Computer password security: How the pros hack passwords.



Paul
19th July 2013, 11:01
Here is the most informative (and rather technical) article I've seen on how the security pros hack passwords, getting from the encrypted password stored on most web servers (such as Avalon and your bank), to your original password. It shows well what kinds of passwords are more resistant to such attacks.

To be safer, passwords that are on limited character sets, such as all upper case, or all lower case, or all one case plus numbers, as well as passwords that contain any common words or l33t speak (https://en.wikipedia.org/wiki/Leet) variants of common words, ... all such passwords would need to be longer. One such password, qeadzcwrsfxv1331, with 12 lower case letters plus 4 following numbers, was among those cracked in less than a day by one pro.

Passwords using purely randomly selected characters, with a mix of upper, lower, numeric and special symbol characters, would be quite resistant to such attacks with as few as perhaps a dozen characters.

Any hacker with one good programmable graphics card can quickly crack any password, no matter how insanely random and how well mixed the upper and lower cases, numbers and special symbols, if that password is only six characters long.

Several experts comment in the article on what they personally do to secure passwords. Each expert has their own take on it, and their own favorite way of handling it.

The three methods I've used in the last few years:

1. Send myself an encrypted email, with a growing list of my passwords. One needs to use strong encryption to get away with this, and to know what one is doing.
2. For several years, I used http://passwordmaker.org/.
3. In the last year, I've switched to using https://lastpass.com/, which has a more refined interface.

For my important accounts, I don't use the builtin (and likely quite excellent) password generators from passwordmaker or lastpass, but rather I have coded my own password generator that takes several sources for random numbers, both local to my computer and off the Internet, and blends them together, taking their SHA512 sum and converting to a mixed upper/lower case plus numbers Base 64 character set.

Here is one such password generated by my custom tool:

mRrzM7k2WxzE2wOyi/YGeTWi42OeZdp9ktFIeAiveVV5Z/EzjmPytVbypFluu64MU497GfhfKwmPNG0lJetbJ
(To be clear, I don't expect any sane person to replicate such a password generator tool, nor need they. I'm just showing off with the above long password example.)

None of these methods are guaranteed. If the NSA decides I am public enemy number one (or, more likely, illuminati enemy number one), then all my secrets will be compromised, including what is only in my mind and never written down, about 5 seconds after the water boarding begins.

Here is the first part of the three part article: Anatomy of a hack: How crackers ransack passwords like qeadzcwrsfxv1331 -- ArsTechnica (http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/)

The article begins:




In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

Robert J. Niewiadomski
19th July 2013, 11:53
But the password hash list needs to be obtained in the first place... Means one needs to find a hole to get in and steal the hash list. And use it immediately before anyone manages to change their password. Right? Cracking passwords is the dessert. After main course of getting hash list out. And some meals are tough to chew (or even indigestible) while others are of one bite size :(

PA better be of that 1st kind meal :)

Paul
19th July 2013, 11:56
But the password hash list needs to be obtained in the first place... Means one needs to find a hole to get in and steal the hash list. And use it immediately before anyone manages to change their password. Right? Cracking passwords is the dessert. After main course of getting hash list out. And some meals are tough to chew (or even indigestible) while others are of one bite size :(

PA better be of that 1st kind meal :)
Project Avalon relies on vBulletin for most of its key server software. vBulletin is a widely used web forum software package, with frequent security updates. But nothing is perfect (and too many users use the same password on multiple sites.)

northstar
19th July 2013, 12:00
My Skype was hacked last year and the hacker tried to use my credit card to make calls. Luckily I had previously cancelled the credit card registered with Skype so there was nothing there for them to steal!
It made me a bit scared about all the personal information I have stored online in various accounts, especially places in which I purchase things and where they have my credit card stored.
I changed my password to one which has upper and lower case, numbers and characters.

Aurelius
19th July 2013, 13:41
We should look at enabling SSL on Avalon .. making it a little more difficult for sniffers / taps to "read" the information people are sending / receiving when on the forum ..

If I switch to SSL, and accept the self signed cert .. the whole UI changes and is unusable.

risveglio
19th July 2013, 13:49
The three methods I've used in the last few years:

In the last year, I've switched to using https://lastpass.com/, which has a more refined interface.




Paul, have you researched Last Pass vs Firefox's built in password manager if you have no need for multiple computers or browsers?



Here is one such password generated by my custom tool:

mRrzM7k2WxzE2wOyi/YGeTWi42OeZdp9ktFIeAiveVV5Z/EzjmPytVbypFluu64MU497GfhfKwmPNG0lJetbJw
(To be clear, I don't expect any sane person to replicate such a password generator tool, nor need they. I'm just showing off with the above long password example.)



So you are saying I should do this. :thinking:

seeingterra
19th July 2013, 13:54
Cool post Paul, thanks :)

The example password you created reminds me of MD5 hash sequences, similar to how it is stored in the DB.

One thing I found funny with the MD5 "encryption" is how easy it is to crack once you get the string. As I am sure you know there are multiple generators and decryption tools available online. Never understood this, one might as well just have the entire password without MD5 in the table as it is so easy.

Have you ever considered SSL protection? I use it for certain things, but a lot of CMS/boards generate strange issues with it.. Plus it costs some money getting it signed as "trusted".

Avalonians should be glad the people in charge here know so much about this stuff :)

Cheers

Carmody
19th July 2013, 14:12
But the password hash list needs to be obtained in the first place... Means one needs to find a hole to get in and steal the hash list. And use it immediately before anyone manages to change their password. Right? Cracking passwords is the dessert. After main course of getting hash list out. And some meals are tough to chew (or even indigestible) while others are of one bite size :(

PA better be of that 1st kind meal :)


The most successful form of (extremely difficult cases) hacking has always (IMO and IME) revolved round hacking the person connected to the keyboard. The weak spot in the equation.

My best answer to all of this, is that I make sure there is nothing on the other side of the given wall - to steal.

DeDukshyn
19th July 2013, 15:38
My Skype was hacked last year and the hacker tried to use my credit card to make calls. Luckily I had previously cancelled the credit card registered with Skype so there was nothing there for them to steal!
It made me a bit scared about all the personal information I have stored online in various accounts, especially places in which I purchase things and where they have my credit card stored.
I changed my password to one which has upper and lower case, numbers and characters.

Last year Skype was discovered to have a particularly easy way to get into others accounts by only getting their email address, and utilizing a loophole in their password recovery process. They've since fixed this, but it is likely this is how your account was compromised.

Flash
19th July 2013, 15:39
I have given a seminar once (on how to handle their demanding internal customers) to the computer security personnel of a bank. What I heard there and what they told me convinced me not to do banking on the internet lol Not kidding.

also:
have a credit card with a low limit so that not much can be stolen and use this card on the web
never give your credit card number for promotional stuff, I have been hacked on this
Gas stations and bars are particularly sensitive to theft, give low level credit card there
Never ever use your debit card for payment everywhere, it is a major link to most of your personal history and most of your money.
Put credit/debit cards with chips (Canada and Europe) in a special small wallet to avoid being picked up by passers-by with electronic devices and hacked.

My Skype was hacked last year and the hacker tried to use my credit card to make calls. Luckily I had previously cancelled the credit card registered with Skype so there was nothing there for them to steal!
It made me a bit scared about all the personal information I have stored online in various accounts, especially places in which I purchase things and where they have my credit card stored.
I changed my password to one which has upper and lower case, numbers and characters.

Paul
19th July 2013, 18:48
One thing I found funny with the MD5 "encryption" is how easy it is to crack once you get the string. As I am sure you know there are multiple generators and decryption tools available online. Never understood this, one could might as well just have the entire password without MD5 in the table as it is so easy.
MD5 isn't -that- easy. It is an almost reliable one-way message digest (http://en.wikipedia.org/wiki/Cryptographic_hash_function), not a two-way encryption/decryption method. Its main problem when used to store passwords is that it is too fast to compute, enabling brute force attacks if the encrypted material is short (such as a short password.) In other words, if you have a 6 character password, encoded using MD5, then I can generate MD5 encodings for -all- possible 6 character passwords and compare them to your encoded password, to see which one generates your encoding.

I said "almost" reliable because MD5 is not entirely collision resistant (https://en.wikipedia.org/wiki/Collision_resistant), though the constructed collisions are artificial and not a concern in many uses, such as verifying that one has a byte for byte correct copy, in the case where non-malicious errors (human or machine) are the risk, not a deliberately malicious attack.

Perhaps the similarity you noticed between my insane example and an example of MD5 you saw was in my use of Base 64 encoding (26 lower case letters, 26 upper case letters, 10 digits and 2 more characters, which are '/' and '+' in the program I'm using.) This encodes 6 bits per character (26 + 26 + 10 + 2 == 64 == 2 to the power of 6.) Hex encoding only encodes 4 bits per character (10 digits + 6 letters ('a' - 'f') == 16 == 2 to the power of 4.)

The differences between MD5 and the various SHA are in their length, and in their compute cost. ("Digest" below means a one-way encoding.)

An MD5 digest is 128 bits long.
A SHA256 digest is 256 bits long.
A SHA512 digest is 512 bits long.

My insane password example is a SHA512 digest, displayed using a Base 64 string of 85 characters (which only displays 6 * 85 == 510 bits, the last 2 bits being dropped to avoid displaying a character that has less than 6 bits of entropy.)


Have you ever considered SSL protection? I use it for certain things, but a lot of CMS/boards generate strange issues with it.. Plus it costs some money getting it signed as "trusted".
We made a couple of attempts to add SSL (https) to the forum, but did not succeed. SSL protects from the garden variety criminals, which are not much of a problem for us, as we're not a bank or other transactor of money. So far as we know, it doesn't protect against the NSA, who I presume has the resources to crack SSL on the fly, in large quantity. Since it is the NSA and colleagues that are our main "threat", and since 90 percent of what people send up the wire to us is posted in public anyway, for Google to scrape usually within 10 or 20 minutes, the benefits that SSL would have for our forum don't appear that great, from what we can see.
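The bit accounting in the post above (128/256/512-bit digests, 6 bits per Base64 character versus 4 per hex character, 85 Base64 characters showing 510 bits) can be checked in a few lines of Python. The block below is an added example, not Paul's generator or any code from the thread; `blend_to_password` is a hypothetical stand-in that only shows the SHA-512-then-Base64 step, and the byte inputs are constructed samples, not real randomness.

```python
import base64
import hashlib

# The 64 output characters of standard Base64: 26 + 26 + 10 + 2 ('+' and '/').
BASE64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)


def digest_bits(algorithm: str) -> int:
    """Output size in bits of a hashlib digest (md5 -> 128, sha256 -> 256, sha512 -> 512)."""
    return hashlib.new(algorithm).digest_size * 8


def bits_per_char(encoding: str) -> int:
    """Bits of digest carried by one output character: Base64 shows 6, hex shows 4."""
    return {"base64": 6, "hex": 4}[encoding]


def chars_needed(algorithm: str, encoding: str) -> int:
    """Characters needed to show a whole digest (SHA-512 in hex is 128 chars).
    Rounds up, so sha512 in Base64 gives 86 although the 86th carries only 2 bits."""
    bits = digest_bits(algorithm)
    per = bits_per_char(encoding)
    return -(-bits // per)  # ceiling division


def bits_displayed(chars: int, encoding: str) -> int:
    """Bits shown by `chars` full characters (85 Base64 chars -> 510 bits)."""
    return chars * bits_per_char(encoding)


def blend_to_password(*sources: bytes) -> str:
    """Hypothetical stand-in for the post's generator: feed several random byte
    sources into one SHA-512, then render the digest as Base64.

    Each source is length-prefixed before hashing so that (b"a", b"b") and
    (b"ab",) do not collapse to the same digest. The '=' padding is stripped
    and the final character dropped: 512 bits is 85 full 6-bit characters plus
    2 leftover bits, so the 86th character would show less than 6 bits of
    entropy, which is the trimming the post describes.
    """
    h = hashlib.sha512()
    for src in sources:
        h.update(len(src).to_bytes(4, "big"))
        h.update(src)
    encoded = base64.b64encode(h.digest()).decode("ascii").rstrip("=")
    return encoded[: digest_bits("sha512") // bits_per_char("base64")]


if __name__ == "__main__":
    # Constructed sample inputs; a real generator would draw from os.urandom /
    # secrets and from genuinely independent sources.
    pw = blend_to_password(b"constructed local randomness", b"constructed remote randomness")
    print(len(pw), pw)
```

The same arithmetic explains why output length is not the same as entropy: the string is 85 characters because the digest is 512 bits, so the password can never hold more randomness than the inputs that were hashed, whatever its length.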

Paul
19th July 2013, 19:02
Paul, have you researched Last Pass vs Firefox's built in password manager if you have no need for multiple computers or browsers?
I have not evaluated the security of Firefox's built-in password manager, and I do have multiple computers and browsers (some 15 different browsers, all but Mac Safari, available on my main system, most of which don't support any of these password managers ...)

Mulder
19th July 2013, 20:59
An easy way to get into your accounts is to hack your main email and find all your other accounts - e.g. skype, amazon, etc. Then do a "forgot password" and intercept the email link and change the password to a new one and you're hacked!

So you should delete all old emails and take special care of your main email. I expect email providers to start sending sms codes to your phone and you need to enter the code to log-on. It would be impossible to hack your email without cloning/stealing your mobile (but this is still do-able for a motivated thief).

AwakeInADream
19th July 2013, 21:14
Great advice Paul! Thanks!:)

I don't know much about hacking, but what I've read does frighten me and make me paranoid...I have a few questions:

You know that type of hacking where people can gain remote access to your computer?

How does that work? And is there a password that you can change to stop people from doing it?
(if so how do you change it)

Also does using a VPN stop this kind of thing?

P.S. For security, I have always kept an empty bank account that I only put money into when I want to use it for online shopping. They can't steal from an empty bank account.:thumb:

Paul
19th July 2013, 21:43
I don't know much about hacking, but what I've read does frighten me and make me paranoid...I have a few questions:

You know that type of hacking where people can gain remote access to your computer?

How does that work? And is there a password that you can change to stop people from doing it?
(if so how do you change it)
It's all kind of complex, and there's a variety of ways that various kinds of control can be obtained over various parts of your computer or various online accounts you might have.

There's no simple password setting to keep it all out. VPNs (virtual private networks) have their uses, but are only marginally relevant here.

Windows users have more of a problem with this than Mac or Linux users. Windows users claim this is because Windows is so popular, so that's where the hackers hack. Linux users claim this is because Windows is inherently insecure and poorly designed. Mac users ignore that controversy and blissfully use their Macs. (I'm joking a bit here, but only somewhat.)

... in other words, I don't have any easy answers for you ... sorry.

I can do a pretty good job of keeping a Linux or Unix box safe ... but that's in part because I have spent over 35 years up to my eyeballs in Linux and Unix systems.

write4change
19th July 2013, 21:47
You have no idea how much I needed this and how grateful I am that you posted it. Thanks so very much.

AwakeInADream
19th July 2013, 22:01
Thanks Paul!:)

Would you say that using Linux is safer for online shopping, banking etc...?(even if I don't really know what I'm doing)

I have Ubuntu installed on my laptop also, just for curiosity(I haven't used it much), but if it really is safer then I may start using it more. I guess having to type a password every time you make changes to the system makes things way more secure.

I've heard that it's safer to run Windows from a User account, rather than as Administrator. I guess this is a similar thing.

I don't have any anti-virus software on Ubuntu though, can you recommend a good free one?
(I read somewhere once that you don't need anti-virus on Linux, is that true?)

P.S. I've just made my PA password much more complex.:thumb:

Paul
19th July 2013, 22:12
Thanks Paul!:)

Would you say that using Linux is safer for online shopping, banking etc...?(even if I don't really know what I'm doing)

I have Ubuntu installed on my laptop also, just for curiosity(I haven't used it much), but if it really is safer then I may start using it more. I guess having to type a password every time you make changes to the system makes things way more secure.

I've heard that it's safer to run Windows from a User account, rather than as Administrator. I guess this is a similar thing.

I don't have any anti-virus software on Ubuntu though, can you recommend a good free one?
(I read somewhere once that you don't need anti-virus on Linux, is that true?)

P.S. I've just made my PA password much more complex.:thumb:

If you are comfortable using Linux, then yes, I'd say it's safer. When I have had relatives who didn't know one end of a computer from the other ask me to set them up so they could send email and browse the web, I usually set them up with Linux.

I don't know of any anti-virus program for Linux, and don't think that one is needed.

Yes, from what I recall from the days I dabbled in Windows, running from a user account rather than an admin account is one thing you can do to be safer (but I am no Windows guru.)

Carmody
20th July 2013, 16:36
Thanks Paul!:)

Would you say that using Linux is safer for online shopping, banking etc...?(even if I don't really know what I'm doing)

I have Ubuntu installed on my laptop also, just for curiosity(I haven't used it much), but if it really is safer then I may start using it more. I guess having to type a password every time you make changes to the system makes things way more secure.

I've heard that it's safer to run Windows from a User account, rather than as Administrator. I guess this is a similar thing.

I don't have any anti-virus software on Ubuntu though, can you recommend a good free one?
(I read somewhere once that you don't need anti-virus on Linux, is that true?)

P.S. I've just made my PA password much more complex.:thumb:

If you are comfortable using Linux, then yes, I'd say it's safer. When I have had relatives who didn't know one end of a computer from the other ask me to set them up so they could send email and browse the web, I usually set them up with Linux.

I don't know of any anti-virus program for Linux, and don't think that one is needed.

Yes, from what I recall from the days I dabbled in Windows, running from a user account rather than an admin account is one thing you can do to be safer (but I am no Windows guru.)

A general way for the average person to think of Linux vs mac vs windows:

Linux is a smaller, functional and modular, expandable house -with one door. It is a simple door, and it is easily closed.

Mac is a much larger house, with many rooms...and with four or five doors and a few windows to look through, some small windows, some big.

Windows is a gigantic mansion (most of the rooms - you've never even visited), a huge bloated glass house with 1000 windows, most of them the size of a door, some of them are already smashed so the wind blows through the house.

Tesla_WTC_Solution
20th July 2013, 18:13
I used to go to sites that actually stored and cross referenced hashes.... Like Paul said, random is best ...

Also disable the browser master password list on your pc.... Lol

Anyone who manages to log into your desktop can access that list!

xthesurge0nx
22nd July 2013, 11:39
1. Always keep your operating system up to date, if it isn't then the hacker does not need a password, they simply exploit incorrectly written code in software or the operating system. Every piece of software/operating system has design flaws because the designers care more about getting software to market than the protection of the people. The Development Life Cycle is either not known, not followed, not followed correctly, misunderstood.

2. Research and use Antivirus, rootkit & spyware software which should always be up to date.

3. Use firewall software that protects both incoming and outgoing connections.

4. Switch off any services you are not using because each service running is a potential target into the operating system.

5. If you have a modem and connected directly to the internet then buy a router, a router that has a built in firewall, and NAT. Make sure your computer also has a firewall, don't just depend on NAT or the routers firewall.

6. Use port forwarding instead of DMZ, only use DMZ if you have to, if putting a computer into the DMZ then make sure rule 3 is strictly followed. If you do use DMZ host consider using two firewalls, an inner and outer firewall.

7. Never save passwords on your computer or in your browser, never use third party software or websites to store your passwords or write your passwords down.

8. Never use the same password more than once.

9. Make sure your password is a minimum of 8 characters containing Uppercase & Lowercase letters, numbers, symbols. As an example ((&!P4$$\/\/0rD2o12!&))

10. Never tell anyone else your password, if you fall out that can be used against you.

11. Uninstall any software you are not using.

12. Use encryption whenever possible, although this does not stop passwords from being sniffed from the network by a professional it does slow them down and stops the hacker in learning.

13. Never have one account for all users, create separate accounts for each user.

14. Never browse the internet under an administrator account, create a standard user account for day to day tasks and use the administrator account for administrative tasks such as installing/uninstalling software.

15. Always use the latest encryption mechanism on wireless devices, never use WEP because you don't need to know the password to break in.

16. Consider using Linux instead of Windows or Mac, Microsoft & Apple work with the intelligence services and have backdoors into operating systems.

17. Understand Microsoft operating system is intentionally insecure, to get support it costs the end user 30 each time, good money making scheme, the exploitation of the uneducated.

18. Never save your password on someone else's computer.

19. Use in private browsing as well as a daisy chain/stepping stone of proxies, a Virtual Private Network and or Tor.

20. Security is not a place to be lazy, take the time to Plan, Research, Design, Develop and Evaluate. Try to - Keep It Simple Stupid - complexity can increase security flaws. In the context of the hacker think about Who, What, When, Where, Why and How. Who might want to break in, What do you have for them to steal, when is your computer switched on and when is it left alone while switched on, Where is your computer located (Public or private location), Why would someone want access to your computer (access your information, use your computer as a stepping stone to attack others), How can they gain access (what software do you have installed, what services are running, what services allow public access)...to give examples.

21. Hackers aren't just stupid kids, government, intelligence, law enforcement and military spend billions on cyber warfare.

22. A computer can be used as a Zombie host to attack computer networks as part of a Bot Net for performing Distributed Denial of Service attacks on target networks and systems.

23. Professional hackers use scientific methodology - ISECOM - Open Source Security Testing Methodology Manual (http://www.isecom.org/mirror/OSSTMM.3.pdf) - The Information Systems Security Assessment Framework (ISSAF) (http://www.oissg.org/files/issaf0.2.1.pdf), OWASP (https://www.owasp.org/index.php/Main_Page) - to give examples.

24. Professional hackers use the best software on the market such as Metasploit (http://www.metasploit.com/), Nessus (http://www.tenable.com/products/nessus), OWASP (https://www.owasp.org/index.php/Main_Page), NMAP (http://nmap.org/), Backtrack (http://www.backtrack-linux.org/), Password Crackers such as John the Ripper, Medusa,Cain & Abel etc (http://sectools.org/tag/crackers/) & (http://www.oxid.it/cain.html) - to give examples

25. Hacking is about time, if we want to get in bad enough we will.

This is not an in depth guide, just a small bit of advice off the top of my head, hacking is a computer science.

Paul
24th July 2013, 12:34
Here is an example of what could happen here or at any other website.

The following example actually is happening now, as I type this, at another forum website that I belong to, the Ubuntu Forums (ubuntuforums.org) (http://ubuntuforums.org) website, which is a forum for discussing Ubuntu, a version of the Linux operating system.

The Ubuntu Forum website has been down for some 4 to 5 days as I write this, doing a complete rebuild of the server from scratch, in order to make sure that they have a clean system. Whoever hacked that website several days ago got away with a copy of the database, which contains the hashed password of every member and their email address. Any member (and no doubt there are many such) who used the same password on other accounts is now at increased risk for having their other accounts hacked.

No doubt various hackers of the world are now combing over that stolen database, decoding passwords. The easy passwords were likely decoded quickly; the better passwords are likely still being figured out; some of the best passwords might never be decoded.

Even worse than my bank account, I especially would not want my email account to have the same password, because (1) hacked email accounts can be read to figure out which banks a person uses, and then (2) often used to reset that person's bank account password. Be especially careful with the password on one's email account(s) to never use the same password for them as you use anywhere else.

If I were a "bad guy" with a copy of this database right now, I might well be trying the email accounts (listed in that stolen Ubuntu forum database) of any member of that Ubuntu forum whose password I cracked, to see if the same password worked on their email account. If it did, I'd glance at their email and see what banks they used, and see if I could login to their bank using the same password, or at least force a password reset on that bank account and login that way. If I could do that, then I could probably steal the money in their bank account.

From what I see in comments on other forums on the web regarding this hack of the Ubuntu forum server, Ubuntu has been sending out email warnings to all members for days now ... just sending out that many email messages takes time. I did not get my email warning until just a couple of hours ago, about 4 to 5 days after the hack. The same delays would likely apply in the case of our Avalon forum; we have fewer members than the Ubuntu forum, but we have fewer admins too.

Here is what the Ubuntu Forums (ubuntuforums.org) (http://ubuntuforums.org) website is currently displaying, instead of their usual forum webpage, while they continue working on restoring their server (4+ days now of little sleep for those admins):

============= Ubuntu Forums =============
Ubuntu Forums is down for maintenance

There has been a security breach on the Ubuntu Forums. The Canonical IS team is working hard as we speak to restore normal operations. This page will be updated with progress reports.

What we know

Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database.

The passwords are not stored in plain text, they are stored as salted hashes. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.

Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach.

Progress report


2013-07-20 2011UTC: Reports of defacement
2013-07-20 2015UTC: Site taken down, this splash page put in place while investigation continues.
2013-07-21: we believe the root cause of the breach has been identified. We are currently reinstalling the forums software from scratch. No data (posts, private messages etc.) will be lost as part of this process.
2013-07-22: work on reinstalling the forums continues.

If you're using Ubuntu and need technical support please see the following page for support:


Finding Help (http://community.ubuntu.com/help-information/finding-help/support).

If you're looking for a place to discuss Ubuntu, in the meantime we encourage you to check out these sites:


The Ubuntu subreddit (http://reddit.com/r/ubuntu)
The Ubuntu Community on Google+ (https://plus.google.com/communities/107299007624972266094)
Ubuntu Discourse (http://ubuntu-discourse.org/)


============= Ubuntu Forums =============

The above is not Project Avalon. It is the Ubuntu Forums home page, at present.

But the same sort of thing could happen to most any website, including Avalon. No website is guaranteed safe from hacking.

Paul
24th July 2013, 13:01
Here's a hint of the cause of the above Ubuntu Forum hack, from ubuntu-discourse.org (http://ubuntu-discourse.org/t/looks-like-ubu-forums-was-just-defaced/603/65?u=paulw2u) (see Post #65):

We now know what happened, it wasn't anything to do with a security hole in VB, all this came about via social engineering and legacy problems left over from when the previous owner was still running the forum.

For some reason, some of the loco mods had admin privileges, and it was one of those accounts that was compromised, along with quite a few hooks in pnp that allowed the attacker to deface the site.

Canonical IS is in the process of rectifying the problems.

Among the very first things that Ilie Pandia and I did, when we became admins of our Avalon Forum in early 2011, was to scour the accounts with admin privilege to the web server, or super user privilege to the underlying operating system, to ensure that only the right people (Bill, Ilie and myself) had access.

That's no guarantee ... nothing is ... but if we ever do get hacked, it will probably be by some other vulnerability.

Paul
24th July 2013, 13:13
Here's a couple of news articles in the online technical press regarding the above hack of Ubuntu Forums:

Ubuntu forums hacked; 1.82M logins, email addresses stolen (ZDNet) (http://www.zdnet.com/ubuntu-forums-hacked-1-82m-logins-email-addresses-stolen-7000018336/)
Up to 1.82m Ubuntu Linux usernames and passwords stolen (Australian IT) (http://www.theaustralian.com.au/australian-it/personal-tech/up-to-18m-ubuntu-linux-usernames-and-passwords-stolen/story-e6frgazf-1226683373243)

Ilie Pandia
24th July 2013, 13:58
In case it was not clear, the moral of the story is to never use your email password anywhere else, or you risk exposing (via password reset) all accounts linked to your email account.

kanishk
25th July 2013, 12:23
If the decryption of MD5 or any other types of hashes can not be found on the internet, can those be decrypted using software? Or are those hashes incorrect hashes?

Ilie Pandia
25th July 2013, 18:40
Hashing is not the same as encryption, because you cannot reverse it.

However, if you have a powerful machine you can hash millions of passwords until eventually you get the hash you were looking for. You will then have a password that may or may NOT be the original password, but you know that it has the hash you want and so you can use that to log into some systems.

The math and theory behind hashing and encryption is pretty complex but it does not rely on being secret! In fact, as far as I know, the strongest encryption algorithms are public so lots of eyes have looked at them and improved on them. The power lies with the mathematics of it, and not the secrecy... and that's the beauty of it really :).

This is a worthy subject to study, but for our user base the main important thing to get is: do not use the same password everywhere and you *must* have a unique password for your email account.
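Ilie's point that a hash cannot be reversed, only re-computed and compared, and the Ubuntu notice's remark that its passwords were "stored as salted hashes", are easiest to see side by side in code. The block below is an added example, not code from the thread, from vBulletin or from Ubuntu Forums: it contrasts the fast unsalted MD5 discussed earlier in the thread with a salted, deliberately slow PBKDF2 record, and shows how a server verifies a login against the stored record. The record format (`scheme$iterations$salt$key`) and the iteration count are assumptions of this example, not a standard the page mentions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "pbkdf2_sha256"
# Assumed work factor: tune so one hash costs roughly 100 ms on the server.
# This is what makes "hash millions of passwords" expensive for an attacker
# holding a stolen table, where MD5 costs next to nothing per guess.
DEFAULT_ITERATIONS = 600_000


def unsalted_md5(password: str) -> str:
    """The weak scheme the thread discusses: fast, unsalted, one hash per password.
    Two users with the same password get the same hash, so a leaked table
    reveals shared passwords and lets precomputed tables be reused."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Produce a storable record: scheme$iterations$salt$key (salt and key Base64)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and count and compare in constant
    time. A malformed or foreign-scheme record is rejected rather than raising."""
    try:
        scheme, iterations_text, salt_b64, key_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        iterations = int(iterations_text)
    except ValueError:
        return False
    if scheme != SCHEME or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def same_password_detectable(password: str,
                             iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, bool]:
    """Hash one password twice under each scheme, as two users who chose it would.
    Returns (md5 records equal, salted records equal): True/False expected."""
    md5_equal = unsalted_md5(password) == unsalted_md5(password)
    salted_equal = (hash_password(password, iterations=iterations)
                    == hash_password(password, iterations=iterations))
    return md5_equal, salted_equal


if __name__ == "__main__":
    # Constructed sample credential, not a real one.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
    print(same_password_detectable("password123"))                  # (True, False)
```

Because the salt sits in the record, verification needs no secret on the server; the protection comes from the per-guess cost and from the salt forcing every user's password to be attacked separately. `hmac.compare_digest` is used so that a mismatch takes the same time regardless of where the first differing byte is.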

Paul
19th August 2014, 08:33
In the last year, I've switched to using https://lastpass.com/, which has a more refined interface.
Well ... that was a year ago. A variety of annoying glitches in the Lastpass interface finally got to me, and I went on another hunt for a good password manager. I'm now trying out

Password Safe (http://passwordsafe.sourceforge.net/) (originally designed by Bruce Schneier (https://www.schneier.com/passsafe.html)) and
an apparent derivative of that, called KeePass.
Windows .net users will likely prefer KeePass (http://keepass.info/), and Linux users will perhaps prefer KeePassX (http://www.keepassx.org/). There is a direct port of the Windows centric KeePass to Linux, using Mono (a Linux port of Windows .net), but Mono in my view is the ignored, buggy and bloated step-child of Microsoft bloatware ... to be avoided. Several other ports of KeePass exist, as listed here (http://en.wikipedia.org/wiki/KeePass#Other_versions), here (http://passwordsafe.sourceforge.net/relatedprojects.shtml), or here (http://keepass.info/download.html).

The Qt based KeePassX (latest version 2.0 alpha 6) is looking to be the best of these for my Linux systems.

Ilie Pandia
19th August 2014, 08:49
I use KeePass for Windows and the good part is that it has an app for Android as well, meaning that I can carry my passwords with me.

On the Android device I have Keepass2Android. The password database is stored in my Dropbox account so that my mobile device can access it. The password database is encrypted so I don't worry too much about Dropbox having access to it.