Anyone who has visited my site in the last 48 hours.


keira


Attention anyone who has wandered across my website (http://calref.co.cc) in the last 48 hours: A little prick password guesser got into the domain registrar and changed all of my A records to some site in Russia. Unfortunately, I have been having severe connectivity issues lately and just assumed it was something with my lovely ISP. It wasn't.

 

Thankfully, the bot or w/e didn't change my password so I have been able to reverse the damage. I've replaced the ages-old password with one with significantly more entropy and whatnot. This won't happen again.

 

However, to anyone who has visited my site or any subdomains (read: rpwiki.calref), I strongly recommend you run a quick virus check just in case, especially if you ended up redirected to a .ru website at any point.

 

My deepest apologies, I feel horrible for this happening :(

 

(for those interested, the IP was 91.204.72.72 when it should've been 65.254.248.133, I strongly recommend blacklisting if you know how)


Originally Posted By: Master1
Just a note about entropy in passwords. Length is better than random characters when computers are doing the hacking.


Yeah, a password like mmmmmmmmmmkmmmmmmmmmm6 (10m k 10 m 6) is for all intents impossible to brute-force and it's really quite easy to memorize.

No, that's not my SW password, and my password isn't even of that form, so you can stop trying before you even start.

Originally Posted By: Sylae
I actually generated new passwords for all my important stuff when I first saw that comic...sadly I never implemented any of them until now.

It reminds me of my insistence on pgp-signing all my messages...it's all there ready to go, but people I email ∩ people who know/care about message security is nonexistent


I've been signing all emails for years, but have only met about three people who cared enough to exchange key signatures with me.

4 weeks later...
Originally Posted By: Dantius
Originally Posted By: Master1
Just a note about entropy in passwords. Length is better than random characters when computers are doing the hacking.

Yeah, a password like mmmmmmmmmmkmmmmmmmmmm6 (10m k 10 m 6) is for all intents impossible to brute-force and it's really quite easy to memorize.
And yet I've had Hotmail tell me that such a password is very weak, and then tell me that a 6-character password full of garbage was very strong.

Originally Posted By: Mistb0rn
What really aggravates me is the websites that put a limit on the number of characters; (6-8, usually.) It feels so insecure. My passwords are generally long, and having to use only 8 characters is irritating.
Yeah, it sucks. I prefer passwords that are 10-12 characters, minimum; I've actually had one or two shorter passwords hacked. However, I will say this about sites that force you to have shorter passwords: Some of them will also force you to change your password on a regular (usually monthly) basis; and some of those won't let you use the same password more than once.

Originally Posted By: The Mystic
And yet I've had Hotmail tell me that such a password is very weak, and then tell me that a 6-character password full of garbage was very strong.


In addition to being a terrible email service, Hotmail also apparently lies.

The algorithm to generate "password strength" probably counts characters and repetitions, but that's not how algorithms to break passwords work. For a better analysis of password "strength", try this.

Originally Posted By: The Mystic
However, I will say this about sites that force you to have shorter passwords: Some of them will also force you to change your password on a regular (usually monthly) basis; and some of those won't let you use the same password more than once.

Any system that forces you to change your password on a regular basis sucks.

Dikiyoba.

Originally Posted By: The Mystic
some of those won't let you use the same password more than once.
In these cases, I usually change my password to "Abc$123" or something like that, then change it right back. That'll usually trick it the right way, and if a website keeps track of your past passwords then it's not a website anyone should ever use.

Originally Posted By: Dainty Us
if a website keeps track of your past passwords then it's not a website anyone should ever use.
That actually did happen, and I had to use it for my job at the time. Then again, it was a corporate website with a lot of sensitive information, so it needed to be a bit paranoid. The site kept a list of every password you've ever used on the site (even temporary ones given out if you forgot your password), and checked all your new passwords against the list; if the new password matched, it was rejected.

Originally Posted By: The Mystic
That actually did happen, and I had to use it for my job at the time. Then again, it was a corporate website with a lot of sensitive information, so it needed to be a bit paranoid. The site kept a list of every password you've ever used on the site (even temporary ones given out if you forgot your password), and checked all your new passwords against the list; if the new password matched, it was rejected.


please tell me it didn't store that list of all your passwords in a cleartext file somewhere because that would be a hilarious security hole

I've had passwords tracked for at least two years. While on vacation I missed my password change deadline and discovered a friendly automated process for setting a new password that just required the answer to a security question.

 

There are two problems with this. One, that makes the password only as secure as the question, and most of the questions were likely to have dictionary lookup answers. Two, the reset didn't check against the password list, so I used that to keep the same password.

 

—Alorael, whose passwords tend to be long and meaningless. Some he remembers. Many for websites used rarely are just stored by his computer, and in a pinch he can always use the "Forgot your password?" link to replace all passwords with the one password for his email.


What sets warning bells off for me are services that require you to change your password on a regular basis and stipulate that your new password cannot share a substring with any previous passwords. I don't think I've seen this restriction actually enforced though, which is a good thing; while you can use hashes to see if two strings match exactly, I don't think you can use them to see if two strings share a substring.


Actually, there's a really easy way to test that. Go with the most basic substring: a single character. Read off each character from the old password and check to see that the new one doesn't contain it.

 

—Alorael, who can see an immediate downside. You can easily run out of characters and have no legal passwords left. Maybe by "substring" they meant "substantial portion" or even "don't just increment or decrement a number at the end of your password, please."


Originally Posted By: Dantius
Originally Posted By: The Mystic
And yet I've had Hotmail tell me that such a password is very weak, and then tell me that a 6-character password full of garbage was very strong.


In addition to being a terrible email service, Hotmail also apparently lies.

The algorithm to generate "password strength" probably counts characters and repetitions, but that's not how algorithms to break passwords work. For a better analysis of password "strength", try this.


Weird how adding a j at the end can make a password go from 1 hour to 21 thousand years.

If you have a very simple pattern, it's easily predicted, apparently. A single character that breaks the pattern increases the security immensely.

 

—Alorael, who has realized that it would be most efficient to remember sentences and use them. "This is an excellent password!" is, in fact, an excellent password.


Originally Posted By: Lilith
Originally Posted By: Mod.
Weird how adding a j at the end can make a password go from 1 hour to 21 thousand years.


it's not that surprising when you think about it. the difficulty of randomly guessing a password increases exponentially with its length, cet. par.

The problem is the magnitude of the change. It requires the password to be quite weak without the j and very strong with it. Something like a number repeated 11 times followed by a letter produces that pattern.

Oh, and I think my favorite part of the analysis is the fact that it writes out, in letters, numbers into the vigintillions. That puts it 30 orders of magnitude larger than the next largest number I've actually seen written out anywhere but in a list of large numbers' names.

—Alorael, who has determined that his passwords are actually relatively easy to brute force. He just doesn't see anyone dedicating months of processing time to that task.
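The posts above argue that a meter which just counts characters and classes will call mmmmmmmmmmkmmmmmmmmmm6 strong while a pattern-aware guesser finds it cheap, and that one extra character can flip the verdict. The following is an added example, not code from the thread or from the strength-checker linked in it; the character classes, the run-length guessing model and the 10^9 guesses/second rate are assumptions chosen to illustrate the gap, not a real cracker's cost model.

```python
"""Added example: naive strength scoring vs a run-aware guessing cost.

Assumed model: a naive meter treats every position as an independent pick from
the union of character classes used; a run-aware guesser instead pays once per
run of identical characters (one character choice plus one run length).  The
run model is capped at the naive cost, since a guesser can always fall back to
plain brute force.  Numbers are illustrative, not a real cracker's cost model.
"""
import math
from itertools import groupby

# Hypothetical character classes; a real meter has its own tables.
CLASSES = [
    ("lower", "abcdefghijklmnopqrstuvwxyz"),
    ("upper", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    ("digit", "0123456789"),
    ("symbol", "!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ "),
]


def alphabet_size(pw: str) -> int:
    """Size of the union of the character classes the password touches."""
    return sum(len(chars) for _, chars in CLASSES if any(c in chars for c in pw))


def naive_bits(pw: str) -> float:
    """Bits a class-counting meter assigns: length * log2(alphabet)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))


def run_model_bits(pw: str) -> float:
    """Bits a run-aware guesser pays: per run, one character (log2 alphabet)
    plus one run length (assumed bounded by the total length)."""
    if not pw:
        return 0.0
    runs = [(ch, len(list(g))) for ch, g in groupby(pw)]
    per_run = math.log2(alphabet_size(pw)) + math.log2(len(pw))
    return len(runs) * per_run


def analyze(pw: str, guesses_per_second: float = 1e9) -> dict:
    """Compare the two views of one password and give a crude time-to-guess
    for the cheaper one.  Guess rate is an assumed constant."""
    naive = naive_bits(pw)
    runs = len([k for k, _ in groupby(pw)])
    effective = min(naive, run_model_bits(pw))
    seconds = 2 ** effective / guesses_per_second
    return {
        "naive": naive,
        "runs": runs,
        "effective": effective,
        "years": seconds / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    # The thread's examples: a long repeating pattern, the same pattern with one
    # extra character, and a short password with no repeats at all.
    for pw in ("mmmmmmmmmmkmmmmmmmmmm6", "11111111111", "11111111111j", "x7Qp2a"):
        r = analyze(pw)
        print(f"{pw:24} naive={r['naive']:6.1f} bits  runs={r['runs']:2d}  "
              f"effective={r['effective']:5.1f} bits  ~{r['years']:.3g} years")
```

Under the run model the repeated-m password drops from about 114 naive bits to under 40, and appending a letter to a repeated digit raises the naive score far more than the run-aware cost.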

Originally Posted By: Dintiradan
What sets warning bells off for me are services that require you to change your password on a regular basis and stipulate that your new password cannot share a substring with any previous passwords. I don't think I've seen this restriction actually enforced though, which is a good thing; while you can use hashes to see if two strings match exactly, I don't think you can use them to see if two strings share a substring.
Originally Posted By: Alorael
Actually, there's a really easy way to test that. Go with the most basic substring: a single character. Read off each character from the old password and check to see that the new one doesn't contain it.
If you're storing passwords as hashes (basically the same concept as a checksum), you shouldn't be able to recover the individual characters. If the authentication software is able to remember each character in the password, that means that it's storing it somewhere as cleartext.

Again, I haven't seen anything that actually enforced the substring rule. They were just phrasing recommendations as requirements instead. Basically just "don't just enter your old password and stick a different number at the end", which everyone does anyway when forced to change on a regular basis.

You wouldn't need to store the password, just a list of characters used. Admittedly, that's also a huge security problem. Best case scenario for ten unique characters used in a ten character password is 3.6 million possible passwords. But with only 8 characters, the standard minimum, that's a mere 40,320 permutations. Start duplicating characters and it only gets worse.

 

—Alorael, who could see another odd, difficult, and interesting implementation: perform some simple encryption that replaces characters with different characters, then store the result as an image. Compare the new and old password images and reject the new one if visual similarity is too high. That couldn't find substrings very well, but it could compare total number of matching characters without involving any text, strictly speaking, and even access to the images won't give cleartext. A Unicode-friendly ROT# would work, but the images would still be easy to decrypt. There's probably not any good way to conceal the passwords except possibly converting the images into something not resembling passwords at all, achieving security through obscurity, which is usually feeble security.


Originally Posted By: Dantius
Originally Posted By: The Mystic
And yet I've had Hotmail tell me that such a password is very weak, and then tell me that a 6-character password full of garbage was very strong.

In addition to being a terrible email service, Hotmail also apparently lies.

The algorithm to generate "password strength" probably counts characters and repetitions, but that's not how algorithms to break passwords work. For a better analysis of password "strength", try this.
Hotmail isn't all that bad; I've used worse.

Anyway, cool link. I just discovered that one of my old passwords could be hacked in 8 seconds (and it was, indeed, hacked), and that its replacement could be hacked in a day. And oddly, one of my oldest passwords, which Hotmail claimed was extremely weak, would take 8000 years to hack. My best password by far was one I made recently; it would take 809,000 years.

Then I typed in "meanwhilebackatthetimeloopexperiment"; it checked out at 110 decillion years.

Originally Posted By: Lilith
Originally Posted By: The Mystic
That actually did happen, and I had to use it for my job at the time. Then again, it was a corporate website with a lot of sensitive information, so it needed to be a bit paranoid. The site kept a list of every password you've ever used on the site (even temporary ones given out if you forgot your password), and checked all your new passwords against the list; if the new password matched, it was rejected.

please tell me it didn't store that list of all your passwords in a cleartext file somewhere because that would be a hilarious security hole
I certainly hope not; I didn't work in their IT department, so I wouldn't have known anyway. And even if they did, I wouldn't care at this point, seeing as there was no love lost with the company when I left (I liked the people, but the pay (commission only) sucked; I actually lost money by working there).

Originally Posted By: Rowen
My school does not allow the reuse of passwords. And they suggest ones like ASDF760SAD&*^*-O*D&SFgo to be your password and then tell you to memorize it, never writing it down. Sometimes I feel that security and stupidity are mistaken for the same thing here.
That sounds like a fairly accurate assessment. It also sounds like whoever wrote the password generator was rather lazy.

Originally Posted By: The (Armored) Ratt
I wonder if that link you gave is secure/remembers what people enter. If it does, it could be gathering passwords for one massive attack!


Nothing is uploaded anywhere, all calculations are done client-side. At least that's what Firebug and casually looking through the code says, I wouldn't test your bank passwords (just swap one part for something similar and the entropy should remain about the same).

Besides, unless they also had some idea who you were or your account names they would have no idea which of their vast database of passwords to use where. This would leave them the problem of needing to brute-force the username, as well as which password to pair with it, not knowing for certain whether the system being tested is even one for which they have any valid passwords.


Fun fact: my bank has just such a security system, and someone kept locking me out of my account. I would have suspected an attempt at brute forcing, but three tries every few weeks makes that a rather low payoff attempt. I think someone else's login was similar to mine and they were making some mistakes.

 

—Alorael, who changed his account name and stopped having problems. And by "changed his account name" he means "argued with the bank until they admitted that having to close and immediately open an account, getting all new cards and handling an enormous wad of cash, is an idiotic plan in which everyone loses."


Originally Posted By: I made a vow with zombies in it.
—Alorael, who changed his account name and stopped having problems. And by "changed his account name" he means "argued with the bank until they admitted that having to close and immediately open an account, getting all new cards and handling an enormous wad of cash, is an idiotic plan in which everyone loses."


Mh; my login is my account number (and therefore likely the primary key in their database) which means it probably would be easier to open a new account than to get it changed.

My bank wants me to come up with a 15 digit alphanumeric username that has no relationship with my actual name or account number and then a 20 digit alphanumeric passcode including at least one capital and a symbol.

 

My credit union, however, has the hyper-advanced security of "entering in my credit card number and identifying which one of these four pictures I selected when I signed up". Oh, and it needs my 4-digit PIN too. So I'm kind of concerned about that.


My credit union requires me to enter my debit card number and a five digit code, so yeah, same boat. The site also asks me a random security question every time I log in from a new computer.

 

It also displays an image and caption once I log in, but that's an anti-phishing feature, not an authentication feature. Phishing sites won't know which image I picked and which caption I wrote. Of course, it's too late if you notice you're on the wrong site after you've entered your credentials...

 

EDIT: Huh, now that I think about it, a phishing site could send your credentials to the actual site and mirror all content dynamically, including your image and caption...


I'm trying to think of a workaround for the security image exploit, and I'm drawing a blank. Any brighter minds have a solution?

 

—Alorael, whose best ideas all revolve around replacing the simple image with something bandwidth-intensive and impossible to link to without downloading and re-uploading, like security movies. That still isn't perfectly secure, and it relies on customers' willingness to put up with loading large files for security. Better solution: check the URL!


Originally Posted By: Present Ongoing Breakup
I'm trying to think of a workaround for the security image exploit, and I'm drawing a blank. Any brighter minds have a solution?


Yes, go to your bank in person to make all transactions, pay your bills by check instead of wire/telephone transfer, and don't register for online banking.

What? You didn't say it had to be practical!

Originally Posted By: Present Ongoing Breakup
I'm trying to think of a workaround for the security image exploit, and I'm drawing a blank.


Well, instead of entering credentials to see an image, you and the bank site could verify a shared secret without transmitting the secret. This would allow you and the server to verify each other's identity without leaking credentials.

Now you guys are making me feel like an old fuddy-duddy. My wife and I have resisted the urge to do on-line banking. I suppose being a DBA makes me more paranoid than most. I work too closely with computers to trust them. I have only one debit card, which I never use for online transactions. I have several other cards that I could use to get cash, but I always say no to the offer of enabling that feature. The only computerized transaction I do have is direct deposit. Any other services I need, I get in the car, drive the two miles to the bank, and take care of it.

 

I once tried to get my wife to try Quicken. That lasted all of about 15 seconds. She likes her accounting system; the Big Chief method. It doesn't involve learning any computer program; it's simple to use; if it crashes she just picks up the pad off the floor; to reboot, she just clicks more lead out of the pencil; it's portable; it works without electricity; and it works. Bills get paid by check, and I drop them off directly at the post office.

 

I have done a lot of online shopping, but it still gives me a mild anxiety when dealing with a new vendor. Paranoia is a healthy attribute for a DBA, but it hampers adaptation to new technologies.


'Unlimited' Bandwidth doesn't actually mean 'Unlimited' I guess. After a couple years of having a well used chat, FatCow has decided we're using too much of our 'Unlimited' bandwidth with it and demanded that it be deleted or no website.

 

...

 

Of course, they have the right to decide how much of 'Unlimited' is too much, since they gave it to themselves in their Terms of Service...

 

Who knew half a dozen people could talk so much?


Originally Posted By: Jewels in Black
Who knew half a dozen people could talk so much?
I wish there were that many...three on average if we ignore the times when nobody is on, we might get six or seven once every two weeks...

But this is just stupid. Chat was set to 5 seconds between requests...that's 720 requests per person per hour (not mentioning the fact that every other request times out due to server "wonderfulness"). So, that's 2,160 for three people per hour. At an average of 512 B per request (most are lower because they aren't carrying any new messages; on the off chance someone talks this will go up, as it has to carry the message with it), that works out to 1,080 KiB per hour for three chatters.

So yes, by my math, Jewels's webhost is getting butthurt by one megabyte per hour.

Originally Posted By: Nioca
Ouch. So what's the plan? Are you guys going to remove the chat to comply, or is CalRef moving yet again?
For now, turning the chat off. May change it so the chat requests every ten seconds instead (this was the rate back when CalRef was on ProfuseHost). If that doesn't work, I'll start whoring myself out to pay for a VM with rackspace or something

Well, my plan is to ultimately get them to give me a year of hosting free for even daring to suggest that my tiny little website is too much for their servers to handle.

 

Implementation is still a work in progress but the secret weapon is available and will be brought out if needed.

 

Edit: And really their complaint was the # of requests rather than the bandwidth. Shouldn't be too hard to fix, but still... We can't even be close to what a 'real' website is using.
