Case ([personal profile] case) wrote in [community profile] fandomsecrets2014-10-13 07:03 pm

[ SECRET POST #2841 ]

Warning: Some secrets are NOT worksafe and may contain SPOILERS.

01.
__________________________________________________
02.
__________________________________________________
03.
__________________________________________________
04.
__________________________________________________
05.
__________________________________________________
06.
__________________________________________________
07.
__________________________________________________
08.
__________________________________________________
09.
Notes:

Secrets Left to Post: 02 pages, 039 secrets from Secret Submission Post #406.
Secrets Not Posted: [ 1 - broken links ], [ 0 - not!secrets ], [ 0 - not!fandom ], [ 0 - too big ], [ 0 - repeat ].
Current Secret Submissions Post: here.
Suggestions, comments, and concerns should go here.

[personal profile] cbrachyrhynchos 2014-10-14 12:40 am (UTC)(link)
No, hashcat has a module for all of those variations. Your only safe bet is to:

1. use a password safe like LastPass or KeePass
2. use random passwords for just about everything
3. use long random phrases for everything you can't put into a password safe.

If it's in a dictionary or on a wiki or BBS, it's crackable.

[personal profile] kippi 2014-10-14 02:39 am (UTC)(link)
But most sites will choke out brute forcing. And if they don't, I don't trust them to not lose the password in some other way. Also, a lot of sites aren't worth the effort. I wouldn't really care if I lost say, my Twitter or my Tumblr. But I would care if I lost my Paypal or my email address.

[personal profile] cbrachyrhynchos 2014-10-14 05:08 am (UTC)(link)
But most sites will choke out brute forcing.

The biggest data breaches of the last five years have involved the publication of entire password databases through a backdoor: Adobe, Gawker, Sony PSN, Microsoft, LinkedIn, etc., etc. Once the database is made public, crackers can run parallel brute-force attacks. (Heck, AT&T just revealed that a disgruntled employee walked out the door with a bunch of information.) Front-door timeouts are meaningless as of five years ago. At this point, you shouldn't trust any site not to lose their password database.

I wouldn't really care if I lost say, my Twitter or my Tumblr. But I would care if I lost my Paypal or my email address.

Unless you reuse passwords, which most people do, including a Gawker employee who used the same password for commenting and site administration.

[personal profile] kippi 2014-10-14 06:31 am (UTC)(link)
At that point, does it really matter? You've already lost. Protecting against that was never your job, either. It rested on the shoulders of the site you were signed up at.

The fact that I give a shit about my email is why it has a decently complex and unique password, and the fact that I don't give a shit about my tumblr is why the password isn't that complex and is shared across a couple sites I also care equally as much about. That's what I meant: unless you use a password manager, don't sweat having difficult passwords for shit that doesn't personally matter to you. Of course with a password manager you can just use unique random 30 character passwords for everything from your random virusy pornsites to your bank account, but password managers make me jumpy.

[personal profile] cbrachyrhynchos 2014-10-14 11:45 am (UTC)(link)
At that point, does it really matter? You've already lost. Protecting against that was never your job, either. It rested on the shoulders of the site you were signed up at.

Yes, because password databases (assuming that the administrator is not completely incompetent) are obfuscated using a one-way cryptographic function. "pikachu" will fall in seconds to a dictionary attack or a bit longer to alphabetic brute force (7 characters). A randomly generated password like "VxfrFAH0pPqU4t" cannot be discovered via dictionary attacks and is unlikely to be brute-forced.

Now of course if you don't care, you don't care. But the use of a password safe is much less of a security risk than trusting a site with a weak password. All of the software I'm familiar with uses stronger functions that make them more difficult to crack than those used by most web sites. And since LastPass takes seconds to install and demands less time to login than trying to remember exactly which password I used for a service, there are few usability issues.
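The comment above turns on two facts: a site stores a one-way function of the password rather than the password itself, and the strength of that function decides how fast an offline cracker can run through a leaked database. The script below is an added illustration, not code from this thread, from LastPass, or from any site named in it. It stores passwords with a per-user random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library) and measures how much more expensive one guess becomes compared with a bare SHA-256; the iteration count, salt length and test password are assumptions chosen for illustration.

```python
"""Salted, deliberately slow password storage (added example, not from the thread).

Two properties matter for a leaked database:
  * a random salt per password means two users with "pikachu" get different
    stored values, so a cracker cannot test one guess against everyone at once;
  * a slow function (PBKDF2 here; bcrypt/scrypt/Argon2 are the usual choices)
    multiplies the cost of every guess, offline or not.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 200_000   # assumption: work factor for this example; raise it as hardware gets faster
SALT_BYTES = 16        # assumption: 128-bit random salt per stored password
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_guess(fn, trials: int) -> float:
    """Average wall-clock seconds for one call of fn()."""
    start = time.perf_counter()
    for _ in range(trials):
        fn()
    return max(time.perf_counter() - start, 1e-9) / trials


def slowdown_factor(password: str = "pikachu") -> float:
    """How many times more expensive one PBKDF2 guess is than one bare SHA-256 guess.

    This is the multiplier a cracker pays per candidate once a database using
    the slow scheme leaks; with a fast unsalted hash the factor is 1.
    """
    salt = os.urandom(SALT_BYTES)
    fast = seconds_per_guess(lambda: hashlib.sha256(password.encode("utf-8")).digest(), 2000)
    slow = seconds_per_guess(
        lambda: hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS), 3
    )
    return slow / fast


if __name__ == "__main__":
    record_a = hash_password("pikachu")   # constructed sample password
    record_b = hash_password("pikachu")   # same password, fresh salt
    print("same password, different records:", record_a != record_b)
    print("verify correct:", verify_password("pikachu", record_a))
    print("verify wrong:  ", verify_password("Pikachu", record_a))
    print(f"one PBKDF2 guess costs about {slowdown_factor():,.0f}x a bare SHA-256 guess")
```

The stored record carries its own iteration count, so the work factor can be raised later for new passwords without invalidating old ones; the comparison goes through `hmac.compare_digest` so verification time does not depend on where the first mismatching byte is.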

(Anonymous) 2014-10-14 11:16 am (UTC)(link)
I don't know anything about password safes, but wouldn't exchanging certain characters for others already make the password much more secure? Like, instead of Pokemon the password would be P0#em0n, Pickachu could be Pi#a(hu. Put another random rule in ("Every third letter is upper case" - "Pi#A(hu"), and the password should be complicated enough to not be easily crackable, shouldn't it?

Given the huge amount of passwords one has, I find it easier to use memorable passwords, but make certain substitutions to make them safe.

[personal profile] cbrachyrhynchos 2014-10-14 12:24 pm (UTC)(link)
Slightly more secure. But the most memorable methods of inserting "random" characters into words are not random at all, and have already been programmed into password-cracking software. o=0 and c=( are already variants used in dictionary attacks. "Every third letter" isn't random at all. Never mind that 7-character passwords are within the brute-force realm where it's possible to try every combination of ASCII characters with a current graphics card.

If you want memorable, you're better off going long with nonsense phrases that have no meaning except to yourself and have not appeared in print or on wikipedia. (The "correct horse battery staple" method.) Have your music player spit out four random song titles and pick a word from each "mothra lust mirror coffee," or scan your bookshelves and pick four words from different books "india effect stones goblin." Adding two characters gives you more bang for your buck than *randomly* (with dice) substituting one. Non-random l33t substitutions don't help much at all.

(Anonymous) 2014-10-14 04:55 pm (UTC)(link)
You really seem to know this stuff, so I'm curious what you think of my "technique". Truly random passwords/phrases are really hard for me to remember, while substitution rules are easy for me.

So I assigned certain characters substitutions, where the substitutions can be numbers, letters, special characters or any combination of the three. P, for example, could be !o?, c could be 26 and u could be y, so Pikachu would be !o?ika26hy.

The substitutions make sense for me, for one reason or another, but should appear random for people who are not me, or at least not common enough to be in the libraries of password-cracking software. Plus, even short phrases can become up to three times as long, depending on the original letters and punctuation involved. Using my actual system, Pikachu would be 13 characters long.

[personal profile] cbrachyrhynchos 2014-10-14 05:14 pm (UTC)(link)
You really seem to know this stuff, so I'm curious what you think of my "technique". Truly random passwords/phrases are really hard for me to remember, while substitution rules are easy for me.

Well, the best answer is a password safe. But if you're subbing out characters using a truly unique system that's not been documented anywhere else, it's probably good enough. (Assuming you don't reuse passwords via a very weak system.)

(Anonymous) 2014-10-14 05:48 pm (UTC)(link)
nyart wondering if you recommend any password safe in particular?

[personal profile] cbrachyrhynchos 2014-10-14 10:53 pm (UTC)(link)
I like LastPass.

(Anonymous) 2014-10-16 06:37 pm (UTC)(link)
Thank you!