How safe are passwords etc. on your computer


11 replies to this topic

#1 Falu

Posted 08 November 2014 - 04:45 AM

Many people, like myself, keep most passwords in a text file on their computer. We are often warned not to do that because a computer criminal can find this info and abuse it. How does that work? How can they find the info in a text file? Do they use a 'robot' to search through all the text files, or is it a physical person?

 

KR, Leo




#2 Kilroy

Posted 08 November 2014 - 11:48 AM

It depends on how and where they are saved.  If you save them on your desktop in a file called passwords, probably not as safe as storing them in an encrypted file with a generic file name.  The passwords are more likely to be stolen as you use them.



#3 rp88

Posted 08 November 2014 - 12:35 PM

In general it's safer to write passwords on paper in a locked safe rather than store them digitally. Most cyber-crooks aren't physically there, so whilst they might read a text file they would almost certainly never see the written text. For really important passwords (bank, main email account) the password should be remembered and never written/typed anywhere except in the necessary login page; if you need a reminder, don't store the password, store a written hard copy hint.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#4 Didier Stevens

Posted 08 November 2014 - 12:40 PM

Well, here is a scenario:

 

A computer criminal has access to your computer and wants to read the content of a password protected ZIP file. He doesn't have the password, but you have stored the password somewhere on the disk in a text file.

He then will run a program that will index all your files: this program creates a list of all the words (a dictionary) it finds in files on your computer.

Then he uses this dictionary with a password cracker to perform a dictionary attack against the ZIP file.

The password cracker will quickly decrypt the password protected ZIP file because the password will be in the dictionary.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
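The scenario above can be turned into a self-check: build the same kind of wordlist an indexer would build from your own files and see whether a candidate master password is in it. This is an added example, not code from the post; the file contents are constructed and a real check would read your own text files instead.

```python
import re

# Constructed sample "disk contents": file name -> text.
SAMPLE_FILES = {
    "notes.txt": "Shopping list: milk, eggs. zip master pw: Tr0ub4dor-2014",
    "todo.txt": "Call the bank on Monday. Renew passport.",
    "hint.txt": "zip password hint: the song we danced to, first letters, plus the year",
}

TOKEN_RE = re.compile(r"\S+")


def build_wordlist(files):
    """Mimic the indexer in the scenario: every whitespace-separated token
    from every file becomes a dictionary candidate. Returns token -> set of
    files it appeared in, so an exposure can be traced to its source."""
    seen = {}
    for name, text in files.items():
        for token in TOKEN_RE.findall(text):
            seen.setdefault(token, set()).add(name)
            # Indexers also split on punctuation, so record the bare words too.
            for part in re.split(r"[^\w]+", token):
                if part:
                    seen.setdefault(part, set()).add(name)
    return seen


def password_exposed(password, files):
    """Self-check: sorted list of files in which the password occurs as an
    indexed token. Empty means a dictionary built from these files would not
    contain it verbatim."""
    wordlist = build_wordlist(files)
    return sorted(wordlist.get(password, ()))


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor-2014", "TdAnWdWrOnTeCsIsSn"):
        print(candidate, "->", password_exposed(candidate, SAMPLE_FILES) or "not found on disk")
```

Indexers differ in how they tokenize, so an empty result is not proof of safety; a password written anywhere in any file should be assumed recoverable, which is why a hint (as in hint.txt) is safer to keep on disk than the password itself.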


#5 Falu (Topic Starter)

Posted 08 November 2014 - 01:48 PM

Thanks.

 

Does it mean that a criminal only checks text files to find the critical password, protecting the text file with all the sensitive information?



#6 Didier Stevens

Posted 08 November 2014 - 02:24 PM

I don't understand your question. What critical password are you talking about?




#7 Falu (Topic Starter)

Posted 08 November 2014 - 06:00 PM

You have a text file with all your passwords etc.; you zip/encrypt the text file, but you still need a password for the compression/encryption. This password, the critical password, should be kept safe somewhere. If this is kept in a text file, criminals could find it using the specific software, as you described.



#8 Didier Stevens

Posted 08 November 2014 - 06:45 PM

You have a text file with all your passwords etc.; you zip/encrypt the text file, but you still need a password for the compression/encryption. This password, the critical password, should be kept safe somewhere. If this is kept in a text file, criminals could find it using the specific software, as you described.

 

Ah, yes, if you are talking about the password protecting your passwords (aka master password), then it should be kept safe.




#9 Kilroy

Posted 08 November 2014 - 07:39 PM

To tell you the sad truth, the bad guys are more likely to just encrypt all of your files and demand $300+ from you to decrypt it. It isn't worth their time or effort to copy data off of your drive to access your accounts. It is easier for them to just charge a ransom so that you can access your data, or use a program to capture your user names and passwords as you use them.



#10 Falu (Topic Starter)

Posted 09 November 2014 - 05:27 AM

# Kilroy: Point taken.

 

# Didier Stevens: If criminals look through text files to find the master keyword, does storing it as an image (e.g. jpg) make it safer?



#11 Didier Stevens

Posted 09 November 2014 - 06:18 AM

# Didier Stevens: If criminals look through text files to find the master keyword, does storing it as an image (e.g. jpg) make it safer?

 

I'm not going to predict what criminals do, that's impossible. I know some of the things that are possible (criminal or not).

There is indexing software that looks through text files, Office files, PDFs, ...

There is Optical Character Recognition software (OCR) that can read text from images.

 

If you need to store a password, I recommend you use a password manager. Online or offline, that's your choice.




#12 Crazy Cat

Posted 09 November 2014 - 06:54 PM

Many people, like myself, keep most passwords in a text file on their computer. We are often warned not to do that because a computer criminal can find this info and abuse it. How does that work? How can they find the info in a text file? Do they use a 'robot' to search through all the text files, or is it a physical person?

KR, Leo

To tell you the sad truth, the bad guys are more likely to just encrypt all of your files and demand $300+ from you to decrypt it. It isn't worth their time or effort to copy data off of your drive to access your accounts. It is easier for them to just charge a ransom so that you can access your data, or use a program to capture your user names and passwords as you use them.

Given Internet, LAN, or physical access to your computer, a keystroke logger would be the first option.
 
0123456789 = 10
abcdefghijklmnopqrstuvwxyz = 26
abcdefghijklmnopqrstuvwxyz0123456789 = 36
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz = 52
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 = 62
abcdefghijklmnopqrstuvwxyz0123456789 + 32 special characters in an American keyboard = 68
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 + 32 special characters in an American keyboard = 94

  
Your password is: TdAnWdWrOnTeCsIsSn = 18 characters with ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz = 52

52^18 = 7727876721872448746791521746944 password combinations.

"Stairway To Heaven"

There's a lady who's sure all that glitters is gold
And she's buying a stairway to heaven.
When she gets there she knows, if the stores are all closed
With a word she can get what she came for.
Ooh, ooh, and she's buying a stairway to heaven.

There's a sign on the wall but she wants to be sure
'Cause you know sometimes words have two meanings.
In a tree by the brook, there's a songbird who sings,
Sometimes all of our thoughts are misgiven.

Ooh, it makes me wonder,
Ooh, it makes me wonder.

There's a feeling I get when I look to the west,
And my spirit is crying for leaving.
In my thoughts I have seen rings of smoke through the trees,
And the voices of those who stand looking.

Ooh, it makes me wonder,
Ooh, it really makes me wonder.

And it's whispered that soon, if we all call the tune,
Then the piper will lead us to reason.
And a new day will dawn for those who stand long,
And the forests will echo with laughter.

If there's a bustle in your hedgerow, don't be alarmed now,
It's just a spring clean for the May queen.
Yes, there are two paths you can go by, but in the long run
There's still time to change the road you're on.
And it makes me wonder.

Your head is humming and it won't go, in case you don't know,
The piper's calling you to join him,
Dear lady, can you hear the wind blow, and did you know
Your stairway lies on the whispering wind?

And as we wind on down the road
Our shadows taller than our soul.
There walks a lady we all know
Who shines white light and wants to show
How everything still turns to gold.
And if you listen very hard
The tune will come to you at last.
When all are one and one is all
To be a rock and not to roll.

And she's buying a stairway to heaven.

 
Open the MS calculator in scientific mode. You remember 1234, for example; it can be 56872, or whatever.

1234^2 = 1522756
1522756^3 = 3530945043777457216
3530945043777457216 x 3.1415926535897932384626433832795 = 11092791009760550469.010560652058


11092791009760550469.010560652058 = 33 characters

10^33 = 1.e+33 password combinations.


110927910097605504 = 18 characters

10^18 = 1000000000000000000 password combinations.

As for brute-forcing these password combinations, that goes past the scope of this example.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.
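The keyspace table and the 52^18 figure above generalise to a small calculator: detect which of the four character classes a password uses, take that alphabet size as the base, and raise it to the password length. This is an added example, not the poster's code; the 32 "special characters" are taken to be Python's string.punctuation, and the guess rate passed to years_to_exhaust is a constructed figure, not a measurement.

```python
import math
import string

# The four classes from the table above (10 + 26 + 26 + 32 = 94).
CLASSES = {
    "digits": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "special": set(string.punctuation),  # 32 printable ASCII symbols
}


def charset_size(password):
    """Size of the smallest of the table's alphabets that contains every
    character of the password: 10, 26, 36, 52, 62, 68 or 94 (or any other
    sum of class sizes). This is the base an attacker assumes once the
    classes in use are known."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses characters outside the four classes")
    return size


def combinations(password):
    """Number of same-length candidates drawn from that alphabet (the post's
    52^18 for an 18-character mixed-case password)."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Same quantity expressed in bits, the usual way to compare keyspaces."""
    return math.log2(combinations(password))


def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate at the given (assumed) rate;
    on average the password falls after about half that."""
    return combinations(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # The mixed-case song password versus the digit-only calculator password.
    for pw in ("TdAnWdWrOnTeCsIsSn", "110927910097605504", "1234"):
        print(pw, charset_size(pw), combinations(pw), round(entropy_bits(pw), 1),
              f"{years_to_exhaust(pw, 1e12):.3g} years at 1e12 guesses/s")
```

Note that this counts only blind brute force: a password that sits in a wordlist (or on disk, as the earlier posts describe) falls regardless of its keyspace.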

 





