Security fail: weak passwords, strong crackers, social engineering


Every week seems to bring a new warning about another hacked site exposing at least a million passwords. Is security possible anymore?

Ars Technica explores the problem in “Why passwords have never been weaker—and crackers have never been stronger.” The average user has 25 accounts but only 6.5 passwords. Sites demand email addresses as usernames, so crackers of one site immediately have user credentials for many more sites.

Graphics processors make cheap cracking machines, and about 100 million passwords were published online last year. Salting passwords, appending unique characters to each one before hashing, makes things much safer, but many hacked sites, and many more current ones, don't salt. Then there's social engineering of password hints.
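To show why salting matters, here is an added example (not from the Ars Technica story or ITworld) that stores a constructed set of accounts under the two schemes the article contrasts: a fast unsalted MD5 hash, and a per-user-salted, adaptive PBKDF2 hash. Two of the sample users reuse the same password, which is the "6.5 passwords for 25 accounts" problem in miniature.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Legacy scheme many breached sites used: one fast, unsalted hash per password.
def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Salted, adaptive scheme: a random 16-byte salt per user plus a work factor.
def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_pbkdf2(password: str, salt: bytes, digest: bytes,
                  iterations: int = 200_000) -> bool:
    # Recompute with the stored salt; constant-time compare avoids leaking a match prefix.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

# Constructed sample accounts: alice and bob reused the same password.
USERS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "correct horse battery"}

def shared_hash_groups(scheme: str) -> int:
    """Return how many users share a stored value with at least one other user.
    Under unsalted MD5, equal passwords give equal hashes, so one crack (or one
    lookup in a table built from published passwords) reveals every account that
    used it; with per-user salts every stored value is unique even when passwords
    are not, so each account must be attacked separately at the full work factor."""
    stored = {}
    for name, pw in USERS.items():
        if scheme == "md5":
            stored[name] = md5_unsalted(pw)
        else:
            salt, digest = pbkdf2_salted(pw)
            stored[name] = salt + digest
    counts = {}
    for value in stored.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for v in stored.values() if counts[v] > 1)

if __name__ == "__main__":
    print("users sharing an MD5 hash:   ", shared_hash_groups("md5"))     # 2
    print("users sharing a PBKDF2 hash: ", shared_hash_groups("pbkdf2"))  # 0
    salt, digest = pbkdf2_salted("Summer2012")
    print("verify correct:", verify_pbkdf2("Summer2012", salt, digest))  # True
    print("verify wrong:  ", verify_pbkdf2("Summer2013", salt, digest))  # False
```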

Make it harder

Okay, so it can try 8.2 billion per second. All a website had to do to foil that is to deny any more tries after 10 or so, no?

ewelch on arstechnica.com

What a lame story. Brute force attacks are easily thwarted with a delay after an unsuccessful login.

Bill Johnson on yahoo.com

A 4-digit PIN with a 3 attempt lock-out (and no further information) is more secure than a 10 character password encrypted with MD5.

casca on news.ycombinator.com

What seems to work best is to slow logins down rather than lock them out completely. Still lets users in, but slows down bulk attacks enough so that the risk is low.

adrianhoward on news.ycombinator.com

Lock-outs are tricky to manage. I can flood 50 login requests and have the legitimate user quickly locked out.

casca on news.ycombinator.com

More technical

There is a difference between an algorithm being cryptographically secure and being brute force resistant. They exist for different purposes (and adaptive hash algorithms build upon the foundation of a cryptographically secure hash).

xoa on arstechnica.com

Use a professional grade password generator and create new ones every month, or sooner if called for.

Manuel Garcia O'Kelly on yahoo.com

More and more I feel like passwords are a fundamentally broken system. We need a better system of locks and keys. What it is, I don't know. I just know that it's not "passwords".

eqypturnash on news.ycombinator.com

Less technical

Surely the bigger issue is Mom & Dad - are we really expecting them to use Password Managers or a different, random phrase password for every single website that they use?

deadlock on arstechnica.com

I still believe hacking is 80% social engineering, 10% software and 10% brute force.

C on yahoo.com

Come clean: do you or “a friend” use the same password for every site?
