Defending Against Hackers of the Future
- MachineGhost
- Executive Member 
- Posts: 10054
- Joined: Sat Nov 12, 2011 9:31 am
Defending Against Hackers of the Future
Reminder: To protect against current and near-future quantum cryptography attacks you MUST use at least 44 uppercase, lowercase and numbers in your password so it is at least 256-bits in strength. Symbols cause too many potential problems on the other end.
[quote=http://www.bloomberg.com/bw/articles/20 ... reproofing]Fully functioning quantum computers don’t exist yet, but a lot of really smart scientists think they soon will. A two-year-old startup’s 12 employees spend their days trying to figure out what to do if the bad guys get there first.
And now, a quick physics lesson. A guiding principle of quantum mechanics, the study of the universe’s subatomic building blocks, has been that matter and light, at their most basic levels, exist in multiple states at once. An electron in a hydrogen atom doesn’t have a well-defined position, but rather it exists as a fuzzy cloud around the proton, simultaneously existing everywhere in the cloud. Quantum computing applies that principle to bits (binary digits), the computer’s units of information, which are either in a state of 1 (on, alive) or 0 (off, dead). Your PC performs calculations using 1’s and 0’s, which can be combined to represent other numbers and letters, including those that make up passwords. A quantum computer uses quantum bits (qubits), which are simultaneously positioned as 1’s, 0’s, or a series of muddled states in between, making number crunching—and blasting through passwords—a whole lot easier. A quantum computer could perform some mind-numbingly complex calculations in no time at all. And that would mean that most cybersecurity as we know it could be as permeable as tissue paper.[/quote]
					Last edited by MachineGhost on Sun Feb 22, 2015 9:12 am, edited 1 time in total.
							"All generous minds have a horror of what are commonly called 'Facts'. They are the brute beasts of the intellectual domain." -- Thomas Hobbes
Disclaimer: I am not a broker, dealer, investment advisor, physician, theologian or prophet. I should not be considered as legally permitted to render such advice!
Re: Defending Against Hackers of the Future
All too many people have weak passwords, or even worse, use the same password for multiple web pages. The problem with that is a hacker only needs to compromise one and now they have your password for all of them.
In addition to using long upper/lower/number passwords, another option is to use a passphrase made up of normal words (all lower case is fine) as long as it is at least four randomly chosen common words. See XKCD for details.
- Mark Leavy
- Executive Member 
- Posts: 1950
- Joined: Thu Mar 01, 2012 10:20 pm
- Location: US Citizen, Permanent Traveler
Re: Defending Against Hackers of the Future
Desert wrote: Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
By now, you should have had more than one relationship. Perhaps one or more have been memorable? Memory science has demonstrated that the more personal, pornographic, sensual, visual and audible you can make a memory, the better you will retain it. Use your imagination.
It's science folks. Get over it.
- MachineGhost
- Executive Member 
- Posts: 10054
- Joined: Sat Nov 12, 2011 9:31 am
Re: Defending Against Hackers of the Future
A dictionary attack won't guess four random whole words that are in the dictionary?  I'm skeptical.  4^4?
Re: Defending Against Hackers of the Future
MachineGhost wrote: A dictionary attack won't guess four random whole words that are in the dictionary? I'm skeptical. 4^4?
There are a lot of words in the dictionary - the combinations are astronomical.
Desert wrote: Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
I have a nice little leather book I write them down in.
You can also use stuff like 1Password.
- Mountaineer
- Executive Member 
- Posts: 5107
- Joined: Tue Feb 07, 2012 10:54 am
Re: Defending Against Hackers of the Future
Desert wrote: Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
1Password is the best password manager and complex password generator I've used. I have previously tried Last Pass and RoboForm. 1Password works with iOS, OS X, Windows. It does cost money but it is worth every cent in my opinion. It keeps passwords, credit card info, secure notes, etc.
https://agilebits.com/onepassword
Google for several reviews.
... Mountaineer
“For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.”
Romans 6:23
- dualstow
- Executive Member 
- Posts: 15529
- Joined: Wed Oct 27, 2010 10:18 am
- Location: searching for the lost Xanadu
- Contact:
Re: Defending Against Hackers of the Future
MachineGhost wrote: A dictionary attack won't guess four random whole words that are in the dictionary? I'm skeptical. 4^4?
I think it would take a very long time.
Gold is savings
- I Shrugged
- Executive Member 
- Posts: 2200
- Joined: Tue Dec 18, 2012 6:35 pm
Re: Defending Against Hackers of the Future
MachineGhost wrote: A dictionary attack won't guess four random whole words that are in the dictionary? I'm skeptical. 4^4?
dualstow wrote: I think it would take a very long time.
Is that because the attacks aren't looking for words, but rather for letters? Or are there true dictionary attacks being used? If so, I feel the same way MG does, that should not be so hard. Let's say I'm hoping I'm wrong but I need further convincing.
Stay free, my friends.
- dualstow
- Executive Member 
- Posts: 15529
- Joined: Wed Oct 27, 2010 10:18 am
- Location: searching for the lost Xanadu
- Contact:
Re: Defending Against Hackers of the Future
I Shrugged wrote: Is that because the attacks aren't looking for words, but rather for letters? Or are there true dictionary attacks being used? If so, I feel the same way MG does, that should not be so hard. Let's say I'm hoping I'm wrong but I need further convincing.
I have no doubt that different hackers employ different cracking programs. But you can't search for everything first, if this sentence makes any sense. I think the main point of the XKCD guy's technique is the sheer length of the password.
And if you're worried that hackers are going to spend their time on dictionary word combos first when probably only a small % of the population uses them for passwords, then just misspell each of the four words or add a letter to each. That should still be easy enough.
- I Shrugged
- Executive Member 
- Posts: 2200
- Joined: Tue Dec 18, 2012 6:35 pm
Re: Defending Against Hackers of the Future
Do they stick to English dictionaries for American accounts?  Mixing a couple of languages ought to help.
- MachineGhost
- Executive Member 
- Posts: 10054
- Joined: Sat Nov 12, 2011 9:31 am
Re: Defending Against Hackers of the Future
Mountaineer wrote: 1Password is the best password manager and complex password generator I've used. I have previously tried Last Pass and RoboForm. 1Password works with iOS, OS X, Windows. It does cost money but it is worth every cent in my opinion. It keeps passwords, credit card info, secure notes, etc.
Why do you like it better than RoboForm?
- sixdollars
- Full Member 
- Posts: 76
- Joined: Sun Jan 18, 2015 10:50 am
Re: Defending Against Hackers of the Future
Desert wrote: Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
Mountaineer wrote: 1Password is the best password manager and complex password generator I've used. I have previously tried Last Pass and RoboForm. 1Password works with iOS, OS X, Windows. It does cost money but it is worth every cent in my opinion. It keeps passwords, credit card info, secure notes, etc.
https://agilebits.com/onepassword
Google for several reviews.
... Mountaineer
I'm a big fan of good password managers as well. I've been using KeePass 2 now for a while and like the results.
"There’s nothing wrong with Harry’s portfolio—nothing at all—but there’s everything wrong with his followers, who seem, on average, to chase performance the way dogs chase cars." 
-William J. Bernstein
- dualstow
- Executive Member 
- Posts: 15529
- Joined: Wed Oct 27, 2010 10:18 am
- Location: searching for the lost Xanadu
- Contact:
Re: Defending Against Hackers of the Future
I Shrugged wrote: Do they stick to English dictionaries for American accounts? Mixing a couple of languages ought to help.
Seems like a good idea if you can remember it easily. I really don't know anything about what they use, except that they have superfast programs that search letter by letter. I wouldn't be surprised if they prefaced that with pet names, "password", select dictionary words, and "123456". I would. It's common sense.
But, after that first dictionary word, I wonder how many people out there are using multiple English words. I feel pretty safe with a nice long password that I can remember.
Honestly, for non-critical sites like yelp, I always forget my password anyway and get a new one whenever I find myself logged out. I don't want those to have anything to do with financial or medical ones, where I put in all my real effort.
- MachineGhost
- Executive Member 
- Posts: 10054
- Joined: Sat Nov 12, 2011 9:31 am
Re: Defending Against Hackers of the Future
The implication being that no one uses sentences for passwords, rather just one dictionary word or one short "word" of random upper/lower letters and numbers (and symbols)?  
What really sucks is sites that need high security but don't accept 44 characters or longer. Especially financial sites. They all seem relatively weak in their requirements, probably because they don't go one inch beyond Federal mandates. I love it when they use the last four digits of your SSN or member ID for a username you can't change and restrict your password to 6-8 characters. Idiots.
					Last edited by MachineGhost on Sun Feb 22, 2015 2:33 pm, edited 1 time in total.
- dualstow
- Executive Member 
- Posts: 15529
- Joined: Wed Oct 27, 2010 10:18 am
- Location: searching for the lost Xanadu
- Contact:
Re: Defending Against Hackers of the Future
I used to use sentences, but only the 1st letter (or 2) of each word.
I guess that's still good for the sites you mentioned (MG above) that don't allow anything very long.
I guess it should be mentioned: when I did have financial info compromised, it was because some third party threw financial records into a dumpster without shredding. I had one of those millions of credit cards that was hacked ~ 2002. Had to run home from a Japanese restaurant to get another card while my wife waited in shame. Now I carry plenty of backups.
Point being, I guess I don't worry too much about this, because there's only so much you can do. If Al Shabaab wants to shoot you in the face at a shopping mall, you're going to get shot in the face. (Anticipating Reub thread on that so I can jump in).
					Last edited by dualstow on Sun Feb 22, 2015 10:48 am, edited 1 time in total.
Re: Defending Against Hackers of the Future
A faster computer would only have an advantage over a slower one in mounting a brute force attack. Online websites aren't susceptible to those so I wouldn't worry about a quantum computer being able to guess your online passwords.
If you store all your passwords in a vault on your computer however and a hacker with a quantum computer gets his hands on it that's another story. So I would definitely make sure I had a very strong password on a vault if I was using one. Personally, I have 3 or 4 different passwords that I keep in my head so I won't have to worry until the quantum computer can read my thoughts.
(And on second thought, I would think a good vault program would have built-in resistance to brute force attacks thus rendering a faster computer no better than a slow one. Never looked into this however).
					Last edited by madbean on Sun Feb 22, 2015 11:31 am, edited 1 time in total.
- MachineGhost
- Executive Member 
- Posts: 10054
- Joined: Sat Nov 12, 2011 9:31 am
Re: Defending Against Hackers of the Future
MangoMan wrote: I have read in multiple places that a 12 character password of mixed upper and lower case letters plus numbers and symbols would take over 2 days to crack by brute force. Lastpass is my favorite password manager, and with its random password generator and a strong 12+ character master password, unless you are worried about the NSA, no one is going to waste that much time trying to hack you. There are much bigger fish to fry.
With a high end graphics card and a regular PC, you can guess 2.8 million passwords per second. So a 10-character single-case password would take one day to try 241.92 trillion passwords in total. And that was as of four years ago; imagine the speed now on, say, the latest generation NVIDIA Tesla K80. 12 characters isn't going to cut it. When I want to use a minimum length without the fuss of figuring out what the maximum allowed is when 44 is rejected, I always use 15 and that should be no good after another year or so.
Another real problem here seems to be that the other end is so weak in security that would make brute force attacks like this problematic. Idiots.
EDIT: 44 characters or 259-bits of password strength would take 2^259 attempts. That is: 9.263367138985295633885678800695e+77! By contrast, 10-characters only has 56-bit strength. That would take only 72.05 quadrillion attempts, or 30 days as of four years ago. The latest K80 is about twice as fast as the GPU four years ago, so now 15 days and shrinking.
EDIT EDIT: 10-character single-case is only 47-bits strength, so 140,737,488,355,328 attempts. Also, it only takes about doing 50% of all possible attempts before you get the password.
					Last edited by MachineGhost on Sun Feb 22, 2015 3:24 pm, edited 1 time in total.
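The entropy arithmetic behind the whole thread (MachineGhost's bit counts above, and the earlier argument over whether four random dictionary words survive a dictionary attack) worked through in code. This is an added example, not anything posted in the thread; the 2.8 million guesses/second rate is taken from the post above and treated as an assumed benchmark, and the 2048- and 7776-word list sizes are assumptions about the passphrase method, not figures from the thread.

```python
import math

# Assumed offline guess rate, taken from the figure quoted in the thread for one
# high-end GPU circa 2011. A benchmark parameter for the example, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 2.8e6

# Alphabet and dictionary sizes for the schemes the thread argues about.
SINGLE_CASE = 26          # a-z
MIXED_CASE_DIGITS = 62    # a-z, A-Z, 0-9
XKCD_WORDLIST = 2048      # assumed: 11 bits per word, the list size behind the XKCD comic
DICEWARE_WORDLIST = 7776  # assumed: 6^5 words, a common passphrase list size


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from the alphabet.

    Best case only: it assumes a random generator rather than a human-chosen
    string, and an attacker who knows the alphabet but nothing else.
    """
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words chosen uniformly from a known dictionary.

    A dictionary attack that knows the list and the word count has exactly
    dictionary_size ** word_count candidates, so the list does not need to be
    secret; the randomness of the choice and the word count carry the strength.
    """
    return word_count * math.log2(dictionary_size)


def expected_guesses(bits: float) -> float:
    """Average guesses before success: half the keyspace, as the thread notes."""
    return 2.0 ** bits / 2.0


def seconds_to_crack(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected wall-clock time for an offline brute-force search at the given rate."""
    return expected_guesses(bits) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Coarse, readable duration; one decimal is all the precision these estimates deserve."""
    years = seconds / (365.25 * 86400)
    if years >= 1e9:
        return f"{years:.2e} years"
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare_schemes(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Bits of entropy and expected crack time for each scheme discussed in the thread."""
    schemes = {
        "10 chars, single case, random": charset_entropy_bits(10, SINGLE_CASE),
        "12 chars, mixed case + digits, random": charset_entropy_bits(12, MIXED_CASE_DIGITS),
        "44 chars, mixed case + digits, random": charset_entropy_bits(44, MIXED_CASE_DIGITS),
        "4 random words from a 2048-word list": passphrase_entropy_bits(4, XKCD_WORDLIST),
        "6 random words from a 7776-word list": passphrase_entropy_bits(6, DICEWARE_WORDLIST),
    }
    return {name: (round(bits, 1), human_duration(seconds_to_crack(bits, guesses_per_second)))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, eta) in compare_schemes().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{eta}")
```

Doubling the guess rate (the "twice as fast" GPU in the post) removes exactly one bit, which is why length and randomness dominate hardware speed in these estimates.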
Re: Defending Against Hackers of the Future
I've been in the computer security industry my entire adult life. It's almost never the case that the crypto is broken that leads to a compromise of a network. It's almost always through things like bad passwords, etc. 
Everything people know about picking a password is wrong. I hate seeing so many sites insisting on things like numbers, special characters, etc. in short passwords. You are better off picking a long sentence to use, or a series of several words that aren't related to each other to get some length. Throw in a number or two and the password will be extremely difficult to crack. Yet, most sites limit how long you can make a password and instead insist on these dumb special characters, etc. that make it hard to memorize. I don't understand what is so hard about allowing a 255 character field for a password which is then hashed on the backend to use for password security. The fact that sites limit password length to such short fields shows the developers do not understand the statistics of the problem.
Use of two-factor authentication today makes it even better. If you use Google services for instance, you should definitely enable their two-factor authentication as it would make a fully compromised password much less valuable to an attacker.
Finally, even with a good password there is a ton of malware that steals passwords and credentials today. So you are still at risk. Most crypto is broken with stolen credentials, not breaking the algorithms. This again is mitigated somewhat with two-factor authentication.
This XKCD cartoon nailed the problem years ago about short passwords w/special characters vs. longer easier to remember passwords of random words.

					Last edited by craigr on Sun Feb 22, 2015 3:46 pm, edited 1 time in total.
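An added example (not craigr's code, nor any site's implementation) of the backend he describes: accept the 255-character field and store only a salted PBKDF2 verifier, so a long passphrase costs the server nothing extra and every character of it counts. The record format and iteration count are choices made for this example; the iteration count is also the "built-in resistance to brute force" madbean wondered about above, since each offline guess has to repeat the same work.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example. A deployment tunes iterations to its own
# hardware and raises them over time as attacker hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MAX_PASSWORD_CHARS = 255  # the field size the post asks for; hashing makes it cheap to allow


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a storable verifier from a password of any length up to the field limit.

    Record format (constructed for this example):
        pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    The record never contains the password, and a 6-character and a
    255-character password produce the same fixed-size digest.
    """
    if not 1 <= len(password) <= MAX_PASSWORD_CHARS:
        raise ValueError(f"password must be 1..{MAX_PASSWORD_CHARS} characters")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and iterations; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or not 1 <= len(password) <= MAX_PASSWORD_CHARS:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def effective_guess_rate(raw_sha256_per_second: float, iterations: int) -> float:
    """Offline guesses per second against a record: the KDF divides the raw hash rate."""
    return raw_sha256_per_second / iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("correct horse battery stapl", record))    # False
    # A 1e9 SHA-256/s attacker manages only ~1,667 guesses/s against 600k iterations.
    print(effective_guess_rate(1e9, PBKDF2_ITERATIONS))
```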
- Mountaineer
- Executive Member 
- Posts: 5107
- Joined: Tue Feb 07, 2012 10:54 am
Re: Defending Against Hackers of the Future
Mountaineer wrote: 1Password is the best password manager and complex password generator I've used. I have previously tried Last Pass and RoboForm. 1Password works with iOS, OS X, Windows. It does cost money but it is worth every cent in my opinion. It keeps passwords, credit card info, secure notes, etc.
MachineGhost wrote: Why do you like it better than RoboForm?
Cross platform. I have not used RoboForm for a few years so maybe it now does cross platform. I use 1Password on Macbook, iPad, 2 iPhones and 1 old but still functional Windows computer. Seamless. Never crashes. Also, I like the way 1Pwd has several customizable options for logins and other stuff you want to keep secure. 1Pwd also shows "security audit" info that shows age of your passwords, weak passwords, and informs you of security issues with sites that are not secure. I did like RoboForm also, I used it for several years before I went to the light and got all the Apple hardware.