Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Most common (or Most important) privacy leaks



So. Someone replied directly to me instead of the list suggesting that 
character length is an important factor in password security.

Letter count is a pointless factor in password security. "Four score and 
seven years ago" is 30 characters and still trivially vulnerable to 
dictionary attacks. "We hold these truths to be self-evident" is 40 
characters and it is just as weak as the first example.

Password reform starts with abandoning password rules and policies. 
Rules and policies are bad. Every policy that you enforce makes it 
easier for attackers to analyze passwords. If you have a policy that 
enforces a 15-character minimum then an attacker knows to ignore 
everything that is 14 or fewer characters, and given human nature he can 
ignore everything over about 20 characters for most passwords. If you 
have a policy that enforces the use of at least one number then an 
attacker has 9 known possible plaintexts in every password. At least one 
capital letter is 26 known possible plaintexts. And so forth.

LastPass was suggested as an enterprise solution. By Ghu, where do I 
start with this. Relying on a third party that has no obligation to 
maintain the integrity of your keys? Relying on a third party that has 
crafted its terms of service such that you have no recourse if they 
screw up or an attacker compromises their system and exposes your entire 
business to the world? And this is being floated as an enterprise 
solution? 'Nuff said.

-- 
Rich P.
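To put numbers on the pruning argument above, here is an added example (not part of the original post) that counts, exactly, how many candidate strings survive once an attacker knows a composition policy and a minimum length. It assumes the 95 printable ASCII characters split into 26 lower, 26 upper, 10 digits and 33 symbols, a uniform candidate model, and the post's "nobody goes past about 20 characters" as the upper cut.

```python
from itertools import combinations
from math import log2

# Modelling assumption: the 95 printable ASCII characters, split by class.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def count_satisfying(length, required=()):
    """Exact number of strings of `length` that contain at least one character
    from every class named in `required`, via inclusion-exclusion: subtract
    the strings missing one required class, add back those missing two, ..."""
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            usable = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * usable ** length
    return total


def candidate_space(min_len, max_len, required=()):
    """Candidates an attacker who knows the policy still has to consider."""
    return sum(count_satisfying(n, required) for n in range(min_len, max_len + 1))


def bits_removed(policy_min_len, max_len, required):
    """Bits of search space a published policy gives away, relative to
    'any printable string of 1..max_len characters' (uniform model)."""
    whole = candidate_space(1, max_len)
    pruned = candidate_space(policy_min_len, max_len, required)
    return log2(whole) - log2(pruned)


if __name__ == "__main__":
    # The post's example: 15-character minimum, at least one digit and one
    # capital letter, and a practical ceiling of about 20 characters.
    removed = bits_removed(15, 20, ("digit", "upper"))
    print(f"policy removes {removed:.3f} bits of a uniform candidate space")
```

Under this uniform model the published rules remove well under one bit at those lengths; the pruning the post describes bites on the skewed distribution of human-chosen passwords rather than on the raw keyspace.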



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org