DailyDirt: Breaking Bad… Passwords
from the urls-we-dig-up dept
Passwords are everywhere. They get us access to our phones, computers, email, social media accounts, cloud storage accounts, banks accounts… just about everything important (and unimportant — which is part of the problem with passwords). You might think you’re clever by choosing a 4-digit PIN that doesn’t look like a birthday date or year, but if you’re using 2580 and think you’re smart, think again.
- The iPhone’s 4-digit passcode can be broken by brute force in roughly 111 hours or less. Sure, you could use your fingerprint, but it might be better to just turn off the “simple passcode” default and use more digits. [url]
- Plenty of password alternative schemes are springing up to move people away from passwords and towards other kinds of authentication. All the big tech companies are trying out various password alternatives. Google is experimenting with a dongle/token/USB key approach. Yahoo is trying out a password-free login. Passwords still seem to be the dominant method for logins, but that could change… someday. [url]
- If you have an old wireless router and it only uses WEP passwords, should you use it? Well, even if you use a WPA password, it only takes a few hours to crack… so just stay paranoid. [url]
If you’d like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.
Filed Under: dongle, fingerprint, logins, passcode, password-free, passwords, pin, security, tokens
Companies: google, yahoo
Comments on “DailyDirt: Breaking Bad… Passwords”
i still use WEP key
I’d just leave it wide open if I didn’t want to use the changing password as an incentive for my kids to do chores.
Re: i still use WEP key
Just beware that your kids could crack the WEP code in a few minutes, so if you want to keep them off when you dont want them on, WPA or WPA2 is better.
Re: Re: i still use WEP key
If my kids did the research to learn what a WEP key is and learned to use the tools to crack them, I would be so proud that I’d happily do their chores that week.
Ugh, Gawker media. Not even worth linking to.
SQRL
“We don’ need no stinkin’ PASSWORDS…”
I like the idea of services/software like LastPass. This way you can make a single elaborate password (mine is above 15 digits) and leave the rest to the service. LastPass offers multi-factor authentication too so you can take even further steps to protect yourself (which I did). I think that the future will still see passwords but they will be coupled with other authentication factors.
Not quite
> Well, even if you use a WPA password, it only takes a few hours to crack
This depends on the password strength. Cracking a strong WPA password is computationally infeasible. Since WPA cracking typically uses a dictionary instead of brute force, cracking a WPA password like “password123” will take minutes.
WEP
WEP is pretty much the same as nothing, WPA isn’t very secure, so I take an approach that avoids both of them while providing strong security: I turn the WiFi crypto off completely, then set up my router so that the only thing that can be reached through the access point is my VPN. Anybody can connect to the AP, but doing so won’t actually do them any good.
Re: WEP
“…WPA isn’t very secure…”
WTF??! WPA can be entirely secure, if you read the manual.
I could set up a WPA Radius server on my network (two Windows, one Apple, and three Linux boxes – there are more, but the rest are connected to the router via hard cables), but why f#$%ing bother? I use WPA2-PSK with a 63 character key comprised of upper and lower case alphabetics, numerals, and symbols.
I defy the NSA to own enough computing power to crack my wireless network during my lifetime, unless Mr. Technology performs one of those extra uber-wacky fast-forward things.
Today, and for the foreseeable future, WPA rulez (unless you’re too lazy to RTFM)!
Talk about something you know.
Re: Re: WEP
“I defy the NSA to own enough computing power to crack my wireless network during my lifetime”
It doesn’t take the NSA. Anyone can do this with a normal computer if they can capture the radio traffic from enough instances of people connecting to the WiFi.
“Talk about something you know.”
I recommend the same to you.
Re: Re: Re: WEP
This is my trade.
I can capture the 4-way handshake and set John (or some other tool) on the crack, but even with a cluster of processors, if it’s well-crafted, a password of 20 characters or more is pointlessly difficult to pursue (my 63 element password IS secure).
THE useful approach for cracking WPA, when the target has RTFM, is social engineering not outdated, kiddie tools like Reaver.
Biometrics aren't magic.
