The Usability of Passwords Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones. So let's dive into the world of passwords, and look at what makes a password secure in practical terms. Update: Read the FAQ (updated January 2011) Update - April 21, 2011: This article was "featured" on Security Now, here is my reply! How to hack a password The work involved in hacking passwords is very simple. Asking: Amazingly the most common way to gain access to someone's password is simply to ask for it (often in relation with something else). When is a password secure? You cannot protect against "asking" and "guessing", but you can protect yourself from the other forms of attacks. The measure of security must then be "how many password requests can the automated program make - e.g. per second". Like these: It takes:
Authentication News: Passwords Found in the Wild for January 2013 Studying the passwords dumped on the Internet by hackers back in December provided a good opportunity for me to measure the scope of the problem. Following that experience I decided to collect and correlate some new information when analyzing password dumps from January. Overview of Password Dumps Last month I found 110 password dumps which met my criteria* for analysis, down from 154 in December. A few of the dumps contained data from multiple sites. There were 90 specific organizations or domains named as the source of the passwords. From this collection, 40 dumps consisted primarily of plaintext passwords, exposing roughly 61,000 passwords (36% of the monthly total). Compared to 450,000 passwords dumped in December, this month's total of 170,000 passwords was significantly lower. I wasn't really surprised to see this result. There were 40 different hackers or hacker groups claiming credit for January's password dumps, and more hackers that chose to dump their data anonymously.
Shamir's Secret Sharing Shamir's Secret Sharing is an algorithm in cryptography created by Adi Shamir. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret. Counting on all participants to combine together the secret might be impractical, and therefore sometimes the threshold scheme is used where any of the parts are sufficient to reconstruct the original secret. Mathematical definition The goal is to divide secret (e.g., a safe combination) into pieces of data in such a way that: Knowledge of any or more pieces makes easily computable.Knowledge of any or fewer pieces leaves completely undetermined (in the sense that all its possible values are equally likely). This scheme is called threshold scheme. then all participants are required to reconstruct the secret. Shamir's secret-sharing scheme points to define a polynomial of degree Suppose we want to use a where
Le piratage du fichier STIC rappelle l'efficacité des attaques par ingénierie sociale Ce Système de Traitement des Infractions Constatées rassemble des informations sur un peu plus de 36 millions de citoyens, soit parce qu'ils sont victimes, soit parce qu'ils sont mis en cause (mais pas nécessairement condamnés) dans une affaire de police. Il s'agit donc, bien entendu, d'informations dont l'accès est contrôlé. Pour déjouer ces contrôles, les pirates se sont fait passer, par téléphone, pour des policiers afin de se faire transmettre les données STIC relatives à plusieurs chanteurs de rap français. Comment ? Là encore, ils n'ont rien inventé : Kevin Mitnick disait déjà exploiter "le mensonge, la manipulation, l’influence et la politesse naturelle des gens". L'affaire vient d'être révélée par le site PC INpact, mais il ne s'agit pas d'un cas isolé. Et ce n'est pas une légende. Les conséquences d'une telle attaque peuvent être sévères. Comment se protéger face à de telles attaques ?
Why does the government disallow dynamic languages? This Q&A is part of a weekly series of posts highlighting common questions encountered by technophiles and answered by users at Stack Exchange, a free, community-powered network of 100+ Q&A sites. Patrick asks: I know some people who are currently working on a project for the US military (low security level, non-combat, human resources type data). An initial state of the project code was submitted to the military for review, and they ran the program through some sort of security analyzer tool. One of the items that needed to be resolved was removal of part of the project that was written in Ruby as it is a dynamic language. What is the background/reason for not allowing a dynamic language to be used in a secure setting? See the full, original question here. It's the interpreter Thomas Owens♦ answers (22 votes): Dynamic languages can be used in defense and military applications. The fact that these languages are dynamic most likely isn't the problem. Dangerous tricks The trouble's in the tools
Le viol vocal ou comment pirater le fichier STIC par un simple coup de fil Exclusif PC INpact : « Bonjour collègue, on vient de procéder à une interpellation sur l’A86, on voudrait que tu nous sortes deux STIC (…) on ne sait pas si tu es capable de le faire ». Des internautes ont visiblement réussi à récupérer les données STIC (Système de Traitement des Infractions Constatées) de plusieurs personnalités du rap… par simple coup de fil. Le Parquet a ouvert plusieurs enquêtes et l'IGS est saisie. Explications. Le principe fait appel à une technique bien connue en informatique. C’est l'ingénierie sociale (ou social engineering en anglais) qui, rappelle Wikipedia « est une forme d'acquisition déloyale d'information » qui « exploite les failles humaines et sociales de la structure cible, à laquelle est lié le système informatique visé » ici le STIC. STIC ? Exploiter le maillon faible de la chaîne de sécurité du STIC Selon les bruits ambiants, les appels semblent passer via Skype. Les recommandations de la CNIL Quatre enquêtes du Parquet à Paris, l'IGS saisie
Philips Smart TVs wide open to Gmail cookie theft, other serious hacks Internet-connected TVs manufactured by Philips running the latest firmware update are wide open to browser cookie theft and other serious attacks by hackers within radio range, a security researcher has warned. The hacks work against Philips Smart televisions that have a feature known as Miracast enabled, Luigi Auriemma, a researcher with Malta-based ReVuln (Twitter handle @revuln), told Ars. Miracast allows TVs to act as Wi-Fi access points that nearby computers and smartphones can connect to so their screen output can be displayed on the larger set. The hacking vulnerability is the result of a recent firmware update that allows anyone within range to connect to the TV, as long as they know the hard-coded authentication password "Miracast." Once someone has connected to the Miracast-enabled Wi-Fi network, they can use publicly available software to download any personal files that may be contained on USB drives plugged in to the Philips Smart TV.
PIN number analysis Ian’s messages made me chuckle. Then, later the same day, I read this XKCD cartoon. The merging of these two humorous topics created the seed for this article. What is the least common PIN number? If you had to make predication about what the least commonly used 4-digit PIN is, what would be your guess? This tangentially relates to the XKCD cartoon. This article is not intended to be a hacker bible, or to be used as a utility, resource, or tool to help would-be thieves perform nefarious actions. Source Obviously, I don’t have access to a credit card PIN number database. Soap Box – Password Database Exposures Bottom line Security strengthens with layers, and the simple application of encryption on your database table can help protect your customer’s data if this table is exposed. Back to the data Given that users have a free choice for their password, if users select a four digit password to their online account, it’s not a stretch to use this as a proxy for four digit PIN codes.