Bitcoin Forum
March 28, 2024, 11:42:28 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: 7 simple rules to mitigate most threats related to passwords  (Read 4897 times)
Vladimir (OP)
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1001


-


View Profile
June 20, 2011, 12:42:24 PM
 #1

1. Do not use the same password in more than one place.
2. If you can remember your password, it is probably weak.
3. If your password is less than 12 character long it is probably weak.
4. If your password does not contain numbers, upper-case letters and some weird symbols, it is probably weak.
5. Use password management software to store and generate passwords, such as firefox's password manager, keepass etc...
6. Use long mnemonic pass phrases as master passwords for password managers and and other accounts which you need to be able to access without using password management software (like gmail account and truecrypt containers, for example)
7. Consider writing some important passwords down on paper and storing it in secure location.

Your mileage may vary.

-
1711626148
Hero Member
*
Offline Offline

Posts: 1711626148

View Profile Personal Message (Offline)

Ignore
1711626148
Reply with quote  #2

1711626148
Report to moderator
1711626148
Hero Member
*
Offline Offline

Posts: 1711626148

View Profile Personal Message (Offline)

Ignore
1711626148
Reply with quote  #2

1711626148
Report to moderator
1711626148
Hero Member
*
Offline Offline

Posts: 1711626148

View Profile Personal Message (Offline)

Ignore
1711626148
Reply with quote  #2

1711626148
Report to moderator
"Bitcoin: the cutting edge of begging technology." -- Giraffe.BTC
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1711626148
Hero Member
*
Offline Offline

Posts: 1711626148

View Profile Personal Message (Offline)

Ignore
1711626148
Reply with quote  #2

1711626148
Report to moderator
1711626148
Hero Member
*
Offline Offline

Posts: 1711626148

View Profile Personal Message (Offline)

Ignore
1711626148
Reply with quote  #2

1711626148
Report to moderator
1711626148
Hero Member
*
Offline Offline

Posts: 1711626148

View Profile Personal Message (Offline)

Ignore
1711626148
Reply with quote  #2

1711626148
Report to moderator
killer2021
Member
**
Offline Offline

Activity: 84
Merit: 10


View Profile
June 20, 2011, 12:49:25 PM
 #2

1. Do not use the same password in more than one place.
2. If you can remember your password, it is probably weak.
3. If your password is less than 12 character long it is probably weak.
4. If your password does not contain numbers, upper-case letters and some weird symbols, it is probably weak.
5. Use password management software to store and generate passwords, such as firefox's password manager, keepass etc...
6. Use long mnemonic pass phrases as master passwords for password managers and and other accounts which you need to be able to access without using password management software (like gmail account and truecrypt containers, for example)
7. Consider writing some important passwords down on paper and storing it in secure location.

Your mileage may vary.


You also have to realize that the complexity of your password doesn't really matter. Why? Because hackers these days get the passwords through other methods (ie. stealing the database and cracking the passwords).

The only real thing a complex password protects you from is bruteforce attack. Bruteforce attack only works if your password is insanely simple or the webserver doesn't ban your ip after 3-4 failed login attempts.

Now I am not saying that your rules are bad. They are good rules to follow. What I am saying is that people need to take more precautions than just making a complex password and thinking they are safe. You need to make it so that even IF a hacker gets into your account that they can't do much damage and that you always have the upper hand.

