Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: Password Problesm on some sites.  (Read 4977 times)

0 Members and 1 Guest are viewing this topic.

Geek-9pm

    Topic Starter

    Mastermind
  • Geek After Dark
  • Thanked: 1026
    • Gekk9pm bnlog
  • Certifications: List
  • Computer: Specs
  • Experience: Expert
  • OS: Windows 10
Password Problesm on some sites.
« on: July 12, 2017, 12:19:03 PM »
For some time I have had trouble with passwords and I have thought it was alwasy my fault. Now I am starting to wonder if it is just me.

I like to use FireFox and I let it remember my passwords. But if I have not been toa site for a long time, like two months, the password may flop.  Why?

And when I try to reset the password, it does not alwasy'take' the new password. Is theer some kind of inherent trouble  wtih password reset?

And why do some places ay you shoyuld change yur passwords often. Why?
Ddo they wear out?
Do they collect dust?
Does changingh a password make it better?
Why does it have to be so hard?
Example: Say I have a password like this:
dfX(jr37&^0
What are trhe odds of any bot ever guessing that? Now if I chang it to
fdX(jr37&0^
is taht somehow better?
I only transposde the first two and last two chars.
I think they call that jux·ta·po·si·tion.

This madness is driving me almost crazy.
Why can I not just keep my passwords forever?

DaveLembke



    Sage
  • Thanked: 662
  • Certifications: List
  • Computer: Specs
  • Experience: Expert
  • OS: Windows 10
Re: Password Problesm on some sites.
« Reply #1 on: July 12, 2017, 03:46:10 PM »
I feel the urge to get people to change passwords on a regular basis is mainly to keep changing it up in case its been compromised. If it was compromised somehow but not targeted yet, then it would be a time bomb. But if it changes on a regular basis, the window of opportunity for someone to do anything with it is limited.

In the corporate world passwords are changed regularly and there is a timer that after say 90 days you have to change it, and 14 day before it expires your warned to change it. They also require passwords to conform to a specific type of complexity to harden the network access.

On my home computer I have been using the same password for local system access for the last 8 years. There is no need to change that on a regular basis. I use complex passwords everywhere, but only change my banking and credit card access passwords and security questions on a quarterly basis. Additionally with security questions the answers I gave have absolutely nothing to do with the question choices such as if the choice is whats your favorite color I might use something like Neptune1984$ and your first car, I would use something like TitanicSunk@1912 this way common dictionary attacks wont work its too abstract to conform to any known list.

For websites that arent critical, I rarely if ever change my password and security info. If its compromised the worst they would be able to do is play my video game online and remove items from the character etc.

As far as browser deleting passwords that are set to remember, i haven't run into that with Firefox yet. Do you think that you may have dumped your history and cookies etc during that time at all? Paypal for example I had not used for quite some time, and the other day I went to buy an item at amazon and it remembered me and I didnt have to logon to paypal, I was in and just needed to specify what account to pay from etc.

As far as if changing your password makes it better.... I would say it makes it better at keeping people out if they have access to your account and havent already acted on doing something bad. Their opportunity is gone unless they get the new password or know your security reset questions to gain access no matter what your password changes to. So they should really have to change security reset info too and have it to where you can specify the question and answer to eliminate dictionary attacks to try to gain access to peoples accounts or at least prompt people to change their security info regularly. BUT with this comes the risk of locking yourself out of an account and unable to prove your the owner losing access to it forever, so this info should be stored in a book in safe keep that no one has access to but yourself.

A password like dfX(jr37&^0 , someone would have to really want access to your account and I would think only if a keylogger or some other means of gaining access to your actual password would anyone or any automated authentication process be able to get in. You have 11 characters, and I would think that they would need to hit it with an alpha-numeric with special character counter that starts at say aaaaaaaaaaa and runs all the way to say ########### with every combination of upper and lower case and all that. With a properly configured authentication service I would think that hopefully they have a counter that after say 5 failed attempts it places the account access into a 15 minute time out process or longer to keep hackers from trying to brute force access through use of every combination until access is granted.

I am thinking your password to be guessed is around 11 to the power of 72 and it could take quite a while if the authentication is set up properly to lock out after x-many failed attempts.

