gHacks technology news » passwords

Log in to websites with your site’s URL as your OpenID

Joe — Fri, 17 Jul 2009 11:12:56 +0000

A few years ago, Martin covered OpenID, an open authentication system. Since then, it has become increasingly popular and a wide range of sites, from AOL to LiveJournal provide OpenIDs, and OpenID login is also quite common. OpenID is particularly popular for blog comments, with Blogger now integrating support for it.

An OpenID is an URL. However, using an URL like http://computerjoe.myopenid.com/ to log-in and post comments with just doesn’t look sophisticated. I much prefer to use my own blog’s URL to post comments and log-in; it pumps traffic to my blog and frankly just looks better.

Whilst you could run your own OpenID identity server to do this, this takes quite a bit of expertise to set-up and whilst it is probably more secure, it isn’t needed in my opinion.

It is possible to use a any identity server with your website’s URL. I personally use MyOpenID, but I log in to sites with joeanderson.co.uk/blog; not with computerjoe.myopenid.com.

This can be done by simply adding a few lines of HTML to your website’s .

For example, I put

Naturally, these have to be modified depending on your username and server, but the provider should provider the information.

There are several benefits using this type of OpenID identificatin. The main one is that it just looks better but the most practical one is probably that it allows you to change provider whilst keeping the same log on. So, if I suddenly decide not to use MyOpenID, I can change to any other provider but my URL remains the same.

Tags: authentication, authorisation, html, id, my open id, myopenid, openid, passwords, Security, username, web

Password Recovery Questions Make Online Accounts Vulnerable

Martin — Wed, 01 Jul 2009 20:19:54 +0000

Password recovery questions are great to recover a forgotten password in a matter of seconds. All that needs to be done is to answer the password recovery question to receive a new password in the email inbox. This does however make email hacking a profitable business as email accounts are usually connected to online stores and other web services. Attackers with access to a compromised email account only need to answer the secret question to retrieve the password of the web account. This matter is definitely more secure than sending out the password without confirmation on the user’s request.

A recent study shows on the other hand that password recovery questions are usually answered honestly. Questions about the birth town, mother’s maiden name or first animal name can sometimes be easily guesses. The study asked acquaintances of 32 webmail users to guess the answer to the secret question. Roughly 20% of these answers were guessed correctly.

Password recovery questions should therefor not be answered honestly. Experienced users fill them out with password like characters which makes the answers more or less impossible to guess. These answers can then be stored in password managers as notes.

How do you handle password recovery questions?

Tags: accounts, Email, online security, password recovery, password recovery questions, passwords, secret questions, Security

Password Asterisk Logger

Martin — Fri, 12 Dec 2008 20:53:20 +0000

Most software programs display passwords in asterisks to prevent bypassers from accidentally identifying the typed in password. That feature is however superfluous if there are no other users who can accidentally spot the password. Still, asterisks are displayed whenever the password is entered.

Problems can arise if a user is forgetting the password that he used in the application. This can lead to all kinds of problems like having to reinstall a software program or losing encrypted data.

Asterisk Logger is a portable software program that runs quietly in the background. It monitors and logs windows with password forms. Asterisk Logger basically records passwords and related information giving the user access to those information in case of lost passwords.

It does that for many applications in Windows but not for all. It is up to the user to find out about the limitations. Generally speaking it works with most password text-boxes but not with applications that use additional security including web browsers like Firefox or Internet Explorer.

The application is not only logging the password but also the window title, application where the password has been entered and the time. These information can be exported to html.

Tags: asterisks logger, nirsoft, password software, passwords, portable software, reveal-passwords, snadboys revelation, windows software

Brute Force Calculator

Martin — Tue, 11 Nov 2008 14:21:24 +0000

Have you ever wondered how long it would take for a typical computer bought in 2008 to brute force your passwords? Now you can find out with the Brute Force Calculator. While it does not provide scientific results it could be interesting to see how long it could take to brute force your passwords to make sure they are hard enough to crack.

To explain the brute force concept in a few words. It basically is a method to try every possible combination until the right password has been discovered. Passwords that use lots of characters and make use of the complete char set including upper case, lower case, numbers and special chars are harder to brute force.

The Brute Force Calculator lets you enter the amount of chars of the password divided into upper case, lower case, numbers and special characters.

