[Discuss] Most common (or Most important) privacy leaks

[Jerry Feldman]

On 02/18/2015 11:20 AM, Bill Bogstad wrote:
> On Wed, Feb 18, 2015 at 4:15 AM, Richard Pieri <richard.pieri at gmail.com> wrote:
>> So. Someone replied directly to me instead of the list suggesting that
>> character length is an important factor in password security.
>>
>> Letter count is a pointless factor in password security. "Four score and
>> seven years ago" is 30 characters and still trivially vulnerable to
>> dictionary attacks. "We hold these truths to be self-evident" is 40
>> characters and it is just as weak as the first example.
>>
>> Password reform starts with abandoning password rules and policies. Rules
>> and policies are bad. Every policy that you enforce makes it easier for
>> attackers to analyze passwords. If you have a policy that enforces a 15
>> character minimum then an attacker knows to ignore everything that is 14 or
>> fewer characters, and given human nature he can ignore everything over about
>> 20 characters for most passwords. If you have a policy that enforces the use
>> of at least one number then an attacker has 9 known possible plaintexts in
>> every password. At least one capital letter is 26 known possible plaintexts.
>> And so forth.
> The problem with this that if you don't enforce a minimum length on passwords
> a significant number of your users will use something that is probably less than
> 6 characters long.   Of course, many of those would fall to a
> dictionary attack as well.
> And the same users are going to use "Four score ...." if you require
> longer passwords,
>  so you lose anyway.
Many places have a requirement to use at least 1 upper case and 1 lower
case letter and at least 1 digit. So that increases the number of
possible characters in each position 62. While this along with length
will defeat a simple password cracker, using smarter techniques that
know this, make that rule somewhat moot. (again, Richard is correct).
But it comes down to usability. Many of us have multiple systems we log
into, at least 1 home computer or laptop, smart phone, work computer. My
company allows us to use our personal smartphones for company email, but
they require a strong password authentication on the phone as well as
the ability of the company to wipe the phone in the case of what they
perceive as a breach. Since I don't need to be on call 24x7, I don't
want my company to have access to my phone.

So, if you know the rules, then you can more easily crack a password,
but if you lack rules, then you allow people to have very weak
passwords. So, it is a catch-22 situation. Unfortunately I don't have a
solution.

-- 
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix
PGP key id:B7F14F2F
PGP Key fingerprint: D937 A424 4836 E052 2E1B  8DC6 24D7 000F B7F1 4F2F