Password Recovery Speeds

March 13th 2009

Ivan Lucas of “Lockdown.co.uk” has posted an interesting summary of Password Recovery Speeds. These are scaled on the assumption that the attacker will do trial-and-error attempts of all possible permutations. I think it would be interesting to include a scale that considers ‘likely’ password selections.

I’ve been reviewing postings from the past few months that look at password selection, including a password list stolen from phpBB, a built-in list used for cracking by the Conficker worm, and a list of the “500 most common passwords” from a book called Perfect Passwords. Bruce Schneier also wrote about MySpace passwords back in 2006. Dan Klein did the classic assessment of password selection and cracking way back in 1990, and it seems like people’s choices haven’t changed a lot since then.

Aside from speedup due to Moore’s Law, I don’t think password security has changed much since 1990.

Posted under Security | No Comments »

Easily Reset Passwords and OpenID

September 20th 2008

It’s no surprise that someone managed to reset Sarah Palin’s password on a freebie e-mail account. She’s a public figure and the answers to her so-called “security questions” are on the public record. It’s one thing to do personal and political e-mail on a Yahoo account but it’s DUMB to use such an account for government business when you have your very own support staff to keep that e-mail secure.

Large scale vendors like Yahoo and Google can’t help but do a bad job at authentication. This is why OpenID poses such promise – it lets us choose our authentication provider. Yes, some people will choose bad vendors. Careful people, however, get to choose safe ones.

Posted under Security | No Comments »

Mixed Bag: Lifehacker’s Top 10 Computer Annoyances

July 17th 2008

There’s some terrific stuff here. Unfortunately, it’s packaged with Internet-based password selection.

Get it straight: you’re only supposed to share your passwords with yourself and your keyboard. You aren’t supposed to ask your astrologer for one, or collect one from someone on the bus, or at a cocktail party. And never, ever from an Internet web site.


Posted under Security | No Comments »

Secure Passwords: unclear with the concept

July 15th 2008

Another chuckle:

Someone picked up the domain ‘highsecuritypasswordgenerator.com’ and has proceeded to implement a password generator on it. The generator applies a common technique (I described it in my book Authentication) wherein you choose two words from long lists and separate them with a special character of some sort.

The down side should be obvious to anyone who thinks about web security: the password is shared with the password generating site and with anyone who sniffs the web page as it travels across the Internet.
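As an added illustration (not code from the original posts or from the site mentioned), the Python below sizes the keyspace of the two-words-plus-separator scheme, scales worst-case recovery time the way the Lockdown table does, contrasts that with an attacker who tries a list of ‘likely’ passwords first, and generates the passphrase locally so it is never sent to or sniffed from a web site. The word lists, separators, dictionary size and guess rates are constructed sample values.

```python
"""Keyspace, recovery-time and local generation for the two-word passphrase scheme."""
import math
import secrets

# Constructed sample word lists; a real generator would use lists of thousands.
WORDS_A = ["amber", "basil", "cedar", "delta", "ember", "fjord", "ginger", "harbor"]
WORDS_B = ["kettle", "lantern", "marble", "nickel", "orbit", "pepper", "quartz", "ribbon"]
SEPARATORS = "!@#$%^&*-_=+"


def generate_passphrase(words_a=WORDS_A, words_b=WORDS_B, seps=SEPARATORS):
    """Pick two words and a separator with the OS CSPRNG, entirely on this host.

    Nothing is transmitted, so there is no page for a third party to sniff."""
    return secrets.choice(words_a) + secrets.choice(seps) + secrets.choice(words_b)


def keyspace(n_a, n_b, n_seps):
    """Distinct passphrases the scheme can produce: |A| * |separators| * |B|."""
    return n_a * n_b * n_seps


def entropy_bits(n_a, n_b, n_seps):
    """Bits of entropy when every word and separator is chosen uniformly."""
    return math.log2(keyspace(n_a, n_b, n_seps))


def recovery_times(space, guesses_per_second):
    """Worst-case seconds to try every permutation at each guess rate.

    This is the exhaustive-search scaling used by the Lockdown table."""
    return {rate: space / rate for rate in guesses_per_second}


def expected_guesses_with_dictionary(space, dictionary_size, p_in_dictionary):
    """Expected guesses when the attacker tries a 'likely passwords' list first.

    With probability p the password is in the dictionary (found after about
    half the list); otherwise the whole list is wasted and an exhaustive search
    over the full keyspace follows (about half the space on average)."""
    hit = p_in_dictionary * (dictionary_size / 2)
    miss = (1 - p_in_dictionary) * (dictionary_size + space / 2)
    return hit + miss


if __name__ == "__main__":
    # 7776-word lists (a common long list size) and 12 separators: ~29.4 bits.
    space = keyspace(7776, 7776, len(SEPARATORS))
    print("passphrase:", generate_passphrase())
    print("keyspace:", space, "bits:", round(entropy_bits(7776, 7776, len(SEPARATORS)), 1))
    for rate, secs in recovery_times(space, [1e4, 1e6, 1e9]).items():
        print(f"{rate:>12,.0f} guesses/s -> {secs:,.1f} s worst case")
    # Constructed 'likely' model: a 500-entry common list that hits 20% of users.
    print("expected guesses with dictionary:", expected_guesses_with_dictionary(space, 500, 0.2))
```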

Posted under Security | No Comments »
