DailyDirt: Breaking Bad... Passwords
from the urls-we-dig-up dept
Passwords are everywhere. They get us access to our phones, computers, email, social media accounts, cloud storage accounts, banks accounts... just about everything important (and unimportant -- which is part of the problem with passwords). You might think you're clever by choosing a 4-digit PIN that doesn't look like a birthday date or year, but if you're using 2580 and think you're smart, think again.- The iPhone's 4-digit passcode can be broken by brute force in roughly 111 hours or less. Sure, you could use your fingerprint, but it might be better to just turn off the "simple passcode" default and use more digits. [url]
- Plenty of password alternative schemes are springing up to move people away from passwords and towards other kinds of authentication. All the big tech companies are trying out various password alternatives. Google is experimenting with a dongle/token/USB key approach. Yahoo is trying out a password-free login. Passwords still seem to be the dominant method for logins, but that could change... someday. [url]
- If you have an old wireless router and it only uses WEP passwords, should you use it? Well, even if you use a WPA password, it only takes a few hours to crack... so just stay paranoid. [url]
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: dongle, fingerprint, logins, passcode, password-free, passwords, pin, security, tokens
Companies: google, yahoo
Reader Comments
Subscribe: RSS
View by: Time | Thread
i still use WEP key
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: i still use WEP key
[ link to this | view in thread ]
SQRL
[ link to this | view in thread ]
[ link to this | view in thread ]
Not quite
This depends on the password strength. Cracking a strong WPA password is computationally infeasible. Since WPA cracking typically uses a dictionary instead of brute force, cracking a WPA password like "password123" will take minutes.
[ link to this | view in thread ]
Re: Re: i still use WEP key
[ link to this | view in thread ]
WEP
[ link to this | view in thread ]
Biometrics aren't magic.
Before _any_ biometric can be used it's converted into a string of values. What we know of as a _PASSWORD_.
The only differences between a _biometric_ and a standard password are:
you can't loose it (well, unless you loose an eye, or a finger)
you can't forget it (see above caveats)
after being _processed_ it's generally stronger than a typical password (nothing is stopping the finger print to password algorithm from doing something silly like counting the number of ridges and wholes)
you can't change it (most people only have 2 eyes, 10 fingers, etc.)
you are leaving copies of it everywhere
the cops, or the _bad_guys (yes, sometimes that's redundant) can easily force you to disclose it.
Currently most of the work in cracking biometric protected systems has focused on replicating the biometry (fake finger, picture of subject, etc.) Personally, I think that's a fools errand.
Make a finger print reader, someone makes a fake finger. Add _life_ detection, someone makes a fake fingerprint and puts it on an actual finger, etc. Rinse lather repeat.
Alternatively, apply the algorithm the finger print reader uses to a copy of the fingerprint (or take a page from the Target credit card hackers and copy the actual generated code from the back end of the finger print reader itself.
Inject the computed code (a.k.a. password) into the system, BINGO you are in. Until they change the algorithm that generates the code it doesn't matter HOW GOOD the reader gets at figuring out if it's the real person, in the end it's just computing a password based on the biometric seed.
Science fiction has figured this out awhile ago. In any book/movie/television show whenever you see the person pry open the iris scanner, fingerprint reader, etc. and connect a (usually hand held) computer directly to the innards, that's just what they are doing. Skip the biometric to password generation to send the password directly to the system.
Biometrics aren't _better_than_passwords_, they _ARE_ passwords.
[ link to this | view in thread ]
Re: Biometrics aren't magic.
Actually, fingerprints are pretty easy to lose. It's not that rare that they change (due to scars, etc.) and more people than you might think simply don't have them. My wife, for example, routinely loses her fingerprints as a side-effect of certain work tasks.
[ link to this | view in thread ]
My community has local wardrivers
It means that guests have to get their device registered, but we don't have enough wifi guests for it to be a serious bother.
Multi-factor Authentication. It's the only way to fly.
[ link to this | view in thread ]
Re: My community has local wardrivers
Or, if you don't mind running a more complex router, you can set up your AP so that it runs with limited resources for everything but a VPN connection, then use the VPN connection for your own unlimited access.
[ link to this | view in thread ]
While it is a fantasy of mine to provide public wifi to my block
But thank you, both your suggestions are useful.
[ link to this | view in thread ]
Fearmongery
Pointing to a scarey article as far out of date as the one given here is not worthy of TD.
[ link to this | view in thread ]
Re: WEP
WTF??! WPA *can be entirely secure*, if you read the manual.
I *could* set up a WPA Radius server on my network (two Windows, one Apple, and three Linux boxes - there are more, but the rest are connected to the router via hard cables), but why f#$%ing bother? I use WPA2-PSK with a 63 character key comprised of upper and lower case alphabetics, numerals, and symbols.
I defy the NSA to own enough computing power to crack my wireless network during my lifetime, unless Mr. Technology performs one of those extra uber-wacky fast-forward things.
Today, and for the foreseeable future, WPA rulez (unless you're too lazy to RTFM)!
Talk about something you know.
[ link to this | view in thread ]
Re: Re: WEP
It doesn't take the NSA. Anyone can do this with a normal computer if they can capture the radio traffic from enough instances of people connecting to the WiFi.
"Talk about something you know."
I recommend the same to you.
[ link to this | view in thread ]
Re: Re: Re: WEP
I can capture the 4-way handshake and set John (or some other tool) on the crack, but even with a cluster of processors, if it's well-crafted, a password of 20 characters or more is pointlessly difficult to pursue (my 63 element password IS secure).
THE useful approach for cracking WPA, when the target has RTFM, is social engineering not outdated, kiddie tools like Reaver.
[ link to this | view in thread ]
pass
This is my trade.
I will capture the 4-way acknowledgment and set John (or another tool) on the crack, however even with a cluster of processors, if it's well-crafted, a secret of twenty characters or additional is pointlessly tough to pursue (my sixty three component secret IS secure).
THE helpful approach for cracking WPA, once the target has RTFM, is social engineering not noncurrent, kiddie tools like Reaver.
[ link to this | view in thread ]