[Discuss] Are passwords even long enough?
Kent Borg
kentborg at borg.org
Sun Jul 3 12:30:14 EDT 2016
On 07/02/2016 06:13 PM, IngeGNUe wrote:
> Someone nearly cracked into my gmail the other day. I had a 50+
> character, randomly-generated password too. Nonetheless, it ended up
> being traded on the deep web, and I was notified of it.
>
> Naturally, I acted quickly to change my passwords. But what saved me was
> the two-factor authentication.
>
> How does that even happen though? Compromised SSL?

Allow me to drift off-topic for a moment first: you don't need a
50-character random password. That is, a *password* doesn't need to be
that long. In contrast, an encryption key MUST be very long to be
secure. The difference is that password guesses can NOT be made millions
of times a second unless the site using it is completely incompetent, in
which case you have bigger problems. Note that an ATM PIN is only
4 digits long. How is that secure? They severely limit guessing. Data
encrypted with your encryption key, in contrast, can be copied across
multiple computers and attempts can be made as fast as your foe cares to
try. So don't waste your energy on ubercomplex passwords; put that
effort into the passphrases you use for encryption. Passwords should
have components that are actually chosen randomly (not things that
"seem" random to you), but don't need to be that complex or hard to
type. Google up "diceware", for an example.

A second point: some stupid sites will silently truncate a password
after just a few characters. If it might be a poorly designed site, make
sure there is something pretty random in the first few characters and
not just after character 8.

Okay, to your point:

If you made up a random password, then the only way it could be traded
is because you gave it to someone.

What are the possibilities?

- One, you gave it to Google, which you have to do.
- Two, you gave it to someone else.
- Three, the process of using it correctly leaked.

Let's look at each in turn:

- Evidence is that Google is doing this pretty well. Chances are they
did not leak just your password. Maybe they leaked a bunch, but that
would make the news and I haven't seen it.
- SSL is a mess: there are dozens of certificate authorities that your
web browser trusts, scattered around the world, some run by foreign
governments I don't trust, some poorly run in general. Any one of them
could issue a certificate pretending to be Google; that certificate
could be used in a man-in-the-middle attack against you, and then sold.
There have been fake Google certificates seen in the wild, but they are
rare and they make the news. So, unless you are a juicy target or very
unlucky and caught in some attack that has not yet made the news, then
SSL isn't the hole.
- Which leaves you.

Where have you *ever* typed that password? If you don't know, then you
aren't being careful enough. If you reuse passwords on different
accounts, then it is like you are picking a master key (or keys) for
your life and casually handing out copies; if any single site is cracked
or crooked, you are exposed.

Do you type your password on computers in hotel lobbies or libraries or
on friends' computers? How do you know there isn't spyware installed on
those computers? Is there spyware on your own computer that might leak
your password? Have you typed that password on your phone? Do you have
spyware installed on it? How do you store such an impossible password,
some service or utility program? How do you know it doesn't have
security holes, and is honest?

In the case of spyware on your own devices and computers, you can't
entirely control that, but you can be limited and conservative about
what you install, and you can try to buy more trustworthy hardware: even
big-name manufacturers install insecure bloatware. I run Linux that I
administer conservatively, my Android devices are "Nexus" devices that
come with only Google software on them, and I am conservative about what
I add. This "endpoint security" problem is really scary, and impossible
to do perfectly. But it is *easy* to do it very, very poorly, so don't
do it poorly.

The bottom line is that most likely you typed your password someplace
that was not secure. Every time you type your password, why are you
doing that, and why is it a safe place to type that password?

-kb
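The arithmetic behind Kent's two side points (online guessing is rate-limited while offline attacks on copied ciphertext run at hardware speed, and silent truncation can throw away the random part of a password) is worked through below. This is an added Python example, not code from the message or the list. The guess rates ONLINE_GUESSES_PER_SEC and OFFLINE_GUESSES_PER_SEC are assumed, illustrative figures; the 7776-word list size is the standard Diceware list; the 20-character "pet name plus random tail" password in main() is a constructed example.

```python
import math

# Assumed, illustrative guess rates (not figures from the post): an online
# login form with throttling/lockout versus an offline attack on a copied
# ciphertext or password-hash dump that can run at hardware speed.
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_GUESSES_PER_SEC = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of `length` symbols each drawn uniformly from an
    alphabet of `alphabet_size` symbols (e.g. 62 for [A-Za-z0-9])."""
    return length * math.log2(alphabet_size)


def diceware_entropy_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a Diceware passphrase: each word is one uniform pick from a
    list of 7776 (= 6**5) words, regardless of how long the words are."""
    return entropy_bits(wordlist_size, words)


def expected_years_to_guess(bits: float, guesses_per_sec: float) -> float:
    """Average time to an expected hit: the attacker must search half the
    keyspace on average, and the guess rate is the only thing that differs
    between the online and offline cases."""
    return (2.0 ** (bits - 1)) / guesses_per_sec / SECONDS_PER_YEAR


def surviving_entropy_bits(random_positions, keep: int, alphabet_size: int) -> float:
    """Bits left if a site silently keeps only the first `keep` characters.
    Only the indices in `random_positions` count as random; everything else
    (a name, a year, a keyboard pattern) is treated as guessable, i.e. 0 bits."""
    kept_random = sum(1 for i in random_positions if i < keep)
    return entropy_bits(alphabet_size, kept_random)


def compare(bits: float) -> dict:
    """Years to an expected hit for one secret under both assumed rates."""
    return {
        "bits": bits,
        "online_years": expected_years_to_guess(bits, ONLINE_GUESSES_PER_SEC),
        "offline_years": expected_years_to_guess(bits, OFFLINE_GUESSES_PER_SEC),
    }


def main() -> None:
    cases = {
        "4-digit ATM PIN": entropy_bits(10, 4),
        "6-word Diceware passphrase": diceware_entropy_bits(6),
        "50 random alphanumerics": entropy_bits(62, 50),
    }
    for name, bits in cases.items():
        c = compare(bits)
        print(f"{name:28s} {c['bits']:6.1f} bits  "
              f"online: {c['online_years']:.3g} y  offline: {c['offline_years']:.3g} y")

    # Truncation (constructed example): a 20-character password whose first 9
    # characters are a pet's name and whose last 11 are random, versus the
    # same 11 random characters placed first. A site that keeps only 8
    # characters leaves nothing random at all in the first case.
    print("random tail, truncated to 8:", surviving_entropy_bits(range(9, 20), 8, 62))
    print("random head, truncated to 8:", surviving_entropy_bits(range(0, 11), 8, 62))


if __name__ == "__main__":
    main()
```

The table that main() prints makes the post's point concrete: a 4-digit PIN is guessed in minutes if guesses are free, but a throttled site turns even that into a deliberate, noisy effort, while the same throttling is simply unavailable to protect a copied ciphertext, which is why the encryption passphrase is where the extra bits belong. The truncation lines show that what matters is where the random characters sit, not how many there are in total.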