Attention - Password and Security Update - Page 5

Thread: Attention - Password and Security Update

  1. #41
    Member
    Join Date
    Sep 2015
    Location
    Manitoba
    Posts
    91

    Password Difficulty

    An excellent article on password strength is http://www.metafilter.com/160582/6Password9-DNA1970 . After reading it, I still do not understand the point of making passwords very difficult to remember when (as it appears to me) my info was divulged in this case (CMF), whether my password was 6 or 60 characters in length.

  2. #42
    Senior Member humble_pie's Avatar
    Join Date
    Jun 2009
    Posts
    11,304
    ^^

    maybe i read the admins' messages wrong but they gave me the impression that mostly it was the simplistic 6-character all-alphabetic-lower-case passwords that were hacked ...
    "goodness gracious and all that sort of thing" - Astérix chez les Bretons

  3. #43
    Senior Member
    Join Date
    Nov 2012
    Location
    Pacific
    Posts
    7,349
    Quote Originally Posted by stantistic View Post
    I still do not understand the point of making passwords very difficult to remember when (as it appears to me) my info was divulged in this case (CMF), whether my password was 6 or 60 characters in length.
    It makes a difference. In these attacks, hackers don't steal the password directly. Passwords are stored on web sites with a scheme like this, where the password is "hashed" into a numerical value:

    "mypassword" --> d84c7934a7a786d26da3d34d5f7c6c86
    "thepassword" --> b25bc8c9efabdd0837bb7d9deace1308

    What the hacker steals are those hash values on the right. When programmers created all these web sites, they believed that this is very safe. It is considered to be very difficult to take those right hand sides and reverse them back to the original passwords.

    But what hackers actually have built are large databases of huge numbers of passwords on the left, and they compute the hashes on the right. Any common combination of words and numbers (like "mypassword") is put into their tables and the right hand side hashes are known. Many millions of combinations!

    This means that when the hacker steals d84c7934a7a786d26da3d34d5f7c6c86, they look it up in their database and instantly know that it's "mypassword". What makes this possible is that it's a relatively simple combination of words.

    So it's still important to create complex passwords to make it difficult for the hackers to reverse the hashes back to the actual passwords. Hackers have built entire tables consisting of all possible character combinations up to N characters.

    For example even if your password is garbage characters like

    "xss%2T" --> b390d2e8ebbc9da92692143fef1e8449

    The hacker has a table of all possible 6-character combinations. Thus, given the right hand side hash, they can look up what your password was.

    However if your password is 15 characters and complex, the hackers have not been able to "brute force" and try all possible combinations. For a complex 15 character password, when the hacker gets the hash, they can't figure out what the left hand side password was.
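To make the lookup that post #43 describes concrete, here is a small added Python example (not from the post or the forum): it precomputes a hash-to-password table over a constructed wordlist, reverses a leaked unsalted MD5 hash by plain dictionary lookup, and then counts how many candidates a full table of 6-character versus 15-character passwords would need. The wordlist, the 95-character printable-ASCII alphabet and the rate of a billion hashes per second are all assumptions chosen for illustration.

```python
import hashlib

# Constructed wordlist: a stand-in for the "many millions" of common
# passwords a precomputed table would hold (assumption for this example).
COMMON_PASSWORDS = ["password", "mypassword", "thepassword", "letmein", "123456"]

# Printable ASCII (space through ~) is the usual 95-character alphabet (assumption).
ALPHABET_SIZE = 95


def md5_hex(password: str) -> str:
    """Plain, unsalted MD5: a fast hash of the kind the post's example resembles."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once; afterwards a leaked hash is reversed by lookup."""
    return {md5_hex(p): p for p in wordlist}


def reverse_hash(table, leaked_hash):
    """Return the password behind a leaked hash if it is in the table, else None."""
    return table.get(leaked_hash.strip().lower())


def keyspace_size(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of candidate passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def seconds_to_enumerate(length: int, hashes_per_second: float = 1e9) -> float:
    """Time to hash every candidate of this length at an assumed rate."""
    return keyspace_size(length) / hashes_per_second


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = md5_hex("mypassword")
    print(leaked, "->", reverse_hash(table, leaked))  # found: the hash was in the table
    odd = md5_hex("xss%2T")
    print(odd, "->", reverse_hash(table, odd))        # None: not in this small table
    for n in (6, 15):
        years = seconds_to_enumerate(n) / (365 * 24 * 3600)
        print(f"{n} chars: {keyspace_size(n):.3e} candidates, ~{years:.3g} years at 1e9 hashes/s")
```

The two numbers at the end are the whole point of the post: every 6-character candidate can be hashed in minutes at that rate, while the 15-character space is far beyond any precomputed table, so the unsalted hash of a long, complex password is not reversible by lookup.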

  5. #44
    Senior Member
    Join Date
    Feb 2011
    Location
    BC
    Posts
    565
    They definitely got my information... full name and email. Explains the scam emails I've been getting with my name on them.

  6. #45
    Administrator cmfadmin's Avatar
    Join Date
    Oct 2008
    Posts
    351
    hey all,

    let me know if you need any assistance with anything. I'm here to help.

    ~Shane

  7. #46
    Senior Member
    Join Date
    Oct 2011
    Posts
    217
    I just sort of popped on here for the first time in a while and sad to see that there was a security breach. James did a great job of explaining what was actually taken. Any reputable website should not be storing your password, but a hash of your password. A hash is an algorithm that when you put in your password you get out the jumbles like James mentioned. It's a one way conversion and there's no way to convert the hash back to your password.

    Your password will always produce the same hash and this is how a website is able to authenticate you. With that said, a cracker knows that they can use the algorithm too to produce hashes. So if they used the word 'password', they would get the hash for that and anyone that has that same hash would be easily identified.

    The way these hashing algorithms work is that they're designed to be time consuming and computer processing heavy. The idea is that it only takes a second for a regular user to have a hash created for their password, but for someone trying every single combination (billions upon billions of combinations) it would take a long time.

    Since it takes a long time, people have made rainbow tables. They've taken dictionary words and various combinations up to a certain password length and have created hashes that can be checked through for a variety of different hashing algorithms.

    This is why one should have more complex passwords. Though, more secure sites (say like your banking) would do a salted hash. A salted hash saves you from rainbow tables, but not from brute force attacks. So again the more complex the password the closer you drive the timeline on brute force attacks to infinite.

    I'm no expert or anything. I learned about it when I was doing a little website project and how to secure users properly. I'm not sure if anyone cares, but I find it interesting.

    Fun tip, if you have an account at some website, go to forget password and if they email you your exact password - they don't hash the password. They literally store the text of your password - which is bad.

    Edit:
    Also if you value an account greatly and it has two factor authentication available - use it. Banks in Canada don't have it (sucks), but I have it on my Paypal, Amazon, Facebook, Outlook, Office 365, Gmail, etc. Just keeps it safer.
    Last edited by eulogy; 2016-07-29 at 09:09 PM.
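Post #46 describes two defences together: a deliberately slow hash and a per-user salt. The following added Python example (not code from the post or the forum) shows what that looks like on the server side. It uses PBKDF2-HMAC-SHA256 from the standard library as the "time consuming" hash, a random 16-byte salt per stored record, and a constant-time comparison when verifying; the iteration count, the record format and the helper names are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 stands in for the slow hash the post describes.
# The iteration count is what makes each guess expensive for an attacker.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def same_password_same_record(password: str) -> bool:
    """Two users who pick the same password: do their stored records match?"""
    return hash_password(password) == hash_password(password)


def unsalted_sha256(password: str) -> str:
    """For contrast: without a salt, equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print("right password verifies:", verify_password("correct horse", record))
    print("wrong password verifies:", verify_password("wrong horse", record))
    print("salted records for the same password match:", same_password_same_record("password"))
    print("unsalted hashes for the same password match:",
          unsalted_sha256("password") == unsalted_sha256("password"))
```

Because the salt is random and stored alongside the digest, one precomputed table cannot be reused across users or sites, which is exactly the post's point that salting defeats rainbow tables. It does not reduce the number of guesses an attacker must make against a single record, so the slow hash and the password's length still carry the brute-force cost.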

  8. #47
    Senior Member kcowan's Avatar
    Join Date
    Jul 2010
    Location
    Pacific latitude 20/49
    Posts
    4,648
    This from VerticalScope:
    On June 13, 2016, we became aware that February 2016 data stolen from VerticalScope was being made available online.
    because they run this forum.

