Documentation https://www.grc.com/sqrl/sqrl.htm
Security Now Episode 424: Steve Gibson introduces the idea (Video & Audio Podcast, or streaming) http://twit.tv/show/security-now/424
This looks very very interesting, I am looking forward to seeing how this works out.
SQRL is pronounced "Squirrel" ^_^
I lack the expertise to vet this idea, but it sounds very good to me; it would solve a lot of problems for average users while providing very strong security that would be difficult to compromise.
Looking forward to the development of SQRL, and hats off to Steve for making it public domain!!
From Practical Considerations section of first page of documentation:
"Did I invent anything? I don't care. Even if some aspects of this
system are novel, and might be subject to intellectual property
protection, this is too important and much bigger than me. It should be
made free for the world to use without encumbrance. With this
publication of every detail, I hereby release and disclaim any and all
proprietary rights to any new ideas developed and presented herein. This
work is thereby added to the public domain."
Showing posts with label Password Cracking. Show all posts
Wednesday, October 2, 2013
Monday, August 26, 2013
Updated oclHashcat-plus v0.15
Main link: http://hashcat.net/oclhashcat-plus/
oclHashcat-plus v0.15 "Added support for cracking passwords longer than 15 characters," and a lot of other improvements; see https://hashcat.net/forum/thread-2543.html for full details.
I am still digging through the changes, and I have been sick, so it will probably take me a while, but it looks like some big improvements have been made.
They have also added support for several algorithms, including TrueCrypt 5.0+, Lastpass, & MacOSX v10.8 that are of particular interest to me.
Friday, January 11, 2013
More on Passwords & Password Keepers
I may have mentioned Brian Krebs's password article before, http://krebsonsecurity.com/password-dos-and-donts/, but wanted to make sure I linked to this article http://krebsonsecurity.com/password-dos-and-donts/
He mentions three Password Keepers: Roboform, Passwordsafe, & Keepass.
Keepass is the only one of those three I know a bit about, have a computer nerd friend that has used that for years.
It is good and free.
I am trying to provide a good selection of quality Password Keepers for people to choose from; not everyone's needs and wants are the same.
I prefer mSecure, partly because it has stronger encryption than many others, but it is also one of the most expensive consumer options.
A lot of my gamer friends, though, don't want to, or can't afford to, spend much on computer software.
Something to remember when using Password Keepers, is that you want to have that Data backed up VERY well.
You can use Dropbox or similar cloud storage, but you can also use Password Keepers on multiple devices (ie Smartphone, Tablet, & PC). I also like using a quality Flashdrive with hardware encryption.
I also like using written backup stored securely, I have physical items I have to keep secure, so I have ready storage for that.
I have written about Passwords & Password Keepers before, I specifically recommend reading Steve Gibson's Haystacks & Needles (Understanding Passwords) and "Lessons Learned from Cracking 2 Million LinkedIn Passwords."
For more posts click one of these Labels:
Those Labels and more can be found at bottom left of Blog post, selected Labels can be found in Label Cloud at left side of blog, space limitations there, but I am open to feedback for labels that should be added or removed from the Label Cloud.
Stay Safe,
Cliff
Friday, October 26, 2012
Security & Hacking: How to Crack WPA & WPA2
Good, though somewhat technical, article on cracking WiFi http://www.smallnetbuilder.com/wireless/wireless-howto/31914-how-to-crack-wpa-wpa2-2012
Though not mentioned in that article, related to strong passwords, I really think everyone should be using a good password keeper.
So the only password you need to remember is the one needed to unlock your password keeper. I would use Steve Gibson's advice for that password, blogged about here http://cliffsesportcorner.blogspot.com/2012/05/steve-gibsons-haystacks-needles.html
Then use random passwords, generated by the password keeper, for everything else.
There are many good password keepers out there, I like and recommend mSecure https://msevensoftware.com/
For free I believe Strip Lite is good, their website http://getstrip.com/ or iTunes.
Another free one I might suggest is KeePass, I have heard good things about it, and have a friend that uses it.
See Also:
- Security Now # 347 [about iOS Password keepers, but most available for Android/PC/etc] (text) (mp3) (VOD)
- [PDF professional review of a few password keepers] http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf
Tuesday, August 28, 2012
Security & Hacking: "How I cracked my neighbor's WiFi password without breaking a sweat"
http://arstechnica.com/security/2012/08/wireless-password-easily-cracked/
Very good article, though written for average person, there is higher level information available in many of the Comments, it clearly shows how easy it is to hack many things average people think are secure.
Also, since the author of that Ars article was using online software services (ie software that ran on servers, not on author's computer) he didn't need much of a computer to do this.
For those new to Pen Testing and Password Strength (Security?) he was basically using a dictionary of words and common passwords.
The term "Dictionary" sometimes throws people, they don't mean Websters or OED, rather it is a list based on previously cracked passwords.
Millions of cracked passwords, so current Hacker's Dictionaries tend to be pretty representative of any password that a person picks out!
If you can remember it, it is a very bad password; you should be using some type of password keeper, and using the generate random password feature that all the good password keepers offer.
I plan to do a post in the near future on Password Keepers, but there are a lot of choices out there, many are free.
For similar Blog Posts, click on one of these labels: Security, Hacking, Password Cracking, or Pen Testing.
Selected Labels can be found in label cloud at left side of blog, and every blog post has labels at bottom left of post.
Specific posts on Cliff's Esport Corner (aka Cliffs_esports_corner in some chat rooms) can be found best by using Google with query term and Cliff's Esport Corner in your Google search.
