http://qs1969.pair.com?node_id=11133899


in reply to Reaped: Re^2: Replacing crypt() for password login via a digest - looking for stronger alternative
in thread Replacing crypt() for password login via a digest - looking for stronger alternative

"Passwords are usually harvested by keystroke scrapers."

my sources say no. Care to back up this claim?

Replies are listed 'Best First'.
Re^4: Replacing crypt() for password login via a digest - looking for stronger alternative
by cavac (Parson) on Jun 16, 2021 at 06:29 UTC

    From personal experience, passwords are mostly harvested in 3 ways: Data breaches, emails that redirect to fake "password change" forms and from just plainly asking people for their passwords.

    perl -e 'use Crypt::Digest::SHA256 qw[sha256_hex]; print substr(sha256_hex("the Answer To Life, The Universe And Everything"), 6, 2), "\n";'
      passwords are mostly harvested in 3 ways: [...] and from just plainly asking people for their passwords.

      Simply asking for credentials works shockingly well. You need one bar of chocolate per password: https://orbilu.uni.lu/handle/10993/26214 (via https://www.heise.de/hintergrund/Passwort-gegen-Schokolade-3245447.html).

      And it becomes much worse in an environment where people trust each other. Just today, a co-worker showed me a really old piece of paper with his/her current (Samba) Active Directory password, which would give me access to Windows, mails, calendar, vacation planner, and other systems. The account name is trivially firstname.lastname, so just handing out the password is sufficient to gain access. The password is really bad, it can be found in every dictionary, and just adds one non-alphanumeric character. To make things worse, we have just finished migrating our legacy Samba NT4 domain to Active Directory, including a mandatory password reset for all users. And people simply reuse their old, insecure passwords hidden under keyboards, desk pads, or in the top drawer. And the really, really worst part of that password: It was the default password for new accounts used for at least a decade.

      I'm a developer, but one day every two weeks is reserved for admin work. I can get root/Administrator access on all machines, and so I could bypass all ACLs and Unix permissions. I would not need anyone's password to get access to all data. So handing out a personal password to me technically does not make things worse. But just the fact that co-workers hand out their password at all is wrong. I don't want to know their passwords, I don't want access to their data.

      I would really like to hire a trustworthy friend to repeat the chocolate-for-password experiment at work. Followed by a mandatory password security training, after asking who has got a sweet present.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

        The password is really bad, it can be found in every dictionary, and just adds one non-alphanumeric character.

        A few years back I got into really hot water with some users. Instead of a fixed "3 numbers, 4 characters, one special character" type of password, the systems I developed started using a complexity score thing. Somewhat secure "random" passwords could get away with about 10 characters. Using things like part of the username, your real name and stuff like that would come with a steep penalty, requiring a much longer password.

        Needless to say, some users were pissed about the fact that I "required a 40 character password" and that they "can't use their favourite password and refuse to remember a new one". Shame it's not in my power to fire people or force them to sit through a three week class on basic computer security.

        perl -e 'use Crypt::Digest::SHA256 qw[sha256_hex]; print substr(sha256_hex("the Answer To Life, The Universe And Everything"), 6, 2), "\n";'
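The complexity-score approach cavac describes above (a length/character-class estimate with a steep penalty for passwords built from the username or real name), as an added example. This is not cavac's code and not from the original thread; the threshold `$MIN_SCORE`, the penalty sizes, the sample users and the sample passwords are all assumptions chosen so that a random 95-character-class password passes at about 10 characters.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical password complexity scorer (not cavac's implementation).
# Score = naive entropy estimate (bits) from length and character classes,
# minus penalties for identity-derived tokens and obvious patterns.
# A password is accepted when score >= $MIN_SCORE.
my $MIN_SCORE = 60;   # assumption: 10 random printable-ASCII chars ~= 65 bits

# Size of the alphabet the password appears to be drawn from.
sub char_class_size {
    my ($pw) = @_;
    my $n = 0;
    $n += 26 if $pw =~ /[a-z]/;
    $n += 26 if $pw =~ /[A-Z]/;
    $n += 10 if $pw =~ /[0-9]/;
    $n += 33 if $pw =~ /[^A-Za-z0-9]/;   # remaining printable ASCII
    return $n || 1;
}

# Tokens we refuse to see inside the password: the full login name, its
# dot/space/underscore-separated parts, and the words of the real name
# (only tokens of 3+ characters, compared case-insensitively).
sub identity_tokens {
    my ($username, $realname) = @_;
    my %seen;
    for my $t ($username, split(/[.\s_-]+/, $username), split(/\s+/, $realname)) {
        next unless defined $t && length($t) >= 3;
        $seen{lc $t} = 1;
    }
    return keys %seen;
}

sub score_password {
    my ($pw, $username, $realname) = @_;
    my $bits_per_char = log(char_class_size($pw)) / log(2);
    my $score = length($pw) * $bits_per_char;     # log2(classes^len)

    # Steep penalty: an identity token contributes nothing and costs extra,
    # so "john.smith2021!" cannot hide behind its length.
    my $lpw = lc $pw;
    for my $tok (identity_tokens($username, $realname)) {
        if (index($lpw, $tok) >= 0) {
            $score -= length($tok) * $bits_per_char + 10;
        }
    }

    # Cheap pattern penalties (toy list; a real policy would use a
    # dictionary and keyboard-walk detection).
    $score -= 5  if $pw =~ /(.)\1{2,}/;                          # aaa, 111
    $score -= 5  if $pw =~ /(?:abc|bcd|cde|123|234|345|qwe|asd)/i;
    $score -= 15 if $pw =~ /(.{3,}).*\1/;                        # repeated chunk

    return $score;
}

sub password_ok {
    my ($pw, $username, $realname) = @_;
    return score_password($pw, $username, $realname) >= $MIN_SCORE;
}

# Smallest length at which a password drawn from an alphabet of $classes
# symbols would pass with no penalties: the "required length" users see.
sub min_length_for {
    my ($classes) = @_;
    my $len = $MIN_SCORE / (log($classes) / log(2));
    return int($len) == $len ? $len : int($len) + 1;
}

if (!caller) {
    # constructed sample inputs
    for my $case (
        ['Tr0ub4dor&3',                  'john.smith', 'John Smith'],
        ['john.smith2021!',              'john.smith', 'John Smith'],
        ['Smith!Smith!Smith!',           'john.smith', 'John Smith'],
        ['correct horse battery staple', 'john.smith', 'John Smith'],
    ) {
        my ($pw, $u, $r) = @$case;
        printf "%-30s score=%6.1f %s\n", $pw, score_password($pw, $u, $r),
            password_ok($pw, $u, $r) ? 'accepted' : 'rejected';
    }
    printf "min length, lowercase only: %d; all printable ASCII: %d\n",
        min_length_for(26), min_length_for(95);
}
```

With these numbers `Tr0ub4dor&3` (11 chars, four classes, about 72 bits) passes, `john.smith2021!` is driven far below zero by the username tokens, `Smith!Smith!Smith!` loses its surname and repetition bonus and fails, and the long passphrase passes on length alone; `min_length_for` reports 13 for lowercase-only and 10 for full printable ASCII, which is where the "you require 40 characters" complaints come from once a favourite password built on a name gets penalised.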
Re^4: Replacing crypt() for password login via a digest - looking for stronger alternative
by jdporter (Paladin) on Jun 15, 2021 at 19:33 UTC
    When has he ever?

      It's the kind of BS snake oil salespeople have been selling for literally decades. Some of them end up brainwashing convincing themselves that they know what they're talking about. You and I both understand why he's doing this, so for the sake of OP and future readers, challenging someone to back up such claims, while it takes a little time to do, isn't a complete waste of time.

      Update: As usual, interesting to see someone upvoting such shenanigans.