Defending Against Hackers of the Future

Other discussions not related to the Permanent Portfolio

Moderator: Global Moderator

Post Reply
User avatar
MachineGhost
Executive Member
Executive Member
Posts: 10054
Joined: Sat Nov 12, 2011 9:31 am

Defending Against Hackers of the Future

Post by MachineGhost » Sat Feb 21, 2015 2:56 pm

Reminder: To protect against current and near-future quantum crytopgraphy attacks you MUST use at least 44 uppercase, lowercase and numbers in your password so it is at least 256-bits in strength.  Symbols cause too many potential problems on the other end.

[quote=http://www.bloomberg.com/bw/articles/20 ... reproofing]Fully functioning quantum computers don’t exist yet, but a lot of really smart scientists think they soon will. A two-year-old startup’s 12 employees spend their days trying to figure out what to do if the bad guys get there first.

And now, a quick physics lesson. A guiding principle of quantum mechanics, the study of the universe’s subatomic building blocks, has been that matter and light, at their most basic levels, exist in multiple states at once. An electron in a hydrogen atom doesn’t have a well-defined position, but rather it exists as a fuzzy cloud around the proton, simultaneously existing everywhere in the cloud. Quantum computing applies that principle to bits (binary digits), the computer’s units of information, which are either in a state of 1 (on, alive) or 0 (off, dead). Your PC performs calculations using 1’s and 0’s, which can be combined to represent other numbers and letters, including those that make up passwords. A quantum computer uses quantum bits (qubits), which are simultaneously positioned as 1’s, 0’s, or a series of muddled states in between, making number crunching—and blasting through passwords—a whole lot easier. A quantum computer could perform some mind-numbingly complex calculations in no time at all. And that would mean that most cybersecurity as we know it could be as permeable as tissue paper.[/quote]
Last edited by MachineGhost on Sun Feb 22, 2015 9:12 am, edited 1 time in total.
"All generous minds have a horror of what are commonly called 'Facts'. They are the brute beasts of the intellectual domain." -- Thomas Hobbes

Disclaimer: I am not a broker, dealer, investment advisor, physician, theologian or prophet.  I should not be considered as legally permitted to render such advice!
fnord123
Executive Member
Executive Member
Posts: 233
Joined: Sun Apr 25, 2010 9:33 pm

Re: Defending Against Hackers of the Future

Post by fnord123 » Sat Feb 21, 2015 9:23 pm

All to many people have weak passwords, or even worse, use the same password for multiple web pages.  The problem with that is a hacker only needs to compromise one and now they have your password for all of them.

In addition to using long upper/lower/number passwords, another option is to use a passphrase made up of normal words (all lower case is fine) as long as it is at least four randomly chosen common words. See XKCD for details. 
User avatar
Mark Leavy
Executive Member
Executive Member
Posts: 1950
Joined: Thu Mar 01, 2012 10:20 pm
Location: US Citizen, Permanent Traveler

Re: Defending Against Hackers of the Future

Post by Mark Leavy » Sat Feb 21, 2015 10:05 pm

Desert wrote: Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
By now, you have should have had more than one relationship.  Perhaps one or more have been memorable?  Memory science has demonstrated that the more personal, pornographic, sensual, visual and audible you can make a memory, the better you will retain it.  Use your imagination.

It's science folks.  Get over it.
User avatar
MachineGhost
Executive Member
Executive Member
Posts: 10054
Joined: Sat Nov 12, 2011 9:31 am

Re: Defending Against Hackers of the Future

Post by MachineGhost » Sat Feb 21, 2015 11:44 pm

A dictionary attack won't guess four random whole words that are in the dictionary?  I'm skeptical.  4^4?
"All generous minds have a horror of what are commonly called 'Facts'. They are the brute beasts of the intellectual domain." -- Thomas Hobbes

Disclaimer: I am not a broker, dealer, investment advisor, physician, theologian or prophet.  I should not be considered as legally permitted to render such advice!
fnord123
Executive Member
Executive Member
Posts: 233
Joined: Sun Apr 25, 2010 9:33 pm

Re: Defending Against Hackers of the Future

Post by fnord123 » Sat Feb 21, 2015 11:59 pm

MachineGhost wrote:A dictionary attack won't guess four random whole words that are in the dictionary?  I'm skeptical.  4^4?
There are a lot of words in the dictionary - the combinations are astronomical.
Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
I have a nice little leather book I write them down in.
You can also use stuff like 1Password.
User avatar
Mountaineer
Executive Member
Executive Member
Posts: 4959
Joined: Tue Feb 07, 2012 10:54 am

Re: Defending Against Hackers of the Future

Post by Mountaineer » Sun Feb 22, 2015 5:38 am

Desert wrote: Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
1Password is the best password manager and complex password generator I've used.  I have previously tried Last Pass and RoboForm.  1Password works with iOS, OS X, Windows.  It does cost money but it is worth every cent in my opinion.  It keeps passwords, credit card info, secure notes, etc.

https://agilebits.com/onepassword

Google for several reviews.

