mytigio Posted August 5, 2016 Share Posted August 5, 2016 In response to post #41135935. jackienspy wrote: Let me see if i've gotten this right. If i've changed my password here on Nexus after the breach(i joined in 2012) and befor they decrypted the infomation, i'm in the clear? Or am i still in danger if anyother sites i use has the same password as i used here on Nexus befor the breach? If any of those is the case, then i've little to worry about, as the important sites and servies all have different passwords and are only used on that site and nowhere else.If you used the password that is in the decrypted database anywhere else, you should go change it in those other places.You should get a password manager so that you can make secure, unique passwords for each website without having to try and remember them all. Link to comment Share on other sites More sharing options...
erelde Posted August 5, 2016 Share Posted August 5, 2016 (edited) In response to post #41097055. #41098705, #41108050, #41131275, #41131535 are all replies on the same post.MikhailScott wrote: The EASIEST way to make a password is to use a format like the following word_number(4 or more digits) this what my bank requires for their passwords A good example would be Spot_1976. Pick something like your Grandmothers cats name an underscore and then the year of an important personal eventxbon wrote: lmao... no. a good way to make a password is randomize letters and numbers + special characters and longest string possible. hae9dUve&eD for example.jesusristus wrote: ...hae9dUve&eD...Too short.garbalen wrote: That's a good way to pick a username, but not at all a secure password. Search for "strong password generator" and bump it up to around 32 characters and store it with KeePass, a free/open source password manager. garbalen wrote: Got me looking at KeePass's built in generator.1¼Ñ'K½¤ÑÂÝÇëbÀÇDÿÅ`üæ{ëçÓvëÄòA"ð^ one of the passwords it came up with. That one is pretty dang secure :)So secure I'm not sure some websites would accept it ^^I know for a fact that Google (gmail) doesn't want accentuated 'E' as of 6 six months ago.Facebook on the other hand will happily take anything. Edited August 5, 2016 by erelde Link to comment Share on other sites More sharing options...
jackienspy Posted August 5, 2016 Share Posted August 5, 2016 In response to post #41135935. #41138605 is also a reply to the same post.jackienspy wrote: Let me see if i've gotten this right. If i've changed my password here on Nexus after the breach(i joined in 2012) and befor they decrypted the infomation, i'm in the clear? Or am i still in danger if anyother sites i use has the same password as i used here on Nexus befor the breach? If any of those is the case, then i've little to worry about, as the important sites and servies all have different passwords and are only used on that site and nowhere else.mytigio wrote: If you used the password that is in the decrypted database anywhere else, you should go change it in those other places.You should get a password manager so that you can make secure, unique passwords for each website without having to try and remember them all.Alright, that clears things up for me. Link to comment Share on other sites More sharing options...
Thandal Posted August 5, 2016 Share Posted August 5, 2016 In response to post #41099430. Thandal wrote: Ummm... guys; As usual, xkcd got it right years ago: ...That's why troubador isn't that bad, it isn't very long but it uses a lot of different "class" of characters (number, letters both capitals and not, and symbols) So the entropy for the first password here would be closer to 2^616 assuming 20 symbols.26 letters + 10 digits + 20 symbols * 11 characters = 616 Point missed. It's the overall entropy of the password that's crucial. Obviously a complex (mixed-case, alphanumeric, +symbols, truly random) password OF THE SAME LENGTH would be more secure than one made up of all lower-case standard words. But what human can reliably REMEMBER such a 28-character password, much less consistently enter it correctly?!? And how much real-world difference does the complexity make? Today's easily available (meaning "cheap") CPU horsepower and (essentially) infinite RAM via cloud service providers means that a dictionary attack and a brute force attack on short, (6-15 character) equal length passwords are functionally equivalent. No attacker is sitting around watching as the cracking progresses and giving-up in frustration after a little while. S/he's setting a job to run on a server cluster (or botnet) and returning hours-or-days later to see if anything useful was obtained. So the real protection is in the length-limit that the cracking tool is set to use. As every additional increase in the number of characters has an extraordinary impact on the number of iterations the program attempts for EACH target record, (the number of possible permutations increases factorially as length increases) the attacker selects some "reasonable" max password length for the tool. See this article for a more expert summary, but I quote the heart of the matter: Character-for-character, password length is more important for security than complexity. Requiring complexity but allowing passwords to remain short makes passwords more vulnerable to attack than simply requiring easier-to-remember, longer passwords. For everyone using six- to nine-character passwords with “complexity,” I appreciate it. I get paid to break in to systems for a living, and you make my job easier.Strength is provided by increasing the number of possible passwords the attacker has to guess (let’s call this the keyspace even though it really isn’t appropriate in this context). The keyspace is represented mathematically as X^L, where X is the number of possible characters that can be in the password and L is the length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X. Link to comment Share on other sites More sharing options...
