SCS Software

message board
It is currently 28 Apr 2017 10:24

All times are UTC + 1 hour [ DST ]




[ 35 posts ]  Go to page Previous  1, 2, 3, 4  Next
PostPosted: 11 Oct 2014 14:33 by MartinoPio
Joined: 24 Dec 2012 22:59
Posts: 1241
Location: Italia
Axel Slingerland wrote:
I keep all of my passwords in a text file on a USB stick.

It is not very safe. Many programs have read access to the file. Could end up in the wrong hands.



PostPosted: 11 Oct 2014 16:27 by SabR
Joined: 02 Jun 2014 17:22
Posts: 3588
Location: India
Memorizing usernames & passwords for so many accounts, and that too when they look something like this: &CGed8jR32nFkvyffXa*S$Exyg2DkUY6!QT^%fjI? I just can't! Just can't!

Using LastPass and would recommend it with multifactor authentication enabled. Also, keep changing vital account passwords every fortnight or so. ;)

If using LastPass, I recommend doing a security check; the link is on the left in your vault.



PostPosted: 11 Oct 2014 16:40 by scanialoverr
Joined: 13 Jan 2014 16:28
Posts: 2090
.


Last edited by scanialoverr on 11 Oct 2014 22:04, edited 1 time in total.

PostPosted: 11 Oct 2014 18:46
Joined: 18 Mar 2013 02:59
Posts: 1971
Location: Hammond, Indiana
MartinoPio wrote:
Axel Slingerland wrote:
I keep all of my passwords in a text file on a USB stick.

It is not very safe. Many programs have read access to the file. Could end up in the wrong hands.

If the USB stick is sitting on the desk and not plugged in, the only access to the passwords would be for a thief to break into one's office or home... 8-)

_________________
Fr. Bill
Interests: Gauge Programming - 3d Max Modeling for Eaglesoft Development Group & Military Visualizations
It is not wise to contest forum moderators; they have more ways to admonish than you have of evading, (Shin'a'in Proverb) :)


PostPosted: 11 Oct 2014 19:37 by MartinoPio
Joined: 24 Dec 2012 22:59
Posts: 1241
Location: Italia
Before anything gets onto a USB stick, it must be connected to a computer. I know that viruses are able to get into USB drives as soon as you plug them in (especially if you have a good antivirus). The only solution is to write them on a sheet of paper that is kept safe.



PostPosted: 12 Oct 2014 03:00 by Cadde
Joined: 24 Apr 2013 20:08
Posts: 8416
Location: Have no fear, i am from the internets!
On a completely unrelated note...
About remembering passwords.

Some people think that a password like...

"XyDa42TY"

... Is more secure than a password like...

"ieatcowsforbreakfast"

... The latter is more secure... Why?
Because the first one has 8 characters, comprised of numbers, lowercase and uppercase characters: 10 + 26 + 26 = 62

62^8 = 2.18340106e14

The latter has 20 characters, all lowercase: 26

26^20 = 1.99281489e28

The latter basically has 14 more zeroes in how many different variations you can make of it.
Even if they were to make a word-composition brute-force attempt on it, the latter has 5 words. There are 1025109.8 words in the English language according to a Google search.

1025109.8^5 = 1.1320143e30

Ok, even if we were to take a list of the most common words. Say 25000 of them.

25000^5 = 9.765625e21

It still beats the first example.
Mind you, using too few or too common words in a password is also bad practice. An even better one would be "anorexiaisbadforbusiness" (Anorexia is bad for business) or "myfriendgüntherisastrudel" (My friend günther is a strudel)

So which is easier to remember?

"XyDa42TY" vs "ieatcowsforbreakfast"

The latter, I'd say, and it's faster to type too... And with white space in it, it adds one complexity level to the password. Unfortunately, a lot of sites refuse to accept whitespace in passwords because they are doing it wrong.
That is, it's more likely that someone is going to get your password from hacking the site and exploiting bad security practice than it is to break either of the two passwords in my example.

The more you know...

...

Password recovery doesn't work because there's no mail server associated with the forums. SCS knows about it and have tested a few things in the past but i don't know what the current progress is on the matter.

_________________
Green text = Moderator action.
White text = Opinions and general banter.
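The arithmetic in the post above (62^8, 26^20, 25000^5) is the size of the search space under a particular guessing model. As an added example, not code from the post or from SCS, the following Python sizes both models discussed there (brute force over a character class, and brute force over a word list), picks the one a rational attacker would use, and turns it into an expected cracking time. The guess rate, the character classes and the dictionary sizes are illustrative assumptions, and the word count of a passphrase is supplied by the caller because the code does not segment text into words.

```python
"""Added example, not code from the forum post: size the search space an
attacker must cover under two guessing models (brute force over a character
class, brute force over a word list) and derive an expected cracking time.
The guess rate and dictionary sizes are illustrative assumptions."""
import math
import string
from typing import Optional

# Character classes an attacker would pick for a mask/brute-force attack.
LOWER = string.ascii_lowercase                        # 26 symbols
ALNUM = string.ascii_letters + string.digits          # 62 symbols
PRINTABLE = "".join(chr(c) for c in range(32, 127))   # 95 printable ASCII

# Assumed offline guess rate (fast hash on commodity GPUs); not from the page.
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates in an exhaustive search of exactly `length` symbols."""
    return alphabet_size ** length


def wordlist_keyspace(dictionary_size: int, words: int) -> int:
    """Candidates when the attacker concatenates `words` dictionary entries."""
    return dictionary_size ** words


def bits(keyspace: int) -> float:
    """Keyspace expressed in bits; each extra bit doubles the attacker's work."""
    return math.log2(keyspace)


def smallest_class(password: str) -> int:
    """Size of the smallest class above containing every character of
    `password`, i.e. the alphabet a mask attack would use against it."""
    for alphabet in (LOWER, ALNUM, PRINTABLE):
        if all(ch in alphabet for ch in password):
            return len(alphabet)
    return 256  # non-ASCII present: fall back to arbitrary bytes


def expected_seconds(keyspace: int,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """On average the target is hit halfway through the space."""
    return keyspace / 2 / rate


def analyze(password: str, words: Optional[int] = None,
            dictionary_size: Optional[int] = None) -> dict:
    """Return both models' keyspaces plus the smaller one, which is what the
    attacker will actually use.  `words`/`dictionary_size` describe a
    passphrase and are given by the caller (no word segmentation here)."""
    brute = charset_keyspace(smallest_class(password), len(password))
    result = {"brute_force_keyspace": brute, "brute_force_bits": bits(brute)}
    if words is not None and dictionary_size is not None:
        wl = wordlist_keyspace(dictionary_size, words)
        result["wordlist_keyspace"] = wl
        result["wordlist_bits"] = bits(wl)
    best = min(v for k, v in result.items() if k.endswith("_keyspace"))
    result["best_attack_keyspace"] = best
    result["best_attack_bits"] = bits(best)
    result["expected_seconds"] = expected_seconds(best)
    return result


if __name__ == "__main__":
    cases = (("XyDa42TY", {}),
             ("ieatcowsforbreakfast", {"words": 5, "dictionary_size": 25000}))
    for pw, kw in cases:
        r = analyze(pw, **kw)
        print(f"{pw:22s} best attack {r['best_attack_bits']:.1f} bits, "
              f"~{r['expected_seconds'] / 86400:.1f} days "
              f"at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

Run as-is it reproduces the post's numbers: the 8-character mixed password is about 47.6 bits and falls in hours at the assumed rate, while the five-word phrase is bounded by the 25000^5 word-list model (about 73 bits) rather than by 26^20, and still comes out far larger. Note that the word-list figure is only as good as the assumed dictionary size; against a phrase built from a much smaller list of common words the bound shrinks accordingly.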


PostPosted: 12 Oct 2014 07:32 by SabR
Joined: 02 Jun 2014 17:22
Posts: 3588
Location: India
Cadde wrote:
Some people think that a password like >> "XyDa42TY"... Is more secure than a password like >> "ieatcowsforbreakfast"...


How is a comparison between an 8- and a 20-character-long password valid? And you didn't mention the special characters. If the site allows a maximum of 32 characters, why shouldn't one go for the max or thereabouts? Why settle for the minimum, i.e. just 6 or 8? I'd like to read the literature you found, coz I might be seeing your post in a different light, and also to understand your equations.

Using words as passwords is easy to remember and difficult to crack, but you mentioned the loophole too. Google shows a definitive set of words, a total given number. Wouldn't you feel relieved a bit when your task is simplified? In other words, you know you have to clear out the bad apples from a basket of 500. Then come the permutations & combinations to arrange 'em and bleh, bleh, bleh. Compare that to an infinite set of characters and it will prove to be much more difficult.

Until your research changes my mind, I feel more secure in a 40-character-long password like this >> &CGed8jR32nFkvyffXa*S$Exyg2DkUY6!QT^%fjI than this >> dRivinGtHruTheMOuntainSiNmYmErCEDesaNTos (driving thru the mountains in my mercedes antos). I don't have to type it, autofill ftw (LastPass). When you're on 20 or more sites, it could be a waste of time to type in your username & password for every single site.

I ain't underestimating the algorithm writers. If not yet, they will find loopholes in it sooner or later. Till then I'd like to be paranoid-safe, if that is a word. :P

A good read... Cryptography

I do agree with you that hackers won't tie themselves up trying to crack your password. Instead they'll breach the source/parent company and get the lot instead of just one guy. It's a psychological game. Hence good security practices are a must for minimizing the hit.



PostPosted: 12 Oct 2014 08:05
Joined: 06 Oct 2014 08:47
Posts: 247
Location: Manila, Philippines
XKCD passwords ftw:
http://xkcd.com/936/

https://www.xkpasswd.net/c/index.cgi


PostPosted: 12 Oct 2014 15:51 by Cadde
Joined: 24 Apr 2013 20:08
Posts: 8416
Location: Have no fear, i am from the internets!
@SabR, the reason I am comparing an 8-letter password with a 20-letter password is because most people would assume 20 letters is harder to remember than 8. But it's actually easier.
I am not comparing password strength based on length really, I am comparing it based on how easy it is to remember. That 8-character password is not easy to remember but easy to guess for a computer.

EDIT: Even if that 8 letter password is a word... Like "stonehead", a password like "stoneheads are hard" might actually be easier to recall because you are making an association in your head.
A lot of my passwords are in muscle memory too, a longer password takes longer to type and thusly you develop a muscle memory to type these passwords faster.

There's nothing wrong with being paranoid and having passwords using all 255 characters (if at all possible) available in the extended ASCII table.
If one could use all 255 variations and the hacker/cracker HAD to assume you have used any random ones of those characters then...

255^8 = 1.78781033e19 (Still less than 20 lowercase letters btw)
255^20 = 1.35146128e48 (Now we are talking... But good luck remembering that one.)

Ok, so say I used a password like this, in hex: "AD 20 FF 49 D6 BE EF F0"
It would probably be EASIER to remember the hex values for the password than the characters that would show up if you tried to display it in plain text. Even though the hex values are twice as long as the original password.

Even better yet, if i chose a password like this: "Þ­¾ï7 P"
... would you be able to memorize it?
Here is the same password in hex: "DE AD BE EF 13 37 20 50" That is... "dead beef 1337 2050", more text... Much easier to remember. Albeit not as easy to type in, you can do it with ALT+Numpad.

And that's what it boils down to in the end. If the site is accepting all characters then, for a hacker/cracker, it would make little sense to limit themselves to bruteforcing using a limited set of characters. They could get lucky, or they may just waste a few days/months/years trying to bruteforce without including a character.
I am sure they already know the range of possible password chars and the minimum and maximum length of the passwords BEFORE they start to brute force.

That is, it doesn't really matter if you are using all lowercase or the entire character set. In a sense, if your password is "zzzzzzzzzzzzzzzzzzzz" and their brute force isn't testing for that like a dictionary attack, it's going to take a LONG time for them to bruteforce it.
Which brings me to another point... Uppercase characters are actually less secure than lowercase; they appear earlier in the ASCII table. If they are counting from 0 and up for each column, they will bruteforce a password with uppercase characters in it before they bruteforce one with all lowercase. Mixing upper/lowercase only complicates the password for you to remember and makes it easier to iterate to the correct one for bruteforcers, if all characters are involved.

Yes, once again, hackers/crackers use "clever" tricks to save some time. They go over the most common passwords first like "1234", "password", "****" (dat be a swear word), "*****" (dat be asterisks).
And they might start with lowercase characters because humans are too lazy to bother with the shift key/caps lock, but in the end, the chance that one character is a different one means a hacker/cracker eventually would start going...

A
B
C
D
...
AA
AB
AC
...
AAAAAAAAB
AAAAAAAAC

Now then, since all passwords are "equal" after a certain point (you have passed the threshold for "too common" and "too short"), here are your two passwords in normal text and in hex.

Code:
&CGed8jR32nFkvyffXa*S$Exyg2DkUY6!QT^%fjI = 26 43 47 65 64 38 6A 52 33 32 6E 46 6B 76 79 66 66 58 61 2A 53 24 45 78 79 67 32 44 6B 55 59 36 21 51 54 5E 25 66 6A 49
dRivinGtHruTheMOuntainSiNmYmErCEDesaNTos = 64 52 69 76 69 6E 47 74 48 72 75 54 68 65 4D 4F 75 6E 74 61 69 6E 53 69 4E 6D 59 6D 45 72 43 45 44 65 73 61 4E 54 6F 73

Code tags for monospace font...

As you can tell, on the hex end, there's no real difference. On the text end, the one with words is easier to remember.

Finally, on the use of password keepers like LastPass. To me, the best kept password is the one you can memorize.
I have a large number of passwords kept in my head. Some are really complex, the most important ones. The rest are really simple to remember; I have associated them with an object, location, feeling or train of thought that I can quickly "revisit" to recall my password.

Having your passwords stored, in ANY digital/analog (pen and paper) format is generally a bad idea.
Especially if anyone can poke and prod the storage like they can with lastpass.

Even so, both your passwords are strong enough to where a hacker/cracker going for you personally wouldn't even bother with your password. They would attack your PC, your internet persona and every site that you visit to get at you.
They would be done with that LOOOONG before they broke your super strong passwords.
They are more likely to kidnap/threaten/corrupt the maintenance staff of lastpass and force them to sniff your password/key/credentials as you login to their service than actually bruteforcing your password.

That is, your best (of all possible) securities is to not make yourself a target in any way.

EDIT:
I wanted to get into Unicode passwords... But I forgot, so it gets a late mention here.
With Unicode you have more characters to pick from... But in the end, you are still using bytes to store them. It's the byte count that... counts!
And Unicode has some characteristics that can be used to make bruteforcing them easier if they have your hash and salt.

_________________
Green text = Moderator action.
White text = Opinions and general banter.
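The post above sketches an enumeration order (every one-symbol candidate, then every two-symbol candidate, and so on, each length walked in the attacker's alphabet order) and argues about which passwords that order reaches first. As an added example, not code from Cadde's post or from SCS, the following Python computes a password's guess number under exactly that order, so the claim can be checked for any password and any alphabet order. The two alphabets, the guess rate and the sample passwords are assumptions chosen for illustration; the function also covers the case the post mentions where the attacker's alphabet omits one of the password's characters, so the search never terminates successfully.

```python
"""Added example, not code from the forum post: guess number of a password
under a length-first, then alphabet-order brute-force enumeration.  The
alphabets and guess rate are illustrative assumptions."""
import string
from typing import Optional

# Two orderings of the same 52 letters.  ASCII order puts A-Z before a-z; an
# attacker who expects lowercase-heavy passwords may walk a-z first instead.
UPPER_FIRST = string.ascii_uppercase + string.ascii_lowercase
LOWER_FIRST = string.ascii_lowercase + string.ascii_uppercase

ASSUMED_GUESSES_PER_SECOND = 1e9  # illustrative rate, not from the page


def guess_number(password: str, alphabet: str) -> Optional[int]:
    """1-based position of `password` when candidates are tried by increasing
    length and, within a length, in `alphabet` order (like counting in base
    len(alphabet)).  Returns None if any character is outside `alphabet`:
    that search never finds the password, however long it runs."""
    index = {ch: i for i, ch in enumerate(alphabet)}
    if not password or any(ch not in index for ch in password):
        return None
    k = len(alphabet)
    n = len(password)
    shorter = sum(k ** length for length in range(1, n))  # all shorter candidates
    rank = 0                                               # base-k value of this one
    for ch in password:
        rank = rank * k + index[ch]
    return shorter + rank + 1


def seconds_to_reach(password: str, alphabet: str,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> Optional[float]:
    """Wall-clock time until the enumeration reaches `password`, or None if
    it never will under this alphabet."""
    g = guess_number(password, alphabet)
    return None if g is None else g / rate


if __name__ == "__main__":
    for pw in ("A", "AB", "ab", "AAAAAAAAB", "zzzzzzzz", "p@ss"):
        print(f"{pw:10s} upper-first: {guess_number(pw, UPPER_FIRST)!s:>24}  "
              f"lower-first: {guess_number(pw, LOWER_FIRST)!s:>24}")
```

Running it shows the point made in the post is a property of the attacker's ordering rather than of the password: "AB" is guess 54 and "ab" is guess 1432 when A-Z is walked first, and the two numbers swap when a-z is walked first. "p@ss" gets None under both alphabets, which is the "wasted days/months/years" case of a search that excluded a needed character.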


PostPosted: 06 Feb 2015 17:22
Joined: 31 Jan 2015 13:45
Posts: 1
So I wiped my machine due to Windows shenanigans.

Like usual, I lost my password, and the recovery doesn't work. Not only that, but I can't remember the username and password to caekdaemon2 either, so I ended up making a third account.

I seriously need a notebook with my passwords or something.

EDIT : I also spelt my damned username wrong. Auxiliary, not Auxilary Caek.


Last edited by Reef on 06 Feb 2015 17:30, edited 1 time in total.
Please don't use the attachment feature for anything other than official SCS bug report screenshots or game logs, upload your images to an image hoster instead.

