
Important: Another Wave of Account Hacks

Ok, so a fastasfuch computer can create a list of passwords that includes your password in a nanosecond.

How does it figure out which of the gazillion passwords in the list it created is the one you are using for some purpose?
 
> Ok, so a fastasfuch computer can create a list of passwords that includes your password in a nanosecond.
>
> How does it figure out which of the gazillion passwords in the list it created is the one you are using for some purpose?
Exactly, what system will allow multiple failed login attempts without at least temporarily locking the account?

That is why people that want passwords tend to just send out massive amounts of emails trying to trick people into giving up their password or just letting spyware onto their devices.
Or if they want a specific system they look up the org chart from the company and send out emails to employees pretending to be their boss or someone else higher up in the company. Or they search social media to see who just got a job there....

Yet the Bitwarden password checker site says such a password can be cracked in as little as 4 seconds or as long as 3 years. Depends upon what is chosen even if it is 12 characters, upper, lower case, number and symbol.
I wonder how the checker calculates it and what makes some combinations better.
 
> I wonder how the checker calculates it and what makes some combinations better.

They have a link to an article about their methods. One difference that is obvious is some of the numbers quoted up thread are based upon brute force cracking, where the only thing that matters is the entropy in the password. Actual people doing this have other methods that use dictionary word lists, rainbow tables and more. So two passwords that have identical entropy to brute force cracking will have very different levels required if some of the password is part of common words, numbers, etc. For instance you can try passwords in the Bitwarden checker that have 4 numbers. 20xx or 19xx cracks quicker than 18xx or 21xx because the easier ones relate to years when people were born or their children were born etc. Checking those first is a shortcut. So Bob1988 is 6 seconds, but Bob2288 is 12 minutes. While 19Bob88 is 17 minutes.

Best Android password generator.
 
Government was all at arms about 4 years ago, because of how "quantum computing" was going to make mince-meat of the current, advanced encryption algorithms. Everyone seems to have forgotten about that little ditty, now that we are preoccupied with AI.
pfffft!
 
Well maybe by then we will all have good passkeys.
Everyone is trying out novel identifiers like biometrics (fingerprint, retina, bad breath, etc.) for mobile devices because complex passwords requiring caps/#s/funky characters are just too cumbersome on mobile devices.:mad:
 
> Everyone is trying out novel identifiers like biometrics (fingerprint, retina, bad breath, etc.) for mobile devices because complex passwords requiring caps/#s/funky characters are just too cumbersome on mobile devices.:mad:
I think most passkeys require biometrics to use the passkey. I do have a couple apps that use biometrics instead of a password. My newer Win11 laptop with the auto log in when it sees my face is awfully convenient.
 
Curious, any relation to what a poster might post about gear (owned or not) as to who got targeted? You'd let me know if someone pirating my account posted something way different from my usual posting?
 
Some financial institutions use the Symantec hardware fob for their most secure multi-factor authentication methods, which generates a rolling 6-digit (numerical) code every 30 seconds.
What a kludge!:mad:
 
> They have a link to an article about their methods. One difference that is obvious is some of the numbers quoted up thread are based upon brute force cracking, where the only thing that matters is the entropy in the password. Actual people doing this have other methods that use dictionary word lists, rainbow tables and more. So two passwords that have identical entropy to brute force cracking will have very different levels required if some of the password is part of common words, numbers, etc. For instance you can try passwords in the Bitwarden checker that have 4 numbers. 20xx or 19xx cracks quicker than 18xx or 21xx because the easier ones relate to years when people were born or their children were born etc. Checking those first is a shortcut. So Bob1988 is 6 seconds, but Bob2288 is 12 minutes. While 19Bob88 is 17 minutes.
>
> Best Android password generator.
Another reason to use the password manager is that it can randomly generate the password. In that case, the number of bits of entropy is the only thing that matters (that the user controls) - because the entropy number is correct.

Because of the reasons that you listed, if the password isn’t randomly generated you don’t actually know how much entropy is in it.

And no, humans are not effective random number generators.
 
How secure are the generators/storage devices for passwords?
 
2 weeks ago I got hacked via this account with emails with Asiatic writing.
Then I got from my ISP a warning that they would close my email account for spamming.
And they did so. Other accounts started to protest also, claiming the account was breached.

So I had to make new passwords everywhere; the ISP filtered out the spam mail by disabling the automatic answer filter, and now it's quiet on the email front and on the ASR front.
And it all began with being unable to log in at ASR.
 
> How secure are the generators/storage devices for passwords?
You mean password managers like Bitwarden or 1Password? If so...

