Someone tried or has been able to guess my password?

I don't think it is installed by default anymore. However github still shows that 1.2% of the base system code is written in perl, so I don't really know what the hell is going on.
Really, I didn't know. I set up a 4.3-RELEASE box a week or so ago, with xorg and windowmaker, and it seems to have perl on it. I probably didn't check the base before installing xorg etc. though, I'm so used to perl being there by default, so maybe it got sucked in as a dependency. It's a sad day if there is no perl in the base... and they want to add rust. Makes no sense to me. :'‑(
 
I guess it will be back to slackware then... hang on in there, Pat Volkerding.... or I guess there's always open/net-bsd, hopefully.
 
AND they require you to have a password that is different enough from the last 5 or 6 ones,
Which means they store your last passwords in plain text or close enough to detect this, right? Or did I miss some magic algorithm that can do this?
 
Which means they store your last passwords in plain text or close enough to detect this, right? Or did I miss some magic algorithm that can do this?
Did you miss the simple fact that previous passwords are not even valid? Even the current password amounts to the same thing as a public key shared by the SSH server that is available in FreeBSD's base.
 
it may store something like salted hashes of the password trigrams so even if you have access to them they are (mostly) useless
 
It is. Research has shown that changing passwords too often can lead to weaker password habits, as users may resort to simpler or more predictable choices just to remember them.
Username checks out.

You need to start using a password manager like keepassxc.
You need to generate strong, complicated and long passwords like this: bvBRxIh}r[E8h%"K|];&M_H|
Never use the same password twice. Generate a completely different password for each platform you use.
Create an alternative email that has no link to you, and use that for forums and websites. Do not use private email(s).
Do not use password managers that are built into browsers and avoid using the "remember me" option.
Log out of sessions once you are done to prevent session hijacking.
Lock your password manager database with yubikey or similar.
Make several backups of your password database.
Always be security aware.

If you are not doing all this, YOU are the problem.
 
If you ever used the password reset function at the forum's login you know the real thing looks completely different - I never got any email from freebsd.org with some code to be verified.
That's "just a normal fake BS junk mail" you caught. Though one made for the FreeBSD forums is new to me.

The way the login is protected here feels pretty safe to me. As long as you don't use an easy to guess email address, and above all a strong password you don't give away or click on some BS link in some dubious, unasked emails, I was not concerned.

Anyway, strong passwords:

As eternal_noob already pointed out, unless you use weak passwords, which are the most risky security gap anyhow, a frequent change will not really increase security, but can even lower it, as he explained. A strong password is always better than changing passwords frequently.
I like that anecdote about Ken Thompson using the password p/q2-q4! for quite a long time. And I'm pretty sure many tried to get it 😁

Btw: There is no safer place for a password than in your head.

Your random password generator is a nice thing, blackbird9, but it may need a bit of polishing, since besides producing passwords that are hard (impossible) to remember, the pws it produces only contain A-Z, a-z, and 0-9, but lack any additional signs.
As long as you don't use one trivial word the strength of a password is not really increased by using random garbage. The strength of a password simply is defined by its length, and the sign base it uses.
Since you cannot remember those random pws you need some passwordmanager to deal with them. At least for that you need a really strong pw you have in your head, only. If the pw manager's pw is hacked all passwords in it are toast - no matter how strong those were.

That classic xkcd explains the most important issues better than any long post:

[image: xkcd-pw.gif]
 
Password generators:
The one that was in DEC VMS was pretty cool. It would try to generate something that actually looked like a word you could pronounce; that made it easier to remember.
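To show the tradeoff behind a "pronounceable" generator like the VMS one mentioned above, here is an added example (my own illustration, not the VMS code and not anything from this thread): it builds words from consonant-vowel(-consonant) syllables with `secrets`, and computes how many bits of entropy such a word carries compared with a fully random string of the same length. The syllable tables, the function names and the 4-syllable default are assumptions made for the illustration.

```python
import math
import secrets
import string

# Building blocks for consonant-vowel(-consonant) syllables. The real VMS generator used
# its own tables; these sets are an assumption made for this illustration only.
ONSETS = "bcdfghjklmnprstvwxyz"                      # 20 choices
VOWELS = "aeiou"                                     # 5 choices
CODAS = ["", "n", "r", "s", "t", "l", "k", "m"]       # 8 choices, "" = open syllable


def pronounceable(syllables: int = 4) -> str:
    """Return a CV(C) word; every syllable part is drawn uniformly with secrets.choice."""
    return "".join(
        secrets.choice(ONSETS) + secrets.choice(VOWELS) + secrets.choice(CODAS)
        for _ in range(syllables)
    )


def pronounceable_entropy_bits(syllables: int = 4) -> float:
    """Each syllable is one of 20*5*8 = 800 equally likely outcomes, i.e. log2(800) bits."""
    return syllables * math.log2(len(ONSETS) * len(VOWELS) * len(CODAS))


def random_entropy_bits(
    length: int,
    alphabet: str = string.ascii_letters + string.digits + string.punctuation,
) -> float:
    """Entropy of a uniformly random string over an alphabet: length * log2(|alphabet|)."""
    return length * math.log2(len(set(alphabet)))


if __name__ == "__main__":
    word = pronounceable(4)
    print(f"{word}: about {pronounceable_entropy_bits(4):.1f} bits")
    # A random string of the same length over the 94 printable ASCII characters
    # carries roughly 6.55 bits per character, so it wins on strength per character;
    # the pronounceable word wins on being something you can actually keep in your head.
    print(f"random {len(word)} chars: about {random_entropy_bits(len(word)):.1f} bits")
```

Four syllables give about 38.6 bits, which is in the range of a typical short generated password; the 24-character random string quoted earlier in the thread, by the same formula, sits near 157 bits. The point is the one the post makes: a generator that only emits pronounceable words trades entropy per character for memorability, so such words need to be longer to reach the same strength.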
 
How does it work? Someone guessed my password or not?
Ehm, I guess you reused passwords? Your registered email address shows up in 50 data breaches, including some that managed to pilfer passwords.
 
no it does not
This is where the magic algorithm comes in.
The moment you get the notification that the password you tried to use is too close (but not identical) to one you have or had X attempts before, it means the server has a way to correlate the words. This would also mean someone else who gets hold of the server database can severely limit his brute force area to check. And if your passwords were, for example, "Puuwai", "Kauai", "Oahu" then it takes no genius to know your next one will be "Moloka". Habits get exposed.
 

it may store something like salted hashes of the password trigrams so even if you have access to them they are (mostly) useless
and while a trigram is just about 1 million combinations it still takes some time to crack your trigrams so they can break your former password.
for bigfatcat "trigrams" will be __b _bi big igf gfa fat atc tca cat at_ t__
i don't know if they use this method but i do use it for the search on my site for user words that are not present on the site to suggest an alternative (without hashes obviously)
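As an added illustration of the scheme described in the last two posts above (the similarity check that triggers "too close to a previous password", and the salted-trigram storage idea), here is a small Python model. It is my own example, not the forum software's code and not anything posted in this thread; the class and function names, the HMAC-SHA256 construction, the Jaccard overlap and the 0.5 threshold are all assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import string

# Pad character so the first and last letters also land in a trigram
# (the post writes "bigfatcat" as __b _bi big ... at_ t__).
PAD = "_"


def trigrams(word: str) -> list[str]:
    """Overlapping 3-character windows of the word with two pad chars on each side."""
    padded = PAD * 2 + word + PAD * 2
    return [padded[i:i + 3] for i in range(len(padded) - 2)]


def hashed_trigrams(word: str, salt: bytes) -> set[str]:
    """Store HMAC-SHA256(salt, trigram) per trigram instead of the fragments themselves."""
    return {hmac.new(salt, t.encode(), hashlib.sha256).hexdigest() for t in trigrams(word)}


def similarity(candidate: str, stored: set[str], salt: bytes) -> float:
    """Jaccard overlap (0.0 .. 1.0) between the candidate's trigram hashes and a stored set."""
    cand = hashed_trigrams(candidate, salt)
    return len(cand & stored) / len(cand | stored)


class PasswordHistory:
    """Keeps salted trigram hashes of the last `keep` passwords and rejects near-duplicates.

    This is the kind of check that can say "too close to one you used before" without
    keeping the old passwords in clear text. (Assumed design, not the forum's.)
    """

    def __init__(self, keep: int = 5, threshold: float = 0.5) -> None:
        self.salt = secrets.token_bytes(16)   # one salt so sets from different passwords are comparable
        self.keep = keep
        self.threshold = threshold
        self.history: list[set[str]] = []

    def too_similar(self, candidate: str) -> bool:
        return any(similarity(candidate, old, self.salt) >= self.threshold for old in self.history)

    def set_password(self, new: str) -> bool:
        """Accept and record the new password, or refuse it if it overlaps an old one."""
        if self.too_similar(new):
            return False
        self.history.append(hashed_trigrams(new, self.salt))
        self.history = self.history[-self.keep:]
        return True


def trigram_space(alphabet: str = string.printable.strip()) -> int:
    """How many distinct trigrams exist over an alphabet (plus the pad character).

    Over the 94 printable ASCII characters this is 94**3 = 830584, i.e. roughly the
    "about a million" the post mentions: small enough that someone holding the salt and
    the hash set can label every hash by simply hashing each possible trigram.
    """
    n = len(set(alphabet) | {PAD})
    return n ** 3


if __name__ == "__main__":
    h = PasswordHistory()
    print(h.set_password("bigfatcat"))    # True, first password
    print(h.set_password("bigfatcat1"))   # False, 9 of 14 trigram hashes overlap
    print(h.set_password("Moloka"))       # True, no trigram in common
    print(trigram_space())                # 830584
```

The usage at the bottom reproduces the post's "bigfatcat" trigrams and shows both sides of the argument: the server can flag "bigfatcat1" as too close without storing "bigfatcat", yet because `trigram_space()` is under a million, a leaked database plus its salt lets each stored hash be mapped back to its three characters, and the overlapping windows then reassemble the old password. A history check that gives nothing extra away compares the new password only against the properly hashed (bcrypt, scrypt, Argon2) previous ones; that catches exact reuse but cannot judge "closeness", which is precisely the trade the trigram approach makes.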
 
My email address there occurs in 4 breaches, while 3 of those I never heard of, 100% sure I never gave it to them, so I wonder how those got my e-mail address in the first place at all. :-/
Must have been one of those "we respect your privacy, and we will never give any of your data to anybody else, ever" services 😁

For example: your data gets compromised on the FreeBSD forums and ends up on the dark web. Someone buys that database that includes your data, and they use your data to register on other platforms. Those platforms get compromised, and your account gets pwned on platforms you never used. It's not hard really.
 
And if your passwords were, for example, "Puuwai", "Kauai", "Oahu" then it takes no genius to know your next one will be "Moloka". Habits get exposed.
Yeah, which is why I usually try for words that don't fit a mental pattern. A sed command (albeit mangled) for one time, next time it's a street in Kabul, next time it's a name for an obscure chemical compound, you name it. Pick an unrelated topic at random, look within it. This is why I keep an offline password app around - it reminds me what I used before. Yeah, it takes some mental effort, but that is preferable to SSO.

Besides - OP is not a big fish for hunting down. Most rank-and-file users are not, either. Just having some good habits is enough most of the time. Most of the time, careless people fall prey to crawlers and scanners, but you have to be pretty careless or totally blind to trouble signs to get into serious trouble from crawlers and scanners. And most of the time, trouble signs are relatively easy to rectify just by having good habits around password usage.
 
I think I'm going to start using "FreeBSD forum usernames, mangled with random letters, digits, characters"
I'd say that's just not enough mental effort. Has to be something that is totally unrelated to the conversation at hand. Words in a foreign language that you know (and mangling them a bit) are another idea. What I threw out were just examples of how to change the very theme of the passwords, not just the words themselves. Occasionally, a random phrase/word generator (there's plenty of those online, just pick one) can be used. Point is to not expose habits, very true.

Yeah, thinking up a password is hard, it's like getting keys to your apartment/house designed AND cut.

Changing the password is like changing locks to your place. No, it won't keep you safe if an out-of-control semi crashes into your house, but it will deter most thieves, and definitely a stubborn relative.
 
I'd say that's just not enough mental effort
Fair enough, but sounds like you are assuming I'd only be limiting my starting point to users that have responded to this thread and not including "deleted users".
So yes, I understand your point, but using as an input "usernames I have encountered on FreeBSD Forums" is a bigger set than "Hawaiian Islands". Heck you could use my blocked/ignore list and it's still bigger :).

Passwords have always been a tradeoff between "I can remember it" and "I have to write it down". Remembering may imply less secure, writing it down may imply more secure unless someone steals the post-it. I think if you have a standard of replacements or patterns included you can create memorable passwords that are reasonably secure. Again I give you the VMS password generator that tried to make "words".
 