Did anyone else read "NSA recommended"...
... I can't help but think of them as the bad guys.
I always knew stuff would be monitored, this isn't surprising but the scale was far FAR beyond my expectations and some of the levels they went to...
L0phtCrack's back! Crack hack app whacks Windows 10 trash hashes
Ancient famed Windows cracker L0phtCrack has been updated after seven years, with the release of the "fully revamped" version seven. The password cracker was first released 19 years ago gaining much popularity in hacker circles and leading Microsoft to change the way it handled password security at the time. No new versions …
-
-
Thursday 1st September 2016 03:35 GMT Anonymous Coward
Re: Did anyone else read "NSA recommended"...
Same AC here (promise, totally should have included like a hash of a phrase in my earlier post)
Not saying "DON'T TRUST SHA512" and co, they're known, old, good, so forth, what I meant was if the NSA was like "use this software" I'd be dubious.
I bet you those failed fighter jets that need regular rebooting will be Cloud powered BTW. Different TLA I know.
-
Thursday 1st September 2016 04:21 GMT Grifter
Re: Did anyone else read "NSA recommended"...
>> them as the bad guys.
But see that's the beauty of their statement, they know you'd be suspicious of anything they champion, so in order to try to get people not to use sha512, they'll say do use it. This inception goes many levels deep. I bought tinfoil cheap in bulk, everyone's welcome to a hat!
-
Thursday 1st September 2016 05:56 GMT Geoffrey W
Re: Did anyone else read "NSA recommended"...
RE "I bought tinfoil cheap in bulk, everyone's welcome to a hat!"
Yes please! I cant get mine to work properly and the voices just get amplified. Send it to :-
Me,
The little shack in the woods,
Raccoon Hollow,
On a mountain,
20 Minutes into the future,
USA
Ta!
-
-
Saturday 10th September 2016 02:40 GMT Geoffrey W
Re: Did anyone else read "NSA recommended"...
RE: "If I deliver there, will I be menaced by glorious AKM?"
I'm British, I don't do AKM, glorious or otherwise. I chase people away by droning on and on about the weather and seeing if they can outrun my pet whippet (I AM a Northerner) before it licks them to death, and before my ferret runs up their trouser leg.
-
-
-
-
-
Thursday 1st September 2016 13:31 GMT Joe Montana
Re: Did anyone else read "NSA recommended"...
NTLMv1 is no longer used as a network authentication scheme, but the underlying passwords are still stored using the NTLM hashing scheme.
Two different (although related) things.
The reason microsoft can't change the hashing scheme as easily as Linux can is because the network authentication protocols are tied to the hashing method, so you would need to update all the clients too.
-
-
-
-
Thursday 1st September 2016 08:00 GMT MonkeyCee
Re: Nope
Another trick for a stand alone windows 7 box is booting off a live linux USB, and do the following:
- pick an input utility to bugger with. In this case, the on screen keyboard
- rename that utility (osk.exe to osk.old)
- rename cmd.exe to osk.exe
- reboot into windows
Now you can call the osk from the login screen, which will in fact run cmd.exe with full admin rights.
Then resetting the password is a simple command: net user *username* *newpassword*
-
Thursday 1st September 2016 17:13 GMT Jonathan Richards 1
Re: Nope
> booting off a live linux {CD, USB}
All BIOSes allow one to define allowable boot devices, and I haven't seen one for decades that doesn't have a degree of password protection for the BIOS setup [1]. If you care enough, you can forbid the possibility of booting from a CD.
Having said that, I used regularly to use a live CD on a secure network for which I had *my own* Windows credentials: the tools available were just so much more powerful than the ones I could get installed for Windows.
[1] The BIOS password will also be crackable, of course. Mantra: "If the geezer in the Black Hat has unfettered access to the physical device, you're screwed."
-
-
Thursday 1st September 2016 07:46 GMT Olius
Good password selection
I'm curious to know if I'm the only person who recommends people use memorable songs to generate passwords - either by taking the first character of each word in a line from the song to generate a seemingly random but very memorable password, or better (if the system in question allows) by using a whole line/lyric as a very long passphrase ?
-
Thursday 1st September 2016 08:03 GMT Destroy All Monsters
Re: Good password selection
No, this is likely to be caught by extensive dictionary tries.
Use shocking nonsense instead:
but:
passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices
And also:
how-linkedins-password-sloppiness-hurts-us-all
where a commenter says:
Now the fine prints:
Use a different randomly generated password for each service.
