
Re: One-line password generator



On Fri 25 Aug 2017 at 08:40:35 +0000, Curt wrote:

> On 2017-08-25, David Wright <deblis@lionunicorn.co.uk> wrote:
> >
> > Unless you have accounts¹ that invite break-in attempts², the main
> > thing to resist offline cracking is to have better passwords than
> > your neighbours, just like security against burglary. Once a suitable
> > proportion of passwords have been cracked, which will consist of the
> > easier ones, there are diminishing returns in continuing to try to
> > crack the rest.
> 
> Brian's thesis:
> 
> https://xkcd.com/936/
> 
> (clever and funny, BTW,
> yet contradicted by this:)
> 
> https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
> 
> > ¹accounts of all sorts, not just forums.
> > ²institutions, slebs, politicians, etc.

An interesting read. You would come away with the technical notion that
the only type of password which is secure against an *offline* attack is
one which is generated randomly. The rate at which hashes can be tested
is impressive and no doubt increasing, so we'll go along with that.

However, users use passwords to log into accounts *online* and those
passwords are devised to withstand an *online* attack (of 100 tests per
second maximum(?)). This is the only aspect a user can completely
control and many make a good job of it. Passwords which are long and
have some complexity but are not a burden on the user or impossible to
memorise would withstand such an attack. (This leaves aside the defences
the site itself has in place).

A user has no control over what happens at the other end. Knowledge
about how data are stored and safeguarded will be sparse, so the user
will have to make a risk assessment about that; only time will tell
whether it is correct. What doesn't seem quite right (morally and
technically) is for it to be implied that the user should take some
responsibility for the site's (unknown) shortcomings.

-- 
Brian.
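The online-versus-offline distinction above is easy to put numbers on. The following is an added example, not code from the thread: it generates a password the way a "one-line generator" would (uniform random choice from an alphabet), computes its entropy, and estimates expected time-to-guess at the 100 tests/second online rate the post quotes against an assumed offline rate of 10^10 hashes/second (an illustrative figure, not a measurement).

```python
import math
import secrets
import string

# Guess rates used for the comparison. The online figure is the one the
# post quotes (100 tests per second). The offline figure is an assumption
# for illustration only; real cracking rigs vary by orders of magnitude.
ONLINE_GUESSES_PER_SEC = 100
OFFLINE_GUESSES_PER_SEC = 10_000_000_000  # assumed, illustrative

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from a CSPRNG; characters are independent."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_seconds_to_guess(bits: float, guesses_per_sec: float) -> float:
    """Expected time to hit a uniform password: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_sec


def survival_report(length: int, alphabet: str = ALPHABET) -> dict:
    """Years a random password of this length is expected to survive."""
    bits = entropy_bits(length, len(alphabet))
    return {
        "length": length,
        "entropy_bits": round(bits, 1),
        "online_years": expected_seconds_to_guess(bits, ONLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
        "offline_years": expected_seconds_to_guess(bits, OFFLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for n in (8, 12, 16):
        r = survival_report(n)
        print(f"{generate_password(n)}  {r['entropy_bits']:5.1f} bits  "
              f"online: {r['online_years']:.3g} y  offline: {r['offline_years']:.3g} y")
```

With these rates an 8-character alphanumeric password is expected to hold out for tens of thousands of years online but only hours offline, which is exactly the gap the post is describing.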