Password Cracking

RickCunn
Community Member

I just read Jeff's piece on secure PWs. Something comes to mind. How is a bad guy going to get access to my local copy of 1Password to work on it? Is he going to remote in without my knowing it, and spend mega years brute forcing it? Or is he going to have to physically steal my Mac and extract the HD to get to work on it? If I come home and the Mac is gone the first thing I do is call the bank, brokerage, etc. and start changing things. Presumably if I have a halfway decent passphrase I've got a few hours anyway.

Another PW question. When it comes to online accounts it seems to me just about any 'ole easy-to-guess PW will be fine. The reason is every account I have (at least where the money is ... I really don't care if one of my myriad email accounts gets hacked, nor do I care if my various online car forums, etc. get hacked ... or should I? Please explain, if I should care about those types of accounts.) gives me three tries and the account is locked. Surely it will take a bad guy more than three tries to guess even the lamest PW.

Lastly, not to promote a particular website, but Steve Gibson's Haystack methodology seems spot on. His basic thesis is simply length matters more than anything. The evil doers never know word nor character sequence, so they're always forced into a brute force attack. Comments?

Comments

  • danco
    Volunteer Moderator

    Your first situation is why many users won't use Dropbox or iCloud or any non-local storage. The databases might be stolen from there, though the Agile people convincingly claim that the database could not be hacked even if stolen.

    As to issues with local database, it depends on what you are worried about. Someone (a work colleague, a family member) might be able to access your machine and copy the database without you knowing.

  • jpgoldberg
    1Password Alumni

    @RickCunn asked:

    How is a bad guy going to get access to my local copy of 1Password to work on it? Is he going to remote in without my knowing it, and spend mega years brute forcing it? Or is he going to have to physically steal my Mac and extract the HD to get to work on it?

    From our design point of view it doesn't actually matter how a bad guy gets hold of your 1Password data, only that it is possible to. You've already mentioned the possibility of someone stealing your computer; that kind of thing does happen.

    There has even been some Mac malware (fortunately not very widespread) that collected 1Password data (along with a lot of other data, including OS X keychains) and sent those off silently to the bad guys. As others have mentioned, data can also be stolen from a sync service.

    "But I've got nothing of value"

    I really don't care if one of my myriad email accounts gets hacked, nor do I care if my various online car forums, etc. get hacked ... or should I?

    If your passwords are unique for each one of these then the damage is limited. But if you are reusing passwords, then a breach of one becomes a breach of all.

    But what a lot of people don't realize is that a compromise of a low security account can be (and often is) used to launch an attack against others. In a typical case, if someone gets your password to an online forum, they would post things in your name that direct people to sites that may contain dangerous malware.

    Most commonly they might just be posting obvious link spam. Almost everyone who sees it will probably recognize it as spam, but when Google indexes that forum, it will just see another link to what seems (to Google) to be a relatively "popular" site.

    Although those may not seem like a big deal, these are cases where an attacker is using your lax security to commit crimes against others. And, of course, there are cases where the attacks are more serious.

    The Stratfor breach in 2011 started with a breach of a "low security" account that was used to then obtain slightly more important things through a fake request to a colleague. That led eventually to them gaining access to much of the email between this "security firm" and their clients.

    The breach of RSA Inc's seeds for their SecurID cards had far greater consequences, and it too started with a low level account being compromised and then used to send a dangerous email attachment to someone who worked (low level) in RSA.

    So maybe you will be the one who pays the price for lax security of "unimportant" accounts, but quite possibly others will.

    How passwords are guessed

    Please explain, if I should care about those types of accounts.) gives me three tries and the account is locked. Surely it will take a bad guy more than three tries to guess even the lamest PW.

    This is not how they attack (and often they can by-pass that throttling even if they do attack through the front door.) Again, it is password reuse. Suppose some site is broken into and the attackers get a copy of the hashed passwords of that site's users. This kind of thing happens all of the time. Most such breaches go undetected and unreported. But there are plenty of high profile publicly reported breaches as well.

    Crackers then have the password hashes, and they can run automated guesses against those on their own machines, often being able to run tens of millions of guesses per second. If people have not changed their passwords for the breached site (perhaps because the breach went undetected) those will be directly useable there. But as people often reuse the same password on multiple sites, these can be used elsewhere.

    Indeed, this happened to Best Buy customers. Their Best Buy accounts were compromised not because of any security failure at Best Buy, but because of compromises at other places.

    Anyway, this takes us back full circle. We have to assume that some people will have their data captured, and so we design 1Password to resist these kinds of off-line attacks.

    A Kantian approach

    Steve Gibson's Haystack methodology seems spot on.

    Ask yourself this. What would happen if lots of people followed the haystack advice? Suppose 10 percent of passwords were created using that system. The attackers would modify their guessing system to go for exactly those. They wouldn't have to do a naive brute forcing, instead they would make their guessing rules follow the instructions that people follow.

    Haystack works as long as only a few people follow the advice. It's like what I heard someone say at a conference. "If you want passwords that I can't crack, then use UTF8 characters outside of US ASCII. My software doesn't deal with that."

    I asked, "if you found lots of people following that advice, what would you do?"

    "I'd modify my software to handle UTF8."

    Anyway, I want my advice to remain good advice even if lots of people follow it.
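
The haystack argument in the reply above, put into numbers as an added example that is not part of the thread: it compares the search space a padded password presents to blind brute force with the space left once the guesser follows the same padding recipe. The recipe modelled here (a short core followed by one repeated punctuation symbol), the function names, the sample password and the rate of 10 million guesses per second are assumptions for illustration.

```python
import string

GUESSES_PER_SECOND = 10_000_000   # assumed; the post says "tens of millions"
ALPHABET = 95                     # printable ASCII characters
PAD_SYMBOLS = string.punctuation  # assumed set of padding characters (32)


def naive_space(max_len: int) -> int:
    """Candidates a blind brute-forcer covers for lengths 1..max_len."""
    return sum(ALPHABET ** n for n in range(1, max_len + 1))


def recipe_space(max_core: int, max_total: int) -> int:
    """Upper bound on candidates for a guesser that follows the recipe:
    a core of 1..max_core characters, then one symbol repeated to any
    total length up to max_total."""
    total = 0
    for core_len in range(1, max_core + 1):
        pad_runs = max(0, max_total - core_len)  # padding repeated 1..pad_runs times
        total += ALPHABET ** core_len * len(PAD_SYMBOLS) * pad_runs
    return total


def fits_recipe(password: str, max_core: int, max_total: int) -> bool:
    """True if password is a short core plus a run of one padding symbol."""
    if len(password) < 2 or len(password) > max_total:
        return False
    pad = password[-1]
    if pad not in PAD_SYMBOLS:
        return False
    core = password.rstrip(pad) or password[0]  # all padding: first char is the core
    return len(core) <= max_core


def hours_to_exhaust(space: int) -> float:
    """Worst-case hours to try every candidate at the assumed guess rate."""
    return space / GUESSES_PER_SECOND / 3600


if __name__ == "__main__":
    sample = "D0g" + "." * 21  # constructed 24-character padded password
    print("fits recipe:", fits_recipe(sample, 4, 24))
    print(f"naive brute force: {hours_to_exhaust(naive_space(24)):.3g} hours")
    print(f"recipe-aware:      {hours_to_exhaust(recipe_space(4, 24)):.3g} hours")
```

The length that defeats blind brute force adds almost nothing once the padding rule is part of the guesser's model, which is the difference between advice that holds only while few people follow it and advice that holds when many do.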

This discussion has been closed.