According to the script a single computer can brute force a password consisting of seven lower case chars and one number in 29 minutes while a password consisting of 7 upper case, 7 lower case, 1 number and 1 special char would take 3,129,145,610.89 days to crack on a single machine.

All based on a computer that is able to try 137,438,953,472 combinations per hour. The script is basically interesting for users who are still using short passwords who do not make use of the complete character set possible. It shows them that someone could crack their password in a short amount of time not even taking into consideration using distributed computing to brute force the password.

Tags: Brute Force Calculator, brute-force, computer password, cracking passwords, password security, password strength, passwords

One Password Management Software To Rule Them All

Martin — Mon, 29 Sep 2008 18:41:35 +0000

Choosing secure passwords is important to protect the user accounts from being accessed by unauthorized users. The problem that arises for all users is that secure passwords are harder to remember. Writing them down is one solution to the problem. The other possibility that is more reasonable is using a password management software.

A good password management software should ensure data security, provide password generation and integration into common web browsers to make the life of the user as comfortable as possible.

The password management software Last Pass does all of that and much more. It currently supports Microsoft Internet Explorer and Mozilla Firefox on Windows, Linux and Macintosh. It provides the option to import the existing passwords from Internet Explorer, Firefox and multiple password management software applications like KeePass and RoboForm and makes them available on their secure website and in the browser of choice.

The password manager automatically recognizes websites that it has user data stored for in its database and will fill out the login forms automatically so that it is only a matter of clicking on login to login to the website.

Each password and the rest of the user data can be accessed on the last pass website. Sites can be loaded from there and data changed. The online profile provides access to another interesting feature: It is possible to fill out form data for login forms so that it will be automatically filled out as well when the user registers at a new service.

The password generator comes in handy when registering to a new service on the Internet. A hotkey or the notification on top of the website can be used to open the password generator which can be configured to suite the website’s requirements.

The Password Management Software Last Pass will also recognize password changes and ask the user if he wants to store the new password in the database. The passwords can be easily backed up and restored to access them on multiple computers. Since all of them are stored in encrypted form on the Last Pass website it’s only a matter of entering the login information and / or installing the plugin for the browser to access the passwords on other computers.

Windows users can also use a portable USB client that can connect to the password management service and pull the passwords from there after proving the correct login details.

One interesting feature is the function to share passwords. Have you ever send someone passwords in plaintext before? That should be a thing of the past because passwords can now be shared securely using Last Pass as well.

Lastly there is a feature to supply different login credentials if more than one account is stored in the password manager for a website.

The only problem that was encountered during tests happened when trying to change passwords on websites. The generated password would fill out the Old Password and the first form of the New Password field. A workaround for this was to copy the password from the password generator, let it paste the password and paste it manually in the second password field and enter the old password manually. Not a huge deal but something that could probably be easily fixed in future builds.

Last Pass is a comfortable password management software that should appeal to many users.

Tags: password generator, password management, password management software, password manager, password manager software, password managers, passwords, websites

Google Chrome Password Manager

Martin — Sun, 28 Sep 2008 15:39:50 +0000

Most modern web browsers make use of a password manager that stores usernames and passwords of websites and services in the browser so that the user does not have to enter them over and over again. Mozilla Firefox and Opera provide access to a password manager in the browser that can be used to manage passwords in the browser.

ChromePass is a new software program by Nirsoft that can display the most relevant information that have been saved in Google Chrome. The browser provides a basic password manager. The Google Chrome password manager displays the url of the website and the username by default and provides a Show Password button to display the password as well.

The data cannot be copied which is one of the major disadvantages of the Chrome password manager. Chromepass displays the data that has been stored in Google Chrome. The application displays additional parameters like the action url, data and the names of the user and password fields.

The passwords can be saved as txt files or generated as html files. Several command line parameters are available that can be used to save the list of passwords automatically. Chromepass is a portable application for Microsoft Windows operating systems.

Tags: browser, export passwords, google browser, google chrome, google passwords, password manager, passwords

Outlook Express Password Recovery

Martin — Fri, 08 Aug 2008 18:01:00 +0000

It is beyond me why someone would still use Outlook Express unless company’s policies would force him to do so. Many users probably use it because it is there within Windows by default and because it works. If you are one of those users you might like to continue reading this article about password recovery in Outlook Express.