I do wish people wouldn’t think of ‘biometrics’ (ex: fingerprint, iris, etc.) as some kind of security magic. It isn’t.
Before _any_ biometric can be used it’s converted into a string of values. What we know of as a _PASSWORD_.
The only differences between a _biometric_ and a standard password are:
you can’t loose it (well, unless you loose an eye, or a finger)
you can’t forget it (see above caveats)
after being _processed_ it’s generally stronger than a typical password (nothing is stopping the finger print to password algorithm from doing something silly like counting the number of ridges and wholes)
you can’t change it (most people only have 2 eyes, 10 fingers, etc.)
you are leaving copies of it everywhere
the cops, or the _bad_guys (yes, sometimes that’s redundant) can easily force you to disclose it.
Currently most of the work in cracking biometric protected systems has focused on replicating the biometry (fake finger, picture of subject, etc.) Personally, I think that’s a fools errand.
Make a finger print reader, someone makes a fake finger. Add _life_ detection, someone makes a fake fingerprint and puts it on an actual finger, etc. Rinse lather repeat.
Alternatively, apply the algorithm the finger print reader uses to a copy of the fingerprint (or take a page from the Target credit card hackers and copy the actual generated code from the back end of the finger print reader itself.
Inject the computed code (a.k.a. password) into the system, BINGO you are in. Until they change the algorithm that generates the code it doesn’t matter HOW GOOD the reader gets at figuring out if it’s the real person, in the end it’s just computing a password based on the biometric seed.
Science fiction has figured this out awhile ago. In any book/movie/television show whenever you see the person pry open the iris scanner, fingerprint reader, etc. and connect a (usually hand held) computer directly to the innards, that’s just what they are doing. Skip the biometric to password generation to send the password directly to the system.
Biometrics aren’t _better_than_passwords_, they _ARE_ passwords.
Re: Biometrics aren't magic.
“you can’t loose it (well, unless you loose an eye, or a finger)”
Actually, fingerprints are pretty easy to lose. It’s not that rare that they change (due to scars, etc.) and more people than you might think simply don’t have them. My wife, for example, routinely loses her fingerprints as a side-effect of certain work tasks.
My community has local wardrivers
And I’d happily share my internet if it wasn’t abused by the local piggybacks (e.g. streaming or peer-to-peer which hogs all the bandwidth) so we use the feature that checks the MAC addys of designated devices.
It means that guests have to get their device registered, but we don’t have enough wifi guests for it to be a serious bother.
Multi-factor Authentication. It’s the only way to fly.
Re: My community has local wardrivers
There are two nicer ways to handle this (assuming that you are interested in providing some sort of public Wifi access but don’t want it abused.) The easiest way is to use a more modern Wifi device that allows you to run a “guest” AP that is independent of your private AP, and to restrict what people can do on the guest AP. There are numerous inexpensive consumer Wifi rigs that let you easily do this out of the box.
Or, if you don’t mind running a more complex router, you can set up your AP so that it runs with limited resources for everything but a VPN connection, then use the VPN connection for your own unlimited access.
Re: Re: While it is a fantasy of mine to provide public wifi to my block
My bandwidth really isn’t enough to be worth it, and there are some local alternatives.
But thank you, both your suggestions are useful.
Fearmongery
What utter nonsense. WPA is not even what Reaver attacks. Reaver goes after the 8-digit pin for the assisted setup of new devices to employ WPA (heck, it only needs to crack four of the eight). If you have that assisted setup “feature” turned off, or tightly constrained (as it is by default on modern routers), Reaver is useless. Use a good password with WPA and you can laugh at wardrivers.
Pointing to a scarey article as far out of date as the one given here is not worthy of TD.
pass
Processing Re-write Suggestions Done (Unique Article)
This is my trade.
I will capture the 4-way acknowledgment and set John (or another tool) on the crack, however even with a cluster of processors, if it’s well-crafted, a secret of twenty characters or additional is pointlessly tough to pursue (my sixty three component secret IS secure).
THE helpful approach for cracking WPA, once the target has RTFM, is social engineering not noncurrent, kiddie tools like Reaver.