Tech: Viruses and passwords
Subject: Tech: Viruses and passwords
From: pavane
Date: 15 Feb 09 - 05:03 AM

One often sees notes about new viruses/trojans etc which have algorithms to guess passwords.

One solution to this seems obvious to me: Every account should require TWO passwords.

The virus would have a huge job even checking all combinations of two 'Obvious' passwords.

This could be done without too much trouble. Web sites could easily add a second password which is initially set the same as the first one, and which must be reset (to something DIFFERENT from the first) as soon as you log in.



Subject: RE: Tech: Viruses and passwords
From: GUEST,.gargoyle
Date: 15 Feb 09 - 05:31 AM

Ms. pavane

Passwords are encouraged to have upper and lower case sensitivity and numbers also included within them.

It is up to YOU ... to create PW's of mass deception.

Sincerely,
Gargoyle

GMail - does a good job of indicating the strength of your intended PW. Banking sites - such as E-Trade are using a random synchronized secondary key "Digital Security ID Token" to assure strong encryption.



Subject: RE: Tech: Viruses and passwords
From: pavane
Date: 15 Feb 09 - 06:56 AM

Ms?

Mr!



Subject: RE: Tech: Viruses and passwords
From: pavane
Date: 15 Feb 09 - 07:01 AM

I am trying to save people from themselves. We KNOW that most passwords are too weak.

Two weak passwords in my scheme would be better than one strong password in the standard method. The virus relies on trying passwords sequentially until one fits. Trying all combinations of one against the other is hugely more time-consuming (though little more difficult to code). It could take hundreds of years to run through all possibilities.



Subject: RE: Tech: Viruses and passwords
From: Acorn4
Date: 15 Feb 09 - 08:24 AM

There seem to be two kinds of password. The first is too straightforward so that a hacker can get it, the second is so complicated that the person who owns it can't remember it. When you add the fact that you're not supposed to write them down, you've got a bit of an impasse.



Subject: RE: Tech: Viruses and passwords
From: olddude
Date: 15 Feb 09 - 10:12 AM

Most passwords are too weak for sure, get in the habit of using something you will remember but Put in Special Characters in it
for example D!A!N$ instead of dan and add a number maybe at the end

this will give fits to the CRACK program normally used to get passwords



Subject: RE: Tech: Viruses and passwords
From: pavane
Date: 15 Feb 09 - 11:09 AM

But they will soon add special characters to the list they use.
My suggestion allows you to use two passwords which are each easy to remember, but still have strong protection.



Subject: RE: Tech: Viruses and passwords
From: JohnInKansas
Date: 15 Feb 09 - 11:19 AM

pavane -

What you propose is basically the "challenge-response" method already in use by many "secure sites."

When you log in, you input your password, but some sites also identify your computer, usually via a cookie they've put on your computer but sometimes via an "identity vault file" that's strongly encrypted. If you log in from a different computer, or if the computer id gets lost, or if you make an error in entering your password, or sometimes just at random, they ask you for your "challenge answers" to questions that you've given them your unique answers for.

The questions often are pretty obvious, and people often make the absurd assumption that they're supposed to answer them "right." A typical question might be "where were you born?" and you don't have to tell them you were born in "Bumf*ck Iowa" where you actually were born. You can make your answer be "C0nfu3ed 1n M1z1gan" or some other "cuteness."

Your credit card/ATM card/debit card probably uses a 4-digit "PIN number" which can only have numbers. This is a "trivially simple" password, with only 10^4 possible values, but the card itself contains an additional encrypted and randomly assigned "strong password" that has to match, unless your bank is in violation of new rules added last year. (Most major banks used the system some time before it was made mandatory.) The secondary strong password is no help if someone gets your card, but it does make it a lot harder for some one to forge a duplicate from the data they can get even by hacking your bank's data base.

Some secure sites impose the "three strikes" rule, and three unsuccessful attempts will "lock the account," usually for about 10 days, before anyone can log in. (There's usually a phone number you can call to get it unlocked immediately, where they should use at least challenge/response security checks before unlocking it for you.) This means that to try even the 10,000 "simple PIN" numbers a crook can only try 3 numbers every 10 days.

On your own computer, a "numbers only" password of at least 8 digits is generally considered "moderately secure," with some help from the criminal not knowing how many digits you've used (10^8 possibles to check). Adding just one letter character raises the barrier to 36^8 = ~3*10^12 possibilities. This is the same "strength" you get with a pass"WORD" with a number in place of one or more letters. (like B33R for Beer).

Including letters and numbers, by making the password case-sensitive, a six-place password can require 62^6 combinations (~610 possibles), and an 8-place one is at ~2*10^14 possibles.

On some Unix systems you can have the left-shifted A be a different char than a right-shift A, and a few allow a backspace as a password character so your password could include a character that must be present, but must be backspaced out as the next "stroke."

Any password can be broken, but unless you're an incredibly "high value" target you're probably safe enough with a six-place password that includes at least one Upper Case letter, one lower case letter, and one number. You can add "ANSI chars" like !$()/ and a few others on most systems for some additional complexity (and your system should tell you if it doesn't permit a char you try to use). An 8-place numbers-only is considered "acceptably strong" for most things that don't involve "all your money," but you can usually just use a longer number string if you're worried.

The best rule most frequently ignored is that you should change all your passwords at regular (or random) intervals to minimize the damage in case someone has discovered one you use. Most large orgs enforce password changes, usually about monthly but sometimes quarterly. Most individuals never change them, but probably should.

John



Subject: RE: Tech: Viruses and passwords
From: JohnInKansas
Date: 15 Feb 09 - 11:30 AM

pavane -

Your last post cross-posted while I was typing my brief preceding comment.

Using two passwords only doubles the complexity for the hacker if both passwords are of the same "strength." (The same "crack" has to be run twice.) Adding just one digit or letter to the password multiplies the complexity by 10 (for numbers-only) or by 36 (if you're using chars+nums) or by 62 with nums and both upper and lower case letters, or by up to about 70 if you add a !@#$/.

Challenge/Response gets some added complexity since it allows you to use a "fixed length" password, or one with a short range of permitted lengths, but once switched to the challenge system you have several (usually about five?) challenges, and the responses that you supply can have (usually) any length.

John



Subject: RE: Tech: Viruses and passwords
From: GUEST, topsie
Date: 15 Feb 09 - 11:34 AM

I was advised to include a password in an unrelated Word document, and then instead of keying it in you can just paste it into the password box. Is this really effective?
I have also tried putting the characters of the password in in the 'wrong' order - so that the order I type the characters is not the order in which they will appear. I have no idea whether this is effective, and it does require concentration.



Subject: RE: Tech: Viruses and passwords
From: Acme
Date: 15 Feb 09 - 11:41 AM

Over the last couple of years I have upgraded many of my passwords to stronger levels. And when I log onto important secure sites such as my bank or my investment sites, they use an image passmark so I can be sure I haven't somehow arrived at a bogus site. Since I rebuilt the computer and their systems didn't "recognise" my computer, even though I had the passwords correct, they challenged me with one of our pre-programmed questions.

What you describe is in place, perhaps you simply haven't encountered it yet.

I not only write down passwords, I make notes about the answers and date when I made the changes, so I can double check that they're asking me the right questions. But those pages live in a place that isn't next to the computer.

SRS



Subject: RE: Tech: Viruses and passwords
From: Richard Bridge
Date: 15 Feb 09 - 11:42 AM

If you have the sort of mind that remembers such things (as it happens I have) then telephone numbers that you used to have (30 years ago) or car registration numbers that you used to have (30 years ago) can be "beefed up" by switching case at places that are natural to you. The advantage is that the nearly-words in them are quite easy to remember, but quite hard to guess.

For some strange reason one of my bank cards is really hard for me to remember: it's only four digits but they get worrying after two mistakes with a queue behind you and an empty wallet!



Subject: RE: Tech: Viruses and passwords
From: olddude
Date: 15 Feb 09 - 12:28 PM

John In Kansas has it absolutely correct. You would have to be a very high valued target if you just follow that advice. Yes computers are very powerful even so adding special characters and numbers makes it not worth a hacker's time, the longer a hacker stays online on your account trying to break in the higher his probability of getting caught. Just use some common sense with any password put special chars in it. On my servers with client info, the disk drive partition is encrypted using one of the many data encryption programs you can get freely, should my servers be compromised, the data won't be that is for dang sure, unless they have many years to try and crack that encryption

just don't be stupid, husband, wife, kids names and pet names are the single most common passwords with birthdates, way way too easy



Subject: RE: Tech: Viruses and passwords
From: pavane
Date: 16 Feb 09 - 02:03 AM

JohninKansas,
I think you will find it more than doubles the complexity.
Remember that it cannot find one password in isolation, it must get them BOTH right before it knows it has succeeded. Therefore the number of possibilities to check is of the order of (N squared) where n is the password length, not just N

I was not talking about encryption, but the same principle can be applied, by re-encrypting the encrypted data with a different key.



Subject: RE: Tech: Viruses and passwords
From: JohnInKansas
Date: 16 Feb 09 - 03:06 AM

pavane -

If you have two passwords that both must be correct before you know either of them is correct, then you DON'T HAVE TWO PASSWORDS. You just have one password twice as long, since exactly the right character string consisting of both passwords must be entered. Putting an "Enter" in the middle just adds one more character to the character set you make the password from.

For two passwords each of length N, from a character set with K characters, the number of tries is K^(2N), exactly the same as if you had one password 2N characters long. If there's a mouse click in the middle, or an Enter, just add 1 to the K. All you really are proposing is that you should use passwords twice as long as the computer is going to be able to read, since anyone really paranoid is going to use all the characters accepted by the login to begin with.

And it's difficult to support the contention that the cracker won't know when the first password is entered correctly, since completing the first password likely would be the only way to open the input box for the second password. If both boxes are open and in view at the same time, then all you've really added is a "Tab" to move to the second box - and once again it's a single string to be typed - just a very long string.

It is true that the longer the password is, the more time it takes to crack it, and the more different characters in the set you draw your password characters from, the stronger the password.

So you could get a much stronger effect just by using the entire set of Unicode characters to select the characters in your password, including characters from at least a dozen different languages (including a few consecutive ones from right to left alphabets in the middle of the left to right ones, maybe with a top to bottom few on one end.)

Before proceeding to your ultimate password(s) remember that a very common way of breaking a system's security is by producing a few buffer overruns. How big is the "password buffer" on your computer? Does the program that reads it include overrun protection?

Only the programmer who wrote it knows for sure.

And (s)he probably put a backdoor in the login program that allows access to everything you (and everyone else) might be trying to protect just by typing "Hello Sucker!" ... .

John



Subject: RE: Tech: Viruses and passwords
From: pavane
Date: 16 Feb 09 - 05:02 AM

You are making assumptions about how it will be implemented. I had envisaged two boxes which would have to be filled at the same time.
You don't want to give the virus any unnecessary clues. That is why programs do not usually tell you whether it is the user name or password which is wrong.

And I believe two "easy" passwords would probably be longer than one difficult one. As I said, the objective is mainly to save people from themselves. We all know that a 16 character password with special characters is strong, but how many people use one? it is much easier to remember two simple ones. Therefore K**2n will be much bigger. Two five-character passwords will be as effective as one 11 character one.

Naturally, my suggestion does not cover implementation-dependent bugs like buffer overrun, nor the security flaws in specific programs! Also, not all hardware uses Unicode.

It was intended to be more general in application than simply Windows.
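
The disagreement in the posts above between pavane and JohnInKansas turns on whether the login reveals that the first password is right before the second is guessed. As an added example (not part of any post in this thread), the Python below counts worst-case guesses for both designs over a constructed three-letter alphabet; the verifier classes and every name in it are assumptions made for the illustration.

```python
"""Guess counts for a two-password login: joint check vs. staged check.

Added illustration, not code from the thread. The alphabet, lengths and
verifier classes are constructed for the demonstration.
"""
from itertools import product

ALPHABET = "abc"  # constructed toy character set, K = 3
LENGTH = 2        # N: length of each of the two passwords


def candidates(alphabet, length):
    """Every string of the given length, in a fixed order."""
    return ["".join(chars) for chars in product(alphabet, repeat=length)]


class JointVerifier:
    """Both boxes are submitted together and one pass/fail comes back."""

    def __init__(self, first, second):
        self._secret = (first, second)
        self.attempts = 0

    def check(self, guess1, guess2):
        self.attempts += 1
        return (guess1, guess2) == self._secret


class StagedVerifier:
    """The second box only opens once the first is right, so each
    password is confirmed on its own."""

    def __init__(self, first, second):
        self._first, self._second = first, second
        self.attempts = 0

    def check_first(self, guess):
        self.attempts += 1
        return guess == self._first

    def check_second(self, guess):
        self.attempts += 1
        return guess == self._second


def worst_case_joint(alphabet=ALPHABET, length=LENGTH):
    """Submissions needed when the secret pair is the last one tried."""
    cands = candidates(alphabet, length)
    verifier = JointVerifier(cands[-1], cands[-1])
    for guess1 in cands:
        for guess2 in cands:
            if verifier.check(guess1, guess2):
                return verifier.attempts
    raise AssertionError("secret pair not in candidate space")


def worst_case_staged(alphabet=ALPHABET, length=LENGTH):
    """Submissions needed when each password is confirmed separately."""
    cands = candidates(alphabet, length)
    verifier = StagedVerifier(cands[-1], cands[-1])
    next(g for g in cands if verifier.check_first(g))
    next(g for g in cands if verifier.check_second(g))
    return verifier.attempts


def keyspace(charset_size, length):
    """K**N: number of distinct passwords of this length."""
    return charset_size ** length


if __name__ == "__main__":
    k = len(ALPHABET)
    print("joint check, two boxes  :", worst_case_joint())
    print("one box, length 2N      :", keyspace(k, 2 * LENGTH))
    print("staged check, two boxes :", worst_case_staged())
    # Two 5-character passwords checked jointly, 62-character set:
    print("62^5 squared == 62^10   :", keyspace(62, 5) ** 2 == keyspace(62, 10))
```

With K = 3 and N = 2 the joint check needs 81 submissions, the same as one password of length 4, while the staged check needs only 18.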



Subject: RE: Tech: Viruses and passwords
From: GUEST,Jim Martin
Date: 16 Feb 09 - 06:02 AM

I keep on getting requests, supposedly from Google, asking me to key in code words which are displayed in an odd fashion (letters are joined together).

Should I respond or just reboot the PC and start all over again? Could this be a virus or trojan? How am I to know it's genuine?



Subject: RE: Tech: Viruses and passwords
From: BK Lick
Date: 16 Feb 09 - 07:59 AM

What's wanted, ideally, is a way to generate passwords that are both
strong and easy to remember. I use a system devised by my son-in-law
(a professional violinist with not much formal training in math or
computers) that makes use of a very clever variation on that goal --
it generates passwords that are both strong and easy to compute from
an easy to remember number.

Starting with a phone number -- say 557-6420 -- for example, one can
easily and mindlessly translate those seven digits at the keyboard
into the string "qzwxedcrfth7j" which makes for a fairly strong
password. (Adding the area code would make it even stronger, of
course, as would starting from a SS number.)

The method can easily be adapted to periodically change the password.
For example, after using that password for three months the same
phone number could just as easily be translated quarterly into the
strings "wxecrfvtgyj8k", "ecrvtgbyhuk9l", and "rvtbyhnujil0;" -- and
in successive years different phone numbers could be used.

You can probably suss out the method from this example, I betcha.
—BK



Subject: RE: Tech: Viruses and passwords
From: Acme
Date: 16 Feb 09 - 10:25 AM

Puzzle masters around the world probably LOVE setting up new passwords. :)

Richard has a good point--I don't use mnemonic devices that are current, I draw on my own ancient history. I've lived and worked in many places, so at any given time I can revisit an old location and memorable circumstances to generate new passwords. Names and dates and a couple of other strong characters work very well.

SRS



Subject: RE: Tech: Viruses and passwords
From: Jack Campin
Date: 16 Feb 09 - 11:45 AM

I wonder if I could patent a bionic hand that responds to Masonic handshakes?



Subject: RE: Tech: Viruses and passwords
From: Newport Boy
Date: 16 Feb 09 - 12:15 PM

One other thing worth mentioning - if you are substituting digits or symbols for letters, don't substitute 4 for A, 5 for S, ( for C, $ for S or any similarly obvious and easy to remember choices. Most cracking programs have these covered.

Phil



Subject: RE: Tech: Viruses and passwords
From: JohnInKansas
Date: 16 Feb 09 - 12:20 PM

GUEST, Jim M -

The scrambled pictures with numbers or letters in them are a method that is intended to prevent someone from setting up a machine to automatically enter passwords until the right one is found. It is difficult for a computer to recognize characters in a picture and "read them back" correctly, and the picture can be changed each time so "learning the answer" doesn't help since the answer keeps changing.

Existing optical character recognition (OCR) programs need nice crisp characters, with sharp outlines, all in straight lines, to be even marginally accurate, which is why the pictures are in pastel colors, with odd shapes and in sort of a "splatter" rather than in line with each other.

Some months ago there was a complaint (with criminal charges) about scalpers who had "broken this system" in order to buy large blocks of tickets for a few concerts. Since at about that time there was a noticeable increase in spam emails of the form "You have just won a (insert name of precious prize). Enter the letters from the box and click 'send me my prize'" - my guess is that the scalpers were just copying the pictures and spamming them to a few thousand people, waiting for some fool to reply, and copying the answers back into the ticket order site - although I've seen no confirmation - or any other good "theories" - about how the method was defeated.

I can't think of a reason why Google would be sending these to you. Unless you have initiated a request to log in to a site that you know for purposes that are important to you I'd say they definitely should be ignored.

Never reply to anything that doesn't come from a source that you can identify, and that doesn't have a clear "purpose" in an understandable process for doing what you have asked to have done.

And never respond to any unsolicited offer of anything "free" or "too good to be true."

John



Subject: RE: Tech: Viruses and passwords
From: GUEST,ETC Etc etc
Date: 16 Feb 09 - 08:11 PM

I will pretend to be anonymous on this....but the clones know. Paranoia is a gift...fear is good.

I am sure you mean well. However, stupid people will still use stupid TWO word PW's like "pussy kat" or "laughing dog," or "monkey boots."

The weakest link is the user. I do not want to go into much detail but do you imagine there are "catters" who use the same PW for mud-cookies and PM as they use for other accounts? Of Course !

You can phish google with some of the following phrases - they are great fun for adolescents.

Hack and Cracks "2600 phracks" "social engineering" "shoulder surfing" (phracks being phone cracks noted for the famous 2600 tone of the Captain Crunch whistle - I heard from a friend about the blind kid in the dorm the previous year who could whistle the tone....he was very popular on Friday nights.)

keyloggers on public machines / flashdrive uploads

password "recovery tools"

frequency of passwords

Sarah Palin's yahoo account

Default Passwords are frequently packed with software that go unchanged by users and administrators - like the "current hidden tracks thread" a lot more than "hidden easter eggs" are packed with software CD's.
http://www.securiteam.com/securitynews/5RR080A1TS.html

Government Security LogIn Assistance
http://www.governmentsecurity.org/default_logins_and_passwords_for_networked_devices

You would be astounded what is contained in YOUR own machine and available for viewing with the simple notepad.

There are "white hats" and "black caps" and "red hats" on the internet.

There are lists of the 100 most common PW's by country.

Own name
use username password
phone number
street address
license plate
girlfriend's name
121212
007
123123 administrator
admin123
godblessyou
pagen
satan666

ETC...Etc...etc



Subject: RE: Tech: Viruses and passwords
From: Jack Campin
Date: 16 Feb 09 - 08:59 PM

A call-out engineer for a major computer hardware company once told me he could get into about 90% of the systems he visited by noting the licence plates in the company car park, the local football team and the locally most popular brand of beer.



Subject: RE: Tech: Viruses and passwords
From: Acme
Date: 16 Feb 09 - 09:54 PM

Hell, who knows their own license plate number? Not me. . .



Subject: RE: Tech: Viruses and passwords
From: GUEST,ETC Etc etc
Date: 16 Feb 09 - 10:28 PM

Some of the VERY best places to "mine for gold" are in the recent phenomenon of "Social Networking Forums."

For example..."YouTube," "FaceBook" "Monster" and "LinkedIn."

It is possible to "hack,crack,phrack,smaq,phlaq,flag,phish" based on a simple "triangulation" of "life points."

What are the lost password clues...Pet, Phone Number, Best Friend...

Many people make this a display of public knowledge...and yet... this is the "private information" that a "forgotten password site" requests for verification....(ever call the phone company?...who are you talking to?)

IF you are egocentric - (most humans are) you HAVE revealed "connecting data" to your

No longer the slave or ambition.
I laugh at the world and its shams.
As I think of my Pakistan position
Funded by U.S.A. clams.

FOLKS...be concerned...but... if you use common the sense and the regular changes....be is not a need to be paranoid...wghen stange free Ends cauhl 2 ax credit report.

Sincerely,
ETC, Etc, etc

Silly Riber Stage - if you no know - yo 1st automobile3 - yo neber lib in USAb



Subject: RE: Tech: Viruses and passwords
From: GUEST,.gargoyle
Date: 16 Feb 09 - 10:40 PM

Translation for the font impaired.

Silly River Stage - if you do not know your first automobile you probably do not live in the USA.

Most male "coming of age" 16 year olds in the USA .... remember the make, model, year, license plate, stereo system, and the first date/kiss/etc associated with said vehicle.

SRS - I suggest you take the Alzheimer's test somewhere, recently within this forum...the answer is....

Sincerely,
Gargoyle

Take a TABLE....place an APPLE on it....thrust it through with a PENCIL....whooooaaa "william tell"

They need a better test for folky folks.



Subject: RE: Tech: Viruses and passwords
From: pavane
Date: 17 Feb 09 - 02:10 AM

paranoid guest: (btw Just because you are paranoid doesn't mean they are NOT out to get you)

It is harder to crack if you have two easy passwords in different boxes. Just try it and see.

Maybe I should set up a challenge site to prove my point!



Subject: RE: Tech: Viruses and passwords
From: Acme
Date: 17 Feb 09 - 09:54 AM

I know what my first, second, third, fourth, and fifth vehicles were, and those of my spouse. The question was, do you know your LICENSE PLATE NUMBER. No.

It was changed last year (every six or seven years they give you a new set if you keep driving the same vehicle long enough). It didn't have any logical sets of numbers and letters so I could memorize it. I have it written down somewhere.

Go poke a pencil through your own apple and see where it comes out. Or whatever nonsense that was.

Cordially,

SRS



Subject: RE: Tech: Viruses and passwords
From: pavane
Date: 17 Feb 09 - 10:59 AM

I think I can remember the licence plates of all the cars I have ever owned (maybe 40), except for about three.


All original material is copyright © 1998 by the Mudcat Café Music Foundation, Inc. All photos, music, images, etc. are copyright © by their rightful owners. Every effort is taken to attribute appropriate copyright to images, content, music, etc. We are not a copyright resource.