Texas Citizens Defense League site HIJACKED

Gun, shooting and equipment discussions unrelated to CHL issues

Moderator: carlson1


Topic author
Mark F
Member
Posts in topic: 1
Posts: 55
Joined: Mon Jul 14, 2008 4:52 pm
Location: Bedford TX

Texas Citizens Defense League site HIJACKED

#1

Post by Mark F »

Because the TXCDL main page has been HIJACKED by someone, here is an alternate way in.

http://www.txcdl.org/phpbb3/index.php?s ... 64e1d45b25

I certainly hope they catch the jerk...
Only when the best will suffice.

KaiserB
Banned
Posts in topic: 2
Posts: 647
Joined: Mon Apr 21, 2008 1:11 pm
Location: DFW Texas

Re: Texas Citizens Defense League site HIJACKED

#2

Post by KaiserB »

This can be prevented by enacting one simple rule:

Always use strong passwords...

Strong Password Definition

Format
Strong passwords must be at least 8 characters long, not exceed 32 characters, and at a minimum contain:

  • One upper- and one lowercase character
  • One digit
  • One punctuation character

See the Strong Password Example below.

Criteria

Strong passwords:

  • Contain both upper- and lowercase characters (e.g., a-z, A-Z)
  • Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
  • Are at least eight alphanumeric characters long
  • Are not words in any language, slang, dialect, jargon, etc.
  • Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered.

Poor, weak passwords have the following characteristics and must not be used:

  • The password contains fewer than eight characters
  • The password is a word found in a dictionary (English or foreign)
  • The password is a common usage word such as:
      - Names of family, pets, friends, co-workers, fantasy characters, etc.
      - Computer terms and names, commands, sites, companies, hardware, software
      - Birthdays and other personal information such as addresses and phone numbers
      - Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
      - Any of the above spelled backwards
      - Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong Password Example:

TbM&htr1

The Annoyed Man
Senior Member
Posts in topic: 2
Posts: 26852
Joined: Wed Jan 16, 2008 12:59 pm
Location: North Richland Hills, Texas

Re: Texas Citizens Defense League site HIJACKED

#3

Post by The Annoyed Man »

One of my personal websites (http://www.goodreturns.com) was hacked over the weekend by some group called "VEZiR.04". If you google that name, you'll see that they hit over 127,000 websites all over the world last weekend. Mine was just one of them. It was a Joomla! installation, version 1.5.2, running in legacy mode because the template I had chosen when I started the site was not 1.5 compatible. (Version 1.5.6 closes the security hole, and I'm working on upgrading that site to this version.) The hackers had realized that most open source software packages start with the default administrator username of "admin", and most website owners using open source software never bother to change the admin user's username once the site is installed because they (like me) figured that setting the password was enough security. So all the hacker script had to do was crack the password, which was apparently not that hard because of an oversight in the code in the software's password reset script. (I'm not going to post any more about that aspect here, but if you want to research it, go to http://www.joomla.org.)

phpBB - the same software that your linked site uses (as well as this one) - is commonly installed alongside Joomla! installations, and when I looked at a lot of the hacked sites that I googled, there were a lot of phpBB sites, as well as Joomla! sites, that were hacked. In fact, http://www.joomla.org, the parent website for the software's development team, was hacked as well.

A software developer that I work with told me yesterday that Southwest Airlines was one of the sites that was hit, so this was truly more than just hacking a bunch of personal websites and discussion boards. He also said that he was able to trace the IP address of the hacker to Turkey. The sites that were hit were located all over the world. A few of the sites that I saw that were defaced were either Christian or Jewish. Turkey is a largely Muslim nation. Maybe I'm just being paranoid, but given the scope of the attack, my gut says that this was more than just cyber vandalism, and borders on cyber warfare.
“Hard times create strong men. Strong men create good times. Good times create weak men. And, weak men create hard times.”

― G. Michael Hopf, "Those Who Remain"

#TINVOWOOT

brianko
Banned
Posts in topic: 4
Posts: 159
Joined: Sun Jul 13, 2008 10:56 pm

Re: Texas Cititzens Defense League site HIJACKED

#4

Post by brianko »

KaiserB wrote:This can be prevented by enacting one simple rule:

Always use strong passwords...


Strong Password Example:

TbM&htr1
The problem with random "strong" passwords (in quotes because they really aren't as strong as the casual user might expect) such as this is that they generally encourage individuals to record them somewhere because they simply cannot be memorized. A better (and much more secure) system is to generate easily-remembered (but tough to crack) passphrases. For those who might be interested, http://www.diceware.com is an excellent primer and provides everything necessary to generate extremely secure passphrases (basically, a set of dice and an appropriate passphrase list). Don't let the fact that short English words are used -- given a list of 7776 short English words, there are *far* more combinations of easily-remembered five-word passphrases (28,393,742,898,980,409,600) that can be generated than can be generated with an 8-character password from a field of 70 or so possible characters (380,634,949,094,400). Which would you rather remember:

TbM&htr1

or

1910 insect grass kafka genie ?

What this has to do with concealed carry I haven't the slightest idea, so I'll now return everyone to their regularly-scheduled program...
A nation of sheep begets a government of wolves. --E. Murrow
Member GOA (life), JPFO

The Annoyed Man
Senior Member
Posts in topic: 2
Posts: 26852
Joined: Wed Jan 16, 2008 12:59 pm
Location: North Richland Hills, Texas

Re: Texas Citizens Defense League site HIJACKED

#5

Post by The Annoyed Man »

I tend to use passwords in "leet".

For example: Take the word "grapevine" and make it into "gr4p3v1n3" (don't even think about it... that's not my password! "rlol" ).
“Hard times create strong men. Strong men create good times. Good times create weak men. And, weak men create hard times.”

― G. Michael Hopf, "Those Who Remain"

#TINVOWOOT

KaiserB
Banned
Posts in topic: 2
Posts: 647
Joined: Mon Apr 21, 2008 1:11 pm
Location: DFW Texas

Re: Texas Citizens Defense League site HIJACKED

#6

Post by KaiserB »

brianko wrote:
KaiserB wrote:This can be prevented by enacting one simple rule:

Always use strong passwords...


Strong Password Example:

TbM&htr1
The problem with random "strong" passwords (in quotes because they really aren't as strong as the casual user might expect) such as this is that they generally encourage individuals to record them somewhere because they simply cannot be memorized.
Do you have a dollar bill in your wallet? You could keep a post-it note in your wallet with the password written on it. Human beings are very good at guarding small pieces of paper in their wallets.

Excaliber
Moderator
Posts in topic: 1
Posts: 6198
Joined: Tue May 27, 2008 9:59 pm
Location: DFW Metro

Re: Texas Citizens Defense League site HIJACKED

#7

Post by Excaliber »

KaiserB wrote:
brianko wrote:
KaiserB wrote:This can be prevented by enacting one simple rule:

Always use strong passwords...


Strong Password Example:

TbM&htr1
The problem with random "strong" passwords (in quotes because they really aren't as strong as the casual user might expect) such as this is that they generally encourage individuals to record them somewhere because they simply cannot be memorized.
Do you have a dollar bill in your wallet? You could keep a post-it note in your wallet with the password written on it. Human beings are very good at guarding small pieces of paper in their wallets.
An easier solution is to load Roboform onto your PC. It appears as a toolbar in your browser, remembers your site URLs, usernames, and passwords, and fills in forms with a single click. It has only one master password you need to remember to access all others, and it contains a random password generator to create secure passwords as well. I've used it for years and wouldn't consider going without it.
Excaliber

"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." - Jeff Cooper
I am not a lawyer. Nothing in any of my posts should be construed as legal or professional advice.

KD5NRH
Senior Member
Posts in topic: 2
Posts: 3119
Joined: Sat Mar 04, 2006 3:25 am
Location: Stephenville TX

Re: Texas Citizens Defense League site HIJACKED

#8

Post by KD5NRH »

KaiserB wrote:Do you have a dollar bill in your wallet? You could keep a post-it note in your wallet with the password written on it. Human beings are very good at guarding small pieces of paper in their wallets.
Until said wallet is lost or stolen, and you can't remember the unmemorizable password to log in and change it, nor can you get to the list of the credit card numbers you need to cancel that you stored behind the same password.

A password that has to be written down is no better than any other physical access device - less so, really, since a lot of people will make extra copies in case they lose the main one. The whole point of using passwords or pass phrases is that they can't be stolen when they're only stored in your head.

Assigned passwords are even worse, since they will have no meaning to the user at all. Picking a phrase that would be impractical to guess is pretty easy; one line from an obscure book, for example, is just one of millions of possible phrases that would have to be tried in order to crack the phrase. Intentionally misspelling it or translating to a language the book was never published in makes it as near random as you can get without losing meaning. The Julian date of your birthday converted to octal or hex is, while maybe not memorable, at least relatively easy to calculate again when needed from easily remembered data. As long as nobody knows what formula you used to get there, these are significantly more secure than any random data that you have to write down.

KBCraig
Banned
Posts in topic: 1
Posts: 5251
Joined: Fri May 06, 2005 3:32 am
Location: Texarkana

Re: Texas Citizens Defense League site HIJACKED

#9

Post by KBCraig »

KD5NRH wrote:As long as nobody knows what formula you used to get there, these are significantly more secure than any random data that you have to write down.
Thank you. I wish you would convince our IT weenies of that. And while you're at it, remind them that two weeks is a ridiculously short period to de-authorize an unused login. We don't all use, nor even have access to, all of our programs and systems, but if we don't use them, we get locked out. Huh? :confused5

brianko
Banned
Posts in topic: 4
Posts: 159
Joined: Sun Jul 13, 2008 10:56 pm

Re: Texas Citizens Defense League site HIJACKED

#10

Post by brianko »

KD5NRH wrote:As long as nobody knows what formula you used to get there, these are significantly more secure than any random data that you have to write down.
Please don't do this! Picking a random phrase from a book results in an entropy level of about 1.5 bits per character. About 50 bits of entropy is considered easy to break, so you would need at least 30 characters from your "random" passage to meet the threshold of being trivially easy to crack (remember, there are many predictable patterns in English). About 100 bits would be considered "strong," so you'd need a 67-character passage for a truly secure password. A truly randomized password has about 4.7 bits of entropy per character, so we're talking about a 20-character random password with the same level of security. A seven-word passphrase (randomly selected from a list of 7,776 English words) has about the same level of security.

Which do you want to remember (or type on a consistent basis): A 67-character English passage, or a 20-character password, or a seven-word passphrase?

(The source for most of this info is here: http://world.std.com/%7Ereinhold/dicewa ... redundancy. Anyone with a math background can verify the information provided.)

Of course, it all boils down to how important you believe it is that you have a secure password. If you believe it's highly unlikely anyone will want to break into your system, then feel free to use a "weak" password. The problem, though, is that it's rather difficult to predict when someone will take an interest in you (sort of the same situation when you carry!)...
A nation of sheep begets a government of wolves. --E. Murrow
Member GOA (life), JPFO
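The keyspace and entropy arithmetic from brianko's posts #4 and #10, worked in Python as an added example (this is not code from the thread or from Diceware). It assumes the figures the posts give: a 7776-word Diceware list, a password alphabet of 70 characters, and the 1.5 and 4.7 bits-per-character estimates for English prose and random characters; the two large counts quoted in post #4 are the no-repeat (falling factorial) counts, which math.perm reproduces exactly.

```python
"""Password vs. passphrase keyspace and entropy, using the thread's numbers.

Added example, not code from the original post. Constants below are the
assumptions stated in the posts, not measured values.
"""
import math

DICEWARE_WORDS = 7776          # 6^5 entries, one per roll of five dice
PASSWORD_ALPHABET = 70         # "a field of 70 or so possible characters"
ENGLISH_BITS_PER_CHAR = 1.5    # prose estimate quoted in post #10
RANDOM_BITS_PER_CHAR = 4.7     # log2(26): uniformly random single-case letters


def keyspace(symbols: int, length: int, with_replacement: bool = True) -> int:
    """Number of distinct secrets of the given length.

    with_replacement=True is the usual symbols**length; False counts
    selections with no repeated symbol, which is how post #4's figures
    (28,393,742,898,980,409,600 and 380,634,949,094,400) were computed.
    """
    if with_replacement:
        return symbols ** length
    return math.perm(symbols, length)


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret: length * log2(symbols)."""
    return length * math.log2(symbols)


def prose_entropy_bits(chars: int) -> float:
    """Rough entropy of a passage lifted from a book, at ~1.5 bits/char."""
    return chars * ENGLISH_BITS_PER_CHAR


def length_for_bits(target_bits: float, bits_per_unit: float) -> int:
    """Units (characters or words) needed to reach target_bits."""
    return math.ceil(target_bits / bits_per_unit)


def compare(target_bits: float = 100.0) -> dict:
    """How long each scheme must be to reach the same strength."""
    return {
        "english_chars": length_for_bits(target_bits, ENGLISH_BITS_PER_CHAR),
        "random_chars": length_for_bits(target_bits, RANDOM_BITS_PER_CHAR),
        "diceware_words": length_for_bits(target_bits, math.log2(DICEWARE_WORDS)),
    }


if __name__ == "__main__":
    print("5-word passphrase, no repeats:", keyspace(DICEWARE_WORDS, 5, False))
    print("8-char password, no repeats:  ", keyspace(PASSWORD_ALPHABET, 8, False))
    print("5 Diceware words:", round(entropy_bits(DICEWARE_WORDS, 5), 1), "bits")
    print("7 Diceware words:", round(entropy_bits(DICEWARE_WORDS, 7), 1), "bits")
    print("8 chars from 70: ", round(entropy_bits(PASSWORD_ALPHABET, 8), 1), "bits")
    print("67-char passage: ", prose_entropy_bits(67), "bits")
    print("lengths for 100 bits:", compare(100.0))
```

Carried out exactly rather than rounded, the thread's "about" figures shift slightly: 7 Diceware words give roughly 90 bits, and a full 100 bits needs 8 words or 22 random characters, while the 67-character passage figure matches.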

Xander
Senior Member
Posts in topic: 3
Posts: 766
Joined: Fri Jun 01, 2007 11:27 am
Location: Plano

Re: Texas Citizens Defense League site HIJACKED

#11

Post by Xander »

brianko wrote:Please don't do this! Picking a random phrase from a book results in an entropy level of about 1.5 bits per character
No it doesn't. If you read the explanation in the link you provided, that's the (approximate) entropy level you might get if you string consecutive letters from a book together, and though it doesn't specifically mention it, that's also assuming a single case. An actual phrase, properly capitalized and punctuated, spaces and all, will be significantly stronger.

brianko
Banned
Posts in topic: 4
Posts: 159
Joined: Sun Jul 13, 2008 10:56 pm

Re: Texas Citizens Defense League site HIJACKED

#12

Post by brianko »

Xander wrote:
brianko wrote:Please don't do this! Picking a random phrase from a book results in an entropy level of about 1.5 bits per character
No it doesn't. If you read the explanation in the link you provided, that's the (approximate) entropy level you might get if you string consecutive letters from a book together, and though it doesn't specifically mention it, that's also assuming a single case. An actual phrase, properly capitalized and punctuated, spaces and all, will be significantly stronger.
In fact, using the actual phrase with proper caps and punctuation would make the phrase weaker (not stronger) due to increased predictability and decreased randomization.

This is the very reason why "tricks" like phrases from books, birthdays, pet's names, etc. aren't as secure as they appear to be and should not be used. As an IT professional, I cringe every time I see some "novel" way of generating so-called "secure" passwords. These methods aren't novel, and if you search hard enough you can find an attack on every one of these "novel" methods. Often, I see a level of defensiveness from people who don't like to be told that their "unique" method of selecting passwords isn't so unique after all. No one likes to be told they're wrong (me included).

If you want to learn more about this, a good place to start is with this blog post by cryptographer Bruce Schneier.
A nation of sheep begets a government of wolves. --E. Murrow
Member GOA (life), JPFO

Xander
Senior Member
Posts in topic: 3
Posts: 766
Joined: Fri Jun 01, 2007 11:27 am
Location: Plano

Re: Texas Citizens Defense League site HIJACKED

#13

Post by Xander »

brianko wrote: In fact, using the actual phrase with proper caps and punctuation would make the phrase weaker (not stronger) due to increased predictability and decreased randomization.
Nonsense. I'm not sure you understand the concept of entropy, as it relates to language. The general idea is that you can anticipate future characters in the sequence based on the past characters in the sequence. Anytime you increase the number of characters in the working set, you increase the difficulty of prediction because you need a larger known sample in order to predict the pattern, since there are more possible/likely patterns.

I've been reading Schneier for many years and I certainly respect his work, but I fail to see how the blog post you linked to which isn't about the mechanical predictability of passwords at all, but rather about the psychology of passwords, applies.

brianko
Banned
Posts in topic: 4
Posts: 159
Joined: Sun Jul 13, 2008 10:56 pm

Re: Texas Citizens Defense League site HIJACKED

#14

Post by brianko »

Xander wrote:
brianko wrote: In fact, using the actual phrase with proper caps and punctuation would make the phrase weaker (not stronger) due to increased predictability and decreased randomization.
Nonsense.
...
I've been reading Schneier for many years and I certainly respect his work, but I fail to see how the blog post you linked to which isn't about the mechanical predictability of passwords at all, but about the psychology of passwords applies.
Good. Then you'll certainly understand the weaknesses inherent with any predictive method used to generate passwords. Unless we're talking about brute-force attacks, there is always going to be an element of "social engineering" involved. A predictive password scheme readily lends itself to an attack once the attacker narrows the choices down. Any scheme that depends upon a personal "token" such as a birthday, pet's names, etc. is an exploit simply waiting to happen. And any scheme that relies on a predictive method to generate passphrases (such as book passages) simply provides a false sense of security.
A nation of sheep begets a government of wolves. --E. Murrow
Member GOA (life), JPFO

Xander
Senior Member
Posts in topic: 3
Posts: 766
Joined: Fri Jun 01, 2007 11:27 am
Location: Plano

Re: Texas Citizens Defense League site HIJACKED

#15

Post by Xander »

brianko wrote:Good. Then you'll certainly understand the weaknesses inherent with any predictive method used to generate passwords. Unless we're talking about brute-force attacks,
Errr... We are. That's about the *only* possibility when we're talking about mass automated attacks against public-facing systems, from a password guessing perspective. This also covers attacks against known unsalted hash values using rainbow tables, of course, or attacks against salted hash values with a known or guessed salt value.
brianko wrote:there is always going to be an element of "social engineering" involved.
??? I think we're getting multiple weaknesses and the attack vectors that can be used to exploit these given weaknesses confused here. The whole point of "social engineering" is to *completely* eliminate the complexity of the password as an obstacle. If I can convince you to give me your password for a gift (check theregister.co.uk as they've published several articles over the past couple of years on studies, one where the examiners gave out chocolate bars in exchange for passwords and another where they gave coupons, if I recall correctly) or because I convince you that I'm from the IT help desk and I need it (probably the favorite social engineering trick of all time, and one used to great success by Kevin Mitnick) then it doesn't matter at all if your password is your pet's name, or a memorized binary sequence for your 2048-bit RSA private key, because it's game over, regardless.
brianko wrote:A predictive password scheme readily lends itself to an attack once the attacker narrows the choices down. Any scheme that depends upon a personal "token" such as a birthday, pet's names, etc. is an exploit simply waiting to happen.
Yes. That is correct. The point of a pass-phrase is to exponentially increase the keyspace that you have to choose from so that you *don't* have to use a pet's name, or a birthday in order to have a memorable and secure password.
brianko wrote:And any scheme that relies on a predictive method to generate passphrases (such as book passages) simply provides a false sense of security.
Again yes, if you're pitting yourself against determined investigators and a cryptanalyst who is motivated to access your data. Potentially. Depending on how specifically they can pin down where your password might have come from. And there aren't very many of those folks out there. The only places I know of in the US who employ cryptanalysts who actively attack systems are the FBI, the Secret Service, the NSA, and the DoD, in Naval Intelligence and the now apparently stillborn Air Force Cyber-Command.

We certainly both know that security isn't absolute, and I'm sure that we both clearly want to send the same message that you need to pick secure passwords, but in the world of massively parallel processing where billions of brute force password attempts are significantly cheaper than a cryptanalyst's time, a long pass-phrase is considerably more secure than a relatively short "complex" password.