posted by rfunk.livejournal.com at 07:43pm on 26/10/2007
Yeah, dictionary attacks can speed things up dramatically, as can having a list of encrypted passwords to test against. (All the "rippers" I've seen ignore the username except as a hint of text that may be in the password, and most real-world crackers don't have the list of encrypted passwords handy.) Combining a dictionary attack with the stream processing would probably give results in seconds or maybe minutes.

However, using longer passwords (actually passphrases) is still viable. Enforcing 12 characters or more might be a starting point, and just saying "passphrase" rather than "password" might encourage people to think in longer terms. Even dictionary attacks are limited by long passwords.

Anyway, really serious stuff should already be using two-factor (or more) authentication, combining passwords with tokens and/or biometrics. Single-factor authentication hasn't been acceptable for serious stuff in a long time.
 
posted by tosk.livejournal.com at 08:09pm on 26/10/2007
I agree with most of what you said, cept the bit about what attackers might have available... Have you poked at the Rainbow Tables?
 
posted by rfunk.livejournal.com at 08:38pm on 26/10/2007
I'm familiar with rainbow tables via the Coding Horror blog. But a rainbow table only works if they have the password database (in the same scheme the rainbow table was built for), same as the various rippers.

Anyway, salting the encrypted password is the key. As one security person put it bluntly regarding rainbow tables: No modern password scheme is vulnerable to them. Unix has had a "modern" scheme since 1976. Of course, Windows doesn't happen to have a modern password scheme.

And once again, long enough passphrases are key; the rainbow table has a finite length, and if it doesn't cover passphrases as long as yours, it can't crack your passphrase.
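
An added illustration of the salting and table-coverage points in the comment above; it is not code from anyone in this thread. The plain dictionary is a simplified stand-in for a rainbow table (no hash chains), and the word list, passphrase and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: the passwords a precomputed table happens to cover.
TABLE_COVERAGE = ["password", "letmein", "dragon", "monkey123"]
ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password):
    """Unsalted storage: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Simplified stand-in for a rainbow table: precomputed hash -> password."""
    return {unsalted_hash(w): w for w in words}


def salted_record(password, salt=None):
    """Salted storage: a random per-user salt is kept beside the derived key."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def demo():
    table = build_lookup_table(TABLE_COVERAGE)
    alice, bob = salted_record("letmein"), salted_record("letmein")
    long_phrase = "my cat sleeps on the radiator all winter"  # constructed
    return {
        # An unsalted hash of a covered password falls to a single lookup.
        "unsalted_hit": table.get(unsalted_hash("letmein")),
        # Same password, different salts: stored values differ, and neither
        # appears in a table that was built for the unsalted scheme.
        "salted_equal": alice[1] == bob[1],
        "salted_hit": table.get(alice[1].hex()),
        # A passphrase outside the table's finite coverage is not found.
        "long_unsalted_hit": table.get(unsalted_hash(long_phrase)),
        "login_ok": verify("letmein", alice) and not verify("dragon", alice),
    }


if __name__ == "__main__":
    print(demo())
```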
 
posted by tosk.livejournal.com at 09:03pm on 26/10/2007
*ding* Windows doesn't happen to have a modern password scheme.

But, most corporations run Windows (I use *nix, but still a lot of the major companies run on Windows). On top of that, due to the proliferation of HyperActive Directory, a lot of UNIX accounts now have uid/pwd in AD. Thus if you hack AD, you get all the UNIX passwords too. Ptacek is right, when talking about coding for websites, where your password scheme can be homemade and designed on sense.

As for length, I agree... my PGP passphrase has been in the double digits since I started using it. But even that is just a matter of time and technology. Salted passwords help, no doubt, securing anything important 2-factor is a must at this point, as you said. In fact, the PCI requirements for corporations now include 2-factor authentication.
 
posted by rfunk.livejournal.com at 10:05pm on 26/10/2007
So basically, it's Windows that's FAIL at this point, not passwords. :-)