Deleted82156User Posted August 5, 2016 Share Posted August 5, 2016 Lol!!! Rolodex. I haven't heard or seen that word used in like 20 years. Amazon sells them, got mine about one month ago. Link to comment Share on other sites More sharing options...
Miles00x Posted August 6, 2016 Share Posted August 6, 2016 In response to post #41141910. Thandal wrote: In response to post #41099430. Thandal wrote: Ummm... guys; As usual, xkcd got it right years ago: ...That's why troubador isn't that bad, it isn't very long but it uses a lot of different "class" of characters (number, letters both capitals and not, and symbols) So the entropy for the first password here would be closer to 2^616 assuming 20 symbols.26 letters + 10 digits + 20 symbols * 11 characters = 616 Point missed. It's the overall entropy of the password that's crucial. Obviously a complex (mixed-case, alphanumeric, +symbols, truly random) password OF THE SAME LENGTH would be more secure than one made up of all lower-case standard words. But what human can reliably REMEMBER such a 28-character password, much less consistently enter it correctly?!? And how much real-world difference does the complexity make? Today's easily available (meaning "cheap") CPU horsepower and (essentially) infinite RAM via cloud service providers means that a dictionary attack and a brute force attack on short, (6-15 character) equal length passwords are functionally equivalent. No attacker is sitting around watching as the cracking progresses and giving-up in frustration after a little while. S/he's setting a job to run on a server cluster (or botnet) and returning hours-or-days later to see if anything useful was obtained. So the real protection is in the length-limit that the cracking tool is set to use. As every additional increase in the number of characters has an extraordinary impact on the number of iterations the program attempts for EACH target record, (the number of possible permutations increases factorially as length increases) the attacker selects some "reasonable" max password length for the tool. See this article for a more expert summary, but I quote the heart of the matter: Character-for-character, password length is more important for security than complexity. Requiring complexity but allowing passwords to remain short makes passwords more vulnerable to attack than simply requiring easier-to-remember, longer passwords. For everyone using six- to nine-character passwords with “complexity,” I appreciate it. I get paid to break in to systems for a living, and you make my job easier.Strength is provided by increasing the number of possible passwords the attacker has to guess (let’s call this the keyspace even though it really isn’t appropriate in this context). The keyspace is represented mathematically as X^L, where X is the number of possible characters that can be in the password and L is the length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X. I used to know my wifi router's 26-digit alphanumeric WEP key off by heart, though i'll be damned if I'm typing anything that long in every single time I want to login! Useful information though thanks! Link to comment Share on other sites More sharing options...
