
Defending Against Hackers of the Future

Posted: Sat Feb 21, 2015 2:56 pm
by MachineGhost
Reminder: To protect against current and near-future quantum cryptography attacks you MUST use at least 44 uppercase, lowercase and numbers in your password so it is at least 256-bits in strength.  Symbols cause too many potential problems on the other end.

[quote=http://www.bloomberg.com/bw/articles/20 ... reproofing]Fully functioning quantum computers don’t exist yet, but a lot of really smart scientists think they soon will. A two-year-old startup’s 12 employees spend their days trying to figure out what to do if the bad guys get there first.

And now, a quick physics lesson. A guiding principle of quantum mechanics, the study of the universe’s subatomic building blocks, has been that matter and light, at their most basic levels, exist in multiple states at once. An electron in a hydrogen atom doesn’t have a well-defined position, but rather it exists as a fuzzy cloud around the proton, simultaneously existing everywhere in the cloud. Quantum computing applies that principle to bits (binary digits), the computer’s units of information, which are either in a state of 1 (on, alive) or 0 (off, dead). Your PC performs calculations using 1’s and 0’s, which can be combined to represent other numbers and letters, including those that make up passwords. A quantum computer uses quantum bits (qubits), which are simultaneously positioned as 1’s, 0’s, or a series of muddled states in between, making number crunching—and blasting through passwords—a whole lot easier. A quantum computer could perform some mind-numbingly complex calculations in no time at all. And that would mean that most cybersecurity as we know it could be as permeable as tissue paper.[/quote]

Re: Defending Against Hackers of the Future

Posted: Sat Feb 21, 2015 9:23 pm
by fnord123
All too many people have weak passwords, or even worse, use the same password for multiple web pages.  The problem with that is a hacker only needs to compromise one and now they have your password for all of them.

In addition to using long upper/lower/number passwords, another option is to use a passphrase made up of normal words (all lower case is fine) as long as it is at least four randomly chosen common words. See XKCD for details. 

Re: Defending Against Hackers of the Future

Posted: Sat Feb 21, 2015 10:05 pm
by Mark Leavy
Desert wrote: Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
By now, you should have had more than one relationship.  Perhaps one or more have been memorable?  Memory science has demonstrated that the more personal, pornographic, sensual, visual and audible you can make a memory, the better you will retain it.  Use your imagination.

It's science folks.  Get over it.

Re: Defending Against Hackers of the Future

Posted: Sat Feb 21, 2015 11:44 pm
by MachineGhost
A dictionary attack won't guess four random whole words that are in the dictionary?  I'm skeptical.  4^4?

Re: Defending Against Hackers of the Future

Posted: Sat Feb 21, 2015 11:59 pm
by fnord123
MachineGhost wrote: A dictionary attack won't guess four random whole words that are in the dictionary?  I'm skeptical.  4^4?
There are a lot of words in the dictionary - the combinations are astronomical.
Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
I have a nice little leather book I write them down in.
You can also use stuff like 1Password.

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 5:38 am
by Mountaineer
Desert wrote: Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
1Password is the best password manager and complex password generator I've used.  I have previously tried Last Pass and RoboForm.  1Password works with iOS, OS X, Windows.  It does cost money but it is worth every cent in my opinion.  It keeps passwords, credit card info, secure notes, etc.

https://agilebits.com/onepassword

Google for several reviews.

... Mountaineer

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 6:53 am
by dualstow
MachineGhost wrote: A dictionary attack won't guess four random whole words that are in the dictionary?  I'm skeptical.  4^4?
I think it would take a very long time.

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 7:07 am
by I Shrugged
dualstow wrote:
MachineGhost wrote: A dictionary attack won't guess four random whole words that are in the dictionary?  I'm skeptical.  4^4?
I think it would take a very long time.
Is that because the attacks aren't looking for words, but rather for letters?  Or are there true dictionary attacks being used?  If so, I feel the same way MG does, that should not be so hard. Let's say I'm hoping I'm wrong but I need further convincing.

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 8:11 am
by dualstow
I Shrugged wrote: Is that because the attacks aren't looking for words, but rather for letters?  Or are there true dictionary attacks being used?  If so, I feel the same way MG does, that should not be so hard. Let's say I'm hoping I'm wrong but I need further convincing.
I have no doubt that different hackers employ different cracking programs. But you can't search for everything first, if this sentence makes any sense. I think the main point of the XKCD guy's technique is the sheer length of the password.

And if you're worried that hackers are going to spend their time on dictionary word combos first when probably only a small % of the population uses them for passwords, then just misspell each of the four words or add a letter to each. That should still be easy enough.

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 8:44 am
by I Shrugged
Do they stick to English dictionaries for American accounts?  Mixing a couple of languages ought to help.

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 8:58 am
by MachineGhost
Mountaineer wrote: 1Password is the best password manager and complex password generator I've used.  I have previously tried Last Pass and RoboForm.  1Password works with iOS, OS X, Windows.  It does cost money but it is worth every cent in my opinion.  It keeps passwords, credit card info, secure notes, etc.
Why do you like it better than RoboForm?

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 9:00 am
by sixdollars
Mountaineer wrote:
Desert wrote: Maybe a silly question, but how do you keep track of all these unique, complex passwords for your various accounts?
1Password is the best password manager and complex password generator I've used.  I have previously tried Last Pass and RoboForm.  1Password works with iOS, OS X, Windows.  It does cost money but it is worth every cent in my opinion.  It keeps passwords, credit card info, secure notes, etc.

https://agilebits.com/onepassword

Google for several reviews.

... Mountaineer
I'm a big fan of good password managers as well.  I've been using KeePass 2 now for a while and like the results.

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 9:01 am
by dualstow
I Shrugged wrote: Do they stick to English dictionaries for American accounts?  Mixing a couple of languages ought to help.
Seems like a good idea if you can remember it easily. I really don't know anything about what they use, except that they have superfast programs that search letter by letter. I wouldn't be surprised if they prefaced that with pet names, "password", select dictionary words, and "123456". I would. It's common sense.

But, after that first dictionary word, I wonder how many people out there are using multiple English words. I feel pretty safe with a nice long password that I can remember.

Honestly, for non-critical sites like yelp, I always forget my password anyway and get a new one whenever I find myself logged out. I don't want those to have anything to do with financial or medical ones, where I put in all my real effort.

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 9:10 am
by MachineGhost
The implication being that no one uses sentences for passwords, rather just one dictionary word or one short "word" of random upper/lower letters and numbers (and symbols)? 

What really sucks is sites that need high security but don't accept 44 characters or longer.  Especially financial sites.  They all seem relatively weak in their requirements, probably because they don't go one inch beyond Federal mandates.  I love it when they use the last four digits of your SSN or member ID for a username you can't change and restrict your password to 6-8 characters. ::)  Idiots.

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 10:45 am
by dualstow
I used to use sentences, but only the 1st letter (or 2) of each word.
I guess that's still good for the sites you mentioned (MG above) that don't allow anything very long.

I guess it should be mentioned: when I did have financial info compromised, it was because some third party threw financial records into a dumpster without shredding. I had one of those millions of credit cards that was hacked ~ 2002. Had to run home from a Japanese restaurant to get another card while my wife waited in shame. Now I carry plenty of backups.

Point being, I guess I don't worry too much about this, because there's only so much you can do. If Al Shabaab wants to shoot you in the face at a shopping mall, you're going to get shot in the face. (Anticipating Reub thread on that so I can jump in).

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 10:52 am
by madbean
A faster computer would only have an advantage over a slower one in mounting a brute force attack. Online websites aren't susceptible to those so I wouldn't worry about a quantum computer being able to guess your online passwords.

If you store all your passwords in a vault on your computer however and a hacker with a quantum computer gets his hands on it that's another story. So I would definitely make sure I had a very strong password on a vault if I was using one. Personally, I have 3 or 4 different passwords that I keep in my head so I won't have to worry until the quantum computer can read my thoughts.

(And on second thought, I would think a good vault program would have built-in resistance to brute force attacks thus rendering a faster computer no better than a slow one. Never looked into this however).

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 2:44 pm
by MachineGhost
MangoMan wrote: I have read in multiple places that a 12 character password of mixed upper and lower case letters plus numbers and symbols would take over 2 days to crack by brute force. Lastpass is my favorite password manager, and with its random password generator and a strong 12+ character master password, unless you are worried about the NSA, no one is going to waste that much time trying to hack you. There are much bigger fish to fry.
With a high end graphics card and a regular PC, you can guess 2.8 million passwords per second.  So a 10-character single-case password would take one day to try 241.92 trillion passwords in total. And that was as of four years ago; imagine the speed now on, say, the latest generation NVIDIA Tesla K80.  12 characters isn't going to cut it.  When I want to use a minimum length without the fuss of figuring out what the maximum allowed is when 44 is rejected, I always use 15 and that should be no good after another year or so.

Another real problem here seems to be that the other end is so weak in security that it would make brute force attacks like this problematic.  Idiots.

EDIT: 44 characters or 259-bits of password strength would take 2^259 attempts.  That is: 9.263367138985295633885678800695e+77!  By contrast, 10-characters only has 56-bit strength.  That would take only 72.05 quadrillion attempts, or 30 days as of four years ago.  The latest K80 is about twice as fast as the GPU four years ago, so now 15 days and shrinking.

EDIT EDIT: 10-character single-case is only 47-bits strength, so 140,737,488,355,328 attempts.  Also, it only takes about doing 50% of all possible attempts before you get the password.
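
As an added example (not written by any poster in this thread), a small calculator that puts the two schemes argued over here side by side: the character-class passwords MachineGhost works out above and the four-random-words passphrase fnord123 recommends, all at the 2.8 million guesses/second rate quoted in this post. The dictionary sizes are assumptions; 7776 is the size of the standard Diceware word list.

```python
import math

# Added example, not from the thread. The guess rate is the figure quoted
# above (2.8 million/s on a GPU four years before 2015); the alphabet and
# dictionary sizes below are constructed/assumed (7776 = Diceware list).
GUESSES_PER_SECOND = 2.8e6
SECONDS_PER_DAY = 86400

def keyspace(length, alphabet_size):
    """Number of distinct secrets of `length` symbols drawn uniformly at
    random from `alphabet_size` symbols (characters or whole words)."""
    return alphabet_size ** length

def entropy_bits(length, alphabet_size):
    """Strength in bits; each extra bit doubles the attacker's work."""
    return math.log2(keyspace(length, alphabet_size))

def expected_guesses(length, alphabet_size):
    """Average guesses before success: half the keyspace, as noted above."""
    return keyspace(length, alphabet_size) // 2

def expected_days(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Mean time to crack at `rate` guesses per second, in days."""
    return expected_guesses(length, alphabet_size) / rate / SECONDS_PER_DAY

def compare(candidates, rate=GUESSES_PER_SECOND):
    """Return (label, bits, days) for each (label, length, alphabet_size),
    weakest first, so char-based and word-based schemes line up."""
    rows = [(label, entropy_bits(n, a), expected_days(n, a, rate))
            for label, n, a in candidates]
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    candidates = [
        ("10 chars, lowercase only", 10, 26),
        ("12 chars, upper+lower+digits+symbols", 12, 95),
        ("15 chars, upper+lower+digits", 15, 62),
        ("44 chars, upper+lower+digits", 44, 62),
        ("4 words from a 4-word list (the 4^4 case)", 4, 4),
        ("4 words from 2048 common words", 4, 2048),
        ("4 words from the 7776-word Diceware list", 4, 7776),
    ]
    for label, bits, days in compare(candidates):
        print(f"{label:45s} {bits:7.1f} bits  {days:12.3g} days")
```

Note that the guess rate only scales the time linearly (a GPU twice as fast halves it), while each added character or word multiplies it by the alphabet size, which is why length wins the argument in this thread.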

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 3:40 pm
by craigr
I've been in the computer security industry my entire adult life. It's almost never the case that the crypto is broken that leads to a compromise of a network. It's almost always through things like bad passwords, etc.

Everything people know about picking a password is wrong. I hate seeing so many sites insisting on things like numbers, special characters, etc. in short passwords. You are better off picking a long sentence to use, or a series of several words that aren't related to each other to get some length. Throw in a number or two and the password will be extremely difficult to crack. Yet, most sites limit how long you can make a password and instead insist on these dumb special characters, etc. that make it hard to memorize. I don't understand what is so hard about allowing a 255 character field for a password which is then hashed on the backend to use for password security. The fact that sites limit password length to such short fields shows the developers do not understand the statistics of the problem.

Use of two-factor authentication today makes it even better. If you use Google services for instance, you should definitely enable their two-factor authentication as it would make a fully compromised password much less valuable to an attacker.

Finally, even with a good password there is a ton of malware that steals passwords and credentials today. So you are still at risk. Most crypto is broken with stolen credentials, not breaking the algorithms. This again is mitigated somewhat with two-factor authentication.

This XKCD cartoon nailed the problem years ago about short passwords w/special characters vs. longer easier to remember passwords of random words.

[image: XKCD password strength cartoon]

Re: Defending Against Hackers of the Future

Posted: Sun Feb 22, 2015 4:30 pm
by Mountaineer
MachineGhost wrote:
Mountaineer wrote: 1Password is the best password manager and complex password generator I've used.  I have previously tried Last Pass and RoboForm.  1Password works with iOS, OS X, Windows.  It does cost money but it is worth every cent in my opinion.  It keeps passwords, credit card info, secure notes, etc.
Why do you like it better than RoboForm?
Cross platform.  I have not used RoboForm for a few years so maybe it now does cross platform.  I use 1Password on Macbook, iPad, 2 iPhones and 1 old but still functional Windows computer.  Seamless.  Never crashes.  Also, I like the way 1Pwd has several customizable options for logins and other stuff you want to keep secure.  1Pwd also shows "security audit" info that shows age of your passwords, weak passwords, and informs you of security issues with sites that are not secure.  I did like RoboForm also, I used it for several years before I went to the light and got all the Apple hardware.  ;)

... Mountaineer