Silk Road forums
Discussion => Security => Topic started by: yaosh on January 27, 2012, 07:37 am
-
Sure, there are many elite hackers out there who can steal your information with nothing but a spork and a condom... But these aren't the people to worry about since they are all busy building CNC robots and 3D printers. What you DO need to worry about is the other 99% who are running amok on the internet trying to scam anyone who isn't paying attention. "Do I need to learn to be a hacker to protect myself?" No. It would definitely help, but no. Try visiting hackforums.net and read everything. These guys are known as Skids (script kiddies) and are the lowest scum of the hacker world, completely retarded and incompetent but they manage to steal shit every day. They represent the 99% who couldn't hack out of a wet paper bag with a chainsaw and a manual, and what they do is what you need to be worried about. Obviously, you should also worry about LEO activities, but these dipshits are the ones who will driveby infect your computer via Java and steal your passwords and shit. As for LEO, they don't have Neo sitting in a dark NSA lab hacking the interwebz with his nutsack, they have guys at the local field office who can barely manage a PowerPoint presentation who took 80 hours of training on some overpriced tool designed by a third party contractor to exploit common weaknesses. Their enemies are full disk encryption, fully powered down RAM which has been kept warm for a bit by the heat inside your case, IronKey USB devices, and multifactor authentication. Multifactor authentication refers to having more than one thing needed to access something. Namely, they are 1) something you have 2) something you know 3) something you are. This could be a password, a yubikey or smartcard, and a biometric key. Forget biometrics, as they are basically glorified password entry tools which are generally full of vulnerabilities and you can be compelled by law to grant access this way. passwords and tokens are the way to go. A token can be confiscated and used by LEOs, but if you use a secure smartcard, you can simply enter your pin wrong 3 times and permanently kill it. This happens to US Army soldiers with their ID cards all the damned time. They never use their pin, forget it, enter it wrong, and then they have to have a new one activated. They can force you to type in numbers, they can't force you to type the right ones.
Now passwords... Password cracking is something you should understand so you know how to select one that doesn't suck. Passwords in most cases are stored as hashes, essentially one-way encrypted copies. You type password, its hashed, if the hash of the entered password for login matches the stored hash, then access is granted. The most common method of discovering hashed passwords is by collision. You generate billions of random strings, words from dictionaries in various combinations and variations, etc... and compare the hashes for a match. This is called brute force, and dictionary attacks respectively. How long it takes is calculated by a formula incorporating several variables. character_set^length/(combinations per second) = time to crack. Example, a password of 7 lower case alpha characters in English offers 26 letters to the power of 7, 26^7. That's only 8,031,810,176 possible passwords. At 1M passwords per minute, it will take about 5.5 days to crack. Now assume we use lower case (26), upper case (26), numbers(10), and special characters(32 printable in ascii). We now have 26+26+10+32=94 characters. 94^7=64,847,759,419,264 or 64 trillion combinations, taking over 123 years to crack. Say you extend this to 12 characters in length, then it takes 905,480,051,016.464 years to crack. Yeah... not gonna happen. BUT: say those 12 characters contained 11 which belong to words in a dictionary "fuckth3pigs" (yes, th3 will be in any good dictionary list)... Say dictionary attacks, being far less cpu intensive, can run 200 million/minute. Now we can crack the first 11 characters in only a few minutes, and the final character can be brute forced in 0.000094 seconds. But how can you remember some 12 character random ass password? First, don't fucking write it down or save it anywhere... there's a trick for this. Take a phrase which is very memorable, take the first character of each word, any punctuation, numbers, etc. and combine them. "Back when I was five, I loved eating fried bacon!" now becomes "BwIw5,Ilefb!". just type the sentence out like normal but omit the letters not used. Now you have one random assed upper, lower, numeric, special character password you can't forget.
Do NOT use the same password in more than one place... You don't know how it is being stored or may be compromised. If you use your new uberleet password on some forum and on your SR account, some skid might exploit the forum software to get your password in plaintext, type in your forum username and plaintext password on SR and pwn your account. Pick different ones, and if you HAVE to remind yourself what they are, you can use vague reminders for the phrases like "Favorite food" to remember. "Favorite food" doesn't give anyone a fucking clue that your password is BwIw5,Ilefb!
Food for thought.
yaosh
-
Take a phrase which is very memorable, take the first character of each word, any punctuation, numbers, etc. and combine them. "Back when I was five, I loved eating fried bacon!" now becomes "BwIw5,Ilefb!". just type the sentence out like normal but omit the letters not used. Now you have one random assed upper, lower, numeric, special character password you can't forget.
You do realize that "Back when I was 5, I loved eating fried Bacon!" is stronger than BwIw5,Ilefb!, right ? ;)
http://howsecureismypassword.net/
BUT: say those 12 characters contained 11 which belong to words in a dictionary "fuckth3pigs" (yes, th3 will be in any good dictionary list)... Say dictionary attacks, being far less cpu intensive, can run 200 million/minute. Now we can crack the first 11 characters in only a few minutes, and the final character can be brute forced in 0.000094 seconds.
I'm pretty sure Steve Gibson said this was a myth. The password is either right or wrong. There are no 12 fields and cracking them one by one. All 12 or nothing meaning dictionary attack works only if the whole password is in the database not just 90% of it.
if you use a secure smartcard, you can simply enter your pin wrong 3 times and permanently kill it.
Do you have any links for this ? Sounds very interesting.
-
You do realize that "Back when I was 5, I loved eating fried Bacon!" is stronger than BwIw5,Ilefb!, right ? ;)
http://howsecureismypassword.net/
No, it is not. I'm speaking from 17 years experience, not some lame website.
I'm pretty sure Steve Gibson said this was a myth. The password is either right or wrong. There are no 12 fields and cracking them one by one. All 12 or nothing meaning dictionary attack works only if the whole password is in the database not just 90% of it.
In common approaches to combined brute force and mutated dictionary attacks, such as in cracking MD5 hashes, this is not true. Review the source code for "John the Ripper" and other open source applications for further information.
Do you have any links for this ? Sounds very interesting.
GEMPLUS cards issued by the US DoD as well as other solutions have onboard microprocessors with fuses which can be blown internally to prevent data access in the event of tampering or suspected brute force attacks.
-
You do realize that "Back when I was 5, I loved eating fried Bacon!" is stronger than BwIw5,Ilefb!, right ? ;)
http://howsecureismypassword.net/
No, it is not. I'm speaking from 17 years experience, not some lame website.
OK, can you back up your claim that "Back when I was 5, I loved eating fried Bacon!" is easier to crack than BwIw5,Ilefb! with any explanation ? Because your initial one, character_set^length/(combinations per second) = time to crack, shows that my version is superior.
Or are you implying brute force ", dictionary Back, brute force space, dictionary back, etc ? Actually can you run both passwords in a brute forcing program and share the results ? It would be a great thing to see.
http://security.stackexchange.com/questions/2687/how-reliable-is-a-password-strength-checker/2693#2693
http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase
http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so#2779020
GEMPLUS cards issued by the US DoD as well as other solutions have onboard microprocessors with fuses which can be blown internally to prevent data access in the event of tampering or suspected brute force attacks.
I was hoping for actual product links in the cards case since self destruction cards would come very handy for some people in this community. Or is this DoD only ?