[clug] [OT] all text passwords == secure?

James Ring sjr at jdns.org
Mon Aug 27 17:31:14 MDT 2012


Scott,

On Mon, Aug 27, 2012 at 3:59 PM, Scott Ferguson
<scott.ferguson.clug at gmail.com> wrote:
> On 27/08/12 22:54, Sam Couter wrote:
>> Scott Ferguson <scott.ferguson.clug at gmail.com> wrote:
> Examine all the major security breaches and you'll find someone,
> somewhere, decided it was "too hard" to do something very basic. That's
> a mental problem most typified by the sort of thinking that constructs
> elaborate arguments and invests great energy to justify doing very
> little. This leads otherwise intelligent and rational people to abandon
> logic and let emotion blind them - instead of measuring the various
> arguments they look for (and invent) flaws in the person presenting an
> opposing view in a sad attempt to justify their recalcitrance. e.g.
> ad-hominem attacks using large words for wanker (to be clear - I'm
> *not* referring to you Sam).

Wait what?

> Most of the math people are trotting out is just fetishism - it should
> *never* apply. Any system that allows fast password attempts (more than a
> few per minute) or a large number of failed attempts is a bad system -
> regardless of how many "developers" "need" the ability to fail all day long.

Well the problem is when your password hash gets stolen because the
site got owned and they stored passwords hashed without a salt. Now
they have a hash and they can try as many times as they like. To
protect against a rainbow attack it's actually probably more important
to use a unique password of a decent length than anything else.

>>
>> Longer combinations of words are much less vulnerable.
>
> Longer *numbers* of words are *less* vulnerable than shorter *numbers* of
> words.
>
> What you are missing is that the XKCD strip is being interpreted to mean
> that number of words (total of 25 characters) is *less* vulnerable to a
> brute force (try all 218 characters) attack on 8 mixed characters. It is.
> What the strip misses is that in real life (not a comic strip) an attack
> would *not* be brute force - it'd be a dictionary attack.

I think you're obsessed with brute force. Brute force is infeasible
even on an 8 character password composed only of lowercase. The point
of the comic is that successful password attacks are not brute force
because the space of passwords that people ACTUALLY USE is much
smaller than the space they can choose from.

> Do you get the point where the extra non alpha character *forces* a
> brute force attack? Whereas without it entropy doesn't apply because
> entropy is a measure of randomness - which does *not* apply to
> dictionary attacks.

It doesn't force a brute force attack in the same way that adding
substitutions to a shorter password forces a brute force attack. It's
the same thing: if you know something about the way people choose
passwords, you can reduce your search space. You only have to try the
substitutions that people are likely to select. Obviously, the more
you know about how people select their passwords, the less searching
you have to do.

Also you have to remember what the objective is for an attacker. Maybe
they only need to successfully crack 25% of the passwords they get in
order to achieve the objective...

>> Authentication is pretty integral to most applications
>> because authorisation is integral to them.
>
> That reads like gibberish (but I think I understand what you mean).

Actually it's pretty logical: you can't really have one without the other.

Regards,
James
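An added illustration of the salting point made above (example code written for this page, not part of the original thread): with an unsalted hash, two users who chose the same password get the same digest, so one precomputed table cracks both; a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here, as an assumed choice) gives distinct digests and makes each offline guess expensive. The user list and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to pick the same passphrase.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """The weak scheme discussed in the thread: plain SHA-256, no salt,
    no work factor. Equal passwords give equal digests, so a single
    precomputed (rainbow) table covers every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """Per-user random salt plus a deliberately slow KDF. The salt defeats
    precomputed tables (each user needs a fresh attack); the iteration
    count makes every guess cost thousands of hashes instead of one."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, stored)


def unsalted_digests_collide(users=USERS) -> bool:
    """True when identical passwords produce identical stored values."""
    return len({unsalted_hash(p) for p in users.values()}) == 1


def salted_digests_collide(users=USERS) -> bool:
    """With per-user salts this is False even for identical passwords."""
    return len({salted_hash(p)[1] for p in users.values()}) == 1


if __name__ == "__main__":
    print("unsalted collide:", unsalted_digests_collide())  # True
    print("salted collide:  ", salted_digests_collide())    # False
```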
