DailyDirt: Breaking Bad... Passwords

from the urls-we-dig-up dept

Tue, Mar 24th 2015 5:00pm — Michael Ho

Passwords are everywhere. They get us access to our phones, computers, email, social media accounts, cloud storage accounts, banks accounts... just about everything important (and unimportant -- which is part of the problem with passwords). You might think you're clever by choosing a 4-digit PIN that doesn't look like a birthday date or year, but if you're using 2580 and think you're smart, think again.

The iPhone's 4-digit passcode can be broken by brute force in roughly 111 hours or less. Sure, you could use your fingerprint, but it might be better to just turn off the "simple passcode" default and use more digits. [url]
Plenty of password alternative schemes are springing up to move people away from passwords and towards other kinds of authentication. All the big tech companies are trying out various password alternatives. Google is experimenting with a dongle/token/USB key approach. Yahoo is trying out a password-free login. Passwords still seem to be the dominant method for logins, but that could change... someday. [url]
If you have an old wireless router and it only uses WEP passwords, should you use it? Well, even if you use a WPA password, it only takes a few hours to crack... so just stay paranoid. [url]

If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: dongle, fingerprint, logins, passcode, password-free, passwords, pin, security, tokens
Companies: google, yahoo

18 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 24 Mar 2015 @ 6:14pm

i still use WEP key
I'd just leave it wide open if I didn't want to use the changing password as an incentive for my kids to do chores.
[ link to this | view in chronology ]
- Anonymous Coward, 24 Mar 2015 @ 8:45pm
  
  Re: i still use WEP key
  Just beware that your kids could crack the WEP code in a few minutes, so if you want to keep them off when you dont want them on, WPA or WPA2 is better.
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Mar 2015 @ 7:23am
    
    Re: Re: i still use WEP key
    If my kids did the research to learn what a WEP key is and learned to use the tools to crack them, I would be so proud that I'd happily do their chores that week.
    [ link to this | view in chronology ]
Anonymous Coward, 24 Mar 2015 @ 8:09pm

Ugh, Gawker media. Not even worth linking to.
[ link to this | view in chronology ]
heyidiot (profile), 24 Mar 2015 @ 10:19pm

SQRL
"We don' need no stinkin' PASSWORDS..."
[ link to this | view in chronology ]
Ninja (profile), 25 Mar 2015 @ 4:14am

I like the idea of services/software like LastPass. This way you can make a single elaborate password (mine is above 15 digits) and leave the rest to the service. LastPass offers multi-factor authentication too so you can take even further steps to protect yourself (which I did). I think that the future will still see passwords but they will be coupled with other authentication factors.
[ link to this | view in chronology ]
boomslang, 25 Mar 2015 @ 4:41am

Not quite
> Well, even if you use a WPA password, it only takes a few hours to crack

This depends on the password strength. Cracking a strong WPA password is computationally infeasible. Since WPA cracking typically uses a dictionary instead of brute force, cracking a WPA password like "password123" will take minutes.
[ link to this | view in chronology ]
John Fenderson (profile), 25 Mar 2015 @ 7:55am

WEP
WEP is pretty much the same as nothing, WPA isn't very secure, so I take an approach that avoids both of them while providing strong security: I turn the WiFi crypto off completely, then set up my router so that the only thing that can be reached through the access point is my VPN. Anybody can connect to the AP, but doing so won't actually do them any good.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Mar 2015 @ 8:43pm
  
  Re: WEP
  "...WPA isn't very secure..."
  WTF??! WPA *can be entirely secure*, if you read the manual.
  
  I *could* set up a WPA Radius server on my network (two Windows, one Apple, and three Linux boxes - there are more, but the rest are connected to the router via hard cables), but why f#$%ing bother? I use WPA2-PSK with a 63 character key comprised of upper and lower case alphabetics, numerals, and symbols.
  
  I defy the NSA to own enough computing power to crack my wireless network during my lifetime, unless Mr. Technology performs one of those extra uber-wacky fast-forward things.
  
  Today, and for the foreseeable future, WPA rulez (unless you're too lazy to RTFM)!
  
  Talk about something you know.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 26 Mar 2015 @ 8:01am
    
    Re: Re: WEP
    "I defy the NSA to own enough computing power to crack my wireless network during my lifetime"
    
    It doesn't take the NSA. Anyone can do this with a normal computer if they can capture the radio traffic from enough instances of people connecting to the WiFi.
    
    "Talk about something you know."
    
    I recommend the same to you.
    [ link to this | view in chronology ]
    - Anonymous Coward, 26 Mar 2015 @ 5:30pm
      
      Re: Re: Re: WEP
      This is my trade.
      
      I can capture the 4-way handshake and set John (or some other tool) on the crack, but even with a cluster of processors, if it's well-crafted, a password of 20 characters or more is pointlessly difficult to pursue (my 63 element password IS secure).
      
