[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: One-line password generator

On Sat 02 Sep 2017 at 20:58:13 +0200, Thomas Schmitt wrote:

> Brian wrote:
> > I think you had a provider's compromised database in mind when you wrote
> > this.
> Yes. That's the way how an attacker can get the biggest harvest
> and also the risk which you cannot influence from remote.

True. I'm glad you ackowledged the user has no control over a breaching
of the provider's system.
> > An attacker would be limited by his imagination and monetary and
> > time costs but, in the end, it could be assumed he would get something
> > out of it.
> It would be desirable if he could not get your password before the service
> provider takes notice of the theft and decides to take action. 

Very desirable.

> > The compromise is also not the user's responsibilty and it is
> > unfair to put the burden for mitigating it on him
> If suddenly money vanishes from your account or luxury goods get ordered
> at your expense, then it will possibly be seen as lame excuse if you point
> to a possible password theft.

We are talking here about a provider's system being penetrated and a
number of password thefts happening, It is hardly a "lame excuse" if the
user uses this in a claim for compensation, so I do not know where you
are coming from. The provider is responsible for the information being
held on its systems, even if the user has used "password" for the

> > Guessable? Is this the type of guessing done by friends, acquaintances
> > and close family members to try to get at your gmail or bank account?
> I rather think of web crawlers, statistical tools, and artificial
> intelligence on the field of human psychology.
> The goal is to avoid most of the tries with passwords which a human is
> very unlikely create.

You would be better off thinking in terms of close family members. They
are the ones to beware of.

> > Random is excellent; write it down or use a password manager.
> The first advice was deprecated for a long time but seems now to be
> revived by the necessity to use superhumanly safe passwords.
> Need makes courageous.
> The second way means that you give all your passwords to one or a few pieces
> of software, which might be safe, maybe.
> You still need to memorize at least one password that is good enough to
> guard all the others.
> As for allowing only a limited frequency of tries: If the attacker can
> steal the encrypted passwords, then he can probably create a version of the
> password manager software which makes as many tries as fast as the CPU
> can do.
> It would help a lot if nobody knows how to make the tries fast.

We are back to the offline cracking. It is interesting and mesmorises
us because of its technological import but is of zero consequence for
online cracking.

Do you want to be safe online? Choose a good password and store it

Do you want to pre-empt your provider being breached and get ahead of
the game? Forget about it. Que Sera, Sera.


Reply to: