Alright; this is my current knowledge base:
1) I know (roughly) how brute-force dictionary password attacks work.
2) I know (roughly) how MySQL injection attacks work.
3) I know that preventing either of the above things is pretty trivial.
Twice this last year I've had a password from a service I use (one on Steam, one on League of Legends) broken, resulting a short-lived account hijack (attackers on both occasions were based in China, so it was obvious to whomever handles account oversight on both services that it wasn't actually me doing crazy shit trying to game the Team Fortress or Riot Points store). I've never before had any of passwords broken or accounts compromised.
...I guess I'm just wondering how in
the fuck this happens? I usually use a 10 digit long password with a random array of numbers and letters, mixing uppercase & lowercase where I'm allowed to. A dictionary attack just won't work, and according to the brute-force applications I know of, it should take
thousands of years - even on some ASIC beast - to finally brute force your way in.
I'm using Steam's verification app now (League doesn't have anything like that
), but I feel annoyed that this is even necessary. I have pretty good passwords. How does this happen?
Posts
As you say, brute forcing well made passwords, while doable, is hardly cost/time effective for something like Steam/LoL accounts.
Passwords for things like that are typically stolen through the use of malware/phishing sites/social engineering as it's much faster and easier to simply record the keystrokes then crack the password. In short, you should probably scan your system for malware and be mindful of your browsing habits, as those are the common attack vectors for these types of things.
Be wary of the sites you're visiting, the things you download, and run regular scans with up to date programs.
I'm not sure what all programs are best, and I'm certainly not an expert, but I believe that regular scans with Malwarebytes is a good place to start.
But yes, the other way people often get passwords is to break into somewhere less secure and try those passwords out on more secure sites/services, hoping that someone used the same password in more than one place. If you can manage to make your passwords different for most things, that's a good way to make it harder for people to hit your important accounts.
The biggest is a sister site being compromised. If you use the same password on multiple sites, this is likely how it happens. So let's say you signed up for a LoL message board, similar to penny-arcade, or maybe an account "showoff" service where you enter details and it lets you set up an account. These sites are often compromised, and the databases stolen. So if the password is unencrypted, and you have the person's email... well you might be able to hack into multiple sites that the person uses. Doubly so if they use an email that you can log into because the password is the same. This is usually just called ID theft.
The next biggest is phishing. Send someone a "hey you might be doing something bad" link and mimic the official page and hide the URL of the page to look somewhat legitimate. The person, who is gullible enough to think that any email they receive is legitimate, will click the link and enter in their account details. Credit cards, passwords, username, CD-key.
The last biggest that is starting to get a lot more common today is tabnabbing. They use techniques to gain a hold of tabs in your browser and redirect them and modify the page. Then it works somewhat like phishing.
SQL Injection is not really a thing on big websites anymore. At least it shouldn't be. Avoid websites that don't look really officially, that's usually the biggest giveaway. (Those 'deal' websites for instance)
Brute force is only really an applicable method for password theft on systems that don't rate limit and are offline. Most web services rate limit how often an account can be tried to log into from a specific IP. Which, can somewhat be circumvented by a botnet, but with limited success.
If you're using a two factor authentication, the only way for that to be compromised is what we call a man in the middle attack. And that's usually built into a trojan. What happens is the trojan or other virus software sits on the person's computer, waits for a certain action to be done (log into steam account) and when you go to put in your password it lets you. And then, when you need to use the 2-factor authentication, it blocks your ability to do so, captures what you put in, and uses it itself.
So long as you're pretty vigilant about not downloading shit onto your PC ever (no addons or programs) and run AV scans on your computer every few days, man in the middle is highly unlikely.
Trojans are pretty uncommon nowadays, the people who you want to go after are usually really weary of them in general. Usually the people who get them are old folks, and when you do that, it's to get credit card information. Phishing brings in more results.
You get what you pay for. They don't really pay well!
The problem being is you need to have IT support staff and engineers that know about it in order to fix it. A programmer that doesn't know about SQL Injection? Probably won't use prepared statements.
IT Staff that doesn't know about brute force? Probably won't know how to rate limit login attempts.
That's why you usually see these sites compromised, even encrypted data not handled properly can be used to access other sites. So a webservice like adobe gets compromised, people use those passwords, gain access to huge amounts of data and financials because people use the same password because of weird ass password requirements.
6-8 characters, special character. That makes a password easy to brute force. Super easy. 1-8 characters is more "secure". 6-8 changes the depth of that system immensely downwards. Banks are most often the culprits of this tactic, and it baffles my mind.
Secure passwords should be a "minimum of characters" requirement only, and higher than 10. This eliminates dictionary attacks, and brute force. hashing with a salt pretty much fucks rainbow tables for the most part.
These are all just basic security guidelines any website should follow.
So adobe's or sony's system being compromised likely gave these people hugggggge amounts of data.
They sell it, and post it on the shadier parts of the web for others to use and exploit.
The best thing you can do is never use the same password twice. Even small variations increase your security exponentially.
If you use "pass1" for adobe and "passw0rd" for your gmail and "p4ss" for your steam account, sure those aren't really secure passwords, but if someone gains access to adobe's information, that gets them nowhere. Especially if it's hashed and they find the right key in their rainbow table. All that gets them is your adobe account.
6-8 characters wth a required special character is slightly more secure than 6-8 characters, sure. But that's less secure than 1-8 character password. Assuming the person can formulate a good password.
Specifically the number of passwords excluded for a character set of size C is sum(C^k for k=1->5) while the total keyspace is sum(C^k for k=1->8). Even for an unreasonably small value of C like 26 the restricted portion of the keyspace in our example is only 1/17576 of the total keyspace, and that ratio gets closer to 0 the larger C is.
That's why it's less secure, not that it isn't still secure. But it also removes the possibility someone's going to try to brute force your system, especially if they've got the system in their hands and a better way to brute it.
Hence my suggestion for minimum length as your only criteria.
In such a case your password is getting intercepted somehow.
They do.
It's likely one of the three main methods.
There is a lot of words, and a lot of possible combinations of words.
I have a "common" password that I use for any site that I don't care about if it is compromised or not, or that I log into frequently. I actually need to break this up.
For anything work-related, or anything financial related, or even anything that I know can be a gateway to bigger things, I've got KeePass. And I'll use whatever limits the website will let me. I hate how Office 365 has a max character length of 16, for instance. On the other hand, there's Steam and Mint...
Here's a password derived from the same settings I used to make my current steam password (no, this is not a password I am using): ;9{0Ek 2CpXL>Gq?)e;Bx4r|^|cDyXVV
To put it mildly, only if the database is compromised will someone be hacking that one. On top of that, I use two-factor authentication wherever I can. Google, Steam, and Blizzard all have two-factor authentication, which is set up on my (password locked) phone.
My keepass database travels with me in Dropbox, with a portable version of KeePass in the same directory and a mobile version of KeePass and Dropbox set up on my phone. My Keepass at work is set to lock after a certain timeframe as well, in case I stupidly forget to lock my PC.
I'd recommend a service like that. Mine's pretty labor intensive, but there are other options like LastPass that could also be right up your alley. Just be sure that in case of emergency, someone else can get into your file. A friend of mine keeps a hard-printed copy of his password list, as well as a backup copy of the database and the master unlock password in a safety deposit box.
Yep, especially when you factor in slang and foreign languages that use the same alphabet, not to mention contractions, plurals or conjugations.
I got an infection, very probably by ad driveby, about a year ago, and the scary thing is that I never noticed until someone logged into my battle.net. Luckily I had no funds/tied creditcard, and they somehow didnt pick up the CC I entered manually in the same period on another website. (I got a new CC anyway) Really woke me up with no real harm done.
Not really. Let's assume that you know with 100% certainty (which you don't) that a password is a string of 5 words. The trick is that while that makes the password really short in length in a sense, the keyspace for each piece very large. Let's look at the English language for now.
According to Oxford Dictionaries, there are probably somewhere between 7k and 50k words in commonly used (not everyday English, but you can and should use words you don't use everyday for your password) English. Unfortunately data on vocabulary size of the average person is all over the place but something like 15000 seems to be consistently within estimates for adults.
A quick Google search shows a brute force speed of 350 billion passwords a second at a conference in December of last year.
8 random characters given a 95 character keyboard(26 upper/lower case + numbers + space and special characters) gives us ((95^8)/350,000,000 seconds) or about 5 hours. Now according to the article, they claimed to take less than 6 hours to try all 8 character passwords so this sounds reasonable.
On the other hand picking four random words in that case would be somewhere in the neighborhood of ((15,000^4)/350,000,000 seconds) or about 40 hours but simply adding a 5th word quickly brings that to 68 years. Now this assumes that you actually pick random words within your vocabulary as opposed to sticking with words you use every day, but you get the point. You can also increase that complexity a little more without really making it harder to remember by capitalizing things (camelCase, ALLCAPS) or using.a.delimiter.
I'm thinking a keylogger or web mail hack. Steam is pretty damn secure. Were you using the same password for both services? Had you changed your password recently? If so then you may want to check your settings on any web mail clients you run. I got hacked in WoW a few years back and discovered that somehow someone hacked my hotmail account and changed the settings about where notification emails get sent, so instead of just my alternate email, they were getting the mails with the links after changing a password and some stupid places put your new password in clear text in the responding email.
