On 23/08/17 14:11, Brian wrote: >> As for the scenario where the password is compromised and that leads to >> somebody posting slander in one behalf, that can happen without any need >> for password cracking. Anybody can create a profile in a social network >> pretending to be you with the intention to taint your reputation. >> >> Hence that only your reputation as perceived by stupid people would >> suffer from such an attack. > > A slander coming from your own (compromised) account is somewhat > different from one posted from a created account. It is a lot harder > to deny one but not the other. The problem here is that only *you* know which account is legitimate and which is the impersonator. The rest of people read that account A claims that account B is impersonating it, but they can not know that is true, or whether it is actually the other way, or whether account B is actually the same person as account A but posing as a impersonator of himself (like the so called “self-robbery”). If you have access to an account, you can prove this easily to anybody through a challenge-response protocol. However, in general you can not prove that you do *NOT* have access to an account. It can be done only in *some cases*. For example, if you were unconscious in the hospital, the hospital personnel can attest to this. Of course, this works only if people is willing to trust the hospital personnel. >>> "Probably" is probably good enough. The probability of either of the two >>> previous passwords being deduced from pure guessing is close to zero. >> >> It is not human guessing, but brute force attacks with specialized >> hardware what you should try to protect against. > > It is all "human guessing". Think about it. Machines do not guess by > themselves. Not yet anyway! > > Two passwords: > > IhaveaMemorablePasswordwhichIwillnotforget! > > MyDogHasNoNose.HowDoesItSmell?Terrible! > > Please would you give your opinion of how long it would take to brute > force these over the network. > > (I do not understand "specialized hardware" when it is network attacks.) An answer can not be given for “how long it would take” because this question depends on too many factors. It is an open-ended question. Anyway, you have to take into account that sometimes a data base of hashed passwords of the users can be obtained through normal cracking. Then the attacker can perform a brute force search without any further need for network access. If your ~/.gnupg directory leaks, then your OpenPGP key is protected only by your password. No network access is required after the initial leak. -- Do not eat animals, respect them as you respect people. https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
Attachment:
signature.asc
Description: OpenPGP digital signature