How internet security conscious are you?

Yay for social engineering.

That and with some physical access all bets are pretty much off

How does requesting your password tell you if it's stored securely or not?

The password can/will still be hashed. The script knows it's only sending the password to the registered email address; so it will automatically look up your record, decrypt it, and send it. It's not a human on the other side that gets your password and types it up in an email to you. :p


Though this type of plain text password emailing is a problem if your email account is compromised, just as much as other methods of password resetting.

Passwords shouldn't be stored with two-way encryption. Machine or otherwise, there shouldn't be a way to, say, decode a hashed password and get the plain text equivalent. It's little more secure than saving it in the database in plain text. Chances are if you've got that level of access, you can probably decompile the program and find out how to get from a to b to use said password elsewhere.

The only way to know if the user entered the right password is to hash the entered password, and see if it matches the stored hash.

Getting your password back in plain text means they are not saving it securely.

Obviously, it should be salted, yada yada..

Emailing it in plain text is obviously also asking for trouble.

It goes some way to stopping people breaking in remotely from china, but all you have to do is walk in dressed as a cleaner just after work hours and read them. Good pen testing firms will do this :p

Or find an employee to hand them it on a plate http://www.guardian.co.uk/commentisfree/2013/jan/17/sacked-model-modern-employee-outsourcing

Would a password like this be secure then?

DOnk3yf4c3#!#!5432

Or would it be easy to hack?

Easy is subjective. That's got a real word obviously built into it, and it's also got repeating patterns.

Brute forcing it would generally take a while purely with it being longer and not completely alphanumeric, going A-Z, 0-9, everything else...
 
When I realised just how little I got viruses after a while (0 for the last few years, do a scan every so often, then delete it for being bloated crap), I just stopped bothering with such a paranoid view of using a PC.

A simple bit of sense is much better than dealing with the hassle of usually pointless AV, paying for it as well is even more stupid...then it starts messing with completely legit programs and you have to start turning on exceptions for them.

It isn't worth the hassle for perhaps 1 sneaky little virus, especially since I don't have anything important on my computer.
 
^^^^
I used to think AV was pointless till I got into this area, but it's actually vital in protecting you from 0days embedded into banners and such. Without it you have no protection at all.
 
Well it is a secure password^^

Also bad grammar use in passwords is more secure than a standard password :p
 
I'm very aware but am guilty of not always practicing what I preach (as I work in 'security' ;) ).

It's all about risk for me, if I deem something has sufficient risk I'll take more care.

The password can/will still be hashed. The script knows it's only sending the password to the registered email address; so it will automatically look up your record, decrypt it, and send it. It's not a human on the other side that gets your password and types it up in an email to you. :p

As has been said, crypto hashing is one way, you hash it then there's no way to go back to the original value.

http://en.wikipedia.org/wiki/Cryptographic_hash_function

What should happen in a best practice kind of way is the password is stored salted and hashed, then when you type it in to login and hit send it's the salt+hash that's sent to the web app to authenticate you not the password itself.

As in theory only your correct salt+password would create that particular hash value the web app knows it's you and lets you in.

All this assumes you are using a sufficiently strong hashing algorithm.

At no time should the app need to know your actual password.

By receiving your password back in plain text when requesting a password reset it means the site is not hashing your credentials in any way. Ok they may be encrypting and decrypting it in some fashion, but then the fact remains that someone can/could access it.
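To make the one-way point above concrete, here is an added example (my own code, not anything from this thread or from any particular site) of how a site should store and check a password: keep a random salt plus a slow one-way hash, re-hash the user's attempt at login and compare, and on a reset issue a new password rather than email the old one, which the stored record cannot yield anyway. The hash function, salt length and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the thread): PBKDF2-HMAC-SHA256
# with a 16-byte random salt and 100k iterations to make guessing slow.
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Return what the site should store: the salt and the one-way hash.
    The password itself never goes into the record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare in constant
    time. This is the only check possible: there is nothing to decrypt."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def salted_hashes_differ(password: str) -> bool:
    """Two accounts with the same password get different stored hashes because
    each gets its own random salt, so one leaked record does not expose the other."""
    return make_record(password)["hash"] != make_record(password)["hash"]


def reset_password(old_record: dict, new_password: str) -> dict:
    """A reset replaces the record with a fresh salt and hash. The old password
    is unrecoverable from old_record, so it cannot be mailed back to the user."""
    return make_record(new_password)


if __name__ == "__main__":
    rec = make_record("DOnk3yf4c3#!#!5432")
    print("stored record:", rec)
    print("right password accepted:", verify(rec, "DOnk3yf4c3#!#!5432"))
    print("wrong password rejected:", not verify(rec, "donk3yf4c3#!#!5432"))
```

The record holds only salt, hash and iteration count, so a support script or a database dump has no plaintext to send; the only thing a site storing passwords this way can do for a forgotten password is set a new one.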
 
I'm fairly conscious, but don't practice what I'd preach to others. I do a monthly reconciliation of my accounts anyway so would quickly spot if something was amiss. I did create a list of passwords for every site I visited, but it's often a pain having to remember all the different passwords. So I often create random ones, and then just "reset the password" when I can't remember it.

I generally use credit cards to buy stuff online - and use complex passwords for important online accounts - like email accounts, and so on.

I'm sure there will come a time where we have to use a similar device to the banking random number generator to authenticate ourselves for purchases.

Despite a slightly more relaxed attitude, I do also believe internet security and exploits have been locked down a lot more than they were many years ago, when plain text passwords and information transmission were fairly common.
 
So what would be a more secure password? just randomly mashed letters, numbers & symbols that don't even make a word? Also would a password manager addon be safe?
 
So what would be a more secure password? just randomly mashed letters, numbers & symbols that don't even make a word? Also would a password manager addon be safe?

Password managers mean that an attacker could access all of your accounts with a single 'hack', but are still safer than writing your passwords down. It's up to you whether you think it's worth the risk. I use Chrome's password manager on my home machine, but don't use them anywhere else. I won't use them for particularly sensitive information either (such as bank accounts).


From a password cracker's perspective, random letters, numbers and symbols that don't make words are certainly the safest. However they are very hard to remember, which is in itself a security concern.
Someone suggested postcodes and license plate numbers earlier. These are a safer option, though will still fall foul to a blended attack.


It's worth noting that nothing is ever truly safe, you just have to be aware of what the level of risk is you are taking. Stored correctly, an XKCD style password will be safe enough for the majority of uses and is what I would recommend.
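As an added illustration (my own code, not from this thread), the following estimates the brute-force search space of a password from the character classes it uses, shows why a passphrase of a few randomly chosen dictionary words holds up, and flags the catch raised earlier in the thread: a password built on a real word with letter-for-number substitutions is far weaker than its character-class count suggests, because a wordlist plus substitution rules finds it long before exhaustive search would. The guessing rate and the tiny word list are constructed assumptions.

```python
import math
import string

# Constructed assumption: offline guessing rate against a fast, unsalted hash.
# Real rates depend entirely on the hash function, iteration count and hardware.
GUESSES_PER_SECOND = 1e10

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed word list standing in for a real dictionary.
WORDS = ("donkey", "face", "password", "welcome", "monkey")

# Common letter-for-number substitutions to undo when looking for a hidden word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def charset_size(password: str) -> int:
    """Alphabet size an exhaustive search must cover: the sum of the
    character classes actually present in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Upper bound on strength in bits: log2(charset_size ** length)."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int = 2048) -> float:
    """Strength of an XKCD-style passphrase whose words are picked uniformly
    at random from a dictionary of the given size."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a search space of 2**bits guesses."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def normalize(password: str) -> str:
    """Strip symbols, lowercase, undo leetspeak digits, drop leftover digits."""
    alnum = "".join(c for c in password if c.isalnum())
    return "".join(c for c in alnum.lower().translate(LEET) if c.isalpha())


def dictionary_words_in(password: str) -> list:
    """Words from WORDS hidden inside the password once substitutions are undone.
    Any hit means the effective search space is far smaller than brute_force_bits."""
    core = normalize(password)
    return [w for w in WORDS if w in core]


if __name__ == "__main__":
    for pw in ("DOnk3yf4c3#!#!5432", "DOnk3yf4c3", "xq9!Lr2#vB"):
        bits = brute_force_bits(pw)
        print(f"{pw}: {bits:.1f} bits, {years_to_exhaust(bits):.2e} years, "
              f"hidden words: {dictionary_words_in(pw)}")
    print(f"4-word passphrase: {passphrase_bits(4):.1f} bits")
```

The character-class figure is the number the "longer and not completely alphanumeric" reasoning gives, and it is an upper bound only: the moment a real word shows through the substitutions, the attacker's job is a dictionary lookup with a few rules, which is why the random string and the random passphrase both beat a dressed-up word of the same length.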
 
OK, one last question, if you're the only person that uses your PC and say you stored passwords in a simple notepad .txt document, is that safe?
 
I'm so internet conscious I unplug the CAT5 cable from the wall.

In fact, I have visited quite a few homes where (mostly older) people do this even though their machines are switched off at the wall. Bless 'em.


I tend to have two email addresses, one for all the junk and one for private.

As for the PC, I find the router does a good job along with Avast. I use CCleaner at least once a week... though I rarely get problems. But then, if I make changes I'm not certain about I tend to do these on another PC or laptop.

Passwords, I use KeePass, uploaded to my personal webspace. Both areas are encrypted.
 
If a site compromised my details I wouldn't use them again.
But it's like anything, takeaways for instance, I could have been using a firm for years and years and had the best service ever, but if they mess it up once they've lost my business, simple as.

I have Kaspersky for workstations on all my PCs (because it's free on a site licence for me).

For forums and stuff I don't care, I use a simple password where possible because ultimately who wants to steal a forum account?
For online shopping/ anything which might affect me financially I use a secure password with capital and non capitals, numbers and where possible punctuation.
Or do I? You'll never know.
 
OK, one last question, if you're the only person that uses your PC and say you stored passwords in a simple notepad .txt document, is that safe?

No, because if your computer gets compromised (trojan, PC stolen, burgled, etc.) then your passwords are no longer safe!
I always keep my passwords in an encrypted rar file using a strong 12 character password.
 
I'm just wondering, say if you haven't changed a password for an account in say a year or more is that safe? cause on another forum I browse my account didn't get hacked but it was in a leak of password and usernames so I changed my password ASAP.

It's when that lulzsec was hacking all them websites etc

No, because if your computer gets compromised (trojan, PC stolen, burgled, etc.) then your passwords are no longer safe!
I always keep my passwords in an encrypted rar file using a strong 12 character password.

That's what I thought, but I haven't had a PC virus since like 1998.
 
Living in North Wales and able to speak Welsh can give a distinct advantage whenever I need easy to remember but hard to crack Passwords :D
 
Password managers mean that an attacker could access all of your accounts with a single 'hack', but are still safer than writing your passwords down.

Whilst true you do have to think of the different attack scenarios involved.

Using a weaker password for a website account opens you up to a remote attack, easy to do (as in easy to attempt).

Using a password manager, whilst yes leaving every account secured by a single password, would likely require an attacker to already have access to your machine to be able to attempt it.

In saying that though I'm not covering password managers that have some form of remote access.

Personally I'm happy to use a local install copy of a password manager (again I don't practice what I preach but am slowly starting to use it more) but wouldn't feel as comfortable using one linked up to a remote service.

I'm sure they are fine but I don't really have the requirement to use such a service, and being what they are they will be highly targeted anyway (whereas my machine not so much).
 