Sunday, August 26, 2012
Security & Hacking: "Dropbox two-step verification security option"
Sounds like Dropbox has Two Factor Authentication available via Beta, full story at http://www.theverge.com/2012/8/26/3269423/dropbox-two-step-verification-security-beta
If you use Dropbox this is probably a good idea, but if they are hacked from inside again, it might not do much good, I don't recommend Dropbox for critical data, there are a lot better choices available for that, and honestly Dropbox is about easy access not security.
If you are worried about the security of items stored on Dropbox, encrypt them first with TrueCrypt or similar.
And USE A STRONG PASSWORD!
Wednesday, August 22, 2012
Security & Hacking: "Cracking passwords from the Philips hack - an important lesson"
Excellent article by Paul Ducklin, over on Sophos' Naked Security Blog "Cracking passwords from the Philips hack - an important lesson"
Read the comments as well!
For more posts on Security & Hacking click on one of the following Labels:
Security
Password Cracking
Pen Testing
Hacking
Tuesday, August 21, 2012
Security & Hacking: "Why passwords have never been weaker—and crackers have never been stronger"
Really good article from Ars http://arstechnica.com/security/2012/08/passwords-under-assault/, and as always with Ars articles, you can find some exceptional bits of information buried in comments section.
Another password cracking article you should read is Lessons Learned from Cracking 2 Million LinkedIn Passwords.
For more click one of these Labels:
Those Labels and more can be found at bottom left of Blog post, selected Labels can be found in Label Cloud at left side of blog, space limitations there, but I am always open to feedback for labels that should be added or removed from the Label Cloud.
If you're looking for something specific on my blog, the best way is just to add your query term to Cliff's Esport Corner in a google search.
I tested the google search widget for the blog but it didn't work as well as normal google so I removed it.
Monday, August 13, 2012
Security & Hacking: Ars' "Why hacked Blizzard passwords aren't as hard to crack as company says"
From Ars "A significant percentage of Blizzard passwords may already be in hackers' hands."
If you haven't already, and you're on NA Bnet, you need to change your password, see PSA: Blizzard NA Bnet change your passwords
The Ars article today is about how difficult, or not, it is/was for Hackers to crack encrypted passwords they managed to steal.
For more on password Hacking see "Lessons Learned from Cracking 2 Million LinkedIn Passwords". For more on good strong passwords see Steve Gibson's Haystacks & Needles (Understanding Passwords)
Monday, August 6, 2012
Security & Hacking: Mat Honan Targeted
VOD interview/discussion at http://twit.tv/show/this-week-in-tech/365
Mat Honan also talks about it on his Blog at http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard
Take the time to look at this, and think about structuring your accounts & etc to protect yourself from this, Hackers will certainly take note of this.
Couple of Basic Points:
Backup critical data, you need at least 3 copies of important data, the "working" copy, plus two separate backups in different locations/companies.
Don't interlink all your accounts. That leads to a domino effect: a single vulnerability being exploited, perhaps something out of your control like what happened to Honan, gives a Hacker access to one of your accounts, and that one account will let them in to all the others.
Monday, July 23, 2012
PSA: Gamigo 11 Million Passwords Hacked
See Ars article, also Forbes, the Forbes article links http://pwnedlist.com/ for checking if your email has been leaked.
I haven't heard about http://pwnedlist.com/ before, but shows as green with McAfee.
For more on Password Cracking, or Hacking, and what you should do see "Lessons Learned from Cracking 2 Million LinkedIn Passwords" and/or Steve Gibson's Haystacks & Needles (Understanding Passwords).
But if you have a Gamigo account, you should change your password, the Steve Gibson link above provides good advice on passwords.
Saturday, July 14, 2012
NVIDIA Hack update
Posted July 13, 2012
A small proportion of users’ hashed passwords for DevZone has been posted publicly.
We continue to strongly recommend that you change any identical passwords that you may be using elsewhere, as noted below.
~http://www.nvidia.com/content/devzone/index.html
NVIDIA has also shut down their online store in addition to the Developer forum that was shut down yesterday.
Friday, July 13, 2012
PSA: NVIDIA Developer Zone Hacked
http://nakedsecurity.sophos.com/2012/07/13/nvidia-android-forums-hackers/
I saw this first on Sophos blog linked above.
Cut and paste from NVIDIA's warning post below, see their link for complete message, http://www.nvidia.com/content/devzone/index.html,
NVIDIA suspended operations today of the NVIDIA Developer Zone (developer.nvidia.com). We did this in response to attacks on the site by unauthorized third parties who may have gained access to hashed passwords.
We are investigating this matter and working around the clock to ensure that secure operations can be restored.
As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.
NVIDIA does not request sensitive information by email. Do not provide personal, financial or sensitive information (including new passwords) in response to any email purporting to be sent by an NVIDIA employee or representative.
For more on Passwords see More D3 Account Security or Computer & Password Security: Salting & Hashing explained clearly or Steve Gibson's Haystacks & Needles (Understanding Passwords).
Wednesday, June 27, 2012
Nerd Gear: Nexus 7 pen testing tablet?
I think all my security research has me thinking like a hacker; that was the first thing I thought when I saw/heard the specs for Google's new Android tablet from ASUS, the Nexus 7, since it has a 12 core GPU!
Some Nexus 7 links:
The Verge
Tech Radar
Google Play (ie official Google store you can buy here $199 8GB or $249 for 16 GB)
If any hard core computer nerds can tell me, would this be useful for Pen Testing/Password Cracking with the 12 Core GPU?