Yeah if you break it down for a simple password in each system:
36 combinations (5 letters) vs 50-100k combinations (5 words). That's a huge difference.
And then there's language differences, non-ascii text... it's just you'd never be able to do it at this point in time.
A password vault solution like Keepass is probably better than this, I guess?
Typically my password starts with the same characters everytime (which includes some numbers and uppercase characters to fufill some strict password requirements), then I mutate the service's name in a way known only to me, then I finish up with another set of characters.
Now as long as I remember the beginning and ending characters and I know the name of the place i'm trying to log in to I can get the password everytime.
Hmm OK. But I did say "3 or 4 words" and the xkcd example was with 4 very common words, all lower case, no special characters or numbers (to make it as easy to memorize as possible). Obviously you can make it harder to crack, but it comes at the cost of being harder to memorize/type, otherwise we'd just memorize random 256 character strings.
If I did a password of 3 random words using your numbers, that would be (15,000^3/350,000,000,000) = 9.64 seconds. Crap. And even the 40 hours it would take to guess a 4 word password isn't all that great, especially when you consider that that's to guess *every* possibility, so the *average* would only be around 20 hours.
I guess the practical takeaway from this is that word passwords can work, but you really do want to either pick at least 5 words or mix in some special characters or non-English words.
(side note, I noticed you wrote 350,000,000 instead of 350,000,000,000 but I think your math is right anyway.)
Special characters add less than MORE characters when it comes to difficulty of brute forcing a password.
If your program is combining strings of 4 random words to guess passwords making the words longer doesn't matter. "door" is as easy to guess as "elevator" if you know the password is an existing word and nothing else. The only things the program tries are dictionary words.
But if one of those words isn't correctly spelled you of course make it far harder for the program. Just remember that you spell it "hrse" instead of "horse" for your password or add a random letter or use a name or something.
XKCD's example uses 2^11 as a dictionary size, which is 2048, which is also a really really conservative estimate. There are at most 256 total letters you can use in a password, though, which is 2^7. That means that if you use a passphrase, each word is over 1.5x as strong as each letter in a password. And if you limit it to just the letters basically anyone ever will use, it's only 2^6.
Going by the assumption of a word's difficulty being 2^11: A 3 word passphrase is about as strong as a 5-6 letter password. In order to get the strength of an 8 letter password (48 bits), you need a 4 word passphrase (44 bits). Five words causes this to jump to 9 letters, and six words causes it to jump to 11 letters.
If you go by the 15000 word dictionary, now your words are worth 14 bits, more than 2 words apiece. Now your 8 letter password is beaten by a 4 word passphrase, and your 5 word passphrase is equivalent to an 11.5 letter password.
The real advantage to this is that in this case the passphrase can be LITERALLY ANY combination of words, and the password MUST be completely random. So, when comparing:
A: õ{ylg2ºõ )
B: what's the fuss about gentlemen?
B is the stronger password.
You're also assuming that someone trying to guess random words knows how many you used.
Security through obscurity is not just a useless paradigm, it's a dangerous one.
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
As somebody who hacks web applications for a living Firefox is less secure than Chrome or IE. Chrome is the browser I use least often for proof of concepts, I use it when I'm not working.
We can't assume that a brute force or dictionary attack is being launched against the login system.
Orogogus was on the right track:
Many (most?) major security breaches involve an attacker getting direct file-level access to the password database, copying it, taking it offline and cracking it on a home computer.
They could do this via a vulnerability in the website host's network configuration, or by cracking an administrator's password first... or, most likely, simply by getting a job there.
A company like Blizzard or Riot Games only purchases so much silicon directly. Much of their infrastructure is outsourced. Much of their user support is also outsourced. And they're going to have contractors going in and out of their organization for any number of reasons. Most of these contractors should be denied file-level access to critical systems, but some won't even in the best of times, and all it takes is a system admin to walk away from his computer with it unlocked or to type in his password on a keyboard with somebody watching over his shoulder for a contractor to gain access long enough to copy files to a flash drive. (Assuming your system admins are themselves trustworthy. See: Snowden, Edward.)
If the developer practices good basic password storage security - hashing and salting - then the damage can be contained. As the article points out, it is remarkably more difficult to crack salted strong passwords than unsalted strong passwords. (If you don't know what I mean by hashing and salting, then read Orogogus's article.) But you, as the user, don't have any direct control over that. Still, the basic guidelines of "use a strong password" and "don't re-use passwords" apply. If your password is strong, and the database is salted, then your password is much much harder to crack. If the database isn't salted, then your password might be cracked, but as long as you're not reusing passwords then at least your other accounts are safe.
the "no true scotch man" fallacy.