On Mon, Nov 5, 2012 at 7:37 PM, Simon Waters wrote:

[a long and good argument for using strong, unique passwords]

Of course I agree with all that. Using strong passwords, and unique ones for each site/service you use, isn't that difficult, especially if you use a password manager. Even without it, there are many good methods to remember passwords, several of which involve writing them down in one way or another. It is one of those rare cases where security doesn't really get in the way of usability.

At the same time, it is good to realise that most attack scenarios work regardless of the password strength. The only scenarios in which it does matter are if a hashed list of passwords is stolen, or if the service allows one to make login attempts at a _very_ large rate. (If it's a web-based service, the latter is very unlikely given latency.)

> A 384-bit key I can factor on my laptop in 24 hours

Yes, the use of weak DKIM keys by those who should know better was a bit of a shock to discover.

There is one important difference with passwords though: if you're going to crack a 384-bit private key, you know the bit length. So you know in advance how long it is going to take you to crack it. That is not the case if you want to brute-force a password from its hash. Unless you have some kind of upper bound for the password strength, you don't know if you'll find the password within a minute, or if it's going to take you a few centuries.

It's one thing to wonder whether it is worth an hour of an attacker's (computing) time to crack your password. It's another thing to wonder whether it is worth that hour if they have no guaranteed positive outcome.

But then again, most people shouldn't wonder these things, they should just use a strong password.

Martijn.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
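The second scenario above, online guessing at a very large rate, is the one a service operator can close off directly. The following is an added example, not code from the thread or from anyone on the list: a per-account login throttle with a sliding window, plus a helper that turns the policy into the hard ceiling on online guesses per day. The policy numbers (5 failures per 300 seconds) and the account names are assumptions for illustration.

```python
"""Added example: per-account sliding-window login throttle.
Policy values below are assumptions, not a recommendation from the thread."""
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Allow at most `max_attempts` failed logins per account within
    `window` seconds; further attempts are refused until old failures
    age out of the window.  `clock` is injectable so tests can fake time."""

    def __init__(self, max_attempts=5, window=300.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _prune(self, account, now):
        # Drop failures older than the window; return the live queue.
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allow(self, account):
        """True if a login attempt for `account` may be processed now."""
        return len(self._prune(account, self.clock())) < self.max_attempts

    def record_failure(self, account):
        """Call after a wrong password; counts towards the window."""
        now = self.clock()
        self._prune(account, now).append(now)

    def record_success(self, account):
        """A correct login clears the account's failure history."""
        self._failures.pop(account, None)


def max_guesses_per_day(max_attempts, window):
    """Upper bound on online password guesses against one account
    that the policy permits in 24 hours, ignoring network latency."""
    return int(86400 / window) * max_attempts
```

With the assumed policy the attacker gets at most 1440 guesses per account per day, which is why online guessing, unlike cracking a stolen hash, does not depend on password strength in any practical way.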