Use a password manager for most of your password.
For the handful of important services (banking, main e-mail...) use:
-> unique passwords
-> use systems with limited number of trials (timers and so on)
-> use multifactor authentification
-
Thursday 1st September 2016 10:03 GMT thondwe
Re: Good password selection
Trouble with many publicly stated algorithms for generating passwords, is that...
a) Hackers will know these and be able to generate them - add a bit of social engineering - e.g. facebook + favorited bands + "I use song lyrics...", who's family/friends copy the idea...
b) More people use the same method to generate the same passwords which then end up in the hackers database from a breach...
OK some of these ideas can generate large numbers of variants, but you need to keep the method secret - so your per service password is unique to you AND the service.
I'm not saying I use Latin phases from Aeneid
-
-
Thursday 1st September 2016 08:24 GMT Area52
Pronounceable Passwords
"Microsoft and Google boffins reckon passwords should be pronounceable, rather than set to the typical recommended jumble of numbers, special characters, and letters, which are difficult for users to recall."
Another option is Orthographic Passwords
https://nousrandom.net/passwordmaker/orthgraphicpasswords.html
or password creators that uses a most all words, not just a few thousand words like some sites use.
https://nousrandom.net/passwordmaker/wordpasswords.html
-
Thursday 1st September 2016 12:27 GMT alain williams
Re: Pronounceable Passwords
These might generate good passwords, but should you use them: No.
A password is something that should only be known to you; someone telling you a password means that that someone knows your password. If I were NSA/GCHQ/BlackHatCracker I would create a web site like this and wait until someone who I wanted to infiltrate used it ...
If the source were available and I could download and run it (privately) on my own machine, I might use it.
-
-
Thursday 1st September 2016 09:15 GMT Duncan Macdonald
Car reg + serial number
In the UK at least the combination of a neighbours car number and the model number on a bit of equipment is likely to be secure and yet still easy to use.
An example (not one that I use!!!)
S357HGKAOA110Ab where S357HGK is a car registration number and AOA110Ab is the model number of a netbook.
(The car reg number above is a made up number - I do not know if it is still in use.)
-
Thursday 1st September 2016 10:45 GMT chuckufarley
On my notebook...
...which runs LinuxMint 18 I set up session based two factor authentication with Google Authenticator. It was very simple: just install GA and edit two files in /etc/pam.d and then scan the QR code with my phone. I even use it on my home server as part of my SSH authentication. In fact I use 2FA on every website and online service that supports it. Which is not nearly enough.
I can't help but wonder why there are not more FOSS 2FA solutions for windows and the Internet as a whole. It would solve a lot of problems. So many that El Reg might have a significant drop in stories about security breaches.
-
-
Thursday 1st September 2016 14:46 GMT TheVogon
"A 4 digit PIN will have no chance against a brute force."
The 4 digit PIN only protects the basic local PC login - not your online account Microsoft account, etc.
The idea being that a basic password protection level, but only giving minimal access is better than slightly better password protection level, but giving you the keys to the kingdom...
-
-
-
-
Friday 2nd September 2016 13:02 GMT Jonathan 27
What did I say about Linux? But since you brought it up, I might as well pick apart that man page. Salting is industry standard practice, if it wasn't salting the password it would be an issue. You don't get extra points for doing things that are standard practice, you lose them for not doing them.
So, to follow that up. SHA512 is better than NTLM, but if Microsoft is going to change to a new hash, they should go for best in class and not just the trailing edge of what's considered passable today.
-
-
-
-
Saturday 3rd September 2016 01:06 GMT Wensleydale Cheese
Re: Yep, vehicle reg works for me too
"I can remember my dad's registration on car he used to have until about 1960"
I can remember that and those of the next two.
Beware someone digitising old family photos and putting them online. Details of more recent vehicles may be lurking in insurance or similar databases.
-
Friday 2nd September 2016 22:44 GMT JeffyPoooh
Please pass the self-salt...
What if the input script accepted the new password (PW$), and then created a salted repeated-password string like this:
SaltedPW$ = Salt0$ + PW$ + Salt1$ + PW$ + Salt2$ + PW$ + Salt3$ + PW$ + Salt4$
Then send that away for hashing and storage.
The human user only needs to remember their wee little PW$.
Signing In uses the same concatenation technique, before the hash comparison.
But the Crackers with the stolen hash file need to de-hash these SaltedPW$ monsters. Yeah, good luck.
I hope that this helps.