Anonymous Cash-By-Mail Exchange: https://www.bitcoin2cash.com
1H6mqgB6UcqKt2SrCmhjxUp9np1Xrbkdj7
freetx
Newbie
*
Offline Offline

Activity: 48
Merit: 0


View Profile
June 20, 2011, 12:51:34 PM
 #3

Those are good tips, however, I think we need a 'best practices'  for web developers. I would say:
  • Use Sha512 - not MD5 for hashes
  • Salt passwords with at least 20 characters - DO NOT STORE SALT WITH HASHES
  • Do not store email addresses as plain text, store encrypted
  • Use parameterized input for SQL to avoid SQL injection attacks
  • Use form tokens to prevent CSRF attacks
aral
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
June 20, 2011, 12:52:05 PM
 #4

1.  Do not use mt.gox
2.  Do not use mt.gox
shady financier
Member
**
Offline Offline

Activity: 84
Merit: 10


etcetera


View Profile
June 20, 2011, 12:57:32 PM
 #5

1.  Do not use mt.gox
2.  Do not use mt.gox

Yes, if you are using bitcoin7.com instead, then you're probably alright. Roll Eyes

1G8AUgSTAw8hfatNnDHuYEqBAUzC3qvAAL

Bitcoin news: http://thebitcoinsun.com/

Rapidlybuybitcoin here.

The value of goods, expressed in money, is called “price”, while the value of money, expressed in goods, is called “value”. C. Quigley
killer2021
Member
**
Offline Offline

Activity: 84
Merit: 10


View Profile
June 20, 2011, 12:59:13 PM
 #6

Those are good tips, however, I think we need a 'best practices'  for web developers. I would say:
  • Use Sha512 - not MD5 for hashes
  • Salt passwords with at least 20 characters - DO NOT STORE SALT WITH HASHES
  • Do not store email addresses as plain text, store encrypted
  • Use parameterized input for SQL to avoid SQL injection attacks
  • Use form tokens to prevent CSRF attacks


Yea web server security is 100x more important.

You could have the most complex password ever, but if the website is not secure then your screwed.

Anonymous Cash-By-Mail Exchange: https://www.bitcoin2cash.com
1H6mqgB6UcqKt2SrCmhjxUp9np1Xrbkdj7
kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1024



View Profile
June 20, 2011, 01:00:17 PM
 #7

Those are good tips, however, I think we need a 'best practices'  for web developers. I would say:
  • Use Sha512 - not MD5 for hashes
  • Salt passwords with at least 20 characters - DO NOT STORE SALT WITH HASHES
  • Do not store email addresses as plain text, store encrypted
  • Use parameterized input for SQL to avoid SQL injection attacks
  • Use form tokens to prevent CSRF attacks

3, 4 and 5 are good, but I don't think you understand how password hash systems work.

1) MD5 is fine for passwords, when used in a salted iterated hashing system.
2) Passwords are salted with a set number of bits, that depends on the system you are using, not some number of characters.  And the salt must be stored with the password, otherwise you don't know how to compare them.  Unless you are talking about a having a secret that you append to all passwords before sending them through the salt and hash procedure.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
freetx
Newbie
*
Offline Offline

Activity: 48
Merit: 0


View Profile
June 20, 2011, 01:48:37 PM
 #8



3, 4 and 5 are good, but I don't think you understand how password hash systems work.

1) MD5 is fine for passwords, when used in a salted iterated hashing system.
2) Passwords are salted with a set number of bits, that depends on the system you are using, not some number of characters.  And the salt must be stored with the password, otherwise you don't know how to compare them.  Unless you are talking about a having a secret that you append to all passwords before sending them through the salt and hash procedure.

Ideally, using a different salt for each password is good - but storing the salt in plaintext inside the database defeats the purpose (only means that attackers can't rely on pre generated hash databases).

At the bare minimum, they could've salted the passwords inside the source code and only stored the resulting hash to the database.

So that, password "12345" becomes "12345lkj3409ruflk30rjfsldk4lkljflkj234%%#$4324", which is then hashed and stored in plaintext.

This simple step would've prevented the entire MtGox issue that we've seen yesterday.

Vladimir (OP)
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1001


-


View Profile
June 20, 2011, 01:52:33 PM
 #9

Guys, this thread was not intended as educational resource for PHP programmers. It is and the password handling rules are for regular users. How this could not be obvious?

Please continue your "how to develop secure web apps" discussion elsewhere.

