Botnet Attack

By Shamus Posted Saturday Apr 13, 2013

Filed under: Notices 95 comments


For the last two days people have been sending me messages in email, Twitter, and Facebook. These messages invariably come in one of two forms:

  1. Hey Shamus! Did you know your website is down, or that it’s very slow?
  2. Shamus, I just wanted to let you know that there’s a massive brute-force attack of WordPress websites going on right now.

These messages are probably related.

Remember that a botnet is a bunch of hacked, trojan’d, malware-infected machines. The machines are in living rooms, in classrooms, in offices. Their owners probably have no idea they’re infected. Maybe they were on some skeezy porn site. Or torrenting things they shouldn’t. Or maybe they clicked on one of those “Optimize your PC” scams. Whatever. The owners shrug, “That machine is slow these days.”

This is a brute-force attack, which means thousands of different computers are going to thousands of different blogs and attempting to gain admin privileges using stupid, you-should-know-better credentials. My blog isn’t at any particular risk. While you can never say never, I shouldn’t be susceptible to brute-force over any kind of a reasonable timeframe. My password is what it should be: Long alphanumeric gibberish. It sucks to remember, but it ought to keep me safe for the next few hundred years or so.

This is a friendly reminder to encourage your less-savvy friends to keep their machine clean. Their ignorance and hapless surfing habits are now a danger to everyone. This attack wouldn’t be worth it if large numbers of people didn’t use horrible passwords, and it wouldn’t be possible if large numbers of people didn’t allow their machines to be compromised. The un-savvy are now providing the incentive and the means for their own undoing.

So yes. I know. Nothing I can do on my end. I could spend hours scouring logs and banning IPs, but I’d just be banning individual members of an amorphous blob. The best solution is to complain until the whole thing blows over.
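The post describes the attack from the receiving end: thousands of machines, each sending a handful of login attempts, so that per-IP banning barely matters. The added Python example below (mine, not code from the post) shows the one signal that still stands out in an ordinary web server access log: the number of login POSTs, and the number of distinct source addresses behind them, hitting the login endpoint within a short window. The log lines are constructed here in Apache/nginx combined format with documentation-range addresses, and the window and thresholds are assumptions to tune per site.

```python
"""Detecting a distributed login brute force in a web server's access log.

Added example; not code from the post. The log lines are constructed below
(203.0.113.x / 198.51.100.x are documentation ranges), and the window size and
thresholds are assumptions. Because a botnet spreads its attempts over many
source addresses, the detector counts attempts and distinct sources per window
rather than trying to rate-limit any single IP.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# WordPress endpoints that accept credentials.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return the fields the detector needs, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_bursts(lines, window_seconds=60, min_attempts=20, min_distinct_ips=10):
    """Bucket login POSTs into fixed windows and flag windows where both the
    attempt count and the number of distinct sources reach the thresholds.
    Returns (alerts, possible_successes). Fixed buckets can split one burst
    across a boundary; a sliding window would be stricter at the cost of code."""
    buckets = defaultdict(list)
    possible_successes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        key = int(rec["ts"].timestamp()) // window_seconds
        buckets[key].append(rec)
        # WordPress typically re-renders the form (200) on a failed login and
        # redirects (302) on success, so a 302 near a burst deserves a look.
        if rec["status"] == 302:
            possible_successes.append(rec)
    alerts = []
    for key in sorted(buckets):
        recs = buckets[key]
        ips = {r["ip"] for r in recs}
        if len(recs) >= min_attempts and len(ips) >= min_distinct_ips:
            alerts.append({
                "window_start": datetime.fromtimestamp(key * window_seconds, timezone.utc),
                "attempts": len(recs),
                "distinct_ips": len(ips),
            })
    return alerts, possible_successes


def constructed_log():
    """A made-up log: normal reads, one ordinary login, and a one-minute burst
    of 30 login POSTs spread over 25 source addresses."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2013, 4, 12, 14, 2, 0, tzinfo=timezone.utc)
    lines = [
        f'198.51.100.7 - - [{(base - timedelta(minutes=5)).strftime(fmt)}] "GET /2013/04/botnet-attack/ HTTP/1.1" 200 21044',
        f'198.51.100.7 - - [{(base - timedelta(minutes=4)).strftime(fmt)}] "POST /wp-login.php HTTP/1.1" 302 0',
        f'198.51.100.9 - - [{(base + timedelta(minutes=3)).strftime(fmt)}] "GET /feed/ HTTP/1.1" 200 9001',
    ]
    for i in range(30):
        ip = f"203.0.113.{i % 25 + 1}"
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3571')
    return lines


if __name__ == "__main__":
    alerts, hits = detect_bursts(constructed_log())
    for a in alerts:
        print(f"{a['window_start']:%Y-%m-%d %H:%M:%S}: {a['attempts']} login POSTs "
              f"from {a['distinct_ips']} addresses in one minute")
    for r in hits:
        print(f"302 after login POST from {r['ip']} at {r['ts']:%H:%M:%S}: verify it was you")
```

Run against a real log by replacing `constructed_log()` with the file's lines. The point of the two thresholds together is that a single user mistyping a password twenty times trips only the first, while a botnet trips both; what the alert buys you is knowing the burst is happening and being able to check that no login POST in it was answered with a redirect.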


95 thoughts on “Botnet Attack”

  1. ENC says:

    Any relation to the DDoS occurring from the ISP towards the anti-spam group?

      1. Trix2000 says:

        They both do make for some concern though. Two different internet attacks of such large scale would imply that things are getting worse, and we’ll perhaps see more of them later on.

        At least we can still take effective measures against them.

  2. Shishberg says:

    You linked the wrong xkcd.

    1. Dragomok says:

      I’m glad I’m not the only one who thought of this.

    2. Aristabulus says:

      This isn’t a case of villains wanting to gain access to Shamus’ sooper sekrit stash of code experiments (and needing to torture him to gain access), it’s a bunch of 2-bit techno-thugs going on an active fishing trip… He linked the most relevant comic.

  3. X2-Eliah says:

    Ugh. I really dislike that xkcd “tip”. Modern password-cracking tools *rely* on brute-forcing combinations formed from wordlists, not brute-forcing every alphanumeric permutation gibberish. There’s orders of magnitude of difference between cracking “correcthorsebatterystable” and, say, “ogutndpa*hr%w:[QlO#)kfosm”, especially when using wordlists as the base for cracking. Yes, length does help a lot, but if the password rule system we start to use relies entirely on dictionary words, then there’s no point in talking about the number of bits and the character-length of the password, because the bit is not the base element in ‘correcthorsebatterystable’ – the word is. And suggesting to move onto words entirely is, imo, a dangerous suggestion.

    Edit: Also, is there a decent guide on how a non-technically-minded person can verify their computer is not acting as a botnet part? All I’ve seen boil down to “start doing network monitoring and check your ip packet stuff” or “is your pc running slow? Then get a specialist to check” – where’s the middle-ground for checking by yourself without taking courses in compsec&networking?

    Edit2: Also also, that “tip” doesn’t mention the *biggest* issue, which is password reuse. Leaked password lists are, imo, the primary security issues, not bruteforcing. “Oh, his email is examplehumanoid@someplace ? Oh, that email is linked to ‘examplehumanpasswordthing’ [same entropy as that xkcd suggestion] in that leaked asian MMO user-base list? Oh, let’s use that password on his SomePlace account!“…
    And now we are back to having unique passwords for every meaningful login-place. Oh, sorry, “passphrases”. Thus -> “Okay, this is my secondary non-work hotmail account. Now, what was the passphrase… Horse battery staple? Stapled horse battered to death? No wait, this is hotmail, there’s no horses here. Um. Fireman hot burning thing? This Mail Is So Hot? “. It’s not like passphrases remove the problem of *remembering*. And if someone did, e.g. try to crack passphrases for, say, Hotmail, using xkcd’s 4-words system, don’t you think they’d try a filtered rule list with “one of those four words is probably [mail], [hot] or [hotmail], let’s try those!” – which goes from (words)^4 to (words)^3 * 12 or so.

    1. Endymion says:

      Well the whole point of that idea was that “correcthorsebatterystaple” is magnitudes better than the average everyday recommended password of 8 to 10 random characters/numbers/symbols. Even WITH dictionary hacks trying to brute force every combination of 4 words, you’ve got far more 4 word combinations than you do 10 character combinations.

      Besides, those short 10 character combinations are still the most common type, so why would you try to brute force the word combinations first? Any attempt to brute force stuff should test the common possibilities first.

      1. xulaus says:

        Really it all depends on the amount of words. Really people are only going to use the top x most popular words. If that x is 1000? That’s about 6 random characters (4*log(1000)/log(127)=5.7). Even the top 10,000 only gets you 8ish. Using words is useful, but only if you force the hacker to do a byte by byte brute force. Throw in random capitalisation and substitute every T for – or something, but then you are back to a `hard’ to remember password.

        1. Zukhramm says:

          I’ll claim using words is always better. It might not be much, but assuming a sequence of words is as easy to remember as a sequence of characters, a password of n symbols will still be 1.5-2 times as effective. The gain/effort ratio is pretty good.

      2. krellen says:

        No, that is not the point of that XKCD. An 8-character password that breaks common cracking shortcuts – such as using regular words, perhaps with some digit substitutions – is more secure than “correcthorsebatterystaple”. Once you’ve got the attackers using brute-force to crack your password (and note, “correcthorsebatterystaple” does NOT require brute-force), you’ve pretty much already won, provided you’ve got at least 8 characters.

        Longer is better, but please don’t go around spreading the lie that a truly random 8-character password is “less secure”.

        (Here is a site that will give you some metrics on how long it might take to brute-force a given password.)

        1. Bryan says:

          *Randomly* choosing four words out of a list of 100k gives (10^5)^4 different combinations, which is 10^20. Using a set of eight choices from 256 (assuming a byte per; Unicode can make this bigger but Unicode is a PITA to type, too) gives 256^8 different combinations. Which is 2^64.

          $ python
          >>> 10**20
          100000000000000000000L
          >>> 2**64
          18446744073709551616L
          >>> 10**20 / 2.**64
          5.4210108624275222

          Just over 5x as many passwords from 4 words randomly chosen out of a list of 100k, compared to 8 characters randomly chosen out of a list of 256.

          So no. Randomly choosing four words *IS* more secure. Assuming the list of source words is long enough.

          And because the words are chosen randomly, it *does* require brute force. (Though it requires brute force combinations of choices from the word list.)

          1. krellen says:

            100k is an unrealistically large list. I’ll note that XKCD is assuming a list of 2k. The point of the XKCD is to create an easier-to-remember password; a completely-random-from-100k-words passphrase isn’t going to qualify.

            XKCD’s four-word passphrase takes 550 years to crack. An eight-character password that forces use of the full keyboard key-space (roughly 95 characters) takes 21,300,000 years.

            Also, dictionary attacks are not brute force. They are, in fact, pretty much the definition of “not brute force”.

            1. Bryan says:

              $ wc -l /usr/share/dict/words
              99171

              So, uh? That’s basically 100k.

              Of course, there are a lot of things in there that are similar (lots of possessives and plurals, for instance). But if you use that list directly, and use whatever comes out directly (and figure out a way to memorize it — personally, using it several times a day for my screen-unlock password generally works, though of course this doesn’t help for websites), 100k is still valid.

              Edit: They’re bruteforcing at the level of words, because the word choice is random. Not at the level of letters, but that’s why I’m using the word count, not the letter count, as the basis for number of tries required…

              1. krellen says:

                You’re missing the point. No one has a vocabulary that large. No one’s going to use a dictionary file to generate their random four words (that’s why XKCD assumes a 2k word list). Doing it your way fails to clear the hurdle of “easier to remember” that was the POINT of the XKCD comic.

                Then again, I only have to add one character (thus a nine-character password) to blow even your expanded dictionary out of the water, which only further supports my point that using dictionary words is not “more secure”.

                1. Zukhramm says:

                  Randomly chosen words will still be easier to remember than randomly chosen characters, even if they’re outside the vocabulary I normally use.

                  1. krellen says:

                    Yes, the real secret isn’t actually random characters, but a string of characters that appears random that is, in fact, relatively easy for the user to remember.

                    Take a regular word, one with some meaning to you (it can be a name, if long enough). Reverse a couple letters, or add an intentional misspelling (one you’ll be able to easily remember). Substitute in some leet-speak substitutions, maybe add a “signature” symbol/number combo (beginning, middle, or end – vary it) to push the search depth out of pure alphanumeric. Throw a random capitalisation in the middle of the word (syllable breaks are good places for this).

                    This is very easy to remember, and yet devilishly difficult for a computer to interpret, because the pattern, while relatively simple to our human brains, would be really really hard to program (how the hell do you tell a computer to “try these words, but with misspellings”?).

                    I wrote a post about this, actually.

                    1. Zukhramm says:

                      Yeah, sure, but is that easier to remember than a string of words? For some, maybe, I don’t know.

                    2. krellen says:

                      “!9SteVyn84” is a lot easier to remember (assuming your son is named Steven and was born in 1984) than any string of random words.

                      (“But that’s easily-obtained personal information!” I can hear you protest. Sure, probably. But then you have to guess the exact pattern that information was broken into, the exact manner of capitalisation and misspelling of “Steven”, and what (if any) symbol-substitutions were used for the numbers.

                      And that’s assuming your attacker knows (or cares) enough to find out anything about the individual whose password they are cracking, which is almost certainly not the case. The chances of you being in a category of people important enough to deliberately, individually hack is about the same as your chances of having systems requiring more security than a password in the first place.)

                    3. Zukhramm says:

                      Easier perhaps, but definitely not by a lot, at least in my opinion. Though, if we’re talking about non-random strings the passphrase could be equivalently non-random and thus easier to remember as well.

                    4. Khizan says:

                      It all depends on how frequently you use the password.

                      If it’s an email password, or a screenlock password, or something for work that you use every day, at the least, it’s not that hard to remember. If you rarely use it, you’ll end up going “Well. I misspelled Steven’s name and birth year, in some pattern…”

                      My typical password is an uppercase/lowercase/number/symbol string that’s usually 10-15 characters long. The characters appear random, but I actually picked them all so that I can sing the password along to a song in my head. Here’s an example I just made up:

                      Cy3*X7N/mZx910

                      This password I just made up goes along somewhat with the Hall of the Mountain King. C y 3 star X sev-en, N slash m, Z n nine ten. Capital letters go on stressed letters in the tune.

                      As long as you don’t sing the password out loud when you type it in, I find this drastically increases my ability to remember a random character string.

                    5. Thomas says:

                      ‘Though, if we're talking about non-random strings the passphrase could be equivalently non-random and thus easier to remember as well.’

                      That’s fine, but then we’re back to the 2k word lists because you’d be using common usage words again.

                    6. Zukhramm says:

                      Not necessarily, but even if you do, 2000 is still better than the 100 or so possible characters you’d use.

                    7. Thomas says:

                      That’s comparing an entire word to a single letter though. If I choose two random letters which can be capitalised or non capitalised that’s 52^2=2704. If I choose three random capitalised or non capitalised letters then that’s 52 X 2704 combinations, the equivalent of a string of way over 50 random words taken from a 2000 word vocabulary.

                      If I choose four random capitalised or non capitalised letters that has the equivalent security 2700 words taken randomly from a vocabulary of 2000 :P

                      If we want to go alphanumeric (because symbols suck) that’s 3800 combinations for two letters.

                    8. Zukhramm says:

                      You can’t calculate the number of combinations for letters and compare that to a straight multiplication of words. Of a string of 50 words from a 2000 word dictionary there are 2000^50 possible strings, way above the number of three letter passwords.

                2. Shamus says:

                  But is it more secure if the attacker doesn’t know anything about your password? They don’t know the length, or how you generated it, or whatever. Basically, is a multi-word dictionary attack something that attackers do? Maybe I’m missing something here, but aren’t we arguing over which is better, when the “better” depends on the method of attack?

                  Also: Seems like throwing some proper nouns into the word list would help. Throw a Sepheroth, Spira, Istanbul, Magna Carta, James K Polk, or Jupiter in there and the words should be more memorable and harder to attack. Just throwing in the name of a town that’s 500 kilometers from you should make a massive difference. Are the attackers going to have a word list of every city in the world?

                  (Again, this is assuming you’re being attacked in general. If you’re being attacked specifically by someone who knows who you are, then… pffft. I dunno. Depends on the attacker.)

                  To be clear, I’m not really arguing with you. I’m actually interested in this and curious and trying to get my head around what sort of scenarios we’re talking about.

                  1. Zukhramm says:

                    I don’t really know much about brute force attacks, but to use one for attacking a specific person seems odd. What you’d do is hope they’d filled in the pre-chosen “secret” questions, hope their e-mail has been closed so you can re-register it or just contact support and act like you know what you’re talking about until they give you some information they’re not supposed to. It’s bypassing the password completely, and it’s surprisingly easy.

                    Don’t ask.

                  2. krellen says:

                    If no one was doing “four random words” checks before that XKCD comic came out, they are now. Obviously, the math involved means they’re still pretty safe, but the math Randall Munroe was using in his examples assumed crackers would be using dictionary attacks, not brute force.

                    Throwing proper names in there is a pretty good plan, at least for the “stranger attack” (that is the most likely form). Somewhat less so to protect against an “acquaintance attack” (for lack of a proper term for the sort where you are specifically targeted.)

                    However, it still takes a LOT of word space to get competitive with a good random-seeming password of moderate length. Push your standard to 10 or 12 characters (the government uses 15 as a minimum) and there’s pretty much no way of mixing up words that beats it. Just adding some padding to the end of your password is a good start (“d0G……………” is a surprisingly secure password, for instance.)

                    1. Thomas says:

                      If you’re being smart, incorporating names into your methods is probably even better than starting with dictionary words. By 1000 names we’re getting down to ‘Eliezer’ for a boy so it probably doesn’t need to hugely expand your dictionary
                      http://www.behindthename.com/top/lists/us/1990

                      You get a good 50% of names just from the top 100

                    2. Uristqwerty says:

                      Why not take a highly memorable string of words, then rot13 part of it? If they aren’t expecting rot13, they’d have to brute force it; if they are, it still greatly increases the number of combinations. More realistically, it’s not the sort of thing I would expect someone trying to crack passwords to use early, as it significantly multiplies the possible passwords and, as far as I know, it is not something commonly seen in comics and other media.

                      More importantly, it’s simple enough to work out by hand if you remember the highly memorable string and the pattern for what parts are altered.

                      Since you already have the passphrase broken up into sections (alternating rot13 and not), you could then add an extra layer of obfuscation. Perhaps take all the vowels and move them to the end of that portion of the password. So, CorrectHorseBatteryStaple, grouped into 7s becomes CorrectUbefrOntteryStncyr and then CrrctoebfrnUeOttrSteyncry, which is long, obviously not English, and still easy to reproduce because each of the steps is a fairly simple concept.

                    3. Zukhramm says:

                      You’d need between half and two thirds as many words as character to match a random character password.

                      Replied to the wrong post.

            2. Shamus says:

              Clearly NOT brute force:

              “Hi, I’m from World of Warcraft security and there’s a problem with your account. Please send me your login and I’ll fix it for you!”

              Clearly brute force:

              Let’s just try every possible combination of characters, in order.

              The stuff that confuses me:

              We suspect that this user is using 4 random words from the dictionary. Let’s try them all.

              It’s actually got a little bit of both. You know (or suspect) something about the password, but you’re still obliged to guess from a huge possibility space. There’s this gradient between the two and I’ve never been able to tell where you draw the line.

              1. Calling back to a comment you once made in Spoiler Warning, is this form of hacking called a “Wheatley?”

                1. DGM says:

                  I think it was Rutskarn who came up with that, although Shamus strongly approved. That was from the DX3 season, wasn’t it?

              2. krellen says:

                “Brute force” is a term used to specifically mean “trying every character”. The sort of attack that uses words and patterns to try to guess passwords quicker is called a “dictionary attack”.

                Colloquially, there may not be any real difference between those two, but they do mean different things to professionals.

                (While I suspect pretty much everyone is familiar with the term by now, that first example is specifically called a “phishing attack”.)

                1. Zukhramm says:

                  Though more generally, outside of security terminology, they’re both brute force type solutions.

                2. I thought “trying every character” was something you did with an RPG, if it’s really fun.

                3. Abnaxis says:

                  I’m sort of curious–has there been any record of a hacker tool actually intelligently guessing passwords, other than randomly?

                  What I’m thinking of is: take one of those compromised servers that stupidly, stupidly stored their passwords in plain-text format (PSN I’m looking at you) and use that to create a Bayesian generator to plug through the most likely candidates first, similar to how language interpreters work (“if I see the word ‘doctor,’ ‘sutures’ is more likely to come up later in the sequence than ‘bungee'”). Bonus points if they actually do use personal and account information to inform their model.

                  The thing I’m trying to get at is, unless your password is completely 100% randomly generated (words or characters), there’s a pattern someone can pick up on. All the tricks Amazon and Google use on BIG DATA can work equally well on compromised passwords as they do shopping histories and search terms (and let’s face it, sticking a zero in for an ‘O’ isn’t at all novel–a well-constructed hack tool will not be all that fazed)

                  1. krellen says:

                    The short answer is yes. Every leaked password list is another set of patterns for programmers to build their cracking software around.

                    But humans are still infinitely better at determining patterns than computers, so while a person might be able to look at a password list and quickly determine patterns used to construct the passwords, translating that ability into language the computer can use to reconstruct the password is another matter altogether. Simple patterns (word+numbers) are pretty easy to program. Complex patterns (split the number, insert word inside) are somewhat harder. Just because your pattern can be cracked doesn’t necessarily mean it’ll find its way into a botnet.

    2. Deadfast says:

      Modern passwordcracking tools *rely* on bruteforcing combinations formed from wordlists

      No, they don’t. Dictionary attacks rely on using single words, they don’t combine them. And even if they did, you could just stick a single symbol into the pass phrase (“correct!Horsebatterystaple.”) and throw a monkey wrench into the whole process.

      1. Thomas says:

        Here’s a blog post about that comic
        http://xato.net/passwords/analyzing-the-xkcd-comic/

        The summary is, he’s sort of right because length is king in passwords, but actually you need to do that alpha-numeric/random capitalisation thing too if possible

        (Also if everyone does the word method then everyone will start cracking it with dictionaries and adding random letters to the string would be part of that method. The blog says ‘2,879’ isn’t listed in a dictionary, but actually that’s just a combination of the words two, thousand, etc)

        EDIT: Also wouldn’t mind info on how to tell your computer is infected. Always paranoid about that

        1. Wes1180 says:

          26^11 assumes that they are all lower case and just letters, as soon as you add in upper case and numbers it becomes something like 62^11 right? And that’s still not taking into account other characters like these !:[‘#*

          At least I think that’s right.

          1. Thomas says:

            Sorry I’d completely edited the post you responded to before I saw your response! I decided to get rid of it because there must be some computer/cryptography thing I’m missing, because when you add in capitals and numbers that number skyrockets so large that even quite weak passwords seem to be secure. The XKCD comic was talking about bits so maybe that means something different than what I was imagining

            (Or do they do the thing where they convert/round everything to powers of two? Anyway I don’t know which is why I removed the post)

            1. Bryan says:

              The xkcd entropy estimations depend on *RANDOMLY* choosing the four words. Out of a list of, say, ~100k words in my /usr/share/dict/words file, choosing four of them *at random* (…say, via “shuf -n 4 /usr/share/dict/words”), assuming a strong randomness generator, gives about 16-17 bits of entropy per word. The comic has 11 bits per; must be a shorter list.

              And because it’s a random set of words, dictionary-based tools are *completely and utterly useless* against cracking it. You can’t break a password into chunks (like, for instance, you can do to a physical lock) to linearize the cost; you have to get everything right or you get no extra information.

              But all of this requires that the words be random. You can’t just choose words in your head.

              1. Thomas says:

                Realistically speaking if people don’t know what a word means then it’s probably going to be hard to use as a password plus people are going to struggle to come up with random words. If you have a dictionary you can flick pages but otherwise it would take a small amount of effort to use a dictionary site to do that and lots of people won’t put in that effort. They’ll just take words out of their head which greatly reduces the randomness

                1. Bryan says:

                  While what you say is true, people who do that aren’t following the xkcd comic either. :-)
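The arithmetic that runs through this thread (Bryan’s 10^20 versus 2^64, the comic’s 11 bits per word from a 2k list, Bryan’s 16-17 bits per word from a ~100k-word dictionary file, Thomas and Zukhramm’s letters-versus-words comparison, and Zukhramm’s “half to two thirds as many words as characters”) fits in a few functions. The Python below is an added example, not code from the post or from any commenter. The guess rate of 1,000 per second is an assumption, and the word list in the demo is a constructed stand-in for /usr/share/dict/words; `random_passphrase` is the `shuf -n 4` step done with a CSPRNG, which is the part the thread keeps coming back to: the bits only exist if the words were actually drawn at random.

```python
"""Password-space arithmetic for the passphrase-vs-gibberish argument.

Added example; not code from the post or the commenters. The guess rate is
an assumption passed in by the caller, and the list sizes used in the demo
are the ones quoted in the thread (2,000 for the comic, ~100,000 for a
dictionary file).
"""
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def combinations(symbols: int, length: int) -> int:
    """Distinct secrets when `length` symbols are drawn uniformly, with
    replacement, from a pool of `symbols` choices."""
    if symbols < 1 or length < 1:
        raise ValueError("pool size and length must be positive")
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy in bits of such a secret: length * log2(symbols). Only valid
    when every symbol is chosen at random; words picked 'in your head' are
    not uniform and carry far fewer bits than this says."""
    return length * math.log2(symbols)


def equivalent_words(symbols: int, length: int, wordlist_size: int) -> float:
    """How many random words from a list of `wordlist_size` carry the same
    entropy as `length` random symbols from a pool of `symbols`."""
    return entropy_bits(symbols, length) / math.log2(wordlist_size)


def years_to_exhaust(symbols: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a fixed guess rate (an
    assumption; real rates depend on the target). An average attack succeeds
    at about half this figure."""
    return combinations(symbols, length) / guesses_per_second / SECONDS_PER_YEAR


def random_passphrase(wordlist, count: int, sep: str = " ") -> str:
    """Pick `count` words uniformly at random with a CSPRNG (the `shuf -n 4`
    step from the thread). The entropy figures above only apply to output
    from something like this, not to words recalled from memory."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    # Constructed stand-in for /usr/share/dict/words.
    wordlist = ["correct", "horse", "battery", "staple", "equus", "jupiter", "istanbul", "spira"]
    print("passphrase:", random_passphrase(wordlist, 4))
    cases = {
        "4 words from 2,048 (the comic's 11 bits/word)": (2048, 4),
        "4 words from 99,171 (a dict file)": (99171, 4),
        "8 random bytes (256 symbols)": (256, 8),
        "8 chars from the full keyboard (95)": (95, 8),
        "3 random upper/lower letters (52)": (52, 3),
    }
    for label, (pool, n) in cases.items():
        print(f"{label}: {entropy_bits(pool, n):.1f} bits, "
              f"{years_to_exhaust(pool, n, 1000):.0f} years at 1,000 guesses/s")
    print("words of 2,000 per random keyboard character:",
          round(equivalent_words(95, 1, 2000), 2))
```

Two things fall out of running it: the 2^44 space of the comic takes about 557 years to exhaust at 1,000 guesses per second, which is where the “550 years” figure quoted above comes from, and a 95-symbol keyboard character is worth about 0.6 words from a 2,000-word list, the ratio Zukhramm states. The function names and the 1,000/s rate are this example’s own choices.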

    3. Rax says:

      Someone didn’t read the alt-text of that comic :P

    4. X2-Eliah says:

      Oh, yes, forgot to add a disclaimer: I just generally dislike XKCD and will rag on them at every opportunity beyond reason. It’s sort of like Shamus&Bethesda type situation, I suspect.

      Anyway. Passwords and passphrases all have serious issues, imo – until we finally get either proper two/three-step verifications (e.g. google’s two-stage auth) or, better yet, biometric passes (for sake of argument, let’s ignore the ‘my fingerprint reader is not working all that well’ – I know, but this is talking about the principle and concept. If your laptop’s fingerprint reader is wonky, then site X’s passwords are all saved in plaintext / unsalted hash and most of them are “passw0rd” anyway. All situations can have best and worst scenarios, let’s not debate that, kay?).

      Also – regarding the “easier to remember” thing.. Well, is that truly true? Have you ever had to enter any of those “we give a question, you type your answer that you gave us a few months or years ago” (e.g. What is your mom’s maiden name, or what street did you grow up on, or what is your favourite sport, etc. etc.)? Those *already* have a set context, and a set scope in factual reality, *and* are things you’d normally sort of know. With a passphrase, what it is is essentially the same – you are answering a question (except here the question exists only in your mind) and only you know the answer. So, can you deal easily with those security questions? Because I sure as hell can’t. Usually it is just a two or three word answer, and STILL I can’t recall if I used the capital letter or not, if I was making a joke back then or being serious, if I used punctuation or not… And that’s when you *do* know the context, the facts, and the question. Now, what if you forgot the question itself? You just have some “socialnetworksiteNr1043” and a password box, and you plan to remember that for this site you made up a pretty picture of a fat cow reviewing a videogame whilst intoxicated, to give the answer ‘cowgamejoystickbooze’? Yeah, ain’t gonna happen.

      Bottom line: if people can forget and mistype passwords, they can forget and mistype passphrases. Heck, more so with passphrases – a passphrase is just a bunch of passwords stuck together.

      1. Zukhramm says:

        A sequence of words has the advantage of having meaning, and perhaps the context of each other to make remembering them easier, with the disadvantage (for memory) of having a much larger pool of choices. I have no evidence for it, but given a set of random words and a set of random characters of equal number, I do believe I’d remember the words more easily.

      2. Bryan says:

        The problem with your security-question comment isn’t that you’re using words. The problem is that you aren’t using the password for several months at a time. Of *course* you’ll forget it in that case.

    5. silver Harloe says:

      Why pick one or the other?

      Take that 8-12 character gibberish password you’ve spent months training your fingers to type: say xR6Qh@8imw

      Now pick 4 words from the dictionary. Actually thumb through a dictionary, don’t just use words you can think of, because your vocabulary is orders of magnitude smaller than the number of words in English. Say: correct horse battery staple

      Know a foreign language? Great! Translate one of the words to that language. Otherwise, look for the “from the French or Latin or German …” etymology bit in the definition. So I’ll be using equus for horse.

      Don’t just use the base word. Try one of the other forms, like staple (as a verb) can be stapled or stapling.

      Pick a random spot to insert your lovingly memorized gibberish password.

      Now you have a fairly easy to remember wrapper for your harder to remember but-you-already-memorized-it gibberish password. For bonus points, capitalize a random letter or three in the wrapper.

      correctequUsbatterxR6Qh@8imwystApling

      1. X2-Eliah says:

        “fairly easy to remember” HA! oh sorry, but… yeeeah no, all that kerfuffle is not easy to remember at all. If *that* is easy to remember, then the original password that xkcd dissed is easy to remember too.

      2. Syal says:

        I always shift letters left or right, so “everyday password” becomes “wbwttsst [DAEITS”. Easy to remember.

      3. Daemian Lucifer says:

        You don’t even have to use something that complicated. Simply pick one of the words to put in regular brackets, and another one to put in square brackets, and there you go. Or pick a random character, like # or $ to put in there. For example, Four20&7Years(Ago) is easy to remember, and just as secure as any 18 character gibberish you may stumble upon.

    6. Scourge says:

      That reminds me of this Newsticker from the Guild Wars 2 developers when people were complaining about all the bots and stuff and how people should pay attention to where they are browsing. Turns out the guys from GW2 have logs of logins (Who would’ve thought that) and they noticed a strange trend.

      There were logins, or attempts of, of [email protected] with various passwords and a few minore variations.

      Yes, they did try to bruteforce the account but they had lots of passwords that were once linked to said email account. Doesn’t matter if it was 1 month ago or 10 years.

      1. Humanoid says:

        Dammit, everyone’s guessing my e-mail address!

        Ahem. I like to think that I have a reasonable memory, so remembering arbitrary strings of random characters isn’t too bad as long as there aren’t many of them. But there are many of them, which is where I get lazy and potentially create weak points.

        I guess the point of this comment isn’t then about passwords themselves, but thinking strategically about what weak points I have in my Internet trail. The ends of the trails would primarily just be forum accounts and e-commerce sites.

        Compromising any one of my various forum accounts would just yield an email address (and potentially a social engineering attack if I knew anyone personally on a forum, which I don’t). Knowing my email address, of which I have several (all of which redirect to my real email address) identifies a parked domain which I own. If one of them is proving to be a spam magnet I’ll just replace it. So the chokepoint here is really my domain registrar, so I need to make sure that password is a particularly secure one. The logic for shopping sites would be a bit more complex, but follows approximately the same idea.

        Aside, how do people feel about password utilities like Lastpass or 1Password? I’m leery of them for obvious reasons, but how do you feel about them in context of the layman who’d otherwise be using very weak passwords?

        1. krellen says:

          The layman using those utilities because of their weak passwords is likely to have a weak master password, which leads to a weak single-point-of-failure that subsequently unlocks all their accounts, rather than just one.

          Those utilities are, ironically, safest in the hands of those who need them least.

    7. guy says:

      Just run antivirus and keep updating it. You won’t catch everything, but it will deal with a majority of botnets.

    8. nmichaels says:

      The dictionary I use for my hangman solver has around 200,000 words in it. 200,000^4 (4 words chosen at random) is 1,600,000,000,000,000,000,000. That’s 1.6 sextillion. If you make a 10 character password out of purely random mixed upper and lower case letters and numbers, you can have 62^10 or 83,929,936,586,834,022 possible combinations. That’s about 1/2,000th as many.

      Your concern about password reuse is legitimate, but I find that I reuse my random-character looking passwords more because they are harder to remember so I want to have fewer of them.

      The xkcd advice doesn’t compare the 4 random words approach to 10 random characters, though. It compares it to a single random word with some letters substituted in the common fashion and maybe a number tacked onto the end.

      My root passwords are very long strings (more than 20 characters) of totally random (dice are good for more than just RPGs) combinations of letters, numbers, and weird characters. I can’t remember those though, so they’re written on actual paper and kept in a physical place. Most people are not willing to go to that level of hassle. For most passwords, I’m not willing to go through that much hassle. 4 random, easy to remember words make much better passwords than tr0ubadOr1. Or whatever the other one in the example was.

      1. krellen says:

        Writing down your password is horrible. If you have to write it down, you’ve failed security on a basic level.

        1. Shamus says:

          It depends on where you write it down. If I write one down, it sits by my computer at home. If someone breaks in here, it doesn’t matter if I have it written down or not. They can just point a gun at me and ask me.

          At the office? Yeah. Writing it down in an office environment – or if you have roommates – is risky and introduces an additional point of potential failure.

  4. Stranger says:

    Problem is, my parents both have machines I *know* are infected with malware. How?

    One torrents. Actively. With an attitude of “nothing can happen to ME! I’m a special snowflake” . . . until something happens, then there’s this wide-eyed “why didn’t you warn me it could be this bad for my PC?” type attitude.

    The other surfs ninety dozen different news sites and sends me crazy chain letters which they know I don’t even open to look at. Since at least three emails have come with “free courtesy trojans” I don’t open anything until they tell me I should look at it. And then I do it on their machine, because screw them for almost compromising me.

    I’m mildly certain my own machine may be, but that’s only because it’s statistically improbable for me to have escaped it. My current headache is the strange change to my bookmark/menu spacing in Chrome which messed up my filing system. Weird but I’m dealing with it.

    Edit: Sorry, the other headache is an apparent inability for my physical RAM/temporary cache to completely empty itself after playing Minecraft or watching videos on Blip/Youtube. Requiring a restart most times before I try anything strenuous.

    1. Raygereio says:

      For the record: Downloading via torrents makes you no more susceptible to malware than anything else on the Internet.
      Sure. There are torrents that either contain viruses themselves, or attempt to infect via social engineering. But the type of person that falls for that is just as likely to fall for any infection attempt via the spam in their email account.

      The important thing is using one’s common sense.

      1. Zukhramm says:

        Given that torrents rely on people actively using them I’d consider them safer than directly downloading random files.

        1. 4th Dimension says:

          Yup. First rule of torrenting: go for the torrent with the highest number of seeders (people that have already downloaded and are now offering that content to you for download), and disregard anything with less than 100 seeders, unless you are really certain that this isn’t a fake torrent.

    2. ItchyTasty says:

      That Chrome spacing weirdness can be fixed by adding --disable-new-menu-style to the end of your shortcut target

  5. “I'd just be banning individual members of an amorphous blob.”

    Headline: BLOGGER LAMENTS INABILITY TO BAN FAT PEOPLE. Anonymous promises revenge, reportedly planning on sending many unsolicited pizzas to blogger’s address.

    1. Daemian Lucifer says:

      Wait, I only have to enrage Anonymous in order to get free food?

      1. Zombie says:

        Where can I sign up for this?

      2. Rax says:

        It’s not free, the pizza-guy will ask you to pay for the pizza “you ordered” :P

        1. Scourge says:

          The pizza where rule34 pictures were drawn on. On request.

        2. Daemian Lucifer says:

          I don’t know about the place where you live, but here you cannot order a pizza if you don’t give your home phone number. Yes, it sucks that you cannot order via a cell phone (unless you are a regular customer), but there are no pranks like that.

          1. I’ve used my cell phone number on several occasions. I think Anonymous (the part of it that’s more savvy, anyway) can spoof a home phone number quite easily. Joking aside, a group attacked a security blogger by calling 911 and having a SWAT team sent to his house by tricking the 911 system into thinking the call was coming from the blogger’s house.

            I didn’t mean to get all serious, there. Oops.

            Anyway, I can’t see pizza companies keeping up the “no cell phone” policies for long without giving up deliveries, as a great many people are using cell phones as their sole means of communication.

          2. Zukhramm says:

            I didn’t even know people still had home phone numbers.

  6. StranaMente says:

    This attack wouldn't be possible if large numbers of people didn't allow their machines to be compromised.
    This is my problem. I regularly check my PC for viruses with Microsoft Security Essentials, I run weekly checks with Spybot Search & Destroy, I use CCleaner to erase all unwanted/unneeded files and check automated and planned processes at start-up, and still I’m pretty sure there might be something malicious running, since no single antivirus can catch everything.
    And even completely computer illiterate people are not “allowing” their computer to be infected.
    What I’m saying is that people that make viruses, trojans and other malware should get a life and stop bothering everyone else.

    1. Raygereio says:

      And even completely computer illiterate people are not “allowing” their computer to be infected.

      You can use the best security software available to fortify your computer and block all automated malware infection setups, but that still won’t do you any good if you decide to be dumb and trust that flashing banner ad that says you’ve won a prize or the phone call from “Microsoft support” that says you have a virus on your computer.
      I don’t know if there’s any data about this, but in my experience people do generally “allow” it. In some cases you could argue that anyone could have fallen for that trick, but very often people just decided to be dumb and not use their brain.

      But to be fair, at times there really isn’t anything anyone could have done and you just got infected by something that no security software could have picked up from visiting a news website or something that was previously safe.

      What I’m saying is that people that make viruses, trojans and other malware should get a life and stop bothering everyone else.

      That would be nice. But it’s no more realistic than all burglars getting decent jobs. Maybe one day we’ll have such a utopia, but until then the least you can do is lock your door. It won’t stop the determined guy who breaks your door down with a battering ram, but at least it’ll stop the opportunistic fellows.

      1. Scourge says:

        I think someone once had a rather fitting quote, no idea who it was. Might have been a security expert or something:

        “We can make our computers as safe as we want with hardware, software and restrictions. That still won’t fix the security problem of the guy wanting to look at porn on his PC and disabling all of our measures or circumventing them.”

        1. ehlijen says:

          Indeed, perfect security is possible.
          Device manager -> network adapter -> right click -> disable
          Repeat for all network adapters you have.

          Downside of course is that perfect security comes with pretty much unbearable inconvenience (such as no network connection). It’s a sliding scale, you have to pick where on it you want to be.

    2. Khizan says:

      And even completely computer illiterate people are not “allowing” their computer to be infected.

      They are, though.

      They’re not running anti-virus. They’re not using any kind of anti-malware. They haven’t updated anything. They’re still using the version of IE that came on their computer when they bought it 5 years ago.

      They’re not using adblock, or flashblock, or a popup blocker. They’re not double-checking “What the hell is this toolbar?” before they click yes on the installation.

      These are not difficult things to fix. These are not things you need to be a “computer person” to avoid doing.

  7. Falling says:

    The really frustrating thing about length helping prevent cracking is SO many university websites or uni financial institutes have really short password lengths.

    I’ve started using multiple words, splicing them by syllables and splitting them with numbers. But half the time I can’t use my passwords because there is some 12 character limit or something dumb like that.

    1. krellen says:

      Sites with a MAXIMUM password length always make me nervous. This implies they are handling passwords incorrectly – likely storing them in plain text. There’s really no other reason to enforce a character limit; if they are hashing your password properly, the length of your input should not matter – the hash will be the same length regardless.

      In fact, the only things that should ever know the plaintext version of your password are you and the hashing algorithm; the site can just compare the stored hash with a newly-generated hash each time you are logging in.

      Hashed passwords also protect against leaks of password lengths. Even if you don’t seed your hash (this is adding a unique value to the password to make sure the hash is unique, even for identical passwords), it still takes considerable time to crack the hashes and get passwords. With a seeded list, only the weakest of passwords (like “password”) will be compromised in any relevant timeframe.

      The only downside to hashing is that it makes the login process slightly slower (as hashing algorithms are deliberately processor-intensive). The difference in speed in most cases will be so small, however, that no one will notice.

      1. Bryan says:

        The other “downside” (actually it’s not, but people are dumb) is that hashing prevents having a password recovery system.

        Of course, the site’s password recovery system should be “here, we reset your password to random set of characters X, here’s an encrypted email containing X” (and assuming the user hasn’t forgotten their email decryption key). But far too many places think they need to have something that will email you (…in plain text… sigh…) your current password when you need to recover it.

        (Although I will admit that at least sending plain-text passwords is less bad if you force the user to change it on the first login.)

      2. krellen says:

        Where I said “seed”, I meant “salt”. To a layman it might not seem different, but these terms have specific meanings in the computer world and I apologise for mixing them up.

      3. postinternetsyndrome says:

        The worst thing is when a site sends the password in plaintext when you register. I mean what the hell, site?

        1. Falling says:

          I’ve had that too. The register email shows up with my password displayed. ??? Why ???

      4. evilmrhenry says:

        “hashing algorithms are deliberately processor-intensive”

        To clarify, *password* hashing algorithms, such as bcrypt, are deliberately processor-intensive. Common-use hashing algorithms, such as SHA, are designed to be as fast as reasonable. This is why using common-use hashing algorithms for passwords is a poor choice.
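Putting krellen’s description (salt the password, store only the hash, compare a fresh hash at login) and evilmrhenry’s clarification (use a deliberately slow password hash, not a plain SHA) into working code. This is an added example, not code from the thread or from WordPress; it uses PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash, where bcrypt, scrypt or Argon2 would play the same role in production.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the original thread. PBKDF2-HMAC-SHA256 stands in
# for bcrypt because it ships with Python; the round count is the knob that
# makes it "deliberately processor-intensive". Tune it so one hash takes
# roughly 100 ms on the login server.
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$rounds$salt$hash'.

    The hash is always 32 bytes, whether the password is 8 characters or
    800, which is why a site that hashes properly needs no maximum length.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and round count, then compare.

    The plaintext never touches storage; hmac.compare_digest avoids leaking
    how many leading bytes matched through timing differences.
    """
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def fast_unsalted_hash(password: str) -> str:
    """What evilmrhenry warns against: one plain SHA-256, no salt.

    Two users with the same password get the same hash, and an attacker can
    test candidates at the full speed of the hardware.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def stored_hash_length(record: str) -> int:
    """Length of the hash field alone, in hex characters."""
    return len(record.split("$")[3])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("wrong pw:", verify_password("Tr0ub4dor&3", rec))
```

Running the block twice on the same password prints two different records, because each call draws a new salt, while both still verify.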

      5. Cuthalion says:

        I had a bank once where the website had a max of 10 characters in the password. Don’t think it allowed non-alphanumerics, either. Actually, a lot of places don’t allow things like periods and such. Which worries me. The bank at least always asked a security question as well if you were logging in from somewhere new, and they had a brutal attempts limit (after three failed password or I think question attempts, you had to call them and give them certain info in order to get your account turned back on). But they may not have needed to be as strict there if they let you make better passwords.

    2. Abnaxis says:

      What really skeeves me about that is that it makes it impossible to come up with a good system for generating passwords. To take an example from above:

      Cy3*X7N/mZx910

      This password I just made up goes along somewhat with the Hall of the Mountain King. C y 3 star X sev-en, N slash m, Z n nine ten. Capital letters go on stressed letters in the tune

      That works, until you run into a system that forces you to exclusively use alpha-numerics. Or one that requires you to keep it under 10 characters. Oh, and don’t think you can just make your passwords REALLY long but stick to alpha-numerics (because the lack of non-alpha-numerics is the most common thing breaking my systems), because as soon as you do another site will require at least one punctuation before it will accept your password.

      I had a system that worked pretty well once, but somewhere after the tenth time I started creating a new account so I could see what the password policies were so I could figure out just what manner of modification I had to apply to make my generating algorithm work, I gave up.

      My solution is this: I only have three, maybe four places that have any information of note about me, which have unique strong passwords. If any other page wants to store any of my information, I turn that option off. If they insist on storing it, I cease using the service. That way, I can just use the same (albeit still strong) couple passwords virtually everywhere and screw it if hackers manage to add me to their list.

  8. Artur CalDazar says:

    I’m very paranoid about any kind of viruses for my computer and the main family computer. I don’t do anything that might compromise either machine, but I’m not the only person who uses the main computer which runs on XP.

    Also is it me, or is Ars Technica running a lot of news stories about this type of thing lately?

  9. Astor says:

    Unless the Singularity arrives before the next few hundred years, then *no* password will be safe!

    On a more realistic note, aren’t we all screwed the moment computing technology takes a *leap*? Like a quantum computer or some other form of revolutionary computing technology that would instantly dwarf by several orders of magnitude our most advanced supercomputer of today? They would brute-force *anything* in a matter of seconds!

    1. Viktor says:

      Then you include a 1-second minimum time before your server processes the next password. It’s not hard, and might even happen naturally if you build a serious enough hashing program.

      1. Astor says:

        Is that really foolproof? I have no idea what I’m talking about so bear with me, but could we think today about some way to bypass that kind of protective measure? A way that only needs completely fantastical processing power on part of the attacker?

      2. Abnaxis says:

        I think the problem from the singularity arises because it would defeat public-key encryption, not because they try passwords faster.

        The way I understand it, you generally send your passwords to servers using an encrypted stream, so anyone listening to traffic between your computer and the server would have to take an extraordinary amount of time to decrypt your messages and see what password you are sending.

        Quantum computing can do the math so much faster that decrypting current keys would take a reasonable amount of time (i.e. less than a thousand years with a million computers working on it concurrently), but honestly it’s not that difficult to start using bigger keys. The standards are already in place for it.

  10. Fang says:

    How safe would a password of a video game character be, with a random letter or 2 at the end? Such as, let’s say, “TifaLockhart2”, etc? My password is sorta like that, with some variants of the same setup.

    Being generic enough to not just say my password, but specific enough to get my point across was a lot harder than I thought.

    1. krellen says:

      Safe enough for casual use, probably not as safe as you’d want for something you actually care about.