Outlook Express Password Recovery by Passcape (via Techmixer) is able to recover all saved passwords in Outlook Express including smtp, pop3 and imap passwords. It does that by either decrypting the passwords or revealing the real chars behind asterisks depending on the menu in Microsoft Outlook Express.

It can even decrypt passwords directly from the ntuser.dat file which is handy if only the files but not the installation can be accessed.

The password recovery software is compatible to Microsoft Outlook Express 4-6 and can be installed on most Windows operating systems starting with Windows 95 including Windows XP and Windows 2003 Server. Passwords can be exported in text, Microsoft Excel and html files.

Tags: Email, microsoft outlook, outlook, outlook express, password recovery, passwords

Scan Computer for password protected files

Martin — Thu, 13 Mar 2008 15:27:51 +0000

Did you ever loose track of all the password protected files on your system ? This happened to me just a few days ago when I was looking for a zip file that a friend send me which was password protected. I could not remember the name and location where I saved it to and since I tend to clear the history at each reboot I was not able to take a look at the software protocol of the transfer anymore.

I could ask my friend and admit that I did not look into it yet and make myself look a little bit lost or try to find the file by myself. I naturally decided to try to find it on my own first and use my friend as a last resort.

The application that helped me find it was the Passware Encryption Analyzer, the free version of it to be precise. This tool scans the computer or selected folders / drives for encrypted or passworded files. It lists everything that is found in a table with information such as name, location, file type and date modified.

The software detects lots of different file types including archives, Microsoft Office documents that have been password protected but also other file types like pdf documents or Bestcrypt files.

The free version has the limitation that it is not able to recover the passwords but that should not be necessary most of the time.

Tags: encryption, password finder, passwords, software, Windows

Create unique secure passwords for websites

Martin — Fri, 01 Feb 2008 13:17:40 +0000

A lot of techniques exist to create unique secure passwords for the websites that you want to join. Most users however prefer the easy way and use one or a few passwords for all of the websites they are a member of and never change the password as well. The same applies to the username which is most of the time the same or a variation of that name.

The problem with this is that an attacker needs to get his hands on one password to be able to try and get into a lot of accounts from that user. This is a high security risk and it is advised to create unique passwords (and usernames) for the websites that you are a member of.

One tool that aids in the creation of unique passwords is the Password Hasher extension for Firefox. The Password Hasher creates a unique password, called Hash Word, that is generated from a unique site tag (normally the name of the website) and a master key provided by the user. The master key can be the same password because it is not stored on the website that you are a member of, only the generated hash word is used as the password on that website.

The benefit is that the user needs to remember the master key and not the unique and complicated hash word. Several options are available to define the size and keys of the hash word. The size can be between 6 and 14 chars with optional numbers, upper,lower case and special chars included.

The benefit of using Password Hasher is obvious. The user still needs to remember only one password if he likes but all websites he is a member of store different passwords that are generated using Password Hasher.

Tags: firefox, firefox-extensions, mozilla, password hasher, passwords

Remove Stored .Net User Names and Passwords

Martin — Tue, 15 Jan 2008 11:49:19 +0000

Windows XP and Windows Vista save username and password information for network resources and services like Windows Live on the hard drive of the operating system. If you want to check if and which usernames and passwords are stored with the option to remove some or all of them you can do the following.

Open the command line by pressing Windows R, typing cmd and hitting enter. Now use the command control keymgr.dll to open a window called Stored User Names and Passwords that lists all stored usernames and passwords of the currently active profile. You can use the command Control Userpasswords2 to open the User Accounts configuration instead. If you click on Advanced in that tab you can access the same menu by clicking on the Manage Passwords button.

You may then mark any entry in the list and either remove it or display its properties for additional information. If you remove an entry you have to enter the username and password again during the next login to the service.

Tags: passwords, Security, user names, usernames, Windows, windows tips

Reveal Passwords behind asterisks in Internet Explorer

Martin — Mon, 10 Dec 2007 11:55:31 +0000

What was the password again for that website ? I bet you have asked that question numerous times, I know that I did. I’m not that good at remembering passwords and it happens that one slips under the radar and I have troubles remembering it. This is not such a huge problem in Firefox with its Password Manager that reveals all passwords that you have saved before but it could be on in Internet Explorer.