SimpleGlitch Posted August 6, 2016 Share Posted August 6, 2016 In response to post #41141910. #41154895 is also a reply to the same post.Thandal wrote: In response to post #41099430. Thandal wrote: Ummm... guys; As usual, xkcd got it right years ago: ...That's why troubador isn't that bad, it isn't very long but it uses a lot of different "class" of characters (number, letters both capitals and not, and symbols) So the entropy for the first password here would be closer to 2^616 assuming 20 symbols.26 letters + 10 digits + 20 symbols * 11 characters = 616 Point missed. It's the overall entropy of the password that's crucial. Obviously a complex (mixed-case, alphanumeric, +symbols, truly random) password OF THE SAME LENGTH would be more secure than one made up of all lower-case standard words. But what human can reliably REMEMBER such a 28-character password, much less consistently enter it correctly?!? And how much real-world difference does the complexity make? Today's easily available (meaning "cheap") CPU horsepower and (essentially) infinite RAM via cloud service providers means that a dictionary attack and a brute force attack on short, (6-15 character) equal length passwords are functionally equivalent. No attacker is sitting around watching as the cracking progresses and giving-up in frustration after a little while. S/he's setting a job to run on a server cluster (or botnet) and returning hours-or-days later to see if anything useful was obtained. So the real protection is in the length-limit that the cracking tool is set to use. As every additional increase in the number of characters has an extraordinary impact on the number of iterations the program attempts for EACH target record, (the number of possible permutations increases factorially as length increases) the attacker selects some "reasonable" max password length for the tool. See this article for a more expert summary, but I quote the heart of the matter: Character-for-character, password length is more important for security than complexity. Requiring complexity but allowing passwords to remain short makes passwords more vulnerable to attack than simply requiring easier-to-remember, longer passwords. For everyone using six- to nine-character passwords with “complexity,” I appreciate it. I get paid to break in to systems for a living, and you make my job easier.Strength is provided by increasing the number of possible passwords the attacker has to guess (let’s call this the keyspace even though it really isn’t appropriate in this context). The keyspace is represented mathematically as X^L, where X is the number of possible characters that can be in the password and L is the length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X. Miles00x wrote: I used to know my wifi router's 26-digit alphanumeric WEP key off by heart, though i'll be damned if I'm typing anything that long in every single time I want to login! Useful information though thanks!My typical recommendation is use the 'XKCD method' for computer login and the password manager, then use the password manager to generate unique passwords for every thing else. The primary reason behind this it to minimize the number of accounts compromised should any site have a breach and they didn't follow best-practices for hashing password (or worse, didn't hash them at all).My other suggestion is using a non-sms based two-factor authentication where ever possible. Link to comment Share on other sites More sharing options...
osmiumbin Posted August 6, 2016 Share Posted August 6, 2016 In response to post #41058105. #41063005, #41063875, #41065105 are all replies on the same post.osmiumbin wrote: Hello Dark0ne, can you please let us know what hashing algorithm you are using to store the passwords? It matters for brute force attacks especially.More about that here: Cheers!lued123 wrote: Yeah because telling the hackers "THIS IS HOW WE ENCRYPT OUR PASSWORDS!" will totally help things. In all seriousness though, while it would be nice to know, it would also be very, very bad for security reasons.graymaybe wrote: Or, instead, everyone can go on ahead and watch the video about choosing passwords that's linked in the description of the video you've linked us to ( ), and just stop using terrible passwords.turulo wrote: Algorithms for encrypting passwords are well known and their strength comes from the algorithm itself and the quality of the password and not from keeping them a secret.@lued123 You clearly know nothing about password hashing and how it's done, take no offence! There are not that many algorithms out there and each one of them outputs a specific type of hash. That being said, you can easily know what hashing algorithm was used just by looking at the hash. This is not a secret, i was just asking out of curiosity as i really hope they didn't use MD5. Link to comment Share on other sites More sharing options...
xanderh2404 Posted August 6, 2016 Share Posted August 6, 2016 Were you using a reversible algorithm?! That's completely unacceptable and inexcusable. You should never, under any circumstances, use a reversible algorithm to store the passwords. Hash and salt passwords, and store the hash and salt in your database. Even if someone gets their hands on your database, it's going to take centuries to crack the passwords, as long as you use hashing with individual salts for each user. Doing anything else is a massive security hole. Thanks for letting us know, but this made me lose all trust in the security of this site. Link to comment Share on other sites More sharing options...
Thandal Posted August 6, 2016 Share Posted August 6, 2016 @xanderh2404; In addition to reading all of Dark0ne's original post in this topic, see his Network News annoucements about this breech here and here, from back when we became aware of it (Dec 2015). Note that it appears from the date of the latest entries that the dataset in question was actually taken over three years ago, (still not sure how). Yes the passwords were salted and hashed. And yes, after this long, someone may have simply brute-forced at least the simpler ones. Link to comment Share on other sites More sharing options...
Recommended Posts