Why I'm changing my password

OfftheRails

Why passwords have never been weaker

Interesting article that really gets into the gritty nitty of password security:

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
 
I am always obliged to point out that in many cases cracking your password isn't even necessary. The beauty of hash collisions is I only need something that generates the same hash as your password. Increases the chances or decreases the time needed to gain access.

Then there are some of those lovely flaws out there. Amazon had a nice one. If you had the password + more stuff would still let you in. So let's say the user's password was Ameliorate and my program tried AmeliorateNow, Amazon would accept it. Bug has been patched since, but your password is only as secure as the system authenticating it.
 
The beauty of hash collisions is I only need something that generates the same hash as your password.

This would be pretty hard if you have a pass phrase...or a key that's worth its while in length, and an algorithm newer than say...2000.

We have seen it work, but it's pretty darn hard.
 
This would be pretty hard if you have a pass phrase...or a key that's worth its while in length, and an algorithm newer than say...2000.

We have seen it work, but it's pretty darn hard.

Salting works wonders as well. But seen quite a few things storing just an MD5 hash to check the password against. Facing a GPU compute rig these days, time tables are a little different now. I still get a kick out of the old quote on GSM security now that we have machines that can fit in a car to drive around and decrypt calls (dunno what the time table is now; it used to be 30 minutes after intercept). Not much falls to brute force attacks, so those figures are always inaccurate. Efficiency is usually in the flaws.

But Tom, I know you have a lot more experience in the area. Security was never my thing. My brain just doesn't work right, especially in the area of reverse engineering. Funny, I thought autistic spectrum people were good at it :p but as Soulzz can tell you, Asperger's people are easy to trip up. A long equation is all it takes to blank our minds.
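
Added example, not part of any post in this thread: a sketch contrasting the two storage weaknesses discussed above (a verifier that accepts "password + more stuff", and a bare unsalted MD5 digest) with a salted, slow hash checked over the full input. The truncate-to-8-characters model of the flaw, all function names, and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def legacy_hash(password: str, keep: int = 8) -> str:
    """Assumed model of the flaw: input is silently truncated to `keep`
    characters, then stored as an unsalted MD5 digest."""
    return hashlib.md5(password[:keep].encode()).hexdigest()


def legacy_verify(stored: str, attempt: str) -> bool:
    return hmac.compare_digest(stored, legacy_hash(attempt))


def make_record(password: str) -> dict:
    """Hardened form: per-user random salt, slow KDF over the whole password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"],
                                 record["iterations"])
    # Constant-time comparison of the full derived key.
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    alice_old, bob_old = legacy_hash("Ameliorate"), legacy_hash("Ameliorate")
    print("unsalted digests identical:", alice_old == bob_old)
    print("legacy accepts AmeliorateNow:",
          legacy_verify(alice_old, "AmeliorateNow"))

    alice_new, bob_new = make_record("Ameliorate"), make_record("Ameliorate")
    print("salted digests identical:", alice_new["hash"] == bob_new["hash"])
    print("hardened accepts AmeliorateNow:",
          verify(alice_new, "AmeliorateNow"))
    print("hardened accepts Ameliorate:", verify(alice_new, "Ameliorate"))
```

With unsalted digests, one cracked hash exposes every account sharing that password; per-user salts force the work to be repeated per record.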
 