
Re: One-line password generator



On Wed 23 Aug 2017 at 18:06:49 -0500, Mario Castelán Castro wrote:

> On 23/08/17 14:11, Brian wrote:
> >> As for the scenario where the password is compromised and that leads to
> >> somebody posting slander on one's behalf, that can happen without any need
> >> for password cracking. Anybody can create a profile in a social network
> >> pretending to be you with the intention to taint your reputation.
> >>
> >> Hence only your reputation as perceived by stupid people would
> >> suffer from such an attack.
> > 
> > A slander coming from your own (compromised) account is somewhat
> > different from one posted from a created account. It is a lot harder
> > to deny one but not the other.
> 
> The problem here is that only *you* know which account is legitimate and
> which is the impersonator. The rest of the people read that account A claims
> that account B is impersonating it, but they cannot know that it is true,
> or whether it is actually the other way, or whether account B is
> actually the same person as account A but posing as an impersonator of
> himself (like the so-called “self-robbery”).
> 
> If you have access to an account, you can prove this easily to anybody
> through a challenge-response protocol. However, in general you can not
> prove that you do *NOT* have access to an account. It can be done only
> in *some cases*. For example, if you were unconscious in the hospital,
> the hospital personnel can attest to this. Of course, this works only if
> people are willing to trust the hospital personnel.

It comes down (IME) to protecting and preserving one's online identity.
Treating some accounts as deserving passw0rd while others get a urandom
generated Odju56LAVGMXl8nJQBE4KA is not conducive to that. Also, taking
shortcuts in health and safety matters rarely turns out well.
 
> >>> "Probably" is probably good enough. The probability of either of the two
> >>> previous passwords being deduced from pure guessing is close to zero.
> >>
> >> It is not human guessing, but brute force attacks with specialized
> >> hardware that you should try to protect against.
> > 
> > It is all "human guessing". Think about it. Machines do not guess by
> > themselves. Not yet anyway!
> > 
> > Two passwords:
> > 
> >   IhaveaMemorablePasswordwhichIwillnotforget!
> > 
> >   MyDogHasNoNose.HowDoesItSmell?Terrible!
> > 
> > Please would you give your opinion of how long it would take to brute
> > force these over the network.
> > 
> > (I do not understand "specialized hardware" when it is network attacks.)
> 
> An answer can not be given for “how long it would take” because this
> question depends on too many factors. It is an open-ended question.

Fair enough.
 
> Anyway, you have to take into account that sometimes a database of
> hashed passwords of the users can be obtained through normal cracking.
> Then the attacker can perform a brute force search without any further
> need for network access.
> 
> If your ~/.gnupg directory leaks, then your OpenPGP key is protected
> only by your password. No network access is required after the initial leak.

I'll give you that. 50,000 tests per second offline (or whatever it is
now) beats an online attack of a few hundred (?) per second any day of
the week.

I've seen it said that a memorable password is a weak password. Perhaps
there is some truth in that, but (again IME) it needn't be so.

-- 
Brian.
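Brian's comparison of offline and online guessing rates, together with the urandom-generated 22-character password quoted earlier in the thread, as an added Python example (not code from the thread or its participants): it builds such a password as base64 of 16 random bytes and works out how long exhausting the search space takes. The rates (a few hundred guesses per second online, 50,000 per second offline) are taken from Brian's message and treated here as assumptions.

```python
import base64
import math
import secrets

# Guess rates quoted in the thread, used as assumed constants for the comparison.
ONLINE_RATE = 300        # "a few hundred" guesses/s against a network service
OFFLINE_RATE = 50_000    # "50,000 tests per second offline" against leaked hashes


def generate_password(nbytes: int = 16) -> str:
    """Return a urandom-style password: base64 of `nbytes` random bytes with the
    '=' padding stripped. For 16 bytes this gives 22 characters, the same shape
    as the Odju56LAVGMXl8nJQBE4KA example quoted in the thread."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def entropy_bits_random(nbytes: int = 16) -> float:
    """The real entropy is that of the underlying random bytes (8 bits each),
    not of the 64-symbol alphabet the encoding displays."""
    return 8.0 * nbytes


def entropy_bits_alphabet(length: int, alphabet_size: int) -> float:
    """Upper bound an attacker would assume for `length` symbols drawn uniformly
    from `alphabet_size` symbols; for 22 base64 characters this is 132 bits,
    slightly above the 128 bits actually present."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, rate: float) -> float:
    """Seconds needed to try every candidate in a 2**bits space at `rate`/s."""
    return 2.0 ** bits / rate


def years_to_exhaust(bits: float, rate: float) -> float:
    return seconds_to_exhaust(bits, rate) / (365.25 * 24 * 3600)


def offline_speedup() -> float:
    """How many times faster the assumed offline attack is than the online one."""
    return OFFLINE_RATE / ONLINE_RATE


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits_random()
    print(f"{pw} ({len(pw)} chars, {bits:.0f} bits of entropy)")
    for label, rate in (("online", ONLINE_RATE), ("offline", OFFLINE_RATE)):
        print(f"{label:8s} exhaustive search: {years_to_exhaust(bits, rate):.2e} years")
    print(f"offline is {offline_speedup():.0f}x faster than online")
```

The offline rate is roughly 170 times the online one, yet against 128 bits of true randomness both exhaustive searches remain far beyond any practical timescale; the speedup matters for low-entropy, guessable passwords, which is where a leaked hash database changes the picture.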