Secrets of the scammers

jockwav

I watched this programme tonight and saw how easy it was for a scammer to show how to generate people's passwords.
A lot of them were very short and easy passwords; I have now changed all my passwords to very long ones. :eek:o_O:)
 
password_strength.png
 
Is that it?:D:p
 
Yeah, I just watched it too.
I'm even less likely to do online banking now! :LOL: (not that I was likely to start anyway)
 
^^^^^^^^^^^^^:banana::clap::D
 
All that program did confirm is, by Christ, that there are some gullible people out there; how some people fell for some of those scams I'll never get.
I think the question to ask is this:
"How did the people who are so gullible and stupid manage to get hold of the money that was stolen from them?" Stupidity and the acquisition of money don't usually mix well...
 
The best solution by far is to get hold of a password manager; as you register with various websites etc., add a new entry in it and get it to come up with your password for you.
The password generating screen (in mine, KeePass) looks like this:

pwdgen.jpg

As you can see, you can tell it to use upper/lower case, digits, how many characters etc. as you see fit.

In addition the tool lets you store the URLs of the sites you use, and once there, if you place your cursor in the correct field it will type in your username, then tab, then type in the password for you.

The whole tool is also protected by a master password; this is the one you have to remember and not store on your computer anywhere. It asks for this when you first fire it up. It can also be made to require a key file as well before it will open.

A possible headache with it is if you create passwords at more than one computer, trying to keep them in sync. But it is fairly easy to email the stored, encrypted passwords file, which can be used on another computer. Your same master password will be needed to open it as before.
 
Passwords don't have to be long to be hard to crack; just stick to say 9 characters and use upper and lower case mixed with numbers and punctuation.
For instance the word "character" becomes "Ch4r4c!er"; that is next to impossible to brute force, and remember pretty much all online type resources will not allow a brute force.

It will lock the account after 5 or more incorrect logins.

Most people get caught out because they use the same password for multiple logins; thus if a spammer compromises one, they have access to others.

Email is the biggy: online web access. If a spammer cracks your email he is truly in.
 
correcthorsebatterystaple is the only password you ever need because it's the most secure.
 
Wrong

That would be easy to brute force, in seconds

Do you actually even know what you are talking about?

Brute-force attack cracking time estimate
Machine Time
Standard Desktop PC About 2 thousand years
Fast Desktop PC About 46 years
GPU About 18 years
Fast GPU About 9 years
Parallel GPUs About 11 months
Medium size botnet About 2 hours
 
correcthorsebatterystaple is the only password you ever need because it's the most secure.
A small problem if the password has a maximum of 8 or 9 letters/numbers as some sites request.
 
I think the question to ask is this:
"How did the people who are so gullible and stupid manage to get hold of the money that was stolen from them?" Stupidity and the acquisition of money don't usually mix well...

This is very true, such as the former MI6 man
 
But no passwords were taken?

Their quote: "We are confident that our encryption measures are sufficient to protect the vast majority of users," and: The company says the cryptographic protections it has in place on those master passwords, which include "hashing" and "salting" functions designed to make cracking the underlying passwords nearly impossible, are enough to protect almost all of its users. But those with simple passwords or ones reused from other sites could still be vulnerable. (my bold)

As I agreed above, the risk is small but it is still there.
 
There's a critique of that method here:

http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd

Summary: typing a long password is error prone (especially on a phone keyboard!). Also, how many passwords require a mix of numbers, upper and lower case letters and symbols? I'm assuming your workplace systems do?

EDIT
And why can Cueball not remember one word in panel 3, but can remember 4 words in panel 6?

If you can't type then yeah, it'll be prone to error. No, work doesn't have a complexity requirement other than length.

It's a comic, it's not 100% technically accurate. Although it would help having a longer password against brute force attempts.
 
I tend to use first letters from easy to remember nursery rhymes or songs, combined with old car registrations / previous phone numbers.

Not one that I actually use, but for example:
"Humpty Dumpty sat on a wall" and the last 4 digits of my grandmother's old phone number would give me: HDsoaw4238

Fairly easy for me to remember, but I'd imagine fairly hard to guess.
 
I tend to use first letters from easy to remember nursery rhymes or songs, combined with old car registrations / previous phone numbers.

Not one that I actually use, but for example:
"Humpty Dumpty sat on a wall" and the last 4 digits of my grandmother's old phone number would give me: HDsoaw4238

Fairly easy for me to remember, but I'd imagine fairly hard to guess.
I think that's a good technique. I do something similar on sites which don't allow correcthorsebatterystaple.
 
I think the question to ask is this:
"How did the people who are so gullible and stupid manage to get hold of the money that was stolen from them?" Stupidity and the acquisition of money don't usually mix well...

Indeed, I believe there is an age old saying to that effect... a fool and his money are easily parted. (Not being a misogynist, the earliest versions used "his".)
 
I tend to use first letters from easy to remember nursery rhymes or songs, combined with old car registrations / previous phone numbers.

Not one that I actually use, but for example:
"Humpty Dumpty sat on a wall" and the last 4 digits of my grandmother's old phone number would give me: HDsoaw4238

Fairly easy for me to remember, but I'd imagine fairly hard to guess.

Add some punctuation and padding at the end and it would be a very very hard password to crack. e.g. HDsoaw4238888.... and not much more difficult to type than the original.

Using the calculator linked to above:

Original password
Medium size botnet About 2 hours

Suggested password
Medium size botnet About 13 trillion years
 
Add some punctuation and padding at the end and it would be a very very hard password to crack. e.g. HDsoaw4238888.... and not much more difficult to type than the original.

That's what I like about the technique.
Depending on how sensitive the information is, you can pick your quote / poem / whatever to have a number and/or proper name in the middle to mix up numbers and capitals, add punctuation symbols at natural breaks in the quote or include as many words as you want.

For people who need to write passwords down it's simple to make a reminder that's utterly meaningless to other people too.
For the above example I could simply jot down " Log on to Scammers.com - Wall Last 4 GrannyT".
 
Add some punctuation and padding at the end and it would be a very very hard password to crack. e.g. HDsoaw4238888.... and not much more difficult to type than the original.

Using the calculator linked to above:

Original password
Medium size botnet About 2 hours

Suggested password
Medium size botnet About 13 trillion years

You are absolutely right, it will, but remember these concepts only apply to brute force attempts on an entity that will allow an attack.
You cannot brute force an online service such as a bank or online website.
You will get a dozen tries at most before the service becomes wise and locks you out.

Too much is made of brute force attacks and their effectiveness; they used to be very much the rage for cracking stolen files that were encrypted and cannot detect the attack.

This is why malware and keyloggers have become more prominent: they send these details to botnets, and they take the data and see what can be accessed.
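As an added example (not from any poster in this thread), the following Python estimates the search space behind the brute-force figures quoted above for the passwords mentioned in the thread, under two attacker models: one that enumerates every character string, and one that knows a passphrase is built from common dictionary words. The guess rate, the 2048-word list size and the 5-try lockout are assumptions.

```python
import math
import string

# Character classes for the "enumerate every string" model.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# Passwords quoted in the thread, used here as sample inputs.
THREAD_PASSWORDS = ["Ch4r4c!er", "correcthorsebatterystaple", "HDsoaw4238", "HDsoaw4238888...."]

def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume: the sum of the classes that actually appear."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def bits_char_model(password: str) -> float:
    """Bits of search space if the attacker enumerates every string over that alphabet."""
    return len(password) * math.log2(charset_size(password))

def bits_word_model(num_words: int, dictionary_size: int = 2048) -> float:
    """Bits of search space if the attacker knows the passphrase is num_words words
    drawn from a list of dictionary_size words (2048 is an assumed list size)."""
    return num_words * math.log2(dictionary_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate offline at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def bits_reachable_online(lockout_threshold: int = 5) -> float:
    """Search space a login prompt exposes before it locks the account: log2 of the
    guesses allowed. This is why the figures above only matter against a stolen
    hash that can be cracked offline, not against a live login form."""
    return math.log2(lockout_threshold)

def compare(guesses_per_second: float = 1e12) -> dict:
    """Bits and worst-case years for each thread password (the rate is assumed)."""
    rows = {}
    for pw in THREAD_PASSWORDS:
        bits = bits_char_model(pw)
        rows[pw] = (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
    # The passphrase is far weaker if the attacker knows it is four common words.
    bits = bits_word_model(4)
    rows["correcthorsebatterystaple (4-word model)"] = (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
    return rows

if __name__ == "__main__":
    for pw, (bits, years) in compare().items():
        print(f"{pw:45s} {bits:6.1f} bits  {years:12.3g} years")
```

The two posters disagreeing about correcthorsebatterystaple are each right under their own model: about 118 bits if guessed character by character, about 44 bits if the attacker knows it is four words from a short list.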
 
correcthorsebatterystaple is the only password you ever need because it's the most secure.
I've lost count of the number of times that has come up as a secure password on this site; times that by the number of internet forums there are out there,
and a large % of the population think that's a good idea.....
 
I would say don't be too top-heavy focused on a massive complicated password.
Be just as vigilant protecting that password :-)

If you log in from a tablet or phone to sensitive sites, it must be encrypted against loss or theft.
Laptops the same; consider your next laptop to have fingerprint recognition and a complex backup password.
Also set a BIOS password on all your laptops and portable devices.
 
Just use a password manager. I have used 1Password for years without problems. Trouble is most people won't pay for a useful program; that's fine by me, because the less 1Password is used the less interesting it is to anyone to break it.
All these wheezes along the lines of correcthorsebatterystaple and humptydumpties don't work because, although easy to remember individually, you still need a different one for each website, so you will need to record them somewhere.
 
I would say don't be too top-heavy focused on a massive complicated password.
Be just as vigilant protecting that password :)

If you log in from a tablet or phone to sensitive sites, it must be encrypted against loss or theft.
Laptops the same; consider your next laptop to have fingerprint recognition and a complex backup password.
Also set a BIOS password on all your laptops and portable devices.

Have BIOS passwords improved? It used to be the case that you only had to remove the motherboard battery to reset the password.
 
Have BIOS passwords improved? It used to be the case that you only had to remove the motherboard battery to reset the password.

A lot of laptops like HP have the BIOS password in ROM so it cannot be wiped by a battery swap-out.
It's also just making it harder for thieves to resell kit.
 
Why don't we have retinal scanning yet?
Because we don't want our eyes plucked out; it's bad enough having our fingers cut off (and, yes, I do know that Apple's fingerprint scanner really works on blood capillaries or somesuch, not actual prints).
 