Proof that a Complex Password Can Work

Started by Raptor, January 09, 2024, 11:41:54 AM


Raptor

For the record, not defending anything here except the usefulness of complex passwords.

BTW password, 123456 & @lert need not apply....

If you ever want to know if a complex passcode is enough to stop a brute force attack by a .gov entity with virtually unlimited resources, I submit this as exhibit A.
Since Oct 2022 the RCMP has tried brute force attacks on the password. 175 million to be precise. About 410,000 per day... without success. A lot of attempts, except that there are 44,012,666,865,176,569,775,543,212,890,625 possible combinations, and at the rate of 410,000 per day they are literally decades (centuries?) away from trying all of the combinations.

BTW I do have to point out the bleeding obvious.

The data they want on the phone is available elsewhere likely stored on a google/apple server somewhere which is easier to obtain.


Finally, I doubt a totalitarian regime would go to this much trouble if the phone's owner was in their care, custody & control. I suspect some physical torture would produce the password.
Still, it is good to remember that a 32-digit random password is really pretty resistant to brute force attacks.

Someone pointed out that the time-out after unsuccessful attempts was clearly disabled. That, and the remote brick command was disabled as well.

Still it is interesting to see how ineffective the attacks were.


 https://ottawacitizen.com/news/local-news/police-must-return-phones-after-175-million-passcode-guesses-judge-says
Folks you are on your own...Plan and act accordingly!

I will never claim to have all the answers. Depending upon the subject; I am also aware that I may not have all the questions much less the answers. As a result I am always willing to listen to others and work with them to arrive at the right answers to the applicable questions.

MacWa77ace

I can't tell you how many movies and TV shows I've seen in the last few days where someone takes someone else's phone, dead or alive, and uses the biometrics [facial ID or fingerprint] to immediately open the phone. That's why I use a passcode and disable biometrics. But that's only slightly harder to crack than biometrics when you have a body.

OP: each year the brute hardware will get faster, so today's estimated success isn't next year's, or 5 years from now.

Remember when humans first started to map the human genome in 1994? It took multiple computer systems 13 years and 2.7 billion dollars. Now it can be done by one computer in hours?
Lifetime gamer watch at MacWa77ace YouTube Channel

Ask me about my 50 caliber Fully Semi-Automatic 30-Mag clip death gun that's as heavy as 10 boxes that you might be moving.


Raptor

Quote from: MacWa77ace on January 09, 2024, 01:17:41 PM
I can't tell you how many movies and TV shows I've seen in the last few days where someone takes someone else's phone, dead or alive, and uses the biometrics [facial ID or fingerprint] to immediately open the phone. That's why I use a passcode and disable biometrics. But that's only slightly harder to crack than biometrics when you have a body.

OP: each year the brute hardware will get faster, so today's estimated success isn't next year's, or 5 years from now.

Remember when humans first started to map the human genome in 1994? It took multiple computer systems 13 years and 2.7 billion dollars. Now it can be done by one computer in hours?

I agree that in future faster calculations will be inevitable, and even a 32-character password will not be adequate for protection from a .gov player.

That and a bit of extreme coercion are inevitable when a .gov player is at bat.

That said, it is still interesting and puts a smile on my face to see this type of password work so well.

I am reminded of the rhyme response... not by the hair on my chinny, chin, chin....


Z.O.R.G.

Quote from: Raptor on January 09, 2024, 06:25:56 PM
I agree that in future faster calculations will be inevitable, and even a 32-character password will not be adequate for protection from a .gov player.

In the words of Tony Stark - "I respectfully disagree" as long as it is chosen correctly and not an address, birthday or the names of all your pets.

For a symmetric encryption key a 96-bit key is typically considered safe for the next few hundred years. 96 bits is approximately 7.9 x 10^28 combinations. With 26 characters (52 with caps) and 20 numbers/special characters a 32-character password is 2.7 x 10^59 combinations.

I use passphrases based on characters & events in books. And I make sure there are spelling mistakes and they do not match the book(s), and sprinkle in special characters. It might look like this (put in some random caps and special characters - this is just an example and not a real one I use.)

HappyPotter_danced-with_NancyDrewer@Babilon6

Happy, not Harry
Drewery, not Drew
Babilon6 , not Babilon 5
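To put the numbers from the opening post and from the post above side by side, here is an added example (my code, not from anyone in the thread) that computes keyspace sizes, the equivalent key length in bits, and how long an exhaustive search takes at a fixed online guess rate. The 410,000 guesses per day figure is the one the opening post reports. The 95-symbol alphabet is my assumption that the phone accepted any printable ASCII character; the block checks that assumption by searching for the alphabet and length whose keyspace equals the opening post's 44,012,...,625 figure exactly (it is 95^16). The 72-symbol alphabet is the 52 letters plus 20 digits/specials used for the 32-character estimate above.

```python
import math

# Figures taken from the thread.  The guess rate is the one the opening post
# reports for the RCMP effort (about 410,000 attempts per day); the large
# number is the count of combinations it quotes.
GUESSES_PER_DAY = 410_000
OP_COMBINATIONS = 44_012_666_865_176_569_775_543_212_890_625

# Alphabet sizes.  95 is the printable ASCII range (space through '~'), my
# assumption for the phone passcode; 72 is the 52 letters plus 20
# digits/specials behind Z.O.R.G.'s 32-character estimate.
PRINTABLE_ASCII = 95
LETTERS_DIGITS_SPECIALS = 72


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent symmetric key length, in bits, of a uniformly random string.
    This is what lets a password be compared with a '96-bit key'."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_day: int) -> float:
    """Worst case: every candidate is tried at a fixed online guess rate.
    The expected time for a uniformly random password is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_day / 365.25


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest random password over the alphabet reaching `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def identify_keyspace(n: int, max_alphabet: int = 128, max_length: int = 64) -> list:
    """Find every (alphabet_size, length) pair with alphabet_size**length == n.
    Used here to work out which alphabet and length a quoted combination
    count corresponds to."""
    hits = []
    for a in range(2, max_alphabet + 1):
        for k in range(1, max_length + 1):
            v = a ** k
            if v == n:
                hits.append((a, k))
            if v >= n:
                break
    return hits


if __name__ == "__main__":
    print("OP figure came from (alphabet, length):", identify_keyspace(OP_COMBINATIONS))
    print(f"95^16 = {keyspace(PRINTABLE_ASCII, 16):.3e}, "
          f"{entropy_bits(PRINTABLE_ASCII, 16):.1f} bits, "
          f"{years_to_exhaust(PRINTABLE_ASCII, 16, GUESSES_PER_DAY):.2e} years to exhaust")
    print(f"72^32 = {keyspace(LETTERS_DIGITS_SPECIALS, 32):.3e}, "
          f"{entropy_bits(LETTERS_DIGITS_SPECIALS, 32):.1f} bits")
    print(f"2^96  = {2**96:.3e}; shortest printable-ASCII password with 96 bits: "
          f"{length_for_bits(PRINTABLE_ASCII, 96)} characters")
```

Note that the bit figures only hold for passwords drawn uniformly at random; a passphrase built from book characters has far less entropy than its character count suggests, which is exactly why the post above deliberately misspells names and mixes in symbols.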




majorhavoc

Yes, but how do you remember that complex password without writing it down, do you have a unique one for every site and did I forget already to ask: how do you remember that complex password without writing it down?  Unlike Jason Bourne, I cannot tell you the license plate number of all six cars in the parking lot and I have no idea if that guy at the bar knows how to handle himself in a fight.

I thought I was being so clever years ago developing a code that would generate a different (and fairly complex) password for every website. It was based on an obscure literary reference and certain unique aspects of any given website.  I didn't need to remember the password, just the code and I could reliably re-generate the proper password for any website.  

I thought I was so brilliant.  Until I was informed of the first data breach that impacted me and was advised to immediately change my password.  That's happened like umpteen times now, so my brilliant code-based password generation scheme went right out the window.  I hate hackers ... 
A post-apocalyptic tale of love, loss and redemption. And zombies!
https://ufozs.com/smf/index.php?topic=105.0

Anianna

I have a handful of passphrases based on obscure events that other people wouldn't know about (like something I planted in a given year or some mundane thing I did that nobody would care about) and each one is category-specific rather than site specific, but that's only for low-risk sites and sites I share with my kids, like streaming services.  I have had the occasional hack on my streaming services, but it hasn't been difficult to recover them and change the password again.  I pay for them via PayPal so my credit card information is not accessible via those accounts. 

For sites that require greater security, I use a password locker software that requires a physical key like a Yubikey.  I can use the software to generate a unique long password that I could never remember for every site.  I just need to be able to access the locker to log into those sites, which requires username, password, PIN, and physical key to get into.  I only need to remember one really good passphrase and one PIN for all of my banking, medical, bills, payment services, etc. 

I also use it for shops that I have a credit card saved on.  I link PayPal instead of a credit card whenever possible as another layer of protection, but some sites just don't have that option.  My PayPal account is also set to 2FA using the key, so if somebody wanted to steal my payment information from a given website, they have to get into two of my accounts with 2FA and two different obnoxiously long gibberish passwords.

Additionally, I also have individual sites set up for 2FA, either with the key or my phone (I am very annoyed that most banks do not support 2FA with a physical key, which is the more secure option - my social media accounts are better protected than my banking accounts).  Is it a PITA to 2FA into the locker and then also 2FA into each site?  Yes, which I figure means my accounts are less likely to be breached.   

I initially balked at doing this because it feels counter-intuitive to put all important logins in one place, but these lockers have proven secure over an extended period of time.  They are more secure than any other option at this point.  The more likely scenario would be the locker service stopping functioning so that I could no longer access my accounts, rather than the accounts actually getting hacked, but I think even that risk is very low and worth the added protection.

ETA:  Also, never let your browser save your login information or credit card information.  Those are not secure password lockers and make it super easy for anybody who gets hold of your device to get into literally anything and everything you saved that information for. 
Feed science, not zombies!

Failure is the path of least persistence.

∩(=^_^=)

Raptor

Quote from: majorhavoc on January 09, 2024, 09:36:31 PM
Yes, but how do you remember that complex password without writing it down, do you have a unique one for every site and did I forget already to ask: how do you remember that complex password without writing it down?  Unlike Jason Bourne, I cannot tell you the license plate number of all six cars in the parking lot and I have no idea if that guy at the bar knows how to handle himself in a fight.

I thought I was being so clever years ago developing a code that would generate a different (and fairly complex) password for every website. It was based on an obscure literary reference and certain unique aspects of any given website.  I didn't need to remember the password, just the code and I could reliably re-generate the proper password for any website. 

I thought I was so brilliant.  Until I was informed of the first data breach that impacted me and was advised to immediately change my password.  That's happened like umpteen times now, so my brilliant code-based password generation scheme went right out the window.  I hate hackers ...
This topic is pretty complex but you bring up some good points.

I have never been successfully hacked ... yet. That said, I have had all of my data (name, address, SS#, etc.) compromised twice that I know about. Most likely more, but I can confirm two instances.

The IRS compromised my data in a data breach and even had a tax return filed in my name. The IRS admitted the breach was through their tax transcript site.

The State of LA had 100% of the data at their DMV compromised; everything including my driver's license photo.
None of these issues arose because of a compromised password on my part, but rather due to institutional stupidity and carelessness. There is nothing you can do to prevent this.

That said, passwords you can do something about. The problem with complex passwords is the human issue. How do you remember them?

I do have one suggestion that is useful. Many (but not all) sites allow you to use a user name as well as a password. Most sites simply default your user name to your email address.

Here is my suggestion:

Do not use the email that is in common circulation for you for any important site. If the site does not allow you to assign yourself a user name, use an email that exists for the sole purpose of logging onto secure sites.

If the site allows you to set a user name, use a unique user name for the site. This will add complexity to any hacker attempt to get in your account.

For instance, if it is a bank site, set up an email and use it only for logging onto secure sites. For instance, "dblsecreteemail@nowhere.com" is the address and logon ID if the user name cannot be changed. Set up that email address to forward the emails to your regular account and do not use it for any other purpose.

If you can set up a user name, do so. So instead of your regular email account make the user name for example "Dblsecrte1234"... at least 12 digits, and then use a good unique password that is also at least 12 digits long. BTW do not repeat characters if at all possible in the password, even spaces. You want as many unique characters as possible and preferably many more than 12.

That said, two unique IDs basically double the effort to force the ID and password combination, since it requires the pair to be entered at the same time. Still, many sites do not encrypt the user ID data like they do with passwords, so that may not be as safe as it seems.

As far as 2FA goes, use it if available. There are several versions, but quite honestly I would note that the text message version, if you monitor your phone, will at least give you warning that someone is fooling around. That said, it is so easy to clone a phone that this is not ideal unless you use a burner phone for the 2FA. The other methods have their weaknesses also, but at least all of these stop or slow down all but a state player.

If you are dealing with a hacker they are looking for easy targets. There are literally millions of them, so why bother with a harder target when you can simply move on. State players like in the article are a whole different matter.

   

 

   

Z.O.R.G.

If people are interested I can write up the method by which passwords are stored in a (good) system and the two basic methods of how the black hats can get users' passwords - without too much techno-babble. 

majorhavoc

Quote from: Z.O.R.G. on January 10, 2024, 02:49:04 PM
If people are interested I can write up the method by which passwords are stored in a (good) system and the two basic methods of how the black hats can get users' passwords - without too much techno-babble.
I'd like to see that.  Sounds like a highly sticky-able post.

Z.O.R.G.

OK, Techno-babble up front.

Checksums are functions that take in an input of bytes (any length) and output a fixed-length number.  If any byte is changed, the output number changes drastically.  The output number can be anywhere from 8 to 256 bits (each character or byte is 8 bits) depending on the chosen function.  Longer checksum functions may also be called a hash or digest.  Good systems use 256-bit hashes which have 1.7 x 10^77 possible values.  That's a really, really big number - so the chance of a duplicate is pretty much zero. 

This is important because good computer systems don't store your password - they store a hash of your password.  This prevents an insider from stealing everyone's passwords.  It also is why they can only "reset" your password - they don't have a clue what it actually is. 

When you enter your password to log in, it's run thru the function and the hash of what you typed is compared to what the system has stored for it.  If they match, you're in.  When you create a password, the system may check the length and if it has numbers, caps, lower case and special characters in it to determine its strength.  

There are three main ways bad guys get passwords: "Dictionary" attacks, "Brute Force" attacks and Phishing. 

In a dictionary attack bad guys get access to the table of usernames and password hashes either thru an insider or by hacking into that part of the system.  Offline they've already run millions of potential passwords thru the checksum function and calculated the hashes for them.  They then compare their known passwords and hashes against the table they stole and immediately have the password for any matches.  This gets the most usernames & passwords with the least amount of work on the bad guy's part.  Short and simple passwords are almost guaranteed to be in the list of potential passwords.  You want a "strong" password to avoid being on that list.  

A brute force attack is pretty much what it sounds like - they keep trying to login and use the same list of potential passwords they would in a dictionary attack.  This is way slower as they need to do it one at a time.  Typically, "bots" are used to do it and they don't keep trying the same username on each try to prevent getting the account locked.  

Phishing is the easiest way to get a password - just trick the user into giving it to you with a fake login screen or a phone call where they ask you for your password to "fix" your account. 

Let me know if this makes sense...
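As an added illustration of the storage scheme described above (my code, written for this thread; it is not from the post or from any particular product): a user record holds a salted, deliberately slow hash rather than the password; a login check re-derives the hash with the stored salt and compares in constant time; and a constructed precomputed table of a few common passwords shows why a stolen table of plain, unsalted hashes gives up "123456" instantly while the salted record does not match anything precomputed. The algorithm (PBKDF2-HMAC-SHA256 from Python's standard library), the round count and the record layout are my assumptions; the sample passwords are constructed.

```python
import hashlib
import hmac
import secrets

# Round count for the slow hash.  Kept modest so the demo runs in well under a
# second; real deployments use far more (or a memory-hard function such as
# Argon2 or scrypt, which this example does not need).  Assumed values.
PBKDF2_ROUNDS = 50_000
SALT_BYTES = 16
RECORD_ALGO = "pbkdf2_sha256"


def fast_unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password.  Deterministic: the same password always
    gives the same hash, so a table computed in advance matches it directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> str:
    """Build what a good system stores instead of the password: the algorithm,
    the round count, a fresh random salt and the derived key, joined with '$'.
    The password itself is discarded after this call."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{RECORD_ALGO}${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Login check: re-derive with the stored salt and rounds, then compare in
    constant time so timing does not leak how many bytes matched."""
    algo, rounds, salt_hex, dk_hex = record.split("$")
    if algo != RECORD_ALGO:
        raise ValueError(f"unknown hash algorithm in record: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed stand-in for the "list of potential passwords" the post mentions,
# already run through the fast hash: a hash -> password lookup table.
COMMON_PASSWORDS = ["password", "123456", "@lert", "letmein", "qwerty"]
PRECOMPUTED_TABLE = {fast_unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_precomputed(stored_hash_hex: str):
    """What a stolen column of unsalted fast hashes gives away: one dictionary
    lookup per row.  Returns the password, or None if the hash is not in the table."""
    return PRECOMPUTED_TABLE.get(stored_hash_hex)


def demo() -> dict:
    """Store the same weak password both ways and compare what leaks."""
    weak = "123456"                       # constructed sample password
    unsalted = fast_unsalted_hash(weak)
    record = make_record(weak)
    record_dk_hex = record.split("$")[-1]  # the derived-key column of the record
    return {
        "unsalted_recovered": lookup_precomputed(unsalted),       # "123456"
        "salted_recovered": lookup_precomputed(record_dk_hex),    # None
        "login_ok": verify(weak, record),                         # True
        "login_wrong": verify("123457", record),                  # False
        # Two users with the same password get different records because
        # each gets its own salt, so one cracked row says nothing about another.
        "records_differ": make_record(weak) != make_record(weak),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

The salt does not make a weak password strong: an attacker holding the table can still run the list of common passwords through PBKDF2 per row, just at the cost of the round count for every candidate and every user, instead of one shared precomputation. That per-row cost is what turns "dictionary attack" back into something closer to the slow, one-at-a-time brute force the post describes.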

Raptor

It makes a great deal of sense. Please do continue.

MacWa77ace

It still sounds like a lot of effort, this is for a company with a lot of employees? Or a member type website like a bank or online store? Not an individual's computer.

There's some YT videos of hackers hacking scammers and getting all their personal info and deleting all their files while the scammer is trying to get the 'victim' to give them access to their computer. Some are hilarious. Most have an Indian accent for some reason.


MacWa77ace

I think Sony or Playstation Network had an internal breach a couple years ago. They never sent a public notice that I received or could find.

But the weirdest thing happened to my account.

One day I got a charge alert from my Discover Card that I was buying a digital download video game from the PlayStation Store. So I just clicked on 'It's not me' so the charge didn't go thru, and went into my account and deleted that card from my saved cards [the only one saved there] and changed my password. Here's where it gets really weird.

I make/had made purchases in the PlayStation Store online in the past using my Discover Card and never got an alert like that. Thanks Discover. So why they flagged this one IDK.

One of my co-workers is also a PlayStation gamer and we played together online multiplayer a lot. When I went to work the next day and told him the story, his eyes widened and then he told me that he was also a victim of some sort of hack, and they bought TWO games. They were games he already had. But his card let them go thru no questions asked. So he had to deal with that too.

Now if it was just my account, I'd think it was against me. But since it was against me and my friend's accounts pretty much the same weekend, I thought it was more likely a backend hack.

I have gotten some PlayStation network alerts that someone in Asia was trying to log into my PlayStation account and Sony blocked them, and advised I change my password. I haven't gotten any of those in a really long time.

How would someone benefit from buying digital download games on someone's gaming account? On PlayStation the games you buy go into your library and are registered to your account. IDK if you log in on one account on one console and then log in on another account on the same console, if you have access to all games on that one shared console. I've never tried that.

I assumed it would only work on your logged in account on 'any' console. I can log in on someone else's console using my account and access my game library. So I don't see how they can get it on their console to use. Plus, if they were in my account I have a ton of games they could download without buying any, they are in my library. Must be something with the purchase if they actually get ahold of the game. IDK.



Raptor

Quote from: Z.O.R.G. on January 10, 2024, 07:57:09 PM
OK, Techno-babble up front.

Checksums are functions that take in an input of bytes (any length) and output a fixed-length number.  If any byte is changed, the output number changes drastically.  The output number can be anywhere from 8 to 256 bits (each character or byte is 8 bits) depending on the chosen function.  Longer checksum functions may also be called a hash or digest.  Good systems use 256-bit hashes which have 1.7 x 10^77 possible values.  That's a really, really big number - so the chance of a duplicate is pretty much zero.

This is important because good computer systems don't store your password - they store a hash of your password.  This prevents an insider from stealing everyone's passwords.  It also is why they can only "reset" your password - they don't have a clue what it actually is.

When you enter your password to log in, it's run thru the function and the hash of what you typed is compared to what the system has stored for it.  If they match, you're in.  When you create a password, the system may check the length and if it has numbers, caps, lower case and special characters in it to determine its strength. 

There are three main ways bad guys get passwords: "Dictionary" attacks, "Brute Force" attacks and Phishing.

In a dictionary attack bad guys get access to the table of usernames and password hashes either thru an insider or by hacking into that part of the system.  Offline they've already run millions of potential passwords thru the checksum function and calculated the hashes for them.  They then compare their known passwords and hashes against the table they stole and immediately have the password for any matches.  This gets the most usernames & passwords with the least amount of work on the bad guy's part.  Short and simple passwords are almost guaranteed to be in the list of potential passwords.  You want a "strong" password to avoid being on that list. 

A brute force attack is pretty much what it sounds like - they keep trying to login and use the same list of potential passwords they would in a dictionary attack.  This is way slower as they need to do it one at a time.  Typically, "bots" are used to do it and they don't keep trying the same username on each try to prevent getting the account locked. 

Phishing is the easiest way to get a password - just trick the user into giving it to you with a fake login screen or a phone call where they ask you for your password to "fix" your account.

Let me know if this makes sense...
This is an excellent and concise explanation of how passwords work in systems. Thank you for this!

This also explains why the time-out function is less than useful to prevent attacks once a checksum has been obtained.

I had a client who lawfully had a phone and PC cloned with the intent of proving the owners of said equipment had improperly obtained and transmitted data inappropriately. The equipment had encrypted files on them and the task was to get the data unencrypted for use in a civil case.

In this case they used a dictionary attack with little success. BTW the article I linked describes the dictionary attacks the RCMP used in this matter.

However in the case in which I took part I looked through the contact files and searched for the term "PW" and "ID". It turned up a contact buried in the file that had a long list of old passwords and ID. None were the password needed but by using combinations of this password logic the software came up with the real password very quickly.

The human is always the weak link in the chain of security and this otherwise savvy person kept a log of old passwords and continued to use variations of the same password. Granted it was 25 characters long but the core password was the same. So he had to write it somewhere to assist him.

BTW the phone was cloned remotely as was the PC when the person plugged the PC into the network. The client who was his employer owned both pieces of equipment and thus had a right to access anything on their network. The subject did not even know his data had been cloned.


 

Zed hunter

My password is based on chemical formulas. 

Z.O.R.G.

Quote from: MacWa77ace on January 11, 2024, 08:07:10 AM
It still sounds like a lot of effort, this is for a company with a lot of employees? Or a member type website like a bank or online store? Not an individual's computer.

SW/Web developers are LAZY and reuse everything they can.  All it takes is one developer to create the login screen & logic behind it, then you just keep reusing it.  If I were to go out and buy at commercial prices a SW development suite and it DIDN'T have a configurable login library function, I'd never use that provider again.  The code to manage the hashes and maintain the user table is like Prego - It's in there.  

As Raptor mentioned, variations on passwords can be dangerous, especially if you store them in the open.  One thing hackers do is share new passwords they've found, so the list of "potential" passwords is always growing.  

If you're going to store passwords on a computer that you're concerned about being compromised, I'd suggest something like TrueCrypt.  It creates an encrypted file that when opened looks like a drive.  


MacWa77ace

Quote from: Z.O.R.G. on January 11, 2024, 01:03:02 PM
If you're going to store passwords on a computer that you're concerned about being compromised, I'd suggest something like TrueCrypt.  It creates an encrypted file that when opened looks like a drive. 

But you probably have to password protect that file.

What about those password managers? I use them for my company's web-based apps to autofill the passwords, or on other unimportant sites like UFoZS. But that's all I ever use those for, I'm worried about losing access to those managers.

There's a way to make an invisible folder on Windows to hide stuff. Let's see if I can remember how to do it.

1. Create a new folder on your desktop and after you do that windows puts you in the rename folder field automatically.
2. When in that field press hold ALT and then type 255 then Enter. That makes it a nameless folder.
3. Then move the folder to a spot on your desktop you can remember where it is without seeing it, and right click on the folder.
4. Then select Properties >> Customize >> CHANGE ICON
5. Then select the BLANK ICON
INVISIBLE  :shades:

Then you can put secret files in there.
I don't think you can do that if your HDD is backed up/sync'd to a cloud server as they don't allow nameless folders.



Raptor

If you have data that you do not want anyone to find the best thing to do is keep it on an external device off of your equipment. I use an "air gap" server and external SSD for data that I do not want accessible to anyone. It is still subject to theft, loss, seizure and other physical damage but the bad actors need to find the physical media. 
I have a file server that must be plugged into the network when the data is needed, hence the air gap. It has no full-time Cat 6 cable connection to any network. That is a royal PITA and does not guarantee that some malware may not access the data when it is connected to the network, but it does limit exposure time.

That and I use several SSD hard drives like this to store my work product while I work with it daily.

https://www.amazon.com/SAMSUNG-Portable-SSD-1TB-MU-PC1T0T/dp/B0874XN4D8/ref=sr_1_16?crid=8Q66P0A5SNPN&dib=eyJ2IjoiMSJ9.Eg4itTgRKqvI887S7KJynHaMf-mVIj7tZ_ntjoicOpj5n7yOXkwg-c9URHDem6ijTx4dxu0qYDlBMxoGJjSAkg.B1RES_ppOqcI6FF-WFz1IrA_QJPa-1HWrfdCja5kkH4&dib_tag=se&keywords=1%2Btb%2Bexternal%2Bhard%2Bdrive&qid=1705012778&sprefix=1%2Btb%2B%2Caps%2C132&sr=8-16&th=1
 

Still I need to encrypt the data stored and that requires a password. So... back to the OP a strong password can work.

Moab

Quote from: Z.O.R.G. on January 11, 2024, 01:03:02 PM
Quote from: MacWa77ace on January 11, 2024, 08:07:10 AM
It still sounds like a lot of effort, this is for a company with a lot of employees? Or a member type website like a bank or online store? Not an individual's computer.

SW/Web developers are LAZY and reuse everything they can.  All it takes is one developer to create the login screen & logic behind it, then you just keep reusing it.  If I were to go out and buy at commercial prices a SW development suite and it DIDN'T have a configurable login library function, I'd never use that provider again.  The code to manage the hashes and maintain the user table is like Prego - It's in there. 

As Raptor mentioned, variations on passwords can be dangerous, especially if you store them in the open.  One thing hackers do is share new passwords they've found, so the list of "potential" passwords is always growing. 

If you're going to store passwords on a computer that you're concerned about being compromised, I'd suggest something like TrueCrypt.  It creates an encrypted file that when opened looks like a drive. 


I use TrueCrypt. Funny story. I had everything backed up to an external drive. Business and personal. With a 32-character password - encrypted with TrueCrypt. The best I could do at the time was write the password down. And hide the paper. I had just had surgery on my back. And was on painkillers. 

It must have been a great hiding place. Because to this day I still have the external drive. And never found the paper. I've been waiting for a decryption method that was not incredibly expensive. Have not found one. (If anyone has any ideas I'm all ears! Lol!) I had just backed everything up a week or so prior. So I didn't lose a lot. But I did lose some stuff I'd like to get back. 

Currently I use external drives for everything. And an encrypted password manager. I was using LastPass. But I think even they got hacked awhile back IIRC. You were able to download and print out a text file of all your passwords. I would print it out from time to time and keep it in my safe. 

Anything super sensitive I keep encrypted on thumb drives in a safe. But again. There is a password to deal with. 
"Ideas are more dangerous than guns. We don't let our people have guns. Why would we let them have ideas?" Josef Stalin
