[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Are passwords even long enough?
- Subject: [Discuss] Are passwords even long enough?
- From: kentborg at borg.org (Kent Borg)
- Date: Sun, 3 Jul 2016 12:30:14 -0400
- In-reply-to: <email@example.com>
- References: <firstname.lastname@example.org>
On 07/02/2016 06:13 PM, IngeGNUe wrote: > Someone nearly cracked into my gmail the other day. I had a 50+ > character, randomly-generate password too. Nonetheless, it ended up > being traded on the deep web, and I was notified of it. > > Naturally, I acted quickly to change my passwords. But what saved me was > the two-factor authentication. > > How does that even happen though? Compromised SSL? Allow me to drift off-topic for a moment first: you don't need a 50-character random password. That is, a *password* doesn't need to be that long. In contrast, an encryption key MUST be very long to be secure. The difference is that password guesses can NOT be made million of times a second unless the site using it is completely incompetent, in which case you have bigger problems. Note that an ATM PIN is only 4-digits long. How is that secure? They severely limit guessing. Data encrypted with your encryption key, in contrast, can be copied across multiple computers and attempts can be made as fast as your foe cares to try. So don't waste your energy on ubercomplex passwords, put that effort into the passphrases you use for encryption, passwords should have components that are actually chosen randomly (not things that "seem" random to you), but don't need to be that complex or hard to type. Google up "diceware", for an example. A second point: some stupid sites will silently truncate a password after just a few characters. If it might be a poorly designed site, make sure there is something pretty random in the first few characters and not just after character 8. Okay, to your point: If you made up a random password, then the only way it could be traded is because you gave it to someone. What are the possibilities? - One, you gave it to Google, which you have to do. - Two, you gave it to someone else. - Three, they process of using it correctly, leaked. Let's look at each in turn: - Evidence is that Google is doing this pretty well. Chances are they did not leak just your password. Maybe they leaked a bunch, but that would make the news and I haven't seen it. - SSL is a mess, there are dozens of certificate authorities that your web browser trusts, scattered from around the world, some run by foreign governments I don't trust, some poorly run in general. Any one of which could issue a certificate pretending to be Google, that certificate could be used in a man-in-the-middle attack against you, and then sold. There have been fake Google certificates seen in the wild but they are rare and they make the news. So, unless you are a juicy target or very unlucky and caught in some attack that has not yet made the news, then SSL isn't the hole. - Which leaves you. Where have you *ever* typed that password? If you don't know, then you aren't being careful enough. If you reuse passwords on different accounts, then it is like you are picking a master key (or keys) for your life and casually handing out copies, if any single site is cracked or crooked, you are exposed. Do you type your password on computers in hotel lobbies or libraries or on friends' computers? How do you know there isn't spyware installed on those computers? Is there spyware on your own computer that might leak your password. Have you typed that password on your phone? Do you have spyware installed on it? How do you store such an impossible password, some service or utility program? How do you know it doesn't have security holes, and is honest? In the case of spyware on your own devices and computers, you can't entirely control that, but you can be limited and conservative about what you install, you can try to buy more trustworthy hardware: even big name manufacturers install insecure bloatware. I run Linux that I administer conservatively, my Android devices are "Nexus" devices that come with only Google software on them, and I am conservative about what I add. This "endpoint security" problem is really scary, and impossible to do perfectly. But is is *easy* to do it very, very poorly, so don't do it poorly. The bottom line is that most likely you typed your password someplace that was not secure. Every time you type your password, why are you doing that, why is it a save place to type that password? -kb
- [Discuss] Are passwords even long enough?
- From: ingegnue at riseup.net (IngeGNUe)
- [Discuss] Are passwords even long enough?
- Prev by Date: [Discuss] best way to automount removable SATA drives
- Next by Date: [Discuss] best way to automount removable SATA drives
- Previous by thread: [Discuss] Are passwords even long enough?
- Next by thread: [Discuss] Are passwords even long enough?