BLU Discuss list archive
[Discuss] Most common (or Most important) privacy leaks
- Subject: [Discuss] Most common (or Most important) privacy leaks
- From: gaf at blu.org (Jerry Feldman)
- Date: Sat, 21 Feb 2015 07:43:19 -0500
- In-reply-to: <54E403EA.5010305@gmail.com>
- References: <BN3PR0401MB12046B091F0FA6E67DDB34A2DC2F0@BN3PR0401MB1204.namprd04.prod.outlook.com> <54E366FE.3060806@borg.org> <BN3PR0401MB1204BCFBB4B81B46A3F6A020DC2F0@BN3PR0401MB1204.namprd04.prod.outlook.com> <54E37F9E.9040001@borg.org> <54E388A3.9080608@mattgillen.net> <54E391AE.2000304@borg.org> <54E39B78.1050909@borg.org> <BN3PR0401MB120461F5A6D32B345AC39231DC2F0@BN3PR0401MB1204.namprd04.prod.outlook.com> <54E3B908.9090809@gmail.com> <CANiupv5ogzhJeFOoF=RFXPO8SZe7G+__yb-5aep0PgaFtS=Ymw@mail.gmail.com> <54E403EA.5010305@gmail.com>
On 02/17/2015 10:15 PM, Richard Pieri wrote:
> So. Someone replied directly to me instead of the list suggesting that
> character length is an important factor in password security.
>
> Letter count is a pointless factor in password security. "Four score
> and seven years ago" is 30 characters and still trivially vulnerable
> to dictionary attacks. "We hold these truths to be self-evident" is 40
> characters and it is just as weak as the first example.
>
> Password reform starts with abandoning password rules and policies.
> Rules and policies are bad. Every policy that you enforce makes it
> easier for attackers to analyze passwords. If you have a policy that
> enforces a 15 character minimum then an attacker knows to ignore
> everything that is 14 or fewer characters, and given human nature he
> can ignore everything over about 20 characters for most passwords. If
> you have a policy that enforces the use of at least one number then an
> attacker has 9 known possible plaintexts in every password. At least
> one capital letter is 26 known possible plaintexts. And so forth.
>
> LastPass was suggested as an enterprise solution. By Ghu, where do I
> start with this. Relying on a third party that has no obligation to
> maintain the integrity of your keys? Relying on a third party that has
> crafted its terms of service such that you have no recourse if they
> screw up or an attacker compromises their system and exposes your
> entire business to the world? And this is being floated as an
> enterprise solution? 'Nuff said.

While I do use LastPass... Any type of cloud system, whether being used as a secure password vault or for your personal storage, has one issue: it is run by a business. A business needs to make money, but businesses can go out of business, and you could lose all the data you have stored there. While Google, Microsoft, Amazon and IBM are not going out of business any time soon, they might decide that their cloud business is unprofitable and get rid of it, like Canonical did. Or it can be shut down, like Kim Dotcom's Megaupload.

While I agree with Richard on policies, how does a business enforce strong passwords on its employees without policies? (Personally I would prefer biometrics, but as previously mentioned, they have problems too.)

--
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix
PGP key id:B7F14F2F
PGP Key fingerprint: D937 A424 4836 E052 2E1B 8DC6 24D7 000F B7F1 4F2F
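The effect Richard describes, that a composition rule tells an attacker something about every password, can be measured by counting how many candidates the rule leaves in the search space. The following is an added example for this thread, not code from the list or from any project; it assumes the 95 printable ASCII characters split into the four class sizes shown, and uses inclusion-exclusion to count strings that satisfy "at least one character from each required class".

```python
"""Keyspace arithmetic for password composition rules (constructed example)."""
from itertools import combinations
from math import log2

# Assumed character classes of the 95 printable ASCII characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def count_with_required(length: int, required: tuple[str, ...] = ()) -> int:
    """Number of strings of `length` over the alphabet that contain at least
    one character from every class named in `required` (inclusion-exclusion:
    alternately subtract and add the counts that miss k of the classes)."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            size = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * size ** length
    return total


def keyspace(min_len: int, max_len: int, required: tuple[str, ...] = ()) -> int:
    """Candidates across the whole length band an attacker would search."""
    return sum(count_with_required(n, required) for n in range(min_len, max_len + 1))


def bits_removed(min_len: int, max_len: int, required: tuple[str, ...]) -> float:
    """Entropy (bits) the composition rule removes from the band, relative to
    searching the same lengths with no rule."""
    return log2(keyspace(min_len, max_len) / keyspace(min_len, max_len, required))


def bits_removed_by_minimum(min_len: int, max_len: int) -> float:
    """Entropy removed by telling the attacker to skip lengths below min_len,
    compared with searching every length from 1 to max_len."""
    return log2(keyspace(1, max_len) / keyspace(min_len, max_len))


if __name__ == "__main__":
    # The 15..20 band from the quoted message, with the rules it mentions.
    for rule in [("digit",), ("upper",), ("digit", "upper")]:
        print(f"require {rule}: {bits_removed(15, 20, rule):.3f} bits removed")
    print(f"15-char minimum: {bits_removed_by_minimum(15, 20):.6f} bits removed")
```

The output shows the bits each rule subtracts from a band that is otherwise about 131 bits wide, so the reader can judge the size of the effect for a given policy.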