... Mountaineer
DNA has its own language (code), and language requires intelligence. There is no known mechanism by which matter can give birth to information, let alone language. It is unreasonable to believe the world could have happened by chance.
User avatar
dualstow
Executive Member
Executive Member
Posts: 14232
Joined: Wed Oct 27, 2010 10:18 am
Location: synagogue of Satan
Contact:

Re: Defending Against Hackers of the Future

Post by dualstow » Sun Feb 22, 2015 6:53 am

MachineGhost wrote: A dictionary attack won't guess four random whole words that are in the dictionary?  I'm skeptical.  4^4?
I think it would take a very long time.
Sam Bankman-Fried sentenced to 25 years
User avatar
I Shrugged
Executive Member
Executive Member
Posts: 2062
Joined: Tue Dec 18, 2012 6:35 pm

Re: Defending Against Hackers of the Future

Post by I Shrugged » Sun Feb 22, 2015 7:07 am

dualstow wrote:
MachineGhost wrote: A dictionary attack won't guess four random whole words that are in the dictionary?  I'm skeptical.  4^4?
I think it would take a very long time.
Is that because the attacks aren't looking for words, but rather for letters?  Or are there true dictionary attacks being used?  If so, I feel the same way MG does, that should not be so hard. Let's say I'm hoping I'm wrong but I need further convincing.
Stay free, my friends.
User avatar
dualstow
Executive Member
Executive Member
Posts: 14232
Joined: Wed Oct 27, 2010 10:18 am
Location: synagogue of Satan
Contact:

Re: Defending Against Hackers of the Future

Post by dualstow » Sun Feb 22, 2015 8:11 am

I Shrugged wrote: Is that because the attacks aren't looking for words, but rather for letters?  Or are there true dictionary attacks being used?  If so, I feel the same way MG does, that should not be so hard. Let's say I'm hoping I'm wrong but I need further convincing.
I have no doubt that different hackers employ different cracking programs. But you can't search for everything first, if this sentence makes any sense. I think the main point of the XKCD guy's technique is the sheer length of the password.

And if you're worried that hackers are going to spend their time on dictionary word combos first when probably only a small % of the population uses them for passwords, then just misspell each of the four words or add a letter to each. That should still be easy enough.
Sam Bankman-Fried sentenced to 25 years
User avatar
I Shrugged
Executive Member
Executive Member
Posts: 2062
Joined: Tue Dec 18, 2012 6:35 pm

Re: Defending Against Hackers of the Future

Post by I Shrugged » Sun Feb 22, 2015 8:44 am

Do they stick to English dictionaries for American accounts?  Mixing a couple of languages ought to help.
Stay free, my friends.
User avatar
MachineGhost
Executive Member
Executive Member
Posts: 10054
Joined: Sat Nov 12, 2011 9:31 am

Re: Defending Against Hackers of the Future

Post by MachineGhost » Sun Feb 22, 2015 8:58 am

Mountaineer wrote: 1Password is the best password manager and complex password generator I've used.  I have previously tried Last Pass and RoboForm.  1Password works with iOS, OS X, Windows.  It does cost money but it is worth every cent in my opinion.  It keeps passwords, credit card info, secure notes, etc.
Why do you like it better than RoboForm?
"All generous minds have a horror of what are commonly called 'Facts'. They are the brute beasts of the intellectual domain." -- Thomas Hobbes

Disclaimer: I am not a broker, dealer, investment advisor, physician, theologian or prophet.  I should not be considered as legally permitted to render such advice!
User avatar
sixdollars
Full Member
Full Member
Posts: 76
Joined: Sun Jan 18, 2015 10:50 am

Re: Defending Against Hackers of the Future

Post by sixdollars » Sun Feb 22, 2015 9:00 am

Mountaineer wrote:
Desert wrote: Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
1Password is the best password manager and complex password generator I've used.  I have previously tried Last Pass and RoboForm.  1Password works with iOS, OS X, Windows.  It does cost money but it is worth every cent in my opinion.  It keeps passwords, credit card info, secure notes, etc.

https://agilebits.com/onepassword

Google for several reviews.

