Snowy (Premium Member, join:2003-04-05, Kailua, HI) to Kilroy
1 edit

Re: P@$$1234: the end of strong password-only security

said by Kilroy:

said by Snowy:

Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent.

The problem is that the current attack methods aren't brute force on the actual account; they are brute force on the captured password file, so lockout policies have nothing to do with the attack.

If Deloitte is talking about a 90% failure rate for passwords stored in the password file then logically the only way this can have any real world significance would be if 90% of all password files are insecure.
Sure, if they're talking about illegally accessed password files with plain text or simple hashing, then yeah, the password is pretty much toast.
That's like the security sites that ask you to drop your defenses so they can show you how insecure you are.

EDIT to add: I have been unable to locate where Deloitte specified their study was about hacked password files.
Where are you getting that from?

Kilroy (MVM, join:2002-11-21, Saint Paul, MN)
Note number 5 pointing to this link - »xato.net/passwords/more- ··· sswords/
quote:
Note that all passwords on this list are from publicly available sources and can be found by anyone. The list does not include the 30 million passwords from the rockyou release because the list does not contain usernames and therefore duplicates with my own list cannot be detected and so they cannot be merged.
From that I would conclude that these are from publicly available leaked/stolen user name and password lists.

I would conclude by saying it doesn't matter how strong your password is, if the entity you are using it with fails to protect it. In reality, it isn't user passwords that are the problem, it is the leaked/stolen passwords that were entrusted to the people requiring a password.
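The distinction Kilroy draws (an account lockout limits guesses sent to the live login, while a leaked password file is attacked offline, where only the storage scheme limits the attacker) is easy to see in code. The following is an added example, not code from this thread, from dslreports or from Deloitte. It takes three constructed accounts (alice, bob, carol, with made-up passwords), stores them once as unsalted SHA-1 and once as salted PBKDF2-HMAC-SHA256, shows that the unsalted file reveals which users share a password before any guessing starts, and models a per-account lockout that only constrains online attempts. The user names, passwords, iteration count and lockout numbers are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; the passwords are illustrative, not real data.
SAMPLE_USERS = {
    "alice": "P@$$1234",
    "bob": "P@$$1234",  # same password as alice on purpose
    "carol": "correct horse battery staple",
}


def store_unsalted_sha1(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Equal passwords give equal hashes,
    so a leaked file can be matched against a single precomputed table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, iterations: int = 200_000) -> dict:
    """Stronger scheme: per-user random salt plus a slow key derivation.
    Equal passwords give different records, and each guess against the leaked
    file costs `iterations` HMAC evaluations."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # constant-time comparison so the verifier itself does not leak timing
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_password_groups(store: dict) -> int:
    """Count hash values shared by more than one user. Anything above zero means
    the stored file reveals password reuse before a single guess is made."""
    counts = {}
    for value in store.values():
        h = value["hash"] if isinstance(value, dict) else value
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


class AccountLockout:
    """Online guard: after `max_failures` wrong attempts the account is locked.
    This only constrains guesses sent to the live login endpoint."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def attempt(self, user: str, record: dict, candidate: str) -> str:
        if user in self.locked:
            return "locked"
        if verify_pbkdf2(record, candidate):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "denied"


def online_guesses_per_day(max_failures: int, lockout_minutes: int) -> int:
    """Upper bound on online guesses against one account when every
    `max_failures` wrong tries trigger a lockout of `lockout_minutes`
    (assumed policy numbers, not figures from the thread)."""
    return max_failures * (24 * 60 // lockout_minutes)


def build_stores(users: dict = SAMPLE_USERS):
    """Return (weak, strong) stores for the same users. The demo uses a reduced
    iteration count so it runs quickly; production settings are far higher."""
    weak = {u: store_unsalted_sha1(p) for u, p in users.items()}
    strong = {u: store_pbkdf2(p, iterations=20_000) for u, p in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("users sharing a hash (unsalted SHA-1):", shared_password_groups(weak))
    print("users sharing a hash (salted PBKDF2):", shared_password_groups(strong))
    guard = AccountLockout(max_failures=5)
    for guess in ["wrong1", "wrong2", "wrong3", "wrong4", "wrong5", "P@$$1234"]:
        print("alice:", guess, "->", guard.attempt("alice", strong["alice"], guess))
    print("online guesses/day, 5 tries per 15-minute lockout:", online_guesses_per_day(5, 15))
```

Running it shows the two halves of the argument side by side: the lockout stops the sixth attempt even when it is the correct password, so online guessing is capped at a few hundred tries per day, while the unsalted store gives away alice and bob's shared password with no guessing at all and the salted PBKDF2 store does not.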

Snowy (Premium Member, join:2003-04-05, Kailua, HI)

said by Kilroy:

I would conclude by saying it doesn't matter how strong your password is, if the entity you are using it with fails to protect it. In reality, it isn't user passwords that are the problem, it is the leaked/stolen passwords that were entrusted to the people requiring a password.

I completely agree with that.
I completely disagree with:
"Deloitte predicts that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking."

I'll stand by:
"Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent."

Why? Because if the Deloitte study was about hacked password files and they failed to mention that, they'd be guilty of more than just sensationalism.