DailyDirt: Breaking Bad… Passwords

from the urls-we-dig-up dept

Passwords are everywhere. They get us access to our phones, computers, email, social media accounts, cloud storage accounts, banks accounts… just about everything important (and unimportant — which is part of the problem with passwords). You might think you’re clever by choosing a 4-digit PIN that doesn’t look like a birthday date or year, but if you’re using 2580 and think you’re smart, think again.

If you’d like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Filed Under: , , , , , , , ,
Companies: google, yahoo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “DailyDirt: Breaking Bad… Passwords”

Subscribe: RSS Leave a comment
Ninja (profile) says:

I like the idea of services/software like LastPass. This way you can make a single elaborate password (mine is above 15 digits) and leave the rest to the service. LastPass offers multi-factor authentication too so you can take even further steps to protect yourself (which I did). I think that the future will still see passwords but they will be coupled with other authentication factors.

John Fenderson (profile) says:


WEP is pretty much the same as nothing, WPA isn’t very secure, so I take an approach that avoids both of them while providing strong security: I turn the WiFi crypto off completely, then set up my router so that the only thing that can be reached through the access point is my VPN. Anybody can connect to the AP, but doing so won’t actually do them any good.

Anonymous Coward says:


“…WPA isn’t very secure…”
WTF??! WPA can be entirely secure, if you read the manual.

I could set up a WPA Radius server on my network (two Windows, one Apple, and three Linux boxes – there are more, but the rest are connected to the router via hard cables), but why f#$%ing bother? I use WPA2-PSK with a 63 character key comprised of upper and lower case alphabetics, numerals, and symbols.

I defy the NSA to own enough computing power to crack my wireless network during my lifetime, unless Mr. Technology performs one of those extra uber-wacky fast-forward things.

Today, and for the foreseeable future, WPA rulez (unless you’re too lazy to RTFM)!

Talk about something you know.

John Fenderson (profile) says:

Re: Re: WEP

“I defy the NSA to own enough computing power to crack my wireless network during my lifetime”

It doesn’t take the NSA. Anyone can do this with a normal computer if they can capture the radio traffic from enough instances of people connecting to the WiFi.

“Talk about something you know.”

I recommend the same to you.

Anonymous Coward says:

Re: Re: Re: WEP

This is my trade.

I can capture the 4-way handshake and set John (or some other tool) on the crack, but even with a cluster of processors, if it’s well-crafted, a password of 20 characters or more is pointlessly difficult to pursue (my 63 element password IS secure).

THE useful approach for cracking WPA, when the target has RTFM, is social engineering not outdated, kiddie tools like Reaver.

jilocasin (profile) says:

Biometrics aren't magic.

I do wish people wouldn’t think of ‘biometrics’ (ex: fingerprint, iris, etc.) as some kind of security magic. It isn’t.

Before _any_ biometric can be used it’s converted into a string of values. What we know of as a _PASSWORD_.

The only differences between a _biometric_ and a standard password are:

you can’t loose it (well, unless you loose an eye, or a finger)

you can’t forget it (see above caveats)

after being _processed_ it’s generally stronger than a typical password (nothing is stopping the finger print to password algorithm from doing something silly like counting the number of ridges and wholes)

you can’t change it (most people only have 2 eyes, 10 fingers, etc.)

you are leaving copies of it everywhere

the cops, or the _bad_guys (yes, sometimes that’s redundant) can easily force you to disclose it.

Currently most of the work in cracking biometric protected systems has focused on replicating the biometry (fake finger, picture of subject, etc.) Personally, I think that’s a fools errand.

Make a finger print reader, someone makes a fake finger. Add _life_ detection, someone makes a fake fingerprint and puts it on an actual finger, etc. Rinse lather repeat.

Alternatively, apply the algorithm the finger print reader uses to a copy of the fingerprint (or take a page from the Target credit card hackers and copy the actual generated code from the back end of the finger print reader itself.

Inject the computed code (a.k.a. password) into the system, BINGO you are in. Until they change the algorithm that generates the code it doesn’t matter HOW GOOD the reader gets at figuring out if it’s the real person, in the end it’s just computing a password based on the biometric seed.

Science fiction has figured this out awhile ago. In any book/movie/television show whenever you see the person pry open the iris scanner, fingerprint reader, etc. and connect a (usually hand held) computer directly to the innards, that’s just what they are doing. Skip the biometric to password generation to send the password directly to the system.

Biometrics aren’t _better_than_passwords_, they _ARE_ passwords.

John Fenderson (profile) says:

Re: Biometrics aren't magic.

“you can’t loose it (well, unless you loose an eye, or a finger)”

Actually, fingerprints are pretty easy to lose. It’s not that rare that they change (due to scars, etc.) and more people than you might think simply don’t have them. My wife, for example, routinely loses her fingerprints as a side-effect of certain work tasks.

Uriel-238 (profile) says:

My community has local wardrivers

And I’d happily share my internet if it wasn’t abused by the local piggybacks (e.g. streaming or peer-to-peer which hogs all the bandwidth) so we use the feature that checks the MAC addys of designated devices.

It means that guests have to get their device registered, but we don’t have enough wifi guests for it to be a serious bother.

Multi-factor Authentication. It’s the only way to fly.

John Fenderson (profile) says:

Re: My community has local wardrivers

There are two nicer ways to handle this (assuming that you are interested in providing some sort of public Wifi access but don’t want it abused.) The easiest way is to use a more modern Wifi device that allows you to run a “guest” AP that is independent of your private AP, and to restrict what people can do on the guest AP. There are numerous inexpensive consumer Wifi rigs that let you easily do this out of the box.

Or, if you don’t mind running a more complex router, you can set up your AP so that it runs with limited resources for everything but a VPN connection, then use the VPN connection for your own unlimited access.

Anonymous Coward says:


What utter nonsense. WPA is not even what Reaver attacks. Reaver goes after the 8-digit pin for the assisted setup of new devices to employ WPA (heck, it only needs to crack four of the eight). If you have that assisted setup “feature” turned off, or tightly constrained (as it is by default on modern routers), Reaver is useless. Use a good password with WPA and you can laugh at wardrivers.

Pointing to a scarey article as far out of date as the one given here is not worthy of TD.

macwintech (profile) says:


Processing Re-write Suggestions Done (Unique Article)
This is my trade.

I will capture the 4-way acknowledgment and set John (or another tool) on the crack, however even with a cluster of processors, if it’s well-crafted, a secret of twenty characters or additional is pointlessly tough to pursue (my sixty three component secret IS secure).

THE helpful approach for cracking WPA, once the target has RTFM, is social engineering not noncurrent, kiddie tools like Reaver.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...