
Re: One-line password generator



Hi,

Brian wrote:
> I think you had a provider's compromised database in mind when you wrote
> this.

Yes. That's the way an attacker can get the biggest harvest,
and it is also the risk which you cannot influence remotely.


> An attacker would be limited by his imagination and monetary and
> time costs but, in the end, it could be assumed he would get something
> out of it.

It would be desirable if he could not get your password before the service
provider takes notice of the theft and decides to take action.


> The compromise is also not the user's responsibility and it is
> unfair to put the burden for mitigating it on him

If suddenly money vanishes from your account or luxury goods get ordered
at your expense, then it will possibly be seen as a lame excuse if you point
to a possible password theft.


> Guessable? Is this the type of guessing done by friends, acquaintances
> and close family members to try to get at your gmail or bank account?

I rather think of web crawlers, statistical tools, and artificial
intelligence in the field of human psychology.
The goal is to avoid most of the tries with passwords which a human is
very unlikely to create.


> Random is excellent; write it down or use a password manager.

The first advice was deprecated for a long time but seems now to be
revived by the necessity to use superhumanly safe passwords.
Need makes one courageous.

The second way means that you give all your passwords to one or a few pieces
of software, which might be safe, maybe.
You still need to memorize at least one password that is good enough to
guard all the others.
As for allowing only a limited frequency of tries: If the attacker can
steal the encrypted passwords, then he can probably create a version of the
password manager software which makes as many tries as fast as the CPU
can do.
It would help a lot if nobody knows how to make the tries fast.


Have a nice day :)

Thomas
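The two points Thomas raises above, that a random password has to be "superhumanly safe" against an offline attacker holding a stolen database, and that the attacker's guess rate depends on how slowly each try can be made, can be put into numbers. The following is an added example and not code from the thread or from anyone in it. It generates a password from the OS random source, computes its entropy, measures on the local CPU how many guesses per second an unsalted fast hash allows versus a deliberately slow key-derivation function (PBKDF2 with a constructed salt and an assumed iteration count), and turns that into an expected time to exhaust the keyspace. The guess rates it prints are whatever this machine manages, so they are a lower bound for an attacker with better hardware; the point is the ratio between the two.

```python
"""
Added example (not part of the original mailing-list thread): estimate how long
an offline attacker holding a stolen credential database would need to guess a
randomly generated password, and how key stretching changes that cost.
"""
import hashlib
import math
import secrets
import string
import time

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed values for the demonstration; a real system stores a per-user
# random salt and picks an iteration count tuned to its hardware.
SALT = b"constructed-salt-for-demo"
ITERATIONS = 100_000


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (the 'random is excellent' option)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """On average the attacker finds the password after trying half the keyspace."""
    return 2 ** bits / 2


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock time for an exhaustive offline search at the given rate."""
    return expected_guesses(bits) / guesses_per_second


def fast_hash(pw: bytes) -> bytes:
    """Unsalted single SHA-256: what an attacker hopes the leaked database stores."""
    return hashlib.sha256(pw).digest()


def stretched_hash(pw: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` hash computations."""
    return hashlib.pbkdf2_hmac("sha256", pw, SALT, iterations)


def measure_rate(func, min_seconds: float = 0.2) -> float:
    """Count how many candidate passwords per second `func` can check on this CPU."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < min_seconds:
        func(f"candidate-{count}".encode())
        count += 1
    return count / (time.perf_counter() - start)


def years(seconds: float) -> float:
    return seconds / (365.25 * 86400)


if __name__ == "__main__":
    fast_rate = measure_rate(fast_hash)
    slow_rate = measure_rate(stretched_hash)
    print(f"guesses/s on this CPU: fast hash {fast_rate:,.0f}, "
          f"PBKDF2({ITERATIONS}) {slow_rate:,.0f}")
    print(f"{'len':>3} {'bits':>6} {'years (fast)':>16} {'years (stretched)':>20}")
    for length in (8, 12, 16):
        bits = entropy_bits(length, len(ALPHABET))
        print(f"{length:>3} {bits:6.1f} "
              f"{years(seconds_to_crack(bits, fast_rate)):16.3e} "
              f"{years(seconds_to_crack(bits, slow_rate)):20.3e}")
    print("sample generated password:", generate_password(16))
```

Run it as a script to see the table; the stretched column is larger by roughly the iteration count, which is exactly the factor a password manager's master-key derivation buys against someone who has copied the vault and is running their own fast guessing loop.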

