
Passwords


Worst passwords of 2014 are just as awful as you can imagine - CNET

Few smartwatches have so far resonated with consumers. Apple is trying to drag the entire category into the mainstream with what it calls "the most advanced timepiece ever created." The consumer technology industry has spent the last 18 months hailing wearable devices as the next big thing. But who will want a smartwatch? And, more important, why do you need one? Apple on Monday set out to answer those questions with the Apple Watch, its entry into the burgeoning area of wearable technology. Customers in those nine countries can start going to Apple's retail stores and select department stores such as Selfridges in London and Galeries Lafayette in Paris beginning April 10 to try them on and determine the right size.

"Apple Watch brings a whole new personal dimension to timekeeping that's never been done before," Apple CEO Tim Cook said at an event in San Francisco on Monday.

Making the case for a watch

An already crowded room

Yet none of the devices have really broken out.

Today I Am Releasing Ten Million Passwords

Frequently I get requests from students and security researchers to get a copy of my password research data. I typically decline to share the passwords, but for quite some time I have wanted to provide a clean set of data to share with the world. A carefully selected set of data provides great insight into user behavior and is valuable for furthering password security. So I built a data set of ten million usernames and passwords that I am releasing to the public domain. But recent events have made me question the prudence of releasing this information, even for research purposes. The arrest and aggressive prosecution of Barrett Brown had a marked chilling effect on both journalists and security researchers.

The Most Common and Least Used 4-Digit PIN Numbers [Security Analysis Report]

How ‘secure’ is your 4-digit PIN number? Is your PIN number a far too common one, or is it a bit more unique in comparison to others? The folks over at the Data Genetics blog have put together an interesting analysis report that looks at the most common and least used 4-digit PIN numbers chosen by people. Numerically based (0-9) 4-digit PIN numbers only allow for a total of 10,000 possible combinations, so it stands to reason that some combinations are going to be far more common than others. The question is whether or not your personal PIN number choices are among the commonly used ones or ‘stand out’ as being more unique.

Note 1: Data Genetics used data condensed from released, exposed, and discovered password tables and security breaches to generate the analysis report.

Note 2: The updates section at the bottom has some interesting tidbits concerning people’s use of dates and certain words for PIN number generation.

Dictionary attack

In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.

Password Reuse

Salt & Pepper, please: a note on password storage

Password Strength

Password Haystacks: How Well Hidden is Your Needle?

... and how well hidden is YOUR needle? Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered. If every possible password is tried, sooner or later yours will be found. The question is: Will that be too soon . . . or enough later? This interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search.

(The Haystack Calculator has been viewed 2,587,584 times since its publication.)

Brute-force attack

The EFF's US$250,000 DES-cracking machine contained over 1,800 custom chips and could brute-force a DES key in a matter of days. The photograph shows a DES Cracker circuit board fitted on both sides with 64 Deep Crack chips.

When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time a brute-force search takes. When key guessing, the key length used in the cipher determines the practical feasibility of performing a brute-force attack, with longer keys exponentially more difficult to crack than shorter ones.

25-GPU cluster cracks every standard Windows password in <6 hours

Prevention

Rainbow table

Rainbow tables are an application of an earlier, simpler algorithm by Martin Hellman.[1]

Simplified rainbow table with 3 reduction functions

Background

Any computer system that requires password authentication must contain a database of passwords, either hashed or in plaintext, and various methods of password storage exist. Because the tables are vulnerable to theft, storing the plaintext password is dangerous.

Birthday attack

Understanding the problem

, about 7.9%. However, the probability that at least one student has the same birthday as any other student is around 70% for n = 30, from the formula

Mathematics

Given a function , the goal of the attack is to find two different inputs such that .

Meet-in-the-middle attack

The Meet-in-the-Middle attack (MITM) is a generic space–time tradeoff cryptographic attack.

Description

MITM is a generic attack, applicable to several cryptographic systems. The internal structure of a specific system is therefore unimportant to this attack. An attacker requires the ability to encrypt and decrypt, and the possession of pairs of plaintexts and corresponding ciphertexts.