OK, let's continue from where we stopped: Computer Security (Part 1)
The hacker could try to just guess your password, attempting to log in again and again, hoping to get lucky. They might know the username and just guess the password, or more likely they are guessing both. There are 86400 seconds in a day, and suppose your bank permits 1 login attempt per second. The bad guy could just go through the list of 100000 common passwords ("password", "password123", "janexyz", ...) trying to get lucky. This works, since they only need to guess correctly for a few accounts, and they can do the attack in bulk.
Clearly, the bank or whatever should detect thousands of bad logins and slow down or freeze the account. This can cause problems for the legitimate user however, so it's a balance. One simple policy is that the bank can process login attempts at a slowish rate, such as one every second, to prevent the bad guys from trying 100 billion different passwords.
Dictionary Attack Example

Here's a real "log file" from my codingbat.com server, where it routinely records what happens each day. What you see here is the attacker trying to guess both the username and password on the account. It happens that the username for each attempt is printed in the log file but the password is not. No doubt they are trying common passwords, such as "secret", "password12", etc. It's funny to me that you can see that their list of usernames to try is in sort of alphabetical order, and they are just running through it in the most obvious way. So what you need to understand is: this sort of attack is clicking along, every second of every day, aimed at basically all the servers on the internet. They just need to succeed with a few accounts here and there, even though they fail 99.99% of the time. This is why you should not have a password which is close to a dictionary word or someone's name, or is a password people often choose. The good news is that with just 4 random letters added to your password, suddenly this dictionary attack is not going to work -- there aren't enough seconds in the day.
- Do not need to be super elaborate (some sites go crazy with this)
- List of common passwords - do not use these!
- Common passwords: password, password1, 123456789, 12345678, 1234567890, abc123, computer, tigger, 1234, qwerty
- Avoid a password that thousands of others out there have also chosen
- What I do for secure passwords, e.g. a bank site:
- Start with a word, add misspelling, then add some random letters
- Could add some digits and/or punctuation and maybe some upper case letters
  - mottens,erx -- fine
  - Mottens,9erx -- better
  - MotenX,97erx -- probably more complex than necessary
- Important that the "erx" is truly nonsense, not like "xyz" that someone else on earth might tend to pick.
- Other problem: what if the site itself is compromised, so the bad-guy possibly gets your password that way? Therefore, do not re-use your passwords across important sites like banks.
- Consider writing down important passwords on a slip of paper at home. Otherwise it's hard to keep it all straight in your head.
- The list of common passwords contains passwords that are just a word or a word plus a tiny variation, like "jane" or "secret1" or "mittens123", or two words like "catmittens", so it's vital that your password does not look like that.
- It's ok to have a word fragment, but it should also include significant nonsense letters. Personally, I like starting with a word, since it is easy to remember and fast to type, but then random junk needs to be added in and around it.
- Some sites go crazy, requiring many upper case letters, and digits, and punctuation letters. I think that's not necessary. It's "security theater": adding more complexity and the appearance of action but without actually adding to security.
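The rules above (not on the common list, not a word plus a tiny variation, not two words glued together) are easy to turn into a checker. This is an added example written for this post, not code from the post itself; the common-password list and the dictionary are short constructed samples, and a real checker would load the full lists from files.

```python
import re

# Constructed sample of the common-password list mentioned above.
COMMON_PASSWORDS = {
    "password", "password1", "123456789", "12345678", "1234567890",
    "abc123", "computer", "tigger", "1234", "qwerty", "secret", "password12",
}
# Constructed mini dictionary of words and names that guessers decorate or combine.
DICTIONARY_WORDS = {
    "cat", "dog", "jane", "secret", "mittens", "password",
    "computer", "tigger", "love", "monkey",
}

def core_word(pw):
    """Undo a 'tiny variation': lowercase and strip leading/trailing digits or punctuation,
    so 'Mittens123!' and 'secret1' reveal the base word a guesser would start from."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())

def is_two_words(core):
    """True if core is exactly two dictionary words glued together, like 'catmittens'."""
    return any(core.startswith(w) and core[len(w):] in DICTIONARY_WORDS
               for w in DICTIONARY_WORDS)

def check_password(pw):
    """Return (ok, reason) following the post's advice. ok=True means the password
    does not look like something a bulk dictionary attack would try."""
    if pw.lower() in COMMON_PASSWORDS:
        return False, "on the common-password list"
    core = core_word(pw)
    if core in COMMON_PASSWORDS or core in DICTIONARY_WORDS:
        return False, "dictionary word plus a tiny variation"
    if is_two_words(core):
        return False, "two dictionary words glued together"
    return True, "ok: contains nonsense a dictionary attack will not try"

def days_to_try_list(list_size, attempts_per_second=1.0):
    """How long a guesser needs to run through a list at a rate-limited server:
    100000 passwords at 1 attempt/second is a bit over a day per account."""
    return list_size / attempts_per_second / 86400

if __name__ == "__main__":
    for pw in ["password", "secret1", "mittens123", "catmittens", "mottens,erx", "Mottens,9erx"]:
        print(pw, "->", check_password(pw))
    print("days to try 100000 passwords at 1/sec:", round(days_to_try_list(100000), 2))
```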
Email is tricky -- once they have your email password, they may be able to do a password reset and get into your other accounts. In that sense, your email password is the most important one.
Stay tuned for the third part tomorrow...