[extropy-chat] Password Security

BillK pharos at gmail.com
Fri Sep 23 11:36:15 UTC 2005


On 9/23/05, spike wrote:
>
> So we each have an infinite number of passwords
> that will unlock our secrets, yet wrongdoers usually
> cannot find even a single element of that infinite
> set, so awash are they in a far vaster sea of higher
> order infinity.  Stare into this abyss within a
> metabyss.
>
> Here's the punchline: the total infinity of possible
> passwords (assuming any finite number of keystrokes)
> and the infinity of *your* passwords are the same order
> of infinity.  Yet still your secrets are safe.  Ponder
> this paradox until you are delightfully insane.
>
> Math is so cool.  {8-]
>


Sorry Spike, but it isn't like this in today's world. Password
security and cryptography are fields that have been extensively
studied. For really good reasons. :)

<http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm>
"Think your passwords are strong enough to survive a brute force attack?
Think again. The keyspace (number of possible combinations) created by
even the most creative human mind is no match for password audit
tools.
According to @stake, the Rolls Royce of password auditing tools, their
LC5 "password auditing tool" includes pre-computed password tables
containing trillions of password hashes that have been computed in
advance of the password auditing and recovery process.
Trillions. That's right, Trillions.

A "strong", humanly generated 8 character password consisting of a few
upper and lower case letters, a couple of numbers and a special
character or two approaches approximately only 100 billion
combinations. Simply put, running a password auditing tool to decode a
humanly generated password's hash is as fast and automated an exercise
as spell checking an email."
-------------------------


But while brute-force attacks are easy nowadays, they are rarely
necessary. Humans are notoriously bad at password security. If you are
told to create a password, but you must remember it and never write it
down, what happens? You choose an easy-to-remember password like your
wife's name or your dog's name. So it is also easy for someone to
guess. Then you find that you have to remember about twenty passwords
and never write them down. So you use the same password all the time.
It's hopeless from a security POV.

Also people give their passwords to other people. "Just check my email
for me". People write them down, and other people read them. People
send them in e-mail, and that e-mail is intercepted. People use them
to log into remote servers, and their communications are eavesdropped
on. People use public terminals in airports or web cafes and leave all
their info in the cache when they log off. Apart from all the
key-loggers and trojans that are installed on all these public PCs
(and their own PCs!).

The latest trick is man-in-the-middle attacks. Fake bank sites or fake
eBay sites that look identical to the real thing and users happily key
in all their details.

Your secrets are NOT safe. Just hope that you never attract the
attention of a hacker group.

BillK
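As an added illustration of two points in the post above (how keyspace size compares with a guessing rate, and why precomputed hash tables work against unsalted hashes but not against per-user salted, slow hashes), here is a small Python example. It is not part of the original post or the list archive; the guess rate, the tiny wordlist, the 16-byte salt and the PBKDF2 iteration count are constructed assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import math
import os
import string

# --- Part 1: keyspace arithmetic ---------------------------------------------
# Alphabet sizes for the character classes named in the quoted text.
CHARSETS = {
    "lowercase": len(string.ascii_lowercase),                                  # 26
    "mixed case": len(string.ascii_letters),                                   # 52
    "mixed case + digits": len(string.ascii_letters + string.digits),          # 62
    "mixed case + digits + punctuation":
        len(string.ascii_letters + string.digits + string.punctuation),        # 94
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy in bits if every symbol is chosen uniformly (an upper bound for humans)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate at an assumed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


# --- Part 2: precomputed tables versus per-user salts -------------------------
# Constructed, deliberately tiny wordlist standing in for the "trillions" of
# precomputed entries the quoted text describes.
WORDLIST = ["password", "letmein", "rover", "alice1", "qwerty"]
PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune to your hardware


def build_precomputed_table(words):
    """Map unsalted SHA-256 hex digest -> password; computed once, reused forever."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(table, stored_hash_hex):
    """Instant recovery when the stored hash is unsalted and the word is in the table."""
    return table.get(stored_hash_hex)


def store_salted(password: str, salt: bytes = None):
    """Defender side: a random per-user salt plus a slow, iterated hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def precomputed_table_demo(password: str = "rover"):
    """Returns (unsalted lookup result, salted lookup result, correct verify, wrong verify)."""
    table = build_precomputed_table(WORDLIST)
    unsalted_hit = lookup_unsalted(table, hashlib.sha256(password.encode()).hexdigest())
    salt, digest = store_salted(password)
    # The same table is useless against the salted digest: the salt changes the
    # input, so no precomputed entry can match.
    salted_hit = lookup_unsalted(table, digest.hex())
    return unsalted_hit, salted_hit, verify_salted(password, salt, digest), verify_salted("wrong", salt, digest)


if __name__ == "__main__":
    rate = 1e9  # assumed: one billion guesses per second
    for name, size in CHARSETS.items():
        for length in (8, 12):
            print(f"{name:>36} len={length:2d}: {keyspace(size, length):.3e} candidates, "
                  f"{bits_of_entropy(size, length):5.1f} bits, "
                  f"{seconds_to_exhaust(size, length, rate) / 86400:.2e} days at {rate:.0e}/s")
    print(precomputed_table_demo("rover"))
```

Note the contrast the second part shows: the same five-entry table recovers "rover" immediately from an unsalted hash, but two users who both choose "rover" end up with different salted digests, so a table computed in advance cannot be reused against either of them, and the iteration count makes every guess cost the attacker the same work it costs the server.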