The Internet Explorer does not have a password manager equivalent which means that you are left to guess what the password behind those asterisks is. You might need the password if you want to create a pop3 account for Gmail in your favorite mail software which requires the Gmail password.

AsterWin is a small software by one of my favorite developers Nirsoft. The utility will scan all open Internet Explorer windows and reveal the password behind the asterisks. This works if the password is stored on the computer and displayed once you visit the site or enter the username.

Tags: internet explorer tips, lost password, passwords

Make sure you set a master password in Firefox

Martin — Tue, 02 Oct 2007 15:21:05 +0000

I can’t stress the importance of the master password in Firefox if you are one of the users who is letting Firefox save passwords for you so that you do not need to enter the password and username again when visiting the site at a later time. While this feature is surely comfortable and takes away the need to memorize usernames, passwords and corresponding sites plus the typing that has to be done when logging into a site it is a security risk.

Even more so if you have not set the master password. Anyone with access to your computer is able to go into Tools > Options and click on Show Passwords under the Security tab. What this does is that it lists all sites and usernames that Firefox has stored in its database.

Pressing the button ‘Show passwords’ in that new menu displays all corresponding passwords for all sites. Gmail, Blogs, Myspace, nothing is really safe. By taking a look at your passwords someone could also analyze patterns. If you were using the same passwords on all sites it is fairly easy to assume that your pop3 email account would most likely use the same password.

So, set your master password to be on the safe side here.

Tags: firefox master password, firefox tips, passwords

Avoid multiple login names with OpenID

Tobey — Wed, 30 May 2007 20:54:22 +0000

I really like the idea of an open and decentralized standard which allows you to sign in to multiple websites without entering your username and password over and over again on every site that requires you to login to vote (digg.com), comment, or participate in other means. There are so many sites where you have to login to use basically the same features that you used on another site just before you visited the new one.

Moreover, if you don’t use a very unique username, most likely you’ll sooner or later find out that your username has already been taken by someone else on a particular website. That forces you to choose another one and remember it or write it down. A good solution for storing such username password combinations for various services is KeePass but it doesn’t resolve the problem of multiple logins. The solution to this might be OpenID.

You simply create your openID account at one of openID providers (e.g. myOpenID ) and after that you can sign in to all OpenID enabled sites without having to re-enter login details on all of them.

You just provide your unique ID (username.openidprovider.tld) and that’s it. It could be especially useful if you don’t have the possibility to use features such as Opera’s Wand. One disadvantage is that the website must support it. However, the number of OpenID enabled sites is growing quite fast. Some of them are:

ImageShack
Technorati
Ma.gnolia
Crunchy
Rootly

Another disadvantage is that if someone steals your identity, he could gain access to all of your accounts on these websites. Does not make a difference for users who do use the same username and password on all sites though.

Tags: crunchy, imageshack, my open id, open id, openid, openid providers, passwords, technorati, usernames

Weak Passwords

Martin — Tue, 27 Mar 2007 05:19:03 +0000

I came upon the article “How I would hack your weak passwords” yesterday and pondered if I should write an article about it. I decided that it would be worth it. The author of the article details how he would try and find out your passwords and get access to all of your accounts in the end. His first approach would be to use the most common used passwords by users on the net. He needs information about your personal life for some passwords but those information can be obtained pretty fast through social engineering. Trying those “top 10″ passwords would already cover a large percentage of online users, statistically speaking that is.

The common password approach is the one that could give him instant success if the user is really using one of those common passwords for his accounts. His next approach would be to brute force his way in by brute forcing the password on a website that has weak security. Those sites would not react if large amounts of password requests would come in in short time. Most sites however ban IPs at least temporary after several failed attempts, still no problem if you know how to use proxies to attack with different IPs.

But the brute force programs that he suggests are way outdated. Brutus ? wwwHack ? That’s last millennium. Current state of the art bruteforcers for basic authorization and form protected sites are C-Force or Sentry. The brute force approach has one disadvantage. If you do not know the username you have to try username and password combinations and there is no guarantee that you will discover the combination for the user that you want to hack. You could get login details for other users which are absolutely worthless to you. This means, bruteforcing is only an option if you know the username of the user.

