Your Passwords Suck - a lesson in security
- Vekter
- In-Game Admin
- Joined: Thu Apr 17, 2014 10:25 pm
- Byond Username: Vekter
- Location: Fucking around with the engine.
Your Passwords Suck - a lesson in security
So yeah, I got hacked today.
If you were on Manuel or Bagil this afternoon, you might have noticed that I sorta went apeshit hitting buttons and breaking things. Except that wasn't me, of course. It was some script kiddie fucks who got my password from one leak or another and decided to unban their buddy before having some fun with buttons. It's easy to blame these guys and just go about my business but, at the end of the day, it's my fault for my password sucking.
Now, thankfully, the headmins let me know that things had gone south so I could fix them and I'm now unbanned. I replaced most of my passwords with unique random strings and saved them using a password manager that's secured with two factor authentication. In basic terms, my passwords are long and hard to guess and stored in a database that's hard to break into with a longer and more complex password which, also, requires a second code from my phone to unlock.
The moral of the story is not to assume your accounts are safe or that you're safe from getting hacked because you know what you're doing. Safety on the internet is a zero sum game that I ended up losing. Given what I know about the people who did this, I'm very lucky that my paypal and bank passwords were unique when this happened or I'd be in a lot of shit.
My admin should hopefully be restored within the next day or two and we can go back to being angry at me for being mean to you. I'm not going to tell you it's not going to happen again because that'd be ridiculous and about as arrogant as I was about the situation to begin with. But I'm damn sure gonna do what I can to keep it from happening again.
Y'all are lowkey a bunch of good folks and I enjoy playing with you.
- terranaut
- Joined: Fri Jul 18, 2014 11:43 pm
- Byond Username: Terranaut
Re: Your Passwords Suck - a lesson in security
Just use long, unique passwords
The longer a password the more difficult it is to bruteforce and gibberish won't save you from some garbage website leaking your plaintext password
2fa is nice but you're overdoing it, it's like people who've had a break in suddenly hiring a security consultant instead of making sure their locks and frames are good and getting insurance.
- Vekter
- In-Game Admin
- Joined: Thu Apr 17, 2014 10:25 pm
- Byond Username: Vekter
- Location: Fucking around with the engine.
Re: Your Passwords Suck - a lesson in security
I don't really think 2FA is overdoing it. I don't require it for all of my logins, just to access my password manager. Considering it has a lot of logins attached to it, I feel like it's mandatory for a setup like this.
-
- Joined: Fri Nov 10, 2017 12:16 am
- Byond Username: Tlaltecuhtli
Re: Your Passwords Suck - a lesson in security
lol just dont use the same pw on different things
-
- Joined: Tue Oct 29, 2019 2:00 am
- Byond Username: Jack7D1
Re: Your Passwords Suck - a lesson in security
Password requirements result in less secure passwords. The only requirement should be >8 characters.
Tip for making a good password, think of three random words. Congrats you have a password that will be impossible to brute force.
- Lumbermancer
- Joined: Fri Jul 25, 2014 3:40 am
- Byond Username: Lumbermancer
Re: Your Passwords Suck - a lesson in security
https://keepass.info/download.html
use this, safe, only need to remember one password
my master password is 25 characters long, uncrackable for maybe the next 10-20 years until they perfect quantum computing
and every individual password has 130 bits of entropy
- wesoda25
- Joined: Thu Aug 10, 2017 9:32 pm
- Byond Username: Wesoda25
Re: Your Passwords Suck - a lesson in security
What was your old password
- NoxVS
- In-Game Admin
- Joined: Sun Apr 22, 2018 7:43 pm
- Byond Username: NoxVS
Re: Your Passwords Suck - a lesson in security
The weak should fear the strong
thehogshotgun wrote:How does having jannies like you, who have more brain tumor than brain benefit the server
- bobbahbrown
- Joined: Mon Nov 10, 2014 1:04 am
- Byond Username: Bobbahbrown
- Location: canada
- Contact:
Re: Your Passwords Suck - a lesson in security
terranaut wrote: ...2fa is nice but you're overdoing it...
this is an incredibly bad take
Jack7D1 wrote: Tip for making a good password, think of three random words. Congrats you have a password that will be impossible to brute force.
also bad take
Last edited by bobbahbrown on Fri May 15, 2020 5:22 pm, edited 1 time in total.






-
- Joined: Tue Oct 29, 2019 2:00 am
- Byond Username: Jack7D1
Re: Your Passwords Suck - a lesson in security
2fa should be a requirement for admins
- terranaut
- Joined: Fri Jul 18, 2014 11:43 pm
- Byond Username: Terranaut
Re: Your Passwords Suck - a lesson in security
bobbahbrown wrote:
terranaut wrote: ...2fa is nice but you're overdoing it...
this is an incredibly bad take
in my defense i worded that poorly, 2fa IS nice and definitely a must for a password manager; i just think he is overdoing it, in general
- NikNakFlak
- In-Game Admin
- Joined: Thu Apr 17, 2014 5:08 pm
- Byond Username: NikNakflak
Re: Your Passwords Suck - a lesson in security
terranaut wrote:
bobbahbrown wrote:
terranaut wrote: ...2fa is nice but you're overdoing it...
this is an incredibly bad take
in my defense i worded that poorly, 2fa IS nice and definitely a must for a password manager; i just think he is overdoing it, in general
bad take. Use 2fa WHENEVER you can. Congrats you just added way more security for 10 seconds of your time. Use a password manager that has a password generator in it. You can set the length to hella long with symbols and numbers.
Sure you won't remember it but if you really need to remember a password, use the phrase method with numbers and symbols as well, and it's minimized since you only have to remember a few passwords. Otherwise, changing passwords isn't bad now either since it's a random string and you just have to generate a new one.
don't be stupid terranuts
-
- Joined: Fri Nov 10, 2017 12:16 am
- Byond Username: Tlaltecuhtli
Re: Your Passwords Suck - a lesson in security
wesoda25 wrote:What was your old password
- oranges
- Code Maintainer
- Joined: Tue Apr 15, 2014 9:16 pm
- Byond Username: Optimumtact
- Github Username: optimumtact
- Location: #CHATSHITGETBANGED
Re: Your Passwords Suck - a lesson in security
In order of usefulness to people
1) stop reusing passwords
2) This will make the task of remembering passwords much harder, use a password store, online or not, doesn't matter, secure this store with your one strong password
3) now you can make individual site passwords 25 character random strings of letters, numbers and symbols as you will not be having to remember them so why not.
Congratulations, you're safer than 99% of your peers.
4) add two factor auth to services that have credit card details and your password store or access to personal, sensitive information.
On 2FA
totp is easy to setup, but inconvenient to use, as you have to type a time bound code.
A hardware token like yubikey is very convenient (literally just a push button on the token that can travel with you) but you need to get at least two (in case you lose one) and sign them both up to supporting websites. I use this configuration and it's very low friction once the initial setup is done. One token stays at home in a secure location, the other comes with me around my neck (It's on a lanyard with other important keys)
A middleground is something like DUO, where it uses your phone plus an app to push login notifications.
Oh and with regard to strong passwords, you can make very strong passwords by simply rolling dice with a word list
https://theworld.com/~reinhold/diceware.html
easier to remember than one using symbols/numbers, and as long as you have about six-eight words, you're in good strength territory.
This is how you should generate the password that is then used for your password store.
-
- Joined: Fri Nov 10, 2017 12:16 am
- Byond Username: Tlaltecuhtli
Re: Your Passwords Suck - a lesson in security
want a strong password?
aaaaaaaaaaa69aaaaaaaaaaaaa
- Armhulen
- Global Moderator
- Joined: Thu Apr 28, 2016 4:30 pm
- Byond Username: Armhulenn
- Github Username: bazelart
- Location: The Grand Tournament
Re: Your Passwords Suck - a lesson in security
oranges wrote: In order of usefulness to people
1) stop reusing passwords
2) This will make the task of remembering passwords much harder, use a password store, online or not, doesn't matter, secure this store with your one strong password
3) now you can make individual site passwords 25 character random strings of letters, numbers and symbols as you will not be having to remember them so why not.
Congratulations, you're safer than 99% of your peers.
4) add two factor auth to services that have credit card details and your password store or access to personal, sensitive information.
On 2FA
totp is easy to setup, but inconvenient to use, as you have to type a time bound code.
A hardware token like yubikey is very convenient (literally just a push button on the token that can travel with you) but you need to get at least two (in case you lose one) and sign them both up to supporting websites. I use this configuration and it's very low friction once the initial setup is done. One token stays at home in a secure location, the other comes with me around my neck (It's on a lanyard with other important keys)
A middleground is something like DUO, where it uses your phone plus an app to push login notifications.
Oh and with regard to strong passwords, you can make very strong passwords by simply rolling dice with a word list
https://theworld.com/~reinhold/diceware.html
easier to remember than one using symbols/numbers, and as long as you have about six-eight words, you're in good strength territory.
This is how you should generate the password that is then used for your password store.
1. already done
2. already done
3. already done
4. already done
nobody is gonna crack into my super mario 64 120 stars done in 0 a presses video vault
- saprasam
- Joined: Fri Nov 16, 2018 11:42 pm
- Byond Username: Saprasam
Re: Your Passwords Suck - a lesson in security
oranges wrote: In order of usefulness to people
1) stop reusing passwords
2) This will make the task of remembering passwords much harder, use a password store, online or not, doesn't matter, secure this store with your one strong password
3) now you can make individual site passwords 25 character random strings of letters, numbers and symbols as you will not be having to remember them so why not.
Congratulations, you're safer than 99% of your peers.
4) add two factor auth to services that have credit card details and your password store or access to personal, sensitive information.
On 2FA
totp is easy to setup, but inconvenient to use, as you have to type a time bound code.
A hardware token like yubikey is very convenient (literally just a push button on the token that can travel with you) but you need to get at least two (in case you lose one) and sign them both up to supporting websites. I use this configuration and it's very low friction once the initial setup is done. One token stays at home in a secure location, the other comes with me around my neck (It's on a lanyard with other important keys)
A middleground is something like DUO, where it uses your phone plus an app to push login notifications.
Oh and with regard to strong passwords, you can make very strong passwords by simply rolling dice with a word list
https://theworld.com/~reinhold/diceware.html
easier to remember than one using symbols/numbers, and as long as you have about six-eight words, you're in good strength territory.
This is how you should generate the password that is then used for your password store.
thanks doc
-
- Joined: Tue Oct 29, 2019 2:00 am
- Byond Username: Jack7D1
Re: Your Passwords Suck - a lesson in security
Oranges exercises levels of security that would suggest that he works for a data handling/engineering company.
Well done, sir, especially if this is not the case
- BeeSting12
- Joined: Sat Apr 16, 2016 1:11 am
- Byond Username: BeeSting12
- Github Username: BeeSting12
- Location: 'Murica
Re: Your Passwords Suck - a lesson in security
I have a potentially dumb question so please don’t yell at me. Everyone says a combination of random characters 25 characters long is the best, but what makes several words equal to 25 characters worse than that? A brute force hacking attempt trying combinations of characters would theoretically take just as long to break it, right? It’s still 25 characters, just happens to be something a human being can remember. What makes something like MyFordMustangIsCherryRedAndFast worse than -$7,6391’xyqhdkxi1835.)/&oqpeir2772?
Another potentially dumb question: How do I know these password stores are secure and not just trying to take my info? I personally use Google Chrome’s password saving thing anyway so I’m fairly sure they can steal my private info even more than they already do, but I also doubt Google is interested in my tgstation forums account or college passwords.
- Kel
- Joined: Sun Aug 10, 2014 1:04 am
- Byond Username: Jaraxxus
Re: Your Passwords Suck - a lesson in security
BeeSting12 wrote: I have a potentially dumb question so please don’t yell at me. Everyone says a combination of random characters 25 characters long is the best, but what makes several words equal to 25 characters worse than that? A brute force hacking attempt trying combinations of characters would theoretically take just as long to break it, right? It’s still 25 characters, just happens to be something a human being can remember. What makes something like MyFordMustangIsCherryRedAndFast worse than -$7,6391’xyqhdkxi1835.)/&oqpeir2772?
math theory
-
- Joined: Tue Oct 29, 2019 2:00 am
- Byond Username: Jack7D1
Re: Your Passwords Suck - a lesson in security
Strings of random words are easier to remember and really only sacrifice half the security. The big kicker is length. Longer passwords exponentially increase your security no matter what it's made of.
- oranges
- Code Maintainer
- Joined: Tue Apr 15, 2014 9:16 pm
- Byond Username: Optimumtact
- Github Username: optimumtact
- Location: #CHATSHITGETBANGED
Re: Your Passwords Suck - a lesson in security
BeeSting12 wrote: I have a potentially dumb question so please don’t yell at me. Everyone says a combination of random characters 25 characters long is the best, but what makes several words equal to 25 characters worse than that? A brute force hacking attempt trying combinations of characters would theoretically take just as long to break it, right? It’s still 25 characters, just happens to be something a human being can remember. What makes something like MyFordMustangIsCherryRedAndFast worse than -$7,6391’xyqhdkxi1835.)/&oqpeir2772?
Another potentially dumb question: How do I know these password stores are secure and not just trying to take my info? I personally use Google Chrome’s password saving thing anyway so I’m fairly sure they can steal my private info even more than they already do, but I also doubt Google is interested in my tgstation forums account or college passwords.
The problem is people don't randomly select their words, so the search space is usually decreased, and adding symbols/numbers increases the search space of the password (as there are now more symbols than a-zA-Z)
It's not worse necessarily, and it's recommended to use a passphrase like `RandomListofWordsTogether` for the password you have to remember (for your password store).
But your password generator on your password store will usually just randomly generate 25 character random strings of symbols/numbers/letters and there's no reason to use them (they're also shorter than an equivalent strength passphrase, so you don't have issues with max password limit on sites).
As to the password stores, you don't always know that, but if you use a service with many users, you're likely in good company, you want to look for ones that claim in their marketing material that they encrypt users data clientside (so they never have the unencrypted data) and also have good press. Some examples: bitwarden, 1password, as you mentioned, chrome password store.
The main Point however, is having to trust a single company, the one who manages your password store (if you choose to use an online one), is better than having to trust the companies behind every single website you use because you share one password across all of them. It's easier to vet a single company for their security/software skills than hundreds, and to get this experience, you need a password store (so every other site has a random password that isn't shared).
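As an added illustration of the search-space argument in this reply and of the dice-rolling method oranges described earlier (this is example code, not something any poster wrote), the script below turns five-dice Diceware rolls into word-list positions and puts numbers on the comparison: 25 uniformly random printable characters, six to eight dice-chosen words, and the same number of words picked from a small everyday vocabulary. The word list passed in is a constructed placeholder; the real Diceware list has 7776 entries, and only the list size enters the entropy maths.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words, one per five-dice roll
PRINTABLE_ASCII = 94          # letters, digits and symbols a generator picks from


def roll_diceware_key(rng=secrets.randbelow):
    """Roll five dice (CSPRNG by default) and return the key as printed on the
    Diceware list, e.g. '36245'."""
    return "".join(str(rng(6) + 1) for _ in range(5))


def key_to_index(key):
    """Map a five-digit dice key to its 0-based position in the 7776-word list.
    The key is a base-6 number with digits 1-6 standing for 0-5."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError("a Diceware key is exactly five digits in the range 1-6")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def passphrase_from_rolls(word_list, word_count, rng=secrets.randbelow):
    """Build a passphrase by rolling dice for each word; words are joined by spaces."""
    if len(word_list) != DICEWARE_LIST_SIZE:
        raise ValueError("Diceware needs a list of exactly 7776 words")
    return " ".join(word_list[key_to_index(roll_diceware_key(rng))]
                    for _ in range(word_count))


def random_string_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy in bits of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, list_size=DICEWARE_LIST_SIZE):
    """Entropy in bits of a passphrase whose every word was chosen uniformly from
    a list of list_size words. A human-picked phrase effectively draws from a
    much smaller list, which is what shrinks its search space."""
    return word_count * math.log2(list_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of dice-chosen words reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    # Constructed placeholder list so the demo runs offline; use the real list.
    placeholder_list = [f"word{i}" for i in range(DICEWARE_LIST_SIZE)]
    print("sample passphrase:", passphrase_from_rolls(placeholder_list, 6))
    print(f"25 random printable chars : {random_string_bits(25):6.1f} bits")
    for n in (6, 7, 8):
        print(f"{n} Diceware words          : {passphrase_bits(n):6.1f} bits")
    # Same word count, but picked from a 2000-word everyday vocabulary
    print(f"6 'everyday' words         : {passphrase_bits(6, 2000):6.1f} bits")
    print("words for 128 bits         :", words_needed(128))
```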
- Vekter
- In-Game Admin
- Joined: Thu Apr 17, 2014 10:25 pm
- Byond Username: Vekter
- Location: Fucking around with the engine.
Re: Your Passwords Suck - a lesson in security
The only thing I don't like about Yubikey is how expensive it is to start out (minimum of $90) and how most password lockers charge for support for it