[CS-FSLUG] New 25-GPU Monster Devours Strong Passwords In Minutes

Don Parris parrisdc at gmail.com
Fri Dec 7 19:54:13 CST 2012


Steve Gibson's How Big is Your Haystack is a great tool for measuring
password strength:
https://www.grc.com/haystack.htm

I use the XKCD cartoon example for setting passwords, and they would
normally take a few billion years to break using current technology, but
obviously will suffer a shortened attack time under this tool.
Unfortunately, many web sites (including some banks) restrict password
lengths - can you believe that????

That said, how many people can afford the kind of rig they have set up?
Give it a few more years though...


On Fri, Dec 7, 2012 at 11:29 AM, Yama Ploskonka <yamaplos at gmail.com> wrote:

> Could we put together some Real World suggestions / Best Practices, at
> least for the very few that do care?
> I am sure that crackers would leave us mostly alone with some basic
> precautions, as there are so many lower hanging fruit available all over
> the place...
>
> That article in Wired was OK, but very thin about what to do better
>
> some suggestions: (please do correct me, especially when something is dumb)
>
>    - Build SEVERAL sets of items, like "city born in *hopE of redeMption
>    1952*", "Mother's maiden name *McJarowitzsson*" to use in websites. OF
>    COURSE different passwords, doh.
>
>    - Set up at least one fake "persona", and a gmail or other safe
>    account to have password recovery point to. Keep access to that account
>    minimal and separate from all other (certainly do not have it point to your
>    Thunderbird)
>
>    - Keep such information as if it were cash or negotiable securities,
>    printed, not in hackable memory, and/or in encrypted flash fobs or PGP
>    encrypted stuff - redundancy is important, but it is vital that one cracked
>    password does not allow immediate access to *en clair* passwords
>
>
>
>
> On 12/07/2012 10:18 AM, Tim Young wrote:
>
> This is often used when a virus or something hits your computer, grabs the
> hashed password, and sends it off to someone.
>
> In the Linux world, it is when someone grabs the password/shadow files and
> takes them off-site.
>
> I once managed a bunch of Unix computers (Sun, DEC, Linux, and others) and
> had one that I was not monitoring.  Somewhere along the line I logged into
> it to find that a hacker had gotten into it and was running password
> breaking tools on it.  The hacker had downloaded some 30 different password
> files and was hammering on them one after the other.  This was from a bunch
> of different sites around the world that he had managed to snag the
> password file from.  Anyway.  I have seen it in action.  It works... (that
> was before the shadow file needed root privs to be able to read.  It is
> easy to snag the whole password file if you use NIS on your system.)
>
>     - Tim Young
>
> On 12/7/2012 7:59 AM, dcolburn at bibleseven.com wrote:
>
>
> BTW: I am not sure how this gets around a Try -3 then Wait 3-Hours
> limit + a Warning when multiple attempts are made.
>
>
>
> _______________________________________________
> ChristianSource FSLUG mailing list
> Christiansource at ofb.biz
> http://cs.uninetsolutions.com
>



-- 
D.C. Parris, FMP, Linux+, ESL Certificate
Minister, Security/FM Coordinator, Free Software Advocate
http://dcparris.net/
<https://www.xing.com/profile/Don_Parris><http://www.linkedin.com/in/dcparris>
GPG Key ID: F5E179BE
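As an added illustration of two points raised in this thread (Gibson's haystack-style search-space count, and why an online "try 3, then wait 3 hours" lockout is irrelevant once an attacker has carried off the hash file and cracks it offline), the following is example code written for this page; it is not Gibson's tool and not code from anyone on the list. The 26/26/10/33 character-class sizes follow the haystack convention, and the offline guess rate is an assumed placeholder, not a figure from the article.

```python
import string

# Character classes as on the haystack page: 26 lower, 26 upper, 10 digits,
# 33 symbols (string.punctuation is 32 characters; adding space makes 33).
CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),
)

# Guess rates in guesses per second.  ONLINE_RATE is the "try 3, then wait
# 3 hours" throttle mentioned in the thread.  OFFLINE_RATE is an ASSUMED
# figure for a GPU cracking rig working on a stolen hash file; it is not
# taken from the article and only serves to show the difference in scale.
ONLINE_RATE = 3 / (3 * 3600)
OFFLINE_RATE = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password draws from."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses no supported characters")
    return size


def search_space(password: str) -> int:
    """Haystack-style count: every string of length 1..len(password) over
    the same alphabet.  Exact integers, since 26**25 overflows 64 bits."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at the given guess rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # A short "complex" password versus the XKCD-style long lowercase passphrase.
    for pw in ("Pa55w0rd!", "correcthorsebatterystaple"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, space {search_space(pw):.3e}")
        print(f"  online lockout : {years_to_exhaust(pw, ONLINE_RATE):.3e} years")
        print(f"  offline rig    : {years_to_exhaust(pw, OFFLINE_RATE):.3e} years")
```

Length dominates the result: the 25-character lowercase passphrase has a far larger space than the 9-character mixed one, which is exactly why the length caps Don mentions matter.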