There are actually two ways to bruteforce an account. The first would be to use pregenerated lists of usernames and passwords or try combinations to get into an account. The second to try every char combination possible. It should be noted that the second option could very well last several years or even centuries depending on the size of the selected password.

So, bruteforcing is not really an option and he is not explaining how he would get the username of the user in question except mentioning cookies. Cookies are stored on the targets machine which would mean that he needs either access to that machine or an exploit to get them while the user is online. Not very practicable.

So, what can users learn from his analysis ?

Don’t overuse passwords, it’s more secure to use different passwords. If you only use one password someone who finds this one out gets access to everything else that is protected by that single password
Don’t use passwords that are easy to guess or common. No names, no sport teams, relatives, pets, work related, hobbies , and so on
Use numbers and special chars if possible to increase the security of the password. Remember that size matters.
Write them down locally and put them in a safe or use a software that encrypts them. You could for instance use a True Crypt partition to store a textfile with your passwords in them
Every password could be important to gain additional information about a user, never choose weak ones

Tags: brute-force, Hacking, password-generation, passwords, strategy, weak-passwords

Reveal Saved Internet Explorer Passwords

Martin — Sat, 10 Mar 2007 16:54:50 +0000

It is very convenient to save login passwords for internet sites such as forums, blogs or paysites to login quicker to those websites. That is, it is great until you can’t remember the password anymore but would like to know it again. This could be the case if you want to switch from Internet Explorer to Firefox or Opera for instance. Protected Storage Pass View does not only reveal passwords that have been saved in Internet Explorer while accessing protected sites or using the auto complete form but also passwords that have been saved in Outlook Express and MSN Explorer.

All of the passwords are encrypted and possibly hidden in the registry and Pass View automatically scans and displays all the information that it can find in the registry. Internet Explorer passwords are shown next to the url and the username which is all the information one needs to access the site again.

Please note that only the passwords of the user who is currently logged into the system are revealed in this manner. Click here to download protected storage pass view and ie pass view.

Tags: ie-pass-view, ie-passwords-outlook-passwords, ie7, msn-explorer, pass-view, passwords, reveal-passwords

Bugmenot, login without registering

Dearon — Sun, 26 Nov 2006 12:09:04 +0000

Ever been to an website like www.nytimes.com and had to register to login? Of course you can register a fake account using a disposable email address (like 6url or dodgeit) But there are more people who do that, so why not have a database with these kinds of fake accounts?

This is exactly what Bugmenot is made for. You can search per url and the site will give you logins (if there are any) for that website. Of course you can also submit your dummy accounts to this site so other people can use.

Even better is the fact that for all the Firefox users there is an Bugmenot Extension which is really easy to use.
You just right click on an login form and then select “Login with Bugmenot” and the extension automatically looks for login data on the bugmenot website.
And if an account doesn’t work the extension will try out the next account until you are logged in or until there are no more accounts. This site and the extension saved me allot of hassle on different occasions, and hopefully it will also be the same for you.

Tags: Bugmenot, firefox, firefox-extensions, login, passwords, register, registering

Make your passwords stronger with password chart

Martin — Sat, 05 Aug 2006 12:28:42 +0000

Password chart is an online service that helps you improve the quality of your passwords. The principle is pretty easy: You enter a phrase at the beginning which will be used to create the password chart. An example would be “Make your passwords stronger with passwordchart.com” or “http://www.ghacks.net/ is gr3at”. The password chart will be displayed on the right side of the screen changing while you are adding new chars to the phrase. You can opt to add numbers and punctuation for increased security, they will be added to the chart on the right.

Every letter now equals between 1-3 chars in the password chart. For example A=88, B=tr3 and C=?. If you did not opt to include numbers and punctuation the password chart will be filled with upper and lower case letters only. Now type a usual password that you use into the second form and see how the letters are substituted by the chars of the passwords chart. Lets say we choose the password ABC which would be converted to 88tr3?. Guess which one will be easier to brute force ? Right..

It is of course not really convenient to remember 88tr3? or larger sequences but that is not necessary either. Save or print the password chart and look it up whenever you forget the new password. Printing would be even better than saving it to the computer because no one on the internet will have access to your password chart then.

