OT Yahoo breach

On 9/25/2016 1:24 PM, Mayayana wrote:

I don't doubt that somebody wrote that about passwords, but I don't buy it and I don't take it as gospel just because somebody did.
I also didn't include a link to password checker simply because my suggestion was that you run it through any one that you might choose - and there are plenty.
Here's a couple, so go ahead and give it a try. If you find that these don't support your position, go ahead and find some more and try them. Good luck.
http://www.passwordmeter.com/
https://howsecureismypassword.net/
Depending upon which one you use - actually, make that REGARDLESS of which checker you use - you'll find that simply adding a space between the words of your pass phrase will dramatically increase the difficulty of solving.
Then, so long as you're out there trying, try running something like FU2&es&dye! and see what happens. Or, one of my favorites, something like "Hgb^7*?/,<dPoo" (with or without the quotation marks, tho if you use the quotes the time frame runs into the trillions of years<g>)
I use a pass phrase similar to what you suggest (but including some clinkers to increase difficulty) as a Master Password for my password manager. Trust me when I say that no matter how I check it, my Master PW will withstand a couple of billion years of hammering with a computer and the individual passwords for financial accounts and the like will withstand trillions. I feel that's adequate as I doubt that I'll be around much more than 15 or 20 years if I'm really lucky<g>
"Unquestionably Confused" wrote
| I also didn't include a link to password checker simply because my
| suggestion was that you run it through any one that you might choose -
| and there are plenty.
|
| Here's a couple, so go ahead and give it a try. If you find that these
| don't support your position, go ahead and find some more and try them.
| Good luck.
I did. If you'd bothered to check yourself you would have found that a 20 character password is considered very strong, no matter what the characters. Such password checkers are of little value for anything other than learning basic rules. They're just simple scripts that assign points based on unusual characters, length of password, etc. An OSS example that can be downloaded is here:
http://rumkin.com/tools/password/passchk.php
If you try that you'll find that anything over about 12-13 characters is rated strong, even if it's just 13 lower case alphabetic characters. As I noted before, it's been a long time since unusual characters were worth much. Many places now require upper and lower case, at least one number, and at least one unusual character. So any worthwhile cracker has already increased its check from 62 alphanumeric characters to include a dozen or so more. Those other characters, like #>1, may look exotic, but all characters are just numeric byte values.
On 9/25/2016 11:24 AM, Mayayana wrote:

I use Yahoo's Two-step verification. Even if the perp knows my simple password he won't be able to bring up my account on a strange machine.
"AL" wrote
| I use Yahoo's Two-step verification. Even if the perp knows my simple
| password he won't be able to bring up my account on a strange machine.
Isn't that for when you change your password? I assume you don't answer a security question every time you log on.
The issue here is that passwords were stolen and Yahoo didn't know or didn't tell people. So the thieves could have been logging into any Yahoo account over the past two years without being noticed.
On 9/25/2016 5:25 PM, Mayayana wrote:

No. It has nothing to do with changing the password.
When I log into Yahoo from a strange (unknown to Yahoo) computer, Yahoo verifies it's me by texting me a code on my cell phone. When I enter that code on the strange machine it becomes a known machine and from that point on there is no more Two-step verification necessary to access my account on *that particular computer*.
Anyone trying to log in to my account from a strange computer will be unsuccessful even if they know my password because they don't have my cell phone for the verification code.

Correct.

I agree that's bad. But the issue here is also how to protect yourself now. I suggest activating Two-step verification.

With Two-step verification I would notice an *attempt* to log on to my account because I would get an unasked for text code.
"AL" wrote
| When I log into Yahoo from a strange (unknown to Yahoo) computer, Yahoo
| verifies it's me by texting me a code on my cell phone. When I enter
| that code on the strange machine it becomes a known machine and from
| that point on there is no more Two-step verification necessary to access
| my account on *that particular computer*.
That's a clever idea. I had no idea that webmail companies were now tagging devices. I guess that makes sense, since many people are now checking their email mainly from a phone, rather than from constantly changing desktops in hotels and workplaces.
On 9/26/2016 8:14 AM, Mayayana wrote:

which you are using. If I log in from either home or office where I have static IP addresses, I don't get the verification. If I log in from any other location, a pass code is sent to my smart phone and I have to enter it on the computer before my regular log in credentials are accepted.
Some systems look for a specific IP address while others will allow for a certain range (in the case of a dynamic IP address assignment by your provider).

It's not solely the IP address. They also use the User-Agent string provided by the browser, and other fingerprinting techniques to identify the connection as uniquely as possible. There are fields in the TCP packet whose usage can identify the operating system, for example.
"Unquestionably Confused" wrote
| Actually, it's not the devices they are "tagging", it's the IP address
| which you are using. If I log in from either home or office where I
| have static IP addresses, I don't get the verification. If I log in
| from any other location, a pass code is sent to my smart phone and I
| have to enter it on the computer before my regular log in credentials
| are accepted.
This makes me feel old. I don't use webmail to begin with. My cellphone, such as it is, is a Tracphone that I turn on occasionally when I need a phone booth. The system you're describing seems like a great idea, but it also assumes that you own and constantly use a computer phone. But of course, these days most people fit that profile. :)
On 9/26/2016 9:21 AM, Mayayana wrote:

Most such verification systems are set up to use either a text message or email, so no worries. Some, like several of the financial institutions I deal with, will also confirm by voice to a designated phone number.
On Monday, September 26, 2016 at 10:22:48 AM UTC-4, Mayayana wrote:

There's no need for a "computer phone" just a phone that can receive phone calls or texts.
When I try to log into my bank from a "strange computer" it offers me 3 options:
Call me at xxx-xxx-dddd (the d's are the last 4 digits of my cell phone)
Text me at xxx-xxx-dddd
Email me at snipped-for-privacy@xxxx.com
Within seconds I get a 6 digit code via the method I chose.
Obviously you have to register the phone number and/or email address with them.
Sun, 25 Sep 2016 18:24:29 GMT in alt.home.repair, wrote:

The author doesn't seem to understand/grasp the different ways one can accomplish cracking passwords, OR, you misunderstood what they wrote. I didn't check your url, so can't confirm.

No example you've provided so far is any threat to brute force. You aren't even trying. lol. If the site will let me keep trying until I get it right, I need nothing more than a quick and dirty character generator that continues to increase the amount of characters until I get it. Yes, it's that simple. Yes, I can write one to generate ALL possible 20 character combinations you can possibly think of, in say.. 10-15 minutes. Likely, less. Honestly. The time required to go and test them will depend on how quickly I can issue the new password to be tested to the host/program asking for it. And, that's about the only real limit there is with your examples.
IE: your advice isn't sound and should be ignored because it's only useful for SIMPLE dictionary based attacks that rely on common words. A modified dictionary attack that can link various words and maintain upper/lower case caps, etc, won't be fooled by your suggestions, either.
The only possible defense your advice offers against either of the aforementioned algorithms is a limit by the host/program that's asking for the password. If it will let me try until I get it, you're fucked two ways from Sunday. Especially with the samples you've provided so far.
Stick to what you actually seem to know about.. ok? Leave the hacking stuff for those of us who've been there and done it.
--
MID: <nb7u27$crn$ snipped-for-privacy@boaterdave.dont-email.me>
Hmmm. I most certainly don't understand how I can access a copy of a
"Diesel" wrote
| The author doesn't seem to understand/grasp the different ways one
| can accomplish cracking passwords, OR, you misunderstood what they
| wrote. I didn't check your url, so can't confirm.
Maybe it would make sense to read it before commenting on it? What is it about passwords that suddenly turns people into world-class experts?
| No example you've provided so far is any threat to brute force. You
| aren't even trying. lol. If the site will let me keep trying until I
| get it right, I need nothing more than a quick and dirty character
| generator that continues to increase the amount of characters until I
| get it. Yes, it's that simple. Yes, I can write one to generate ALL
| possible 20 character combinations you can possibly think of, in
| say.. 10-15 minutes.
Then no password is of any value unless the testing entity introduces a pause between entries. Then again, there is at least a brief pause across a network. Hmm.
| Likely, less. Honestly.
I have no doubt that you most heartily agree with everything you say. :) By my calculations, figuring about 80 possible characters (a-z, A-Z, 0-9, !@#, etc) you'll need to test each character in each position, against all other possibilities. There would be 10 pentillion possible combinations if it were only numbers. Given the character options it would be more.... I guess something like 80 pentillion times 80, 20 times? It's a base-80 number with 20 places. Darned big, I'd say, in any case. Even for a CPU doing 3 billion operations per second it seems it would take a very long time to just walk those numbers.

| and test them will depend on how quickly I can issue the new password
| to be tested to the host/program asking for it. And, that's about the
| only real limit there is with your examples.

Obviously. That's why it's a password. Each check takes time, even if it's only a little time. Simply making computer code walk through a series of numbers has no relevance to actually testing passwords.
That seems to be the main point of the article. (The one I linked to, which you're too smart to read.) A long password you can remember, that avoids predictable patterns, is stronger and also more practical than a shorter, seemingly arcane series of punctuation marks.
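As an added example that is not part of the thread, the arithmetic behind the "base-80 number with 20 places" claim above and Diesel's point that the host's retry limit is the real constraint: keyspace, entropy and expected search time for the candidate password shapes under an assumed online lockout policy and an assumed offline hash-cracking rate. The guess rates and the 80-symbol alphabet are assumptions, not figures from the thread.

```python
# Added example, not from the thread: keyspace arithmetic for the
# password shapes argued about above, and the effect of the host's
# lockout policy on online guessing. All guess rates are assumptions.
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # 31557600.0


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: bits carried by a uniformly random password."""
    return length * log2(alphabet_size)


def online_rate_with_lockout(tries_before_lockout: int, lockout_seconds: float) -> float:
    """Sustained guesses/second when every `tries_before_lockout` failures
    freeze the account for `lockout_seconds` (an assumed policy)."""
    return tries_before_lockout / lockout_seconds


def expected_years(space: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly chosen password: half the space."""
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


# Constructed cases: 20 lower-case letters versus 14 or 20 symbols drawn
# from an assumed 80-symbol printable set (letters, digits, punctuation).
CANDIDATES = {"20 x a-z": (26, 20), "14 x 80-set": (80, 14), "20 x 80-set": (80, 20)}

# Assumed rates: a login that locks for 15 minutes after 5 failures, and an
# offline rig testing 1e10 candidates/second against a leaked fast hash.
RATES = {"online": online_rate_with_lockout(5, 15 * 60), "offline": 1e10}


def report() -> list[dict]:
    """One row per candidate: entropy and expected crack time per rate."""
    rows = []
    for name, (alphabet, length) in CANDIDATES.items():
        space = keyspace(alphabet, length)
        row = {"password": name, "bits": round(entropy_bits(alphabet, length), 1)}
        row.update({r: expected_years(space, rate) for r, rate in RATES.items()})
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in report():
        print(f"{row['password']:<12} {row['bits']:>5} bits  online {row['online']:.2e} y  offline {row['offline']:.2e} y")
```

The offline column is the one a leaked hash database exposes you to, which is why the thread's advice to enable two-step verification and avoid password reuse matters more than any checker's score.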
Mayayana has brought this to us :

Maybe because passwords are such simple things.
[...]

It isn't actually necessary to submit the same password that you created, but that is a minor 'aside' point and you have already indicated to me that you don't like those. To you it might just be 'picking a nit'. :)

I don't know why he even went there. Maybe I missed something about how far the topic has drifted since the initial drift from the OP's actual question. This 'keep knocking on the front door until it opens' method can lead to trouble.
I think you are looking at this from the wrong perspective. It doesn't matter at all how much time it takes for the server's algorithm to check that you sent the right password, or to enforce a lockout timeout after so many tries. The 'password strength', or perhaps more to the point, the computational complexity of brute forcing it (length and symbol range) or modified dictionary attacking it by commonly used password list (Fluffy, Fido, GOD, etc.), only helps to avoid the password you use from appearing in the hash-to-password table the attacker is using.
If your password is weak, the 'two step verification' idea works for better Yahoo security, but you better not have used the same password for another weaker site because it and your email or username on Yahoo are now possibly known to the attacker(s).
Mon, 26 Sep 2016 13:49:33 GMT in alt.home.repair, wrote:

passwords by themselves really aren't that complex to understand...

You really are in way over your head with this...

ROFL. Actually, that's not what's going on here. I'm going by first hand knowledge.

You're wrong.

Heh. the problem is with the passwords you suggested, actually.
--
MID: <nb7u27$crn$ snipped-for-privacy@boaterdave.dont-email.me>
Hmmm. I most certainly don't understand how I can access a copy of a
Sun, 25 Sep 2016 17:25:50 GMT in alt.home.repair, wrote:

You might want to re-read the article. You seem a bit confused on what cracking algorithms can/can't do here.

That's only going to semi-protect you against a basic dictionary attack; a brute force one is going to get it once it reaches that amount of characters. Just a matter of time. Cracking 'algorithms' vary, you see. Simple dictionary-only attacks aren't very effective against such passwords, but the one you used for an example is ripe for a brute force attack. The only thing that would save you in this case is the amount of times yahoo will let you get it wrong before it temp disables the account, etc.

See above. Your example is only a-z and nothing else; 20 characters long. IE: NOT secure.
--
MID: <nb7u27$crn$ snipped-for-privacy@boaterdave.dont-email.me>
Hmmm. I most certainly don't understand how I can access a copy of a
Ed Pawlowski explained on 9/25/2016 :

Given the exhaustive search or dictionary attack scenario, changing the password would make the already tried and failed passwords viable again, so the attacker would have to start over again.
On 9/25/2016 1:35 PM, FromTheRafters wrote:

And your "new" password may be the next one tried and thus cracked. Not so sure it improves the odds.
Ed Pawlowski wrote on 9/25/2016 :

Sure, but the idea behind exhaustive search is not the same as behind random tries; it reduces the effective keyspace after each try. If the entire keyspace can be searched in a year, the average time to break is six months. If you change the password every three months they may never hit the mark. This definitely does improve your odds.
On 9/25/2016 10:35 AM, FromTheRafters wrote:

I use Yahoo's Two-step verification. It makes a dictionary attack useless on a strange machine.
    HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.