[CS-FSLUG] New 25-GPU Monster Devours Strong Passwords In Minutes

Yama Ploskonka yamaplos at gmail.com
Fri Dec 7 10:29:37 CST 2012


Could we put together some Real World suggestions / Best Practices, at 
least for the very few that do care?
I am sure that crackers would leave us mostly alone with some basic 
precautions, as there are so many lower hanging fruit available all over 
the place...

That article in Wired was OK, but very thin about what to do better

some suggestions: (please do correct me, especially when something is dumb)

  * Build SEVERAL sets of items, like "city born in *hopE of redeMption
    1952*", "Mother's maiden name *McJarowitzsson*" to use in websites.
    OF COURSE different passwords, doh.

  * Set up at least one fake "persona", and a gmail or other safe
    account to have password recovery point to. Keep access to that
    account minimal and separate from all other (certainly do not have
    it point to your Thunderbird)

  * Keep such information as if it were cash or negotiable securities,
    printed, not in hackable memory, and/or in encrypted flash fobs or
    PGP encrypted stuff - redundancy is important, but it is vital that
    one cracked password does not allow immediate access to *en clair*
    passwords




On 12/07/2012 10:18 AM, Tim Young wrote:
> This is often used when a virus or something hits your computer, grabs 
> the hashed password, and sends it off to someone.
>
> In the Linux world, it is when someone grabs the password/shadow files 
> and takes them off-site.
>
> I once managed a bunch of Unix computers (Sun, DEC, Linux, and others) 
> and had one that I was not monitoring.  Somewhere along the line I 
> logged into it to find that a hacker had gotten into it and was 
> running password breaking tools on it.  The hacker had downloaded some 
> 30 different password files and was hammering on them one after the 
> other.  This was from a bunch of different sites around the world that 
> he had managed to snag the password file from.  Anyway.  I have seen 
> it in action.  It works... (that was before the shadow file needed 
> root privs to be able to read. It is easy to snag the whole password 
> file if you use NIS on your system.)
>
>     - Tim Young
>
> On 12/7/2012 7:59 AM, dcolburn at bibleseven.com wrote:
>>
>> BTW: I am not sure how this gets around a Try -3 then Wait 3-Hours
>> limit + a Warning when multiple attempts are made.
>>
>

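Tim's point, that a stolen password/shadow file is cracked offline where a "try 3 then wait" lockout never applies, means the only thing standing between the attacker and the accounts is the cost of the hash scheme itself. The following audit script is an added example (not from this thread or any of its posters) that walks a shadow(5)-style file and flags accounts whose hash would fall quickly to a GPU rig; the policy thresholds, user names, salts and hash bodies are all constructed for the example.

```python
import re

# Assumed policy thresholds for this example (not from the thread or any standard).
MIN_SHA_ROUNDS = 100_000     # sha256crypt/sha512crypt default is only 5000
MIN_BCRYPT_COST = 10

def classify_hash(field):
    """Rate one shadow(5) password field for resistance to offline cracking.
    Returns (scheme, cost, verdict); verdicts starting with 'ok' need no action."""
    if field == "":
        return ("none", None, "CRITICAL: empty password field")
    if field.startswith(("!", "*")):
        return ("locked", None, "ok: account locked, no password login")
    if field.startswith("$1$"):
        return ("md5crypt", None, "WEAK: md5crypt is fast and has no cost parameter")
    m = re.match(r"^\$2[aby]\$(\d{2})\$", field)             # bcrypt: $2b$<cost>$
    if m:
        cost = int(m.group(1))
        ok = cost >= MIN_BCRYPT_COST
        return ("bcrypt", cost, "ok" if ok else f"WEAK: bcrypt cost {cost}")
    m = re.match(r"^\$([56])\$(?:rounds=(\d+)\$)?", field)     # sha256crypt / sha512crypt
    if m:
        scheme = "sha256crypt" if m.group(1) == "5" else "sha512crypt"
        rounds = int(m.group(2)) if m.group(2) else 5000      # glibc default when absent
        ok = rounds >= MIN_SHA_ROUNDS
        return (scheme, rounds, "ok" if ok else f"WEAK: {scheme} rounds={rounds}")
    if field.startswith(("$7$", "$y$")):
        return ("scrypt/yescrypt", None, "ok: memory-hard scheme")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("des", None, "WEAK: traditional DES crypt, 8-char limit, very fast")
    return ("unknown", None, "REVIEW: unrecognised hash format")

def audit_shadow(text):
    """Return [(user, scheme, cost, verdict)] for every account line in the file."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 2:
            rows.append((parts[0],) + classify_hash(parts[1]))
    return rows

# Constructed sample file: users, salts and hash bodies are made up, not real data.
SAMPLE_SHADOW = "\n".join([
    "root:$6$rounds=656000$fakesalt$" + "A" * 86 + ":19000:0:99999:7:::",
    "alice:$6$fakesalt$" + "B" * 86 + ":19000:0:99999:7:::",   # default 5000 rounds
    "bob:$1$fakesalt$" + "C" * 22 + ":19000:0:99999:7:::",
    "carol:$2b$05$" + "D" * 53 + ":19000:0:99999:7:::",
    "dave:" + "E" * 13 + ":19000:0:99999:7:::",
    "svc:!!:19000:0:99999:7:::",
])

def weak_accounts(text=SAMPLE_SHADOW):
    """Usernames whose stored hash would not hold up to an offline GPU attack."""
    return [user for user, _, _, verdict in audit_shadow(text) if not verdict.startswith("ok")]
```

Run it against a copy of the real shadow file (which, as Tim notes, needs root to read) and re-hash the flagged accounts at their next password change; on glibc systems the rounds value is set through the SHA_CRYPT_MIN_ROUNDS/SHA_CRYPT_MAX_ROUNDS options in login.defs.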