posts: 4862
  • The Warhammeriest
Re: Episode #586
« Reply #33 on: October 04, 2016, 04:18:30 PM »
Also, I reckon if it was something similar in size/complexity to a bacteria, just normal conversational shorthand would have us calling it some variation of "alien bacteria", at least for a while.
Big Mike
Calgary AB Canada

Offline Ah.hell

  • Poster of Extraordinary Magnitude
  • **********
  • Posts: 10170
Re: Episode #586
« Reply #34 on: October 04, 2016, 04:24:21 PM »
IDK, convergent evolution is a thing.  If a plan worked once there's no reason why evolution would come up with something similar elsewhere.  On the other hand, there's no reason why it would.  As we only have a sample size of one biosphere, we really have no way to guess how life might evolve elsewhere.

That's a good point. N=1 is pretty small, eh? Independent evolution of DNA or whatever seems pretty unlikely but who the heck knows? Maybe all roads lead to Rome.
Wouldn't have to use DNA even to get something that looks a lot like a bacteria or a jellyfish, which is how I took the rogues' meaning.

Social engineering in the context of internet security is really old fashioned conning.  Calling some office drone up and suckering them into giving you their password or some other form of access to an otherwise secure system.

Offline gebobs

  • Not Enough Spare Time
  • **
  • Posts: 164
  • Me like hockey!
Re: Episode #586
« Reply #35 on: October 04, 2016, 05:03:54 PM »
Also, I reckon if it was something similar in size/complexity to a bacteria, just normal conversational shorthand would have us calling it some variation of "alien bacteria", at least for a while.

Yeah, I get that. Usually Steve gets his pedantic hackles up but this one slipped by.

How cool would it be though if Europans had something like DNA? Mind blown.

Offline daniel1948

  • Frequent Poster
  • ******
  • Posts: 3951
  • Cat Lovers Against the Bomb
Re: Episode #586
« Reply #36 on: October 05, 2016, 10:51:10 AM »
Yeah, but how much less secure is my strong password after a year, compared to after 3 months?  Is 3 months some sort of optimized compromise between how often hackers get access to my mid-sized engineering consulting company's password list and how often I need to enter my password?  Or is it some arbitrary bullshit thing that makes upper management feel better, as per TSA theater at the airport?

How much less secure it is after a year compared to 3 months depends entirely on how often you re-use that password, because the more it is reused and the more time has passed, the likelier that the password has been stolen from a hacked website on which you used it.  Once that happens, all your other accounts using the same password are highly vulnerable.

Which is why I never use the same password twice for accounts I care about. (I use a simple one for accounts that don't matter, like a news site that requires a password to post in the comments section.)


Quote
Quote
Again, I don't use guessable passwords.

If it's 10 characters or less and contains any dictionary words, it probably wouldn't last very long against an offline attack.

Then I'm safe.


I note that while some sites require changing passwords, many other sites, including some big banks, do not. I think that in this day and age the biggest banks are sophisticated enough to be employing best practices. Amazon also does not require regular changing of passwords, and I think they are about as sophisticated as it gets.

Wazz "social engineering"?

Social engineering is stuff like sending you an email and convincing you to click on a malicious link. A crude example would be an email that claims to be from PayPal, telling you that you have to log into your account to fix a problem, but the link sends you to a fake PayPal site, and when you give your username and password they use it to access your account. Which is why you should never access any web site using the link in an email. Go directly to the site instead.

In general terms, social engineering is convincing you to give your information, or convincing you to install a malicious program on your computer.
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Offline amysrevenge

  • Baseball-Cap-Beard-Baby Guy
  • Stopped Going Outside
  • *******
  • Posts: 4862
  • The Warhammeriest
Re: Episode #586
« Reply #37 on: October 05, 2016, 10:54:49 AM »
Thought experiment.  Which is more secure?

1) One "good" password, that you use for every account you own, that you change every 3 months like clockwork.

