[Discuss] Are passwords even long enough?

[kentborg at borg.org (Kent Borg)]

On 07/02/2016 06:13 PM, IngeGNUe wrote:
> Someone nearly cracked into my gmail the other day. I had a 50+
> character, randomly-generate password too. Nonetheless, it ended up
> being traded on the deep web, and I was notified of it.
>
> Naturally, I acted quickly to change my passwords. But what saved me was
> the two-factor authentication.
>
> How does that even happen though? Compromised SSL?

Allow me to drift off-topic for a moment first: you don't need a 
50-character random password. That is, a *password* doesn't need to be 
that long. In contrast, an encryption key MUST be very long to be 
secure. The difference is that password guesses can  NOT be made million 
of times a second unless the site using it is completely incompetent, in 
which case you have bigger problems. Note that an ATM PIN is only 
4-digits long. How is that secure? They severely limit guessing. Data 
encrypted with your encryption key, in contrast, can be copied across 
multiple computers and attempts can be made as fast as your foe cares to 
try. So don't waste your energy on ubercomplex passwords, put that 
effort into the passphrases you use for encryption, passwords should 
have components that are actually chosen randomly (not things that 
"seem" random to you), but don't need to be that complex or hard to 
type. Google up "diceware", for an example.

A second point: some stupid sites will silently truncate a password 
after just a few characters. If it might be a poorly designed site, make 
sure there is something pretty random in the first few characters and 
not just after character 8.

Okay, to your point:

If you made up a random password, then the only way it could be traded 
is because you gave it to someone.

What are the possibilities?

  - One, you gave it to Google, which you have to do.

  - Two, you gave it to someone else.

  - Three, they process of using it correctly, leaked.

Let's look at each in turn:

  - Evidence is that Google is doing this pretty well. Chances are they 
did not leak just your password. Maybe they leaked a bunch, but that 
would make the news and I haven't seen it.

  - SSL is a mess, there are dozens of certificate authorities that your 
web browser trusts, scattered from around the world, some run by foreign 
governments I don't trust, some poorly run in general. Any one of which 
could issue a certificate pretending to be Google, that certificate 
could be used in a man-in-the-middle attack against you, and then sold. 
There have been fake Google certificates seen in the wild but they are 
rare and they make the news. So, unless you are a juicy target or very 
unlucky and caught in some attack that has not yet made the news, then 
SSL isn't the hole.

  - Which leaves you.

Where have you *ever* typed that password? If you don't know, then you 
aren't being careful enough. If you reuse passwords on different 
accounts, then it is like you are picking a master key (or keys) for 
your life and casually handing out copies, if any single site is cracked 
or crooked, you are exposed.

Do you type your password on computers in hotel lobbies or libraries or 
on friends' computers? How do you know there isn't spyware installed on 
those computers? Is there spyware on your own computer that might leak 
your password. Have you typed that password on your phone? Do you have 
spyware installed on it? How do you store such an impossible password, 
some service or utility program? How do you know it doesn't have 
security holes, and is honest?

In the case of spyware on your own devices and computers, you can't 
entirely control that, but you can be limited and conservative about 
what you install, you can try to buy more trustworthy hardware: even big 
name manufacturers install insecure bloatware. I run Linux that I 
administer conservatively, my Android devices are "Nexus" devices that 
come with only Google software on them, and I am conservative about what 
I add. This "endpoint security" problem is really scary, and impossible 
to do perfectly. But is is *easy* to do it very, very poorly, so don't 
do it poorly.

The bottom line is that most likely you typed your password someplace 
that was not secure. Every time you type your password, why are you 
doing that, why is it a save place to type that password?


-kb