this post was submitted on 23 Aug 2023
553 points (99.1% liked)

Technology

59669 readers
2856 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 33 points 1 year ago (7 children)

Something to note here - with AI, if you’re using any sort of heuristic for your password, it’s pretty simple to work out a pretty good set of possibilities which makes brute force even easier and puts you at risk across the board.

Always come up with random passwords that are as random as possible. If there’s a path you took to get to a password, in theory it can be worked backward.

For example I know some people who only change a single letter when changing their passwords which is ultimately trivial to guess if the old password was compromised (hence the need to change the password or the need to proactively work against this possibility)

[–] [email protected] 45 points 1 year ago (5 children)

I wish more websites allowed random words as passwords instead of forcing numbers and special characters (but not THAT special character, you have to use one of the ones on this list).

People change their passwords by one letter or digit because they're tied to these restrictive formats. If 5-6 random words was the norm, people would update more than just one character when needing to change passwords.

"poison navy series ruler handshake papaya" is a fantastic password.

"Ilovemygrandkids!123" is a horrible password.

[–] [email protected] 29 points 1 year ago (1 children)

Just use a password manager and a unique, long, random generated password for every site. There's no need or reason to know the password to anything other than your password manager and your primary email.

[–] [email protected] 10 points 1 year ago (1 children)

in like a decade the use of a password manager will be a bad idea. i don't know how but it will be.

[–] [email protected] 15 points 1 year ago (2 children)

Hmm, a single point of access for every password you have? I don't see the problem...

[–] [email protected] 21 points 1 year ago* (last edited 1 year ago) (1 children)

The thing is the average person either can't or can't be bothered to remember even a dozen actually secure passwords, so they fall back to a couple of simple derivations of a common password, meaning each and every site a user signs up on represents an additional single point of failure.

[–] [email protected] 2 points 1 year ago

That's a good point.

[–] [email protected] 10 points 1 year ago

Lucky until we get actual quantum computing, it's not worth the years on a supercomputer to crack a single stolen set of encrypted passwords.

[–] [email protected] 20 points 1 year ago* (last edited 1 year ago) (1 children)
[–] [email protected] 3 points 1 year ago (1 children)

That's why I use IncorrectBatteryHorseStaple

They'll never figure that one out

[–] [email protected] 0 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago

You just linked the same thing that the thing you responded to responded to had linked!

[–] [email protected] 12 points 1 year ago

You immediately know that they're not handling your passwords correctly when they block certain characters.

[–] [email protected] 5 points 1 year ago

Agreed! I also think that the next steps would be getting rid of the need for users to even know their own password and instead replace with other securities like biometrics (with sufficient permutations possible to match or exceed passwords) and a physical device or something else entirely that removes the need to let the user in on what the exact password is

[–] [email protected] 3 points 1 year ago

Tools like Bitwarden will let you fairly customize the randomly generated password it makes. You can tailor it to not use certain characters for those sites that don’t allow it. And each vault object can be customized like that independently so you don’t compromise all your passwords by not allowing _ or (, you can also have it do pass phrases like you gave an example of

[–] [email protected] 4 points 1 year ago (1 children)

I use a heuristic to update my main passwords. It's not a character but easily guessable if you see it in plaintext and now you've made me facepalm my actions.

I only use that for certain things because I use Google Oauth or Bitwarden for most things and you've just woken me up about what could be exposed.

[–] [email protected] 2 points 1 year ago

The goal should usually be as random as possible, if it’s got a series of steps to create, they can be traced backward

Now the trick I’m not telling you is that randomness is hard to get because you need a sufficient amount of entropy (basically just means randomness, chaos, formally it’s how much uncertainty there is in the system) to ensure that it’s strong enough which can be challenging sometimes. For example, if your password is only 3 characters long and has 10 possibilities for each spot in the string, you’re only looking at 10^3 possibilities to guess accurately which is nothing to pcs and people with time on their hands haha

[–] [email protected] 4 points 1 year ago (1 children)

That's why I let Bitwarden generate a random 64 character password with special characters and numbers

[–] [email protected] 2 points 1 year ago (1 children)

I also take advantage of Bitwarden's 'passphrase' generation as I understand that pass phrases can be even more secure.

If the password requirements allow longer passwords I typicallyuse a passphrase generated by bitwarden, shorter ones I use generated passwords.

[–] [email protected] 5 points 1 year ago (1 children)

The only thing that affects how long it takes to brute force a password is length and entropy (the different types of characters used). Passphrase is designed to make it easier for a human to remember, so if you are using a PM to remember it anyway, a 64 character random password is going to be better than a 64 character passphrase.

I usually use the password generator in the 32 character range with all of the symbols, numbers, and characters included, since it seems like a lot of places don't like longer passwords.

[–] [email protected] 3 points 1 year ago (3 children)

wow thanks, I always remembering hearing people talk about passphrases being better, and saw bitwarden add a feature to generate them, I just went with it.

But given I have no interest in remembering these pass phrases, it would make sense to use generated passwords vs passphrases as you said. Good thing my effort to transition to pass phrases was recent and wasn't done too much yet.

[–] [email protected] 4 points 1 year ago

Hah, honestly either one is better than just having the same password on every site. You are all good.

[–] [email protected] 3 points 1 year ago

The rise of a pass phrase is more to do with mitigating the human risk in security which is people using memorable passwords. So a passphrase is typically easier to remember. That's the theory anyway.

[–] [email protected] 2 points 1 year ago

Hah, honestly either one is better than just having the same password on every site. You are all good.

[–] [email protected] 2 points 1 year ago

something I did before letting bitwarden take over my passwords, was using a phrase consisting of 2-3 words + a series of numbers and special characters. Safer than anyone I knew at the time's passwords. Admittedly it was not the most secure, as i only changed the beginning part of the 2-3 word phrase, and left the last word, numbers and symbols the same. So if one of those passwords were breached, it wouldn't be too difficult for AI to brute force the missing pieces. So yeah I don't do that anymore.

[–] [email protected] 1 points 1 year ago (1 children)

That's why correcthorsebatterystaple is the best way to do passwords imo, just 4 random words with a random special character dividing them and a random number tacked onto the end. Good luck brute forcing that or using AI to guess 4 randomly generated words in the correct order.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

we were talking about password changes, not creation though

Guessing someone’s password with no prior history vs with an “averaged” prior history of the world/some large dataset are two different sized sets.

If you’ve got a feel for how the majority of people are changing their passwords, guessing those passwords is significantly easier when compared to traditional brute force

Edit:

Passphrases are fairly good too but I want to see some real word examples of AI trained on some password dumps to see how much better it performs in comparison to traditional brute force and through targeted info gathering. I’m curious to see if there’s any user friendly techniques that’d work against AI specifically and it’s ability to find patterns most people wouldn’t pick up on