
1 - 8 of 8 Posts

Just Lift Bro
3,234 Posts
Discussion Starter #1
Twitter is telling its 330 million users to change their passwords after discovering a glitch that stored passwords unmasked in an internal log. The company says it fixed the bug and that there's no indication of a breach or misuse, but it's encouraging the password update as a precaution.
Source


>Saving passwords in clear text form
>"glitch"

Sure lad

hahaha
 

Old to Overclock.net
2,091 Posts
Worth a look for anybody interested in security... I'd recommend anybody on this site look up the section on how passwords actually work, they don't work the way you think they do.

http://plaintextoffenders.com/

If your website is set up so that it "knows" passwords or the staff behind it can access/recover them somehow, it's doing it wrong. The quickest way to test this is when you hit the "I forgot my password" button: does it reset it for you, or does it email you back the actual password? If it's the latter, then your website is not set up properly. If the password is properly hashed/salted, the algorithm is irreversible and cannot ever be turned back into plain text.

Unfortunately, if there was indeed a breach, as usual people probably used the same password across multiple sites; they'll end up getting their creds sold on the darknet, credential stuffed, and then be surprised why their bank accounts evaporate, why they have multiple credit cards they didn't know about, and why LifeLock didn't do anything.


Two rules of thumb for passwords, if you can remember it it's not good, and never re-use it.
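As an added illustration of the point about hashed/salted storage and the "I forgot my password" test (this is example code written for this thread, not from plaintextoffenders.com or any poster), the following stand-alone Python shows a store that never holds the password itself, so a reset flow can only issue a one-time token rather than mail the old password back. The iteration count and the in-memory user table are assumptions for the demo:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. The value is an assumption for this
# example; pick the highest count your login latency budget allows.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a self-describing record 'pbkdf2_sha256$iter$salt$hash'.

    Only the random salt and the derived key are stored; the password itself
    never touches disk or logs, so nobody with database access can read it back.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


# In-memory stand-in for a user table (constructed for the demo):
# username -> {"pw": record, "reset_hash": sha256 of an outstanding token or None}
UserTable = Dict[str, Dict[str, Optional[str]]]


def issue_reset_token(users: UserTable, username: str) -> str:
    """'I forgot my password' with a hashed store cannot mail the old password
    back (there is nothing to mail); it issues a one-time token instead.
    Only the token's hash is stored, so a leaked table cannot be used to reset."""
    token = secrets.token_urlsafe(32)
    users[username]["reset_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return token  # delivered out of band (e-mail link), never logged


def reset_password(users: UserTable, username: str, token: str,
                   new_password: str) -> bool:
    """Consume the token and store a fresh salted hash of the new password."""
    expected = users[username].get("reset_hash")
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, expected):
        return False
    users[username]["pw"] = hash_password(new_password)
    users[username]["reset_hash"] = None  # single use
    return True


if __name__ == "__main__":
    users: UserTable = {"alice": {"pw": hash_password("old-secret"), "reset_hash": None}}
    # Same password, two users: the random salt makes the records differ.
    print(hash_password("hunter2") != hash_password("hunter2"))   # True
    print(verify_password("old-secret", users["alice"]["pw"]))    # True
    token = issue_reset_token(users, "alice")
    print(reset_password(users, "alice", token, "new-secret"))    # True
    print(verify_password("new-secret", users["alice"]["pw"]))    # True
    print(reset_password(users, "alice", token, "again"))         # False, token spent
```

The record format carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a migration.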
 

Registered
1,292 Posts
"If you can remember it it's not good."

Completely wrong. You should make long, memorable passwords. Like IL0v3Int3l1234: easy to remember, hard as hell to guess/brute. Plus you don't have to write it down.

Aside from that, stupid Twitter.....
 

Robotic Chemist
3,014 Posts
"If you can remember it it's not good."

Completely wrong.
I agree, if you cannot remember it you have to have it stored in plain text somewhere, recoverable as plain text anyway.

> You should make long, memorable passwords. Like IL0v3Int3l1234: easy to remember, hard as hell to guess/brute. Plus you don't have to write it down.

Swapping letters for numbers is not a very good method if it is too short; good cracking dictionaries include all known substitutions. :p

Diceware is a good option and you do not need to use lots of numbers and/or symbols, only remember a sequence of random words. You do need to be able to use very long passwords though, I have some passwords over 40 characters long. Use the physical dice method to be as secure as possible. :)
 

Registered
3,390 Posts
All my passwords are unique random characters
 

Old to Overclock.net
2,091 Posts
> Completely wrong. You should make long, memorable passwords. Like IL0v3Int3l1234: easy to remember, hard as hell to guess/brute. Plus you don't have to write it down.

That's actually a horrible password.

You gotta remember, some of the brute force rigs they're using now with quad-SLI GPUs can try billions of combinations in relatively short order. With hackers it's getting to the point that they brute force so many passwords that when they steal 10 million credential sets and in the first week of running a brute force attack they crack 6 million, they just call it a day and steal data/identity/money from those 6 million people and give up on the rest out of contentment. I was reading an article about password security that basically said some of those home-brew PC brute force rigs can brute force every single combination of 10 character passwords in less than 30 minutes. State actors are another story altogether; I wouldn't be surprised if they could brute force anything around the 20-25 completely random character range, which would be equivalent to or greater than most pass phrases in use.


The long answer is yes, you can use long memorable sentences or pass phrases, but it's easy to make a mistake that will fall right into the password dictionaries, and if you use passphrases they need to be EXTREMELY long, to the point where not all websites support it, even high security applications like online banking. Somebody somewhere might have the numbers, but me just ballparking it, to get the equivalent of a 20 character random upper case, lower case, alphanumeric and special character password you would need a fairly long pass phrase.

> I agree, if you cannot remember it you have to have it stored in plain text somewhere, recoverable as plain text anyway.

That's not necessarily a bad thing, really once you start weighing the risks/attack surface of an online vs offline attack, most people would probably be better off with passwords stored in plain text on a physical ledger, provided they are good passwords.

That actually brings up the elephant in the room about passwords, that is that passwords are an outdated/inefficient authentication model. When the concept was first popularized with computers they never figured "brute forcing" would ever really be a thing or that users would have to remember dozens upon dozens of passwords for all sorts of different applications and services that didn't even exist at the time. At some point if you use strong passwords for everything you will have to use a password manager, passwords written in plaintext and/or a combination of both.


My best advice is a cascading/compartmentalizing approach. Use easily remembered pass phrases for stuff you need to remember/access remotely away from your home computer. Use random passwords stored in a password manager that you then secure with a memorable pass phrase for important but not life altering/mission critical stuff and finally 25+ character completely random diceware passwords written on a physical ledger for your defcon 5 stuff only to be used at your home terminal.
 

Premium Member
6,627 Posts
> >Saving passwords in clear text form
> >"glitch"
>
> Sure lad
>
> hahaha

Did you not read the source you posted? Their story sounds plausible. Some dev might've been logging passwords before and after hashing to verify that everything worked and accidentally committed that to the production code. Sure, it's still a big mistake, but no need to don your tinfoil hat.

> You gotta remember, some of the brute force rigs they're using now with quad-SLI GPUs can try billions of combinations in relatively short order. With hackers it's getting to the point that they brute force so many passwords that when they steal 10 million credential sets and in the first week of running a brute force attack they crack 6 million, they just call it a day and steal data/identity/money from those 6 million people and give up on the rest out of contentment. I was reading an article about password security that basically said some of those home-brew PC brute force rigs can brute force every single combination of 10 character passwords in less than 30 minutes. State actors are another story altogether; I wouldn't be surprised if they could brute force anything around the 20-25 completely random character range, which would be equivalent to or greater than most pass phrases in use.
>
> The long answer is yes, you can use long memorable sentences or pass phrases, but it's easy to make a mistake that will fall right into the password dictionaries, and if you use passphrases they need to be EXTREMELY long, to the point where not all websites support it, even high security applications like online banking. Somebody somewhere might have the numbers, but me just ballparking it, to get the equivalent of a 20 character random upper case, lower case, alphanumeric and special character password you would need a fairly long pass phrase.

Assuming that you only use words from a 5000-word dictionary, a four word passphrase is roughly equivalent to a random 7 or 8-character password with alphanumeric and special characters. In practice passphrases are often stronger than that; the likelihood that the attacker uses a dictionary of exactly the right size is very small. Most would probably not bother with four-word combinations at all, it's a lot easier to use known compromised passwords.
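The equivalence in the post above (four words from a 5000-word list versus a random 7 or 8-character password) and the earlier Diceware recommendation are both entropy arithmetic, so here is the arithmetic carried through as an added example (written for this thread, not taken from any poster or from the Diceware project). The alphabet and dictionary sizes are the round numbers used in the thread, and the guess rate is a placeholder assumption you should replace with whatever figure you trust:

```python
import math

# Alphabet / dictionary sizes used in the thread's comparisons. These are
# round numbers from the posts, not measured values.
ALPHABET_SIZES = {
    "alnum": 62,              # a-z, A-Z, 0-9
    "alnum+symbols": 94,      # printable ASCII without space
}
DICTIONARY_SIZES = {
    "5000-word list": 5000,   # the size assumed in the post above
    "diceware": 7776,         # 6^5 words, one word per five dice rolls
}


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random.

    This is the attacker-knows-the-list bound. A human-chosen phrase such as
    "I am the best ..." sits far below it because its words are not uniform."""
    return word_count * math.log2(dictionary_size)


def equivalent_random_length(bits: float, alphabet_size: int) -> int:
    """Shortest random string from the alphabet with at least `bits` entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def equivalent_word_count(bits: float, dictionary_size: int) -> int:
    """Fewest random words from the dictionary with at least `bits` entropy."""
    return math.ceil(bits / math.log2(dictionary_size))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at the given offline rate."""
    return 2.0 ** bits / guesses_per_second


def compare(guesses_per_second: float = 1e12) -> dict:
    """Worked numbers behind the two comparisons in the thread.

    guesses_per_second is an assumed placeholder (1e12/s); plug in your own."""
    four_words = passphrase_bits(4, DICTIONARY_SIZES["5000-word list"])
    twenty_random = random_string_bits(20, ALPHABET_SIZES["alnum+symbols"])
    ten_random = random_string_bits(10, ALPHABET_SIZES["alnum+symbols"])
    return {
        "4 words / 5000-list bits": round(four_words, 1),
        "equivalent random chars (94-set)": equivalent_random_length(four_words, 94),
        "20 random chars (94-set) bits": round(twenty_random, 1),
        "diceware words for that": equivalent_word_count(twenty_random, 7776),
        "years to exhaust 10 random chars (94-set)":
            round(seconds_to_exhaust(ten_random, guesses_per_second) / (365 * 86400), 2),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label}: {value}")
```

Four random words from a 5000-word list come to about 49 bits, which lands between a 7-character (45.9 bits) and an 8-character (52.4 bits) random string from the 94-character set, matching the "7 or 8" estimate above; matching a 20-character random string (131 bits) takes 11 Diceware words. The numbers only hold when the words really are chosen at random, which is the reason for the physical dice.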
 

Old to Overclock.net
2,091 Posts
> Most would probably not bother with four-word combinations at all, it's a lot easier to use known compromised passwords.

Very true, but those password dictionaries are getting more sophisticated by the day; they comprise multiple languages, and every time a database is compromised they do things like take people's passwords and make password dictionaries out of them, and those password dictionaries then in turn have pass phrases in them. You might think "hey but they won't have my pass phrase", but as has been shown time and time again, whenever people think they are making something "random" or that nobody else ever thought of, it turns out to be not so random after all over a large enough distribution. Humans suck at picking random things; so do computers too, but that's for another topic.

Your password might be something like IAmTheBestSteak3aterMcDonald$85


"i am"

&

"the best"

in any shape is not random at all, likely seen millions of times over in countless passwords, password dictionaries/brute force attacks will try this in every conceivable uppercase/lowercase/special character/number substitution.

You might think that "Steak" and "McDonalds" are fairly random and they are, but to a computer which can attempt billions of guesses, it isn't random enough and will likely be able to crack that.


If I was going for pass phrases I'd be rolling dice for page numbers in dictionaries of various different languages.
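The substitution point made twice in this thread (that "IL0v3Int3l1234" and "IAmTheBestSteak3aterMcDonald$85" are dictionary words in disguise) is exactly what a password-policy checker on the defending side looks for before accepting a password. The Python below is an added example written for this thread, not any poster's code or an existing library: it undoes the common substitutions, peels off a trailing digit/symbol suffix, and tries to split what remains entirely into known words. The word list is a constructed handful for the demo; a real check would use a large dictionary plus a breached-password corpus.

```python
import re
from functools import lru_cache
from typing import FrozenSet, List, Optional

# Common character substitutions, reversed: the checker "un-leets" the
# candidate before looking words up, since cracking wordlists already try
# these forwards. The table is an assumption for the demo.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed mini word list for the demo (not a real dictionary).
COMMON_WORDS: FrozenSet[str] = frozenset({
    "i", "a", "am", "the", "best", "love", "intel", "steak", "eater",
    "mcdonald", "mcdonalds", "password", "summer",
})

# Trailing digits/symbols ("...1234", "...$85") are treated as a suffix, a
# pattern common enough that it adds little to an attacker's guess count.
SUFFIX_RE = re.compile(r"^(.*?)([0-9!@#$%^&*._-]*)$")


def normalize(core: str) -> str:
    """Lower-case and reverse the substitutions so 'IL0v3' becomes 'ilove'."""
    return core.lower().translate(UNLEET)


def segment(text: str, words: FrozenSet[str],
            max_word: int = 12) -> Optional[List[str]]:
    """Split `text` entirely into dictionary words, preferring longer words.

    Backtracks, so a greedy wrong first choice is retried. Returns None when
    no full segmentation exists."""
    @lru_cache(maxsize=None)
    def best(i: int):
        if i == len(text):
            return ()
        for k in range(min(max_word, len(text) - i), 0, -1):
            piece = text[i:i + k]
            if piece in words:
                rest = best(i + k)
                if rest is not None:
                    return (piece,) + rest
        return None

    result = best(0)
    return None if result is None else list(result)


def assess(password: str, words: FrozenSet[str] = COMMON_WORDS) -> Optional[dict]:
    """Return the dictionary structure found in `password`, or None.

    None means the core did not decompose into known words, which is not a
    proof of strength, only the absence of this particular weakness."""
    core, suffix = SUFFIX_RE.match(password).groups()
    if not core:
        return None
    tokens = segment(normalize(core), words)
    if tokens is None:
        return None
    verdict = f"weak: {len(tokens)} dictionary word(s) with substitutions"
    if suffix:
        verdict += f" and a {len(suffix)}-char suffix"
    return {"words": tokens, "suffix": suffix, "verdict": verdict}


if __name__ == "__main__":
    for pw in ("IL0v3Int3l1234", "IAmTheBestSteak3aterMcDonald$85", "q7Rz!vK2mWp"):
        print(pw, "->", assess(pw))
```

Run against the two passwords from the thread, the checker reports "i love intel" plus a four-digit suffix and "i am the best steak eater mcdonald" plus "$85"; the random-looking third input does not decompose and comes back as None. Rejecting or warning on a non-None result at registration time is the defender's counterpart to the dictionary attack the posts describe.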
 