Kilroy (MVM, join: 2002-11-21, Saint Paul, MN) to Kearnstd

Re: P@$$1234: the end of strong password-only security

said by Kearnstd:

I find it funny I have a bank, I cannot use all but a few select symbols in my password. My World of Warcraft account? I can have the PW be long and effectively contain pretty much everything on my keyboard.

But did you know case doesn't matter for your World of Warcraft account? So, that cuts out 26 characters.

Snowy, you're just not getting it. Did you even read the article?
said by Deloitte Article:
How do passwords get hacked? The problem is not that a hacker discovers a username, goes to a login page and attempts to guess the password. That wouldn’t work: most web sites freeze an account after a limited number of unsuccessful attempts, not nearly enough to guess even the weakest password.
NO ONE tries to brute-force passwords directly, due to incorrect-password lockouts.

I agree that password resets are a major problem.

Snowy (Premium Member, join: 2003-04-05, Kailua, HI)

said by Kilroy:

Snowy, you're just not getting it. Did you even read the article?

Yes, I read the article.
I just didn't get that the scope was framed around "90% of user-generated passwords would fail if the password file were attacked."
If it were, I'd think the title would have been "90% of password files are not secure."

The article would make even less sense if that's what it's about because at the point of attack the password becomes dependent on the strength of the password file.
If it's stored in plain text then it's not 90% that would fail - it would be 100%.

How or if the password is salted would come into play, etc. There are too many variables to come up with a hard number as they did (90%).

Even if it were about passwords stored in a password file that was subjected to an attack:
1. They should have attacked a plain-text file to get a 100% failure rate.
2. I'm not aware of any US financial institution that lost their password files, though anything is possible.
3. If their point was a stronger password to offset a lost password file, advocating a best policy in password-file encryption would be more practical than changing the habits of 90% of humankind.
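The two attack paths argued over above (Kilroy: online guessing is stopped by lockouts; Snowy: once the master file leaks, the outcome depends on how it was stored) side by side, as an added example that is not code from the thread or from the Deloitte article. The users, passwords, wordlist and the PBKDF2 work factor are constructed for illustration.

```python
"""
Added example (not from the dslreports thread or the Deloitte article).
Contrast an online dictionary attack against a login form with a lockout
with an offline attack on a leaked "master file" stored three ways:
plain text, unsalted SHA-256, and salted iterated PBKDF2.
"""
import hashlib
import hmac
import os

# Constructed sample data (hypothetical, not from any real breach).
WORDLIST = ["password", "123456", "letmein", "P@$$1234", "qwerty", "welcome1"]
USERS = {
    "alice": "P@$$1234",                     # in the wordlist
    "bob": "letmein",                         # in the wordlist
    "carol": "c0rr3ct-h0rse-battery-staple",  # not in the wordlist
}
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the salted scheme


class LoginService:
    """Online login that locks an account after `max_failures` wrong guesses."""

    def __init__(self, users: dict, max_failures: int = 5):
        self._users = users
        self._max = max_failures
        self._failures = {u: 0 for u in users}

    def login(self, user: str, password: str) -> str:
        if self._failures[user] >= self._max:
            return "locked"
        if hmac.compare_digest(self._users[user].encode(), password.encode()):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "denied"


def online_attack(service: LoginService, user: str, wordlist: list) -> tuple:
    """Guess through the wordlist until success or lockout.
    Returns (password or None, number of guesses the service accepted)."""
    sent = 0
    for word in wordlist:
        result = service.login(user, word)
        if result == "locked":
            break
        sent += 1
        if result == "ok":
            return word, sent
    return None, sent


# Three ways the "master file" might store the same passwords.
def store_plaintext(pw: str) -> dict:
    return {"scheme": "plain", "value": pw}


def store_unsalted_sha256(pw: str) -> dict:
    return {"scheme": "sha256", "value": hashlib.sha256(pw.encode()).digest()}


def store_salted_pbkdf2(pw: str) -> dict:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "value": dk}


def build_master_file(store) -> dict:
    return {user: store(pw) for user, pw in USERS.items()}


def offline_attack(master_file: dict, wordlist: list) -> tuple:
    """Dictionary attack on a leaked file.
    Returns (recovered {user: password}, number of hash computations)."""
    schemes = {rec["scheme"] for rec in master_file.values()}
    if len(schemes) != 1:
        raise ValueError("example assumes one storage scheme per file")
    scheme = schemes.pop()
    recovered, work = {}, 0
    if scheme == "plain":
        # Nothing to crack: every entry is readable as stored.
        return {u: r["value"] for u, r in master_file.items()}, 0
    if scheme == "sha256":
        # Unsalted: hash each candidate once, then match against every user.
        # The same table also works against any other unsalted SHA-256 file.
        table = {hashlib.sha256(w.encode()).digest(): w for w in wordlist}
        work = len(wordlist)
        for user, rec in master_file.items():
            if rec["value"] in table:
                recovered[user] = table[rec["value"]]
        return recovered, work
    # Salted and iterated: each candidate is recomputed per user, per salt,
    # and each computation costs PBKDF2_ITERATIONS hash calls.
    for user, rec in master_file.items():
        for w in wordlist:
            work += 1
            dk = hashlib.pbkdf2_hmac("sha256", w.encode(), rec["salt"], PBKDF2_ITERATIONS)
            if hmac.compare_digest(dk, rec["value"]):
                recovered[user] = w
                break
    return recovered, work


if __name__ == "__main__":
    svc = LoginService(USERS, max_failures=5)
    print("online vs carol:", online_attack(svc, "carol", WORDLIST))
    for store in (store_plaintext, store_unsalted_sha256, store_salted_pbkdf2):
        print(store.__name__, offline_attack(build_master_file(store), WORDLIST))
```

Against the online service the attacker gets at most `max_failures` guesses per account before it locks; against the leaked file the plain-text copy needs no guesses at all, the unsalted copy is cracked with one hash per candidate for all users at once, and the salted PBKDF2 copy forces a fresh, expensive computation per user and candidate, with the strong password staying unrecovered in every hashed case.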

Snowy (Premium Member) to Kilroy

said by Kilroy:

Snowy, you're just not getting it. Did you even read the article?

Aah, it took reading that twice. I usually just gloss over this type of noise:
"Most organizations keep usernames and passwords in a master file. ...
So far, so secure. However, master files are often stolen or leaked. ..."


I hope Deloitte is just setting the stage for a breach disclosure rather than actually believing that.
Deloitte's 90% figure still doesn't change any fact.
It's still true that 0% of US banking customers have had their accounts compromised due to a brute-force or dictionary attack, or even a weak password being cracked via a leaked or stolen password file.
Phishing, vishing, post-it notes, impersonation, forgery, ACH fraud, bank losing master password file.
It doesn't even look right.