On 05/11/12 20:33, Martijn Grooten wrote:
> On Mon, Nov 5, 2012 at 7:37 PM, Simon Waters wrote:
> [a long and good argument for using strong, unique passwords]
>
> Of course I agree with all that. Using strong passwords, and unique
> ones for each site/service you use, isn't that difficult, especially
> if you use a password manager. Even without it, there are many good
> methods to remember passwords, several of which involve writing them
> down in one way or another.
>
> It is one of those rare cases where security doesn't really get in the
> way of usability.

I think the idea that security conflicts with usability or convenience is overstated.

Sure, some aspects of security are harder, such as authentication (e.g. better passwords, two-factor authentication), and protocols for handling cryptographic keys can be painful.

Most other aspects of security make life better and more convenient. Working with software that doesn't crash when the inputs are erratic. Working with user interfaces that are well designed. Getting your data back after the hard disk crashes. Not having other people read your email. Not having to clean up after malware. Having all your software up to date. These are nice things that good computer security requires or ensures.

> At the same time, it is good to realise that most attack scenarios
> work regardless of the password strength. The only scenarios in which
> it does matter are if a hashed list of passwords is stolen, or if the
> service allows one to make login attempts at a _very_ large rate. (If
> it's a web-based service, the latter is very unlikely given latency.)

We have already seen large lists of hashed passwords stolen from big providers, and various friends were changing passwords they had reused at lastfm, linkedin and elsewhere. This is part of what motivated me to change the passwords so extensively.

I agree about rapid password guessing: I think this is unlikely, although I could believe it might be an issue for my twitter password. It is not inconceivable that a botnet might have guessed the password, and I'm guessing that whilst twitter try to mitigate that, it must be hard if the botnet is large enough.

But I don't think that is the threat here. The danger if you reuse passwords is that it will become known by any means, and will then be either in their list for new attacks or used in a targeted attack, e.g. someone will look to see if the email/password combination was reused elsewhere on the net.

> There is one important difference with passwords though: if you're
> going to crack a 384-bit private key, you know the bit length. So you
> know in advance how long it is going to take you to crack it.

If you have a list of 2.5 million hashes from lastfm, then the question is not how hard it is to crack a specific password but how many passwords fall out as low hanging fruit. If passwords are short (<12 characters), and the algorithm is susceptible to rainbow tables without a huge salt space, the answer is likely "a lot", and quickly.

Alec spelt out with the story of crack that what matters to an attacker is that some passwords are found, not that you need to find all of them. Just enough to get you into more systems (where they are reused), or more opportunity for abuse or escalation on the same system.

The linkedin password hashes were released with those already cracked zeroed out; several people still got ~50% of the passwords out of those hashes within days.

> But then again, most people shouldn't wonder these things, they should
> just use a strong password.

Or even "strong passwords"

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
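The two points made in the message above, that an attacker only needs some of the passwords in a leaked hash list to fall out, and that a cracked password is then tried wherever the same account name reuses it, can be shown in a few lines. The following is an added example written for this page; it is not code from the thread or from any of the sites mentioned. It assumes two hypothetical hashing schemes (bare SHA-1 of the password, and SHA-1 over a random per-user salt plus the password), a made-up set of accounts and a tiny stand-in wordlist, all constructed inline; real wordlists have millions of entries and real sites should use a deliberately slow hash, but the shape of the cost is the same.

```python
import hashlib
import os

# Constructed sample accounts (made-up users and passwords, not real leaked data).
SAMPLE_ACCOUNTS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "Tr0ub4dor&3",
    "dave": "qwerty123",
    "erin": "correct horse battery staple",
}

# Constructed second site where some of the same users reused their password.
OTHER_SITE_ACCOUNTS = {
    "alice": "password1",        # reused
    "bob": "letmein",            # reused
    "dave": "a-different-one",   # not reused
}

# Constructed stand-in for a cracking wordlist; real ones have millions of entries.
WORDLIST = ["123456", "password", "password1", "letmein",
            "qwerty", "qwerty123", "monkey", "dragon"]


def unsalted_leak(accounts):
    """Hash list as a site storing bare SHA-1(password) would leak it (assumed scheme)."""
    return {user: hashlib.sha1(pw.encode()).hexdigest()
            for user, pw in accounts.items()}


def salted_leak(accounts, salt_len=16):
    """Hash list from a site storing (salt, SHA-1(salt || password)) per user (assumed scheme)."""
    leak = {}
    for user, pw in accounts.items():
        salt = os.urandom(salt_len)
        leak[user] = (salt.hex(), hashlib.sha1(salt + pw.encode()).hexdigest())
    return leak


def crack_unsalted(leak, wordlist):
    """Dictionary attack on unsalted hashes.

    Each candidate word is hashed once and looked up against every leaked
    hash at the same time, so the cost is len(wordlist) hash evaluations no
    matter how many accounts leaked; a precomputed (rainbow) table takes
    even that cost off-line. Returns ({user: password}, hash evaluations).
    """
    by_hash = {}
    for user, h in leak.items():
        by_hash.setdefault(h, []).append(user)
    cracked, evaluations = {}, 0
    for word in wordlist:
        evaluations += 1
        h = hashlib.sha1(word.encode()).hexdigest()
        for user in by_hash.get(h, []):
            cracked[user] = word
    return cracked, evaluations


def crack_salted(leak, wordlist):
    """Dictionary attack on per-user salted hashes.

    The salt forces every guess to be recomputed per account, so the cost
    grows with len(leak) * len(wordlist) and no table built in advance helps.
    Returns ({user: password}, hash evaluations).
    """
    cracked, evaluations = {}, 0
    for user, (salt_hex, h) in leak.items():
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            evaluations += 1
            if hashlib.sha1(salt + word.encode()).hexdigest() == h:
                cracked[user] = word
                break
    return cracked, evaluations


def check_reuse(cracked, other_site_leak):
    """Try each cracked (user, password) pair against a second site's salted
    hashes. One hash per pair is enough: reuse makes the salt irrelevant."""
    reused = []
    for user, pw in cracked.items():
        if user in other_site_leak:
            salt_hex, h = other_site_leak[user]
            if hashlib.sha1(bytes.fromhex(salt_hex) + pw.encode()).hexdigest() == h:
                reused.append(user)
    return sorted(reused)


def low_hanging_fruit(accounts=SAMPLE_ACCOUNTS, wordlist=WORDLIST):
    """Run both attacks and report which accounts fall out of each and at what cost."""
    u_cracked, u_cost = crack_unsalted(unsalted_leak(accounts), wordlist)
    s_cracked, s_cost = crack_salted(salted_leak(accounts), wordlist)
    return {"unsalted": (sorted(u_cracked), u_cost),
            "salted": (sorted(s_cracked), s_cost)}


if __name__ == "__main__":
    for scheme, (users, cost) in low_hanging_fruit().items():
        print(f"{scheme:8s}: {len(users)}/{len(SAMPLE_ACCOUNTS)} accounts cracked "
              f"{users} with {cost} hash evaluations")
    cracked, _ = crack_unsalted(unsalted_leak(SAMPLE_ACCOUNTS), WORDLIST)
    print("reused on second site:", check_reuse(cracked, salted_leak(OTHER_SITE_ACCOUNTS)))
```

Run stand-alone, the same three weak accounts fall out under both schemes, which is the "some passwords are found" point: salting does not rescue a dictionary word. What the salt changes is the cost per account (eight hashes for the whole unsalted list versus a fresh run of the wordlist per user), and a slow hash such as bcrypt multiplies that per-guess cost further. The reuse check shows why that matters downstream: once "alice"/"password1" is known, the second site's salt and hash offer no protection at all.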