On 8 Jun 2012, at 22:59, John Levine wrote:
Given that most compromised passwords these days are stolen by malware or phishing, I'm not understanding the threat, unless you're planning to change passwords more frequently than the interval between malware stealing your password and the bad guys using it.
I agree that keeping a big file of unsalted hashes is a dumb idea, but there isn't much that users can do about services so inept as to do
Hi John, I can't easily reconcile the statement that "most passwords … are stolen by malware/phishing" with the subsequent para referring to the likes of LinkedIn (6.5 million apparently without usernames) or Playstation Network (77 million with PII) or RockYou (32 million IDs) … but then I lack stats for the former, perhaps you can tell me how many tens-of-millions of people got phished last year? Creditcards scraped by malware may touch that number, but might be themselves outpaced by wholesale CC database theft. Sometimes password changing is done for reducing the window of opportunity, other times it is for education, yet more times it's for both, or to get everyone to refresh their password so the new Bcrypt or SHA512crypt hash algorithm can be enabled and the crummy old short Unix passwords (aaU..z/8FAYEc) can be expunged. With the right tools your identity can be quite (shall we say?) agile and involve a lot of hard work for bad guys to hit. That's the goal. Turning the matter on its head: How tragic would it be for someone still to be using the same password that they were using in the Playstation hack, 14 months after the event? Is 14 months a excusable length of time for someone not to have changed their password after a break? I would say not - but then would 6 months be any more excusable? Or 3 months? How long is it excusable to not get around to changing a known-to-be-hacked password? And what if you don't know you've been hacked? In this game of diminishing time windows and not being sure about whether User-A's password was taken but User-B's was not, perhaps the best strategy is to assume that all passwords are likely broken after a period of time and to change all of them - but that idea does not appeal to everyone; I can see why, but perhaps my goals are different. -a