I was stumbling around and happened onto this essay by Bruce Schneier claiming that the XKCD password scheme was effectively dead.

> Modern password crackers combine different words from their dictionaries:
>
> This is why the oft-cited XKCD scheme for generating passwords - string together individual words like "correcthorsebatterystaple" - is no longer good advice. The password crackers are on to this trick.
>
> The attacker will feed any personal information he has access to about the password creator into the password crackers. A good password cracker will test names and addresses from the address book, meaningful dates, and any other personal information it has. If your program ever stored it in memory, this process will grab it.

His contention seems to be that it's known that people might construct their passwords in such a way that makes them amenable to attack, but it seems to me like the strength lies purely in the power of exponents. I assume he's alluding to people not choosing the words truly randomly, which perhaps isn't totally disingenuous, as I've rerolled a couple of times to get something that isn't all adverbs and adjectives. However, I assume that lowering the entropy by a factor of 2-10 isn't really significant (if the word list is doubled to 4000, not that hard, the loss is more than recovered).

The other quip about "if your program ever stored it in memory" is a bit disconcerting though. Aren't all passwords stored in memory at one time or another? That seems a bit overbroad; what is he actually referring to?

One of the many reasons there is no consistent advice about passwords is that it all comes down to an issue of threat modeling. If you get 10 computer security professionals in a room and ask them how to come up with good passwords, you will get 11 different answers. I think you will find that the correct way to generate passwords could start a holy war where each group thinks the other is making a very simple mathematical mistake or missing the point.

What exactly are you trying to defend against? For example: are you trying to protect against an attacker who is specifically targeting you and knows your system for generating passwords? Or are you just one of millions of users in some leaked database? Are you defending against GPU-based password cracking or just a weak web server? Are you on a host infected with malware?
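To put numbers on the "power of exponents" argument and the threat-modeling questions above, here is an added worked example (my own code, not from the post or from Schneier's essay). It assumes the diceware-style scheme with each word drawn uniformly from a list the attacker knows; the guess rates in THREAT_MODELS are rough assumed figures, not measurements.

```python
import math
import secrets

# Added example. Assumes the XKCD/diceware scheme: each word is drawn uniformly
# from a list of `list_size` words, and the attacker knows the list and the scheme.

def passphrase_bits(list_size: int, words: int) -> float:
    """Entropy in bits of `words` words drawn uniformly from `list_size` choices."""
    return words * math.log2(list_size)

def pruned_bits(bits: float, prune_factor: float) -> float:
    """Entropy left if the attacker can skip all but 1/prune_factor of the space,
    e.g. because users reroll until the phrase 'reads well' (a 2-10x loss)."""
    return bits - math.log2(prune_factor)

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the space is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def generate_passphrase(wordlist, words: int = 4) -> str:
    """Choose words with a CSPRNG (random.choice is not suitable for secrets)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

# Assumed, constructed guess rates for three very different threat models.
THREAT_MODELS = {
    "online, rate-limited login": 10.0,
    "offline, slow KDF (bcrypt/scrypt/Argon2)": 1e4,
    "offline, fast unsalted hash on GPUs": 1e10,
}

def crack_years(list_size: int, words: int, prune_factor: float) -> dict:
    """Expected years to crack one passphrase under each threat model."""
    bits = pruned_bits(passphrase_bits(list_size, words), prune_factor)
    return {name: expected_crack_seconds(bits, rate) / (3600 * 24 * 365)
            for name, rate in THREAT_MODELS.items()}

if __name__ == "__main__":
    base = passphrase_bits(2048, 4)        # 44.0 bits
    worst = pruned_bits(base, 10)          # ~40.7 bits after a 10x pruning
    bigger = passphrase_bits(4096, 4)      # 48.0 bits: list doubled, +4 bits
    print(f"2048 words x4: {base:.1f} bits; after 10x pruning: {worst:.1f} bits")
    print(f"4096 words x4: {bigger:.1f} bits (doubling the list adds {bigger - base:.0f} bits)")
    for name, years in crack_years(2048, 4, 10).items():
        print(f"{name:42s} ~{years:.3g} years")
    # Constructed toy list; a real diceware list has thousands of entries.
    print("sample:", generate_passphrase(["correct", "horse", "battery", "staple", "bird", "lamp"]))
```

Doubling the list adds one bit per word (four bits for four words, a 16x larger space), which is why the 2-10x loss from non-random word choice (1 to 3.3 bits) is more than recovered; the same 44-bit phrase goes from minutes against a fast hash to decades against a slow KDF.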