Thread: General Password Query

  1. #1
    I'm not gay; I'm British!
    Join Date
    Mar 2005
    Location
    Murrurundi, Australia
    Posts
    98

    General Password Query

    Hi!

    I run a few sites and also a few for some clients and my main problem is I tend to use the same passwords for cPanel and WP Installs (the clients don't get to access the admin but of course if one gets hacked they all can!).

    A couple have been (I know who knew) so I am in the process of changing all the passwords and was wondering what the opinion was on creating new ones.

    eg is:

    LK9I800GH#K*

    anymore secure than something like

    planet+orange

    (I would have thought the first one, but then the site howsecureismypassword suggests the two words are.)

    Or if anyone can suggest another way to devise a good password that doesn't involve hunting around on the keyboard.

    Ernie


  2. #2
    HunkyLuke (virgin by request ;))
    Join Date
    Mar 2008
    Posts
    3,194
    Ernie,

    passwords that contain actual words are easily hacked, as hackers use what is called a dictionary attack, where they use bot computer networks (infected computers from around the world) to go through the dictionary of hundreds of thousands of known words. Similarly, hackers keep lists of known good passwords (passwords that they discovered people have used in the past). Using botnets of hundreds of thousands of computers, going through all the dictionary and known good passwords can take only minutes. If these attempts don't work, most hackers will stop and move on to the next target; however, if they continue, the next step is to start attempting random password combos.

    I found a great article written in April this year that was hacking NTFS (Windows) passwords using a hacking script called CAIN that could do 9.8 million passwords/sec. They gave this info on how long it would take to hack passwords of various lengths:
    5 characters, 24 seconds
    6 characters, 90 minutes
    7 characters, 4 days
    8 characters, 1 year
    9 characters, 43 years

    Now, here's the scary part, the article was about a new password cracking method that uses GPU (graphics processor) instead, called Ighashgpu. It can crack an 8 character password in 18 hours and 30 minutes, and a 9 character password would take 48 days.

    The above 9-character stats are for cracking the password "kfU64FdB8". They then looked at cracking the password "H<k7$6fVJ". Using the new method, it would take almost 7 years, because this password contains a good mix of upper & lower case letters, numbers and characters.

    There is a big difference between local password cracking and online, as online takes longer due to network speeds, but you can see how this plays out. Lesson here is the longer, more complex password you make, the better - and, don't forget, make sure it's unique!

    In case you want more info, here is the link to the article I found: http://gay.gl/hE
    Luke H.
    Marketing Director
    Zbuckz.com, Jbuckz.com, Dickbank.com, Glamourbuckz.com


  3. #3
    No no i'm really handsome, all the lesbians love me.
    Join Date
    Dec 2007
    Posts
    103
    Think passphrase, not password. Length is far more important than anything else.

    is:
    LK9I800GH#K*

    anymore secure than something like

    planet+orange
    The two are just about the same. Punctuation marks add very little. Of the following two, the first password is more secure:

    hdso8ul3i
    _\=Aw4~#

    The ninth character in the first choice adds far more entropy than the punctuation marks in the second. Much better than either choice is:

    Gore-Blocks-Military-Voting

    It's easier to remember and type than either of the above, but the 27 character length makes it FAR harder to guess.

    That said, some silly people, including major payment processors, are stuck in 1972 and only count the first eight characters. That was probably OK in 1972 when the DES standard was approved. It's really not at all OK now.
    --
    Ray B. Morris
    support@bettercgi.com

    Strongbox - The next generation in site security:
    http://www.bettercgi.com/strongbox/

    Throttlebox - Next generation in intelligent bandwidth control
    http://www.bettercgi.com/throttlebox/

    Clonebox - Next generation disaster prevention
    http://www.bettercgi.com/clonebox/

    Affiliate program:
    http://www.bettercgi.com/affiliates/user/register.php


  4. #4
    I'm not gay; I'm British!
    Join Date
    Mar 2005
    Location
    Murrurundi, Australia
    Posts
    98
    Hi

    Thanks for the replies.

    Luke: I think that was what may have happened, I use(d) 2 or 3 passwords most of the time, so if they got one then they had a heads up into others (I know I'm stupid).

    If it's one word from a dictionary (assuming a language has 250 000 words [according to the OED]) then they could guess it in 1/250000 (just from a dictionary).

    But then if there are 2 words or 3 words the chances drop significantly as there would be 250000 x 250000 x 250000 x 4 x 4 (eg: word delimiter word delimiter word) (eg: orange+planet=sugar) or 2.5 × 10^17

    If just brute-force using the characters there'd be 5.70899077 × 10^45 (assuming 19 characters and 256 choices for each).

    Of course until they cracked the whole password they wouldn't know they had cracked any of it. On the other hand the words are not obscure so would probably be checked first as one of the top 5-10000 words.

    But I still have a nagging feeling, as you suggest, that randomised passwords of a certain length are better - but I dunno - if I set it up as too complicated for my clients they will probably change it themselves to something like pa55word

    Ray: I like the idea of passphrase not password

    Ernie
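The keyspace arithmetic in Ernie's post above (250000 x 250000 x 250000 x 4 x 4, and 256^19), the CAIN cracking rate quoted in post #2, and the first-eight-characters truncation Ray raises can all be worked through in a few lines. The following script is an added example written for this page; it is not code from any poster. It assumes the thread's own figures (a 250,000-word dictionary, four delimiter choices, 9.8 million guesses per second) and that the attacker already knows the password's structure, which is the conservative way to count.

```python
import math
from typing import Optional

# Figures taken from the thread itself (assumptions for this example):
# a 250,000-word dictionary and four delimiter choices (post #4), and the
# 9.8 million guesses/second CAIN rate quoted in post #2.
DICTIONARY_SIZE = 250_000
DELIMITER_CHOICES = 4
CAIN_GUESSES_PER_SECOND = 9.8e6
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must try who knows only the alphabet and the length."""
    return alphabet_size ** length


def passphrase_keyspace(dictionary_size: int, words: int, delimiter_choices: int) -> int:
    """Candidates for `words` dictionary words joined by one of `delimiter_choices`
    delimiters, assuming the attacker knows the password has exactly that shape.
    This is the lower bound; an attacker who does not know the shape does worse."""
    return dictionary_size ** words * delimiter_choices ** (words - 1)


def bits(keyspace: int) -> float:
    """Entropy in bits: log2 of the number of equally likely candidates."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def as_seen_by(password: str, max_length: Optional[int] = None) -> str:
    """What a system that silently truncates stores and compares: only the
    first `max_length` characters. None means the whole password is used."""
    return password if max_length is None else password[:max_length]


def thread_examples() -> dict:
    """Entropy, in bits, of the concrete passwords discussed in the thread."""
    return {
        # "kfU64FdB8": 9 characters from letters and digits (62 symbols)
        "kfU64FdB8": bits(brute_force_keyspace(26 + 26 + 10, 9)),
        # "orange+planet=sugar": three dictionary words, two delimiters
        "orange+planet=sugar": bits(passphrase_keyspace(DICTIONARY_SIZE, 3, DELIMITER_CHOICES)),
        # Ray's phrase: four dictionary words, always joined by "-" (one delimiter choice)
        "Gore-Blocks-Military-Voting": bits(passphrase_keyspace(DICTIONARY_SIZE, 4, 1)),
        # the same 19 characters treated as opaque bytes, i.e. post #4's 256^19
        "19 bytes, 256 symbols": bits(brute_force_keyspace(256, 19)),
    }


if __name__ == "__main__":
    for name, b in thread_examples().items():
        print(f"{name:30s} {b:6.1f} bits")
    # The 9-character, 62-symbol case at the CAIN rate reproduces the article's "43 years".
    print(round(years_to_exhaust(brute_force_keyspace(62, 9), CAIN_GUESSES_PER_SECOND), 1), "years")
    # What an eight-character-only system actually checks:
    for pw in ("planget=orange+planet", "orange+planet=planget"):
        print(repr(pw), "->", repr(as_seen_by(pw, 8)))
```

The truncation check is the practical one: if a system only compares the first eight characters, `orange+planet=planget` collapses to `orange+p`, which a dictionary-plus-suffix attack reaches quickly, while `planget=` does not appear in any word list. Testing a login with a deliberately altered ninth character is the simplest way to discover whether a given site truncates.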


  5. #5
    No no i'm really handsome, all the lesbians love me.
    Join Date
    Dec 2007
    Posts
    103
    I use(d) 2 or 3 passwords most of the time, so if they got one then they had a heads up into others (I know I'm stupid).
    One thing you can do to avoid having to remember many, many passwords is to have about three to four very different ones, used for different security levels. For logging in to a chat board like this one, you might use your lowest security password. That way a breach here doesn't reveal your bank password.

    Of course it's better to have each password different and have a good way to manage them. If you're not going to have each one different, three or four security levels with different passwords is better than having them all the same.


    Quote Originally Posted by thejungle
    But then id there are 2 words or 3 words the chances drop significantly as there would 250000 x 250000 x 250000 x 4 x 4 (eg: word delimiter word delimiter word) [eg: orange+planet=sugar) or 2.5 E17
    And that only if they know it's composed of dictionary words. (Where WORDS, plural, is very different from a single dictionary word.)
    If they don't already know it's dictionary words, orange+planet=sugar is long enough that it's quite secure. Even better is to include a made up "word" - planget=orange+planet

    Since "planget" isn't in the dictionary, it won't be guessed from a dictionary, and the whole thing is too long to brute force random characters. What I actually do is portmanteaus of three words. Looking around the room, I pick three words. Let's say phone, suitcase, and sanitizer. I put those together to make "phonuitcatizier". Nobody is going to guess phonuitcatizier, but because I can pronounce it, I can remember it. We actually have a free online tool that generates such passwords for you.


    Of course until they cracked the whole password they wouldn't know they had cracked any of it.
    True for Wordpress and many things. Others, including CCBill, Verotel, and Zombaio by default ignore anything after the first eight characters. Fixing that with strong encryption on the password file is the most cost effective we provide, I think. That's why I suggested:
    planget=orange+planet
    rather than:
    orange+planet=planget

    If they happen to only look at the first eight characters, planget= is what they'll get, which isn't in the dictionary.

    On the other hand the words are not obscure so would probably be checked first as one of the top 5-10000 words
    "orange" will be quickly cracked. "orange1" and "0range" will also be pretty quick. "orange+planet=sugar" will take a heck of a lot longer.
    --
    Ray B. Morris
    support@bettercgi.com


  6. #6
    HunkyLuke (virgin by request ;))
    Join Date
    Mar 2008
    Posts
    3,194
    Following up on this, I use RoboForm for my passwords. It's a ~$30 program (one time fee) and it stores all my logins. It lets me have a unique random password for every site that I don't have to remember, as it creates the passwords and then auto-fills them.

    There are also other free versions of this available. Maybe as part of the service to your clients, you can recommend these products to make their life easier & more secure.
    Luke H.


  7. #7
    I'm not gay; I'm British!
    Join Date
    Mar 2005
    Location
    Murrurundi, Australia
    Posts
    98
    Hi!
    Thanks for your replies, much appreciated and some great points!

    I liked the idea of combining words - eg: planget=orange+planet

    Do sites like CCBill warn you if they are only checking the first 8 or will they let you enter a 20 character phrase and then just use the first 8?

    I did use Roboform for years and then moved to LastPass but maybe my licence for Roboform is still valid somewhere?

    Ernie


  8. #8
    What'd I get myself into?
    Join Date
    Apr 2009
    Location
    US
    Posts
    13
    I'm currently using LastPass for a lot of the sites I need to authenticate to (the mobile app is a definite plus). A single English word with numerals (i.e. British12) can be easily hacked. A "pass phrase" is preferable. For example: the password "Brent123" is much less secure than "BrentCorrigan_is1_hot_mother!" However, as has been mentioned above, it requires the site to allow a long password as opposed to a short one.

    As much as a password with length 8 and requiring one lower case letter, one upper case letter, one special character, and one numeral sounds nice, it is less secure than allowing someone to enter a phrase of many characters. In fact, a 'short' password with a lot of restrictions, as mentioned previously, is less secure than simply allowing a password of 8 characters that can be of any form. (If you want I can show the math. I'm a geeky gay guy.)
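The math the post offers to show can be done with inclusion-exclusion: count the 8-character strings over printable ASCII, then subtract those missing at least one required class. The script below is an added example for this page, not the poster's code. It assumes the 95 printable ASCII characters split into 26 lowercase, 26 uppercase, 10 digits and 33 specials; those class sizes are an assumption, since the post does not define "special character".

```python
import math
from itertools import combinations

# Assumed character classes of printable ASCII (95 symbols in total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def count_unrestricted(length: int, classes: dict) -> int:
    """Strings of the given length over the union of all classes, no rules."""
    return sum(classes.values()) ** length


def count_meeting_policy(length: int, classes: dict) -> int:
    """Strings of the given length that contain at least one character from
    every class. Inclusion-exclusion: for each subset of classes that is
    excluded, count strings over the remaining alphabet, with alternating sign."""
    names = list(classes)
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(names) + 1):
        for excluded in combinations(names, k):
            remaining = alphabet - sum(classes[n] for n in excluded)
            total += (-1) ** k * remaining ** length
    return total


def bits_lost_to_policy(length: int, classes: dict) -> float:
    """How many bits of keyspace the 'one of each class' rule removes compared
    with allowing any string of the same length."""
    return math.log2(count_unrestricted(length, classes) / count_meeting_policy(length, classes))


def compare(policy_length: int, classes: dict) -> dict:
    """Keyspace of the policy password beside unrestricted passwords of the
    same length and one character longer."""
    alphabet = sum(classes.values())
    return {
        "policy": count_meeting_policy(policy_length, classes),
        "unrestricted_same_length": count_unrestricted(policy_length, classes),
        "unrestricted_one_longer": alphabet ** (policy_length + 1),
    }


if __name__ == "__main__":
    result = compare(8, CLASSES)
    for name, n in result.items():
        print(f"{name:26s} {n:22d}  {math.log2(n):6.2f} bits")
    print(f"bits removed by the policy: {bits_lost_to_policy(8, CLASSES):.2f}")
```

The rule removes roughly one bit from an 8-character keyspace, and every extra character of an unrestricted password adds about 6.6 bits, so length buys far more than composition rules do. The example also shows why policies should set a generous maximum length rather than an elaborate minimum.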


  9. #9
    On the other hand.... You have different fingers
    Join Date
    Nov 2009
    Posts
    1,252
    Being that we've been hacked and slammed hard, I feel that it's appropriate for me to put in input here...

    1. Make sure all of your wordpress sites, CMS's, etc. are all updated!
    2. Monitor your server, if at any time you ever see any folder named "paypal" immediately delete it. IMMEDIATELY. This opened a firewall for us and a hacker snuck in through the paypal directory and placed files in that directory which read all backend key strokes and reported it to him.

    Now....
    Use a different password for every site. We used the same. That's how the virus wiped us out costing us a shit load of money in damage.

    We use 15 characters consisting of uppercase, lowercase, numbers, and symbols.
    Do not use numbers in a row. One of ours was 4321 in a password.

    I would use what everyone else here has suggested.


  10. #10
    HunkyLuke (virgin by request ;))
    Join Date
    Mar 2008
    Posts
    3,194
    Quote Originally Posted by PFLJayden
    2. Monitor your server, if at any time you ever see any folder named "paypal" immediately delete it. IMMEDIATELY. This opened a firewall for us and a hacker snuck in through the paypal directory and placed files in that directory which read all backend key strokes and reported it to him.
    We host with NationalNet. When I have found strange files like this in the past, the first thing I do is open a ticket with NationalNet BEFORE touching or deleting the file, to see if they can check logs and find out HOW that file got there. When it comes to security breaches, you should always have your host involved. If your host does not want to be involved, I would suggest finding a new host!
    Luke H.