... Mountaineer
I'm a big fan of good password managers as well.  I've been using KeePass 2 now for a while and like the results.
"There’s nothing wrong with Harry’s portfolio—nothing at all—but there’s everything wrong with his followers, who seem, on average, to chase performance the way dogs chase cars."

-William J. Bernstein
User avatar
dualstow
Executive Member
Executive Member
Posts: 14232
Joined: Wed Oct 27, 2010 10:18 am
Location: synagogue of Satan
Contact:

Re: Defending Against Hackers of the Future

Post by dualstow » Sun Feb 22, 2015 9:01 am

I Shrugged wrote: Do they stick to English dictionaries for American accounts?  Mixing a couple of languages ought to help.
Seems like a good idea if you can remember it easily. I really don't know anything about what they use, except that they have superfast programs that search letter by letter. I wouldn't be suprised if they prefaced that with pet names, "password", select dictionary words, and "123456". I would. It's common sense.

But, after that first dictionary word, I wonder how many people out there are using multiple English words. I feel pretty safe with a nice long password that I can remember.

Honestly, for non-critical sites like yelp, I always forget my password anyway and get a new one whenever I find myself logged out. I don't want those to have anything to do with financial or medical ones, where I put in all my real effort.
Sam Bankman-Fried sentenced to 25 years
User avatar
MachineGhost
Executive Member
Executive Member
Posts: 10054
Joined: Sat Nov 12, 2011 9:31 am

Re: Defending Against Hackers of the Future

Post by MachineGhost » Sun Feb 22, 2015 9:10 am

The implication being that no one uses sentences for passwords, rather just one dictionary word or one short "word" of random upper/lower letters and numbers (and symbols)? 

What really sucks is sites that need high security but don't accept 44 characters or longer.  Especially financial sites.  They all seem relatively weak in their requirements, probably because they don't go one inch beyond Federal mandates.  I love it when they use the last four digits of your SSN or member ID for a username you can't change and restrict your password to 6-8 characters. ::)  Idiots.
Last edited by MachineGhost on Sun Feb 22, 2015 2:33 pm, edited 1 time in total.
"All generous minds have a horror of what are commonly called 'Facts'. They are the brute beasts of the intellectual domain." -- Thomas Hobbes

Disclaimer: I am not a broker, dealer, investment advisor, physician, theologian or prophet.  I should not be considered as legally permitted to render such advice!
User avatar
dualstow
Executive Member
Executive Member
Posts: 14232
Joined: Wed Oct 27, 2010 10:18 am
Location: synagogue of Satan
Contact:

Re: Defending Against Hackers of the Future

Post by dualstow » Sun Feb 22, 2015 10:45 am

I used to use sentences, but only the 1st letter (or 2) of each word.
I guess that's still good for the sites you mentioned (MG above) that don't allow anything very long.

I guess it should be mentioned: when I did have financial info compromised, it was because some third party threw financial records into a dumpster without shredding. I had one of those millions of credit cards that was hacked ~ 2002. Had to run home from a Japanese restaurant to get another card while my wife waited in shame. Now I carry plenty of backups.

Point being, I guess I don't worry too much about this, because there's only so much you can do. If Al Shabaab wants to shoot you in the face at a shopping mall, you're going to get shot in the face. (Anticipating Reub thread on that so I can jump in).
Last edited by dualstow on Sun Feb 22, 2015 10:48 am, edited 1 time in total.
Sam Bankman-Fried sentenced to 25 years
User avatar
madbean
Executive Member
Executive Member
Posts: 193
Joined: Thu Dec 11, 2014 4:58 pm

Re: Defending Against Hackers of the Future

Post by madbean » Sun Feb 22, 2015 10:52 am

A faster computer would only have an advantage over a slower one in mounting a brute force attack. Online websites aren't susceptible to those so I wouldn't worry about a quantum computer being able to guess your online passwords.

If you store all your passwords in a vault on your computer however and a hacker with a quantum computer gets his hands on it that's another story. So I would definitely make sure I had a very strong password on a vault if I was using one. Personally, I have 3 or 4 different passwords that I keep in my head so I won't have to worry until the quantum computer can read my thoughts.