Both 1Password and Bitwarden use cryptographically secure methods to generate unique passwords. While specific implementations may vary slightly, they both rely on CSPRNG (Cryptographically Secure Pseudo-Random Number Generators) to ensure the security and randomness of the passwords they generate.

### 1Password

1Password, developed by AgileBits, uses a CSPRNG to generate secure passwords. Here's a summary of its approach:

1. **Cryptographic Libraries**:
- 1Password leverages platform-specific cryptographic libraries to ensure the security of random number generation. For example, on macOS and iOS, it uses the Security framework; on Windows, it uses the Windows Cryptography API.

2. **Password Generation**:
- The passwords are generated using a combination of secure random numbers and character sets defined by the user (such as including symbols, numbers, uppercase, and lowercase letters).

### Bitwarden

Bitwarden, an open-source password manager, also uses CSPRNG to generate secure passwords. Here's a summary of its approach:

1. **Cryptographic Libraries**:
- Bitwarden uses libraries such as `crypto` in JavaScript, which rely on secure random number generation methods provided by the operating system (e.g., `window.crypto.getRandomValues` in browsers, and `crypto` module in Node.js).

2. **Password Generation**:
- Bitwarden generates passwords using these secure random numbers to select characters from a predefined set, ensuring high entropy and randomness.

### Technical Details

Both password managers prioritize using strong, platform-native cryptographic functions to ensure that the passwords they generate are secure and suitable for cryptographic purposes. Here’s how they generally implement these methods:

1. **Secure Random Number Generation**:
- Both 1Password and Bitwarden use CSPRNG functions provided by the operating systems or cryptographic libraries to ensure the randomness of generated passwords. These functions are designed to produce high-entropy, unpredictable values.

2. **User Customization**:
- Users can often customize the parameters for password generation, such as length and character types (uppercase, lowercase, digits, symbols), to meet specific security requirements or preferences.

### Example: Bitwarden’s Password Generation in JavaScript

Here’s a simplified example of how Bitwarden might generate a secure password using the `crypto` module in a web environment:

```javascript
function generateSecurePassword(length) {
  const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+~`|}{[]:;?><,./-=';
  let password = '';
  // Platform CSPRNG; window.msCrypto is the legacy IE11 name.
  const crypto = window.crypto || window.msCrypto;
  // One 32-bit random value per output character.
  const randomValues = new Uint32Array(length);
  crypto.getRandomValues(randomValues);

  for (let i = 0; i < length; i++) {
    // Index with the i-th value; indexing with the whole array coerces it to NaN.
    // Note: a plain modulo is slightly biased toward the first charset
    // characters whenever 2^32 is not a multiple of charset.length.
    password += charset[randomValues[i] % charset.length];
  }

  return password;
}

console.log(generateSecurePassword(16)); // Example output: "G7y@e!f2#s$1Wq5N"
```

### Conclusion

Both 1Password and Bitwarden use CSPRNG to ensure that the passwords they generate are secure and unique. They rely on platform-specific cryptographic libraries and methods to achieve high entropy and randomness, providing strong protection against various types of attacks.

If you mean other password managers, or password-generating websites or other browser extensions that do the same?
Who knows?
I don't trust anyone other than 1Password or BitWarden to generate a unique password, because I don't know their method of generating passwords.
 
Dell recently had a big hack of at least 49 million accounts. 1/3 of my accounts got hacked last month, all using the password I used at Dell.
 
I had 2FA enabled until I realized it kicks you out every 30 days and you need to log-in again. Is there a way to make this feature optional? I'd be happy to keep 2FA on if the cookies didn't expire despite daily use.

This is a tiny inconvenience compared to getting hacked
 
> This isn't really correct to my knowledge. If the DB is stolen they can crack your password offline and then log in with one attempt. This is why 2FA is also needed.
Yes but that would mean they need to hack my bank directly (the PW is unique).
It then would make little difference whether I used 5 or 12 digits.
I'd need to go 16+ to make a difference with today's technology and even that may be insufficient 5 years down the line.

But let's say they DID hack my bank account. There's nothing they could do.
Every transaction needs a transaction number that is generated by a little device in combination with my bank card. The TAN generator is not an internet-based device. IIRC, that includes logging in from an unfamiliar device.

That TAN-Generator is already the 2nd Factor. So a 5 digit "pin" is more than sufficient.
> My newer Win11 laptop with the auto log in when it sees my face is awfully convenient.
My boss has that too ... then he forgets to wear his glasses and Windows is all like:

"Who the fork are you?!" After that he scrambles to find his darn glasses.

Must be nice to be actually able to operate a computer w/o them. I could never "forget" my glasses. Can't see anything but colored blobs. .__.
 