Virgil Showlion
Distinguished Associate
Moderator
leones potest resistere
Joined: Dec 20, 2010 15:19:33 GMT -5
Posts: 27,448
Post by Virgil Showlion on Apr 25, 2018 19:35:52 GMT -5
I happened across this report on Proboards Support this morning: support.proboards.com/thread/649786/sos-forum-hijacked "SOS! Forum Hijacked!"

A malefactor either guessed or was given the superadmin's password, got into his/her account, and went to town on the forum. Deleting, vandalizing, and otherwise wreaking havoc. In the gaming world, this is called "griefing". It is regrettably popular. What can we take away from this?

- For the love of sweet snowy leopards, choose a secure password. You 60+-year-olds in particular are terrible for this. You'll take a five letter word, maybe attach a couple digits to it, and boy howdy you're done.
No, you are not done, grandma.
I don't care how bad your memory is. A password like this has got maybe 14 bits of entropy in it. Even if a cracker is limited to one attempt per hour (many sites allow 1 attempt every 15 minutes) and knows jack about you, he'll have this cracked in under a year on average.
The word has some special significance to you? The number has some special significance? He can crack it in under a month.
But you shouldn't assume the attacker is limited as to number of attempts. If he gets hold of your password hash (usually by hacking into a secure server, but there are many ways), depending on the hashing algorithm used, he can attempt anywhere from hundreds to trillions of potential passwords per second. If your password doesn't have at least 50-60 bits of entropy, you're screwed. He's got your password. Why is this a big problem for you when he's already hacked the server? Because like pretty much everybody, you ignored security experts when they told you...
- DO NOT use the same password for your public e-mail account as for any other account. Your public e-mail account is the one you specify when signing up for public services, such as Proboards. This includes sites where your global user ID is your e-mail address (e.g. Proboards). Some people get the wrongheaded idea that since the ID is the e-mail address, the password must be the same as the password used to access the e-mail.
No, Uncle Pete.
Different passwords. Totally different passwords. If your password on Proboards is all_uStupidgriefersCan'ttouch44This, your password for your e-mail account should not be all_uStupidgriefersCan'ttouch44This2, all_uStupidgriefersCan'ttouch44That, or anything that can be realized with a handful of substitutions, additions, and deletions from the original password.
Let me emphasize the risk: Every site you go to where certain members/users are able to execute arbitrary code in your browser (this includes anyone with admin privileges on any Proboards forum where you're a member) has a decent shot at poaching your password. You've used that same password for your e-mail account? Congratulations. Joe the Griefer now owns your e-mail account too.
- DO NOT give your password to anyone except i) verbally in person, or ii) a professional in a service transaction you initiate. Don't give it out in your reply to the e-mail from your best friend "Bill". Don't give it out when your bank, or the FBI, or the Secretary General of the UN contacts you and insists you'll go to jail unless you LOG ON HERE! Don't give it to the nice tech service people at Amazon, Microsoft, Hewlett Packard, etc. sending you those helpful warnings about your account being hacked; rescue your account by LOGGING ON HERE!
If at all possible, limit your disclosure of a password to people you can scream at and/or give wedgies to when they accidentally let it slip to Aunt Bev, who shares it with her bridge club, who post in it their weekly newsletter because one of them forgets why it's written on a sticky stuck on the computer monitor.
howsecureismypassword.net/
Don't type your actual password in, but put in something of comparable length, with roughly the same ratio of letters, digits, and other characters. If it comes back with anything less than "this can be cracked in 10 years": change your password. Take a memory improvement course if you must.
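The entropy and crack-time arithmetic in the post above (14 bits at one guess per hour, the 50-60 bit threshold against offline guessing) worked through as an added example; this is not code from the original thread. The guess rates are the ones the post names, and the character-pool sizes, the 2,000-word dictionary and the sample password "Soccer25" are constructed assumptions for illustration.

```python
import math

# Guess rates from the post: a rate-limited site allowing about one attempt per
# hour (or one every 15 minutes), versus offline guessing against a stolen hash
# at anywhere from hundreds to trillions of guesses per second.
ONLINE_PER_HOUR = 1 / 3600.0    # guesses per second at 1 per hour
ONLINE_PER_15_MIN = 1 / 900.0   # guesses per second at 1 per 15 minutes
OFFLINE_SLOW = 1e2              # slow, salted, iterated hash (assumed rate)
OFFLINE_FAST = 1e12             # fast unsalted hash on a GPU rig (assumed rate)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-class pool sizes for the brute-force bound (constructed values).
POOL_LOWER, POOL_UPPER, POOL_DIGIT, POOL_SYMBOL = 26, 26, 10, 33


def charset_pool(password: str) -> int:
    """Alphabet size an attacker must cover if all they know is which
    character classes appear in the password."""
    pool = 0
    if any(c.islower() for c in password):
        pool += POOL_LOWER
    if any(c.isupper() for c in password):
        pool += POOL_UPPER
    if any(c.isdigit() for c in password):
        pool += POOL_DIGIT
    if any(not c.isalnum() for c in password):
        pool += POOL_SYMBOL
    return pool


def brute_force_bits(password: str) -> float:
    """Upper bound on strength: log2 of the full search space for this
    length and alphabet. Dictionary words make the real figure lower."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_pool(password))


def word_plus_digits_bits(dictionary_size: int, n_digits: int) -> float:
    """Realistic bound for 'a word with a couple of digits stuck on': the
    attacker tries a word list, then every digit string of that length."""
    return math.log2(dictionary_size) + n_digits * math.log2(10)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the attacker succeeds after searching half the space."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    return expected_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def scenario_report(bits: float) -> dict:
    """Expected years to crack a password of the given entropy under each
    of the post's guessing scenarios."""
    return {
        "online_1_per_hour": expected_crack_years(bits, ONLINE_PER_HOUR),
        "online_1_per_15min": expected_crack_years(bits, ONLINE_PER_15_MIN),
        "offline_slow_hash": expected_crack_years(bits, OFFLINE_SLOW),
        "offline_fast_hash": expected_crack_years(bits, OFFLINE_FAST),
    }


if __name__ == "__main__":
    # The post's case: about 14 bits at one guess per hour is under a year.
    print("14 bits:", scenario_report(14))
    # A five-letter word from a constructed 2,000-word list plus two digits.
    print("word + 2 digits:", round(word_plus_digits_bits(2000, 2), 1), "bits")
    # The post's 50-60 bit threshold against a fast offline attack.
    for b in (50, 60):
        print(b, "bits, fast offline hash (years):",
              scenario_report(b)["offline_fast_hash"])
    # Brute-force upper bound for a constructed sample password.
    print("Soccer25 upper bound:", round(brute_force_bits("Soccer25"), 1), "bits")
```

Note that the brute-force figure is only an upper bound: "Soccer25" scores about 47 bits by alphabet and length, but an attacker who starts from a word list and appends digits needs far fewer guesses, which is the point the post makes about words with numbers attached.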
Tennesseer
Member Emeritus
Joined: Dec 20, 2010 21:58:42 GMT -5
Posts: 63,500
Post by Tennesseer on Apr 25, 2018 19:43:47 GMT -5
Surely Tenn (capitalized) is safe enough.
ken a.k.a OMK
Senior Associate
They killed Kenny, the bastards.
Joined: Dec 21, 2010 14:39:20 GMT -5
Posts: 14,109
Location: Maryland
Post by ken a.k.a OMK on Apr 25, 2018 19:46:48 GMT -5
Good advice. I once used that site to play with some hypothetical passwords and discovered this with adding characters.
Soccer25: 36 minutes to crack
#Soccer25: 2 weeks
#25Soccer25: 200 years
#25Soccer25$: 14,000 years
Opti
Community Leader
Joined: Dec 18, 2010 10:45:38 GMT -5
Posts: 39,716
Location: New Jersey
Post by Opti on Apr 25, 2018 19:49:47 GMT -5
Naw, it should be fun phrases such as Virgil666LovesSnowLeopards! 14bitsof entropy+ Don'tBavictim911
msventoux
Senior Member
Joined: Feb 12, 2011 22:32:37 GMT -5
Posts: 3,014
Post by msventoux on Apr 25, 2018 19:49:47 GMT -5
So you’re saying that your iLOVE-SnowLeopards! password should be changed now?
Virgil Showlion
Distinguished Associate
Moderator
leones potest resistere
Joined: Dec 20, 2010 15:19:33 GMT -5
Posts: 27,448
Post by Virgil Showlion on Apr 25, 2018 19:51:27 GMT -5
> Surely Tenn (capitalized) is safe enough.

You jest, but if sites would let people get away with it, Jack the Cracker has a 95% chance of cracking the average user "tennesseer"'s account with "tenn", "tenn52" (assuming you were born in 1952), "tenn1952", "tenn1954" (assuming spouse was born in 1954), "mittens" (assuming your cat's name is "mittens"), "tennmittens", "mittens52", "mittenspookie" (assuming you have a second cat named "pookie"), and maybe 10-20 more permutations of the above. Do not let it be you.
Virgil Showlion
Distinguished Associate
Moderator
leones potest resistere
Joined: Dec 20, 2010 15:19:33 GMT -5
Posts: 27,448
Post by Virgil Showlion on Apr 25, 2018 19:53:51 GMT -5
> So you’re saying that your iLOVE-SnowLeopards! password should be changed now?

Far too easy to guess, since it would be the last thing I'd ever put in there, meaning in reality I'd put it in there because how counterintuitive it is, and an astute cracker might figure this out.
Jaguar
Administrator
Fear does not stop death. It stops life.
Joined: Dec 20, 2011 6:07:45 GMT -5
Posts: 50,108
Post by Jaguar on Apr 25, 2018 19:55:09 GMT -5
I got 330 DUOVIGINTILLION YEARS to crack my password, is that good? Seriously I change mine, it's different for every flipping thing I sign into.
Tennesseer
Member Emeritus
Joined: Dec 20, 2010 21:58:42 GMT -5
Posts: 63,500
Post by Tennesseer on Apr 25, 2018 20:00:12 GMT -5
> Surely Tenn (capitalized) is safe enough. You jest, but if sites would let people get away with it, Jack the Cracker has a 95% chance of cracking the average user "tennesseer"'s account with "tenn", "tenn52" (assuming you were born in 1952), "tenn1952", "tenn1954" (assuming spouse was born in 1954), "mittens" (assuming your cat's name is "mittens"), "tennmittens", "mittens52", "mittenspookie" (assuming you have a second cat named "pookie"), and maybe 10-20 more permutations of the above. Do not let it be you.

Probably not a good idea then to use my social security number. Some of my passwords are very long. I live alone so they are written down on paper and close to my computer.
Tennesseer
Member Emeritus
Joined: Dec 20, 2010 21:58:42 GMT -5
Posts: 63,500
Post by Tennesseer on Apr 25, 2018 20:05:32 GMT -5
514 OCTILLION YEARS for my main password. I'll worry about changing it in about 513 and a half octillion years to be on the safe side.
Virgil Showlion
Distinguished Associate
Moderator
leones potest resistere
Joined: Dec 20, 2010 15:19:33 GMT -5
Posts: 27,448
Post by Virgil Showlion on Apr 25, 2018 20:10:40 GMT -5
> I got 330 DUOVIGINTILLION YEARS to crack my password, is that good? Seriously I change mine, it's different for every flipping thing I sign into.

That means it would take 3.3 x 10^71 years to crack using a classical computer. If one snow leopard was born every 320 milliseconds with 10% less evilness than the previous snow leopard, it would take roughly this amount of time until the first snow leopard less evil than Hitler was born. Math does not lie.
Opti
Community Leader
Joined: Dec 18, 2010 10:45:38 GMT -5
Posts: 39,716
Location: New Jersey
Post by Opti on Apr 25, 2018 20:13:37 GMT -5
How long to crack using a hip hop or rock computer?
Jaguar
Administrator
Fear does not stop death. It stops life.
Joined: Dec 20, 2011 6:07:45 GMT -5
Posts: 50,108
Post by Jaguar on Apr 25, 2018 20:13:54 GMT -5
> I got 330 DUOVIGINTILLION YEARS to crack my password, is that good? Seriously I change mine, it's different for every flipping thing I sign into.
>
> That means it would take 3.3 x 10^71 years to crack using a classical computer. If one snow leopard was born every 320 milliseconds with 10% less evilness than the previous snow leopard, it would take roughly this amount of time until the first snow leopard less evil than Hitler was born. Math does not lie.

I know I'm good, and just for shits and giggles I change it all the time.
wyouser
Senior Associate
Joined: Dec 20, 2010 16:35:20 GMT -5
Posts: 12,126
Post by wyouser on Apr 26, 2018 6:32:07 GMT -5
"you 60 + year olds are terrible for this"....... Virgil Showlion I resemble that remark !!!!! And being "left-handed", I've been a victim my whole life too. When it comes to multiple passwords, I can't remember $h!+ !! Maybe I should do something in ancient Sanskrit? Or better yet, maybe I need a couple cases of brewskis and a lawn chair to go meditate on this the rest of the day? (Damn computer age!!)
Virgil Showlion
Distinguished Associate
Moderator
leones potest resistere
Joined: Dec 20, 2010 15:19:33 GMT -5
Posts: 27,448
Post by Virgil Showlion on Apr 26, 2018 7:10:00 GMT -5
> "you 60 + year olds are terrible for this"....... Virgil Showlion I resemble that remark !!!!! And being "left-handed", I've been a victim my whole life too. When it comes to multiple passwords, I can't remember $h!+ !! Maybe I should do something in ancient Sanskrit? Or better yet, maybe I need a couple cases of brewskis and a lawn chair to go meditate on this the rest of the day? (Damn computer age!!)
Bluerobin
Senior Associate
Joined: Dec 20, 2010 14:24:30 GMT -5
Posts: 17,345
Location: NEPA
Post by Bluerobin on Apr 26, 2018 8:38:22 GMT -5
You mean that my pw: "Virgilism27" isn't any good?
Virgil Showlion
Distinguished Associate
Moderator
leones potest resistere
Joined: Dec 20, 2010 15:19:33 GMT -5
Posts: 27,448
Post by Virgil Showlion on Apr 26, 2018 8:43:00 GMT -5
> You mean that my pw: "Virgilism27" isn't any good?
Artemis Windsong
Senior Associate
The love in me salutes the love in you. M. Williamson
Joined: Dec 18, 2010 19:32:12 GMT -5
Posts: 12,318
Today's Mood: Twinkling
Location: Wishing Star
Favorite Drink: Fresh, clean cold bottled water.
Post by Artemis Windsong on Apr 26, 2018 9:59:50 GMT -5
I hear you Virgil. The post is to help us.
I nearly have a meltdown at the movie theater trying to login to my moviepass account when they tell me I have to sign in again.
Etsy won't let me past the "get paid" page with all the sections filled in.
Mine should be $customer34service43sucks!
Deleted
Joined: May 3, 2024 15:34:21 GMT -5
Posts: 0
Post by Deleted on Apr 26, 2018 11:10:21 GMT -5
On the other hand, making people choose difficult passwords and making them change it often can make hacking easier.
For example, at a previous company I was involved with an audit of our procedures and IT was gushing over how awesome they were for making our password requirements nearly impossible to crack. The auditor asked where this particular group we were reviewing sat, walked over, and found the passwords for nearly everyone in the group on their desks. One even had it posted on their cube wall.
Point being you need to have a well established password procedure all around, from the actual password requirements to building access to where people can store them.
Virgil Showlion
Distinguished Associate
Moderator
leones potest resistere
Joined: Dec 20, 2010 15:19:33 GMT -5
Posts: 27,448
Post by Virgil Showlion on Apr 26, 2018 11:20:35 GMT -5
> I hear you Virgil. The post is to help us. I nearly have a meltdown at the movie theater trying to login to my moviepass account when they tell me I have to sign in again. Etsy won't let me past the "get paid" page with all the sections filled in. Mine should be $customer34service43sucks!

The worst sites are ones with esoteric password requirements, revealed one at a time, only in response to failed submissions.

... Actually, no. I take it back. The worst password flub I've ever encountered (it may still persist to this day) is held by none other than Apple Computer Inc. Their iTunes software, to be specific.

On their "Change Password" page, which you'll have to visit many times due to your password "expiring", and where you're unable to use the same password more than once, the password entry field will happily allow passwords containing spaces. The field into which you type your password to validate your iTunes purchases, however, does not accept spaces. Meaning that if the password you chose contained spaces, you won't be able to log into your iTunes account through the iTunes software.

But that's not the best part. The iTunes password field doesn't alert you to the fact that it doesn't accept spaces. It simply does nothing when you hit the space bar. So unless you're very carefully counting the dots that appear as you type, you'll have no clue why the software isn't accepting your password. When you use emergency account recovery and change your password to something else, in all likelihood choosing another password containing a space, iTunes will happily accept the new choice of password and then inexplicably fail to recognize it in the iTunes software again... and again... and as many times as it takes for you to intuit what in fact is taking place.

*clap* ... *clap* ... *clap* Proof that idiocy can be found even in the most idiot-proof places.
alabamagal
Junior Associate
Joined: Dec 23, 2010 11:30:29 GMT -5
Posts: 8,118
Post by alabamagal on Apr 26, 2018 12:43:08 GMT -5
How long does it take to hack if your password is password?
One site I went to made me answer security questions from a specific list they created, and I couldn’t answer any of the questions. I don’t remember who my first grade teacher was, that was 50 years ago!
Artemis Windsong
Senior Associate
The love in me salutes the love in you. M. Williamson
Joined: Dec 18, 2010 19:32:12 GMT -5
Posts: 12,318
Today's Mood: Twinkling
Location: Wishing Star
Favorite Drink: Fresh, clean cold bottled water.
Post by Artemis Windsong on Apr 26, 2018 12:44:49 GMT -5
Good thing there is a knot in the end of my rope. I will reach it at the theater check in this afternoon.
I need 12 "free" movies to pay for the annual subscription. The subscription is supposed to be good for one movie a day, everyday, for one year. 2D only.
Artemis Windsong
Senior Associate
The love in me salutes the love in you. M. Williamson
Joined: Dec 18, 2010 19:32:12 GMT -5
Posts: 12,318
Today's Mood: Twinkling
Location: Wishing Star
Favorite Drink: Fresh, clean cold bottled water.
Post by Artemis Windsong on Apr 26, 2018 12:46:04 GMT -5
> How long does it take to hack if your password is password? One site I went to made me answer security questions from a specific list they created, and I couldn’t answer any of the questions. I don’t remember who my first grade teacher was, that was 50 years ago!

I get that if I haven't logged in for a while. I usually pick security answers that I do know.
Jaguar
Administrator
Fear does not stop death. It stops life.
Joined: Dec 20, 2011 6:07:45 GMT -5
Posts: 50,108
Post by Jaguar on Apr 26, 2018 14:31:58 GMT -5
Okay, anyone changing their passwords on ProBoards: you can use all upper and lower case letters, symbols and numbers.
I also checked you can do the same for your Facebook account, just have a different password than your ProBoards one.
Go to town!
weltschmerz
Community Leader
Joined: Jul 25, 2011 13:37:39 GMT -5
Posts: 38,962
Post by weltschmerz on Apr 26, 2018 14:44:19 GMT -5
> A malefactor either guessed or was given the superadmin's password, got into his/her account, and went to town on the forum. Deleting, vandalizing, and otherwise wreaking havoc. In the gaming world, this is called "griefing". It is regrettably popular.

I thought it was only you who did that, Virgil. Changing words into other words when typed by posters, attributing peoples' posts to look like it was made by others, etc. In other words, wreaking havoc. It wasn't funny.
TTS
New Member
Joined: Apr 26, 2018 14:47:15 GMT -5
Posts: 5
Post by TTS on Apr 26, 2018 15:58:14 GMT -5
> How long does it take to hack if your password is password? One site I went to made me answer security questions from a specific list they created, and I couldn’t answer any of the questions. I don’t remember who my first grade teacher was, that was 50 years ago!

FYI - hope you all realize that when you set up the security questions that you don't have to give the correct answer, in fact it's more secure if you don't. All you need is a word (or words) that only you know. For instance you could put "carrot" as the answer for who was your first grade teacher. Think about it, it's not like the site you're on will know one way or another. If I'm a good friend (or relative) and know a lot about you, or you're one of those who like to fill out those questionnaires that float around on Facebook, then most likely I already know the answers to those common security questions and I could get into your account without a password just based on those questions.

The same applies to banks/credit card companies that ask for your mother's maiden name. I never give my mother's actual maiden name to keep on file, I just use a different name that only I know. This saved me once years ago when I had a friend try to tap into my account. Thought he was clever but failed because in the verification he answered the maiden name question with my mom's real maiden name not knowing that wasn't the "word" I had on file.

Really all those security questions are supplemental passwords. They ask those types of questions so you'll easily remember the answer. Problem is nowadays that anyone that knows you knows those answers too. So be creative, don't use the true answer, but just don't forget the answer you do use.
Jaguar
Administrator
Fear does not stop death. It stops life.
Joined: Dec 20, 2011 6:07:45 GMT -5
Posts: 50,108
Post by Jaguar on Apr 26, 2018 16:02:44 GMT -5
ken a.k.a OMK
Senior Associate
They killed Kenny, the bastards.
Joined: Dec 21, 2010 14:39:20 GMT -5
Posts: 14,109
Location: Maryland
Post by ken a.k.a OMK on Apr 26, 2018 16:06:28 GMT -5
> How long does it take to hack if your password is password? One site I went to made me answer security questions from a specific list they created, and I couldn’t answer any of the questions. I don’t remember who my first grade teacher was, that was 50 years ago!

My wife told me to answer all security questions with "stupid question".
ken a.k.a OMK
Senior Associate
They killed Kenny, the bastards.
Joined: Dec 21, 2010 14:39:20 GMT -5
Posts: 14,109
Location: Maryland
Post by ken a.k.a OMK on Apr 26, 2018 16:07:47 GMT -5
Welcome TTS. Good advice there.
moon/Laura
Administrator
Forum Owner
Joined: Dec 17, 2010 15:05:36 GMT -5
Posts: 10,043
Post by moon/Laura on Apr 26, 2018 16:09:01 GMT -5
TTS - killjoy. rofl
PS. welcome