
Re: Have I been hacked?



On Thu, Jan 15, 2015 at 6:56 AM, Brian <ad44@cityscape.co.uk> wrote:
> [...]
> We are still on off-line cracking? How does this sound?

Hmm. I guess I should respond to your questions about IP spoofing and
using strategy rather than pure brute force after all.

> Memorable passwords are good. Long, complex passwords are also good. One
> needn't exclude the other.

To a certain degree, they do. However,

> I can remember "TwasBrilligAndTheSlithyToves" and associate it with an
> account.
>
> Before signing up I do
>
>     echo TwasBrilligAndTheSlithyToves | sha1sum | base64 | cut -c -30
>
> The output is what I give to a site as a password.

Now you're talking sense. Maybe I don't need to answer your questions
about IP spoofing and using strategy instead of pure brute force after
all.

Although, when you don't have access to a command line that gives you
sha1sum, you're back to having to work hard to remember what you gave
that site for a password.

Frankly, rot13 or rot42 would get pretty close. But I would prefer a
tool of my own making that I can use to exclusive-or the site name
with my chosen pass-phrase before I pass it to the predictable
shuffle.

But, as John Hasler points out, we're just sort of re-inventing (half
of) ssh keys.

> Furthermore, before any future logins I can run the command again to get
> the same password. Isn't this on-line and off-line cracking taken care
> of?

Depends on whether the targeting attacker is aware that you use
sha1sum on all your passwords.

Or has a copy of the source code for my rot42xor tool.

This is the part that SSH keys get right, of course.

The argument, SSH keys versus passwords, is kind of missing the point,
unless the argument itself helps people listening in think a bit more
carefully about their security.

-- 
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.
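A worked version of the pipeline Brian describes, next to a site-bound variant in the spirit of Joel's "xor the site name in" idea; this is added example code, not anything posted in the thread. The variant uses HMAC-SHA256 keyed with the pass-phrase over the site name (an assumption for this example, standing in for the XOR-and-shuffle tool Joel sketches), and the site names are constructed.

```python
import base64
import hashlib
import hmac

# Brian's pipeline, reproduced byte for byte:
#   echo <phrase> | sha1sum | base64 | cut -c -30
# echo appends a newline, and sha1sum prints "<hex>  -" plus a newline,
# so that whole text line (not the raw digest) is what gets base64-encoded.
# Note that the site plays no part: the same phrase gives the same
# 30 characters wherever it is reused.
def brian_password(phrase: str) -> str:
    digest = hashlib.sha1((phrase + "\n").encode()).hexdigest()
    sha1sum_line = f"{digest}  -\n"
    encoded = base64.b64encode(sha1sum_line.encode()).decode()
    return encoded[:30]


# Site-bound variant (assumption: HMAC-SHA256 instead of Joel's XOR).
# Keying the MAC with the pass-phrase and feeding it the site name binds
# each derived password to one site, so two sites never receive the same
# string. As Joel points out, an attacker who knows the scheme still only
# has to guess the pass-phrase, so its strength is what matters either way.
def site_bound_password(phrase: str, site: str, length: int = 30) -> str:
    mac = hmac.new(phrase.encode(), site.lower().encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()[:length]


if __name__ == "__main__":
    phrase = "TwasBrilligAndTheSlithyToves"
    print("brian, any site       :", brian_password(phrase))
    for site in ("example.net", "example.org"):  # constructed site names
        print(f"site-bound {site:12}:", site_bound_password(phrase, site))
```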