      THE useful approach for cracking WPA, when the target has RTFM, is social engineering not outdated, kiddie tools like Reaver.
      [ link to this | view in chronology ]
jilocasin (profile), 25 Mar 2015 @ 8:00am

Biometrics aren't magic.
I do wish people wouldn't think of 'biometrics' (ex: fingerprint, iris, etc.) as some kind of security magic. It isn't.

Before _any_ biometric can be used it's converted into a string of values. What we know of as a _PASSWORD_.

The only differences between a _biometric_ and a standard password are:

you can't loose it (well, unless you loose an eye, or a finger)

you can't forget it (see above caveats)

after being _processed_ it's generally stronger than a typical password (nothing is stopping the finger print to password algorithm from doing something silly like counting the number of ridges and wholes)

you can't change it (most people only have 2 eyes, 10 fingers, etc.)

you are leaving copies of it everywhere

the cops, or the _bad_guys (yes, sometimes that's redundant) can easily force you to disclose it.

Currently most of the work in cracking biometric protected systems has focused on replicating the biometry (fake finger, picture of subject, etc.) Personally, I think that's a fools errand.

Make a finger print reader, someone makes a fake finger. Add _life_ detection, someone makes a fake fingerprint and puts it on an actual finger, etc. Rinse lather repeat.

Alternatively, apply the algorithm the finger print reader uses to a copy of the fingerprint (or take a page from the Target credit card hackers and copy the actual generated code from the back end of the finger print reader itself.

Inject the computed code (a.k.a. password) into the system, BINGO you are in. Until they change the algorithm that generates the code it doesn't matter HOW GOOD the reader gets at figuring out if it's the real person, in the end it's just computing a password based on the biometric seed.

Science fiction has figured this out awhile ago. In any book/movie/television show whenever you see the person pry open the iris scanner, fingerprint reader, etc. and connect a (usually hand held) computer directly to the innards, that's just what they are doing. Skip the biometric to password generation to send the password directly to the system.

Biometrics aren't _better_than_passwords_, they _ARE_ passwords.
[ link to this | view in chronology ]
- John Fenderson (profile), 25 Mar 2015 @ 9:26am
  
  Re: Biometrics aren't magic.
  "you can't loose it (well, unless you loose an eye, or a finger)"
  
  Actually, fingerprints are pretty easy to lose. It's not that rare that they change (due to scars, etc.) and more people than you might think simply don't have them. My wife, for example, routinely loses her fingerprints as a side-effect of certain work tasks.
  [ link to this | view in chronology ]
Uriel-238 (profile), 25 Mar 2015 @ 10:59am

My community has local wardrivers
And I'd happily share my internet if it wasn't abused by the local piggybacks (e.g. streaming or peer-to-peer which hogs all the bandwidth) so we use the feature that checks the MAC addys of designated devices.

It means that guests have to get their device registered, but we don't have enough wifi guests for it to be a serious bother.

Multi-factor Authentication. It's the only way to fly.
[ link to this | view in chronology ]
- John Fenderson (profile), 25 Mar 2015 @ 1:10pm
  
  Re: My community has local wardrivers
  There are two nicer ways to handle this (assuming that you are interested in providing some sort of public Wifi access but don't want it abused.) The easiest way is to use a more modern Wifi device that allows you to run a "guest" AP that is independent of your private AP, and to restrict what people can do on the guest AP. There are numerous inexpensive consumer Wifi rigs that let you easily do this out of the box.
  
  Or, if you don't mind running a more complex router, you can set up your AP so that it runs with limited resources for everything but a VPN connection, then use the VPN connection for your own unlimited access.
  [ link to this | view in chronology ]
  - Uriel-238 (profile), 25 Mar 2015 @ 2:07pm
    
    While it is a fantasy of mine to provide public wifi to my block
    My bandwidth really isn't enough to be worth it, and there are some local alternatives.
    
    But thank you, both your suggestions are useful.
    [ link to this | view in chronology ]
Anonymous Coward, 25 Mar 2015 @ 3:30pm

Fearmongery
What utter nonsense. WPA is not even what Reaver attacks. Reaver goes after the 8-digit pin for the assisted setup of new devices to employ WPA (heck, it only needs to crack four of the eight). If you have that assisted setup "feature" turned off, or tightly constrained (as it is by default on modern routers), Reaver is useless. Use a good password with WPA and you can laugh at wardrivers.

Pointing to a scarey article as far out of date as the one given here is not worthy of TD.
[ link to this | view in chronology ]
macwintech, 13 Nov 2017 @ 12:49am

pass
Processing Re-write Suggestions Done (Unique Article)
This is my trade.

I will capture the 4-way acknowledgment and set John (or another tool) on the crack, however even with a cluster of processors, if it's well-crafted, a secret of twenty characters or additional is pointlessly tough to pursue (my sixty three component secret IS secure).

THE helpful approach for cracking WPA, once the target has RTFM, is social engineering not noncurrent, kiddie tools like Reaver.
[ link to this | view in chronology ]