LabVIEW


VI's password

I really don't quite understand this discussion. It is a fact of life that there is a race between encryption algorithms and the cracker community to break it. (look what happened to WEP). It seems NI simply needs to raise the bar a little bit with the next release. 😉

 

Protecting code by password is just one small component of the overall security approach and will never be secure, no matter how long the password is. More typical are social engineering approaches. It would take just one fired or otherwise disgruntled LabVIEW developer to post all internal passwords to wikileaks. If the results were so valuable, the competition could also just bribe an existing developer.

 

Fortunately, diagrams in vi.lib are typically only passworded if they use undocumented functions that are not safe to use and can change at any time. Who really cares?  The vast majority is not passworded! The real interesting algorithmic stuff is inside dlls and thus not accessible anyway.

So, trying to crack vi.lib stuff is not very interesting. At the same time, trying to crack a password by reverse engineering, (e.g. by trying to find the hash location) is against the license agreement and could get you in hot water.

 

Similarly, any company that uses LabVIEW has some interest protecting their IP. Again passwording VIs is probably low on the list of priorities because it hampers development and introduces headaches when developers change (or die) and there is no protocol in place to migrate the knowledge. More important are IT and server security, etc. For computers that can leave the premises (laptops), we also have whole disk encryption, which e.g. recently became mandatory for all laptops owned by the medical center here.

 

Once LabVIEW developed software is released to the public, it is built into an application or dll, and all diagrams and unused front panels are removed, and there is very little left to chew on. 😉

 

In my limited experience, passwords are typically used to hide embarrassingly bad code so we cannot see past the pretty front panel. 😄 Personally, I don't use them!

 

 

 

 

Message 41 of 82
(2,758 Views)

@altenbach wrote:

I really don't quite understand this discussion. It is a fact of life that there is a race between encryption algorithms and the cracker community to break it. (look what happened to WEP). It seems NI simply needs to raise the bar a little bit with the next release. 😉

 


Lost in the noise of the discussion are a few very interesting points (IMO).  Two statements being tossed around are that passwords are either impossible to crack, or essentially useless.  The reality of course lies in the middle, and in a quantifiable way.  When you understand the trade-offs you can decide how secure is secure.  Plus, you can go further and figure out methods to thwart hash attacks while allowing recovery in the case of forgetting a password.  The fallacy is that you can have some "secure" method with a simple backdoor for the right people.  And yes, people are always the weakest link.  

 

I was rooting for the password to be cracked, that would have been a data point.  If it took two days you say add 1 more lower case letter and now it is two months.  It is still interesting that in the simple password vs cracker battle even a simple password won.

 

I don't agree that NI needs to raise the bar, the current system is as secure as you want it to be.  Would I use the system to protect national security info? no.  Would I use it to protect my personal info?  Without hesitation, assuming I get to pick the password.  

 

Passwords:

 

Length is good, even if it means you add a simple word like your name in front just to pad the length.

Expand the character set (use a symbol or two, mix cases, use numbers).  Simply avoid the usual spots (first letter capitalized, numbers at the end).

Avoid words in the dictionary.  Drop vowels, replace the letter O with the number 0, replace a with @

 

Personally, I am more interested in the idea of 'signing' VIs so you know it hasn't been changed.  I'd like to see a way to have a VI locked but require a password to unlock.  I don't mind letting others get a peek of the BD, just don't touch my stuff!

 

Message 42 of 82
(2,745 Views)

  My Facebook account was hacked this week (spam for HCG was posted).  I had a 12+ character password (all lower case, but using misspelled words).  When I went to change it, it was rated as 'weak'.  My new password is only 'moderate' (but at least I can remember it).

 

  The hash code stored on Facebook's servers cannot be transferred to a GPU, so you still have to deal with an Internet connection during any brute force attempt.  I'm guessing that a lot of people build their passwords in a manner similar to mine and the hackers know this, so they are using guile instead of force.

 

 

Jeff

 

0 Kudos
Message 43 of 82
(2,739 Views)

The Facebook was most likely not a brute force attack, besides, you cannot brute force it over the internet, because patterns of intrusion attempts (rate of failed login attempts, etc.) will most likely get your IP address blocked very quickly.

 

Do you use https for Facebook? Do you use public hotspots? Is it possible that you ever tried to log in on a fake lookalike Facebook page (e.g. from an e-mail message or other link, even on Facebook)? Do you run an updated antivirus?

0 Kudos
Message 44 of 82
(2,726 Views)

  The purpose of my post was to surmise that hackers have other methods besides brute force attacks.

 

  To address your questions:

 

https: Yes

Public WiFi: Maybe once, and well over a month ago.

Accidental login to a lookalike page: No

Updated anti-virus: Yes

 

Jeff

 

0 Kudos
Message 45 of 82
(2,719 Views)

I think I have posted it before, but even if the BD is password protected, LabVIEW itself could read it to update to newer versions right?

So it's not to hack the vi, a hacker would tweak LV exe 😉

 

Greetings from Germany
Henrik

LV since v3.1

“ground” is a convenient fantasy

'˙˙˙˙uıɐƃɐ lɐıp puɐ °06 ǝuoɥd ɹnoʎ uɹnʇ ǝsɐǝld 'ʎɹɐuıƃɐɯı sı pǝlɐıp ǝʌɐɥ noʎ ɹǝqɯnu ǝɥʇ'


0 Kudos
Message 46 of 82
(2,695 Views)

@TorPedoCXC wrote:

The password that was used was not found though, so I think he misspelled the word or that it may be in another language.



No it was not misspelled.  It is an English word.  Actually it is a compound word.  Though I think it would often be spelled as two words with a space in between.  Two very simple words, both have their initial letter capitalized that I'm sure would be in your dictionary.

 

I think Ben (if you're still following) would have the best chance of just outright guessing what the password might be.

 

So the word of 8-10 characters is actually a compound word consisting of two simpler English words with initial caps, followed by a 4 digit number.

 

 

Message 47 of 82
(2,672 Views)
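The trade-off argued in Message 42 and the password structure described in Message 47, as an added example (not code from any poster or from NI): it compares a blind brute-force keyspace estimate with the estimate for a guesser who knows the "capitalised words plus trailing digits" structure, and reproduces the "one more lower case letter" scaling. The word-list size and the sample password are constructed assumptions.

```python
import math
import re
import string

ASSUMED_WORDLIST_SIZE = 50_000  # assumption: size of the guesser's word list


def charset_size(password):
    """Smallest union of common character classes that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_bits(password):
    """log2 of the keyspace when only length and character classes are known."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0


def pattern_bits(password, wordlist_size=ASSUMED_WORDLIST_SIZE):
    """log2 of the keyspace for 'Capitalised words + trailing digits', else None."""
    m = re.fullmatch(r"((?:[A-Z][a-z]+)+)(\d*)", password)
    if m is None:
        return None
    words = re.findall(r"[A-Z][a-z]+", m.group(1))
    return len(words) * math.log2(wordlist_size) + len(m.group(2)) * math.log2(10)


def effective_bits(password):
    """Strength against the cheaper of the two guessing models."""
    structured = pattern_bits(password)
    blind = brute_force_bits(password)
    return blind if structured is None else min(blind, structured)


def scaled_days(base_days, extra_chars, alphabet=26):
    """Exhaustive-search time after appending characters from a given alphabet."""
    return base_days * alphabet ** extra_chars


if __name__ == "__main__":
    sample = "BlueHeron1984"  # constructed sample, not the thread's password
    print(f"blind: {brute_force_bits(sample):.1f} bits, "
          f"structured: {effective_bits(sample):.1f} bits, "
          f"2 days + 1 lowercase letter: {scaled_days(2, 1)} days")
```

The structured figure assumes every word is in the guesser's list, so it is a lower bound on strength; a password that does not fit the pattern falls back to the blind estimate.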

@Ravens Fan wrote:
I think Ben (if you're still following) would have the best chance of just outright guessing what the password might be.


I tried "SteelersFan2011", but it did not work. I guess it has too many characters.... 😄

Message 48 of 82
(2,660 Views)

@altenbach wrote:

@Ravens Fan wrote:
I think Ben (if you're still following) would have the best chance of just outright guessing what the password might be.


I tried "SteelersFan2011", but it did not work. I guess it has too many characters.... 😄


Where is that Anti-Kudo button???  😄

0 Kudos
Message 49 of 82
(2,655 Views)

Rail Road

 

-AK2DM

~~~~~~~~~~~~~~~~~~~~~~~~~~
“It’s the questions that drive us.”
~~~~~~~~~~~~~~~~~~~~~~~~~~
Message 50 of 82
(2,642 Views)