# Think your passwords are secure enough?



## qubit (Aug 11, 2016)

Watch these two videos and learn why your password for important logins is likely too insecure and just how easy they are to crack with powerful PCs. By important logins I mean things like online banking, online stores like Amazon, PC login at work etc. Change it now.

It should be a minimum of 9 characters, have special characters in it and try not to use dictionary words. Upper and lower case mix really helps too.

Oh and _*NEVER*_ use the same password on more than one login.

It's all in the videos.


----------



## Ferrum Master (Aug 11, 2016)

Well... I will say just one thing: everything made by man can be broken....


----------



## Solaris17 (Aug 11, 2016)

Honestly, a lot of this stuff is irrelevant. I mean not in the way you think: absolutely you should be using stronger passwords, changing them every few months, and definitely use different ones for different things. But that said, no one is sitting in their basement brute forcing my TPU account with 4 Titans. Most attacks with password theft usually involve a breach of the database itself. At least in high profile things.


----------



## qubit (Aug 11, 2016)

Solaris17 said:


> But that said, no one is sitting in their basement brute forcing my TPU account with 4 Titans.


Agreed, the TPU account isn't worth doing, along with most other forums, which is why I didn't list it in the examples. Only logins that would cause one real trouble if they were compromised.


----------



## silentbogo (Aug 11, 2016)

MD5 is a bad example. 
Many moons ago I could do collision cracking with my 74GB rainbow table collection on an old Dell laptop (even had it on DVDs).
That was sufficient for mixed-case alphanumeric passwords up to 13 symbols long.
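Added example, not part of silentbogo's post or anyone else's in the thread: why unsalted MD5 is the bad example. A precomputed table only works because every site and every user hashes the same password to the same value; a per-user salt makes the table useless, and an iterated KDF makes each remaining guess slow. The wordlist, the user database and the iteration count below are constructed for the illustration, and the slowdown figure is a local timing, so it is only indicative.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2. An assumption for this example; in production tune it so one
# verification costs on the order of 100 ms on the login server.
PBKDF2_ITERATIONS = 100_000

# Constructed stand-in for the multi-million-entry wordlists built from breach dumps.
WORDLIST = ["123456", "password", "Password1", "sonysony", "qwerty123", "letmein"]


def md5_unsalted(password):
    """Legacy storage: the same password gives the same hash for every user on every site,
    so one precomputed table (or one pass over a wordlist) cracks all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated storage: a random per-user salt defeats precomputation and the
    iteration count makes every guess cost the attacker as much as it costs the server."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare


def precomputed_table(wordlist):
    """What a rainbow table boils down to for this purpose: hash -> password, computed once."""
    return {md5_unsalted(w): w for w in wordlist}


def crack_with_table(user_hashes, table):
    """Lookup attack: one dictionary lookup per stored hash, however many users there are."""
    return {user: table[h] for user, h in user_hashes.items() if h in table}


def guesses_per_second(hash_func, seconds=0.2):
    """Rough single-core guess rate for a hashing function (timing, so only indicative)."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_func("Password1")
        count += 1
    return count / (time.perf_counter() - start)


def demo():
    # Constructed user database; two users share a password, as happens in every real dump.
    users = {"alice": "Password1", "bob": "Password1", "carol": "sonysony", "dave": "x9$Lq2!ZtVw"}
    table = precomputed_table(WORDLIST)

    md5_db = {u: md5_unsalted(p) for u, p in users.items()}
    pbkdf2_db = {u: pbkdf2_store(p) for u, p in users.items()}

    fixed_salt = b"\x00" * 16  # timing only; real storage uses os.urandom as above
    slowdown = guesses_per_second(md5_unsalted) / guesses_per_second(lambda p: pbkdf2_store(p, fixed_salt))

    return {
        "md5_cracked": crack_with_table(md5_db, table),        # alice, bob and carol fall instantly
        "pbkdf2_cracked": crack_with_table(pbkdf2_db, table),  # nothing: the table does not apply
        "same_password_same_md5": md5_db["alice"] == md5_db["bob"],
        "same_password_different_pbkdf2": pbkdf2_db["alice"] != pbkdf2_db["bob"],
        "pbkdf2_slowdown_factor": slowdown,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the defender is that the user never sees any of this: whether a leaked database costs the attacker a lookup per user or a hundred thousand hash iterations per guess is decided entirely by how the site stores passwords, which is why "I have no idea how they're hashed" is the right worry.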


----------



## verycharbroiled (Aug 11, 2016)

If possible, I prefer to use a half dozen or so dictionary words as a password.


----------



## Ferrum Master (Aug 11, 2016)

silentbogo said:


> Many moons ago I could do collision cracking with my 74GB rainbow table collection on an old Dell laptop



Aaaannndd.... what did you crack?


----------



## Dethroy (Aug 11, 2016)

I use keepass and its password creator. Would take 'em quite a while to brute force such passwords...


----------



## xorbe (Aug 11, 2016)

Don't reuse a password with a few characters changed at the end somewhere else.  If they crack one password, they can brute-force the last 4-5 characters, if they have only the hash, on a large list.  If they were to target you specifically ... and that's why practically every motorcycle forum moved to 10-char passwords last month.  They got badly owned (like one firm owns the large majority of m/c forums).  At this point, you really, really should be using fully unique passwords.


----------



## silentbogo (Aug 11, 2016)

Ferrum Master said:


> Aaaannndd.... what did you crack?



My coursework in CS


----------



## Kursah (Aug 11, 2016)

Dethroy said:


> I use keepass and its password creator. Would take 'em quite a while to brute force such passwords...



Unless you're doing this, changing your passwords frequently could actually be a detrimental factor in your account(s) being easier to break into. Depends on how creative you are (or aren't, rather...). 

http://arstechnica.com/security/201...-the-enemy-of-security-ftc-technologist-says/

http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf

Not that creating unique passwords is hard to do, but it is better to use something like KeePass that has a better random generator. Makes things a bitch if you don't have an effective way to access or sync your KP database. But if you use encrypted cloud storage and some best practice methods, it can get easier. Just depends on what devices you want to have access to certain services/accounts on, and if you can get used to copy & paste... which really isn't that hard to do, especially if you work in any kind of IT service provider position. 

Good to see this topic come up here on TPU!


----------



## Nabarun (Aug 12, 2016)

I painstakingly (manually) create very large and proper passwords that will take even supercomputers quite a while to break. Unfortunately, a proper password is not the only thing to protect the password. A good deal of knowledge and carefulness is also necessary to be actually (relatively) safe.


----------



## Recon-UK (Aug 12, 2016)

I use a password that uses upper case and numbers and is above 14 characters.
Now, with that said, it's a real thing and they are real words, but they are not in the dictionary and are not slang.
Put it this way: you would need a car enthusiast to know what it actually is, even if strung together correctly on the screen in front of the hacker's face. I use this password for everything and have remained safe for 8 years now.


But i may change it.


----------



## qubit (Aug 12, 2016)

Recon-UK said:


> I use a password that uses upper case and numbers and is above 14 characters.
> Now, with that said, it's a real thing and they are real words, but they are not in the dictionary and are not slang.
> Put it this way: you would need a car enthusiast to know what it actually is, even if strung together correctly on the screen in front of the hacker's face. I use this password for everything and have remained safe for 8 years now.
> 
> ...


Definitely change it. Just because it's something that a car enthusiast would have to understand doesn't mean it will stop it being in a hacker's dictionary. In fact, after 8 years, I guarantee you it is, along with lots of other car enthusiast words you may not have even heard of. These hackers really don't leave any stone unturned to get to our accounts.

Now, it sounds like it's quite a good password other than this, especially with the length. To make it a lot harder to crack, putting symbols in those words sounds like it would be sufficient.

Finally, *don't* use it on multiple sites, and the video explains why. Basically it's to do with leaked password lists when websites get hacked, and one day you might come a cropper because of this. This is advice from a password hacking expert at a university in the video, not just a random forum poster, i.e. me, so I'd heed it if you want to continue being safe.


----------



## xorbe (Aug 12, 2016)

These dictionaries are built from millions of stolen passwords.  Guess what, people seem to think alike a lot of the time ... so the passwords which they think are clever, are actually similar.


----------



## Frick (Aug 12, 2016)

LastPass, 16 random characters (a shocking number of sites have that limitation) yo.

The best option for non technological minded people is probably to generate a bunch of random passwords, print them out as a table and keep it in a desk drawer. If at home I mean.


----------



## FordGT90Concept (Aug 12, 2016)

I use my own program:
https://www.techpowerup.com/forums/threads/random-password-generator.164777/

And relevant:


I hate how so many websites enforce weak passwords.  Two notable exceptions: Valve and Amazon.  They're like 60 characters long.  I have no idea how they're hashed though.  It could mean nothing.


----------



## cornemuse (Aug 12, 2016)

Inasmuch as I have nothing on my computer(s) that is critical/important to me (that I have not already backed up), and no forums online where I would be concerned if someone used those passwords, I really do not need (never needed) or want passwords. If one merely takes an HDD out of a computer and connects it via USB etc. to another computer, one has access to lots of data there anyway...


----------



## Dethroy (Aug 12, 2016)

cornemuse said:


> If one merely takes an HDD out of a computer and connects it via USB etc. to another computer, one has access to lots of data there anyway...


Encrypt the drive?


----------



## R-T-B (Aug 12, 2016)

The best thing you can do is quit worrying so much about your password, and just use some kind of secondary access token, like google auth.

Not that these guidelines aren't relevant, but on their own, against a determined enough hacker, they won't save you.



Dethroy said:


> Encrypt the drive?



I used to work in a data sensitive field.  We used OPAL SEDs from Seagate (self-encrypting drives).  Even if the drive was stolen, it was pretty much useless.


----------



## silentbogo (Aug 12, 2016)

FordGT90Concept said:


> I hate how so many websites enforce weak passwords.  Two notable exceptions: Valve and Amazon.  They're like 60 characters long.  I have no idea how they're hashed though.  It could mean nothing.


Imagine my anger and rage, when I encountered a 12-character max alphanumeric only limit on the online banking system of my previous bank (it was around 2010, so not too long ago)!
It's like they were deliberately trying to compromise their security...

My current bank has an annoying, but more secure, multistage authentication: you log in as usual, and then every time you enter your online banking, or every time you transfer money online, you have to reach for your cellphone to validate each transfer with a PIN code. Some local banks use a slightly easier, but more confusing, system with QR code auth.


----------



## Ahhzz (Aug 12, 2016)

I use too few passwords myself; too many of mine are duplicated across low-concern areas (games forums, here, other similar, non-money accessible type things). But for my more secure areas, I have three 9-character random letter/number/special passwords, which I vary a little with uppercase/lowercase here and there. For my largest concern, I have a 25 character random letter/number password. Nothing special about it, but completely random, and no way to be guessed. They'd have to go the long way to get there, I hope...


----------



## 64K (Aug 12, 2016)

I don't know if this is the norm but I was shocked when an account was given to me to handle where I work. It involved purchases for around 80 locations where people made requests for materials. I was placed as administrator of the account and had access to everyone's account and their passwords. Most of the passwords were fine but there were quite a few that weren't, e.g. one person was using his name as a password. Another was using their location as a password and one joker was actually using 123456 as a password.  All of these people were college graduates. Some with masters and a couple with PhDs. 

I notified the IT department and they modified the login such that it had to be min 8 characters with at least 1 number and 1 of the shift 0-9 characters and they had to change it every 3 months.


----------



## P4-630 (Aug 12, 2016)

silentbogo said:


> Imagine my anger and rage, when I encountered a 12-character max alphanumeric only limit on the online banking system of my previous bank (it was around 2010, so not too long ago)!
> It's like they were deliberately trying to compromise their security...
> 
> My current bank has an annoying, but more secure multistage authentication: you log in, as usual, and then every time you enter your online banking, or every time you transfer money online - you have to reach for your cellphone to validate each transfer with a PIN number. Some local banks use a little easier, but more confusing system with QR code auth.



I use an "Edentifier" for my bank: to log in I have to put my ATM card in it and enter my PIN, which generates a number code.
To transfer money or make an online purchase I must enter my PIN code on the Edentifier, and then there is a code on the website which I must enter in the Edentifier, which generates another number code which I have to enter on the website.
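Added example, not P4-630's bank's actual protocol (EMV CAP readers differ in detail): a simplified model of the two operations described above, a PIN-gated card reader that produces a single-use login code and a transaction-signing response, together with the bank's side of each check. Assumptions made for the model: a per-card HMAC-SHA256 key injected at issuance, HOTP-style truncation to 8 digits, counter-based login codes, and a transaction challenge derived from the destination, amount and a bank nonce. Account numbers and the card ID are constructed.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 8  # length of the codes shown on the reader (assumption for this model)


def truncate_code(mac, digits=CODE_DIGITS):
    """Reduce a MAC to a short decimal code, HOTP-style (RFC 4226 dynamic truncation)."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CardReader:
    """The chip card in the reader: holds a per-card secret that never leaves the card
    and refuses to compute anything until the correct PIN has been entered."""

    def __init__(self, card_id, key, pin, max_pin_failures=3):
        self.card_id = card_id
        self._key = key
        self._pin = pin
        self._pin_failures = 0
        self._max_pin_failures = max_pin_failures
        self.counter = 0  # login codes are counter-based, so each one is single-use

    def _check_pin(self, pin):
        if self._pin_failures >= self._max_pin_failures:
            raise PermissionError("card blocked after too many wrong PINs")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._pin_failures += 1
            raise PermissionError("wrong PIN")
        self._pin_failures = 0

    def login_code(self, pin):
        self._check_pin(pin)
        self.counter += 1
        msg = b"login" + self.counter.to_bytes(4, "big")
        return truncate_code(hmac.new(self._key, msg, hashlib.sha256).digest())

    def sign_challenge(self, pin, challenge):
        self._check_pin(pin)
        msg = b"sign" + challenge.encode()
        return truncate_code(hmac.new(self._key, msg, hashlib.sha256).digest())


class Bank:
    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def enrol(self, card_id, key):
        self._keys[card_id] = key
        self._last_counter[card_id] = 0

    def verify_login(self, card_id, code, look_ahead=5):
        key = self._keys[card_id]
        last = self._last_counter[card_id]
        for counter in range(last + 1, last + 1 + look_ahead):
            msg = b"login" + counter.to_bytes(4, "big")
            expected = truncate_code(hmac.new(key, msg, hashlib.sha256).digest())
            if hmac.compare_digest(expected, code):
                self._last_counter[card_id] = counter  # this and older codes are now dead
                return True
        return False

    @staticmethod
    def challenge_for(transfer):
        """The code shown on the website is derived from the exact transfer the bank will execute."""
        msg = f"{transfer['to']}|{transfer['amount_cents']}|{transfer['nonce']}".encode()
        return truncate_code(hashlib.sha256(msg).digest())

    def verify_transfer(self, card_id, transfer, response):
        msg = b"sign" + self.challenge_for(transfer).encode()
        expected = truncate_code(hmac.new(self._keys[card_id], msg, hashlib.sha256).digest())
        return hmac.compare_digest(expected, response)


def demo():
    key = secrets.token_bytes(32)  # shared between card and bank at issuance
    card = CardReader("card-001", key, "1234")
    bank = Bank()
    bank.enrol("card-001", key)
    results = {}

    code = card.login_code("1234")
    results["login_ok"] = bank.verify_login("card-001", code)
    results["login_replay_rejected"] = not bank.verify_login("card-001", code)

    transfer = {"to": "NL00BANK0000000001", "amount_cents": 12_500, "nonce": secrets.token_hex(8)}
    response = card.sign_challenge("1234", bank.challenge_for(transfer))
    results["transfer_ok"] = bank.verify_transfer("card-001", transfer, response)

    # A man-in-the-middle swapping the destination after the user signed: challenge no longer matches.
    tampered = dict(transfer, to="NL00EVIL0000000666")
    results["tampered_rejected"] = not bank.verify_transfer("card-001", tampered, response)

    try:
        card.sign_challenge("0000", bank.challenge_for(transfer))
        results["wrong_pin_rejected"] = False
    except PermissionError:
        results["wrong_pin_rejected"] = True
    return results
```

The second code is what makes this more than a login token: the response is bound to the transfer the bank will actually execute, so an attacker who alters the destination after the user has signed gets a rejection. The caveat is that in the model above the challenge comes from the website, so an attacker who controls the browser can present the challenge for a different transfer and hope the user signs it without checking; that is why some readers have the user type the amount and destination account into the reader itself rather than a code copied from the screen.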


----------



## silentbogo (Aug 12, 2016)

P4-630 said:


> I use an "Edentifier" for my bank: to log in I have to put my ATM card in it and enter my PIN, which generates a number code.
> To transfer money or make an online purchase I must enter my PIN code on the Edentifier, and then there is a code on the website which I must enter in the Edentifier, which generates another number code which I have to enter on the website.


----------



## P4-630 (Aug 12, 2016)

silentbogo said:


>



Not sure why you need to laugh at that.
It's safe and it works!


----------



## lorraine walsh (Aug 23, 2016)

Previously I used to have my mobile number as my password and then my DOB (I know, dumb, right?). Then I got taught a lesson by my roommate, as she had access to my private messages and all without my knowing. Anywho, passwords are like the locks on your house doors, so you gotta make them pretty tough and hard to break. My advice would be to use punctuation, especially in the beginning, use both caps and small letters, and include numbers.


----------



## Ferrum Master (Aug 23, 2016)

lorraine walsh said:


> my roommate as she had access to my private messages



Best solution is not to keep private messages at all... anywhere... read and delete. Thus no headache at all.


----------



## lorraine walsh (Aug 24, 2016)

Ferrum Master said:


> Best solution is not to keep private messages at all... anywhere... read and delete. Thus no headache at all.


Yes, you are right, but sometimes it becomes essential/necessary to store your files, photos, videos and other stuff that cannot be deleted. So you've got to protect that stuff.


----------



## Ferrum Master (Aug 24, 2016)

lorraine walsh said:


> Yes you are right but sometimes it becomes essential/necessity to store your files, photos, videos and other stuff that can not be deleted. So you got to protect that stuff.



You didn't get the point.

If you have something that "private" that needs hiding from others, then act properly. People are very irresponsible about their data. Deleting such things always works best! Burning "those" letters has been a good habit since the dark ages. Leaving such data on social portals is like inviting someone to rob you, actually, and sooner or later it will leak if someone really wants your dirty laundry. Just don't leave anything; purge. Neither on a phone (which eventually will die on you anyway) nor on the PC.

I am not talking about the sentimental rubbish like loads of the same meaningless media, actually; nobody cares for that. I also don't hold anything from it on my PC, nor on daily online accounts with cloud storage access etc. Everything is in order and stored on a separate account (zipped with an additional password) and a double backup on an encrypted hard drive lying on the shelf.

And I say it once again: don't create meaningless things, wasting your time in the past... like having no memory at all...


----------



## Frick (Aug 25, 2016)

P4-630 said:


> Not sure why you need to laugh at that.
> It's safe and it works!



My bank uses the same thing, and it's not as cumbersome as you'd think. It's made obsolete by bank apps though.


----------



## Caring1 (Aug 25, 2016)

P4-630 said:


> Not sure why you need to laugh at that.
> It's safe and it works!


It seems a very roundabout way just to access your money online.
I do all my transactions online through my bank and they use a virtual keyboard that you click on with your mouse; that way no keystrokes are recorded and hackers would have to have remote access to see what is happening.


----------



## Nobody99 (Aug 25, 2016)

64K said:


> I notified the IT department and they modified the login such that it had to be min 8 characters with at least 1 number and 1 of the shift 0-9 characters and they had to change it every 3 months


Changing passwords periodically was proven to be detrimental and I have to agree; if I were a teacher in a school I would have that never-old password written in my notes on a smartphone.



Frick said:


> My bank uses the same thing, and it's not as cumbersome as you'd think. It's made obsolete by bank apps though.


I also use the same; you have to get that code from that electronic device two times, and the second time helps mitigate MITM attacks. I know some people still have the Identifier which shows you the code as soon as you turn it on without entering a PIN, which is really insecure. Bank apps are neat but I don't consider a smartphone safe, especially with outdated Android; I never use an SSH client on Android or similar because it is just too alien.

I have to criticize Mozilla for their way of handling passwords: if you use a master password you have to enter it every time you want to access a stored password, which is really tiresome, and it would be a lot better if it entered passwords automatically without entering the master password every time. I think KeePass has this feature, and this feature is the only feature that encourages me to store passwords securely (when I get around to it).

One thing to remember is that passwords won't save you from vulnerability in the system, all those jailbreaks, hacks on devices are usually done through an exploit which basically bypasses the encryption.


----------



## Easy Rhino (Aug 25, 2016)

Uh, it is pretty hard to brute force a bank account because they are pretty much required to lock the account after a certain amount of failures. Like Solaris said, passwords are stolen, not hacked.
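Added example, not from the thread: a model of the lockout Easy Rhino refers to, and of what it does and does not stop. Per-account lockout shuts down the "many guesses on one account" attack, but it does nothing against one guess per account across thousands of accounts (credential stuffing with a leaked list), which is why a throttle on the guessing source is also needed, and why neither stops a distributed attacker with a correct password. Thresholds, lock durations and the addresses are assumptions chosen for the illustration, not any bank's policy; the clock is faked so the simulation is deterministic.

```python
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example, not a real bank's settings.
ACCOUNT_FAILURE_LIMIT = 5      # failures on one account before it is locked
SOURCE_FAILURE_LIMIT = 20      # failures from one source address before it is throttled
WINDOW_SECONDS = 15 * 60       # failures older than this no longer count
MAX_LOCK_SECONDS = 60 * 60


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._account_failures = defaultdict(deque)
        self._source_failures = defaultdict(deque)
        self._locked_until = {}

    def _recent(self, failures, now):
        """Drop timestamps outside the window and return how many remain."""
        while failures and failures[0] <= now - WINDOW_SECONDS:
            failures.popleft()
        return len(failures)

    def allow(self, account, source):
        """Decide before the password is checked, so a locked account costs no hash work."""
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return False, "account locked"
        if self._recent(self._source_failures[source], now) >= SOURCE_FAILURE_LIMIT:
            return False, "source throttled"
        return True, "ok"

    def record(self, account, source, success):
        now = self._clock()
        if success:
            self._account_failures[account].clear()
            return
        self._account_failures[account].append(now)
        self._source_failures[source].append(now)
        failures = self._recent(self._account_failures[account], now)
        if failures >= ACCOUNT_FAILURE_LIMIT:
            # Escalating lock: 1 min, 2 min, 4 min, ... capped at MAX_LOCK_SECONDS.
            lock = min(60 * 2 ** (failures - ACCOUNT_FAILURE_LIMIT), MAX_LOCK_SECONDS)
            self._locked_until[account] = now + lock


class FakeClock:
    """Deterministic stand-in for time.monotonic in the simulations below."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_password_brute_force(attempts=8):
    """One account, repeated wrong guesses from one source (address from the RFC 5737 test range)."""
    clock, throttle = FakeClock(), LoginThrottle(FakeClock())
    throttle._clock = clock
    outcomes = []
    for _ in range(attempts):
        ok, reason = throttle.allow("alice", "203.0.113.9")
        outcomes.append(reason)
        if ok:
            throttle.record("alice", "203.0.113.9", success=False)
        clock.advance(1)
    return outcomes


def simulate_credential_stuffing(accounts=30):
    """One wrong guess per account from one source: the per-account lock never trips, the source limit does."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    allowed = 0
    for i in range(accounts):
        ok, _ = throttle.allow(f"user{i}", "198.51.100.7")
        if ok:
            allowed += 1
            throttle.record(f"user{i}", "198.51.100.7", success=False)
        clock.advance(1)
    return allowed


if __name__ == "__main__":
    print(simulate_password_brute_force())   # five "ok", then "account locked"
    print(simulate_credential_stuffing())    # 20 guesses get through before the source is throttled
```

Note the trade-off the account lock introduces: anyone who knows your username can lock you out by guessing wrong five times, which is one reason banks escalate delays rather than lock permanently, and why the real protection against a leaked list is that the leaked password is not also your banking password.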


----------



## Fx (Aug 25, 2016)

Dethroy said:


> I use keepass and its password creator. Would take 'em quite a while to brute force such passwords...



Roboform is awesome. I have been using it for 6+ years. It integrates into all major browsers and still has a way to manually view and edit account information like Keepass. It also does many more convenient tasks such as auto-filling your home address and other such information like for website registration.


----------



## BiggieShady (Aug 25, 2016)

Frick said:


> It's made obsolete by bank apps though.


This ^^ 
Also, I'll leave this here related to password complexity


----------



## Vayra86 (Aug 25, 2016)

qubit said:


> Watch these two videos and learn why your password for important logins is likely too insecure and just how easy they are to crack with powerful PCs. By important logins I mean things like online banking, online stores like Amazon, PC login at work etc. Change it now.
> 
> It should be a minimum of 9 characters, have special characters in it and try not to use dictionary words. Upper and lower case mix really helps too.
> 
> ...



I look at this differently.

I expect my bank to have sufficient failsafes and redundancy, and in case of a breach, to compensate for damages. It's not like I have a responsibility here to be 'in the loop' with regards to the latest developments in cracking and hacking techniques.

I pay for this responsibility to be taken by the service provider. And wherever I am not paying, losing the account would not be important enough to warrant a complicated login procedure every time I use it.

End of story


----------



## Ahhzz (Aug 25, 2016)

BiggieShady said:


> This ^^
> Also, I'll leave this here related to password complexity
> View attachment 78266


I've seen this before, and it amused the hell out of me, but I never really got the math they used. I redid it just now, and by my logic (52 letters, upper and lower, 10 numbers, and 10 special characters, assuming an 11-place password, random anywhere), brute forcing at 3000 guesses per sec would come to 3.85e+63 days, or 1e+61 years....  Even with an i7 2600K running John the Ripper, at almost 2 million keys a sec, you're at 520,000 years....  

Nice site here, to make yourself feel a little more secure if you're going total random on your passwords..

http://calc.opensecurityresearch.com/


----------



## Ahhzz (Aug 25, 2016)

Vayra86 said:


> I look at this differently.
> 
> I expect my bank to have sufficient failsafes and redundancy, and in case of a breach, to compensate for damages. It's not like I have a responsibility here to be 'in the loop' with regards to the latest developments in cracking and hacking techniques.
> 
> ...


I understand, and agree, that the bank or whomever you're storing your goods and info, should be required to maintain some level of security standards. But, I think we could all agree that there's no reasonable way that any one institution could be expected, to stay on top of all the little nightmarish games that are played in the security hell we digitally exist in. 

However, it's on me if I'm logging into their site without taking some modicum of protective measures from my end. If they get hacked? It's on them for not protecting my data, even if my password is "qwerty123" (reminds me to change that....), but if they're not hacked, and my info gets stolen on the way, sniffed from my keyboard to their front door? That's on me.


----------



## BiggieShady (Aug 25, 2016)

Ahhzz said:


> but I never really got the math they used.


The low total number of bits of entropy for the first case is a result of the password guessing algorithm using a dictionary of non-gibberish uncommon words, varying replacement characters and adding different suffixes.


----------



## qubit (Aug 25, 2016)

Vayra86 said:


> I look at this differently.
> 
> I expect my bank to have sufficient failsafes and redundancy, and in case of a breach, to compensate for damages. It's not like I have a responsibility here to be 'in the loop' with regards to the latest developments in cracking and hacking techniques.
> 
> ...



You can't abdicate responsibility like that. Saying this suggests to me that you don't understand how computer security works. There's no silver bullet and everyone has to play their part to keep safe from attackers.

@Ahhzz +1 nicely said.


----------



## Frick (Aug 26, 2016)

Banks using just password logins were never proper. I don't think any bank here (Sweden) ever used that system, they went for card readers from the start.

Anyway, phones and tablets are definitely part of the problem. That 16 character random phrase with numbers/letters/symbols might be fine on a keyboard, but not on a phone. And password managers are fine, but at least LastPass costs money on mobile, and you're bound to always be logged in anyway, so if your device gets stolen/lost you're screwed. My next phone will definitely have biometrics.


----------



## qubit (Aug 26, 2016)

Frick said:


> Banks using just password logins were never proper. I don't think any bank here (Sweden) ever used that system, they went for card readers from the start.
> 
> Anyway, phones and tablets are definitely part of the problem. That 16 character random phrase with numbers/letters/symbols might be fine on a keyboard, but not on a phone. And password managers are fine, but at least LastPass costs money on mobile, and you're bound to always be logged in anyway, so if your device gets stolen/lost you're screwed. My next phone will definitely have biometrics.


Agreed, a bank login must have a one time pad 2 factor device or I don't bank online, end of story. A while back I considered changing my current account to a better one, but none of the other banks with decent offers had a one time pad device, so I passed. Identity theft and financial loss would be nightmares that overshadow any potential better offers on a bank account.

My bank offers a "convenient" password entry only mode for read only access, which I would have to enable in order to use it. I haven't and I won't.

I wouldn't trust an Android device of any type, even the purest Nexus devices with my bank login credentials. iPhones and iPads seem to be more secure, with Apple's walled garden paying off here, but I'm still not sure how much I'd trust them.


----------



## Ubersonic (Aug 26, 2016)

qubit said:


> It should be a minimum of 9 characters, have special characters in it and try not to use dictionary words. Upper and lower case mix really helps too.



Lol.

From 1997-2014 my Yahoo Mail password was sonysony, and I only added the second sony because they raised the minimum character count.  Brute forcing of passwords simply isn't a thing and hasn't been for decades.

Seriously, "purplefartpants" is just as secure as "AwEs0m3!" and much easier to remember.  When people get their Twitter/Facebook hacked it's due to malware or social engineering, not because somebody wrote a script to spam the login server with their email address and passwords randomly generated from every possible character combination.


----------



## Ahhzz (Aug 26, 2016)

Ubersonic said:


> Lol.
> 
> From 1997-2014 my Yahoo Mail password was sonysony, and I only added the second sony because they raised the minimum character count.  *Brute forcing of passwords simply isn't a thing and hasn't been for decades*.
> 
> Seriously, "purplefartpants" is just as secure as "AwEs0m3!" and much easier to remember.  When people get their Twitter/Facebook hacked it's due to malware or social engineering, not because somebody wrote a script to *spam the login server with their email address and passwords randomly generated from every possible character combination.*



There's so much fail in that statement, especially since the second highlighted part is a basic definition of brute-force cracking. I had to deal with a server most of yesterday morning that had been brute-forced on the RDP port. 

"Seriously?" The adults are talking here.


----------



## Ubersonic (Aug 26, 2016)

Ahhzz said:


> There's so much fail in that statement



Care to point out what you disagree with instead of just trash talking the post?



Ahhzz said:


> the second one highlighted is a basic definition of brute force cracking.



Yeah, that's why I wrote it lol.


----------



## Ahhzz (Aug 26, 2016)

Ubersonic said:


> Care to point out what you disagree with instead of just trash talking the post?



I already did.

"_I had to deal with a server most of yesterday morning that had been brute forced on the RDP port. _" Just because you used a pitiful password for years and didn't get busted doesn't mean that the reality is any different. There's a reason that tools like Brutus, Cain and Abel, and John the Ripper are still in use: brute forcing is still effective.



Ubersonic said:


> Yeah, that's why I wrote it lol.


I wrote something longer, just dumped it. The reason I quoted the second part, is I gave you the benefit of the doubt, assuming you didn't know what brute forcing was, and yet still put the definition later in your statement. The fact that you know what it is, and still made the statement... just makes it worse....


----------



## qubit (Aug 26, 2016)

Ubersonic said:


> Lol.
> 
> From 1997-2014 my Yahoo Mail password was sonysony, and I only added the second sony because they raised the minimum character count.  Brute forcing of passwords simply isn't a thing and hasn't been for decades.
> 
> Seriously, "purplefartpants" is just as secure as "AwEs0m3!" and much easier to remember.  When people get their Twitter/Facebook hacked it's due to malware or social engineering, not because somebody wrote a script to spam the login server with their email address and passwords randomly generated from every possible character combination.


I see you like to live dangerously. 

There are two videos in my OP made by experts on computer security where I got that statement from, but I'm really glad that you know better and are educating everyone to use weak, easily hackable passwords. Nice one.


----------



## Ubersonic (Aug 26, 2016)

Ahhzz said:


> I already did.
> 
> "_I had to deal with a server most of yesterday morning that had been brute forced on the RDP port. _"



Fine I will rephrase, Brute forcing of passwords simply isn't a thing anymore and hasn't been for decades, with the obvious exception of random unsecured servers that the general public won't be accessing anyway.

Your argument is like saying everyone should wear asbestos fire suits because you know a guy who jumped in a volcano.

I'm not saying there's no need to have a long password on a server admin account, just that complex passwords for email, Facebook, shopping sites, etc are pointless and the sites simply ask for them because it's become "the way" due to the fear of brute forcing vastly outliving the threat of it.




qubit said:


> I see you like to live dangerously.



It's not really living dangerously when the danger is negated; Yahoo's servers have been immune to brute force since before PlayStation was a word.  Filling passwords with random characters just makes them harder to remember and in many cases easier to break (if breaking them was a viable option).

Like I said, almost all hacking these days is done by acquiring passwords either using social engineering or malware/spyware.  If an account is compromised due to a brute force attack that is 100% the fault of the two bit organisation who got brute forced, not the user who gave them more credit than they deserved.




qubit said:


> I'm really glad that you know better and are educating everyone to use weak, easily hackable passwords. Nice one.



Random note, in my example ("purplefartpants" is just as secure as "AwEs0m3!") the one with the numbers/capitals/! is actually significantly weaker.
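Added example, not from the thread: a miniature of the dictionary-plus-rules attack BiggieShady describes earlier (replacement characters, case patterns, suffixes), followed by a combinator pass over the same list, run against unsalted MD5 hashes. The wordlist, substitution table and suffix list are constructed stand-ins for the breach-derived lists and rule sets real cracking tools ship with. It is the concrete version of the disagreement above: with a list that contains the base words, "AwEs0m3!" falls in the first pass and "purplefartpants" in the three-word combinator pass, so which of the two is stronger depends on whether its words are in the attacker's list and how long the list is, not on the character classes it uses.

```python
import hashlib
import itertools

# Constructed wordlist standing in for the multi-million-entry lists built from breach dumps.
WORDLIST = ["awesome", "password", "sony", "purple", "fart", "pants", "dragon", "summer"]
LEET = {"a": "@4", "e": "3", "i": "1", "o": "0", "s": "$5"}   # common replacements
SUFFIXES = ["", "!", "1", "123", "!1", "2016"]                 # common appendages


def md5_hex(text):
    """Unsalted MD5, as found in the leaked databases the thread discusses."""
    return hashlib.md5(text.encode()).hexdigest()


def leet_variants(word):
    """Every combination of leaving a letter alone or swapping it for one of its replacements."""
    options = [(ch,) + tuple(LEET.get(ch, "")) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word):
    """Every upper/lower pattern over the characters that are still letters."""
    options = [(ch.lower(), ch.upper()) if ch.isalpha() else (ch,) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def mangle(word):
    """Dictionary word -> all rule-generated candidates (replacements x case x suffix)."""
    for leet in leet_variants(word.lower()):
        for cased in case_variants(leet):
            for suffix in SUFFIXES:
                yield cased + suffix


def combinator(words, count):
    """Concatenate `count` list words: the pass that covers 'word word word' passphrases."""
    for combo in itertools.product(words, repeat=count):
        yield "".join(combo)


def crack(target_hex, words=WORDLIST, max_words=3):
    """Return (candidate, attempts) for the first candidate whose MD5 matches, else (None, attempts)."""
    attempts = 0
    for word in words:
        for candidate in mangle(word):
            attempts += 1
            if md5_hex(candidate) == target_hex:
                return candidate, attempts
    for count in range(2, max_words + 1):
        for candidate in combinator(words, count):
            attempts += 1
            if md5_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    for pw in ["AwEs0m3!", "purplefartpants", "sonysony", "Dragon123", "x9$Lq2!ZtVw"]:
        found, n = crack(md5_hex(pw))
        print(f"{pw:16s} -> {found!r} after {n} guesses")
```

The rule set here is deliberately tiny; the real ones encode years of observed human habits, which is why xorbe's point that people "think alike" matters more than any complexity rule. The only candidate above that survives is the one with no words in it at all.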


----------



## droopyRO (Aug 26, 2016)

Frick said:


> My next phone will definitely have biometrics


About this, I never used that technology. Do they, for instance, remember the prints from multiple digits of your hand or just one? What if you are in an accident and you get your fingers burned and that is the only authentication method you can use to access that phone, tablet, whatever?


----------



## qubit (Aug 26, 2016)

droopyRO said:


> About this, I never used that technology. Do they, for instance, remember the prints from multiple digits of your hand or just one? What if you are in an accident and you get your fingers burned and that is the only authentication method you can use to access that phone, tablet, whatever?


An iPhone or iPad will store up to 5 prints and also let you set an optional passcode as a backup.


----------



## P4-630 (Aug 26, 2016)

droopyRO said:


> About this, I never used that technology. Do they, for instance, remember the prints from multiple digits of your hand or just one? What if you are in an accident and you get your fingers burned and that is the only authentication method you can use to access that phone, tablet, whatever?



My mom had this on her previous Acer laptop and it's on her new Asus laptop (she didn't buy it because of it).
I tried it on her previous Acer laptop, could log in with a finger scan, never used it permanently.
Nice feature but she doesn't use it.

I also think it's risky to use it since your fingerprints can get "damaged" from work/household work, winters/summers etc.


----------



## CAPSLOCKSTUCK (Aug 26, 2016)

droopyRO said:


> About this, I never used that technology. Do they, for instance, remember the prints from multiple digits of your hand or just one? What if you are in an accident and you get your fingers burned and that is the only authentication method you can use to access that phone, tablet, whatever?






Jealous wife busted Foreign Office diplomat hubby’s affair after unlocking phone using thumbprint while he was ASLEEP
https://www.thesun.co.uk/news/16109...g-phone-using-thumbprint-while-he-was-asleep/


----------



## Caring1 (Aug 26, 2016)

CAPSLOCKSTUCK said:


> Jealous wife busted Foreign Office diplomat hubby’s affair after unlocking phone using thumbprint while he was ASLEEP
> https://www.thesun.co.uk/news/16109...g-phone-using-thumbprint-while-he-was-asleep/


So what did she get charged with?
Surely that's not legal, accessing his finger prints while asleep, and his personal property.


----------



## qubit (Aug 26, 2016)

P4-630 said:


> I also think it's risky to use it since your fingerprints can get "damaged" from work/household work, winters/summers etc.


Yup, that happened to me a fair bit, making fingerprint authentication a little too "secure" for my liking. Had to fallback on the passcode.

@CAPSLOCKSTUCK the headline from our esteemed newspaper reads "green with envoy", lol. I wonder if they'll ever spot their cockup?


----------



## CAPSLOCKSTUCK (Aug 26, 2016)

I would be very, very surprised if she is charged with anything......her "punishment" didn't befit her crime.



Perhaps he should have used a strong password using a strange collection of ch&rEcters


----------



## Nobody99 (Aug 26, 2016)

But who would store their biometric prints on an unsecured device? It is better to just use an NFC chip or something like that that automatically unlocks the system in proximity.


----------



## silentbogo (Aug 26, 2016)

P4-630 said:


> My mom had this on her previous Acer laptop and it's on her new Asus laptop (didn't buy it because of it).
> I tried it on her previous Acer laptop, could login with a finger scan, never used it permanently.
> Nice feature but she doesn't use it.
> 
> I also think it's risky to use it since your fingerprints can get "damaged" from work/household work, winters-summers etc.


On laptops there is a failover in most cases. I had both Acer and LG laptops with a fingerprint reader, and both were based on the AuthenTec capacitive reader.
The built-in software makes multiple scans of all 10 fingers during the initialization process, and you can log in with either one (tested - works). Basically, if you cut/burn/lose one fingertip, you can always use the other ones.
I am not 100% sure, but you may be able to log in with your toes =)
There was also a crappy, but interesting fingerprint-based password manager.




Nobody99 said:


> But who would store their biometric prints on an unsecured device? It is better to just use an NFC chip or something like that that automatically unlocks the system in proximity.


I know that old laptops with capacitive readers work in conjunction with TPM to encrypt data. Not so sure about phones.

NFC and Bluetooth are vulnerable to spoofing.


----------



## dozenfury (Aug 26, 2016)

The main issue with pw and pw theft is that too many people take the bad approach of thinking up a strong pw, but then using that same one everywhere. You really have to create unique passwords everywhere you use. Otherwise the security of it is only as strong as the weakest link, and there is always a weak security db/site out there getting hacked. So where people get in trouble is re-using the same strong password everywhere they login, and then for example a hobby site or similar they login to gets hacked and the hacker then has their pw and usually also email. Then it's simple for them to try those email/pw combos on big bank or shopping sites, etc. and far too often they are in. This is usually what happens (or keylogging), not so much brute force 1980's style anymore.
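The credential-stuffing pattern dozenfury describes has a recognisable shape on the defender's side: one source address trying a different username on nearly every attempt, unlike classic brute force, which hammers a single account. The detector below is an added example, not code from any post in this thread; the log format, addresses, usernames and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real data): one source cycling through
# many accounts with leaked email/password pairs, plus normal user activity.
SAMPLE_LOG = """\
2016-08-26T10:00:01 ip=203.0.113.7 user=alice result=FAIL
2016-08-26T10:00:02 ip=203.0.113.7 user=bob result=FAIL
2016-08-26T10:00:02 ip=203.0.113.7 user=carol result=OK
2016-08-26T10:00:03 ip=203.0.113.7 user=dave result=FAIL
2016-08-26T10:00:04 ip=203.0.113.7 user=erin result=FAIL
2016-08-26T10:00:05 ip=203.0.113.7 user=frank result=OK
2016-08-26T10:00:06 ip=198.51.100.9 user=alice result=FAIL
2016-08-26T10:00:09 ip=198.51.100.9 user=alice result=OK
2016-08-26T10:01:00 ip=192.0.2.44 user=grace result=OK
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(OK|FAIL)")


def find_credential_stuffing(log_text, min_accounts=4, min_fail_ratio=0.5):
    """Flag source IPs that tried at least `min_accounts` distinct usernames
    with at least `min_fail_ratio` of their attempts failing.
    Thresholds are hypothetical starting points and need tuning per site."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "fails": 0, "hits": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ip, user, result = m.groups()
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(user)  # accounts where a reused password worked
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        # Many distinct accounts from one source is the stuffing signature;
        # a single-account brute force would show one user and many fails.
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged


if __name__ == "__main__":
    print(find_credential_stuffing(SAMPLE_LOG))
```

The `compromised` list is the actionable output: those are the accounts whose owners reused a password that is already in an attacker's hands and should be forced through a reset.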


----------



## Nobody99 (Aug 26, 2016)

The thing I was talking about, just used in another way: https://www.nextpowerup.com/news/30...or-grabbing-fingerprints-pictures-of-thieves/

Prints can be replicated.


----------



## BiggieShady (Aug 26, 2016)

Ubersonic said:


> Brute forcing of passwords simply isn't a thing anymore and hasn't been for decades, with the obvious exception of random unsecured servers that the general public won't be accessing anyway.


You are assuming a malicious individual has more incentive to hack your mail account than to gain remote desktop access to an admin account on a server that has huge amounts of bandwidth available ... the important illegal activities ultimately have to originate from a zombie machine.
Even if the most common way of "hacking" someone's account is still by reading the content of a post-it note stuck on his monitor, it doesn't mean that the brute force method is suddenly less viable ... with faster networks it gets more viable, fooling the router's or server's anti-attack heuristics also gets less challenging with all the free VPNs and global networks of zombie machines. Think about it.
It's not like everything is on virtual machines in the cloud (yet) and separated in restricted access subnets ... the internet is a colorful place


----------



## silentbogo (Aug 26, 2016)

About brute-force attacks: It is more viable now than it ever was. If a single machine cannot handle that kind of workload, you can always "employ" more compute power for cheap (or for free).
A few years ago there was an article on XAKEP.RU about using AWS for crypto-workload. Alternatively - botnets (a.k.a. a multi-purpose supercomputer at your fingertips).
Since the OP started with GPU applications in password hacking, it is totally appropriate to mention fake BitCoin pools.

Back in the day there was also a distributed service for RainbowTable "mining" and another one for "sharing" (you upload a partial table ~100MB in size, and they let you decrypt a few MD5 hashes for free by using their extensive library of multilingual mixed password hashes). Can't remember website names, but I don't think they even exist now.
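Why the rainbow tables silentbogo mentions worked against MD5, and what a site can do about it, as an added example (not code from any post here): unsalted MD5 maps a given password to one fixed digest for every user on every site, so a table computed once covers all of them. A per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 is used here as one standard-library option) gives each user a unique mapping and makes every guess cost real work. The usernames and passwords are constructed; the iteration count is a deliberately modest illustrative value.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # illustrative; production deployments go higher


def md5_unsalted(password):
    """The scheme rainbow tables target: identical input -> identical digest,
    regardless of which user or which site stored it."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh 16-byte random salt per user means a
    precomputed table would have to be rebuilt for every single account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_pbkdf2(password, salt, expected, iterations=ITERATIONS):
    """Recompute with the stored salt; constant-time compare avoids leaking
    how many leading bytes matched."""
    _, digest = pbkdf2_salted(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def compare_schemes(password):
    """Constructed demo: two users who picked the same password."""
    md5_a, md5_b = md5_unsalted(password), md5_unsalted(password)
    salt_a, kdf_a = pbkdf2_salted(password)
    salt_b, kdf_b = pbkdf2_salted(password)
    return {
        "md5_identical_across_users": md5_a == md5_b,   # table hits both
        "pbkdf2_identical_across_users": kdf_a == kdf_b,  # unique per user
        "login_still_works": verify_pbkdf2(password, salt_a, kdf_a),
        "wrong_password_rejected": not verify_pbkdf2("not-it", salt_a, kdf_a),
    }


if __name__ == "__main__":
    for k, v in compare_schemes("correct horse battery").items():
        print(f"{k}: {v}")
```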


----------



## jboydgolfer (Aug 26, 2016)

I have always found that instead of substituting letters for symbols, it always worked for me to just take a password like ....

1234, and change it to.

1Two3Four
or 0ne2thr33Four, etc..


----------



## Frick (Aug 26, 2016)

qubit said:


> I wouldn't trust an Android device of any type, even the purest Nexus devices with my bank login credentials. iPhones and iPads seem to be more secure, with Apple's walled garden paying off here, but I'm still not sure how much I'd trust them.



*knocks on wood* We'll see if things break there. You can't do everything on the app, but most things. Six digit numerical code, the good thing is that the keypad is randomized (the numbers switch places, so you can't guess the code by looking at the entering of the code). And you need to authorize every device with your card. So far it's worked, but then I don't really know of the inner workings of the system.


----------



## Frick (Aug 26, 2016)

droopyRO said:


> About this, I never used that technology do they for instance remember the prints from multiple digits of your hand or just one ? What if you are in an accident and you get your fingers burned and that is the only authentication method that you can access that phone tablet whatever ?



Dunno bout that, but I do know it's a hassle if the scanner stops working. It has happened to a bunch of friends of mine, and they have to RMA it.


----------



## Ahhzz (Aug 26, 2016)

silentbogo said:


> .....
> 
> Back in a day there was also a distributed service for RainbowTable "mining" and another one for "sharing" (you upload a partial table ~100MB in size, and they let you decrypt few MD5 hashes for free by using their extensive library of multilingual mixed password hashes). Can't remember website names, but I don't think they even exist now.



I remember that!!!!


----------



## lorraine walsh (Aug 29, 2016)

I am using password locking software to lock the y most folders. Like not the ones that have the daily pics, docs etc but the ones like official transcripts, bank statements and other personal data. I first encrypt my files and then add them to the folder that has password lock. Do not need to lock again and again the folder, I just drag the files into it and it automatically locks them. And both of these features are in the same encryption software.


----------



## BiggieShady (Aug 29, 2016)

lorraine walsh said:


> I am using password locking software to lock the y most folders. Like not the ones that have the daily pics, docs etc but the ones like official transcripts, bank statements and other personal data. I first encrypt my files and then add them to the folder that has password lock. Do not need to lock again and again the folder, I just drag the files into it and it automatically locks them. And both of these features are in the same encryption software.


Since you like encrypting sensitive information, there are also email services like Proton Mail (https://protonmail.com/) that are completely encrypted: the inbox is stored encrypted in the data center and communication is encrypted end-to-end through their web or mobile app ... in case you need a separate mail address for sensitive stuff (invoices, delivery statuses and such)
It uses (and maintains) the Pretty Good Protection library for JavaScript


----------