My thanks fly out to Thunder7 who found this website and is sending me a lot of great links. Keep up the good work Thunder, I really appreciate it.

Tags: password strength, passwords

Secure Password Generator

Martin — Fri, 14 Jul 2006 08:12:55 +0000

Most people use easy to remember passwords that are as easy to brute force. The name of your wife, your birthday, a combination of personal data or simple words like password or god. This might be convenient and nice as long as no one tries to break into your account. When this is happening you will quickly realize that insecure passwords are a big security thread.

Password Generator (click here for a windows version) makes sure that the password that is generated will be hard to brute force and impossible to guess because it is not related to your personal life in any way. The entire process takes place in three steps. The first step involves choosing a password size ranging from 32bit to 2048bit which influences the password length. The author suggests using 40-72 bits for normal security and 90-128 bits for high security.

72 bits for instance means a password with 12 chars, 1024 bits would mean a password with unbelievable 171 chars. After choosing the password size you have to type some random keys (longer for greater sizes) which are used to compute a password. The last step displays the password. The default encoding is base64, you can also opt for hexadecimal or pass phrases which influence the length of the password.

You might have a problem remembering the password and I suggest you use a program that saves the password safely. I wrote a little article about a secure password manager pins which you might want to try.

Tags: password generator, passwords, secure passwords

Ultra High Security Password Generator

Martin — Sat, 27 May 2006 11:17:55 +0000

If you´re ever in the need of a high security password the Ultra High Security Password Generator Website might be exactly what you´ve been looking for. Everytime you visit or refresh the website it will display three randomly generated passwords, one 64 random hexadecimal charakters password, one 63 random printable ASCII chars and finally a 63 random alpha-numeric characters password.

“Every one is completely random (maximum entropy) without any pattern, and the cryptographically-strong pseudo random number generator we use guarantees that no similar strings will ever be produced again. Also, because this page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection, and it is marked as having expired back in 1999, this page which was custom generated just now for you will not be cached or visible to anyone else.”

Just one hint, make sure you save the password somewhere because I think it´s rather difficulty to remember the passwords. You might want to consider using a password safe like keepass which I also recommended here at ghacks some time ago.

Tags: generator, password, passwords, Security

Related posts

Remove Stored .Net User Names and Passwords (2)

Password Recovery Speeds (0)

Password Recovery Questions Make Online Accounts Vulnerable (10)

Log in to websites with your site’s URL as your OpenID (4)

Introduction Series Part 3: User Name and Password Protection (0)

Password Security: What Users Know and What They Actually Do

Martin — Sat, 22 Apr 2006 19:01:12 +0000

The study “password security: what users know and what they actually do” was conducted by the department of psychology from the Wichita State University. The study investigated the common password generation practices of online users. All participiants took part in a survey querying (1) the types and number of different password protected accounts maintained; (2) actual practices used in generating, storing and using passwords; (3) practices believed they should use in generating and storing passwords; and (4) general demographic information.The results are interesting:

The average length of time users have maintained their primary personal use password was reported as 31.07 months

How frequently do you change your password on a regular basis when not required by the system?�? 52.7% (166) responded “Never�?

85.7% (270) reported that they use lowercase letters and 56.5% (178) reported that they use numbers or digits in their passwords. In addition, 54.9% (173) indicated that they use personally meaningful words, such as names of children, pets or street names, while 49.8% (156) indicated that they use personally meaningful numbers, such as birthdates or telephone numbers

54.6% of users (177) report using the same exact password for multiple accounts “Very Frequently�? or “Always�?, while 33.0% (104) report using some variation of the same password for multiple accounts

73% (230) of respondents reported that they should change their passwords for accounts every three to six months, but 52.7% (166) responded that they “Never�? change their password when not required.

70.5% (222) of respondents indicated that personally meaningful words should not be used, but 49.8% (156) reported that they use this practice.

So, what´s the lesson we learn from this stufy ? Users have to be forced to create passwords that meet certain security standards. I hate the IT section at my workplace because they force you to change the passwords regulary, use upper / lowercase, numbers and chars. The new password is not allowed to match with the nine previous ones, is not allowed to have repeated chars and not allowed to have logic sequences (123456, eee, sort of things).

Tags: password security, passwords