
Comment Re:Rethinking our approach (Score 2) 81

Well, any effective throttling mechanism can also be used as a DoS vector.

That may not be how they breach them

While I agree that more software = more attack surface, in the specific case of a password keeper, I think that easily allowing high-entropy passwords increases security much more than using a password keeper decreases it.

Comment Re:Kaspersky Sales (Score 1) 81

My rainbow table from 2004 has hashes for every combination of 0-255 (not just printable ASCII) up to 256 bytes long.

256 bytes is 2 kbits, which means your table has to have 2^2048 entries? I doubt that. If you took every atom in the universe and turned it into its own universe, and did that 3 times, the number of atoms in the resulting universe of universe of universes would still be less than 2^2048.

Comment Re:Rethinking our approach (Score 1) 81

Anyhoo the best kinds of passwords are phrases with subtle errors or small random changes

No, that is not true. The best kinds of passwords are long sequences of characters derived from /dev/random. Using a cryptographically-secure random number generator to make a password with as much entropy as possible is provably better than anything else.

I guarantee that nobody will crack something like

k$18aWIpbQuo(s!opM2eKCiotu,W?jvr

There are plenty of password-cracking tools that introduce "subtle errors" or "small random changes" to English phrases.
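An added example (not from the comment above) of what "as much entropy as possible" means in numbers: it draws a password from the OS CSPRNG via Python's `secrets` module and computes the entropy of a uniformly random password as length * log2(alphabet size). The alphabet, the 10^12 guesses/second rate and the function names are assumptions for illustration.

```python
import math
import secrets
import string

# Assumed alphabet: printable ASCII without space, 94 symbols, the kind of
# character set the sample passwords in this thread are drawn from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password of `length` symbols, each chosen
    uniformly at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Each character comes from the OS CSPRNG (secrets uses os.urandom),
    the same source as reading /dev/urandom directly."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_guesses(bits: float) -> float:
    """On average an attacker must try half the keyspace."""
    return 2 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline brute force at the given guess rate."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(32)
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(pw)
    print(f"{bits:.1f} bits of entropy")
    # The "every byte value, up to 256 bytes" table discussed in the thread:
    print(f"full table would need 2^{entropy_bits(256, 256):.0f} entries")
    # Assumed attacker rate of 10^12 guesses per second (constructed figure).
    print(f"{years_to_crack(bits, 1e12):.3e} years at 1e12 guesses/s")
```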

Comment Re:Rethinking our approach (Score 1) 81

No, if you base it on IP address, then it's pointless to lock out attackers because they have more IP addresses than you can ever hope to lock out. And consider your authentication system design, potentially having to keep track of tens of millions of locked IP addresses per user account...

I have never encountered a system that took IP addresses or even networks into account when deciding whether or not to lock an account. If an organization is aware that someone is trying to crack your account and they do use lockouts, but don't lock it out globally, then IMO they are at risk of a lawsuit.

Comment Re:Rethinking our approach (Score 2) 81

What I'm saying is this: Throttling is ineffective if you base it on IP address (because attackers have nearly unlimited numbers of those) and is a DoS if you don't consider the IP address.

While password keepers can be subject to attacks, because they let you use long and random passwords, an attacker obtaining the encrypted vault is probably not going to be able to decrypt many passwords, as opposed to not using a password keeper and using passwords you can memorize. I think you are not really understanding how password attacks work.

Comment Re:Rethinking our approach (Score 2) 81

When I ran my company, that's exactly what we did. We picked people's passwords for them and did not let them change the password. If they wanted to change it, then we generated a different random one for them.

My rationale was that if we got hacked and the passwords were leaked, at least those passwords were very unlikely to be useful on any other sites used by our customers. Unless they loved our password so much they reused it, I guess... but that's not too likely.

Comment Re:Rethinking our approach (Score 4, Insightful) 81

A traditional login system throttles based on the endpoint (i.e., the IP address or a specific browser cookie.) I read your setup as a global throttle. If that's not what you meant, then fine; I'll explain why throttling doesn't work: Attackers have armies of machines at their disposal as part of a botnet, and they can distribute their cracking attempts so it doesn't look like any one particular machine is trying too often.

And if you lock an account after a certain number of incorrect guesses... we're back to the DoS situation, where anyone who knows or can guess your login name (often your email address) can lock you out of your account.

Yes, a password keeper is a vector for hacking. But if your password keeper is locally stored on your computer, it's a very distributed target compared to getting a juicy list of encrypted passwords from a big web site. Hackers are going to spend mountains more effort trying to hack LinkedIn than they are trying to sniff around my PC to try to find my encrypted passwords.

Password keepers are also good for ensuring you don't use the same password on multiple web sites. Because if you do, then someone figuring out your Pinterest password might also get hold of your online banking password, since they are the same.

Comment Re:Rethinking our approach (Score 4, Insightful) 81

Great, so now attackers can easily DoS your login system.

Besides, most password-strength analyses assume the attacker has full access to the file of encrypted passwords.

However, nobody in their right mind will store a password by simply storing the MD5 sum of the password. It will be salted and stored with a large number of rounds of a more secure hashing function which makes the crackers' job much harder.

You don't need to write "War and Peace". I will generate a perfectly secure, practically-uncrackable password for you right now.

/qh->0,uzLCb!51Wlcha4:a?@4Nmr:&^

Of course, you'll never be able to remember it. Which is why you store it in a password-keeper, encrypted with a strong passphrase (the only thing you do need to remember) and using a strong encryption algorithm like AES256.
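An added example (not code from the comment above) contrasting the two storage schemes it mentions: a bare MD5 sum beside a salted, iterated PBKDF2-HMAC-SHA256 record with constant-time verification. The record format, the iteration count and the function names are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor; tune so one hash costs a noticeable fraction of a
# second on the server. Higher rounds cost the attacker the same multiple.
ROUNDS = 600_000


def md5_store(password: str) -> str:
    """The scheme the comment warns against: unsalted, single-pass MD5.
    Equal passwords give equal hashes, so one precomputed table breaks all."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, rounds: int = ROUNDS) -> str:
    """Salted and iterated. Record layout (our own, for this example):
    pbkdf2_sha256$<rounds>$<salt hex>$<digest hex>.
    A fresh 16-byte salt per user defeats shared rainbow tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds, compare in constant time
    so response timing does not leak how many digest bytes matched."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    pw = "correct horse battery staple"
    print("md5  :", md5_store(pw), "(same for every user with this password)")
    rec_a, rec_b = pbkdf2_store(pw), pbkdf2_store(pw)
    print("pbkdf2 records differ for the same password:", rec_a != rec_b)
    print("verify ok   :", pbkdf2_verify(pw, rec_a))
    print("verify wrong:", pbkdf2_verify("hunter2", rec_a))
```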
