
Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Snowy

Re: P@$$1234: the end of strong password-only security

said by Snowy:

Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent.

The problem is that the current attack methods aren't brute force on the actual account, they are brute force on the captured password file, so lockout policies have nothing to do with the attack. By the time they are using your user name and password they already know what they are and the lock out policy won't be of any use.

The same issue applies to the suggestion from DarkSithPro. The password entry isn't the weakness. It is the loss of the password file. Having twenty levels of password checks does nothing if the one in charge of securing the data is the one who lost your user information in the first place.

The weakness comes from the off line attacks that are being run against the password files, provided the entity storing the data bothered to hash them.

NotTheMama, okay, you use long pass phrases, but do you have a different one for EVERY password? Probably not. So, once I have one of your pass phrases, I can access the other accounts where you have used the same pass phrase. Additionally, if you used the same user name (if you had any choice, and it isn't your e-mail address), I already have all I need to be you.

A password generator is the only way to ensure that you have minimum exposure. I use LastPass with a YubiKey for two-factor authentication to my passwords. The problem comes in when the places that want a password limit the length. Fidelity is a personal favorite with that issue. I don't remember what their length limit is, but I do know it is less than 15 characters. Thanks for holding my money and not taking much effort to keep it secure.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein
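As an added illustration of the online-versus-offline distinction Kilroy draws above (this is constructed example code, not anything posted in the thread), a small Python model: guessing through a login form stops at the lockout threshold, while guessing against a leaked hash record has no throttle at all, and only the site's choice of hashing (per-user salt plus a slow KDF such as PBKDF2) raises the attacker's cost. The wordlist, user names and salts are made up.

```python
import hashlib

PBKDF2_ITERS = 10_000  # kept small so the example runs quickly; production uses far more

# Constructed wordlist; "P@$$1234" echoes the thread title. Not real leaked data.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "monkey", "P@$$1234", "dragon"]

def hash_unsalted(password):
    """Fast, unsalted hash: what a careless site might store."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_salted(password, salt):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

def online_attempt(check, candidates, lockout=5):
    """Guessing through the login form: the service sees every failure and locks
    the account after `lockout` misses. Returns (found, guesses_used)."""
    for n, cand in enumerate(candidates, 1):
        if check(cand):
            return cand, n
        if n >= lockout:
            return None, n  # locked out; the rest of the list is never tried
    return None, len(candidates)

def offline_attempt(stored, candidates, salt=None):
    """Guessing against a leaked record: no lockout exists, only the attacker's
    own hashing speed. Returns (found, hash_evaluations)."""
    for n, cand in enumerate(candidates, 1):
        digest = hash_salted(cand, salt) if salt is not None else hash_unsalted(cand)
        if digest == stored:
            return cand, n
    return None, len(candidates)

def crack_leaked_file(records, candidates):
    """records: list of (user, salt_or_None, stored). Unsalted records are all
    matched against one precomputed table (one hash per candidate, shared by
    every user); each salted record costs its own KDF run per candidate."""
    table = {hash_unsalted(c): c for c in candidates}
    results, work = {}, len(candidates)
    for user, salt, stored in records:
        if salt is None:
            results[user] = table.get(stored)
        else:
            found, n = offline_attempt(stored, candidates, salt)
            results[user], work = found, work + n
    return results, work
```

Run against the same wordlist, the online path returns (None, 5) for "P@$$1234" because the account locks after five misses, while the offline path recovers it on guess seven regardless of any lockout policy.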


Snowy
Premium
join:2003-04-05
Kailua, HI

said by Kilroy:

said by Snowy:

Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent.

The problem is that the current attack methods aren't brute force on the actual account, they are brute force on the captured password file, so lockout policies have nothing to do with the attack.

If Deloitte is talking about a 90% failure rate for passwords stored in the password file then logically the only way this can have any real world significance would be if 90% of all password files are insecure.
Sure, if they're talking about illegally accessed password files with plain text or simple hashing, then yeah, the password is pretty much toast.
That's like the security sites that ask you to drop your defenses so they can show you how insecure you are.

EDIT to add: I have been unable to locate where Deloitte specified their study was about hacked password files. Where are you getting that from?


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

Note number 5 pointing to this link: xato.net/passwords/more-top-worst-passwords/

quote:
Note that all passwords on this list are from publicly available sources and can be found by anyone. The list does not include the 30 million passwords from the rockyou release because the list does not contain usernames and therefore duplicates with my own list cannot be detected and so they cannot be merged.
From that I would conclude that these are from publicly available leaked/stolen user name and password lists.

I would conclude by saying it doesn't matter how strong your password is, if the entity you are using it with fails to protect it. In reality, it isn't user passwords that are the problem, it is the leaked/stolen passwords that were entrusted to the people requiring a password.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein


Snowy
Premium
join:2003-04-05
Kailua, HI

said by Kilroy:

I would conclude by saying it doesn't matter how strong your password is, if the entity you are using it with fails to protect it. In reality, it isn't user passwords that are the problem, it is the leaked/stolen passwords that were entrusted to the people requiring a password.

I completely agree with that.
I completely disagree with:
"Deloitte predicts that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking."

I'll stand by:
"Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent."

Why? Because if the Deloitte study was about hacked password files and they failed to mention that, they'd be guilty of more than just sensationalism.