| Security Let's be paranoid and secure our penguins. |

2009-11-01, 05:49 AM CST
|
 |
Registered User
|
|
Join Date: Aug 2008
Posts: 425

|
|
|
What are the chances of my password being stolen?
Windows, GNU/Linux, Mac...
What are the chances of my passwords being stolen? I was watching one of my favorite tech shows and they said it's good practice to change your password every 6 months and to never use the same password across multiple sites.
Realising this would make 40 different passwords you have to remember, they also recommended that you use a password manager so you only have to keep track of one master password.
However, is all of this even really necessary if you aren't going to explicit websites and downloading "bad" things?
What are the chances of someone stealing your password; or even bothering you on the internet? (although you don't want to take any chances at all so it won't happen to you)
Last edited by Silpheed2K; 2009-11-02 at 08:45 AM CST.
|

2009-11-01, 05:54 AM CST
|
 |
Administrator
|
|
Join Date: Jul 2004
Location: Colton, NY; Junction of Heaven & Earth.
Age: 64
Posts: 16,497

|
|
Chances are pretty slim, particularly if you don't have anything interesting on your machine. Let's see....hmmmm.....nope, you don't.
Seriously, there are more sophisticated criminals than ever out there and I would still err on the side of caution. Changed mine the other day, despite being behind a firewall/router and running only linux and never keep important data on the box.
"Paranoia strikes deep. Into your mind it will creep... (Buffalo Springfield)"
__________________
Linux & Beer - That TOTALLY Computes!
Registered Linux User #362651
Don't forget to comment when your problem is solved - others will be searching for solutions too!
|

2009-11-01, 06:03 AM CST
|
 |
Semi-retired Community Manager
|
|
Join Date: Nov 2007
Location: Sydney, Australia
Posts: 1,897

|
|
While the chance may be small (assuming you adopt reasonable security mechanisms and processes), it's still wise to change passwords and not use the same password on important sites ... although I don't consider a forum an important site (unless one is a moderator or admin).
In the recent Gmail and Yahoo mail cracks, many thousands of e-mails, usernames and passwords were obtained. People who used the same usernames and passwords on other sites did make statements that they were very worried about other possible compromises.
I think of adopting good practices in this area as like wearing a seatbelt: once you get used to it, it really isn't a hindrance, and it might save you one day ... and if it does, it'll be in a situation that occurs without warning and with no time to react.
__________________
.
Looking for somewhere to get started? Try the Forum Help page.
There are many alternate universes, but only this one has beer.
|

2009-11-01, 06:41 PM CST
|
|
Registered User
|
|
Join Date: Jun 2006
Location: Texas
Age: 38
Posts: 3,746

|
|
http://www.movingtofreedom.org/2007/...sword-gorilla/
Please spend time reading this about Password Safe (Windows) and Password Gorilla (Linux). Both use Password Safe's file layout. I used both products for years. If I updated a password in Windows, I secure file transfer to my Linux box so both are in sync.
Both products can generate hard-ass passwords for you.
Cheers
Last edited by marcrblevins; 2009-11-01 at 06:41 PM CST.
Reason: Sorry, forgot the link!
|

2009-11-01, 08:43 PM CST
|
|
Registered User
|
|
Join Date: Jun 2007
Posts: 345

|
|
|
post your password here and I will tell you the likelihood of it being stolen.
|

2009-11-02, 01:16 PM CST
|
|
Registered User
|
|
Join Date: Jun 2009
Location: Melbourne
Posts: 110

|
|
|
You can use something like
yourmasterpassword + site name(or maybe just two first|last characters from the site name)
__________________
Macbook aluminum 5,1
Snow Leopard, Constantine, Seven
|

2009-11-06, 09:58 AM CST
|
|
Registered User
|
|
Join Date: Oct 2009
Posts: 35

|
|
|
I think that the key important thing to remember is that MOST of the sites you visit that ask you to create a password don't make one lick of difference. If the password gets stolen, who cares? Make sure that your online banking passwords and SSH passwords (if you use) are strong and frequently changed.
|

2009-11-07, 02:44 AM CST
|
|
Registered User
|
|
Join Date: Oct 2009
Location: Tasmania
Posts: 5

|
|
|
Sorry for the big post... But, being a Linux newbie, I thought I'd share some security tips I tried and that have appeared to work!
1. SSH attacks
Change the ssh port.
Code:
su -
gedit /etc/ssh/sshd_config
Code:
# $OpenBSD: sshd_config,v 1.77 2008/02/08 23:24:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 1500
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
----------------------------------
Disallow root login to ssh.
Code:
su -
gedit /etc/ssh/sshd_config
In the /etc/ssh/sshd_config file, under Authentication, set "PermitRootLogin no".
For these changes to take effect, the SSH daemon must be restarted. (I used the GUI to do this.)
2. Anti-virus
Install clamav (klamav.i586 0:0.46-2.fc11):
Code:
yum install -y klamav
Removing clamav:
Code:
yum remove clamav*
----------------------------------
3. Protect GRUB
Use passwords. Open a shell, log in as root, and then type the following command:
Code:
/sbin/grub-md5-crypt
When prompted, type the GRUB password and press Enter. This returns an MD5 hash of the password.
Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and, below the timeout line in the main section of the document, add the following line:
Code:
password --md5 <password-hash>
Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.
The next time the system boots, the GRUB menu prevents access to the editor or command interface without first pressing p followed by the GRUB password.
Unfortunately, this solution does not prevent an attacker from booting into an insecure operating system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file must be edited.
Look for the title line of the operating system that you want to secure, and add a line with the 'lock' directive immediately beneath it.
4. Limit access to the 'su' command
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:
Code:
# -a appends to the user's existing supplementary groups; -G alone would replace them
usermod -a -G wheel <username>
In the previous command, replace <username> with the username you want to add to the wheel group.
|

2009-11-07, 08:20 AM CST
|
 |
Registered User
|
|
Join Date: Aug 2008
Posts: 425

|
|
|
With everything said in this topic, how long does it usually take to get into someone's account or crack someone's password of the average length of 8-10 characters?
I have a feeling the answer will be that it varies but I'm wondering how long it would take to actually be a victim if someone was trying to get your password or into your account.
(I'm really just wanting a number or something to get an idea of how long it would take a person)
Last edited by Silpheed2K; 2009-11-07 at 08:22 AM CST.
|

2009-11-07, 08:25 AM CST
|
|
Registered User
|
|
Join Date: Apr 2008
Posts: 67

|
|
|
Depends on network speed. A hacker writes simple software that tries to log in with everything from 1 to 9999999. If the hacker is able to obtain the password hash, it depends on the type, but a typical MD5 or Vista login will fall in less than 10 mins if the hacker has nice computing resources. XP login is a waste of time at all on ex.
So, in short, it depends on the situation.
|

2009-11-07, 09:21 AM CST
|
 |
Semi-retired Community Manager
|
|
Join Date: Nov 2007
Location: Sydney, Australia
Posts: 1,897

|
|
Quote:
Originally Posted by Silpheed2K
With everything said in this topic, how long does it usually take to get into someone's account or crack someone's password of the average length of 8-10 characters?
I have a feeling the answer will be that it varies but I'm wondering how long it would take to actually be a victim if someone was trying to get your password or into your account.
(I'm really just wanting a number or something to get an idea of how long it would take a person)
|
I don't have hard numbers, but I'll PM you some links and you can get a feel for it yourself. (Posting the links directly would likely contravene the forum's "no cracking" rule).
__________________
.
Looking for somewhere to get started? Try the Forum Help page.
There are many alternate universes, but only this one has beer.
|

2009-11-07, 12:04 PM CST
|
 |
Registered User
|
|
Join Date: Apr 2006
Location: Ohio, USA
Posts: 4,611

|
|
Veliciraptor- some of your points are way down the list of concerns.
You should completely and absolutely disallow ssh password login ("PasswordAuthentication no") and only allow keyed login (Protocol 2). You should still use serious passphrases if you move keys to attackable locations (say on a USB stick or onto a laptop during travel). Removing passwd authentication stops script kiddies cold.
Changing port is security by obscurity - not real security at all. Script kiddies will be less likely to find your ssh port, but no less likely to crack it when they do.
Removing root login from ssh is a good idea but doesn't prevent successful attacks; it only reduces the level of damage from an attack. That's not the goal IMO. Instead I'd suggest you ONLY allow certain users to use ssh at all. Look at the sshd_config manpage for "AllowGroups". Then add the few remote-enabled users to the group.
==
For passwords being stolen ... If someone seriously wants your stuff they can get a passwd by force or threat - so there are clear limits to what security can accomplish. The biggest headaches wrt passwords are these.
/ People use simple dictionary terms or common names. These passwords can be guessed in a short time.
/ Ppl use many complex passwords - and therefore must write them down. This is a major security problem.
/ Ppl use the same passwd on multiple accounts - so if one is cracked all is lost.
===
I'm with E'Bert - you should keep in mind the security needed for each account. If you need to login to a forum or a social website where no significant harm can occur, then a single password for all is OK. OTOH if you are using the same passwd for all of your financial accounts - you have a major security hole. If you use a passwd variant scheme like Min suggests ...
Quote:
You can use something like
yourmasterpassword + site name
|
Then the variation should not allow the hacker to recognize your other account passwords. So adding "site name" for variation is a terrible example. You need a variation that A/ you can remember but B/ the perp cannot easily guess.
__________________
Nothing is so unbelievable that oratory cannot make it acceptable - Cicero
Last edited by stevea; 2009-11-07 at 12:42 PM CST.
|
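The three sshd_config settings recommended in the post above (PasswordAuthentication no, PermitRootLogin no, an AllowGroups list) can be checked with a short script. This is an added example, not code from any poster; it assumes only global settings matter (parsing stops at the first Match block), and the sample config is constructed.

```shell
#!/bin/sh
# Added example: check an sshd_config for the three settings recommended above.
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive. Assumption: only global settings are checked, so parsing
# stops at the first "Match" block.

# sshd_value FILE KEYWORD: print the first global value of KEYWORD, if any.
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            n = match(line, /[ \t=]/)            # keyword ends at space or "="
            key = tolower(n ? substr(line, 1, n - 1) : line)
            val = n ? substr(line, n) : ""
            sub(/^[ \t]*=?[ \t]*/, "", val)
            if (key == "match") exit
            if (key == want) { print val; exit }
        }' "$1"
}

# audit_sshd FILE: print the keywords that do not follow the advice, space-separated.
audit_sshd() {
    findings=""
    for kw in PasswordAuthentication PermitRootLogin; do
        v=$(sshd_value "$1" "$kw" | tr 'A-Z' 'a-z')
        [ "$v" = "no" ] || findings="$findings $kw"
    done
    [ -n "$(sshd_value "$1" AllowGroups)" ] || findings="$findings AllowGroups"
    printf '%s\n' "${findings# }"
}

# Constructed sample: the port and root-login changes from earlier in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 1500
#PasswordAuthentication no
PermitRootLogin no
EOF
audit_sshd "$sample"    # PasswordAuthentication AllowGroups
rm -f "$sample"
```

On a live host, `sshd -T` (run as root) prints the effective configuration, including compiled-in defaults that a file check like this cannot see.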

2009-11-07, 12:16 PM CST
|
 |
Registered User
|
|
Join Date: Nov 2008
Location: Canada
Age: 35
Posts: 657

|
|
|
It's by no means secure, just a suggestion, but I'm a fan of interweaving words, including caps, characters, and numbers. And sometimes I'll rotate the characters. Crap, now that it's out, I'll have to go and change my scheme.
|

2009-11-07, 07:12 PM CST
|
 |
Registered User
|
|
Join Date: Aug 2008
Posts: 425

|
|
|
Thanks to everybody in this thread. My curiosity is now satisfied and I got some good tips on passwords.
One of the people who started Cryptography said a tip for making passwords is typing a sentence out as your password instead of a word. I thought that tip was pretty useful and sounded very appealing. (I forgot the man's name to be honest and I don't feel like looking it up)
|

2009-11-08, 01:53 AM CST
|
|
Registered User
|
|
Join Date: Oct 2009
Location: Tasmania
Posts: 5

|
|
My last offering on this topic is:
1. Treat passwords as you would underwear - change them often and don't share them around.
2. Try a MAC address generator - http://software.informer.com/getfree...ator-software/
HTH
|