Aetles + passwords   22

Have I Been Pwned tells the world about security breaches
Troy Hunt’s Have I Been Pwned is a one-stop shop for learning if you’re among the millions affected by security breaches. And he’s trying to do it the responsible way.
passwords  security  hacking 
24 days ago by Aetles
Let them paste passwords - NCSC Site
This is why we think SPP is bad, and allowing password pasting is good. The pros outweigh the cons, and by a lot.
forms  javascript  passwords  security  webdevelopment 
may 2017 by Aetles
Theft and Loss Recovery for iOS Users — Fraser Speirs
Let's say, for the sake of argument, that I'm walking down the street in a large city somewhere abroad and I'm approached and forcibly relieved of all the valuable possessions on my person. In a typical tech conference scenario, that would be my iPhone, iPad and Apple Watch all gone.

What now? Well, there are two phases to this: damage limitation and disaster recovery.
security  ios  backup  passwords  icloud  apple  twostepverification 
april 2017 by Aetles
GRC's | Password Haystacks: How Well Hidden is Your Needle?  
Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose, is discovered.

If every possible password is tried, sooner or later yours will be found.
The question is: Will that be too soon . . . or enough later?

This interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search. Please see the discussion below for additional information.
passwords  security  privacy  tools 
april 2015 by Aetles
Setting up firmware password protection in OS X | Cocktail Blog
Mac users in higher security risk situations may wish to enable an optional firmware password on their machines, which offers an advanced level of protection. In short, a firmware password is a lower level layer of security that is set on the actual Mac logicboards firmware, rather than at the software layer like FileVault encryption or the standard login password.
mac  osx  mactips  security  passwords 
june 2014 by Aetles
RaiderSec: How Browsers Store Your Passwords (and Why You Shouldn't Let Them)
In a previous post, I introduced a Twitter bot called dumpmon which monitors paste sites for account dumps, configuration files, and other information. Since then, I've been monitoring the information that is detected. While you can expect a follow-up post with more dumpmon-filled data soon, this post is about how browsers store passwords.

I mention dumpmon because I have started to run across quite a few pastes like this that appear to be credential logs from malware on infected computers. It got me thinking - I've always considered it best to not have browsers store passwords directly, but why? How easy can it be for malware to pull these passwords off of infected computers? Since sources are a bit tough to find in one place, I've decided to post the results here, as well as show some simple code to extract passwords from each browser's password manager.
security  browsers  passwords 
june 2013 by Aetles
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica
In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user.
passwords  security  privacy  cryptography 
may 2013 by Aetles
[1304.6584] When Privacy meets Security: Leveraging personal information for password cracking
Passwords are widely used for user authentication and, despite their weaknesses, will likely remain in use in the foreseeable future. Human-generated passwords typically have a rich structure, which makes them susceptible to guessing attacks. In this paper, we study the effectiveness of guessing attacks based on Markov models. Our contributions are two-fold. First, we propose a novel password cracker based on Markov models, which builds upon and extends ideas used by Narayanan and Shmatikov (CCS 2005). In extensive experiments we show that it can crack up to 69% of passwords at 10 billion guesses, more than all probabilistic password crackers we compared against. Second, we systematically analyze the idea that additional personal information about a user helps in speeding up password guessing. We find that, on average and by carefully choosing parameters, we can guess up to 5% more passwords, especially when the number of attempts is low. Furthermore, we show that the gain can go up to 30% for passwords that are actually based on personal attributes. These passwords are clearly weaker and should be avoided. Our cracker could be used by an organization to detect and reject them. To the best of our knowledge, we are the first to systematically study the relationship between chosen passwords and users' personal information. We test and validate our results over a wide collection of leaked password databases.
passwords  security  research 
april 2013 by Aetles
On hashcat and strong Master Passwords as your best protection | Agile Blog
You may have heard some news going around about hashcat, a password cracking tool, that recently increased its ability to guess Master Passwords for 1Password data files. It’s an impressive achievement for hashcat, and it is important to understand what this does and doesn’t mean for 1Password.
passwords  security  1password  encryption 
april 2013 by Aetles
John Resig - Keeping Passwords in Source Control
It has to deal with the eternal question: How do you store sensitive configuration options (such as usernames, passwords, etc.) in source control? Typically what I’ve done is to just punt on the problem entirely. I create a dummy configuration file, such as conf/sample-settings.json which has the basic structure but none of the details filled out.

If someone else needed the details I would just email it to them, or some such (not ideal). Especially when it came time to add additional information to the file or make other changes.

The technique I picked up from Craig was to, instead, keep an encrypted version of the configuration file in source control and then provide a means through which the user can encrypt and decrypt that data.
git  passwords  encryption  sourcecontrol  versioncontrol 
february 2013 by Aetles
Muffett on Passwords | dropsafe
TL;DR Summary

don’t let users choose guessable passwords; achieve this by…
encouraging/forcing users to use good password management software, and then…
protect the hashes on the backend by using something decent, ie: bcrypt()
passwords  security 
january 2013 by Aetles
Regrettably @Mat Honan is Entirely Wrong about “Killing Passwords” /cc @Wired | dropsafe
The reason to cling onto passwords is that they are a distributed, non-hierarchical technology.

