On Mon, Nov 5, 2012 at 10:28 PM, Simon Waters wrote:
> I think the idea security conflicts with usability or convenience is
> overstated.

Sure, I oversimplified. But in the short term, almost every security measure I take is inconvenient. It'd be more convenient if I could take money out of an ATM by just showing it my bank card. It would of course cause a lot more inconvenience in the longer term.

> We have already seen large lists of hashed passwords stolen from big
> providers, and various friends were changing passwords they had reused
> at lastfm, linkedin and elsewhere. This is part of what motivated me to
> change the passwords so extensively.
>
> I agree about rapid password guessing, I think this is unlikely,
> although I could believe it might be an issue for my twitter password.
> It is not inconceivable a botnet might have guessed the password, and
> I'm guessing whilst twitter try and mitigate that it must be hard if the
> botnet is large enough.

I seriously doubt that. I just looked up your Twitter account; unless you've lost 99.9% of your followers recently, you don't seem to be a very prominent target. Not to mention that only with a very prominent account (someone with 1,000,000+ followers) would it be worth going through a dictionary of passwords, even if you control a huge botnet. You can do 'better' things with these. And Twitter doesn't allow too many login attempts either:
https://support.twitter.com/articles/63510-i-m-locked-out-after-too-many-login-attempts

> But I don't think that is the threat here, the danger if you reuse
> passwords is it will become known by any means, and will be either in
> their list for new attacks or used in a targeted attack. e.g. someone
> will look to see if the email/password combination was reused elsewhere
> on the net.

Yes, password reuse is really bad. I'd say it is a lot worse than using weak passwords, yet most security people focus on the latter.

This shouldn't be an either/or choice, but if for some hypothetical reason you were faced with a choice between one very strong password for everything, or a different weak one for each service you use, you should always go for the latter.

> If you have a list of 2.5 million hashes from lastfm, then the question
> is not how hard it is to crack a specific password but how many
> passwords fall out as low hanging fruit.

Good point. That's why hashes should be salted, but at least those of LinkedIn weren't. I guess those of Last.fm weren't either.

But again, I did not argue against using strong passwords. I'm just worried that by focusing on password security, people focus too much on something that may be the cause of about 5% of account compromises. The problem with the remaining 95% is that it's a lot less hard to turn into clear advice to users: "don't use machines with keyboards" or "don't use services with XSS vulnerabilities" aren't very helpful. Mind you, I don't really have a solution to that problem. Other than telling people, if their account is compromised, to change their password but then not to assume the problem has been fixed.

Martijn.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
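The "low hanging fruit" point and the salting remark in the post above, as an added example that is not part of the original thread: with unsalted SHA-1 (the scheme the LinkedIn dump used) one table of digests for a short common-password list is matched against every account at once, while a per-user random salt and a slow KDF force each account to be tried separately. The user list, the guess list and the iteration count are constructed sample values, not data from the thread.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thread): two users chose the same weak password.
USERS = {"alice": "password1", "bob": "password1", "carol": "T7!v9#qZ2pLx"}
COMMON = ["123456", "password", "password1", "qwerty"]  # constructed short guess list
ROUNDS = 50_000  # PBKDF2 iteration count for the example; use a higher value in production


def unsalted_digest(password: str) -> str:
    """Plain SHA-1 of the password: identical passwords give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns (salt, hex digest)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, dk.hex()


def verify_salted(password: str, salt: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    return hmac.compare_digest(salted_record(password, salt)[1], expected_hex)


def exposed_unsalted(store: Dict[str, str], common: List[str]) -> Tuple[List[str], int]:
    """One lookup table serves every account: work is len(common), independent of user count."""
    table = {unsalted_digest(p): p for p in common}
    return sorted(u for u, h in store.items() if h in table), len(common)


def exposed_salted(store: Dict[str, Tuple[bytes, str]], common: List[str]) -> Tuple[List[str], int]:
    """No shared table: every (account, guess) pair costs a fresh slow KDF run."""
    exposed, kdf_runs = [], 0
    for user, (salt, h) in store.items():
        for guess in common:
            kdf_runs += 1
            if verify_salted(guess, salt, h):
                exposed.append(user)
                break
    return sorted(exposed), kdf_runs


if __name__ == "__main__":
    unsalted_store = {u: unsalted_digest(p) for u, p in USERS.items()}
    salted_store = {u: salted_record(p) for u, p in USERS.items()}
    print(exposed_unsalted(unsalted_store, COMMON))  # (['alice', 'bob'], 4)
    print(exposed_salted(salted_store, COMMON))      # (['alice', 'bob'], 10)
```

The weak passwords fall either way; what salting plus a slow KDF removes is the one-table-for-all amortisation that turns a 2.5 million hash dump into bulk low-hanging fruit.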