
Re: Have I been hacked?



On Tue 13 Jan 2015 at 22:16:12 -0700, Bob Proulx wrote:

> Brian wrote:
> > Seeing that my argument that enforcing (if it is possible) an
> > unmemorable password is not in the best interests of security doesn't
> > gain any traction, let me try a different tack.
> > 
> > The password
> > 
> >   TwasBrilligAndTheSlithyToves
> > 
> > strikes me as a pretty good one for an ssh login. (I have capitalised
> > some letters for readability, not to add complexity). Personally, I find
> > it easy to remember and associate with ssh and my account. I cannot see
> > why it is not a good password for me.
> 
>   Why passwords have never been weaker—and crackers have never been stronger
>   http://arstechnica.com/security/2012/08/passwords-under-assault/
> 
>   Most importantly, a series of leaks over the past few years containing
>   more than 100 million real-world passwords have provided crackers with
>   important new insights about how people in different walks of life
>   choose passwords on different sites or in different settings.  The
>   ever-growing list of leaked passwords allows programmers to write
>   rules that make cracking algorithms faster and more accurate; password
>   attacks have become cut-and-paste exercises that even script kiddies
>   can perform with ease.
> 
> To summarize the problem it is that you as a human are unique in the
> universe, just like everyone else.  Analyzing 100 million passwords
> exposes the human bias that you introduce that you don't realize you
> are introducing.  It is "big data" removing the uniqueness and
> reducing the search space.

A good article. There is a follow-up at

   http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

Although it affects a user, the lack of security at a site is not fixable by
him and is not his responsibility. If usernames and hashes are exposed to
an off-line attack I would agree the only certain protection is a long,
complex password comprising random characters. It would be beyond the
present techniques to match the hash in any realistic time.

I am still going to maintain that "TwasBrilligAndTheSlithyToves" is a
more than adequate password for logging in *on-line*. If I were to lack
trust in the maintenance of security at a site I might consider a change
of heart. But then - what would I base my judgement on, apart from the
theoretical possibility?

> I won't say that the technique you show above is a bad thing.  But the
> current wisdom is that it isn't good enough anymore because after
> analyzing millions of real world passwords, programs can now guess
> what humans will do much of the time.  So what you really need is
> something other than what a human would produce.

We are still on off-line cracking? How does this sound?

Memorable passwords are good. Long, complex passwords are also good. One
needn't exclude the other.

I can remember "TwasBrilligAndTheSlithyToves" and associate it with an
account.

Before signing up I do

    echo TwasBrilligAndTheSlithyToves | sha1sum | base64 | cut -c -30

The output is what I give to a site as a password.

Furthermore, before any future logins I can run the command again to get
the same password. Isn't this on-line and off-line cracking taken care
of?


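The derivation Brian describes in the message above, as an added example that is not part of the original post: the pipeline is wrapped in a function so it can be re-run and checked, and a second function (an addition beyond the post, and my own suggestion rather than Brian's) mixes a site name into the input so that each site receives a different derived password from the same memorable phrase, since the pipeline as written in the post hands the same 30 characters to every site. It assumes GNU coreutils `sha1sum`, `base64` and `cut`, as found on a Debian system; the phrase and site names are the post's example and constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Assumes sha1sum, base64 and cut from GNU coreutils.

# Exactly the pipeline from the post: memorable phrase in, 30 characters out.
# printf '%s\n' reproduces echo's trailing newline without echo's
# backslash-handling differences between shells; the newline must be kept,
# because it is part of what the post's echo feeds to sha1sum.
derive_password() {
    printf '%s\n' "$1" | sha1sum | base64 | cut -c -30
}

# Beyond the post: prefix the site name so that the same phrase yields a
# different 30-character string per site. The phrase is still the only
# thing the user has to remember; the site name is known at login time.
derive_site_password() {
    site=$1
    phrase=$2
    printf '%s:%s\n' "$site" "$phrase" | sha1sum | base64 | cut -c -30
}

# Sanity check used below: the output should be 30 characters drawn from
# the base64 alphabet, and identical on every run for the same input.
is_well_formed() {
    [ ${#1} -eq 30 ] || return 1
    case $1 in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# Usage (phrase from the post; site names are constructed placeholders):
#   derive_password TwasBrilligAndTheSlithyToves
#   derive_site_password example.org TwasBrilligAndTheSlithyToves
```

Running `derive_password` twice with the post's phrase returns the same string both times, which is the "before any future logins I can run the command again" property the post relies on; `derive_site_password` keeps that property per site while giving `example.org` and `example.net` different strings.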