Army Rumour Service


3 tips to make you more secure online

' I say we take off and nuke the place from orbit...it's the only way to be sure'




Appreciate what you're attempting here HTB...as you say, not everyone who stumbles on the wonders of t'Interweb has the benefit of annual IT SyOps doctrine battered into them, or a three day IT Sy O course (now almost completely obsolete sadly).

I do IT volunteer thing at my local Library. The level of sy awareness amongst Joe Citizen is eye-wateringly low.

In addition to bolt-ons like Ghostery there are other browsers out there which ALLEGE they are free from Google tracking...here's one you can try:

Help Spread DuckDuckGo

I've been making a comparison between Google & DDG.
One notable point is how the latter "buries" information that might give a negative perception of certain institutions & businesses.
For example; search for fentanyl deaths & compare the results.
 
Always use different passwords on each site - and change them regularly - use phrases such as 'Did you take the dog out today?', as these passwords are long and very difficult to hack.

I'm sorry old bean but I just need to point out that "Did you take the dog out today" is not a strong password. It will take a few seconds for a machine to guess that. The first thing anyone does when trying to guess a password is a "dictionary attack": they simply try words and combinations of words from a dictionary. When a machine is doing this it takes a few seconds or maybe a few minutes at the most to run through it all.

This is a strong password "5m*ljS4mC#RKEg@6UfTfO09sHxuVs3Y6Z5BZ9#" and as any normal person will know, there is no hope of remembering it. That is why we use Lastpass. It means you can use a different password like that on every site and you never need to remember it and nobody will be able to guess it.
 
I use Lastpass and it's brill, but I do worry about having so many passwords in one information silo

If Lastpass gets hacked it's going to be brutal
 

Goatman

ADC
Book Reviewer
I've been making a comparison between Google & DDG.
One notable point is how the latter "buries" information that might give a negative perception of certain institutions & businesses.
For example; search for fentanyl deaths & compare the results.


Coo, very topical given the recent review of 'Dopesick' by Beth Macy kindly undertaken by @Themanwho on these very pages - LINKY.

I'll take a look via Duckduckgo and, as you say, compare & contrast, thanks for that.

As synchronicity would have it, I was browsing Gordon Corera's book only today:

Drawing on unique access to intelligence agencies, heads of state, hackers and spies of all stripes, INTERCEPT is a ground-breaking exploration of the new space in which the worlds of espionage, geopolitics, diplomacy, international business, science and technology collide. Together, computers and spies are shaping the future. What was once the preserve of a few intelligence agencies now matters for us all.

@Auld-Yin 's legendary powers of persuasion might be able to produce an Arrse review copy .....
 
Reference passwords, I use my army number mixed with family names. I use the same password for all websites, except for my email account which has a unique password.

Hope is, if any of the other websites get hacked and my details are taken, they won't be able to get into my main email account. Stuff like Amazon etc, I'm not too fussed about as I know it can always be recovered using my main email account.

If you haven't got an army number, then I guess another number could be used such as your bank sort code or something, mixed in with family members' names or initials.
 

happyuk

War Hero
Use a modded hosts file with a decent up to date blocking list, for network wide ad blocking - use a raspberry Pi with pi-hole installed.

Always use an Antivirus program such as defender - you can use this in a sandboxed mode so it's even more secure.

Don't download dodgy software or open email attachments from people you don't know.

Always check the url of any email you receive to make sure it came from where it says it does.

Always use different passwords on each site - and change them regularly - use phrases such as 'Did you take the dog out today?', as these passwords are long and very difficult to hack.

Don't answer spam calls, and don't give any details to anyone via a phonecall - unless of course you have phoned the company yourself such as a bank and they need to verify who you are.

Open unknown/new programs in a sandbox first, so they can be verified to be what they are - and can't damage your OS.

Probably switch to Linux - such as Ubuntu, this is far more secure than windows and doesn't contain all the 'spying' software that windows uses.

That's a really good point about the passwords thing. So few of us stop to question the wisdom of using the typical 8-10 characters-with-numbers-with-special-characters thing, and having to change it at regular intervals, when a concatenated group of easy-to-remember words is far, far stronger.

IT Industry guru Jim Coplien says exactly the same thing at the following geekfest. Skip to almost exactly the 07:00 mark when he goes off on one about passwords ("voodoo")
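Added example, not from any poster in this thread: the "always check the URL of any email" tip above, turned into a check you can actually run. It parses the HTML body of a message, collects every link, and flags two phishing patterns: the visible text shows one domain while the real target is another, and links that leave the sender's domain (including the lookalike trick of putting the bank's name in a subdomain of an attacker's domain). The email body, the sender domain examplebank.com and the secure-verify.net lookalike are all constructed for the demo; the domain heuristic is deliberately simple and does not handle public suffixes such as co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


# Something that looks like a domain or URL inside the clickable text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (simple heuristic)."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, sender_domain: str) -> list[tuple[str, str, str]]:
    """Return (reason, visible text, href) for each link that looks like phishing."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if href.lower().startswith("mailto:"):
            continue
        actual = host_of(href)
        shown = DOMAIN_IN_TEXT.search(text)
        # The text says examplebank.com but the link goes somewhere else.
        if shown and host_of(shown.group(1)) != actual:
            findings.append(("visible URL differs from real target", text, href))
        # examplebank.com.secure-verify.net is NOT under examplebank.com.
        if not in_domain(actual, sender_domain):
            findings.append(("link leaves sender's domain", text, href))
    return findings


# Constructed sample message; the domains are made up for the demo.
CONSTRUCTED_EMAIL = """
<p>Dear customer,</p>
<p><a href="https://www.examplebank.com/help">help centre</a></p>
<p><a href="http://examplebank.com.secure-verify.net/login">https://examplebank.com/verify</a></p>
<p><a href="https://examplebank.com/login">Log in</a></p>
"""

if __name__ == "__main__":
    for reason, text, href in suspicious_links(CONSTRUCTED_EMAIL, "examplebank.com"):
        print(f"{reason}: '{text}' -> {href}")
```

Only the middle link is flagged, and it is flagged twice: once because the text promises examplebank.com while the href goes to secure-verify.net, and once because secure-verify.net is not under the sender's domain. The www. variant of the real site passes cleanly.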

 

happyuk

War Hero
2. Check out https://haveibeenpwned.com
The chances are you have, either a username/email or password or both.
I know I have.
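Added example, not from any poster in this thread: the Have I Been Pwned site mentioned above also publishes its leaked-password corpus through a "range" API that lets you test a password without ever sending it. The client hashes the password with SHA-1, sends only the first five hex characters, gets back every suffix seen in that range with a count, and does the final match locally. The code below implements that exchange; the network call is optional and the demo runs offline against a constructed response. The suffix for "password" is its real SHA-1, but the other suffixes and all the counts in the sample response are made up.

```python
import hashlib
import urllib.request
from typing import Optional


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix). Only the 5-character prefix ever leaves the machine."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix, 0 if absent."""
    for line in response_text.splitlines():
        if ":" not in line:
            continue
        seen_suffix, _, count = line.strip().partition(":")
        if seen_suffix.upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str) -> str:
    """Live query of the range API (needs network); not used by the offline demo."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_seen(password: str, response_text: Optional[str] = None) -> int:
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_for_range_query(password)
    if response_text is None:
        response_text = fetch_range(prefix)  # the full password is never sent
    return count_in_range_response(suffix, response_text)


# Constructed stand-in for the response to /range/5BAA6 (SHA-1 prefix of "password").
# The third suffix is the real remainder of SHA-1("password"); the other suffixes
# and every count are invented for the demo.
CONSTRUCTED_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

if __name__ == "__main__":
    prefix, suffix = split_for_range_query("password")
    print("sent to server:", prefix, "kept local:", suffix)
    print("seen:", times_seen("password", CONSTRUCTED_RANGE_5BAA6))
```

Pass no second argument to query the real service. A non-zero count means the password is in a public breach dump and will be in every cracker's wordlist, whatever its length.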
 

endure

GCM
Here's a brute force password tester for anyone interested to play around with. Once a dictionary attack fails the only way to try and crack a password is brute force. The GRC website shows how long it would take using different computing powers for whatever password you put in

GRC's | Password Haystacks: How Well Hidden is Your Needle?
 

Camm1

LE
I use Lastpass and it's brill, but I do worry about having so many passwords in one information silo

If Lastpass gets hacked it's going to be brutal


The only information lastpass gets is the encrypted blob you send it. They cannot decrypt your data and providing it was encrypted by you with a strong password no one else can decrypt it either.

If you use lastpass, look after your password, as no one can help you if you lose it!!
 
I'm sorry old bean but I just need to point out that "Did you take the dog out today" is not a strong password. It will take a few seconds for a machine to guess that. The first thing anyone does when trying to guess a password is a "dictionary attack": they simply try words and combinations of words from a dictionary. When a machine is doing this it takes a few seconds or maybe a few minutes at the most to run through it all.

This is a strong password "5m*ljS4mC#RKEg@6UfTfO09sHxuVs3Y6Z5BZ9#" and as any normal person will know, there is no hope of remembering it. That is why we use Lastpass. It means you can use a different password like that on every site and you never need to remember it and nobody will be able to guess it.

I'm taking it you've not tried hacking stuff? I've been hacking stuff for many years now so I'll explain a little bit about the process of hacking a password.

Dictionary attacks - use a predefined list of words and then try each word, usually starting from A-Z. A string of words containing upper/lower/special case characters can't work in a dictionary attack as computers don't know the combination to put them in and need to try them sequentially.

Next we can try md5 hash databases etc. This is where a password on a site is hashed to an md5 value (can be some other type of encryption), but generally is not a good way to hack unless you have dumped a database and all the values are hashed, and the hash is known.

Then we can try bruteforcing. This is the usual method when others fail - each letter character (and special character) on your computer is tried one at a time. A short word or sequence of characters is much easier to hack than a long word, as a computer needs to try each character once, then start again and try them all again each time a new character is added to the string - it takes a very long time to do that. Using a passphrase rather than a jumbled word can take many years - millions in some cases - for each value to be checked. That's why it's better to use a phrase rather than a word (jumbled or not).

I won't go into it any more than that, but I suggest you do some research before trying to shoot people down with misinformation.

Usually if you want to get some info/program hacked, you just bypass password authentication. If it's a computer program you can decompile with IDA or similar and skip over the function checks, or re-write register values, or even edit the memory when the program is running. If it's a database that's been dumped from a website - such as mysql for example - there are ways to hack the passwords, which I won't go into here. As quite a lot of people use the same passwords on many different websites, only one needs to be compromised and the database dumped, then other sites can be checked using the same username/email combo list and passphrases. People use apps such as 'sentry' and other non-public software to run random checks on these to see if they get any hits.
 
I'm sorry old bean but I just need to point out that "Did you take the dog out today" is not a strong password. It will take a few seconds for a machine to guess that. The first thing anyone does when trying to guess a password is a "dictionary attack": they simply try words and combinations of words from a dictionary. When a machine is doing this it takes a few seconds or maybe a few minutes at the most to run through it all.

This is a strong password "5m*ljS4mC#RKEg@6UfTfO09sHxuVs3Y6Z5BZ9#" and as any normal person will know, there is no hope of remembering it. That is why we use Lastpass. It means you can use a different password like that on every site and you never need to remember it and nobody will be able to guess it.

The important thing for a password is entropy - the longer the password and the larger the set each character is drawn from, the higher the entropy.

However, a long password generally has more entropy than a complicated one, so a phrase such as "Did you take the dog out today" is actually harder to break than a shorter password with punctuation etc.

The best password is one with high entropy that you can remember - so you don't need to write it down or otherwise store it. For this purpose, a phrase is often ideal.
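Added example, not from any poster in this thread: the entropy argument above and the GRC "haystack" calculator linked earlier both come down to the same arithmetic, so here it is worked through for the two passwords under dispute. The catch the thread keeps circling is that entropy depends on the attacker's model: against a character-by-character brute force the phrase looks enormous, but an attacker who guesses whole words from a dictionary only has to cover dictionary_size^word_count candidates (times a few case and punctuation variants). The dictionary size, the variant count and the guess rates are assumptions chosen for illustration; the figures are worst-case exhaustive-search times, and the average is half that.

```python
import math

PRINTABLE_ASCII = 95                 # space plus the 94 printable ASCII characters
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Search space, in bits, for character-by-character brute force."""
    return length * math.log2(alphabet_size)


def word_guessing_bits(word_count: int, dictionary_size: int,
                       variants_per_word: int = 1) -> float:
    """Search space if the attacker guesses whole words from a dictionary,
    with a few mangling variants (capitalisation, trailing punctuation) per word."""
    return word_count * math.log2(dictionary_size * variants_per_word)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(phrase: str, random_password: str, dictionary_size: int,
            guesses_per_second: float) -> dict:
    """Bits and exhaustive-search years for the phrase (two attacker models)
    and for the random password (one model: it has no word structure to exploit)."""
    word_count = len(phrase.split())
    results = {
        "phrase_char_bruteforce_bits": brute_force_bits(len(phrase), PRINTABLE_ASCII),
        "phrase_word_guess_bits": word_guessing_bits(word_count, dictionary_size, 4),
        "random_bits": brute_force_bits(len(random_password), PRINTABLE_ASCII),
    }
    for key in list(results):
        results[key.replace("bits", "years")] = years_to_exhaust(results[key], guesses_per_second)
    return results


if __name__ == "__main__":
    PHRASE = "Did you take the dog out today?"
    RANDOM = "5m*ljS4mC#RKEg@6UfTfO09sHxuVs3Y6Z5BZ9#"
    # Assumed rates: offline GPU cracking of a fast hash versus a throttled login form.
    for label, rate in (("offline, fast hash", 1e10), ("online login form", 1e2)):
        print(f"--- {label}: {rate:.0e} guesses/s, 2000-word dictionary ---")
        for key, value in compare(PHRASE, RANDOM, dictionary_size=2000, guesses_per_second=rate).items():
            print(f"{key:32s} {value:14.4g}")
    # Where the phrase argument stops working: short phrases from common words.
    print("3 common words, 2000-word dictionary, offline:",
          f"{years_to_exhaust(word_guessing_bits(3, 2000), 1e10) * SECONDS_PER_YEAR:.2f} s")
```

The seven-word phrase survives the dictionary model with about 90 bits, which is out of reach even at ten billion guesses a second, while the 38-character random string sits near 250 bits. The same arithmetic shows the phrase advice has a floor: three common words from a 2,000-word list is about 33 bits and falls in under a second offline, so word count, not character count, is what to watch.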
 

Camm1

LE
I'm taking it you've not tried hacking stuff? I've been hacking stuff for many years now so I'll explain a little bit about the process of hacking a password.

Dictionary attacks - use a predefined list of words and then try each word, usually starting from A-Z. A string of words containing upper/lower/special case characters can't work in a dictionary attack as computers don't know the combination to put them in and need to try them sequentially.
Next we can try md5 hash databases etc. This is where a password on a site is hashed to an md5 value (can be some other type of encryption), but generally is not a good way to hack unless you have dumped a database and all the values are hashed, and the hash is known.
I won't go into it any more than that, but I suggest you do some research before trying to shoot people down with misinformation.

My bold.
John the Ripper
"One of the modes John can use is the dictionary attack. It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary or real passwords cracked before), encrypting it in the same format as the password being examined (including both the encryption algorithm and key), and comparing the output to the encrypted string. It can also perform a variety of alterations to the dictionary words and try these. Many of these alterations are also used in John's single attack mode, which modifies an associated plaintext (such as a username with an encrypted password) and checks the variations against the hashes. "

It wasn't misinformation. It is factually correct: the phrase is not a good password. His example is a good password.
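Added example, not from any poster in this thread: the John the Ripper description quoted above, and the dictionary/hash/brute-force walkthrough a few posts earlier, both describe the same mechanism, so here it is in runnable form. The attacker has a dumped hash and generates candidates, hashes each one the same way the site did, and compares. The first function is wordlist mode with a handful of John-style mangling rules; the second is a combinator that joins dictionary words, which is how multi-word phrases are actually attacked. MD5 is used because the thread mentions it; the wordlist, dictionary and target passwords are constructed for the demo, and the rule set is a tiny stand-in for John's real rules.

```python
import hashlib
import itertools
from typing import Callable, Iterable, Optional


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# A few mangling rules of the kind John applies to each wordlist entry.
RULES: list[Callable[[str], str]] = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w.upper(),
    lambda w: w + "1",
    lambda w: w + "!",
    lambda w: w + "123",
]


def wordlist_attack(target_hash: str, wordlist: Iterable[str],
                    rules: list[Callable[[str], str]] = RULES) -> tuple[Optional[str], int]:
    """Wordlist mode: every word through every rule, hash, compare.
    Returns (recovered password or None, number of candidates tried)."""
    tried = 0
    for word in wordlist:
        for rule in rules:
            candidate = rule(word)
            tried += 1
            if md5_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


def combinator_attack(target_hash: str, words: list[str], max_words: int,
                      separator: str = " ") -> tuple[Optional[str], int]:
    """Join every ordered k-tuple of dictionary words for k = 1..max_words.
    Candidate count grows as len(words) ** k, which is why word count matters."""
    tried = 0
    for k in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=k):
            candidate = separator.join(combo)
            tried += 1
            if md5_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


# Constructed inputs for the demo.
WORDLIST = ["password", "dragon", "monkey", "letmein", "sunshine"]
DICTIONARY = ["the", "dog", "out", "take", "did", "you", "today", "walk"]


def demo() -> dict:
    single_word_hash = md5_hex("dragon1")          # one word plus a common suffix
    phrase_hash = md5_hex("take the dog out")      # four dictionary words
    return {
        "single_word": wordlist_attack(single_word_hash, WORDLIST),
        "phrase_via_wordlist": wordlist_attack(phrase_hash, WORDLIST),
        "phrase_via_combinator": combinator_attack(phrase_hash, DICTIONARY, max_words=4),
    }


if __name__ == "__main__":
    for name, (found, tried) in demo().items():
        print(f"{name:24s} -> {found!r} after {tried} candidates")
```

"dragon1" falls on the tenth candidate because a rule appends the digit. The four-word phrase is never produced by wordlist mode (30 candidates, no hit) but the combinator finds it after 2,131 of the 4,680 candidates that eight words and up to four positions allow. Scale the dictionary to a realistic 2,000 words and the phrase to seven, and the same loop is the 2000^7 search the entropy figures describe; in practice crackers also apply rules on top of the joined output and have to pay per-guess cost for slow hashes such as bcrypt, both of which only increase the work.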
 
I'm sorry old bean but I just need to point out that "Did you take the dog out today" is not a strong password. It will take a few seconds for a machine to guess that. The first thing anyone does when trying to guess a password is a "dictionary attack": they simply try words and combinations of words from a dictionary. When a machine is doing this it takes a few seconds or maybe a few minutes at the most to run through it all.

I imagine you could increase the strength of that password by simply messing up the spelling of one of the words, e.g. "did you take the dge today". I can't even imagine how long it would take a random generator to crack that, as it would mean it cannot rely on the dictionary alone. Or swap one of the words with a foreign equivalent: "did you take das dog out today".
 
My bold.
John the Ripper
"One of the modes John can use is the dictionary attack. It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary or real passwords cracked before), encrypting it in the same format as the password being examined (including both the encryption algorithm and key), and comparing the output to the encrypted string. It can also perform a variety of alterations to the dictionary words and try these. Many of these alterations are also used in John's single attack mode, which modifies an associated plaintext (such as a username with an encrypted password) and checks the variations against the hashes. "

It wasn't misinformation. It is factually correct: the phrase is not a good password. His example is a good password.

Dude, you have no idea what you're talking about:

[attached image: QtWMChn.jpg]


It's literally pointless arguing with you - so I've attached a picture so you can see how long it takes to bruteforce an easy to remember phrase.
 

Camm1

LE
And adding the important bit you missed......

[attached image: 1541689465441.jpeg]


It is pointless arguing, that's one thing you are correct about.
 