Vladimir (OP)
June 20, 2011, 12:42:24 PM
1. Do not use the same password in more than one place.
2. If you can remember your password, it is probably weak.
3. If your password is less than 12 characters long, it is probably weak.
4. If your password does not contain numbers, upper-case letters and some weird symbols, it is probably weak.
5. Use password management software to store and generate passwords, such as Firefox's password manager, KeePass etc.
6. Use long mnemonic pass phrases as master passwords for password managers and other accounts which you need to be able to access without using password management software (like a Gmail account and TrueCrypt containers, for example).
7. Consider writing some important passwords down on paper and storing it in a secure location.
Your mileage may vary.
killer2021
Member
Offline
Activity: 84
Merit: 10
June 20, 2011, 12:49:25 PM
> 1. Do not use the same password in more than one place.
> 2. If you can remember your password, it is probably weak.
> 3. If your password is less than 12 characters long, it is probably weak.
> 4. If your password does not contain numbers, upper-case letters and some weird symbols, it is probably weak.
> 5. Use password management software to store and generate passwords, such as Firefox's password manager, KeePass etc.
> 6. Use long mnemonic pass phrases as master passwords for password managers and other accounts which you need to be able to access without using password management software (like a Gmail account and TrueCrypt containers, for example).
> 7. Consider writing some important passwords down on paper and storing it in a secure location.
> Your mileage may vary.

You also have to realize that the complexity of your password doesn't really matter. Why? Because hackers these days get the passwords through other methods (i.e. stealing the database and cracking the passwords). The only real thing a complex password protects you from is a brute-force attack. A brute-force attack only works if your password is insanely simple or the webserver doesn't ban your IP after 3-4 failed login attempts. Now I am not saying that your rules are bad. They are good rules to follow. What I am saying is that people need to take more precautions than just making a complex password and thinking they are safe. You need to make it so that even IF a hacker gets into your account they can't do much damage and that you always have the upper hand.
freetx
Newbie
Offline
Activity: 48
Merit: 0
June 20, 2011, 12:51:34 PM
Those are good tips, however, I think we need a 'best practices' for web developers. I would say:
- Use SHA-512, not MD5, for hashes
- Salt passwords with at least 20 characters - DO NOT STORE SALT WITH HASHES
- Do not store email addresses as plain text, store them encrypted
- Use parameterized input for SQL to avoid SQL injection attacks
- Use form tokens to prevent CSRF attacks
aral
Newbie
Offline
Activity: 42
Merit: 0
June 20, 2011, 12:52:05 PM
1. Do not use mt.gox
2. Do not use mt.gox
shady financier
Member
Offline
Activity: 84
Merit: 10
etcetera
June 20, 2011, 12:57:32 PM
> 1. Do not use mt.gox
> 2. Do not use mt.gox

Yes, if you are using bitcoin7.com instead, then you're probably alright.
1G8AUgSTAw8hfatNnDHuYEqBAUzC3qvAAL Bitcoin news: http://thebitcoinsun.com/Rapidlybuybitcoin here.The value of goods, expressed in money, is called “price”, while the value of money, expressed in goods, is called “value”. C. Quigley
killer2021
Member
Offline
Activity: 84
Merit: 10
June 20, 2011, 12:59:13 PM
> Those are good tips, however, I think we need a 'best practices' for web developers. I would say:
> - Use SHA-512, not MD5, for hashes
> - Salt passwords with at least 20 characters - DO NOT STORE SALT WITH HASHES
> - Do not store email addresses as plain text, store them encrypted
> - Use parameterized input for SQL to avoid SQL injection attacks
> - Use form tokens to prevent CSRF attacks

Yea, web server security is 100x more important. You could have the most complex password ever, but if the website is not secure then you're screwed.
kjj
Legendary
Offline
Activity: 1302
Merit: 1026
June 20, 2011, 01:00:17 PM
> Those are good tips, however, I think we need a 'best practices' for web developers. I would say:
> - Use SHA-512, not MD5, for hashes
> - Salt passwords with at least 20 characters - DO NOT STORE SALT WITH HASHES
> - Do not store email addresses as plain text, store them encrypted
> - Use parameterized input for SQL to avoid SQL injection attacks
> - Use form tokens to prevent CSRF attacks

3, 4 and 5 are good, but I don't think you understand how password hash systems work.
1) MD5 is fine for passwords, when used in a salted iterated hashing system.
2) Passwords are salted with a set number of bits, which depends on the system you are using, not some number of characters. And the salt must be stored with the password, otherwise you don't know how to compare them. Unless you are talking about having a secret that you append to all passwords before sending them through the salt and hash procedure.
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.
freetx
Newbie
Offline
Activity: 48
Merit: 0
June 20, 2011, 01:48:37 PM
> 3, 4 and 5 are good, but I don't think you understand how password hash systems work.
> 1) MD5 is fine for passwords, when used in a salted iterated hashing system.
> 2) Passwords are salted with a set number of bits, which depends on the system you are using, not some number of characters. And the salt must be stored with the password, otherwise you don't know how to compare them. Unless you are talking about having a secret that you append to all passwords before sending them through the salt and hash procedure.

Ideally, using a different salt for each password is good, but storing the salt in plaintext inside the database defeats the purpose (it only means that attackers can't rely on pre-generated hash databases). At the bare minimum, they could've salted the passwords inside the source code and only stored the resulting hash in the database. So that password "12345" becomes "12345lkj3409ruflk30rjfsldk4lkljflkj234%%#$4324", which is then hashed and stored in plaintext. This simple step would've prevented the entire MtGox issue that we've seen yesterday.
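Added example, my own code rather than anything posted by kjj, freetx or MtGox: the salted, iterated scheme kjj describes, where the per-user salt is stored in the record precisely because verification has to read it back, combined with the secret-in-the-source-code that freetx describes (usually called a pepper), which is kept out of the database and so is missing from a stolen table. It assumes PBKDF2-HMAC-SHA256 as the iterated hash, an iteration count I picked for illustration, and a constructed pepper value and record format.

```python
import hashlib
import hmac
import os

# Assumptions for this example: PBKDF2-HMAC-SHA256 as the iterated hash, an
# iteration count chosen for illustration, and a constructed pepper. In a real
# deployment the pepper lives in config or a secrets store, never in the user table.
ITERATIONS = 200_000
PEPPER = b"constructed-example-pepper-not-in-the-database"
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None, pepper: bytes = PEPPER) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.

    The salt is random per user and stored in the record: it is not a secret,
    its job is to make every user's hash unique so precomputed tables are useless.
    The pepper is appended to the password and is NOT stored; someone holding
    only the database cannot even begin checking guesses without it.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, fresh for each stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper, salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash using the salt and iteration count read back from the record."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8") + pepper, bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def demo() -> dict:
    """Two users choose the same password; show what the stored records reveal."""
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    return {
        "records_differ": alice != bob,  # the salt makes them unique
        "alice_ok": verify_password("correct horse battery staple", alice),
        "bob_ok": verify_password("correct horse battery staple", bob),
        "wrong_rejected": not verify_password("correct horse battery stapler", alice),
        # Without the pepper (a database-only leak) verification cannot succeed.
        "no_pepper_fails": not verify_password("correct horse battery staple", alice, pepper=b""),
    }


if __name__ == "__main__":
    print(demo())
```

The salt and the pepper answer different threats: the salt stops one precomputed table from serving every user, the pepper makes a stolen table useless on its own. Neither replaces the iteration count, which is what makes each guess expensive.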
Vladimir (OP)
June 20, 2011, 01:52:33 PM
Guys, this thread was not intended as an educational resource for PHP programmers. It is, and the password handling rules are, for regular users. How could this not be obvious?
Please continue your "how to develop secure web apps" discussion elsewhere.
Klestin
June 20, 2011, 01:54:47 PM
> You also have to realize that the complexity of your password doesn't really matter. Why? Because hackers these days get the passwords through other methods (i.e. stealing the database and cracking the passwords).

Not entirely true, as the recent issue confirms. If an attacker gets access to a list of password hashes, the complexity of the password is a huge factor in how long it takes to determine your password.
gst
Newbie
Offline
Activity: 38
Merit: 0
June 20, 2011, 01:59:56 PM
> Those are good tips, however, I think we need a 'best practices' for web developers. I would say:
> - Use SHA-512, not MD5, for hashes
> - Salt passwords with at least 20 characters - DO NOT STORE SALT WITH HASHES
> - Do not store email addresses as plain text, store them encrypted
> - Use parameterized input for SQL to avoid SQL injection attacks
> - Use form tokens to prevent CSRF attacks

Using SHA-512 instead of MD5 will change nothing. If possible, I'd suggest using scrypt (http://www.tarsnap.com/scrypt.html). If there's no scrypt implementation available for the language you're using, use bcrypt (http://en.wikipedia.org/wiki/Bcrypt).
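Added example (mine, not gst's, and not the code of any site or library named in the thread): what moving from a fast hash to scrypt looks like for a site that already stores unsalted SHA-512 hashes, which is the situation in which swapping MD5 for SHA-512 changes nothing. It assumes Python's OpenSSL-backed hashlib.scrypt, cost parameters I chose for illustration, and a constructed record format; a legacy record is checked one last time at login and, on success, replaced with an scrypt record in the same request.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed cost parameters for this example: N=2^14, r=8, p=1 needs about 16 MiB of
# memory per guess. That per-guess cost is exactly what a bare SHA-512 or MD5 lacks.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def legacy_sha512_record(password: str) -> str:
    """The 'before' scheme: one fast, unsalted hash. Every user with this password
    gets an identical record, and each guess costs a single hash computation."""
    return "sha512$" + hashlib.sha512(password.encode("utf-8")).hexdigest()


def scrypt_record(password: str, salt: Optional[bytes] = None) -> str:
    """The 'after' scheme: per-user random salt plus a memory-hard derivation,
    with the parameters written into the record so they can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either record type.

    Returns (ok, new_record). new_record is a fresh scrypt record when a legacy
    hash has just been verified, so the caller overwrites the stored value while
    it still has the plaintext; it is None when nothing needs to change or the
    password was wrong."""
    fields = record.split("$")
    if fields[0] == "sha512" and len(fields) == 2:
        expected = hashlib.sha512(password.encode("utf-8")).hexdigest()
        if hmac.compare_digest(expected, fields[1]):
            return True, scrypt_record(password)  # upgrade on the fly
        return False, None
    if fields[0] == "scrypt" and len(fields) == 6:
        n, r, p = int(fields[1]), int(fields[2]), int(fields[3])
        salt, stored = bytes.fromhex(fields[4]), fields[5]
        digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=n, r=r, p=p, maxmem=SCRYPT_MAXMEM)
        return hmac.compare_digest(digest.hex(), stored), None
    return False, None


if __name__ == "__main__":
    old = legacy_sha512_record("hunter2")
    ok, new = verify_and_upgrade("hunter2", old)
    print(ok, new.split("$")[0])
```

Because the plaintext is only available at login, the migration completes one user at a time; accounts that never log in again keep their weak record, which is why a deadline after which untouched legacy records are invalidated and a reset forced is the usual companion to this code.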
foo
June 20, 2011, 02:06:32 PM
> 2. If you can remember your password, it is probably weak.

This actually isn't true, though one might think so. See new research by Steve Gibson: https://www.grc.com/haystack.htm
I know this because Tyler knows this.
Vladimir (OP)
June 20, 2011, 02:22:25 PM (Last edit: June 20, 2011, 04:45:37 PM by Vladimir)
> 2. If you can remember your password, it is probably weak.
> This actually isn't true, though one might think so. See new research by Steve Gibson: https://www.grc.com/haystack.htm

"Research"? That is more like a very weak and naive claim. Old man seems to be getting way behind the curve. With all due respect to Steve Gibson and his cute idea of easy-to-remember passwords, I am going to have to disagree with him on this. He claims that 'D0g.....................' is a stronger password than 'PrXyc.N(n4k77#L!eVdAfp9'. He should know better. It might be the case when stupid brute force is employed, but these days attackers use much, much more effective ways to reduce the key space than simply iterating over all permutations, as Steve seems to believe. These include permutations of dictionary words with common replacements of letters by numbers in various uppercase/lowercase scenarios, in combination with sets of the same symbols repeating, as well as other methods of reducing the keyspace by emulating various patterns people use to create passwords they can remember. These techniques often reduce the keyspace by many orders of magnitude.
dukejer
Jr. Member
Offline
Activity: 42
Merit: 2
June 20, 2011, 02:30:24 PM
Here is what I use to keep my passwords safe.
1) KeePass and KeePassX: I have it on my Windows systems, Linux systems and my Android phone. The database can be synced and used by all 3 operating systems.
2) Every site I visit has a randomly generated password using the maximum number of characters and symbols the site will let me use.
3) The master passwords I use for the databases are a place in the world; I memorize the latitude and longitude to create my master password. I use Google Maps to find the latitude and longitude and I do not click on the most obvious place at the location.
For example:
If I want to use the Eiffel Tower for my password at 48.8583N, 02.2945E, my password would be similar to this. I never capitalize the first letter but some letter in the middle. I also replace some of the letters with leet speak. Now if I need my password before I memorize it I can just think of the Eiffel Tower and then use that to remember my master passwords.
3iff3lt0W3r488583N022945E
GRC rates the above password at 2.09 trillion trillion centuries to break.
-Dukejer
fergalish
June 20, 2011, 02:49:33 PM
This page contains a serious flaw. It may well be true that padding increases the strength of your password, but if an attacker cracks one of your passwords, he will know what padding to use for your other passwords.
BinaryMage
June 20, 2011, 02:57:31 PM
No matter how complex your password is, it can still be easily hacked if the attackers gain access to the database. A much more secure way to log in that I wish more sites would implement is Gmail's two-step verification process, where you must enter your password and a verification code sent to your phone in order to log in. I think the time when a complicated password that would be impossible to brute-force was sufficient has passed. Newer, multiple-step verification processes are necessary. Maybe MtGox can consider implementing something like that. It would sure make their users feel safer.
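Added example (my own, not Gmail's or MtGox's code): the server side of a second step like the one BinaryMage describes. Instead of sending a code by SMS it uses HOTP (RFC 4226), the counter-based one-time-password standard behind many authenticator apps, so the codes can be checked against published values; the shared secret is the RFC 4226 test-vector secret, and the look-ahead window and the `login` wrapper are assumptions of the example.

```python
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret (ASCII "12345678901234567890"), used here so the
# codes are checkable; a real enrolment generates a random secret per user.
SECRET = b"12345678901234567890"
LOOK_AHEAD = 5  # assumption: how far the server tolerates the client's counter running ahead


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class SecondFactor:
    """Per-user server state: the shared secret and the next counter the server expects."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def verify(self, submitted: str) -> bool:
        """Accept a code only if it matches one of the next LOOK_AHEAD counters,
        then move past it so the same code can never be accepted twice."""
        for c in range(self.counter, self.counter + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False


def login(password_ok: bool, factor: SecondFactor, code: str) -> bool:
    """Two-step login: the password check and the one-time code must both pass.
    A stolen hash table yields, at best, the first step."""
    return password_ok and factor.verify(code)


if __name__ == "__main__":
    factor = SecondFactor(SECRET)
    first = hotp(SECRET, 0)
    print(first, login(True, factor, first), login(True, factor, first))
```

The value of the second step against the database-theft scenario discussed in the thread is that the per-user secret never travels with the password hashes: recovering a password from a leaked table still leaves the attacker without a valid code, and each accepted code is burned on use.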
MikesMechanix
Member
Offline
Activity: 70
Merit: 10
June 20, 2011, 04:28:57 PM
One way to construct a somewhat easily remembered long password is to think of a song, poem or some such, which you could remember in your sleep, and then apply some algorithm to the words.
As an example, pick the first three letters of each word from the first line of Paranoid:
Finished with my woman 'cause she couldn't help me with my mind
Then pick some characters to delimit the letters and maybe start or end the password. Make up some rule by which you make some of the letters uppercase. For example:
3Fin.wIt.my.Wom.'Ca.she.Cou.hEl.me.Wit.mY.min%
That's 46 characters, fairly easily remembered. Half of that would be enough, and in fact 3 letters may be a bit much since I ended up with a couple of dictionary words in there.
(You want the brute-force search space to be large: use 1 or more characters from each group: uppercase, lowercase, numbers, symbols.)
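Added example, my own code rather than MikesMechanix's: the transform the post describes, applied to the Paranoid line. The three-letter chunks, the '.' delimiter and the leading '3' and trailing '%' come from the post; the capitalisation rule is my inference from his result (the word's position modulo 3 decides whether the first letter, the second letter or nothing is uppercased), and the tiny wordlist used to flag chunks that are plain English words, the weakness he notes himself, is constructed.

```python
import string

DELIMITER = "."
PREFIX, SUFFIX = "3", "%"
LETTERS = 3
# Constructed, deliberately tiny wordlist for flagging chunks that are whole dictionary words.
WORDLIST = {"my", "she", "me"}


def build_passphrase(line: str, letters: int = LETTERS, delimiter: str = DELIMITER,
                     prefix: str = PREFIX, suffix: str = SUFFIX) -> str:
    """Take the first `letters` characters of each word, apply the capitalisation rule,
    join with the delimiter and wrap with the prefix and suffix."""
    chunks = []
    for index, word in enumerate(line.split()):
        chunk = word[:letters].lower()
        # Inferred rule (assumption): index % 3 == 0 uppercases the 1st character,
        # == 1 the 2nd, == 2 leaves the chunk lowercase. Non-letters are left alone.
        pos = index % 3
        if pos < 2 and len(chunk) > pos and chunk[pos].isalpha():
            chunk = chunk[:pos] + chunk[pos].upper() + chunk[pos + 1:]
        chunks.append(chunk)
    return prefix + delimiter.join(chunks) + suffix


def class_coverage(pw: str) -> set:
    """Which of the four character groups named in the post are present."""
    groups = set()
    for c in pw:
        if c in string.ascii_lowercase:
            groups.add("lowercase")
        elif c in string.ascii_uppercase:
            groups.add("uppercase")
        elif c in string.digits:
            groups.add("numbers")
        else:
            groups.add("symbols")
    return groups


def dictionary_hits(pw: str, wordlist: set, delimiter: str = DELIMITER,
                    prefix: str = PREFIX, suffix: str = SUFFIX) -> list:
    """Chunks that are themselves dictionary words; a guesser can treat each as one token
    rather than three independent characters, which is the post's own caveat."""
    core = pw[len(prefix):len(pw) - len(suffix)]
    return [chunk for chunk in core.split(delimiter) if chunk.lower() in wordlist]


PARANOID = "Finished with my woman 'cause she couldn't help me with my mind"

if __name__ == "__main__":
    pw = build_passphrase(PARANOID)
    print(pw, len(pw), sorted(class_coverage(pw)), dictionary_hits(pw, WORDLIST))
```

The inferred rule reproduces the post's 46-character result exactly, which is what makes the scheme memorable: the line, the chunk length, the delimiter, the ends and one small rule are all that has to be remembered. `dictionary_hits` shows the trade-off the post mentions; with two- and three-letter words in the line, several chunks are words on their own.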
MikesMechanix
Member
Offline
Activity: 70
Merit: 10
June 20, 2011, 04:42:13 PM
> No matter how complex your password is, it can still be easily hacked if the attackers gain access to the database.

This is not true. A properly hashed strong password would take millions of trillions of trillions of trillions of trillions of trillions of centuries to break even with the most ridiculous hashing cluster you can imagine. See the link in foo's post above. Even the Unix MD5 crypt scheme is really strong as long as you stay away from dictionary words and make sure the "search space" is large enough. Also, once an attacker has gained access to a database, the game is pretty much over, and the passwords are only a nice bonus...
BinaryMage
June 20, 2011, 11:39:18 PM
> This is not true. A properly hashed strong password would take millions of trillions of trillions of trillions of trillions of trillions of centuries to break even with the most ridiculous hashing cluster you can imagine. See the link in foo's post above.
> Even the Unix MD5 crypt scheme is really strong as long as you stay away from dictionary words and make sure the "search space" is large enough.
> Also, once an attacker has gained access to a database, the game is pretty much over, and the passwords are only a nice bonus...

I stand corrected. Nonetheless, as you say, once the database is hacked, you're screwed anyway.