-
Klestin
Hero Member
*****
Offline Offline

Activity: 493
Merit: 500


View Profile
June 20, 2011, 01:54:47 PM
 #10

You also have to realize that the complexity of your password doesn't really matter. Why? Because hackers these days get the passwords through other methods (ie. stealing the database and cracking the passwords).
Not entirely true, as the recent issue confirms. If an attacker gets access to a list of password hashes, the complexity of the password is a huge factor in how long it takes to determine your password.
gst
Newbie
*
Offline Offline

Activity: 38
Merit: 0


View Profile
June 20, 2011, 01:59:56 PM
 #11

Those are good tips, however, I think we need a 'best practices'  for web developers. I would say:
  • Use Sha512 - not MD5 for hashes
  • Salt passwords with at least 20 characters - DO NOT STORE SALT WITH HASHES
  • Do not store email addresses as plain text, store encrypted
  • Use parameterized input for SQL to avoid SQL injection attacks
  • Use form tokens to prevent CSRF attacks

Using Sha512 instead of MD5 will change nothing.

If possible, I'd suggest to use scrypt (http://www.tarsnap.com/scrypt.html). If there's no available scrypt implementation for the language your using use bcrypt (http://en.wikipedia.org/wiki/Bcrypt).
foo
Sr. Member
****
Offline Offline

Activity: 409
Merit: 250



View Profile
June 20, 2011, 02:06:32 PM
 #12

2. If you can remember your password, it is probably weak.
This actually isn't true, though one might think so. See new reasearch by Steve Gibson: https://www.grc.com/haystack.htm

I know this because Tyler knows this.
Vladimir (OP)
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1001


-


View Profile
June 20, 2011, 02:22:25 PM
Last edit: June 20, 2011, 04:45:37 PM by Vladimir
 #13

2. If you can remember your password, it is probably weak.
This actually isn't true, though one might think so. See new reasearch by Steve Gibson: https://www.grc.com/haystack.htm

"research"? That is more like a very weak and naive claim. Old man seems to be getting way behind the curve.

With all due respect, to Steve Gibson and his cute idea of easy to remember passwords, I am going to have to disagree with him on this. He claims that 'D0g.....................' is stronger password than 'PrXyc.N(n4k77#L!eVdAfp9'. He should know better.

It might be the case when stupid brute force is employed, but these days attackers use much much more effective ways to reduce the key space than simply iterating over all permutations, as Steve seems to believe. These include permutations of dictionary words with common replacements of letters by numbers with various uppercase/lowercase scenarios in combination with sets of same symbols repeating as well as other methods of reducing keyspace by emulating various patterns people use to create passwords they can remember. These techniques often reduce keyspace by many orders of magnitude.




-
dukejer
Jr. Member
*
Offline Offline

Activity: 42
Merit: 2


View Profile
June 20, 2011, 02:30:24 PM
 #14

Here is what I use to keep my passwords safe.

1) KeyPass and KeypassX:  I have it on my Windows systems, Linux Systems and my Android phone.  The database can be synced and used by all 3 Operating Systems.

2) Every site I visit has a randomly generated password using the maximum amount of characters and symbols the site would let me use.

3) Master passwords I use for the databases are a place in the world and I memorize the latitude and longitude to create my master password.  I use Google maps to find the latitude and longitude and I do not click on the most obvious place at the location.

For Example:

If I want to use the Eiffel Tower for my password at 48.8583N, 02.2945E my password would be similar to this.  I never capitalize the first letter but some letter in the middle.  I also replace some of the letters with leet speak.  Now if I need my password before I memorize it I can just think of the Eiffel Tower and then use that to remember my master passwords.

3iff3lt0W3r488583N022945E

GRC rates the above password 2.09 trillion trillion centuries to break.

