Comments

  • https://github.com/blog/1698-weak-passwords-brute-forced
    https://news.ycombinator.com/item?id=6759786

    We checked our accounts and found 8 attempts on our repo from an unrecognized IP in China over the last 3 days. We have strong passwords, but just turned on 2FA.
  • Github hacks everyday. Employees there are pretty smart and they hack on cool projects.

  • uh kids.. just be done with this crap and use KeePass or KeePassX, both open source password managers

  • I use LastPass. But that means I have to trust some other company subject to national security letters to have implemented zero knowledge crypto right.

  • http://xkcd.com/936/

  • Moderator

    Which do you think is the stronger password?

    z7Xt$.Ar46y or B1g_D0g..... Most people would think that passwords must be complex, as in the first example, in order to be effective, but in truth that is not the case. The fact is the second password is stronger simply because it is longer. It is in fact perhaps as much as 95 times stronger than the first password (depending on the number of permissible 'special' characters in the password). There are 26 possible lower and uppercase letters, 10 numbers, and as many as 33 possible 'special' characters, for a total of 95 possible characters for each character in the password.

    Since the "hacker" isn't told why (or even if) the password is wrong, he doesn't know if he's close or a mile off. This isn't the movies after all! So for every character you add to your password you increase the amount of time it would take to break a password by an order of magnitude. As Tilman said, as long as you don't use any words from the dictionary, and use common sense practices like not using significant dates, use at least one lower case, one uppercase, one symbol and make your password at least 7 characters long (longer is better, but sometimes you are restricted in length by the site), you should be good. The password B1g_D0g..... fills all these requirements and is also easy to remember! This simple password has 5.46 x 10^23 possible combinations. Assuming a brute force attack could attempt 1,000 passwords/second, it would take 174 years to go through all the possible combinations. We can probably assume they would likely get it right within half the possible combinations; that would still be a really long time, and that's if they could make guesses without any restrictions. Most systems will lock the user out for a period of time after so many incorrect guesses.

    The hard part is convincing people to follow best practices. I'm always amazed when I work with a client and they tell me their password is something like 12345678 or password or something equally simple. Passwords like these would probably be broken in less than a few minutes (assuming they weren't the very first passwords tried!).

    So as Tilman said, just use strong passwords and you'll be fine. Also don't use the same password for multiple accounts. I have an encrypted thumb drive I use to store all my passwords and never use the same password on more than one account. I also change them on a regular basis.

    Stay safe and secure!

    Regards,

    Nathaniel ~KD2DEY
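    The keyspace arithmetic behind the comparison above, as an added example that is not part of the thread: it computes the pool size, the keyspace and the exhaustive-search time for the two passwords the post compares at the 1,000 guesses per second the post assumes, and how a lockout policy (assumed numbers: 5 attempts, then a 15-minute wait) reduces the online guessing rate.

```python
# Added example (not from the thread): keyspace arithmetic for the moderator's
# comparison of z7Xt$.Ar46y and B1g_D0g.....
import string

# Character classes and sizes as counted in the post: 26 + 26 + 10 + 33 = 95.
CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),  # 32 ASCII punctuation marks + space
)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def pool_size(password: str) -> int:
    """Alphabet size an exhaustive search must cover, from the classes the password uses."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidate strings of this length over that alphabet: pool ** length (exact integer)."""
    return pool_size(password) ** len(password)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a constant guessing rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def effective_rate(attempts_before_lockout: int, lockout_seconds: float) -> float:
    """Online guessing rate once a lockout policy applies: N attempts, then a forced wait."""
    return attempts_before_lockout / lockout_seconds


def compare(a: str, b: str, guesses_per_second: float = 1000.0) -> dict:
    """Pool sizes, keyspaces, their ratio and exhaustion time for two passwords at one rate."""
    ka, kb = keyspace(a), keyspace(b)
    return {
        "pool": (pool_size(a), pool_size(b)),
        "keyspace": (ka, kb),
        "ratio": kb / ka,
        "years": (years_to_exhaust(ka, guesses_per_second), years_to_exhaust(kb, guesses_per_second)),
    }


if __name__ == "__main__":
    # Constructed inputs: the two passwords quoted in the post; the lockout policy
    # (5 attempts, then 15 minutes) is an assumed value, not from the thread.
    r = compare("z7Xt$.Ar46y", "B1g_D0g.....")
    print(f"pool sizes {r['pool']}, keyspace ratio {r['ratio']:.0f}x")
    print(f"years to exhaust at 1000/s: {r['years'][0]:.3g} vs {r['years'][1]:.3g}")
    throttled = effective_rate(5, 15 * 60)
    print(f"with lockout: {throttled:.4f}/s -> {years_to_exhaust(keyspace('B1g_D0g.....'), throttled):.3g} years")
```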

  • Both suck ass to be on the receiving end…;)

  • Actually a brute force is more like carpet bombing, while hacking is more like sniping.

  • Moderator

    A bit of difference between a brute force and a hack. (Like a shot in the dark and a sniper)

  • No, you said GitHub was hacked (in the title). It was not.

    And you said you recommend resetting the password. No sweat.

    If you had stupidly weak passwords, then github probably just saved your sorry arse. They will have told you so. And there is a slim chance that your account got compromised.

    If you have reasonable passwords (as in long enough and not dictionary words) you are fine. Be proud, open a beer and watch the masses panic.
