
Re: One-line password generator



On Fri 25 Aug 2017 at 12:14:18 -0500, Mario Castelán Castro wrote:

> On 25/08/17 12:11, Brian wrote:
> >> Unless you have a good reason to think otherwise (e.g. *you* manage the
> >> web site and you know you are doing a good job), you should assume that
> >> the data-base with hashes passwords will leak without the system
> >> administrators noticing, and then an attack can be carried offline.
> > 
> > The problem with assumptions is that they often do not reflect the truth
> > of a situation and predispose us to making recommendations which are not
> > in the best interests of other people.
> 
> This *sounds* very reasonable, but the truth is that you are simply
> dodging that your recommendation leads to weak passwords.

It not only *sounds* very reasonable, it *is* very reasonable. All of
us, at one time or another, make assumptions which, in the light of
experience or on closer examination, do not stand up.

I really am not trying to dodge anything, but would like to know if
distinguishing between offline and online is reasonable. Passwords which
are possibly not immune to *offline* cracking is how I would categorise
my idea.  But that is not the responsibility of the user to mitigate.
(Does one take a parachute on to a plane "just in case..."?)

> In security, one should not take things for granted. One should plan for
> the worst plausible case. Leaking hashed passwords has happened many
> times, so it is very plausible.

My bank has never (to my knowledge) had a breach. I trust it. I assume
the people it employs are conscientious and competent. I assume they
know more about their systems than I do. (BTW, one does this all the
time, from surgeons to train drivers). I could use a random password
to log in, but where is the deficiency in "Gimmethed0sh. It's*my*money!"
for an online login?

To "take things for granted" is just another way of talking about
assumptions. Maybe I am taking my bank's security for granted. But what
other option is there, other than to form an opinion and then weigh up
the risk? I have no control over their policies regarding data access.
The worst possible case for my argument would be that the online and
offline cases are indistinguishable.

-- 
Brian.