-Dukejer
fergalish
Sr. Member
****
Offline Offline

Activity: 440
Merit: 250


View Profile
June 20, 2011, 02:49:33 PM
 #15

This actually isn't true, though one might think so. See new reasearch by Steve Gibson: https://www.grc.com/haystack.htm
This page contains a serious flaw.  It may well be true that padding increases the strength of your password, but if an attacker cracks one of your passwords, he will know what padding to use for your other passwords.
BinaryMage
Hero Member
*****
Offline Offline

Activity: 560
Merit: 500


Ad astra.


View Profile
June 20, 2011, 02:57:31 PM
 #16

No matter how complex your password is, it can still be easily hacked if the attackers gain access to the database. A much more secure way to login that I wish more sites would implement is Gmail's two-step verification process, where you must enter your password and enter a verification code sent to your phone in order to login. I think that the time where a complicated password that would be impossible to brute force being sufficient has passed. Newer, multiple-step verification processes are necessary. Maybe MtGox can consider implementing something like that. It would sure make their users feel safer.

-- BinaryMage -- | OTC | PGP
MikesMechanix
Member
**
Offline Offline

Activity: 70
Merit: 10



View Profile
June 20, 2011, 04:28:57 PM
 #17

One way to construct a somewhat easily remembered long password is to think of a song, poem or somesuch, which you could remember in your sleep, and then apply some algorithm on the words.

As an example, pick the first three letters of each word from the first line of Paranoid:

Finished with my woman 'cause she couldn't help me with my mind

Then pick some characters to delimit the letters and maybe start or end the password. Make up some rule by which you make some of letters uppercase. For example:

3Fin.wIt.my.Wom.'Ca.she.Cou.hEl.me.Wit.mY.min%

That's 46 characters fairly easily remembered. Half of that would be enough, and in fact 3 letters may be a bit much since I ended up with a couple of dictionary words in there.

(You want the brute-force search space be large: use 1 or more characters from each group: uppercase, lowercase, numbers, symbols.)

Please send your extra Bitcoins to 17miTorGDBUh3yNTYJtodJPw9wzrcNcf6y. Thank you!

Sign up on TradeHill Instant Bitcoin Exchange using this link to get a lifetime 10 % discount on trades!
MikesMechanix
Member
**
Offline Offline

Activity: 70
Merit: 10



View Profile
June 20, 2011, 04:42:13 PM
 #18

No matter how complex your password is, it can still be easily hacked if the attackers gain access to the database.

This is not true. A properly hashed strong password would take millions of trillions of trillions of trillions of trillions of trillions centuries to break even with the most ridiculous hashing cluster you can imagine. See the link in foo's post above.

Even the Unix MD5 crypt scheme is really strong as long as you stay away from dictionary words and make sure the "search space" is large enough.

Also, once an attacker has gained access to a database, the game is pretty much over, and the passwords are only a nice bonus...

Please send your extra Bitcoins to 17miTorGDBUh3yNTYJtodJPw9wzrcNcf6y. Thank you!

Sign up on TradeHill Instant Bitcoin Exchange using this link to get a lifetime 10 % discount on trades!
BinaryMage
Hero Member
*****
Offline Offline

Activity: 560
Merit: 500


Ad astra.


View Profile
June 20, 2011, 11:39:18 PM
 #19


This is not true. A properly hashed strong password would take millions of trillions of trillions of trillions of trillions of trillions centuries to break even with the most ridiculous hashing cluster you can imagine. See the link in foo's post above.

Even the Unix MD5 crypt scheme is really strong as long as you stay away from dictionary words and make sure the "search space" is large enough.

Also, once an attacker has gained access to a database, the game is pretty much over, and the passwords are only a nice bonus...

I stand corrected. Nonetheless, as you say, once the database is hacked, you're screwed anyway.

-- BinaryMage -- | OTC | PGP
phenom
Newbie
*
Offline Offline

Activity: 35
Merit: 0


View Profile
June 21, 2011, 12:00:17 AM
 #20

Does anyone use PasswordMaker ?

https://addons.mozilla.org/en-us/firefox/addon/passwordmaker/

I'm thinking of using this system.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!