Kill The Password

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Kill The Password

#1 Post by labbe5 »

http://www.wired.com/2012/11/ff-mat-hon ... newsletter

An interesting read about passwords and hacking.
8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#2 Post by 8Geee »

Apple has got it right. 10 chances then all of the files vanish. Dirt stupid simple. Even a 4-digit password becomes strong.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#3 Post by Burn_IT »

Well he fell for the very worst thing(s) you can do about passwords.

I have a different password (when I have to have one) for every site.
They are NOT stored (by me) anywhere and even I could not tell you what it is until I actually visit the site.

I physically secure my machine when I need to - which I don't at home.
"Just think of it as leaving early to avoid the rush" - T Pratchett
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#4 Post by Lobster »

Interesting article. Cloud IMHO is part of the problem ...
8Geee wrote: Apple has got it right. 10 chances then all of the files vanish. Dirt stupid simple. Even a 4-digit password becomes strong.
Apple got it right? Que?
I have just updated to iOS 9.3 and the two-stage authentication has stopped at stage 2. Cannot change my password. I have been locked out. Completely. Cannot access my own machine.
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D
musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#5 Post by musher0 »

Hi, Lobster.

Yeah. That's the problem with physical computer BIOS-type passwords. Forget them
and you've lost your investment.

Remember "dongles"? Back in the day, maybe 15 years ago, a very expensive CAT
(Computer Assisted Translation program) came with a dongle. If you wanted to run it, you
needed to insert the dongle in a computer port before booting the computer. It came with
two dongles in case you lost one.

Since every computer now has God-knows-how-many USB ports, maybe USB-stick
dongles should make a come-back, to use as a lock for your machine.

Or make yourself one, if you're on PC. Remove all grub, etc., booting capacity from your
machine and put it instead on a bootable mini-DVD or USB stick that you carry with you.
No "dongle", no boot. Simple.

Of course you'll still need regular passwords for your forums, webmails, etc. Which you
jot down in a little notebook (the type with paper pages) that fits in your pocket, right?
Never on your box.

My 2 ¢. BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
gcmartin

#6 Post by gcmartin »

New technology is on the horizon. But, it will become universally used. It involves your handheld, your voice, a biometric, its camera and it is foolproof. And, encryption allows all handheld contents to be off-line to anyone other than you. Your use of your handheld is now daily and what it can do to maintain your identity and to protect your personal access is incredible. YOU, then, become your password. Even your twin cannot be you.

The ONLY reason "THEY" may not provide this is that it would defeat anyone other than you to access the contents of your handheld for ANY reason.

Unfortunately, we don't control the development or release of this technology. But, we are extremely close to this being accessible to the public, at large.

This changes the landscape for what is yours and the ability to access what is yours.
Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#7 Post by Burn_IT »

You are involved in a crash and smash your face and break your arms.
No PC access until you are well and hope you have no scar tissue!!
"Just think of it as leaving early to avoid the rush" - T Pratchett
bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#8 Post by bark_bark_bark »

Burn_IT wrote: You are involved in a crash and smash your face and break your arms.
No PC access until you are well and hope you have no scar tissue!!
+1

This is the problem with using body parts to gain access to technology. Nothing still beats the good old-fashioned password, as long as the password is a good one.
....
kjdixo
Posts: 153
Joined: Sun 13 Sep 2009, 21:13

#9 Post by kjdixo »

A spring loaded, hinged telephone index is fast and easy and great fun to use.
You slide the tab to the correct alphabetical category and press the button.
Quick as a mouse trap - due to the spring.
Preferable to a shopping bag full of scraps of paper with jotted passwords.
Talking of which . . .
Have you seen what a mouse can do to scraps of paper?
Answer . . . shred them !!
But can a mouse open a spring loaded telephone index?

I think I have been watching too much "Columbo" and need to get out more.
kjdixo
Posts: 153
Joined: Sun 13 Sep 2009, 21:13

#10 Post by kjdixo »

Interesting web page about security flaws of fingerprint unlocking.
3d printing or similar can be used to thwart it.
http://www.theverge.com/2016/5/2/115409 ... k-security
At the CCC conference in 2014, a security researcher called Starbug used those techniques to construct a working model of the German defense minister’s fingerprint, based on a high-res photograph of the minister’s hand.
drunkjedi
Posts: 882
Joined: Mon 25 May 2015, 02:50

#11 Post by drunkjedi »

musher0 wrote: Remember "dongles"? Back in the day, maybe 15 years ago, a very expensive CAT
(Computer Assisted Translation program) came with a dongle. If you wanted to run it, you
needed to insert the dongle in a computer port before booting the computer. It came with
two dongles in case you lost one.
Funny incident.
At my company's QA department we have a CMM (Coordinate Measuring Machine).
It uses a dongle lock. You can't use it till the dongle is inserted.

We keep the dongle always inserted as there were almost 6 people using that machine in 3 shifts daily.
We never thought someone will think that it's a pen drive and take it. We only thought what would someone use the machine for...
But it happened that someone took that dongle,
and we couldn't use that machine for a week as it came with only one.
We thought contacting the company of that machine we can get duplicate easily. We thought we will order 6 now.
We found out that we will need to pay them 5K$ for one duplicate.

Then we thought of posting on all notice boards.
We wrote that it looks like a USB stick but it's not, and you can't use it for data transfer. And it will cost heavily to get replaced. Cops will be called if it's not returned.
And magically the dongle appeared near entrance of Q.A. room next morning.

And no we don't have CCTVs all over the place.
drunkjedi
Posts: 882
Joined: Mon 25 May 2015, 02:50

#12 Post by drunkjedi »

kjdixo wrote: Interesting web page about security flaws of fingerprint unlocking.
3d printing or similar can be used to thwart it.
http://www.theverge.com/2016/5/2/115409 ... k-security
At the CCC conference in 2014, a security researcher called Starbug used those techniques to construct a working model of the German defense minister’s fingerprint, based on a high-res photograph of the minister’s hand.
Yes heard about that.
Fingerprints, retinas, facial recog, they say can be fooled.
I think we are yet to reproduce human memories.
So passwords are still most secure, if we protect them from being copied from the point where we input them.

Maybe a headgear which will get password from brain waves..... no need to input something physically.
Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#13 Post by Burn_IT »

Encephalograms?
"Just think of it as leaving early to avoid the rush" - T Pratchett
drunkjedi
Posts: 882
Joined: Mon 25 May 2015, 02:50

#14 Post by drunkjedi »

Yeah, maybe,
Just imagine a picture or memory and the PC will unlock.
Just keep away from the Alzheimer's Disease.
Or an accidental memory loss......
Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#15 Post by Burn_IT »

I meant using them to crack memory based encryption.
"Just think of it as leaving early to avoid the rush" - T Pratchett
Moose On The Loose
Posts: 965
Joined: Thu 24 Feb 2011, 14:54

Re: Kill The Password

#16 Post by Moose On The Loose »

labbe5 wrote: http://www.wired.com/2012/11/ff-mat-hon ... newsletter

An interesting read about passwords and hacking.
https://youtu.be/7U-RbOKanYs

The worst problem happens when someone gets a look at the hashes for the passwords of all the users on a system.

One of the simplest easy-to-remember strong passwords is 3 ordinary shortish words with some digits between them and a special character somewhere. They have to be random words and not a common saying.

Physical security is also important. If someone can get hold of a computer for the long term, they will eventually get the files on it. An encryption system is only a delay in this. You can never really be sure how much delay it is. Next week someone may invent a machine that finds prime factors in one go. When that happens a lot of public encryption is broken. Someone may also prove that quantum computers will never work in which case, your data is safe.
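
Added example, not from any poster in this thread: a Python version of the passphrase recipe in post #16 (random words, digits between them, one special character), together with the arithmetic behind the wipe-after-10-tries point in post #2 and the leaked-hash point in post #16. The sample word list, the 7,776-word list size and the rate of 1e9 guesses per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed sample list so the block runs offline (assumption); a real
# generator should load a list of several thousand ordinary short words.
WORDS = ["apple", "brick", "cloud", "delta", "ember", "flint", "grape", "hazel",
         "inlet", "jolly", "kayak", "lemon", "maple", "north", "olive", "pearl"]
SPECIALS = "!@#$%&*-_=+?"

def make_passphrase(words=WORDS, n_words=3, digits_per_gap=2):
    """Random words, digits between them, one special character somewhere."""
    parts = [secrets.choice(words)]
    for _ in range(n_words - 1):
        parts.append("".join(secrets.choice(string.digits) for _ in range(digits_per_gap)))
        parts.append(secrets.choice(words))
    # The special character goes at a random boundary (start, end or between parts).
    parts.insert(secrets.randbelow(len(parts) + 1), secrets.choice(SPECIALS))
    return "".join(parts)

def passphrase_keyspace(wordlist_size, n_words=3, digits_per_gap=2):
    """Number of equally likely outputs of make_passphrase for a given list size."""
    boundaries = 2 * n_words  # (2*n_words - 1) parts have 2*n_words boundaries
    return (wordlist_size ** n_words * 10 ** (digits_per_gap * (n_words - 1))
            * len(SPECIALS) * boundaries)

def online_success_chance(keyspace, attempts_allowed):
    """Chance of guessing a uniformly random secret before a wipe-after-N lockout."""
    return min(1.0, attempts_allowed / keyspace)

def offline_average_seconds(keyspace, guesses_per_second):
    """Average time to hit the secret when leaked hashes can be tested freely."""
    return keyspace / 2 / guesses_per_second

if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second against a fast unsalted hash
    pin = 10 ** 4
    phrase = passphrase_keyspace(7776)
    print("sample passphrase:", make_passphrase())
    print("4-digit PIN, 10 tries then wipe: %.2f%% chance" % (100 * online_success_chance(pin, 10)))
    print("4-digit PIN, hash leaked: %.6f s on average" % offline_average_seconds(pin, rate))
    print("3-word passphrase: %.1f bits, about %.1f years on average"
          % (math.log2(phrase), offline_average_seconds(phrase, rate) / 31557600))
```

The keyspace figure only holds when the words really are drawn at random; a phrase the user picks by hand has far fewer likely values than the formula counts.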
drunkjedi
Posts: 882
Joined: Mon 25 May 2015, 02:50

#17 Post by drunkjedi »

Burn_IT wrote: I meant using them to crack memory based encryption.
Hmm like physical key loggers for passwords.
kjdixo
Posts: 153
Joined: Sun 13 Sep 2009, 21:13

#18 Post by kjdixo »

@Moose On The Loose
Thanks for the YouTube link.
So MD5 and SHA1 are a waste of time nowadays?
And puppy1234linux is not a good password.

Graphics cards (being used to crack passwords), FPGAs (also used for bitcoin mining) etc. . . . how can we possibly hope to keep up with this constantly evolving technology?
There is probably technology being used today that is so secret that we will not find out about it for another 30 years . . . if at all.

Add to this, the hardware manufacturers are sometimes in cahoots with the governments and/or the criminals to design in 'back doors'.
The companies don't even need to be in cahoots as outside entities can plant very clever engineers and software programmers into a company to do the dirty work.
Or those employees could themselves be criminally inclined for their own gain.
Anything is possible.

All very worrying.
So as a precaution it is best to over-engineer all security systems and make them 1000 times better than is currently advised.
And buy a Faraday tent of the type allegedly used in foreign embassies.
Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#19 Post by Burn_IT »

I think that all this fuss about passwords and security is way over the top.
The only thing I would worry about is access to my bank accounts.

If anyone wants to hack into anything else of mine online, they are pretty much welcome to waste their time.

My machine at home is not secured other than being in the house.

At the office; there is little personal stuff that is not already more easily accessible and any sensitive stuff is kept on the server and not my responsibility other than maintaining the software.

I do have a different password for every different site I visit, but those are not written down and I don't remember them until I actually visit the site - which sometimes screws me when the site is redesigned.
"Just think of it as leaving early to avoid the rush" - T Pratchett
kjdixo
Posts: 153
Joined: Sun 13 Sep 2009, 21:13

#20 Post by kjdixo »

@Burn_IT
I do have a different password for every different site I visit, but those are not written down and I don't remember them until I actually visit the site - which sometimes screws me when the site is redesigned.
That's one good method provided your memory is sharp and you have excellent recall.
Many people are a bit slower and have very bad memory and even forget what day it is.
I suppose it is always possible to click the "forgot your password" button or contact the site admin and get a nice new password emailed to you.
Yes it is probably overkill to get too worried.
Just my 0.02$ worth.