
How the Secret Service Cracks Encrypted Evidence

tabdelgawad writes "The Washington Post offers this writeup about how the U.S. Secret Service uses a Distributed Network Attack program to crack encryption on computers and drives seized as evidence. How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords."
  • Passwords?! (Score:5, Funny)

    by Enze6997 ( 741393 ) * on Monday March 28, 2005 @04:23PM (#12069860)
    King Roland: The combination is: one . . . Dark Helmet: One. Col. Sandurz: One. King Roland: Two . . . Dark Helmet: Two. Col. Sandurz: Two. King Roland: Three . . . Dark Helmet: Three. Col. Sandurz: Three. King Roland: Four . . . Dark Helmet: Four. Col. Sandurz: Four. King Roland: Five . . . Dark Helmet: Five. Col. Sandurz: Five. Dark Helmet: So, the combination is: one, two, three, four, five. That's the stupidest combination I ever heard in my life! That's the kind of thing an idiot would have on his luggage!
    • by ArsonSmith ( 13997 ) on Monday March 28, 2005 @04:26PM (#12069908) Journal
      Note to self: Change combination on luggage when I get home.

      • Re:Passwords?! (Score:5, Insightful)

        by ScoLgo ( 458010 ) <scolgo@nospam.gmail.com> on Monday March 28, 2005 @04:37PM (#12070048) Homepage
        You're lucky if you really have a 5-digit combo on your luggage. My cousin came to visit from Sweden a couple of years ago. He had locked his (most common) 3-digit combo lock before the 10-hour flight and then promptly forgotten the combination. It didn't take me long to start running through the 1000 possibles. Had it open in 10 minutes.

        He sure was happy to get to a clean pair of drawers. :)

        (Yes. I've seen Space Balls. And yes, the 1-2-3-4-5 combination joke is wearing pretty thin.)
        • Re:Passwords?! (Score:5, Interesting)

          by tlhIngan ( 30335 ) <slashdot@worf.ERDOSnet minus math_god> on Monday March 28, 2005 @04:44PM (#12070149)
          There's always 24445 as a valid combination that can be spoken as 1-2-3-4-5... (One 2, Three 4s, 5).

          People always seem to stumble on that when they ask for my combination and I tell them that. Then I show them the correct combination and a light dawns on their heads...
          • by Bingo Foo ( 179380 ) on Monday March 28, 2005 @04:58PM (#12070311)
            I hope I never think any of my passwords are so clever that I feel compelled to tell everyone about them.

            • by hanshotfirst ( 851936 ) on Monday March 28, 2005 @05:28PM (#12070657)
              A minister wakes one Sunday morning to a bright sunny day. He decides to play hooky for a day, and calls his Jr. Pastor to cover services for him as he is very sick.

              He then proceeds to get his golf bag and head for the links. The course is beautiful, the sun is shining, and his game is great.

              Up in heaven, St. Peter asks God "Aren't you going to do something about this?" God replies, "Wait and see."

              As the round of golf continues, the minister is shooting the best game of his life. On the 18th tee, The minister swings... God commands the ball and it bounces off the water, out of a bunker, and right into the cup.

              St. Peter is incredulous. "Why are you REWARDING this man for shirking his duty!? I don't understand?!"

              God replies "Who's he going to be able to tell about it?"

              • by commodoresloat ( 172735 ) on Monday March 28, 2005 @07:41PM (#12071984)
                So a guy walks into a church and goes to confession. He tells the priest: "Father, I'm 75 years old, and I've been happily married and faithful for 50 years. I have two children in their thirties and I've never cheated on my wife. Until yesterday. I was driving down the street and saw these two hot 20-year old coeds hitchhiking. I picked them up and drove them to a hotel. They convinced me to join them in the hotel where I proceeded to have sex with both of them for the next two hours."

                The priest is quiet for a moment and then says, "are you sorry for your sins?"

                The man replies, "Sins? What do you mean?"

                The priest sounds concerned. "What do I mean? What kind of Catholic are you?"

                The man replies, "Catholic? Father, I'm Jewish!"

                The priest is incredulous. "Well then why are you telling me this?"

                The man replies, "are you kidding? I'm telling everybody!"

            • by theLOUDroom ( 556455 ) on Monday March 28, 2005 @08:08PM (#12072197)
              I hope I never think any of my passwords are so clever that I feel compelled to tell everyone about them.

              Reminds me of one of my favorite userfriendly strips:

              Tech: Hello

              User: Hi, I need (some random tech support thing)

              Tech: Sure, what's your password?

              User: Asterix asterix asterix asterix asterix asterix

              Tech: (stunned silence)

              User: HA! You can't tell if I'm being stupid or clever.
    • Re:Passwords?! (Score:4, Interesting)

      by JustKidding ( 591117 ) on Monday March 28, 2005 @05:11PM (#12070465)
      Actually, it isn't really all that stupid. It's a perfectly valid combination from a 5 digit set.
      If you were to exclude this, and many other "stupid" combinations, there would be very few left, which, therefore, would be stupid combinations, because you would only be using a small subset of the whole set of possible combinations.
      There is, for example, not a single 4 digit code (like a PIN number) that isn't somehow easy to remember when entering it into a keypad. There is always some clear pattern to remember.
      • by plover ( 150551 ) * on Monday March 28, 2005 @06:47PM (#12071523) Homepage Journal
        INTER-OFFICE MEMO

        From: Info Security
        To: All staff
        Subject: Secure PIN requirements

        We have determined that you are using an insecure PIN, because it has a pattern in it.

        Through extensive research, our staff has determined that many PINs are insecure because they contain patterns, birthdays, anniversaries, etc. By excluding all combinations of duplicate numbers, keyboard-pattern entries, and significant numbers, we have determined that the most secure PIN you can use is 7439. Please change your PIN to 7439 immediately in order to ensure our company's assets are properly protected.

        Thank you for your cooperation.

    • LOL! Actually, one of the funniest things that I saw was this paranoid freak at work. He has three or four different anti-spyware programs and just as many privacy programs. He didn't trust anyone. Except, his password was "2222" -- for everything. I was fixing his computer and asked him what his password was, and it was "2222." Email problems, password, "2222". Anyhow, I found it interesting that he had gone through great lengths to encrypt all his data, and used the password of "2222." I would love to hav
  • by Phoenixhunter ( 588958 ) on Monday March 28, 2005 @04:24PM (#12069874)
    Sounds pretty logical to me.
  • by iammaxus ( 683241 ) on Monday March 28, 2005 @04:24PM (#12069883)
    Why did they not keep their tactic of creating customized password dictionaries secret? Seems like they just gave potential criminals a big warning...
    • by Scarblac ( 122480 ) <slashdot@gerlich.nl> on Monday March 28, 2005 @04:28PM (#12069929) Homepage

      Why did they not keep their tactic of creating customized password dictionaries secret? Seems like they just gave potential criminals a big warning...

      Because it doesn't matter one bit. Right now, most places where you must pick a password, there is already a warning that you shouldn't pick a word, pick something alphanumeric, something random. Nobody cares. If that doesn't change people's behaviour, this news story won't either.

      • by khrtt ( 701691 ) on Monday March 28, 2005 @04:50PM (#12070223)
        A friend of mine ran crack over /etc/passwd on his physics department's unix system, successfully cracking 20% of the passwords on file. He sent the results to his sysadmin, with a note asking the sysadmin to implement crack system-wide, and was promptly reprimanded.

        On VAX VMS you had to pick a password from a list of randomly generated "pronounceable" strings, if I recall correctly. On many properly-managed UNIX installations the crack program is used to check the users' passwords and will not allow you to use a crackable one. Is there an option to allow only hard passwords on Windows? I honestly don't know...

        On the whole, the soft-password problem seems like a healthy n00b-usability-over-security type thing.
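The custom-dictionary attack in the story summary and khrtt's point about running crack proactively are two sides of the same test. Here is an added example (not from the article, the DNA program, or any poster) of that check from the defender's side: it harvests words and digit runs from a constructed sample of a user's own mail and browser text, applies the mangling rules a cracker would try (leet substitutions and common suffixes), and rejects any candidate password that lands in the resulting personal dictionary. The sample corpus, the substitution table and the suffix list are constructed assumptions, not values from the page.

```python
"""Proactive password audit against a dictionary built from the user's own text.
Added example: the corpus below is constructed, not data from any real machine."""
import re
from itertools import product

# Constructed stand-in for text recovered from a user's mailbox and browser cache.
SAMPLE_CORPUS = """\
From: dad@example.invalid
Subject: Noodles tonight?
Hi Mary, don't forget Spike's vet appointment on Tuesday. Love, Dad
Visited: http://bookmarks.example.invalid/sailormoon-music
Search: cheap flights to stockholm march 2005
"""

# Substitution classes a cracker's mangling rules apply ($ for s, 4 for a, ...).
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "17", "o": "0", "s": "$5", "t": "7"}
# Suffixes tried on every word, in addition to digit runs harvested from the text.
COMMON_SUFFIXES = ["", "1", "12", "123", "!", "1!"]


def words_in(text):
    """Lower-cased alphabetic tokens of three or more letters."""
    return sorted({w.lower() for w in re.findall(r"[A-Za-z]{3,}", text)})


def digits_in(text):
    """Digit runs (years, PINs, phone fragments) that become candidate suffixes."""
    return sorted(set(re.findall(r"\d{2,4}", text)))


def leet_variants(word):
    """Every combination of applying (or not) each substitution class to the word."""
    classes = [c for c in LEET if c in word]
    variants = set()
    for choice in product(*[(None, *LEET[c]) for c in classes]):
        candidate = word
        for original, replacement in zip(classes, choice):
            if replacement is not None:
                candidate = candidate.replace(original, replacement)
        variants.add(candidate)
    return variants


def case_variants(word):
    """as-is, Capitalised and UPPER forms (the usual capitalisation rules)."""
    return {word, word.capitalize(), word.upper()}


def personal_dictionary(text):
    """All guesses a personalised dictionary attack on this text would try."""
    suffixes = set(COMMON_SUFFIXES)
    for run in digits_in(text):
        suffixes.update({run, run + "!"})
    guesses = set()
    for word in words_in(text):
        for leet in leet_variants(word):
            for cased in case_variants(leet):
                for suffix in suffixes:
                    guesses.add(cased + suffix)
    return guesses


def audit_password(password, text):
    """Return (crackable, dictionary_size). crackable is True when the candidate
    is one of the guesses built from the user's own text, so it should be rejected."""
    dictionary = personal_dictionary(text)
    return password in dictionary, len(dictionary)


if __name__ == "__main__":
    for pw in ["Sp1ke2005!", "M4ry123", "M2lkS&Mened!", "JWfimf#aIgtVae"]:
        crackable, size = audit_password(pw, SAMPLE_CORPUS)
        verdict = "REJECT" if crackable else "ok"
        print(f"{pw:16} {verdict:6} (personal dictionary: {size} guesses)")
```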
    • by Andy Dodd ( 701 ) <atd7@@@cornell...edu> on Monday March 28, 2005 @04:29PM (#12069949) Homepage
      It's always been known that a fully random password is more secure.

      But it's a bitch to remember, so people use easier-to-guess passwords anyway.

      Knowledge of this technique changes nothing. Any crook smart enough to use totally random passwords after this incident probably is already doing so.
      • by Rei ( 128717 ) on Monday March 28, 2005 @04:43PM (#12070118) Homepage
        You don't have to use random passwords to be secure. Slightly modified acronym passwords tend to be almost as good as completely random passwords, and people tend not to mention the phrase that the acronym is from very often.

        For example, a password 'JWfimf#aIgtVae' is about as good as random; and yet, it's simply an acronym for "Juffo-Wup fills in my fibers and I grow turgid. Violent action ensues." with a hash sign thrown in for good measure. Any Star Control II fan would have an easy time remembering it after just a couple uses.
        • by JustKidding ( 591117 ) on Monday March 28, 2005 @05:19PM (#12070540)
          I used to use a L0phtCrack (LC4 by @Stake) proof password on my w2k box. It contained a non-printable ASCII character (alt + keypad combination) that LC4 doesn't scan for, and you can't enter it in the custom search range field.
          I stopped using it because I suspect it caused problems with authentication over a network (w2k + xp prof).
          I don't know if LC5 (just noticed a new version is out) is able to find it.
          • Backspace.

            This stopped working once login(1) implementations the world over started paying attention to the "special" characters even when in raw mode. Ah well. Fun while it lasted.

            (I was inspired by a SF short story, where two robbers break into a paranoid guy's computer. They set off alarms because they had gotten the password right on the first attempt. The paranoid guy had, for years, deliberately screwed up the first attempt before giving the right one on the second try. Eventually the semi-s

        • Here at Microsoft they have strong passwords enabled and they force you to change passwords every 70 days, and it keeps a list of your most-recent passwords and disallows selecting one of them. After my first 70 days I got the little password change dialog. I tried a few things to no avail and then settled on: Micr0$hizzle -- a 12-character password with a digit and a punctuation symbol. I chuckled to myself every day I logged on for 70 days. I find that leet-icizing common words makes for really nice passw
          • by John-D ( 125880 ) on Monday March 28, 2005 @08:32PM (#12072341)
            No, those are all horrible. If it is based on a real word, it will be tried first.

            Any good cracking program will substitute $ for S, 4 for A, 3 for E, 7 for L, so on and so on.
            This problem is even easier if (like most places, hopefully not Microsoft) your IT dept still uses NTLM passwords for Windows auth. The password algorithm breaks your characters into two 7-char halves and generates a hash via DES. So your great 12 char password is really one 7 character and one 5. The 5 character part will be broken in under 1 hour (I broke the NP4UL! portion of your password as I typed this; 7 minutes, 27 seconds). Even worse are "policies" that enforce 8 character passwords under Windows. Guess how long it takes to 'break' a 1 character password. Those password halves are also non-salted and only DES. DES is made to be fast. Look up some of the magic you can do with the MMX registers to make DES really fast in certain circumstances - where you are breaking about 60 or more password halves at once.
            So if you have a list you are in luck because you can now compare the hash of the half you just broke with all the other halves in the list. Then you may save it off into a database to look up next time you are cracking passwords. Pre-calculation and other methods (so-called Rainbow tables) make cracking these passwords even easier.

            Regular crypt passwords under Linux are almost as bad, except the salt makes them much more resistant to pre-calculation.
            MD5 passwords under Linux are much more robust if you choose a moderately hard password; as all of the characters in your password count towards the hash, and MD5 is SLOW compared to DES.

            My advice is to generate a random password and use that. Include non-printables (alt + numpad). Avoid real words. Write it down and keep it on you until you remember it; 3-4 uses for me usually does the trick. Play with John The Ripper - it does ntlm passwords now.

            PS If you use samba, its passwords are also stored in NTLM format; so you should use a different password than your standard MD5 Linux login.

          • I don't really think that 'leeticizing' a dictionary word is a very good scheme. Most of the good password cracking tools check for that. Most of them will check for common things like changing 's' to '$' or changing 'a' to '@'. It's really just another substitution (like going through the various capitalization schemes). It may slow down the programs, but not in a significant way.

            I agree that it is better to do this than to not do it, but using dictionary words (or simple substitutions based on dictio
    • Criminals are not going to write their own web browser app, or file sharing program, they will use a common commercially available package that the Intelligence community can use against them, just as script kiddies use the fact that Windows XP is the primary OS against law abiding people.

      And criminals, who are none-too-bright to begin with, aren't going to use a password like DSdfWe3421.
    • Since when does the Press care about what they publish? Case in point: the Press hears that the US military is tracking OBL by his use of a satellite phone. No further calls from the phone are ever made. Perhaps if the Press would have thought about what they were doing...
    • Because (a) there's a limit to how much secrecy a law enforcement agency can impose; (b) it makes them look good, because they're leveraging all those desktop computers instead of spending a lot of money on supercomputer time; (c) a technically-literate crook will already be assuming they do something like this; (d) a technically-illiterate crook won't know how to respond anyway.

      Cops are certainly justified in keeping specifics of current investigations secret. But they can't and shouldn't keep their basic s

  • by Dark Paladin ( 116525 ) * <jhummel&johnhummel,net> on Monday March 28, 2005 @04:25PM (#12069899) Homepage
    My password is totally unguessable - I mean, who else has the password asdjklf;@#$#@jjdakl?

    No - wait, I meant that *wasn't* my password! Hey, stop ssh'ing into my box! No - not my 20 GB of Sailor Moon music collection!

    Well, guess I'll have to use my backup password of qwurf$#@ff5a` from now on - No, wait -

    Damn it!
  • In other words.. (Score:5, Insightful)

    by doormat ( 63648 ) on Monday March 28, 2005 @04:26PM (#12069911) Homepage Journal
    If your password is something you've ever written on your computer, it's likely they'll crack it? Interesting.... moral of the story: don't use words found in the dictionary as your password. Inject spaces or numbers or punctuation into the word if you do. And don't write it down on a sticky note under your keyboard.
  • by redmo ( 119229 ) on Monday March 28, 2005 @04:27PM (#12069913)
    for having my hard drive encrypted by a key, on a flash drive, which is encrypted by a password that is generated randomly every five minutes and hashed twice before I lock it in my safe deposit box.
  • In cases like this (and many others) security is only as strong as the person who manages it. Choose a weak password, choose weak security. I'm sure, however, if this information is public that their actual system is much more advanced. Sort of makes you wonder how sophisticated the NSA's equipment is.
  • by cfalcon ( 779563 ) on Monday March 28, 2005 @04:30PM (#12069967)
    I use the built-in crypto in Fedora (the device level encryption passed to a loopback file mounted under /enc). I doubt that, absent a key sniffer, my passwords would *ever* be discovered. I have some English words in them (most are long phrases with nonsense punctuation thrown in at several places), so I guess that could be some kind of issue. But overall, I feel pretty secure.

    Of course, I'm not actually defending any data that the government would care about, so it's all moot ;)

    (Unless the government has a pressing need to read my private journal about me bitching about how I can't get a date. In that case, those spooks are outta luck!)
    • by Quixote ( 154172 ) * on Monday March 28, 2005 @04:51PM (#12070243) Homepage Journal
      Unless the government has a pressing need to read my private journal about me bitching about how I can't get a date. In that case, those spooks are outta luck!

      ... and so, it appears, are you. ;-)

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Monday March 28, 2005 @04:30PM (#12069972)
    Comment removed based on user account deletion
    • by Rorschach1 ( 174480 ) on Monday March 28, 2005 @04:40PM (#12070076) Homepage
      "This is probably because people still have non-random memories."

      Pfff. I can remember the opcode for the 6502 halt-catch-fire instruction. I can't, however, remember what I had for breakfast. How's that for random?
    • Re:You think? (Score:3, Interesting)

      by pilkul ( 667659 )
      One of the best solutions I've seen is to use tier passwords plus a case-dependent "salt". For example your base low-security password could be the string "HB9y1a" (possible to remember when you use it for 10 different things), and then you can append the first two letters of the site you're using. So for slashdot your password would be "HB9y1asl". Of course you don't have to do exactly this; invent your own variant for extra obscurity.
  • by reality-bytes ( 119275 ) on Monday March 28, 2005 @04:31PM (#12069974) Homepage


    The U.S. Secret Service is having success with breaking keys using dictionary-attacks.

    Now, reading between the lines:

    The U.S. Secret Service has just perfected a brilliant new method of brute-forcing 256-bit keys in a matter of minutes using the same processing power as a pocket calculator.

    Therefore the previous dictionary-attack system can safely become public knowledge.
  • This ties in nicely with the "BBC Writer Tries PC Repair" thread. Most people don't understand their computer's software, even if they're criminals trying to hide evidence, apparently.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday March 28, 2005 @04:33PM (#12069993)
    Comment removed based on user account deletion
    • Re:no shit (Score:4, Funny)

      by Slashdot is dead ( 860120 ) on Monday March 28, 2005 @04:48PM (#12070198)
      My parents only let me use alphanumerics to name my dog.
    • Re:no shit (Score:3, Interesting)

      You can use a randomly generated pronounceable "word" that is basically a pronounceable mixture of consonants and vowels. You'll need to use, say, twice the length to get the security of a purely random password, but it's much easier to remember.

    • Re:no shit (Score:5, Interesting)

      by pla ( 258480 ) on Monday March 28, 2005 @05:03PM (#12070382) Journal
      And you know what happens when people use a random password? They write it down and either put it in their top desk drawer or on a nice post-it note on their monitor.

      Not everyone does that... Personally, I open a text editor, enter well-mixed gibberish until I find a key sequence that "feels" comfortable to type, then type it over and over until my fingers remember it.

      I couldn't actually tell you my passwords, and could swear to that in court without perjuring myself... "I" simply don't know them. But I can type them with no problem.


      Also, another trick that I recommend everyone adopt for their own security... Memorize three "good" passwords (as in, more-or-less indistinguishable from a string of random characters). Use one for public purposes (i.e., normal websites), one for normal moderate security use (normal user accounts at work and home), and reserve the last one for root/admin accounts and online financial sites.

      Now, that alone will do better than nothing, but one further very easy to remember step will make each one very nearly as good as a separate random string for every single one - Pick an arbitrary character (or two) of your password, and replace them with something about the place you use it. For example, you might change the fourth and seventh characters for the last two letters in the name of the site or machine.

      Combining those, you have a basically secure password that you can easily remember, and having one use of it compromised reveals absolutely nothing. Only someone that knows at least two of them has any shot at all of guessing the rest, and even then, only within one of your three classes of password.


      Of course, personally, I've simply memorized how to type around two dozen "good" passwords. But for those who don't feel quite so paranoid, the above works rather well.
  • by Anonymous Coward on Monday March 28, 2005 @04:35PM (#12070019)

    How the Secret Services Cracks Encrypted Evidence

    Looks like someone used Microsoft's Grammar Checker [slashdot.org] to create the headline.

  • by PxM ( 855264 ) on Monday March 28, 2005 @04:37PM (#12070043)
    Dictionary attacks and other brute force attacks still don't work too well on passphrases [asp.net] so those who use them can protect their drug money for a little while longer. It should also be noted that the DNA attack won't work unless the Secret Service has your private key file. The actual encryption can't be broken easily so they have to attack the weak encryption on the digital private key that's stored on your computer. If the key is stored in a manner that they can't get to it, then your data will still be safe. E.g. the key is stored on an IC in the computer that self destructs if it is tampered with like IBM's ultra-paranoid laptops. The IC would detect a brute force attack and destroy the key.

    --
    Want a free iPod? [freeipods.com]
    Or try a free Nintendo DS, GC, PS2, Xbox. [freegamingsystems.com] (you only need 4 referrals)
    Wired article as proof [wired.com]
  • Random (Score:5, Funny)

    by IPFreely ( 47576 ) <mark@mwiley.org> on Monday March 28, 2005 @04:39PM (#12070061) Homepage Journal
    If I thought these guys had any sense of humor at all, I'd make a 1.5 Gb file of random binary from a random number generator and store it in a file with a suspicious name.

    Of course I'd probably end up in Camp-XRay being tortured for the password. That's not where I want to spend my summer vacation.

    • Re:Random (Score:3, Insightful)

      by drspliff ( 652992 )

      Even better would be to have a spare hard disk, fill it with 100 different random 1gb files, all with random names, then store all your 'insert highly illegal topic' data in one of those files.

      Then for additional measure, have a process running in the background that modifies the access time and modification time randomly on all of them.

      The bottom line is, anybody who actually wants to secure their data, and make it almost impossible for anybody to recover it will probably already be doing this.

      The artic

  • Private Dictionaries (Score:5, Interesting)

    by Doc Ruby ( 173196 ) on Monday March 28, 2005 @04:40PM (#12070087) Homepage Journal
    It's becoming increasingly clear that human language facility is mostly a giant system of cross references. Sometimes those references attach to other experiences outside the language network, like other sensations and actions. But the language itself is a highly flexible collection of weighted references. There's no intrinsic "meaning" to the words and other language elements, just our shared experiences, including our experience of language itself. These private dictionary attacks are an extremely sophisticated attack on the very human space of personal language constraints.
  • Tron (Score:5, Funny)

    by Dachannien ( 617929 ) on Monday March 28, 2005 @04:41PM (#12070097)
    You know, it's amazing that Kevin Flynn had such trouble getting the info he needed to hang Ed Dillinger out to dry, considering that the password for the Master Control Program was "master".

    I guess we've come a long way in the past quarter century. Except when it comes to choosing passwords.

    • Re:Tron (Score:3, Interesting)

      by meringuoid ( 568297 )
      You know, it's amazing that Kevin Flynn had such trouble getting the info he needed to hang Ed Dillinger out to dry, considering that the password for the Master Control Program was "master".

      That's bad, I'll grant you - but the guys running the Jet Alone project set the main password granting full control over their nuclear-powered giant mech to a four-letter dictionary word. No wonder Ritsuko 0wn3d them so easily...

      (Two-letter, if they weren't using the Roman alphabet. No, I'm not saying what the passw

  • by rnelsonee ( 98732 ) on Monday March 28, 2005 @04:44PM (#12070138)
    I always wondered this: If your computer is seized, but the incriminating data is encrypted, do you have to give the password to decrypt it? I'd imagine not, since it would be self-incrimination. But it seems like a lot of people get caught with having illegal stuff on their hard drives. Are they just not encrypting their data? I can see someone not knowing how to encrypt a cache of internet files (kiddie porn or something), but wouldn't most people who attract this kind of attention just keep stuff locked up? Anyone know how well the Mac's auto-encryption stands up (whenever you log out, all personal files are encrypted using a 256 bit key or something)? It's one feature I think is really neat with Mac OS X on my brand new Mini.
    • Now, IANAL or anything... But from what I understand, a Judge can basically subpoena your password from you. If you refuse to disclose it you can be found in contempt of court and jailed.

      Of course you can claim to have forgotten it, what with the trauma of the arrest and all.
  • by wernst ( 536414 ) on Monday March 28, 2005 @04:44PM (#12070150) Homepage
    It looks like they figured it out after all. I just hope Martin is OK...
  • Filevault (Score:3, Interesting)

    by tdvaughan ( 582870 ) on Monday March 28, 2005 @04:46PM (#12070170) Homepage
    Does anyone have any ideas on how well FileVault in Mac OS X would stand up to this? Seems to me that with a strong, unique password it would be pretty much unbreakable since the entire home directory is encrypted.
  • by bmalia ( 583394 ) on Monday March 28, 2005 @04:51PM (#12070241) Journal
    Enter a new password: ***** [penis]

    Sorry, your password is not long enough.
    Enter a new password:

  • by Get Behind the Mule ( 61986 ) on Monday March 28, 2005 @04:54PM (#12070268)
    Passphrases are the only sensible solution I've ever heard of for devising keys that are both relatively easy to remember and sufficiently random so as to be secure. A random string of characters cannot be reliably memorized. Any word, no matter in what language and no matter how obscure, can be cracked by a dictionary attack. A sequence of words chosen at random can be memorized, and if it's about six or seven words long, is probably beyond the reach of cracker software, even the Secret Service's.

    One of the best ways I've seen to construct a secure passphrase is Diceware [diceware.com]. Arnold Reinhold constructed a list of about 7500 words of up to six characters in length. Roll five dice to pick out a word in the list; do this a few times to create a passphrase, commit the phrase to memory, and burn anything you might have written down. He calculated that if you choose a passphrase consisting of seven words this way, you have about 90 bits of entropy, which a cracker probably couldn't break in this lifetime. His sample phrase is cleft cam synod lacy yr, which probably takes some practice to memorize, but it can be done.
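As an added example (not from the post or from Reinhold's Diceware page), here are the Diceware mechanics in Python: a five-dice roll mapped to its word-list key and index, the entropy figures the post quotes, and a CSPRNG stand-in for physical dice. The key-to-word mapping used at the bottom is a constructed placeholder, not the real word list.

```python
"""Diceware mechanics: dice rolls -> list key -> word, plus passphrase entropy.
Added example; the word list used here is a constructed placeholder."""
import math
import secrets
from itertools import product

DICE_SIDES = 6
DICE_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** DICE_PER_WORD      # 7776 entries, keyed 11111..66666


def rolls_to_key(rolls):
    """Five dice rolls (each 1..6) -> the five-digit key printed beside each
    word in the list, e.g. (1, 1, 1, 1, 1) -> '11111'."""
    if len(rolls) != DICE_PER_WORD or any(not 1 <= r <= DICE_SIDES for r in rolls):
        raise ValueError("need exactly five rolls, each in 1..6")
    return "".join(str(r) for r in rolls)


def key_to_index(key):
    """'11111'..'66666' -> 0..7775 by reading the key as a base-6 number."""
    index = 0
    for digit in key:
        index = index * DICE_SIDES + (int(digit) - 1)
    return index


def entropy_bits(num_words, list_size=LIST_SIZE):
    """Entropy of num_words words drawn uniformly and independently from the list.
    Seven words from 7776 give about 90.5 bits, the figure the post cites."""
    return num_words * math.log2(list_size)


def words_needed(target_bits, list_size=LIST_SIZE):
    """Shortest passphrase that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def random_key():
    """Software stand-in for dice: secrets.randbelow is unbiased and CSPRNG-backed,
    unlike random.randint, which must not be used for this."""
    return "".join(str(secrets.randbelow(DICE_SIDES) + 1) for _ in range(DICE_PER_WORD))


def all_keys():
    return ("".join(k) for k in product("123456", repeat=DICE_PER_WORD))


def make_passphrase(word_list, num_words):
    """word_list maps every five-digit key to a word. A list with missing keys
    would skew the distribution and silently lower the entropy, so refuse it."""
    if len(word_list) != LIST_SIZE or any(k not in word_list for k in all_keys()):
        raise ValueError("word list must have exactly one word per key 11111..66666")
    return " ".join(word_list[random_key()] for _ in range(num_words))


def placeholder_word_list():
    """Constructed: one synthetic 'word' per key, only to exercise the machinery."""
    return {k: "w" + k for k in all_keys()}


if __name__ == "__main__":
    print(f"7 words: {entropy_bits(7):.1f} bits; words for 128 bits: {words_needed(128)}")
    print(make_passphrase(placeholder_word_list(), 7))
```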
  • by cliffjumper222 ( 229876 ) on Monday March 28, 2005 @04:55PM (#12070279)
    This might not be new to some, but it's quite easy to create random passwords that you can remember, although, I suppose you could argue that they are not completely random. Anyway, here goes:

    1. Think of a sentence that you can remember, e.g., "My two lovely kids Spike and Mary eat noodles every day!"
    2. Take the first letter of each word and use some common substitutions: "M2lkS&Mened!" - Bingo, not only is it a pretty random collection of letters but it includes numbers, upper case and lower case mixed and even punctuation. All lovely stuff to blunt brute force password attacks.
    3. When you type it in, say the sentence to yourself in your head. It's really quite easy to remember that way. Also, you can even just about get away with writing it down (in an office environment) and not many people will understand it. Of course, I don't recommend this but people are people.
    4. Don't forget to dump the sentence every few months or so and make up a new one. It's no big deal, they're easy to remember.

    Hope that helps some.

    • I read an article from SecurityFocus [securityfocus.com] a while back that had the suggestion of using song lyrics as a password. In the example it gave, the first line from Led Zeppelin's "Stairway to Heaven" was used. Thus the line:

      There's a lady who's sure all that glitters is gold

      Becomes

      Talwsatgig

      Of course, you would then add in caps, numbers, or non-alpha characters as you see fit. And if you're thinking of hanging the "decryption key" on your cube wall, it's much less conspicuous with song lyrics than a sentence s

  • Eat this! (Score:5, Funny)

    by Maradine ( 194191 ) * on Monday March 28, 2005 @05:04PM (#12070390) Homepage
    Hey, SS!

    Go stick a pig
    and your mother, too!

    M
  • by caryw ( 131578 ) <carywiedemann@[ ]il.com ['gma' in gap]> on Monday March 28, 2005 @05:15PM (#12070507) Homepage
    Any password based on a word is inherently flawed.

    A much better way to create passwords is based on finger movements. For example, the index finger horizontal rows on the keyboard give a password such as: r f v u j m (type that password in notepad or something and you'll see what I mean)

    This is a very simple example of finger movement passwords. Much more complex passwords can be created by alternating fingers (r u f j v m), or using more fingers in the pattern.

    I personally use a password that is 12 characters long that I have no problem typing but I couldn't recite if my life depended on it.

    Just make sure you don't inadvertently encounter a dvorak keyboard layout!
    - Cary
    --
    Fairfax Underground: Where Fairfax County comes out to play [fairfaxunderground.com]
  • by jpellino ( 202698 ) on Monday March 28, 2005 @05:48PM (#12070887)
    "The effort started nearly three years ago to battle a surge in the number of cases in which savvy computer criminals have used commercial or free encryption software to safeguard stolen financial information, according to DNA program manager Al Lewis."

    Oh, how the mighty have fallen...
