[Discuss] Are passwords even long enough?
    IngeGNUe 
    ingegnue at riseup.net
       
    Wed Jul  6 18:04:45 EDT 2016
    
    
  
On 07/03/16 12:30, Kent Borg wrote:
> On 07/02/2016 06:13 PM, IngeGNUe wrote:
>> Someone nearly cracked into my gmail the other day. I had a 50+
>> character, randomly-generated password too. Nonetheless, it ended up
>> being traded on the deep web, and I was notified of it.
>>
>> Naturally, I acted quickly to change my passwords. But what saved me was
>> the two-factor authentication.
>>
>> How does that even happen though? Compromised SSL?
> 
> Allow me to drift off-topic for a moment first: you don't need a
> 50-character random password. That is, a *password* doesn't need to be
> that long. In contrast, an encryption key MUST be very long to be
> secure. The difference is that password guesses can NOT be made millions
> of times a second unless the site using it is completely incompetent, in
> which case you have bigger problems. Note that an ATM PIN is only
> 4-digits long. How is that secure? They severely limit guessing. Data
> encrypted with your encryption key, in contrast, can be copied across
> multiple computers and attempts can be made as fast as your foe cares to
> try. So don't waste your energy on ubercomplex passwords; put that
> effort into the passphrases you use for encryption. Passwords should
> have components that are actually chosen randomly (not things that
> "seem" random to you), but they don't need to be that complex or hard to
> type. Google up "diceware" for an example.
> 
> A second point: some stupid sites will silently truncate a password
> after just a few characters. If it might be a poorly designed site, make
> sure there is something pretty random in the first few characters and
> not just after character 8.
> 
> Okay, to your point:
> 
> If you made up a random password, then the only way it could be traded
> is because you gave it to someone.
> 
> What are the possibilities?
> 
>  - One, you gave it to Google, which you have to do.
> 
>  - Two, you gave it to someone else.
> 
>  - Three, the process of using it correctly leaked.
> 
> Let's look at each in turn:
> 
>  - Evidence is that Google is doing this pretty well. Chances are they
> did not leak just your password. Maybe they leaked a bunch, but that
> would make the news and I haven't seen it.
> 
>  - SSL is a mess, there are dozens of certificate authorities that your
> web browser trusts, scattered around the world, some run by foreign
> governments I don't trust, some poorly run in general. Any one of which
> could issue a certificate pretending to be Google, that certificate
> could be used in a man-in-the-middle attack against you, and then sold.
> There have been fake Google certificates seen in the wild but they are
> rare and they make the news. So, unless you are a juicy target or very
> unlucky and caught in some attack that has not yet made the news, then
> SSL isn't the hole.
> 
>  - Which leaves you.
> 
> Where have you *ever* typed that password? If you don't know, then you
> aren't being careful enough. If you reuse passwords on different
> accounts, then it is like you are picking a master key (or keys) for
> your life and casually handing out copies, if any single site is cracked
> or crooked, you are exposed.
> 
> Do you type your password on computers in hotel lobbies or libraries or
> on friends' computers? How do you know there isn't spyware installed on
> those computers? How do you know there isn't spyware installed on
> those computers? Is there spyware on your own computer that might leak
> your password? Have you typed that password on your phone? Do you have
> spyware installed on it? How do you store such an impossible password,
> some service or utility program? How do you know it doesn't have
> security holes, and is honest?
> 
> In the case of spyware on your own devices and computers, you can't
> entirely control that, but you can be limited and conservative about
> what you install, you can try to buy more trustworthy hardware: even big
> name manufacturers install insecure bloatware. I run Linux that I
> administer conservatively, my Android devices are "Nexus" devices that
> come with only Google software on them, and I am conservative about what
> I add. This "endpoint security" problem is really scary, and impossible
> to do perfectly. But it is *easy* to do it very, very poorly, so don't
> do it poorly.
> 
> The bottom line is that most likely you typed your password someplace
> that was not secure. Every time you type your password, why are you
> doing that, why is it a safe place to type that password?
> 
> 
> -kb
> 
Hey Kent, without giving away much detail:
Given that this is the BLU ml, things like "spyware" don't apply to GNU
Linux. I don't know anyone more careful than me with regard to password
management. My coworkers think I'm crazy when it comes to security. :) I
think about all those same things you mentioned.
For example, I never reuse passwords and I never use anyone else's
computer for logging into things. Especially not on a Winblows computer.
I only trust Free software I get straight from distros, although Free
software can have vulnerabilities sometimes. Even then, though,
everything is carefully planned.
Still, there's always the chance that I could have slipped up at the
wrong time and place. In particular, I used to have an Android with
Gmail on it. So that was probably it. It was a Nexus too. (Dang!)
Another possibility is a compromise in the security of password
managers, but I doubt it.
Another possibility is pasting or typing the password into the wrong
place by accident. If this happens, one should (I think) probably treat
the account as compromised and change the password immediately.
IMO, I think someday passwords are going to become obsolete. They have
to get longer and more complicated, and the means to crack them are
getting more clever. I predict a day when we'll need to start carrying
some sort of (physical) key with us. The push towards 2-factor
authentication seems to indicate that having good passwords isn't enough.
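Kent's argument above (a rate-limited login does not need a 50-character password, an encryption key does, and a site that silently truncates passwords throws most of a passphrase away) is easy to put numbers on. The following script is an added example, not code from the thread or from either poster. The three guess rates and the 16-word list are constructed assumptions for illustration; the only real figure is the standard Diceware list size of 7776 words (6^5).

```python
"""Added example (not from the original thread): password-strength
arithmetic for the online-vs-offline argument, plus a check of how
much randomness survives a site that silently truncates passwords.
Guess rates and the word list are constructed assumptions."""
import itertools
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates for three threat models (illustrative, not measured):
# a throttled login endpoint, an offline attack on a slow password hash,
# and an offline attack on a fast unsalted hash with GPUs.
GUESS_RATES = {
    "online, throttled login": 10.0,
    "offline, slow hash (bcrypt-class)": 1e4,
    "offline, fast hash on GPU": 1e11,
}

# Constructed 16-word list standing in for a real Diceware list (7776 words).
WORDS = ["apple", "banana", "cherry", "dragon", "eagle", "falcon",
         "grape", "hammer", "island", "jungle", "kettle", "lemon",
         "mango", "needle", "orange", "pepper"]


def entropy_bits_words(n_words, wordlist_size=7776):
    """Entropy of n words chosen uniformly from a list (Diceware: 6^5 = 7776)."""
    return n_words * math.log2(wordlist_size)


def entropy_bits_chars(length, alphabet_size):
    """Entropy of `length` characters chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(bits, guesses_per_second):
    """Expected time to hit the secret: on average half the space is searched."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def crack_time_report(bits, rates=GUESS_RATES):
    """Years to crack a secret of `bits` entropy under each assumed guess rate."""
    return {name: expected_years_to_crack(bits, rate) for name, rate in rates.items()}


def generate_passphrase(wordlist, n_words, rng=secrets):
    """Pick words with a CSPRNG; anything with a .choice() method works for rng."""
    return " ".join(rng.choice(wordlist) for _ in range(n_words))


def prefix_entropy_bits(wordlist, n_words, prefix_len, sep=" "):
    """Upper bound on the bits that survive silent truncation to prefix_len
    characters: count the distinct prefixes over all possible passphrases.
    Enumerates len(wordlist) ** n_words combinations, so keep both small."""
    prefixes = {sep.join(combo)[:prefix_len]
                for combo in itertools.product(wordlist, repeat=n_words)}
    return math.log2(len(prefixes))


if __name__ == "__main__":
    for label, bits in [("4-digit PIN", entropy_bits_chars(4, 10)),
                        ("8 random printable ASCII chars", entropy_bits_chars(8, 95)),
                        ("5 Diceware words", entropy_bits_words(5)),
                        ("50 random printable ASCII chars", entropy_bits_chars(50, 95))]:
        print(f"{label}: {bits:.1f} bits")
        for name, years in crack_time_report(bits).items():
            print(f"  {name:36s} {years:12.3g} years")
    # Truncation check: three words from the 16-word list carry 12 bits,
    # but only the first 8 characters survive on a truncating site.
    print("3 words, full:", entropy_bits_words(3, len(WORDS)), "bits;",
          "first 8 chars:", prefix_entropy_bits(WORDS, 3, 8), "bits")
    print("sample:", generate_passphrase(WORDS, 3))
```

Run it with `python3 passwords.py`. Five Diceware words give about 64.6 bits: tens of billions of years against a throttled login, but only a few years against a fast hash on GPUs, which is the gap Kent draws between a login password and an encryption passphrase. The truncation check shows why randomness belongs in the first characters: three words from the 16-word list are worth 12 bits, but their first eight characters are worth at most 8.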
    
    