[Discuss] Most common (or Most important) privacy leaks

Eric Chadbourne eric.chadbourne at icloud.com
Wed Feb 18 10:18:43 EST 2015


On Feb 17, 2015, at 10:15 PM, Richard Pieri <richard.pieri at gmail.com> wrote:
> 
> So. Someone replied directly to me instead of the list suggesting that character length is an important factor in password security.
> 
> Letter count is a pointless factor in password security. "Four score and seven years ago" is 30 characters and still trivially vulnerable to dictionary attacks. "We hold these truths to be self-evident" is 40 characters and it is just as weak as the first example.
> 
> Password reform starts with abandoning password rules and policies. Rules and policies are bad. Every policy that you enforce makes it easier for attackers to analyze passwords. If you have a policy that enforces a 15 character minimum then an attacker knows to ignore everything that is 14 or fewer characters, and given human nature he can ignore everything over about 20 characters for most passwords. If you have a policy that enforces the use of at least one number then an attacker has 9 known possible plaintexts in every password. At least one capital letter is 26 known possible plaintexts. And so forth.
> 
> LastPass was suggested as an enterprise solution. By Ghu, where do I start with this. Relying on a third party that has no obligation to maintain the integrity of your keys? Relying on a third party that has crafted its terms of service such that you have no recourse if they screw up or an attacker compromises their system and exposes your entire business to the world? And this is being floated as an enterprise solution? 'Nuff said.


Well said!

- Eric C
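The quoted argument can be checked numerically. The following script is an added example and is not part of the thread or of anything either poster wrote; it quantifies how much of the search space a composition rule ("at least one digit", "at least one capital") removes, and how few guesses a long-but-famous phrase actually buys. The character-class sizes (95 printable ASCII characters split into lower, upper, digit and symbol) and the 10,000-quote list size are assumptions chosen for illustration.

```python
from itertools import combinations
from math import log2

# Assumed character classes over the 95 printable ASCII characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def count_with_required_classes(length, required, classes=CLASSES):
    """Count strings of `length` over the full alphabet that contain at least
    one character from every class in `required`.

    Inclusion-exclusion over the set of required classes that are *missing*:
    strings avoiding a set M of classes are drawn from an alphabet of size
    (full - sum of sizes in M), so we alternate signs over all subsets M."""
    full = sum(classes.values())
    req = list(required)
    total = 0
    for k in range(len(req) + 1):
        for missing in combinations(req, k):
            reduced = full - sum(classes[c] for c in missing)
            total += (-1) ** k * reduced ** length
    return total


def policy_reduction_bits(length, required, classes=CLASSES):
    """How many bits of search space a composition policy gives away:
    log2(all strings) - log2(strings that satisfy the policy).
    The policy-compliant set is exactly what an attacker needs to cover."""
    full = sum(classes.values())
    allowed = count_with_required_classes(length, required, classes)
    return log2(full ** length) - log2(allowed)


def random_string_bits(length, alphabet=ALPHABET):
    """Guess space, in bits, of a uniformly random string of `length`."""
    return length * log2(alphabet)


def quote_list_bits(n_quotes):
    """Guess space of 'pick one well-known quotation from a list of n'.
    Character length of the quote does not appear anywhere in this number."""
    return log2(n_quotes)


def summary(length=8, n_quotes=10_000):
    """Side-by-side figures used by the demo below; returned for checking."""
    return {
        "random_8_bits": random_string_bits(length),
        "digit_rule_loss_bits": policy_reduction_bits(length, ["digit"]),
        "digit_and_upper_rule_loss_bits": policy_reduction_bits(length, ["digit", "upper"]),
        "famous_quote_bits": quote_list_bits(n_quotes),
    }


if __name__ == "__main__":
    s = summary()
    print(f"Random 8-char password:             {s['random_8_bits']:.1f} bits")
    print(f"Search space removed by digit rule: {s['digit_rule_loss_bits']:.2f} bits")
    print(f"Removed by digit + capital rules:   {s['digit_and_upper_rule_loss_bits']:.2f} bits")
    print(f"30-char quote from a 10k-quote list: {s['famous_quote_bits']:.1f} bits")
```

Run it and the two halves of the argument show up as numbers: a 30-character quotation chosen from a (constructed) list of 10,000 is worth about 13 bits of guessing, far below even an 8-character random string, while each composition rule trims a fraction of a bit to a bit or so from the space the attacker must cover. The inclusion-exclusion count is exact, so it can be cross-checked against brute force on tiny alphabets.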