On a project I was working on with 89 characters trying to find a value to which the input and output comes out the same, I ran it 1 Billion times on an 8-core 4.0Ghz AMD FX-8350 CPU which each of the 8 cores processing 125 Million attempts each to find where in a shuffle of 89 characters, where every shuffle is unique from the prior, searching for the iteration in which the end result ends up being the same as the initial input and it took 7 days and no match found. I deemed it not worth running this test further as for it would take a month to run 4 Billion attempts at finding this which I believe exists mathematically, but its out there somewhere and its not within the first Billion tries. And 48 Billion attempts could be achieved in a year with one system running non stop. The temptation is there to find this, but I dont want the electric bill that comes with finding that value.  ;D  When running this search, I removed the gaming GTX video card and removed the HDD to run only on the SSD, so it was the bare minimum to run it and lowest power consumption state that I could get this system to without detracting from performance. *I suppose if I knew of a way to tap into the GPU for processing I could make more use of this system to test for more values in the same amount of time, but that is way beyond what I know in C++ programming. With the farming for coins etc using GPUs, I know it could be done, but I doubt it can be done easily to specify for it to be executed on the GPU and not the CPU.

Geek-9pm

    Topic Starter

    Mastermind
  • Geek After Dark
  • Thanked: 1026
    • Gekk9pm bnlog
  • Certifications: List
  • Computer: Specs
  • Experience: Expert
  • OS: Windows 10
Re: Password Problesm on some sites.
« Reply #2 on: July 13, 2017, 10:14:11 PM »
DaveLembke,
Thansk for the reply and detailed answer.
By the way, I can not get the spell cheker to work. So bear with me.

I think my problem is not with having a weak password. There seems to be some kind of problem with my connection, as if there is some kind of thing messing up my security. I did finally get into my WordPress  account ansd then they tell me I don't have a web site. Hun?  An I had to sgin in with my email, not my user name. strange.  But for the reset I only gave the user name, not the e-mail. Something strange about how they handel a passwordn reset.

About passwords being hard to ctack. In theory, yes, you can make a tough password. In practice, it is never stronger than the weak link. The weak link is rvertything else. The people runnig aservice, the security certificates, the  myriad hubs and switches taht router hyour trafic.

Let my clarify. Imagine a crime sydicate alled "Ruthless" and their business is to thwarrt Internet security for a profit.
"Ruthless" has found that to crack the password of one user might take maybe 1000 hours of brut force password attacks.  OK. N ow they also find that a major servie can be ctracked in about 10,000 horce of inovative exploits. Just one good hit will get into the accounts of hundreds, even thusands of users. That fact that the user might have tough passwords does not matter. With the administer creditials "Ruthless" gets into every user that has some money. Yes, there might be a trail, but all that "Ruthless" wants is the money.
That above is fictional. But does it represent thebigger picture?
Look here:

35% of Users Have Weak Passwords; the Other 65% can be Cracked
Posted by Eran Cohen on Mar 13, 2017
Link to his post on prêempt
After making his case, he doe not address the issue of the lack of securiy in many data centers.
Here is a post seven years ol and nobody has ever really changed anyghin. Data centers are still very weak.
http://www.consumerreports.org/cro/news/2014/08/the-problem-with-passwords/index.htm
Quote
For Baykan, passwords represent just a layer of security on the Internet, which is embedded with other security protocols that may also be compromised, as was the case with the Heartbleed bug. Alternate methods of authentication—such as using biometrics including fingerprint or retinal scanning—are available, but implementing them on a large scale would require a serious commitment by companies.
Put another way, you can not make it secure with passwords alone.The has to be a better way for all users to have private accese to valuable  stuff on a remotre server.  Acutjully, fignerprint technology has now come of age. Maye we will sign in with our thumbs.  ::)


DaveLembke



    Sage
  • Thanked: 662
  • Certifications: List
  • Computer: Specs
  • Experience: Expert
  • OS: Windows 10
Re: Password Problesm on some sites.
« Reply #3 on: July 14, 2017, 09:14:09 AM »
Quote
OK. Now they also find that a major server can be cracked in about 10,000 hours of innovative exploits. Just one good hit will get into the accounts of hundreds, even thousands of users.


