9fans - fans of the OS Plan 9 from Bell Labs
From: "Devon H. O'Dell" <devon.odell@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] offered without comment or judgement
Date: Wed, 30 Jun 2010 12:22:16 -0400
Message-ID: <AANLkTimOdfnLw03yYAFhJViDi1o_i3fNrI5n3FFidvfl@mail.gmail.com>
In-Reply-To: <b4d080b142b3f461c31e2bbc4aa840d3@kw.quanstro.net>

2010/6/30 erik quanstrom <quanstro@quanstro.net>:
>> I certainly have several nonsensical words / names for my cats. None
>> of them contain numbers or punctuation or anything associated with a
>> strong passphrase. The longest of these is probably about 12
>> characters. And a system that can try a billion RSA keys per second is
>> going to quickly exhaust the relatively short combination of these,
>> even brute forcing. And you're right -- as I also alluded above, the
>
> assuming the attackers have a dictionary of only 500000 words that
> contains your nonsense words and assuming unicase and no spaces
> or other punctuation you get 18.9 bits/word.  for a neat 3 word phrase,
> that's 56.8 bits.
>
> for a login, that's plenty since there should be some protection
> against password guessers.  general slowness or just a slow connection
> should be enough to prevent 1e9 guesses/sec.

As networks get faster, it becomes more of an issue. Luckily, most
places that have information about you / your money will lock your
account after N invalid login attempts within a certain time period.
The places that don't probably don't matter. But usually there are
easier ways to get that information anyway.

>> People have enough difficulty remembering short passwords. Or creating
>> "good" passwords in the first place. Upper bounds along with enforcing
>> permutations are placed to reduce peoples' likelihood of forgetting
>> them while still providing some level of security. It's not the best
>> approach, but until people start treating passwords like an ATM card
>> with a PIN, it's not going to matter much anyway. (Ignoring that PINs
>> for most cards only have 9990 or fewer permutations.)
>
> people will learn.  real computer passwords have not
> been common for very long.
>
> also, an atm card is a 2-factor authentication scheme.  and
> you get 3 guesses.  assuming you can steal the card your chances
> of success are about 3/10000.  (wiki says 6/10000 due to unused
> numbers http://en.wikipedia.org/wiki/Pin_number#PIN_security)
>
> a better attack might be to shoulder surf and then socially
> engineer the bank into sending you a card.  say by stealing
> it out of the mailbox.

What people do these days is put magnetic readers on the outside of
the reader you're putting your card through. They store information
about N cards, and then write their own cards based on that
information. There's little guesswork involved; there are plenty of
online shops that don't check CVV or shipping address, especially
internationally.

Then you also have keyloggers and screen scrapers. Lots of ways to get
all that information, very, very easily. Social engineering, indeed,
works charms.

> - erik

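The arithmetic in the exchange above (18.9 bits per word from a 500000-word dictionary, 56.8 bits for three words, 1e9 guesses/sec offline versus a throttled login, and three PIN tries out of 10000) worked through as an added example. This is not code from the thread or from any 9fans project; the lockout parameters (five failures in a 15-minute window, 15-minute lock) and the per-user sliding window are assumptions chosen to illustrate the "lock after N invalid attempts" behaviour Devon describes, and the entropy figures assume words are picked uniformly from the dictionary.

```python
import math
from collections import deque


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits of a passphrase of `words` words, each chosen uniformly
    from a dictionary of `dictionary_size` entries (unicase, no separators).
    erik's figures: 500000 words -> 18.93 bits/word, 3 words -> 56.79 bits."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second


def pin_guess_success(guesses_allowed: int, pin_space: int = 10_000) -> float:
    """Probability that `guesses_allowed` distinct guesses hit a uniformly
    random PIN drawn from `pin_space` possibilities (3/10000 for a 4-digit PIN
    with three tries before the card is retained)."""
    return guesses_allowed / pin_space


class LockoutPolicy:
    """Lock an account once `max_failures` failed logins land inside a sliding
    window of `window_seconds`; the lock lasts `lock_seconds`.

    Timestamps are plain seconds so the policy can be driven without a clock.
    Assumed parameters, not taken from any real system.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 900,
                 lock_seconds: int = 900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lock_seconds = lock_seconds
        self._failures: dict[str, deque] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, float("-inf"))

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed login; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        window = self._failures.setdefault(user, deque())
        window.append(now)
        # Forget failures that have aged out of the sliding window.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            window.clear()
            return True
        return False

    def max_online_guesses_per_day(self) -> float:
        """Upper bound on guesses an attacker gets against one account per day
        by tripping the lock as fast as the policy allows (guess time ignored)."""
        cycles_per_day = 86_400 / self.lock_seconds
        return cycles_per_day * self.max_failures


if __name__ == "__main__":
    bits = passphrase_bits(500_000, 3)
    offline_years = seconds_to_exhaust(bits, 1e9) / (365 * 86_400)
    print(f"3-word phrase: {bits:.2f} bits, "
          f"{offline_years:.1f} years to exhaust at 1e9 guesses/s offline")
    policy = LockoutPolicy()
    print(f"online, with lockout: at most "
          f"{policy.max_online_guesses_per_day():.0f} guesses/day per account")
    print(f"ATM PIN, 3 tries: {pin_guess_success(3):.4f} chance per stolen card")
```

The point the numbers make: 56.8 bits falls to an offline attacker at 1e9 guesses/sec in a few years, but the same 56.8 bits behind a five-failures-then-lock policy is out of reach, because the attacker gets a few hundred guesses per day per account rather than a billion per second.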

Thread overview: 25+ messages
2010-06-28 22:32 ron minnich
2010-06-28 23:10 ` Ethan Grammatikidis
2010-06-29  2:28 ` Wes Kussmaul
2010-06-29  2:46   ` Stanley Lieber
2010-06-29 17:13     ` Wes Kussmaul
2010-06-29 17:27       ` Devon H. O'Dell
2010-06-29 18:30         ` Steve Simon
2010-06-29 18:41           ` Devon H. O'Dell
2010-06-29 18:57             ` erik quanstrom
2010-06-29 19:13               ` Devon H. O'Dell
2010-06-29 19:32                 ` erik quanstrom
2010-06-29 20:00                   ` Devon H. O'Dell
2010-06-30 11:28                     ` erik quanstrom
2010-06-30 15:22                       ` Wes Kussmaul
2010-06-30 16:22                       ` Devon H. O'Dell [this message]
2010-06-29 20:09                 ` Wes Kussmaul
2010-06-29 21:34                   ` Steve Simon
2010-06-29 19:19         ` Wes Kussmaul
2010-06-29  3:46   ` erik quanstrom
2010-06-29  8:07 ` Akshat Kumar
2010-06-29  9:14   ` hiro
2010-06-29  9:17     ` erik quanstrom
2010-06-29 19:59     ` ron minnich
2010-06-29 13:43 ` Gabriel Díaz
2010-06-29 16:54   ` hiro
