I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember each one of them and dutifully update them every month or two?
Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the passwords you use frequently should be changed at regular intervals.
It's pretty commonsensical once the threat is understood.
Does anybody have a good URL explaining that idea? It's been kicking around for many years. I've never seen a convincing writeup. Does your bank request/require that you change the PIN on your ATM card every few months? Security is a tradeoff. I think there are two cases for passwords. I'll call them important and junk. I'm willing to store the junk ones in a file or piece of paper that I'm careful with. I have to memorize the important ones. I'm only smart enough to memorize a few good passwords. If I change them every few months, they will be less good, or fewer of them. -- These are my opinions. I hate spam.
Does anybody have a good URL explaining that idea? It's been kicking around for many years. I've never seen a convincing writeup.
I've tried to do that in another mail - it's in the realms of philosophy more than strategy; like if you're a really security-aware person and take great care you can probably stretch the useful life of a password out to _years_ - but how typical are *you* in that instance?
Does your bank request/require that you change the PIN on your ATM card every few months?
ATM cards are not passwords, they are a coarse form of two-factor authentication - You have the card, you have the PIN. You have to possess both in order to transact - at least in in theory. Compare that with the secrecy surrounding the CVV - the "last three digits on the number on the back of the card" which you are "not meant to tell anyone" and which _will_ be different if your card is lost/stolen and reissued. Now _that_ is a password.
Security is a tradeoff. I think there are two cases for passwords. I'll call them important and junk. I'm willing to store the junk ones in a file or piece of paper that I'm careful with. I have to memorize the important ones.
You know, that's not bad. I am pro-paper for long passwords. I am even-more pro "password safes".
I'm only smart enough to memorize a few good passwords. If I change them every few months, they will be less good, or fewer of them.
It's harder as we get old. Use technology to aid with the heavy lifting. :-) -a
On 6/8/12 16:05 , Alec Muffett wrote:
Does anybody have a good URL explaining that idea? It's been kicking around for many years. I've never seen a convincing writeup.
I've tried to do that in another mail - it's in the realms of philosophy more than strategy; like if you're a really security-aware person and take great care you can probably stretch the useful life of a password out to _years_ - but how typical are *you* in that instance?
I have a slide in a presentation I give about oncea year that goes something like: How good does a password/phrase have to be in order to protect against brute-force or dictionary attacks against the password itself? ● Entropy in language. – A typical english sentence has 1.2 bits of entropy per character, you need 107 characters to get a statistically random md5 hash. – Using totally random english characters you need 28 characters. – Using a random distribution of all 95 printable ascii characters you need 20 characters. ● Observation, good passwords are hard to come by.
Does your bank request/require that you change the PIN on your ATM card every few months?
ATM cards are not passwords, they are a coarse form of two-factor authentication - You have the card, you have the PIN.
You have to possess both in order to transact - at least in in theory.
Compare that with the secrecy surrounding the CVV - the "last three digits on the number on the back of the card" which you are "not meant to tell anyone" and which _will_ be different if your card is lost/stolen and reissued.
Now _that_ is a password.
Security is a tradeoff. I think there are two cases for passwords. I'll call them important and junk. I'm willing to store the junk ones in a file or piece of paper that I'm careful with. I have to memorize the important ones.
You know, that's not bad. I am pro-paper for long passwords. I am even-more pro "password safes".
I'm only smart enough to memorize a few good passwords. If I change them every few months, they will be less good, or fewer of them.
It's harder as we get old. Use technology to aid with the heavy lifting. :-)
-a
On 6/10/12, Joel jaeggli <joelja@bogus.com> wrote:
How good does a password/phrase have to be in order to protect against brute-force or dictionary attacks against the password itself? ? Entropy in language. A typical english sentence has 1.2 bits of entropy per character, you need 107 characters to get a statistically random md5 hash. Using totally random english characters you need 28 characters. Using a random distribution of all 95 printable ascii characters you need 20 characters. ? Observation, good passwords are hard to come by.
I don't disagree, except regarding dictionary attacks. If the attack isn't random then math based on random events doesn't apply. In the case of a purely dictionary attack if you choose a non-dictionary word and you are 100.000% safe. :) John John Souvestre - New Orleans LA - (504) 454-0899
On 6/10/12 00:25 , John Souvestre wrote:
On 6/10/12, Joel jaeggli <joelja@bogus.com> wrote:
How good does a password/phrase have to be in order to protect against brute-force or dictionary attacks against the password itself? ? Entropy in language. A typical english sentence has 1.2 bits of entropy per character, you need 107 characters to get a statistically random md5 hash. Using totally random english characters you need 28 characters. Using a random distribution of all 95 printable ascii characters you need 20 characters. ? Observation, good passwords are hard to come by.