True if they gain access into server side, they have "the keys for the kingdom" and even though each person has a different key some more complex to crack than others for their doors, the imitation king can just walk right on in and take everyones money.  :P 

This is one reason why I dont have all my eggs in one basket and dont have my computer save my passwords to my browser etc. I dont want automatic logon etc. Accounts with the highest risk for theft have the smallest amount of money in them. My ATM account for example never contains more than $500. My account I use for paypal I keep about $200 in it and as I spend on paypal I add more to bring it back to $200. I only put money out there in the high risk accounts that I could afford to lose, or temporarily lose without losing the roof over my head. I have money spread across multiple banks in secure accounts that if anything happened I wouldnt get cleaned out and I will still be able to pay my mortgage. They would have to target and gain access to 6 banks to clean me out. I'm not rich by any means but i have safety net accounts. 

The other thing is that I dont have the web based access to these accounts. The banks are all super eager to give me it, but i tell them i dont want that access because if I need to know my balance I will just visit a bank. I dont like that with those accounts wire transfers can occur etc, and so someone could get onto an account and transfer money out of my account into theirs etc. There is ability to shut that feature off, but i just have it to where there is no web access to my accounts. Also for my ATM account I specified that I wanted a maximum withdraw from that account of $300 vs the $1000 they wanted to give me for my debt card that goes along with that account. I told the bank that if I need more than $300, I will visit the bank and take the money out or move money then to another account. I had to sign to a special document to have them set my account to a $300 limit for debt card transactions.

I know people who have gotten cleaned out and its not fun at all. It takes a while to get your money back and in some situations you dont. So I have it spread out among multiple banks as secure as I can have them.

patio

  • Moderator


  • Genius
  • Maud' Dib
  • Thanked: 1769
    • Yes
  • Experience: Beginner
  • OS: Windows 7
Re: Password Problesm on some sites.
« Reply #4 on: July 14, 2017, 09:41:22 AM »
I do zero online banking...

When i do online purchases i either get Gift Cards...or disposable credit cards from the bank.

Works for me.
" Anyone who goes to a psychiatrist should have his head examined. "

Geek-9pm

    Topic Starter

    Mastermind
  • Geek After Dark
  • Thanked: 1026
    • Gekk9pm bnlog
  • Certifications: List
  • Computer: Specs
  • Experience: Expert
  • OS: Windows 10
Re: Password Problesm on some sites.
« Reply #5 on: July 14, 2017, 01:25:32 PM »
...
When i do online purchases i either get Gift Cards...or disposable credit cards from the bank.
Works for me.
That is what othes in my huse are now doing.
Even though these gift cards might have a 1 or 2 % fee, it can be worth the extra. Besides, the banks charges fees anyway unless you hava a$1000,000 in your account. It has been a long, long time ago when I once had that much money in one place.  :(

BC_Programmer


    Mastermind
  • Typing is no substitute for thinking.
  • Thanked: 1140
    • Yes
    • Yes
    • BC-Programming.com
  • Certifications: List
  • Computer: Specs
  • Experience: Beginner
  • OS: Windows 11
Re: Password Problesm on some sites.
« Reply #6 on: July 15, 2017, 03:50:15 PM »
I think using different passwords on different sites is more important than changing an otherwise secure password. Occasionally websites get compromised and sometimes they are doing stupid things to deal with security- like having the password in plain text. And if the password isn't in plain text, having a database with user information and a hashed password can still be attacked a lot faster and easier than brute forcing a login page.

A Few times I've learned of data breaches largely because of unauthorized attempts to log in to some of my accounts. Pretty much anything- my main Microsoft Account, The root account on my VPS, etc. Which all failed because I tend to use different passwords. This happens because some random forum I used for 10 minutes 20 years ago was compromised, for example, and the attackers managed to get the password I used and then used my username to find other accounts to try that password on. That password was effectively random text, so it was a strong password, buit if I had continued to use that password, it would have been compromised.

For example I use different passwords for my VPS Root account, my blog's admin account, my Microsoft Account, this forum account, my bank website, paypal, ebay, and Amazon. I have them written down in a few places as well as set to remember in Firefox which seems to have worked so far for me.

One interesting thing is that I can search through the logs of my blog's login and find attempts to login to my BC_Programming account and will occasionally find a password I've used elsewhere- I can look up where I used it and see exactly who has been compromised. I've done something sort of similar to determine of sites that say "We'll never share your E-mail address" do. For example, TIBCO Jaspersoft is the only thing I used my work E-mail for, and somehow now it is receiving spam messages.

I was trying to dereference Null Pointers before it was cool.