[ale] OT - New encryption technology using a piece of paper

Michael H. Warfield mhw at WittsEnd.com
Sat Sep 3 20:41:00 EDT 2011


On Sat, 2011-09-03 at 20:24 -0400, JD wrote: 
> > Good response.  Reminds me that it's about time for me to change my
> > passwords.  (As much as I hate password change requirements, I can't
> > trust most websites to not have lost hashes at some point.)
> > 
> > I understand you have an incredible memory (wish I did) but is it good
> > enough for all your passwords, or do you store them somewhere?  If so,
> > what do you use to store them?
> > 
> > I currently use KeePassX, and my only complaint is that it has no
> > browser integration (though that might be a good thing, depending on
> > the attack scenario).

> I also use KeePassX (and compatible other options on other systems) for
> all but 3 of my logins. I couldn't tell you any other passwords and I
> probably can't type them.  Most are 45+ characters randomly generated by
> the tool.  The few that aren't long and random are from logins that
> don't allow it.  For example, the router for our business ISP (their
> equipment) has some of the dumbest rules and lack-of-length requirements
> that I've ever seen, only banks are worse.

> As long as we are talking about cracking passwords, at the last
> OuterZ0ne, one of the speakers was a professional password hacker. His
> talk explained "why your password policies suck".  Here's the video of
> his talk:
> http://www.irongeek.com/i.php?page=videos/outerz0ne-2011-hacker-con#Pure_Hate_-_Why_your_password_policy_sucks

> Basically, passwords less than 12 characters are a joke these days if
> the database gets out.  It has been 6 months, but I recall that in a few
> hours, his team had cracked 40% of the passwords on a system with 1000+
> users.

Yeah, that's pretty much the operative rule of thumb we are going under
nowadays.  With those hashes, any decent cluster of GPUs (PS3's) running
in parallel with a rainbow table on the front end to weed out the low
hanging fruit fast and concentrate the heavy firepower on the tough ones
is going to pretty much rape anything less than 12 and I wouldn't even
bet on 12, myself.  Really operative word is "if the database gets out".
How are they lost?  Unencrypted backups lead the fray with direct
break-ins right in there with it.  Lame web sites with SQL injection
are not helping matters either (keep those web passwords separate).

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
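To make the "if the database gets out" point above concrete, here is an added Python example (not part of the thread): it shows why an unsalted fast hash falls instantly to a precomputed lookup table, how a per-user salt plus an iterated KDF removes that shortcut, and how the keyspace grows between 8 and 12 characters. The wordlist, the salt and the guess rate are constructed assumptions, not measurements.

```python
import hashlib
from typing import Dict, Optional

# Constructed toy wordlist standing in for the "low hanging fruit" a
# precomputed table catches; no real credentials.
WORDLIST = ["password", "letmein", "qwerty123", "Summer11", "hunter2"]

def fast_hash(pw: str, salt: bytes = b"") -> str:
    """One SHA-256 over (salt + password): fast, GPU friendly, and exactly
    the kind of hash a leaked database should NOT contain when unsalted."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once; the idea behind a rainbow table."""
    return {fast_hash(w): w for w in words}

def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Instant recovery if the stored hash was computed without a salt."""
    return table.get(stored_hash)

def slow_hash(pw: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt: the table above no longer
    applies and every guess costs the attacker `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()

def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string of `length` characters over an
    `alphabet` of that size at an assumed guess rate (assumption, not a benchmark)."""
    return alphabet ** length / guesses_per_second

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", lookup(table, fast_hash("letmein")))            # letmein
    salt = b"constructed-per-user-salt"                                # assumed salt
    print("salted:  ", lookup(table, fast_hash("letmein", salt)))      # None
    rate = 1e10  # assumed guesses per second for a GPU cluster vs. a fast hash
    for n in (8, 12):
        days = seconds_to_exhaust(n, 95, rate) / 86_400
        print(f"{n} printable chars: {days:,.0f} days to exhaust the keyspace")
```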