I don't disagree, except regarding dictionary attacks. If the attack isn't random then math based on random events doesn't apply. In the case of a purely dictionary attack if you choose a non-dictionary word and you are 100.000% safe. :)
the search space for 6 8 10 character passwords is entirely too small...
John
John Souvestre - New Orleans LA - (504) 454-0899
On Sun, 10 Jun 2012 08:24:41 -0700, Joel jaeggli said:
I don't disagree, except regarding dictionary attacks. If the attack isn't random then math based on random events doesn't apply. In the case of a purely dictionary attack if you choose a non-dictionary word and you are 100.000% safe. :)
the search space for 6 8 10 character passwords is entirely too small...
Saw this over on Full-Disclosure. I'd love to know what inspired the HashCat software to *try* those 2 40-character passwords that broke... Subject: [Full-disclosure] Some stats about broken Linkedin passwds From: Georgi Guninski <guninski@guninski.com> Date: Sun, 10 Jun 2012 17:55:10 +0300 To: full-disclosure@lists.grok.org.uk Stumbled upon this: http://pastebin.com/5pjjgbMt ======= LinkedIn Leaked hashes password statistics (@StefanVenken) Based on the leaked 6.5 Million hashes, 1.354.946 were recovered within a few hours time with HashCat / Jtr and publicly found wordlists on a customer grade laptop. This report was created with pipal from @Digininja ======== Ironically they broke some 40 chars pwd. Another list that contains seemingly non-dictionary pwds is at: http://pastebin.com/JmtNxcnB
On Fri, 08 Jun 2012 15:33:29 -0700, Hal Murray said:
Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the passwords you use frequently should be changed at regular intervals.
It's pretty commonsensical once the threat is understood.
Does anybody have a good URL explaining that idea? It's been kicking around for many years. I've never seen a convincing writeup.
Gene Spafford did a nice analysis of the *contrary* a while ago, that changing and expiring passwords is essentially useless against the current threat model (he was writing about mandatory changes, but all the arguments hold up just fine for "should be changed" as well): http://www.cerias.purdue.edu/site/blog/post/password-change-myths/ http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/
----- Original Message -----
From: "Hal Murray" <hmurray@megapathdsl.net>
Security is a tradeoff. I think there are two cases for passwords. I'll call them important and junk. I'm willing to store the junk ones in a file or piece of paper that I'm careful with. I have to memorize the important ones.
Well, my personal approach to this -- one which I'm well aware is disparaged by Security Professionals -- is tiered passwords. I have one password for 'throwaway' accounts -- drive-forum postings and the like, another password for slightly more important accounts -- forums in which I participate regularly and the like, a third password for actual machine accounts, VPNs and similar things like equipment control panels, and finally a tier for accounts that people can actually change my life or spend my money; things like eBay, PayPal, etc -- on this tier, each password is actually distinct. Finally, there's a top-emergency fallback password, which I use for password safes, which is -- as nearly as I can determine, unresearchable, even if I told you its description. All of these passwords are rule/pattern constructed, using either The XKCD Rule, or one of a couple of my own construction, and each individual password is infixed after what it applies to, so as to make the actual final passwords *never be the same string of characters*, the infix going in a nondeterministic place in the string. This puts enough bits of entropy into the passwords to make them relatively strong -- sites with strength checkers on password set tend to like them a lot -- while keeping them all unique so they can't be cross referenced... and making them complex enough that they cannot be dictionary cracked either. I am, of course, a special case; I've been a system administrator for 30 years; this is my business -- I am willing to put the necessary energy into it as part of my work. I realize that lots of people (where, by lots, I mean several billion) aren't -- either because they don't understand why its important, or because they don't care, or because "it's someone else's fault when $3800 gets taken out of my bank account cause I'm a careless slob". TL;DR: Everyone, admin, user, or civilian, has to make their own decisions about how much work they want to put into security -- and *we* have to find ways to explain the choices so that Joe Q. Sixpack can understand *why it's important to him to think about it*. That's a sales pitch; engineers are *singularly* unsuited to it, in general. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
participants (6)
-
Alec Muffett
-
Hal Murray
-
Jay Ashworth
-
Joel jaeggli
-
John Souvestre
-
valdis.kletnieks@vt.edu