(And on second thought, I would think a good vault program would have built-in resistance to brute force attacks thus rendering a faster computer no better than a slow one. Never looked into this however).
Last edited by madbean on Sun Feb 22, 2015 11:31 am, edited 1 time in total.
User avatar
MachineGhost
Executive Member
Executive Member
Posts: 10054
Joined: Sat Nov 12, 2011 9:31 am

Re: Defending Against Hackers of the Future

Post by MachineGhost » Sun Feb 22, 2015 2:44 pm

MangoMan wrote: I have read in multiple places that a 12 character password of mixed upper and lower case letters plus numbers and symbols would take over 2 days to crack by brute force. Lastpass is my favorite password manager, and with its random password generator and a strong 12+ character master password, unless you are worried about the NSA, no one is going to waste that much time trying to hack you. There are much bigger fish to fry.
With a high end graphics card and a regular PC, you can guess 2.8 million passwords per second.  So a 10-character single-case password would take one day to try 241.92 trillion passwords in totalAnd that was as of four years ago; imagine the speed now on, say, the latest generation NVIDIA Tesla K80.  12 characters isn't going to cut it.  When I want to use a minimum length without the fuss of figuring out what the maximum allowed is when 44 is rejected, I always use 15 and that should be no good after another year or so.

Another real problem here seems to be that the other end is so weak in security that would make brute force attacks like this problematic.  Idiots.

EDIT: 44 characters or 259-bits of password strength would take 2^259 attempts.  That is: 9.263367138985295633885678800695e+77!  By contrast, 10-characters only has 56-bit strength.  That would take only 72.05 quadrillion attempts, or 30 days as of four years ago.  The latest K80 is about twice as fast as the GPU four years ago, so now 15 days and shrinking.

EDIT EDIT: 10-character single-case is only 47-bits strength, so 140,737,488,355,328 attempts.  Also, it only takes about doing 50% of all possible attempts before you get the password.
Last edited by MachineGhost on Sun Feb 22, 2015 3:24 pm, edited 1 time in total.
"All generous minds have a horror of what are commonly called 'Facts'. They are the brute beasts of the intellectual domain." -- Thomas Hobbes

Disclaimer: I am not a broker, dealer, investment advisor, physician, theologian or prophet.  I should not be considered as legally permitted to render such advice!
User avatar
craigr
Administrator
Administrator
Posts: 2540
Joined: Sun Apr 25, 2010 9:26 pm

Re: Defending Against Hackers of the Future

Post by craigr » Sun Feb 22, 2015 3:40 pm

I've been in the computer security industry my entire adult life. It's almost never the case that the crypto is broken that leads to a compromise of a network. It's almost always through things like bad passwords, etc.

Everything people know about picking a password is wrong. I hate seeing so many sites insisting on things like numbers, special characters, etc. in short passwords. You are better off picking a long sentence to use, or a series of several words that aren't related to each other to get some length. Throw in a number or two and the password will be extremely difficult to crack. Yet, most sites limit how long you can make a password and instead insist on these dumb special characters, etc. that make it hard to memorize. I don't understand what is so hard about allowing a 255 character field for a password which is then hashed on the backend to use for password security. The fact that sites limit password length to such short fields shows the developers do not understand the statistics of the problem.

Use of two-factor authentication today makes it even better. If you use Google services for instance, you should definitely enable their two-factor authentication as it would make a fully compromised password much less valuable to an attacker.

Finally, even with a good password there is a ton of malware that steals passwords and credentials today. So you are still at risk. Most crypto is broken with stolen credentials, not breaking the algorithms. This again is mitigated somewhat with two-factor authentication.

This XKCD cartoon nailed the problem years ago about short passwords w/special characters vs. longer easier to remember passwords of random words.

Image
Last edited by craigr on Sun Feb 22, 2015 3:46 pm, edited 1 time in total.
User avatar
Mountaineer
Executive Member
Executive Member
Posts: 4959
Joined: Tue Feb 07, 2012 10:54 am

Re: Defending Against Hackers of the Future

Post by Mountaineer » Sun Feb 22, 2015 4:30 pm

MachineGhost wrote:
Mountaineer wrote: 1Password is the best password manager and complex password generator I've used.  I have previously tried Last Pass and RoboForm.  1Password works with iOS, OS X, Windows.  It does cost money but it is worth every cent in my opinion.  It keeps passwords, credit card info, secure notes, etc.
Why do you like it better than RoboForm?
Cross platform.  I have not used RoboForm for a few of years so maybe it now does cross platform.  I use 1Password on Macbook, iPad, 2 iPhones and 1 old but still functional Windows computer.  Seemless.  Never crashes.  Also, I like the way 1Pwd has several customizable options for logins and other stuff you want to keep secure.  1Pwd also shows "security audit" info that shows age of your passwords, weak passwords, and informs you of security issues with sites that are not secure.  I did like RoboForm also, I used it for several years before I went to the light and got all the Apple hardware.  ;)

... Mountaineer
DNA has its own language (code), and language requires intelligence. There is no known mechanism by which matter can give birth to information, let alone language. It is unreasonable to believe the world could have happened by chance.
Post Reply