OT Yahoo breach

"AL" wrote

| I use Yahoo's Two-step verification. Even if the perp knows my simple
| password he won't be able to bring up my account on a strange machine.

Isn't that for when you change your password? I assume you don't answer a security question every time you log on.

The issue here is that passwords were stolen and Yahoo didn't know or didn't tell people. So the thieves could have been logging into any Yahoo account over the past two years without being noticed.

Reply to
Mayayana

No. It has nothing to do with changing the password.

When I log into Yahoo from a strange (unknown to Yahoo) computer, Yahoo verifies it's me by texting me a code on my cell phone. When I enter that code on the strange machine it becomes a known machine and from that point on there is no more Two-step verification necessary to access my account on *that particular computer*.

Anyone trying to log in to my account from a strange computer will be unsuccessful even if they know my password because they don't have my cell phone for the verification code.

Correct.

I agree that's bad. But the issue here is also how to protect yourself now. I suggest activating Two-step verification.

With Two-step verification I would notice an *attempt* to log on to my account because I would get an unasked-for text code.

Reply to
AL

You might want to re-read the article. You seem a bit confused on what cracking algorithms can/can't do here.

That's only going to semi-protect you against a basic dictionary attack; a brute force one is going to get it once it reaches that amount of characters. Just a matter of time. Cracking 'algorithms' vary, you see. Simple dictionary-only attacks aren't very effective against such passwords, but the one you used for an example is ripe for a brute force attack. The only thing that would save you in this case is the number of times Yahoo will let you get it wrong before it temp disables the account, etc.

See above. Your example is only a-z and nothing else; 20 characters long. IE: NOT secure.

Reply to
Diesel

Is it stored in an encrypted password manager program or the web browser for auto login purposes? If the latter, NirSoft utils are your friend. If the former, you'd have to log in to your password manager to recover the current password so you can change it to something else...

Oh, one more thing, stop having your web browser store login/passwords for you, if that's something you do.

As you'll learn by using the utils I mentioned, it's obviously NOT secure. Anyone who has access to your computer with a brain (read: knows how to pull up the passwords using NirSoft or a variety of other tools) can recover them, with ease.

Reply to
Diesel

The author doesn't seem to understand/grasp the different ways one can accomplish cracking passwords, OR, you misunderstood what they wrote. I didn't check your url, so can't confirm.

No example you've provided so far is any threat to brute force. You aren't even trying. lol. If the site will let me keep trying until I get it right, I need nothing more than a quick and dirty character generator that continues to increase the amount of characters until I get it. Yes, it's that simple. Yes, I can write one to generate ALL possible 20 character combinations you can possibly think of, in say.. 10-15 minutes. Likely, less. Honestly. The time required to go and test them will depend on how quickly I can issue the new password to be tested to the host/program asking for it. And, that's about the only real limit there is with your examples.

IE: your advice isn't sound and should be ignored because it's only useful for SIMPLE dictionary based attacks that rely on common words. A modified dictionary attack that can link various words and maintain upper/lower case caps, etc, won't be fooled by your suggestions, either.

The only possible defense your advice offers against either of the aforementioned algorithms is a limit by the host/program that's asking for the password. If it will let me try until I get it, you're f***ed two ways from Sunday. Especially with the samples you've provided so far.

Stick to what you actually seem to know about... ok? Leave the hacking stuff for those of us who've been there and done it.

Reply to
Diesel

"AL" wrote

| When I log into Yahoo from a strange (unknown to Yahoo) computer, Yahoo
| verifies it's me by texting me a code on my cell phone. When I enter
| that code on the strange machine it becomes a known machine and from
| that point on there is no more Two-step verification necessary to access
| my account on *that particular computer*.

That's a clever idea. I had no idea that webmail companies were now tagging devices. I guess that makes sense, since many people are now checking their email mainly from a phone, rather than from constantly changing desktops in hotels and workplaces.

Reply to
Mayayana

"Diesel" wrote

| The author doesn't seem to understand/grasp the different ways one
| can accomplish cracking passwords, OR, you misunderstood what they
| wrote. I didn't check your url, so can't confirm.

Maybe it would make sense to read it before commenting on it? What is it about passwords that suddenly turns people into world-class experts?

| No example you've provided so far is any threat to brute force. You
| aren't even trying. lol. If the site will let me keep trying until I
| get it right, I need nothing more than a quick and dirty character
| generator that continues to increase the amount of characters until I
| get it. Yes, it's that simple. Yes, I can write one to generate ALL
| possible 20 character combinations you can possibly think of, in
| say.. 10-15 minutes.

Then no password is of any value unless the testing entity introduces a pause between entries. Then again, there is at least a brief pause across a network. Hmm.

| Likely, less. Honestly.

I have no doubt that you most heartily agree with everything you say. :) By my calculations, figuring about 80 possible characters (a-z, A-Z, 0-9, !@#, etc) you'll need to test each character in each position, against all other possibilities. There would be 10 pentillion possible combinations if it were only numbers. Given the character options it would be more.... I guess something like 80 pentillion times 80, 20 times? It's a base-80 number with 20 places. Darned big, I'd say, in any case. Even for a CPU doing 3 billion operations per second it seems it would take a very long time to just walk those numbers.

The time required to go and test them will depend on how quickly I can issue the new password to be tested to the host/program asking for it. And, that's about the only real limit there is with your examples.

Obviously. That's why it's a password. Each check takes time, even if it's only a little time. Simply making computer code walk through a series of numbers has no relevance to actually testing passwords.

That seems to be the main point of the article. (The one I linked to, which you're too smart to read.) A long password you can remember, that avoids predictable patterns, is stronger and also more practical than a shorter, seemingly arcane series of punctuation marks.

Reply to
Mayayana
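Added worked example (written for this page, not code from any poster in the thread): the keyspace arithmetic Mayayana and Diesel are arguing about, carried through in both directions. It computes the number of candidates for a given symbol count and length, the worst-case time to walk them at a fixed guess rate, and the much lower effective rate an online attacker gets once the server enforces a lockout. The 80-symbol alphabet, 20-character length and 3 billion guesses per second are the thread's own figures; the 5-tries-per-15-minutes lockout policy is an assumption chosen for illustration.

```python
# Added example: keyspace size versus achievable guess rate.
# Not from the thread; figures marked "assumption" are constructed.

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """Candidates of every length from 1 up to max_length, i.e. what a
    'keep increasing the length until it works' search has to walk."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def lockout_guess_rate(attempts_before_lockout: int, lockout_seconds: int) -> float:
    """Effective guesses per second an online attacker gets when the
    server locks the account for lockout_seconds after N wrong tries.
    This is the 'limit by the host' the thread mentions, made concrete."""
    return attempts_before_lockout / lockout_seconds


if __name__ == "__main__":
    # Mayayana's figures: ~80 printable symbols, 20 positions, 3e9 ops/s.
    space80 = keyspace(80, 20)
    print(f"80^20 = {space80:.3e} candidates")
    print(f"offline at 3e9 guesses/s: {years_to_exhaust(space80, 3e9):.3e} years")

    # Diesel's lowercase-only objection: a-z, lengths 1..20.
    space26 = cumulative_keyspace(26, 20)
    print(f"a-z up to 20 chars = {space26:.3e} candidates")
    print(f"offline at 3e9 guesses/s: {years_to_exhaust(space26, 3e9):.3e} years")

    # Online guessing through the login form with a lockout policy
    # (assumption: 5 attempts, then 15 minutes locked).
    rate = lockout_guess_rate(5, 15 * 60)
    print(f"online rate under lockout: {rate:.4f} guesses/s")
    print(f"even 8 chars of a-z online: {years_to_exhaust(keyspace(26, 8), rate):.1f} years")
```

The two halves of the thread are both right about different things: generating candidates is cheap, but the rate that matters is the one at which the verifier will accept attempts, and a lockout policy collapses that rate by many orders of magnitude compared with an offline attack on a stolen hash database.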

Actually, it's not the devices they are "tagging", it's the IP address which you are using. If I log in from either home or office where I have static IP addresses, I don't get the verification. If I log in from any other location, a pass code is sent to my smart phone and I have to enter it on the computer before my regular log in credentials are accepted.

Some systems look for a specific IP address while others will allow for a certain range (in the case of a dynamic IP address assignment by your provider).

Reply to
Unquestionably Confused

It's not solely the IP address. They also use the User-Agent string provided by the browser, and other fingerprinting techniques to identify the connection as uniquely as possible. There are fields in the TCP packet whose usage can identify the operating system, for example.

Reply to
Scott Lurndal

"Unquestionably Confused" wrote

| Actually, it's not the devices they are "tagging", it's the IP address
| which you are using. If I log in from either home or office where I
| have static IP addresses, I don't get the verification. If I log in
| from any other location, a pass code is sent to my smart phone and I
| have to enter it on the computer before my regular log in credentials
| are accepted.

This makes me feel old. I don't use webmail to begin with. My cellphone, such as it is, is a Tracphone that I turn on occasionally when I need a phone booth. The system you're describing seems like a great idea, but it also assumes that you own and constantly use a computer phone. But of course, these days most people fit that profile. :)

Reply to
Mayayana

Most such verification systems are set up to use either a text message or email, so no worries. Some, like several of the financial institutions I deal with will also confirm by voice to a designated phone number.

Reply to
Unquestionably Confused

On 9/26/2016 7:08 AM, Scott Lurndal wrote:
> Unquestionably Confused writes:
>> On 9/26/2016 8:14 AM, Mayayana wrote:
>>> "AL" wrote

Two-step verification is used by many organizations, from Internet companies to financial institutions. I use it wherever it's offered. It's not perfect but it does add another layer of security to your accounts.

I can log on from any IP (public or private WiFi for example) using my phone (trusted device) without a challenge.

As close as I could find, a cookie or token is placed on the trusted device. But I couldn't find any links to verify that. Most was from forums/groups and you know how reliable that is... ;)

Reply to
AL

Probably. And I think some are time stamped. When I was imaging/restoring my system frequently I made sure I left my bank's cookie on the system I was imaging. That avoided the 2-step. But if I wait too long (maybe a couple months) before restoring the image I have to do the 2-step.

Reply to
Vic Smith
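Added worked example (written for this page; it is not Yahoo's, any bank's, or any poster's actual mechanism): one way a "trusted device" token of the kind AL and Vic Smith describe can be built so that it behaves as observed. After the SMS/email code succeeds, the server issues a cookie that binds the user, a device identifier and an issue time under an HMAC; on later logins the server skips the second factor only if the cookie verifies, belongs to this user and device, and is younger than a fixed lifetime, which is why a restored image with an old cookie eventually triggers the 2-step again. The server key, the device identifier, the user name and the 60-day lifetime are all assumptions chosen for the demo.

```python
# Added example: a signed, time-stamped "trusted device" cookie with expiry.
# Not the real implementation of any service; values below are constructed.
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: server-side secret
TRUST_LIFETIME = 60 * 24 * 3600                    # assumption: re-verify after 60 days


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the raw JSON payload; only the server holds the key."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_device_token(user: str, device_id: str, now: float) -> str:
    """Called once the user has entered the one-time code on this device.
    Returns an opaque cookie value: base64(payload).hex(hmac)."""
    payload = json.dumps({"u": user, "d": device_id, "iat": int(now)},
                         sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def _decode(token: str):
    """Split the cookie back into payload bytes and the presented signature."""
    body, sig = token.rsplit(".", 1)
    padded = body + "=" * (-len(body) % 4)
    return base64.urlsafe_b64decode(padded), sig


def device_is_trusted(token: str, user: str, device_id: str, now: float) -> bool:
    """True only if the token is genuine, for this user and this device,
    and not older than TRUST_LIFETIME. Any failure means: send a new code."""
    try:
        payload, sig = _decode(token)
    except (ValueError, TypeError):
        return False                                  # malformed cookie
    if not hmac.compare_digest(sig, _sign(payload)):
        return False                                  # forged or tampered
    claims = json.loads(payload)
    if claims.get("u") != user or claims.get("d") != device_id:
        return False                                  # cookie copied elsewhere
    return now - claims["iat"] <= TRUST_LIFETIME      # stale -> 2-step again


def needs_second_factor(token, user: str, device_id: str, now: float) -> bool:
    """Login-flow decision: challenge unless a valid, fresh trust cookie exists."""
    return not (token and device_is_trusted(token, user, device_id, now))


if __name__ == "__main__":
    t0 = 1_700_000_000.0                              # constructed "now"
    cookie = issue_device_token("al@example.invalid", "device-1", t0)
    print("next day, same device:", needs_second_factor(cookie, "al@example.invalid", "device-1", t0 + 86400))
    print("after 61 days:        ", needs_second_factor(cookie, "al@example.invalid", "device-1", t0 + 61 * 86400))
    print("other device:         ", needs_second_factor(cookie, "al@example.invalid", "device-2", t0))
```

Whether the "device" identity comes from a cookie, a browser fingerprint or an IP range is a separate choice (the thread mentions all three); the expiry and the server-side signature are what keep a copied or stale cookie from standing in for the second factor indefinitely.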

There's no need for a "computer phone" just a phone that can receive phone calls or texts.

When I try to log into my bank from a "strange computer" it offers me 3 options:

Call me at xxx-xxx-dddd (the d's are the last 4 digits of my cell phone)
Text me at xxx-xxx-dddd
Email me at snipped-for-privacy@xxxx.com

Within seconds I get a 6 digit code via the method I chose.

Obviously you have to register the phone number and/or email address with them.

Reply to
DerbyDad03

Mayayana has brought this to us:

Maybe because passwords are such simple things.

[...]

It isn't actually necessary to submit the same password that you created, but that is a minor 'aside' point and you have already indicated to me that you don't like those. To you it might just be 'picking a nit'. :)

I don't know why he even went there. Maybe I missed something about how far the topic has drifted since the initial drift from the OP's actual question. This 'keep knocking on the front door until it opens' method can lead to trouble.

I think you are looking at this from the wrong perspective. It doesn't matter at all how much time it takes for the server's algorithm to check that you sent the right password, or to enforce a lockout timeout after so many tries. The 'password strength' or, perhaps more to the point, the computational complexity of brute forcing it (length and symbol range) or modified dictionary attacking it by commonly used password list (Fluffy, Fido, GOD, etc) only helps to avoid the password you use from appearing in the hash-to-password table the attacker is using.

If your password is weak, the 'two step verification' idea works for better Yahoo security, but you better not have used the same password for another weaker site because it and your email or username on Yahoo are now possibly known to the attacker(s).

Reply to
FromTheRafters
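Added worked example (written for this page, not from any poster in the thread) of the "hash-to-password table" FromTheRafters refers to, and of the storage practice that makes such a table useless. A precomputed table maps unsalted hashes of common passwords back to plaintext and can be reused against any leaked database that stored plain SHA-256; a per-user random salt plus a slow key derivation function means the same password produces a different stored value for every user, so nothing in the precomputed table matches. The password list is constructed from the thread's own examples plus two common ones; the iteration count is an assumption.

```python
# Added example: precomputed hash lookup versus salted, iterated storage.
# Password list and salts are constructed for the demo.
import hashlib
import hmac
import os

# Constructed "commonly used password list" (the thread's examples plus two).
COMMON_PASSWORDS = ["Fluffy", "Fido", "GOD", "password", "letmein"]
KDF_ITERATIONS = 100_000  # assumption: tune upward for real deployments


def unsalted_hash(pw: str) -> str:
    """What a weak site stores: one plain SHA-256 of the password."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Attacker-side precomputation: hash -> plaintext, computed once and
    reusable against every leak that stored unsalted hashes."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table: dict, stored_hash: str):
    """Recover the plaintext if the stored hash appears in the table."""
    return table.get(stored_hash)


def salted_hash(pw: str, salt: bytes) -> bytes:
    """Defender-side storage: per-user random salt and a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, KDF_ITERATIONS)


def make_record(pw: str) -> dict:
    """Create the stored credential record for a new user."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(pw, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(record["hash"], salted_hash(attempt, record["salt"]))


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked_unsalted = unsalted_hash("Fido")
    print("unsalted leak recovers:", lookup(table, leaked_unsalted))
    record = make_record("Fido")
    print("salted leak recovers:  ", lookup(table, record["hash"].hex()))
    print("legit login verifies:  ", verify(record, "Fido"))
```

The point the thread circles around: a long, unpredictable password keeps you out of the table in the first place, while proper salting on the server side means the table cannot even be applied, and the two protections are independent of any lockout the login form enforces.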

Passwords by themselves really aren't that complex to understand...

You really are in way over your head with this...

ROFL. Actually, that's not what's going on here. I'm going by first hand knowledge.

You're wrong.

Heh. The problem is with the passwords you suggested, actually.

Reply to
Diesel