There is no database other than the essential database of passwords
There is no certificate authority to be spoofed
There is no token database to be stolen
There is no monetisable identity linkage and hence no selective disclosure bunfighting
The likelihood of catastrophic centralised identity mistakes is small
In short: there’s a lot less that can go wrong when the identities are discrete and thinly spread.

So, sorry Mat. You’re wrong all the way up to this point
passwords  security  mathonan 
january 2013 by Aetles
Secure Yourself by Using Two-Step Verification on These 16 Web Services - How-To Geek
Two-factor authentication, also known as 2-step verification, provides additional security for your online accounts. Even if someone discovers your password, they’ll need a special one-time code to log in after you enable two-factor authentication on these services.

Notably absent from this list are banks and other financial institutions. It’s a shame that you can use two-factor authentication to protect your in-game currency in an MMORPG, but not the real money in your bank account.
security  twostepverification  passwords 
december 2012 by Aetles
Most web sites ask for a password when you register. After logging in, you can access the site until your session expires. When you forget your password, you can request an email with a link to a password change form. NoPassword factors out the password from this process. You register with an email address and receive a link that gives you a session on that browser until you log out. If you ever need to log in from somewhere else, you can request another email with a link that will log you in wherever you are.
email  passwords  security  tools  authentication 
september 2012 by Aetles
Eikon Mini, the Compact, Low-cost USB Fingerprint Reader for Today’s PCs and Macs
Passwords On the Go
Almost invisible, keep it plugged-in or carry it with you and use your fingerprint as your master password. The Eikon Mini is the most user friendly, ultra-portable fingerprint reader available.
security  passwords  osx  fingerprints 
july 2012 by Aetles
Red Sweater Blog – Keychain Password Search
Update: As luck would have it, mere moments after publishing this, I got word from the 1Password folks about another write-up that achieves something different (exporting for 1Password), but makes use of the very same approach of automating the clicking of that allow button.
passwords  security  osx  keychain  1password 
june 2012 by Aetles
Coding Horror: Speed Hashing
I'm too busy to read all this.
If you are a user:

Make sure all your passwords are 12 characters or more, ideally a lot more. I recommend adopting pass phrases, which are not only a lot easier to remember than passwords (if not type) but also ridiculously secure against brute forcing purely due to their length.

If you are a developer:

Use bcrypt or PBKDF2 exclusively to hash anything you need to be secure. These new hashes were specifically designed to be difficult to implement on GPUs. Do not use any other form of hash. Almost every other popular hashing scheme is vulnerable to brute forcing by arrays of commodity GPUs, which only get faster and more parallel and easier to program for every year.
encryption  hash  hashing  passwords  security 
april 2012 by Aetles
juuso/BozoCrack - GitHub
BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.

It works way better than it ever should.
hack  md5  passwords  security 
november 2011 by Aetles
Htaccess Authentication - Password protect directory
Password protect one or more directories with Basic HTTP Authentication using .htaccess. A .htpasswd file will be used to store login details. Use the .htpassswd generator to create entries in the .htpasswd file.
htaccess  passwords 
march 2011 by Aetles
Anonymous speaks: the inside story of the HBGary hack
It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.

When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.

Over the last week, I've talked to some of those who participated in the HBGary hack to learn in detail how they penetrated HBGary's defenses and gave the company such a stunning black eye—and what the HBGary example means for the rest of us mere mortals who use the Internet.
hack  security  sqlinjection  md5  hashing  passwords 
february 2011 by Aetles
Amazon EC2 Enables Cheap Brute-Force Attacks - Slashdot
Also fun to realize: for every character less than 20, you lose 100x your security. A 19-character password could be cracked in just 1% of the time of a 20-character password. A 10-character password would take .000000000000000001% of the time.
passwords  security 
january 2011 by Aetles
Vincent Gable » Pass Phrases, Not Passwords
People feel that if security system A is harder for them to use then system B, then A must be harder for an attacker to bypass. But the facts don’t always match this intuition.

What authentication code do you think is harder for a bad guy to hack, the 7 character strong password “1Ea.$]/”, or the mnemonic for the first 3 characters, “One Elvis Amazon”? Certainly “1Ea.$]/” is harder for a person to remember. It feels like it should be harder to break. But a computer, not a person, is going to be doing the guessing, and all it cares about is how big the search space is. There are 93^7 possible 7 character passwords. Let’s say there are 250,000 possible English words (more on that figure later). Then there are 250,000^3 3 word combinations — meaning an attacker would have to do 260 times more work to guess “One Elvis Amazon” than to guess “1Ea.$]/”.
security  passwords 
june 2009 by Aetles