Date: Wed, 30 Jun 2010 12:22:16 -0400
From: "Devon H. O'Dell"
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] offered without comment or judgement
References: <1449883d7baedf2bc03d0857a73b6a98@coraid.com>

2010/6/30 erik quanstrom:
>> I certainly have several nonsensical words / names for my cats. None
>> of them contain numbers or punctuation or anything associated with a
>> strong passphrase. The longest of these is probably about 12
>> characters. And a system that can try a billion RSA keys per second is
>> going to quickly exhaust the relatively short combination of these,
>> even brute forcing. And you're right -- as I also alluded above, the
>
> assuming the attackers have a dictionary of only 500000 words that
> contains your nonsense words and assuming unicase and no spaces
> or other punctuation you get 18.9 bits/word.  for a neat 3 word phrase,
> that's 56.8 bits.
>
> for a login, that's plenty since there should be some protection
> against password guessers.  general slowness or just a slow connection
> should be enough to prevent 1e9 guesses/sec.

As networks get faster, it becomes more of an issue. Luckily, most
places that have information about you / your money will lock your
account after N invalid login attempts within a certain time period.
The places that don't probably don't matter. But usually there are
easier ways to get that information anyway.

>> People have enough difficulty remembering short passwords. Or creating
>> "good" passwords in the first place. Upper bounds along with enforcing
>> permutations are placed to reduce peoples' likelihood of forgetting
>> them while still providing some level of security. It's not the best
>> approach, but until people start treating passwords like an ATM card
>> with a PIN, it's not going to matter much anyway. (Ignoring that PINs
>> for most cards only have 9990 or fewer permutations.)
>
> people will learn.  real computer passwords have not
> been common for very long.
>
> also, an atm card is a 2-factor authentication scheme.  and
> you get 3 guesses.  assuming you can steal the card your chances
> of success are about 3/10000.  (wiki says 6/10000 due to unused
> numbers http://en.wikipedia.org/wiki/Pin_number#PIN_security)
>
> a better attack might be to shoulder surf and then socially
> engineer the bank into sending you a card.  say by stealing
> it out of the mailbox.

What people do these days is put magnetic readers on the outside of
the reader you're putting your card through. They store information
about N cards, and then write their own cards based on that
information. There's little guesswork involved; there are plenty of
online shops that don't check CVV or shipping address, especially
internationally. Then you also have keyloggers and screen scrapers.
Lots of ways to get all that information, very, very easily. Social
engineering, indeed, works charms.

> - erik
>
>
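The entropy and guess-rate arithmetic the thread argues over (a 500000-word dictionary giving 18.9 bits/word and 56.8 bits for three words, a 1e9 guesses/sec attacker, an account that locks after N attempts per window, and 3 guesses at a 4-digit PIN) carried through as a small estimator. This is an added example, not code from the list or from either poster; the lockout parameters (5 attempts per 15 minutes) are an assumed illustration.

```python
import math


def keyspace(dictionary_size: int, words: int) -> int:
    """Number of distinct phrases of `words` words drawn from a dictionary
    (unicase, no separators, as the thread assumes)."""
    return dictionary_size ** words


def bits_per_word(dictionary_size: int) -> float:
    """Entropy contributed by one word chosen uniformly from the dictionary."""
    return math.log2(dictionary_size)


def phrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy of a phrase of `words` independent dictionary words."""
    return math.log2(keyspace(dictionary_size, words))


def guesses_per_second(max_attempts: int, window_seconds: float) -> float:
    """Effective guess rate an online attacker gets when the account locks
    after `max_attempts` failures per `window_seconds` (assumed lockout policy)."""
    return max_attempts / window_seconds


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses/sec.
    The expected time to hit the right one is half this."""
    return space / rate


def success_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` blind guesses hit a uniformly chosen secret
    (e.g. 3 tries at a 10000-PIN space, as in the thread)."""
    return min(1.0, attempts / space)


if __name__ == "__main__":
    space = keyspace(500000, 3)
    print(f"{bits_per_word(500000):.1f} bits/word, {phrase_bits(500000, 3):.1f} bits for 3 words")
    offline = seconds_to_exhaust(space, 1e9)
    print(f"offline at 1e9 guesses/s: {offline / 86400 / 365:.1f} years to exhaust")
    online = seconds_to_exhaust(space, guesses_per_second(5, 15 * 60))
    print(f"online, 5 tries per 15 min: {online / 86400 / 365:.3g} years to exhaust")
    print(f"3 guesses at a 4-digit PIN: {success_probability(10_000, 3):.4f}")
```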