And as another XKCDstrip suggests, beyond a certain point the effort to crack a password would be high enough that any scary people who want it could employ other methods. (the hovertext is probably also true).
If the site they’ve gotten the password file from is a bank, then every individual password is valuable, to the tune of however much that user has in their bank account and lines of credit. And a reasonably-constrained brute force search will run plenty fast enough, even applied to every single account, to quickly get a large proportion of matches. Even more so, if you use something just a little smarter than brute force (using dictionary words, keyboard patterns, common letter substitutions, and so on).
Yes, that is exactly what I do at work. I use an 8 digit word followed by a 2 digit number. When a special character is needed it goes between the word and the numbers. And when the password needs to be changed the number on the end goes up by one.
Why? Because of the dozens of times I must log in each day I have got to have a password I can easily remember. You see some of the information on my screen is sensitive and personally identifiable, so they set the time-out for inactivity to about 5 minutes so that no one can see what you are working on if you step away from your computer. The office has a continual parade of people coming in with various issues and several co-workers are also in this same office.
Log in to local machine, log in again thru a Citrix portal to the main computer located somewhere on the moon judging by the response time, login a 3rd time to each application I work in.
But wait, someone has a question for me, so I take care of it and shit!! Access lost due to inactivity.
Log in, log in, log in, start again, all fucking day. Log in, log in, log in, a few minutes of work and shit again! Fucking passwords, fucking log ins. I am looking forward to the day when biometrics will log me on as soon as I grab the mouse.
Why yes, it is government work. How did you know?
My understanding is that major banks don’t use hashing for password security. They actually encrypt the password databases with separate, ultra-secret keys. So obtaining the password database wouldn’t be enough, you’d need the key(s) too. Banks have the means and experience to keep the necessary keys secret. Ordinary websites don’t, so for them hashing is a good, simpler solution.
I don’t think that quite works.
First, this “ultra-secret key” would need to be used every time a password is validated. That’s the reason behind the typical scheme (ala UNIX) where the password file doesn’t need to be kept secret, but the passwords aren’t stored there: only the hash to verify the password is kept there. The hash doesn’t reveal the password (although as mentioned above, having it makes cracking the password easier).
It does make sense to encrypt the password file regardless, so that it’s not easy to get the list of user IDs. But as I mentioned above, it would need to be decoded frequently, to do the password check, which raises the likelihood of it being spied.
Now, I would expect banks to use significantly more sophisticated systems than what I mentioned above. But a ‘super secret password’ doesn’t help, since it would need to be used so frequently.
It seems to me that the chances of some scrote hacking the bank, stealing the password list and all the other information, cracking my password, security code and number, and then stealing my funds, are much lower than the chances that our local friendly burglar will break in and steal all my goods, including my computer.
Or, even more likely, get mugged when I draw cash from an ATM.
Yes, that’s how I remember it. They had an outer system, still secure by the standards of your average website, which had encrypted passwords stored on it, and a specialised, heavily-protected and locked-down system, that had the encryption keys and was queried by the outer system to verify that the passwords were correct. Because the inner system didn’t have to do anything except store a few keys and check incoming passwords, it could be a simpler, one-purpose system and therefore easier to secure. ISTR there were also reasons involving network latency, can’t remember the details. The outer system was more like a regular server.
I’ve never really understood why writing down a password is so frowned on in certain circles. If an attacker has physical access to your computer, you’ve very likely got much bigger problems than password issues.
Consider a public space or private office where hundreds of people have legitimate access to the computer’s physical location. It’s easy enough to lock everything down by user account, but if you’ve provided easy access to your password it’s easy to impersonate you and gain access to any data that you have access to.
If you’re in a cubicle farm, then that just means that you should keep the little slip of paper in your wallet instead of stuck to your keyboard. People are generally pretty good about keeping their wallets secure.
And if a bank wants to add extra layers of security to its password handling, that’s fine, as long as the extra layers are in addition to, not instead of, the standard ones.
There have certainly been instances of old computers turning up at a tip or recycling depot with sticky notes listing passwords still attached to the screen.
There is little doubt that the weak link in security has been the human, and this is something that is unlikely to change.
I know it does and has happened - but to me, a moderately strong password is good enough on my side. It’s the bank that needs the super security.
And to me it makes sense when you think about it. Absent hacking of the bank, what does the super nerd criminal need to get access to my account?
- He has to know I bank there
- My self chosen, minimum 8 character username
- My password
I have five attempts before I’m (permanently) locked out and must either wait 1 week for the reset mailer to arrive or visit the bank personally.
And even if the SNC gets past that - he still has to send the money somewhere. My bank doesn’t allow international transfers, (unless they are preset-up to a white list) - which means he has to have a local bank account. To open an account, he must have ID…
And even then - we have 2 factor identification here, so after getting the password right, he still has to get past the 2nd factor dongle that generates an 8 digit onetime password.
Meh - Frankly, I’m not going to get too concerned about leaving myself open to a dictionary attack by choosing a password like indoctrination83
Or to think about it another way -
I used to work at a petrol kiosk / station.
They were super vigilant about fuel spills.
But as the safety officer pointed out to me…
When we watch the pumps, then pump at what 50-60 litres a minute? How much can be spilled.
When the tanker truck comes, he dumps 3000-5000 litres a minute
Where should I spend my effort in being vigilant?
[edit] I changed my mind about posting this.
That’s OK. I saw your password before you deleted it. You’d better move your funds.
Too late, I’ve already snarfed them.
Well, enjoy that £1.50.
Why absent that, though? Major financial institutions have been hacked in the past, and it will surely happen again.
Also, you shouldn’t count on any security at all from knowing that you use that bank, or knowing what your user ID is. Those are both considered public knowledge.
The problem is that it’s a cat and mouse game. He may be safe now but maybe not next year. For anyone curious about how actual crackers go about figuring out password, please take a look at this article.
The problem is that when there’s a leak, and they happen often enough that you should assume that there will be one, the password list gets spread to every single cracker on the planet who will then start working on it. If passphrase become popular, then crackers will adapt their techniques and dictionaries. No matter how long, how apparently obscure your password is, if it can be broken down into two parts that are in a dictionary, as possibly “ScroogeMcDuck” and “has$80Billion” are, then your password will be cracked.
Crackers know all about obvious substitutions, so something random like “Scxooge” is actually stronger than “$cr00ge.”
Is this paranoid? Somewhat. However, people are so bad at coming up with anything truly random that just advising people to use phrases won’t much improve their security. See in the article how the phrase-like password “momof3g8kids” fell rather easily.
I think security experts are divided on this topic. Certainly, sticking a post-it on your workplace monitor or keyboard is stupid and defeats the purpose of passwords. However, as some note, people are much better and smarter when it comes to protecting their physical property, so that writing a good password (or even just part of the password) down on a piece of paper you keep in your wallet, while not perfect, is probably fairly safe.
Well, we can do it, and it’s not actually that hard. For instance, when I set up my online banking, I created my password by rolling dice. I guaran-damn-tee that that one’s random, and no cracker is guessing it.