Comment Re: There we go again (Score 1) 383
Thank you! Someone that actually took the time to figure out the context of my statements.
Thank you! Someone that actually took the time to figure out the context of my statements.
By your previous posts it seemed you needed things put in simple terms, especially since you claimed that 1) knowing the hash is the same as knowing the password (it's not) and 2) rate limiting could defeat offline password cracking (it can't). Do you stand by those claims?
Nope, because I never claimed that. You misunderstood my point and started falsely assuming things.
That's no solution: 1) Relies on the attack being detected in the first place.
Of course it is predicated on knowing you've been attacked. I was pretty sure that would be quite obvious. Of course, if you've been attacked and have no knowledge of it that these security measures won't prevent an attacker from being able to attack you again after offline brute forcing a password.
It's also completely irrelevant to the question of being able to dictionary attack a password.
And I never said it had anything to do with that scenario. You've basically have been twisting my words into something I never stated or implied and then have applied them to scenarios outside of what I originally responded to. At this point I'm simply just going to ignore you.
Yes, they aren't. But all these scenarios are orthogonal to what I was responding to originally which is someone talking about using a dictionary attack to brute force password.
As I originally responded to AC-x, if the attacker already has the hash and can then brute force it, of course what I mentioned doesn't stop them, but that scenario is no different than knowing their phone's PIN and being able to side step any of the very same protections I mentioned that phone OSes use which is to use a lock-out after a certain number of failed attempts.
And before the grammar nazis come out, yes I accidentally typed you're instead of your. Let me go commit seppuku now.
Hey Desler I really don't get you, you (appear to) know what a salt is yet you don't understand that an attacker would be performing the attack on the hash offline, with their own hardware. Rate limiting their own hardware would be, as you put it, the height of idiocy.
Except what you are talking about was not what I was originally responding to. You basically injected yourself into the conversation and completely changed the context and then started calling me an idiot. I suggest you re-read what I originally responded to:
They can be, but it would be incredibly stupid to use something like that. A dictionary attack would crack that password in seconds.
What I do is have a single, strong password that I have stored only in my brain and all other passwords are hashed on-the-fly from that and the domain or name of whatever I need the password for. I get unique, strong password for everything, but only have to remember a single one.
Do you notice that nowhere in that quoted statement is there anything about the attacker already having the password hash?
You probably shouldn't try to write about things you don't know about or understand.
My irony meter exploded.
1. The industry accepted way to store passwords securely in a database is with a one-way, salted cryptographic hash (using as CPU intensive algorithm as possible).
Duh. Being Captain Obvious again?
2. Many organisations have had database intrusions where these password hashes have been stolen (eg. eBay [threatpost.com], Linkedin [sophos.com], LivingSocial [arstechnica.com] etc.)
Yes, they have.
3. When this happens (i.e. "they have a copy of the password hash") passwords can be cracked offline. Strong passwords are safe (too hard to brute force), but weak passwords can be found using a dictionary attack.
Of course, this is why you lock the accounts until the user resets the password. Poof that attack vector is now gone.
4. Once the password is found offline a hacker can log straight in to the victim's online account with a single password attempt.
Only if you're system admins are dumb enough to not do what I state above.
Only if the passwords haven't been salted properly. Even then, a rainbow tables attack can also be thwarted by the same techniques I mentioned above. Allowing any attacker the ability to do 10s of millions if not a couple of billion (with powerful enough hardware) tries a second to brute force a password is just the height of idiocy. Using constant time password checking, rate limiting, cooldown periods and as a last resort IP bans makes you such an unattractive target that they usually just move on to some other insecure site.
Forgot to close my quote tag so fixing it.
However if a chosen password appears in a password dictionary than you can cut down your brute force search space by so much it goes from taking years (even centuries) to crack a password to taking a few hours (sometimes minutes).
Yes, that's why you stop such attacks by rate limiting and cooldowns and then eventually just ban their IP if they are just obviously an attacker. If they can only have 5 tries every 15-20 minutes the attacker is going to give up unless the user's password just happens to be near the very beginning of the dictionary.
You seem to have no clue what a password hash actually is.
Nope, you're just a poor mind reader.
Yes, that's why you stop such attacks by rate limiting and cooldowns and then eventually just ban their IP if they are just obviously an attacker. If they can only have 5 tries every 15-20 minutes the attacker is going to give up unless the user's password just happens to be near the very beginning of the dictionary.
And to further add, combined with timing attacks and any other potential weaknesses the key space of that 50 character password can be dramatically reduced.
To add above, just because the brute forcing theoretically might take a long time is no reason to allow someone to have unlimited tries. You never know when exactly their brute forcing will stumble upon the password. The user's password could potentially be within the first billion or so tries which means they could potentially brute force it in the first second with powerful enough hardware.
Based on what do you falsely assume that?
Thanks for suggesting everyone configure their system such that I can DOS them!
It's better than allowing someone to brute force account passwords. When combined with IP banning when seen that someone is just trying to attack the system your DOS attack would be short-lived.
Yeah, and I can unlock your phone without being locked out by the authentication program if I know your PIN. Were you going for a Captain Obvious award or did you think a tautological statement was somehow insightful? But if the attacker knows the password hash that is not a dictionary attack. In fact, there would be no need for any attack at all.
To clarify, I should say any brute forcing attacks rather than just dictionary attack. Any authentication program that allows unlimited tries without any rate limiting is totally broken.
The faster I go, the behinder I get. -- Lewis Carroll
