2023 Security Check-up Reminder

Just for fun, I tried to see if "mypasswordistotalshit!!" was a secure passphrase (it's not mine, I just came up with it off the top of my head) to see how long it would take a computer to crack. And this is why passphrases are better.

[image attachment]

Throw in a couple of dashes between the words (i.e. "my-password-is-total-shit!!") and it becomes:

[image attachment]

My password would have (probably) outlived me by a factor of 9x10^16. You know, I like those odds. And it's one you can easily remember without having your browser remember it. I never use the auto-login feature.
These sites are neat, but they don’t provide much value. There’s no information provided as to the true measurement and mathematics behind these supposed claims. Think about the number of calculations GPUs are able to do these days. The phrase-as-password bit you mention, in the vein of that ancient xkcd comic, is on the money though.

Realistically speaking, most (emphasis on most) services you log into externally have measures that will temporarily lock your account down for an amount of time before you’re able to log in again. This halts the majority of brute force and dictionary attacks. Emphasis again on the majority. People to this day, since most organizations and services disallow usage of “password123”, will find other amalgamations of this syntax to use for their personal information, and then wonder how their shit keeps getting compromised. Most credential breaches come from social engineering attempts.

Fat retards like WingsofRedemption have had their PlayStation Network accounts compromised multiple times over a short period of time because they will literally rehash a password they’ve already used, only capitalizing some letters, adding an additional symbol, etc. It doesn’t even take a machine to “crack” this shit, just minor knowledge of the target.
 
Remember, friends, KF had a database breach a few years ago (iirc it was mostly a dump of emails, IP addresses, and usernames from the last several hundred people who connected to the site). Someone tried to breach late last year. It can happen again.

Privacy Tool's website endorses SurfShark VPN, but I don't trust a company that YouTubers shill.
This is why I only browse KF using Tor. It's fast enough and I have zero privacy concerns. I don't use Tor for anything but KF. Account email is a burner with a privacy-focused email service.

The only thing more secure than using Tor is using Tor on someone else's WiFi.
 
Even if most people get very little benefit from it, it only takes someone clicking the wrong link on something like Twitter without one to ruin their day.
I've seen boomers get malware from shit in malicious ads on Facebook so many times I've lost count. Usually it's just dumb bullshit like browser hijackers or fake malware warnings that phish you to some sketchy site, but I've also known a few to get their bank accounts emptied. In every case they've gotten the money back at least, but it's still some fucked up shit.

Facebook should really get a nice fat class action on all this shit, but having more money than God, they've insulated themselves from this with all sorts of legal mumbo-jumbo in their TOS and other disclaimers. One hopes a judge with some cojones finds their TOS unconscionable at some point and opens the floodgates though.
Wait so did Byuu get banned for linking the download?
That's what nool said. It was lulzy as hell but probably completely illegal to deliberately distribute malware.
Byuu did nothing wrong.
I mean other than commit a probable felony. Granted, a really funny felony but I can't blame nool.
 
I've seen boomers get malware from shit in malicious ads on Facebook so many times I've lost count. Usually it's just dumb bullshit like browser hijackers or fake malware warnings that phish you to some sketchy site, but I've also known a few to get their bank accounts emptied. In every case they've gotten the money back at least, but it's still some fucked up shit.

Facebook should really get a nice fat class action on all this shit, but having more money than God, they've insulated themselves from this with all sorts of legal mumbo-jumbo in their TOS and other disclaimers. One hopes a judge with some cojones finds their TOS unconscionable at some point and opens the floodgates though.

That's what nool said. It was lulzy as hell but probably completely illegal to deliberately distribute malware.
I wonder who will take up the mantle next.
 
Isn't "Correct Horse Battery Staple" far easier to guess than an 8 character random password, if the hacker guesses you're doing that and uses a dictionary attack instead of bruteforcing random characters?
Yes. The XKCD strip pedantically examines only bits of entropy (length), disregarding how crackers are typically configured to use dictionary attacks. This includes permutations of common English words, i.e. passphrases. A password with random characters including numbers, punctuation, weird Unicode, etc. will always be more secure than a password of equivalent length composed of words in common use.
 
On the mods question (and other software), a good rule of thumb is to see whether it's open source.

Most mods (and other software) nowadays have their source code available (plus if you're a wizard, you can customize it and build it to your liking).

The problem with reliance on proprietary projects is that it's harder to find issues; whereas a (free) open source one has its code audited (provided it has an active community), plus you can fork it if you have something radical to add to the main app, the project has been abandoned, or the main developer made a dumb decision like changing the license or making the project worse.

Keep in mind that it's a rule of thumb, so still practice caution with everything on the World Wide (soon to be plural) Web.
 
Just for fun, I tried to see if "mypasswordistotalshit!!" was a secure passphrase (it's not mine, I just came up with it off the top of my head) to see how long it would take a computer to crack. And this is why passphrases are better.
The question is whether anyone else has done that and had it cracked already.

If anyone has ever used that password to the point it's in a rainbow table, and your SHA-1 hashed password gets captured and is already in such a table, you're fucked.
A password with random characters (including numbers, punctuation, weird Unicode, whatever) will always be more secure than a password of equivalent length composed of words in common use.
And then you have some retarded shit for every site that you can't possibly remember unless you're Rain Man and have to use crutches like post-it notes under your keyboard and password managers. These passphrases usually also use more characters so the fact you're getting less entropy per character is outweighed by the fact you're probably using more characters in the first place.

The xkcd cartoon just isn't wrong. Even if the attacker knows you're using exactly this as a technique, it only slightly shortens their time to crack your passphrase, which is probably in the quadrillions of years anyway, especially if you just smush a bunch of dictionaries together into a giant file and generate randomly from that.
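The arithmetic behind the entropy argument in this post and the one it replies to, as an added example that is not from any poster. The guess rate of 1e11 per second and the average word lengths are assumed figures for illustration; the scheme list is constructed.

```python
import math
from typing import NamedTuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600

class Scheme(NamedTuple):
    """`length` elements drawn uniformly at random from a pool of
    `choices`; chars_per_element is the assumed typing cost of each."""
    name: str
    choices: int
    length: int
    chars_per_element: float

def entropy_bits(scheme: Scheme) -> float:
    """Bits the attacker must search even knowing the scheme exactly
    (pool, length, and that the draws were random)."""
    return scheme.length * math.log2(scheme.choices)

def bits_per_character(scheme: Scheme) -> float:
    """Words carry fewer bits per typed character than random symbols,
    but a passphrase is normally longer, so the total can still win."""
    return entropy_bits(scheme) / (scheme.length * scheme.chars_per_element)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in the space at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

# Constructed comparison set; word lengths are assumed averages.
# The last entry models a phrase that is already in a leaked-password
# list: the attacker tries it first, so it is worth ~0 bits.
SCHEMES = [
    Scheme("8 random printable ASCII chars", 95, 8, 1.0),
    Scheme("4 random words, 2048-word list (xkcd)", 2048, 4, 5.5),
    Scheme("6 random words, 7776-word diceware list", 7776, 6, 4.5),
    Scheme("phrase already present in a leak list", 1, 1, 23.0),
]

def compare(guesses_per_second: float = 1e11) -> dict:
    """Summarise each scheme; the guess rate is an assumed figure, since
    real speed depends on the hash algorithm and the attacker's hardware."""
    return {s.name: {"bits": round(entropy_bits(s), 1),
                     "bits_per_char": round(bits_per_character(s), 2),
                     "years": years_to_exhaust(entropy_bits(s), guesses_per_second)}
            for s in SCHEMES}

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:42} {row['bits']:5.1f} bits  {row['years']:9.2e} years")
```

The "attacker knows the scheme" case is exactly what `entropy_bits` models: the figures assume the cracker already knows the wordlist and the word count and is only enumerating the random draws.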
 
On the mods question (and other software), a good rule of thumb is to see whether it's open source.

Most mods (and other software) nowadays have their source code available (plus if you're a wizard, you can customize it and build it to your liking).

The problem with reliance on proprietary projects is that it's harder to find issues, whereas a (free) open source one has its code audited (provided it has an active community), plus you can fork it if you have something radical to add to the main app, the project has been abandoned, or the main developer made a dumb decision like changing the license or making the project worse.

Keep in mind that it's a rule of thumb, so still practice caution with everything on the World Wide (soon to be plural) Web.
Just because something is open source doesn't mean it won't fuck up your computer:

 
Yes. The XKCD strip pedantically refers to only bits of entropy i.e. length, disregarding how crackers are typically configured to use dictionary attacks. This includes permutations of common English words, also known as passphrases. A password with random characters (including numbers, punctuation, weird Unicode, whatever) will always be more secure than a password of equivalent length composed of words in common use.
This is the problem specifically with things like Quantum Programming, which has rapidly accelerated the progress of brute-force password guessing. In all likelihood things will have to move to only 2-factor authentication with passwords completely phased out of use within the next 20 years.

You negrate me only because I speak the truth.
 
Facebook should really get a nice fat class action on all this shit, but having more money than God, they've insulated themselves from this with all sorts of legal mumbo-jumbo in their TOS and other disclaimers. One hopes a judge with some cojones finds their TOS unconscionable at some point and opens the floodgates though.
That's the root of why the password management advice is so pointless. The services that should have liability for unauthorized access don't, they're insulated from liability, and passwords are a cheap way to foist responsibility off on the end user.

I can use a set of rules for generating passphrases from the Bible based on the domain name like a paranoid schizophrenic and people can still get access to my accounts.
 
This is the problem specifically with things like Quantum Programming, which has rapidly accelerated the progress of brute-force password guessing. In all likelihood things will have to move to only 2-factor authentication with passwords completely phased out of use.
Passwords will never go away, since unlike 2FA tokens they can't be physically stolen if you keep them in your head. Even in the age of quantum computing, an account secured by both authentication methods is more secure than an account secured by just one.

There's an old security saying for authentication: use something you have, something you know, and something you are. (Though the last one is questionable, as biometrics are easily stolen and can't be rotated.)
 
That's the root of why the password management advice is so pointless. The services that should have liability for unauthorized access don't, they're insulated from liability, and passwords are a cheap way to foist responsibility off on the end user.

I can use a set of rules for generating passphrases from the Bible based on the domain name like a paranoid schizophrenic and people can still get access to my accounts.
Offline password managers exist and would have helped Claire a lot but instead she used her browser to store critical information.

----
Sort of a PSA I suppose - this tactic is on the rise and extremely lucrative for bad actors, never allow your browsers to store any information you input into forms on a website. Nothing.
This is the problem specifically with things like Quantum Programming, which has rapidly accelerated the progress of brute-force password guessing. In all likelihood things will have to move to only 2-factor authentication with passwords completely phased out of use within the next 20 years.
Brute forcing isn't the main way passwords are cracked; it's combined alongside other techniques. Realistically, if you have a good password that is hashed using a decent algorithm, no one is going to bruteforce it anytime soon.
The problem is, people use abysmal passwords, and as more and more passwords are leaked they are added to massive lists, which means each newly discovered password is effectively burned forever.

This is why unique passwords are important along with 2FA.
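The rainbow-table point made earlier (a captured bare SHA-1 hash of a phrase someone else already used) and this post's "hashed using a decent algorithm" point, as an added example that is not from any poster. The leak list is constructed, and the PBKDF2 iteration count is kept low only so the demo runs quickly.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed mini leak list standing in for the huge real ones.
LEAKED_PASSWORDS = ["password123", "Password123!", "letmein",
                    "correcthorsebatterystaple", "mypasswordistotalshit!!"]

# Kept low so the demo runs quickly; production deployments use far more.
PBKDF2_ITERATIONS = 100_000

def sha1_hex(password: str) -> str:
    """Bare, unsalted SHA-1: the kind of storage a rainbow table targets."""
    return hashlib.sha1(password.encode()).hexdigest()

def build_lookup_table(leaked: list) -> dict:
    """Precomputed once, reused against every site that stores bare SHA-1.
    Every password in a leak list is burned for everyone who used it."""
    return {sha1_hex(pw): pw for pw in leaked}

def recover_from_sha1(stolen_hash: str, table: dict) -> Optional[str]:
    """A single dictionary lookup recovers any table-listed password."""
    return table.get(stolen_hash)

def store_password(password: str) -> tuple:
    """Per-user random salt plus a slow KDF. The salt makes precomputed
    tables useless; the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def same_password_two_users(password: str) -> tuple:
    """Returns (sha1_hashes_match, salted_digests_match): unsalted storage
    reveals shared passwords across users and sites, salted storage does not."""
    sha1_match = sha1_hex(password) == sha1_hex(password)
    _, d1 = store_password(password)
    _, d2 = store_password(password)
    return sha1_match, d1 == d2
```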
 
There's an old security saying for authentication: use something you have, something you know, and something you are. (Though the last one is questionable, as biometrics are easily stolen and can't be rotated.)
I'm curious if in the future vibrational frequencies could ever be a verification measure, since every living creature has a unique frequency.

(It's schizo science don't worry about it, it will be normified later.)
 