Your Passwords Suck - a lesson in security


Vekter
In-Game Admin
 
Joined: Thu Apr 17, 2014 10:25 pm
Location: Fucking around with the engine.
Byond Username: Vekter

Your Passwords Suck - a lesson in security

Postby Vekter » Fri May 15, 2020 8:32 am #561878

So yeah, I got hacked today.

If you were on Manuel or Bagil this afternoon, you might have noticed that I sorta went apeshit hitting buttons and breaking things. Except that wasn't me, of course. It was some script kiddie fucks who got my password from one leak or another and decided to unban their buddy before having some fun with buttons. It's easy to blame these guys and just go about my business but, at the end of the day, it's my fault for my password sucking.

Now, thankfully, the headmins let me know that things had gone south so I could fix them and I'm now unbanned. I replaced most of my passwords with unique random strings and saved them using a password manager that's secured with two factor authentication. In basic terms, my passwords are long and hard to guess and stored in a database that's hard to break into with a longer and more complex password which, also, requires a second code from my phone to unlock.

The moral of the story is not to assume your accounts are safe or that you're safe from getting hacked because you know what you're doing. Safety on the internet is a zero sum game that I ended up losing. Given what I know about the people who did this, I'm very lucky that my paypal and bank passwords were unique when this happened or I'd be in a lot of shit.

My admin should hopefully be restored within the next day or two and we can go back to being angry at me for being mean to you. I'm not going to tell you it's not going to happen again because that'd be ridiculous and about as arrogant as I was about the situation to begin with. But I'm damn sure gonna do what I can to keep it from happening again.

Y'all are lowkey a bunch of good folks and I enjoy playing with you.


Spoiler:
Reply PM from-REDACTED/(REDACTED): i tried to remove the bruises by changing her gender

PM: Bluespace->Delaron: Nobody wants a mime's asscheeks farting on their brig windows.

PM: REDACTED->HotelBravoLima: Oh come on, knowing that these are hostile aliens is metagaming

[17:43] <Aranclanos> any other question ping me again
[17:43] <Vekter> Aranclanos for nicest coder 2015
[17:44] <Aranclanos> fuck you



terranaut
 
Joined: Fri Jul 18, 2014 11:43 pm
Byond Username: Terranaut

Re: Your Passwords Suck - a lesson in security

Postby terranaut » Fri May 15, 2020 8:39 am #561879

Just use long, unique passwords.
The longer a password, the more difficult it is to brute-force, and gibberish won't save you from some garbage website leaking your plaintext password.
2fa is nice but you're overdoing it, it's like people who've had a break in suddenly hiring a security consultant instead of making sure their locks and frames are good and getting insurance.

Vekter
In-Game Admin
 
Joined: Thu Apr 17, 2014 10:25 pm
Location: Fucking around with the engine.
Byond Username: Vekter

Re: Your Passwords Suck - a lesson in security

Postby Vekter » Fri May 15, 2020 9:22 am #561883

I don't really think 2FA is overdoing it. I don't require it for all of my logins, just to access my password manager. Considering it has a lot of logins attached to it, I feel like it's mandatory for a setup like this.

Tlaltecuhtli
 
Joined: Fri Nov 10, 2017 12:16 am
Byond Username: Tlaltecuhtli

Re: Your Passwords Suck - a lesson in security

Postby Tlaltecuhtli » Fri May 15, 2020 10:29 am #561891

lol just don't use the same pw on different things

Jack7D1
 
Joined: Tue Oct 29, 2019 2:00 am
Byond Username: Jack7D1

Re: Your Passwords Suck - a lesson in security

Postby Jack7D1 » Fri May 15, 2020 11:40 am #561894

Password requirements result in less secure passwords. The only requirement should be >8 characters.
Tip for making a good password: think of three random words. Congrats, you have a password that will be impossible to brute force.

Lumbermancer
 
Joined: Fri Jul 25, 2014 3:40 am
Byond Username: Lumbermancer

Re: Your Passwords Suck - a lesson in security

Postby Lumbermancer » Fri May 15, 2020 12:13 pm #561895

https://keepass.info/download.html

use this, safe, only need to remember one password
my master password is 25 characters long, uncrackable for maybe the next 10-20 years until they perfect quantum computing
and every individual password has 130 bits of entropy
aka Schlomo Gaskin aka Guru Meditation aka Copyright Alright aka Topkek McHonk aka Le Rouge

wesoda25
In-Game Admin
 
Joined: Thu Aug 10, 2017 9:32 pm
Byond Username: Wesoda25

Re: Your Passwords Suck - a lesson in security

Postby wesoda25 » Fri May 15, 2020 3:32 pm #561898

What was your old password
Wesoda25two/(Lalla Hayhurst) "WESODA DIDNT MAKE IT VERY LONG IN THIS ECONOMY"

NoxVS
In-Game Admin
 
Joined: Sun Apr 22, 2018 7:43 pm
Location: The Verge of Irrelevancy
Byond Username: NoxVS

Re: Your Passwords Suck - a lesson in security

Postby NoxVS » Fri May 15, 2020 4:53 pm #561902

The weak should fear the strong

thehogshotgun wrote:How does having jannies like you, who have more brain tumor than brain benefit the server

bobbahbrown
 
Joined: Mon Nov 10, 2014 1:04 am
Location: canada
Byond Username: Bobbahbrown

Re: Your Passwords Suck - a lesson in security

Postby bobbahbrown » Fri May 15, 2020 5:21 pm #561904

terranaut wrote:...2fa is nice but you're overdoing it...


this is an incredibly bad take

Jack7D1 wrote:Tip for making a good password, think of three random words. Congrats you have a password that will be impossible to brute force.


also bad take
Last edited by bobbahbrown on Fri May 15, 2020 5:22 pm, edited 1 time in total.

Jack7D1
 
Joined: Tue Oct 29, 2019 2:00 am
Byond Username: Jack7D1

Re: Your Passwords Suck - a lesson in security

Postby Jack7D1 » Fri May 15, 2020 5:22 pm #561905

2fa should be a requirement for admins

terranaut
 
Joined: Fri Jul 18, 2014 11:43 pm
Byond Username: Terranaut

Re: Your Passwords Suck - a lesson in security

Postby terranaut » Fri May 15, 2020 5:48 pm #561906

bobbahbrown wrote:
terranaut wrote:...2fa is nice but you're overdoing it...


this is an incredibly bad take


in my defense i worded that poorly, 2fa IS nice and definitely a must for a password manager; i just think he is overdoing it, in general

NikNakFlak
In-Game Admin
 
Joined: Thu Apr 17, 2014 5:08 pm
Byond Username: NikNakflak

Re: Your Passwords Suck - a lesson in security

Postby NikNakFlak » Fri May 15, 2020 7:06 pm #561910

terranaut wrote:
bobbahbrown wrote:
terranaut wrote:...2fa is nice but you're overdoing it...


this is an incredibly bad take


in my defense i worded that poorly, 2fa IS nice and definitely a must for a password manager; i just think he is overdoing it, in general

bad take. Use 2fa WHENEVER you can. Congrats you just added way more security for 10 seconds of your time. Use a password manager that has a password generator in it. You can set the length to hella long with symbols and numbers.
Sure you won't remember it but if you really need to remember a password, use the phrase method with numbers and symbols as well, and it's minimized since you only have to remember a few passwords. Otherwise, changing passwords isn't bad now either since it's a random string and you just have to generate a new one.

don't be stupid terranuts
REDACTED
pm for deets

Tlaltecuhtli
 
Joined: Fri Nov 10, 2017 12:16 am
Byond Username: Tlaltecuhtli

Re: Your Passwords Suck - a lesson in security

Postby Tlaltecuhtli » Fri May 15, 2020 8:32 pm #561922

wesoda25 wrote:What was your old password

oranges
Code Maintainer
 
Joined: Tue Apr 15, 2014 9:16 pm
Location: #CHATSHITGETBANGED
Byond Username: Optimumtact
Github Username: optimumtact

Re: Your Passwords Suck - a lesson in security

Postby oranges » Fri May 15, 2020 9:06 pm #561926

In order of usefulness to people
1) stop reusing passwords
2) This will make the task of remembering passwords much harder, use a password store, online or not, doesn't matter, secure this store with your one strong password
3) now you can make individual site passwords 25 character random strings of letters, numbers and symbols as you will not be having to remember them so why not.

Congratulations, you're safer than 99% of your peers.

4) add two factor auth to services that have credit card details and your password store or access to personal, sensitive information.

On 2FA
totp is easy to set up, but inconvenient to use, as you have to type a time bound code.
A hardware token like yubikey is very convenient (literally just a push button on the token that can travel with you) but you need to get at least two (in case you lose one) and sign them both up to supporting websites. I use this configuration and it's very low friction once the initial setup is done. One token stays at home in a secure location, the other comes with me around my neck (It's on a lanyard with other important keys)

A middleground is something like DUO, where it uses your phone plus an app to push login notifications.

Oh and with regard to strong passwords, you can make very strong passwords by simply rolling dice with a word list
https://theworld.com/~reinhold/diceware.html

easier to remember than one using symbols/numbers, and as long as you have about six-eight words, you're in good strength territory.

This is how you should generate the password that is then used for your password store.

Tlaltecuhtli
 
Joined: Fri Nov 10, 2017 12:16 am
Byond Username: Tlaltecuhtli

Re: Your Passwords Suck - a lesson in security

Postby Tlaltecuhtli » Fri May 15, 2020 10:53 pm #561949

want a strong password?


aaaaaaaaaaa69aaaaaaaaaaaaa

Armhulen
Global Moderator
 
Joined: Thu Apr 28, 2016 4:30 pm
Byond Username: Armhulenn
Github Username: bazelart

Re: Your Passwords Suck - a lesson in security

Postby Armhulen » Fri May 15, 2020 11:26 pm #561951

oranges wrote:In order of usefulness to people
1) stop reusing passwords
2) This will make the task of remembering passwords much harder, use a password store, online or not, doesn't matter, secure this store with your one strong password
3) now you can make individual site passwords 25 character random strings of letters, numbers and symbols as you will not be having to remember them so why not.

Congratulations, you're safer than 99% of your peers.

4) add two factor auth to services that have credit card details and your password store or access to personal, sensitive information.

On 2FA
totp is easy to set up, but inconvenient to use, as you have to type a time bound code.
A hardware token like yubikey is very convenient (literally just a push button on the token that can travel with you) but you need to get at least two (in case you lose one) and sign them both up to supporting websites. I use this configuration and it's very low friction once the initial setup is done. One token stays at home in a secure location, the other comes with me around my neck (It's on a lanyard with other important keys)

A middleground is something like DUO, where it uses your phone plus an app to push login notifications.

Oh and with regard to strong passwords, you can make very strong passwords by simply rolling dice with a word list
https://theworld.com/~reinhold/diceware.html

easier to remember than one using symbols/numbers, and as long as you have about six-eight words, you're in good strength territory.

This is how you should generate the password that is then used for your password store.

1. already done
2. already done
3. already done
4. already done

nobody is gonna crack into my super mario 64 120 stars done in 0 a presses video vault

saprasam
 
Joined: Fri Nov 16, 2018 11:42 pm
Byond Username: Saprasam

Re: Your Passwords Suck - a lesson in security

Postby saprasam » Sat May 16, 2020 2:28 am #561960

oranges wrote:In order of usefulness to people
1) stop reusing passwords
2) This will make the task of remembering passwords much harder, use a password store, online or not, doesn't matter, secure this store with your one strong password
3) now you can make individual site passwords 25 character random strings of letters, numbers and symbols as you will not be having to remember them so why not.

Congratulations, you're safer than 99% of your peers.

4) add two factor auth to services that have credit card details and your password store or access to personal, sensitive information.

On 2FA
totp is easy to set up, but inconvenient to use, as you have to type a time bound code.
A hardware token like yubikey is very convenient (literally just a push button on the token that can travel with you) but you need to get at least two (in case you lose one) and sign them both up to supporting websites. I use this configuration and it's very low friction once the initial setup is done. One token stays at home in a secure location, the other comes with me around my neck (It's on a lanyard with other important keys)

A middleground is something like DUO, where it uses your phone plus an app to push login notifications.

Oh and with regard to strong passwords, you can make very strong passwords by simply rolling dice with a word list
https://theworld.com/~reinhold/diceware.html

easier to remember than one using symbols/numbers, and as long as you have about six-eight words, you're in good strength territory.

This is how you should generate the password that is then used for your password store.

thanks doc
(FORMER) tgmc admin (I HAVE REGAINED MY HUMAN RIGHTS)

Jack7D1
 
Joined: Tue Oct 29, 2019 2:00 am
Byond Username: Jack7D1

Re: Your Passwords Suck - a lesson in security

Postby Jack7D1 » Sat May 16, 2020 12:53 pm #561994

Oranges exercises levels of security that would suggest that he works for a data handling/engineering company.
Well done, sir, especially if this is not the case.

BeeSting12
 
Joined: Sat Apr 16, 2016 1:11 am
Location: 'Murica
Byond Username: BeeSting12
Github Username: BeeSting12

Re: Your Passwords Suck - a lesson in security

Postby BeeSting12 » Sat May 16, 2020 8:30 pm #562005

I have a potentially dumb question so please don’t yell at me. Everyone says a combination of random characters 25 characters long is the best, but what makes several words equal to 25 characters worse than that? A brute force hacking attempt trying combinations of characters would theoretically take just as long to break it, right? It’s still 25 characters, just happens to be something a human being can remember. What makes something like MyFordMustangIsCherryRedAndFast worse than -$7,6391’xyqhdkxi1835.)/&oqpeir2772?

Another potentially dumb question: How do I know these password stores are secure and not just trying to take my info? I personally use Google Chrome’s password saving thing anyway so I’m fairly sure they can steal my private info even more than they already do, but I also doubt Google is interested in my tgstation forums account or college passwords.
Edward Sloan, THE LAW
Melanie Flowers, Catgirl
Borgasm, Cyborg
Spoiler:
OOC: Hunterh98: to be fair sloan is one of the, if not the, most robust folks on tg

DEAD: Schlomo Gaskin says, "sloan may be a faggot but he gets the job done"

DEAD: Rei Ayanami says, "YOU'RE EVERYWHERE WHERE BAD SHIT IS HAPPENING"
DEAD: Rei Ayanami says, "IT'S ALWAYS FUCKING EDWARD SLOAN"
oranges wrote:Bee sting is honestly the nicest admin, I look forward to seeing him as a headmin one day


[2020-05-21 01:21:48.923] SAY: Crippo/(Impala Chainee) "Shaggy Voice - She like... wants to get Eiffel Towered bro!!" (Brig (125, 166, 2))

hows my driving?

Kel
 
Joined: Sun Aug 10, 2014 1:04 am
Byond Username: Jaraxxus

Re: Your Passwords Suck - a lesson in security

Postby Kel » Sat May 16, 2020 8:33 pm #562006

BeeSting12 wrote:I have a potentially dumb question so please don’t yell at me. Everyone says a combination of random characters 25 characters long is the best, but what makes several words equal to 25 characters worse than that? A brute force hacking attempt trying combinations of characters would theoretically take just as long to break it, right? It’s still 25 characters, just happens to be something a human being can remember. What makes something like MyFordMustangIsCherryRedAndFast worse than -$7,6391’xyqhdkxi1835.)/&oqpeir2772?


math theory

Jack7D1
 
Joined: Tue Oct 29, 2019 2:00 am
Byond Username: Jack7D1

Re: Your Passwords Suck - a lesson in security

Postby Jack7D1 » Sat May 16, 2020 10:35 pm #562008

Strings of random words are easier to remember and really only sacrifice half the security. The big kicker is length. Longer passwords exponentially increase your security no matter what it's made of.

oranges
Code Maintainer
 
Joined: Tue Apr 15, 2014 9:16 pm
Location: #CHATSHITGETBANGED
Byond Username: Optimumtact
Github Username: optimumtact

Re: Your Passwords Suck - a lesson in security

Postby oranges » Sun May 17, 2020 1:08 am #562016

BeeSting12 wrote:I have a potentially dumb question so please don’t yell at me. Everyone says a combination of random characters 25 characters long is the best, but what makes several words equal to 25 characters worse than that? A brute force hacking attempt trying combinations of characters would theoretically take just as long to break it, right? It’s still 25 characters, just happens to be something a human being can remember. What makes something like MyFordMustangIsCherryRedAndFast worse than -$7,6391’xyqhdkxi1835.)/&oqpeir2772?

Another potentially dumb question: How do I know these password stores are secure and not just trying to take my info? I personally use Google Chrome’s password saving thing anyway so I’m fairly sure they can steal my private info even more than they already do, but I also doubt Google is interested in my tgstation forums account or college passwords.


The problem is people don't randomly select their words, so the search space is usually decreased, and adding symbols/numbers increases the search space of the password (as there are now more symbols than a-zA-Z).

It's not worse necessarily, and it's recommended to use a passphrase like `RandomListofWordsTogether` for the password you have to remember (for your password store).

But your password generator on your password store will usually just randomly generate 25 character random strings of symbols/numbers/letters and there's no reason to use them (they're also shorter than an equivalent strength passphrase, so you don't have issues with max password limit on sites).

As to the password stores, you don't always know that, but if you use a service with many users, you're likely in good company. You want to look for ones that claim in their marketing material that they encrypt users' data client-side (so they never have the unencrypted data) and also have good press. Some examples: bitwarden, 1password, and, as you mentioned, the chrome password store.

The main point, however, is that having to trust a single company, the one who manages your password store (if you choose to use an online one), is better than having to trust the companies behind every single website you use because you share one password across all of them. It's easier to vet a single company for their security/software skills than hundreds, and to get this experience, you need a password store (so every other site has a random password that isn't shared).
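An added worked example, not part of the thread or of any poster's own code, that puts numbers on the argument in this post and in oranges' earlier Diceware post: it computes the entropy of a random 25-character string, of six- and eight-word Diceware passphrases, and of a human-chosen phrase like BeeSting12's, and implements the five-dice lookup Diceware uses. The 7776-word list size is Diceware's; the 95-character alphabet and the 5000-word "memorable vocabulary" are assumptions, and the word list in the demo is constructed.

```python
import math
import re
import secrets

# Sizes used in the estimates. 7776 is the Diceware list size (6**5, one word per
# five-dice roll); the other figures are assumed, typical values.
PRINTABLE_ASCII = 95   # letters, digits and symbols on a US keyboard
LETTERS = 52           # a-z plus A-Z
DICEWARE_LIST = 7776
COMMON_VOCAB = 5000    # assumed size of the vocabulary people pick "memorable" words from


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly at random from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def roll_to_index(rolls: str) -> int:
    """Map a five-dice roll such as '31426' to a 0-based index into a 7776-word list."""
    if len(rolls) != 5 or any(d not in "123456" for d in rolls):
        raise ValueError("expected five dice showing 1..6")
    index = 0
    for d in rolls:
        index = index * 6 + (int(d) - 1)
    return index


def roll_dice(n: int = 5) -> str:
    """Roll n dice with a CSPRNG; physical dice feed the same mapping."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def diceware_passphrase(word_list, n_words: int = 6) -> str:
    """Pick n_words uniformly from word_list by rolling five dice per word."""
    if len(word_list) != DICEWARE_LIST:
        raise ValueError("Diceware needs exactly 7776 words")
    return " ".join(word_list[roll_to_index(roll_dice())] for _ in range(n_words))


def compare_phrase(phrase: str) -> dict:
    """Estimate a human-chosen CamelCase phrase two ways and line it up against
    a random 25-character string and Diceware passphrases.
    'as_letters' is the naive view (every character uniformly random);
    'as_words' is how a cracker models it: a few words from a common vocabulary."""
    words = [w for w in re.split(r"(?=[A-Z])", phrase) if w]
    return {
        "as_letters": entropy_bits(LETTERS, len(phrase)),
        "as_words": entropy_bits(COMMON_VOCAB, len(words)),
        "random_25": entropy_bits(PRINTABLE_ASCII, 25),
        "diceware_6": entropy_bits(DICEWARE_LIST, 6),
        "diceware_8": entropy_bits(DICEWARE_LIST, 8),
    }


if __name__ == "__main__":
    for name, bits in compare_phrase("MyFordMustangIsCherryRedAndFast").items():
        print(f"{name:12} {bits:6.1f} bits")
    # Constructed stand-in for the real list: word0 .. word7775.
    demo_list = [f"word{i}" for i in range(DICEWARE_LIST)]
    print(diceware_passphrase(demo_list, 6))
```

Even under the generous 5000-word model the CamelCase phrase comes out near 98 bits against about 164 for the random string, which is the gap oranges describes; a grammatical sentence is weaker still because the words are not independent.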

Vekter
In-Game Admin
 
Joined: Thu Apr 17, 2014 10:25 pm
Location: Fucking around with the engine.
Byond Username: Vekter

Re: Your Passwords Suck - a lesson in security

Postby Vekter » Sun May 17, 2020 2:55 am #562017

The only thing I don't like about Yubikey is how expensive it is to start out (minimum of $90) and how most password lockers charge for support for it

