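On Sun 27 Aug 2017 at 21:12:12 +0200, Thomas Schmitt wrote:

> Brian wrote:
> > I do not have to run faster than the bear, just faster than anyone else.

(Analogies never work. Remind me not to use them again).

> According to the article about the successful cracking, it is not so much
> about how fast you are. The bear will not stop when it is done with eating
> those behind you.

Note that the article details the point at which the investigators gave
up on going after what they saw as random passwords. They would never
have got to

  my!only"reason£for$living%is^ebay

no matter how low or high its entropy is. Which is not to say other
techniques would not have caught it.

Stamina is at least as important as speed. The bear will have run out
of puff after trying n=10 for brute force.

Protecting an online login is far more important than second-guessing
how a provider has provisioned their system. A user has no control over
the latter, so why should he put any great thought into combating the
provider as well as the crackers?

We are mesmerised by the skills of offline crackers. They dazzle us and
blind us to realities. Where is someone saying that

  eq8GeKBhVXOTjF0dAyd0

is a splendid password? It wouldn't have a chance of being forced via an
online attack.

> It is rather about not to walk the paths which all the tasty others walk.
> The first found meal tells the bear that there is more food in the same
> direction.

With an offline attack, probably. But where are the people who say that
online is the same as or even similar to offline? Inquiring minds would
like to know why 'thisismySECRETpassword' is a poor login password.

And, even assuming a site such as Ebay with its millions of users loses
its marbles to offline cracking, why think you are first in line for
rampaging? Ok, they have to start somewhere - it might as well be you. :)

--
Brian.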
(Analogies never work. Remind me not to use them again). > According to the article about the successful cracking, it is not so much > about how fast you are. The bear will not stop when it is done with eating > those behind you. Note that the article details the point at which the investigators gave up on going after what they saw as random passwords. They would never have got to my!only"reason£for$living%is^ebay no matter how low or high its entropy is. Which is not to say other techniques would not have caught it. Stamina is at least as important as speed. The bear will have run out of puff after trying n=10 for brute force. Protecting an online login is far more important than second-guessing how a provider has provisioned their system. A user has no control over the latter, so why should he put any great thought into comabating the provider as well as the crackers. We are mesmorised by the skills of offline crackers. They dazzle us and blind us to realities. Where is someone saying that eq8GeKBhVXOTjF0dAyd0 is a splendid password? It wouldn't have a chance of being forced via an online attack. > It is rather about not to walk the paths which all the tasty others walk. > The first found meal tells the bear that there is more food in the same > direction. With an offline attack, probably. But where are the people who say that online is the same as or even similar to offline, Inquiring minds would like to know why 'thisismySECRETpassword' is a poor login password. And, even assuming a site such as Ebay with its millions of users loses its marbles to offline cracking, why think you are first in line for rampaging? Ok, they have to start somewhere - it might as well be you. :) -- Brian.