
Re: Have I been hacked?



On 1/12/2015 8:05 AM, iain@thargoid.co.uk wrote:
> 
> While it is possible to enforce certain password policies (e.g. must use
> capital letters, numbers, symbols etc) these
> do not necessarily dictate a secure password. I guess if I know your
> phone number, if it is stored in my phone I have
> it as well. Someone steals my phone they now also know and have your
> number. If I do not add it to my phone, do I still
> have it?
>

No different than having a key on your notebook and having the notebook
stolen.

<snip>


> Knowledge is easier to duplicate than a physical item. You mentioned the
> ATM attack.

Incorrect.  Knowledge cannot be duplicated if there is no basis for that
knowledge.

For instance, it was not possible for archeologists to decipher ancient
Egyptian hieroglyphics before the discovery of the Rosetta Stone in 1799
- before this, there was no basis for knowledge of the language.

The same is true for passwords.  If you don't have a basis for knowledge
of the password's construction, it is impossible to duplicate that
password in any reasonable length of time.

For instance - let's see you duplicate the password to one of my
servers.  You won't be able to do it, because it's random and I don't
have it written down anywhere.  Even if you steal every one of my
computers, it won't help you at all, because it's not stored on any of
them.

> 
>>
>> How do you define security?
> 
> I don't need to. There is already a definition in English for this:
> 
> http://dictionary.cambridge.org/dictionary/british/security

I happen to agree with Joel here.  I don't want to know the dictionary
definition - I want to know YOUR definition of security.

<snip>

>>> ) my fingerprint (being something I am)
>>
>> You sure it's not something you have?
> 
> Nope - I am pretty sure it is something I am, within the context of the
> above statement.
>

A fingerprint is something you HAVE.  It is present on your body; it is
NOT something you are.  You can leave a fingerprint on a glass, for
instance, and it doesn't affect you at all.

Also, a fingerprint can be duplicated from anywhere you leave it.  Watch
some of the CSI or similar TV shows, for instance.  They take
fingerprints off of surfaces all the time.  And it's not much harder to
make a duplicate of the fingerprint which can be used to access a
system.  It's already been done multiple times with the new iPhone
fingerprint "security".

>>
>>> is more
>>> secure than a password.
>>
>> Unless someone chops your hand off to steal your BMW.
> 
> Again - implementation. Is the hand warm? Is there a pulse?
>

Not part of the fingerprint - but again, these can be duplicated - a
latex glove with the fingerprint etched into it, for instance.

>>
>>> Also, an ssh-key (being something I have
>>
>> Now there's an interesting assertion. It seems reasonable, if one
>> accepts certain implicit, arbitrary boundaries between the three
>> classes of tokens invoked above.
>>
>> -- seems reasonable --
>>
>>> ) is more
>>> secure than a password.
>>
>> And, yet, it is no more secure than the user account on the machine in
>> which it is stored.
> 
> OK sure - but we are discussing how to authenticate to an account right?
>

We are discussing how to authenticate an account on another machine.  If
your key is on your machine, and I steal your machine, I can break the
passphrase your key uses.  It may take a while, but it will be a lot
faster than if that same passphrase were used as a password to your server.

> 
> Something you have and something you are have to be digitised, to produce a
> token that can be used to prove your identity to a computer system. That is
> part of the implementation.
>

Everything you have mentioned is something I "have".  I "have" knowledge
of a long, random password (not stored anywhere else).  I "have" a key
stored on my computer (protected by a password).  I "have" a fingerprint.

And the security of these three items is in DESCENDING order.

Jerry
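Jerry's point about a stolen machine is that the passphrase on a stored ssh key can be guessed offline, at whatever rate the attacker's hardware allows, whereas a server password is guessed one login attempt at a time. The defensive check that follows from this is whether a stored key is passphrase-protected at all, and how expensive its key-derivation function is. The script below is an added illustration, not code from this thread or from OpenSSH: it parses only the public header of an `openssh-key-v1` private key file (cipher name, KDF name and bcrypt round count) and never touches the encrypted payload. The sample key files it builds with `make_sample_key` are constructed header-only stand-ins, not real keys, and the threshold of 16 rounds is the `ssh-keygen -a` default assumed here.

```python
"""Report whether an OpenSSH private key is passphrase-protected and how
costly its KDF is, by reading the unencrypted header of the
openssh-key-v1 container (added example, not from the mailing-list thread)."""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"
DEFAULT_ROUNDS = 16  # assumption: ssh-keygen's default bcrypt round count


def _read_string(buf: bytes, off: int):
    """Read an SSH wire-format string (uint32 length prefix) at offset `off`."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string."""
    return struct.pack(">I", len(b)) + b


def inspect_key(pem_text: str) -> dict:
    """Return cipher, KDF, encryption flag and bcrypt rounds from the key header."""
    lines = pem_text.strip().splitlines()
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH-format private key")
    raw = base64.b64decode("".join(line.strip() for line in lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = _read_string(raw, off)      # "none" when no passphrase is set
    kdf, off = _read_string(raw, off)         # "none" or "bcrypt"
    kdfopts, off = _read_string(raw, off)     # bcrypt: string salt, uint32 rounds
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "encrypted": cipher != b"none", "rounds": None}
    if kdf == b"bcrypt":
        _salt, o = _read_string(kdfopts, 0)
        (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
    return info


def assess(info: dict) -> str:
    """One-line verdict on how much an offline attacker gains from copying the file."""
    if not info["encrypted"]:
        return "unprotected: whoever copies the file holds the key"
    if info["kdf"] != "bcrypt":
        return "encrypted with legacy KDF: cheap to guess offline"
    if info["rounds"] < DEFAULT_ROUNDS:
        return "bcrypt with %d rounds: below the assumed default of %d" % (
            info["rounds"], DEFAULT_ROUNDS)
    return "bcrypt with %d rounds: each offline guess costs the attacker" % info["rounds"]


def make_sample_key(cipher: bytes, kdf: bytes, rounds: int = 0) -> str:
    """Constructed sample: header-only openssh-key-v1 container with empty key blobs."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # fake salt
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1)            # number of keys
            + _ssh_string(b"") + _ssh_string(b""))  # public key, private section (empty here)
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([PEM_HEAD, *body, PEM_TAIL]) + "\n"


if __name__ == "__main__":
    for name, sample in [("no passphrase", make_sample_key(b"none", b"none")),
                         ("weak rounds", make_sample_key(b"aes256-ctr", b"bcrypt", 4)),
                         ("default rounds", make_sample_key(b"aes256-ctr", b"bcrypt", 16))]:
        print(name, "->", assess(inspect_key(sample)))
```

Run it against a real file with `inspect_key(open("~/.ssh/id_ed25519").read())` after expanding the path; the parser reads nothing past the KDF options, so it works identically on an encrypted key and reveals nothing about the key material.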

