
DailyDirt: Breaking Bad... Passwords

from the urls-we-dig-up dept

Passwords are everywhere. They get us access to our phones, computers, email, social media accounts, cloud storage accounts, bank accounts... just about everything important (and unimportant -- which is part of the problem with passwords). You might think you're clever by choosing a 4-digit PIN that doesn't look like a birthday date or year, but if you're using 2580 and think you're smart, think again. If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Reader Comments



  • Anonymous Coward, 24 Mar 2015 @ 6:14pm

    i still use WEP key

    I'd just leave it wide open if I didn't want to use the changing password as an incentive for my kids to do chores.

    • Anonymous Coward, 24 Mar 2015 @ 8:45pm

      Re: i still use WEP key

      Just beware that your kids could crack the WEP code in a few minutes, so if you want to keep them off when you don't want them on, WPA or WPA2 is better.

      • Anonymous Coward, 25 Mar 2015 @ 7:23am

        Re: Re: i still use WEP key

        If my kids did the research to learn what a WEP key is and learned to use the tools to crack them, I would be so proud that I'd happily do their chores that week.

  • Anonymous Coward, 24 Mar 2015 @ 8:09pm

    Ugh, Gawker media. Not even worth linking to.

  • heyidiot, 24 Mar 2015 @ 10:19pm

    SQRL

    "We don' need no stinkin' PASSWORDS..."

  • Ninja, 25 Mar 2015 @ 4:14am

    I like the idea of services/software like LastPass. This way you can make a single elaborate password (mine is above 15 digits) and leave the rest to the service. LastPass offers multi-factor authentication too so you can take even further steps to protect yourself (which I did). I think that the future will still see passwords but they will be coupled with other authentication factors.

  • boomslang, 25 Mar 2015 @ 4:41am

    Not quite

    > Well, even if you use a WPA password, it only takes a few hours to crack

    This depends on the password strength. Cracking a strong WPA password is computationally infeasible. Since WPA cracking typically uses a dictionary instead of brute force, cracking a WPA password like "password123" will take minutes.

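Added example (not part of the thread or any commenter's post): the WPA/WPA2-PSK key derivation that the passphrase-strength argument above rests on, checked against the published IEEE 802.11i test vector, plus a search-time estimate for randomly chosen passphrases. The guess rate and the function names are assumptions made for illustration.

```python
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by the WPA/WPA2-PSK key derivation
PMK_BYTES = 32             # 256-bit pairwise master key (PMK)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_BYTES)


def effective_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase, capped at the 256-bit PMK size.

    Only valid for random choices: a dictionary-style passphrase such as
    "password123" has far less entropy than its length suggests.
    """
    return min(length * math.log2(alphabet_size), PMK_BYTES * 8)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Expected years of exhaustive search (half the space on average)."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID (constructed): the salt changes the PMK,
    # so precomputed tables only cover the SSIDs they were built for.
    print(derive_pmk("password", "HomeNet").hex())

    RATE = 1e6  # assumed guesses per second, for illustration only
    samples = [("8 random digits", 8, 10),
               ("20 random printable chars", 20, 94),
               ("63 random printable chars", 63, 94)]
    for label, length, alphabet in samples:
        bits = effective_bits(length, alphabet)
        print(f"{label}: {bits:.0f} bits, ~{years_to_search(bits, RATE):.3g} years")
```
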

  • John Fenderson, 25 Mar 2015 @ 7:55am

    WEP

    WEP is pretty much the same as nothing, WPA isn't very secure, so I take an approach that avoids both of them while providing strong security: I turn the WiFi crypto off completely, then set up my router so that the only thing that can be reached through the access point is my VPN. Anybody can connect to the AP, but doing so won't actually do them any good.

    • Anonymous Coward, 25 Mar 2015 @ 8:43pm

      Re: WEP

      "...WPA isn't very secure..."
      WTF??! WPA *can be entirely secure*, if you read the manual.

      I *could* set up a WPA Radius server on my network (two Windows, one Apple, and three Linux boxes - there are more, but the rest are connected to the router via hard cables), but why f#$%ing bother? I use WPA2-PSK with a 63 character key comprised of upper and lower case alphabetics, numerals, and symbols.

      I defy the NSA to own enough computing power to crack my wireless network during my lifetime, unless Mr. Technology performs one of those extra uber-wacky fast-forward things.

      Today, and for the foreseeable future, WPA rulez (unless you're too lazy to RTFM)!

      Talk about something you know.

      • John Fenderson, 26 Mar 2015 @ 8:01am

        Re: Re: WEP

        "I defy the NSA to own enough computing power to crack my wireless network during my lifetime"

        It doesn't take the NSA. Anyone can do this with a normal computer if they can capture the radio traffic from enough instances of people connecting to the WiFi.

        "Talk about something you know."

        I recommend the same to you.

        • Anonymous Coward, 26 Mar 2015 @ 5:30pm

          Re: Re: Re: WEP

          This is my trade.

          I can capture the 4-way handshake and set John (or some other tool) on the crack, but even with a cluster of processors, if it's well-crafted, a password of 20 characters or more is pointlessly difficult to pursue (my 63 element password IS secure).

          THE useful approach for cracking WPA, when the target has RTFM, is social engineering, not outdated kiddie tools like Reaver.

  • jilocasin, 25 Mar 2015 @ 8:00am

    Biometrics aren't magic.

    I do wish people wouldn't think of 'biometrics' (ex: fingerprint, iris, etc.) as some kind of security magic. It isn't.

    Before _any_ biometric can be used it's converted into a string of values. What we know of as a _PASSWORD_.

    The only differences between a _biometric_ and a standard password are:

    you can't lose it (well, unless you lose an eye, or a finger)

    you can't forget it (see above caveats)

    after being _processed_ it's generally stronger than a typical password (nothing is stopping the finger print to password algorithm from doing something silly like counting the number of ridges and wholes)

    you can't change it (most people only have 2 eyes, 10 fingers, etc.)

    you are leaving copies of it everywhere

    the cops, or the _bad_guys (yes, sometimes that's redundant) can easily force you to disclose it.


    Currently most of the work in cracking biometric protected systems has focused on replicating the biometry (fake finger, picture of subject, etc.) Personally, I think that's a fool's errand.

    Make a finger print reader, someone makes a fake finger. Add _life_ detection, someone makes a fake fingerprint and puts it on an actual finger, etc. Rinse lather repeat.

    Alternatively, apply the algorithm the finger print reader uses to a copy of the fingerprint (or take a page from the Target credit card hackers and copy the actual generated code from the back end of the finger print reader itself).

    Inject the computed code (a.k.a. password) into the system, BINGO you are in. Until they change the algorithm that generates the code it doesn't matter HOW GOOD the reader gets at figuring out if it's the real person, in the end it's just computing a password based on the biometric seed.

    Science fiction has figured this out a while ago. In any book/movie/television show whenever you see the person pry open the iris scanner, fingerprint reader, etc. and connect a (usually hand held) computer directly to the innards, that's just what they are doing. Skip the biometric to password generation to send the password directly to the system.

    Biometrics aren't _better_than_passwords_, they _ARE_ passwords.

    • John Fenderson, 25 Mar 2015 @ 9:26am

      Re: Biometrics aren't magic.

      "you can't lose it (well, unless you lose an eye, or a finger)"

      Actually, fingerprints are pretty easy to lose. It's not that rare that they change (due to scars, etc.) and more people than you might think simply don't have them. My wife, for example, routinely loses her fingerprints as a side-effect of certain work tasks.

  • Uriel-238, 25 Mar 2015 @ 10:59am

    My community has local wardrivers

    And I'd happily share my internet if it wasn't abused by the local piggybacks (e.g. streaming or peer-to-peer which hogs all the bandwidth) so we use the feature that checks the MAC addys of designated devices.

    It means that guests have to get their device registered, but we don't have enough wifi guests for it to be a serious bother.

    Multi-factor Authentication. It's the only way to fly.

    • John Fenderson, 25 Mar 2015 @ 1:10pm

      Re: My community has local wardrivers

      There are two nicer ways to handle this (assuming that you are interested in providing some sort of public Wifi access but don't want it abused.) The easiest way is to use a more modern Wifi device that allows you to run a "guest" AP that is independent of your private AP, and to restrict what people can do on the guest AP. There are numerous inexpensive consumer Wifi rigs that let you easily do this out of the box.

      Or, if you don't mind running a more complex router, you can set up your AP so that it runs with limited resources for everything but a VPN connection, then use the VPN connection for your own unlimited access.

      • Uriel-238, 25 Mar 2015 @ 2:07pm

        While it is a fantasy of mine to provide public wifi to my block

        My bandwidth really isn't enough to be worth it, and there are some local alternatives.

        But thank you, both your suggestions are useful.

  • Anonymous Coward, 25 Mar 2015 @ 3:30pm

    Fearmongery

    What utter nonsense. WPA is not even what Reaver attacks. Reaver goes after the 8-digit pin for the assisted setup of new devices to employ WPA (heck, it only needs to crack four of the eight). If you have that assisted setup "feature" turned off, or tightly constrained (as it is by default on modern routers), Reaver is useless. Use a good password with WPA and you can laugh at wardrivers.

    Pointing to a scary article as far out of date as the one given here is not worthy of TD.

  • macwintech, 13 Nov 2017 @ 12:49am

    pass

    Processing Re-write Suggestions Done (Unique Article)
    This is my trade.

    I will capture the 4-way acknowledgment and set John (or another tool) on the crack, however even with a cluster of processors, if it's well-crafted, a secret of twenty characters or additional is pointlessly tough to pursue (my sixty three component secret IS secure).

    THE helpful approach for cracking WPA, once the target has RTFM, is social engineering not noncurrent, kiddie tools like Reaver.