2) A unique "good" password for every site, that you change never, or rather only for known hacking incidents.
Big Mike
Calgary AB Canada

Offline Swagomatic

  • Frequent Poster
  • ******
  • Posts: 2248
Re: Episode #586
« Reply #38 on: October 05, 2016, 11:05:11 AM »
I've been using a password storage/generation program for the past year or so.  Mainly because between work and all my personal crap, there's no way I can remember a unique password for everything without writing it down.  I used to carry a cheat sheet in my wallet.  What does everyone think of these types of programs?  I use Dashlane.
Beware of false knowledge; it is more dangerous than ignorance.
---George Bernard Shaw

Offline Ah.hell

  • Poster of Extraordinary Magnitude
  • **********
  • Posts: 10170
Re: Episode #586
« Reply #39 on: October 05, 2016, 11:27:11 AM »
I've been using a password storage/generation program for the past year or so.  Mainly because between work and all my personal crap, there's no way I can remember a unique password for everything without writing it down.  I used to carry a cheat sheet in my wallet.  What does everyone think of these types of programs?  I use Dashlane.
I listen to This Week In Tech, and the last time this subject came up, they recommended doing exactly that.

Offline amysrevenge

  • Baseball-Cap-Beard-Baby Guy
  • Stopped Going Outside
  • *******
  • Posts: 4862
  • The Warhammeriest
Re: Episode #586
« Reply #40 on: October 05, 2016, 11:46:32 AM »
Putting all your eggs in one basket can be a great thing, if the basket is good enough.
Big Mike
Calgary AB Canada

Offline 2397

  • Seasoned Contributor
  • ****
  • Posts: 533
Re: Episode #586
« Reply #41 on: October 05, 2016, 01:26:39 PM »
Do make sure to keep a copy of the basket and eggs somewhere else, though.

Offline Swagomatic

  • Frequent Poster
  • ******
  • Posts: 2248
Re: Episode #586
« Reply #42 on: October 05, 2016, 01:30:10 PM »
I have a password on the program itself that is not quite a word and includes odd characters and a couple of numbers, but it is close enough to a word that I can remember it.
Beware of false knowledge; it is more dangerous than ignorance.
---George Bernard Shaw

Offline The Latinist

  • Cyber Greasemonkey
  • Technical Administrator
  • Reef Tank Owner
  • *****
  • Posts: 8671
Re: Episode #586
« Reply #43 on: October 05, 2016, 03:22:36 PM »
I use LastPass.  My password vault is protected by a very long passphrase (hashed locally with multiple rounds of SHA-256; not even LastPass knows my passphrase) and two-factor authentication. The passwords are encrypted locally with AES-256 and transmitted to the server where they are stored in encrypted form. To get access to my passwords, someone would have to get not only my master passphrase but also physical access to my phone and the ability to unlock it (my phone itself is protected by a very long passphrase & TouchID).  Well, I suppose if they got hold of the password hash from LastPass servers they could try to calculate a collision.  But that's pretty much impossible, and even if they did they'd still run into my two-factor authentication.

The passwords I have stored in LastPass are all long, randomly-generated, mixed-case, alphanumeric with special characters.  I have no idea what any of them is, but I don't need to.
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

Offline amysrevenge

  • Baseball-Cap-Beard-Baby Guy
  • Stopped Going Outside
  • *******
  • Posts: 4862
  • The Warhammeriest
Re: Episode #586
« Reply #44 on: October 05, 2016, 03:23:42 PM »
I use LastPass.  My password vault is protected by a very long passphrase (hashed locally with multiple rounds of SHA-256; not even LastPass knows my passphrase) and two-factor authentication. The passwords are encrypted locally with AES-256 and transmitted to the server where they are stored in encrypted form. To get access to my passwords, someone would have to get not only my master passphrase but also physical access to my phone and the ability to unlock it (my phone itself is protected by a very long passphrase & TouchID).  Well, I suppose if they got hold of the password hash from LastPass servers they could try to calculate a collision.  But that's pretty much impossible, and even if they did they'd still run into my two-factor authentication.

The passwords I have stored in LastPass are all long, randomly-generated, mixed-case, alphanumeric with special characters.  I have no idea what any of them is, but I don't need to.

It's nice to have a hobby.  ;)
Big Mike
Calgary AB Canada
