On Dec 29, 2010, at 12:56 PM, Joshua Kehn wrote:
> On Dec 29, 2010, at 12:37 PM, tedd wrote:
>
>> At 11:06 AM +0200 12/29/10, Dotan Cohen wrote:
>>> Also, change them {passwords} frequently.
>>
>> I've always wondered about that -- if your password works, then why change
>> it? Where's the logic in that?
>>
>> From my perspective, it looks like "Hey, the crackers have not been able to
>> crack this, so let's give them another chance". That doesn't sound logical.
>>
>> There are things we "think" are right, but is this practice supported in
>> some way that's provable?
>>
>> Cheers,
>>
>> tedd
>>
>> --
>> -------
>> http://sperling.com/
>
> An attacker manages to obtain the hashes and starts an attack. You change
> your password. The attacker now has to restart the attack.
>
> Changing your passwords prevents an attack from continuing past the length of
> time between password changes.
>
> Also if they _have_ managed to crack the password changing it forces them to
> crack it again, thus also limiting the time the account is compromised.
Gosh. Think about it. Lets not take the "your machine is compromised case"
and/or your password is moronic and/or you are not passing your password
cleartext.
So the threat is external. Now there are 2 types of external: one in house and
one on the 'net.
The one in house is simply detected by an IDS like snort looking for very rapid
login attempts. Slow walkers are no risk at all. Further if your password is
computationally hard your GigE LAN is not fast enough to support cracking a
computationally hard password before you retire. So there is no threat that
your computationally hard password will be cracked so your password is safe.
For a 'net threat, the bandwidth is even more constrained so you could live 9
lives and still not have your computationally hard password cracked. Further,
log checking at the firewall and on internal machines can easily detect
cracking attempts. I detect about 4 per day on our mailserver looking for pop
logons and about 25 a day against ssh where we don't even use passwords. ftp is
not used.
So an external threat against your machine as defined above, is not a risk.
So now lets look at the case where there is malware on your machine which will
try to brute force your computationally hard password and is smart enough to
use your graphics engine to increased computational power. Folks at MIT and
Carnegie Mellon have already numerically proved that a 12 character password is
not crackable using brute force in any reasonable timeframe. In fact an 8
character one has strength of years. I would contend that using that much power
will make its existence known to you and coupled with the fact that you restart
your computer every now and again and that you run an antivirus periodically
that will eventually find it even if you don't notice the slow down.
As you can see, cracking a password on your machine is so fruitless that no one
would even try to since if you have access to the machine a keylogger, for
example, is faster and more reliable. To thwart this you might want to run
tripwire or equivalent and institute exfiltration detection.
The big problem today is that "security" people in IT and security wannabee's
quote cracking numbers not based in the real world but mathematically based on
quasi "real" preconditions. They and some crazy guys who I know at Microsoft
along with some NIST guys are pushing 12 character minimums of upper, lower,
numbers and specials, changed every 60 days and no reuse for 2 years in
business settings. They say this will make the corporate machines safe. This is
utter BS. And, in fact, makes corporate networks even more vulnerable due to
the fact that people can't remember all these password so they write them down
or make them relatively easy thus increasing social engineering break-in
opportunities.
The best solution is to select a computationally hard password and then don't
change it unless you have to. I also recommend that you select another that is
different and use it for all 'net based logins with a extension concatenated
for each service.
This comment about "if they _have_ managed to crack the password changing it
forces them to crack it again, thus also limiting the time the account is
compromised" is ridiculous. First, I assume you really mean stealing rather
than cracking for the reasons above. Notwithstanding the fact that the site
broken into should immediately lock down all accounts. Whats to say that the
bad guys brake-in right after you have changed your password and they are not
noticed. You are still at risk until you change it maybe 30, 60 90, 120 days
later. So what is the real good of changing password routinely? Nada! The
probability that your change matches the threat is miniscule. It just make
people feel good. In fact ,if the bad guys broke in to a financial system they
wouldn't steal your password; they would institute immediate bank transfers.
Not only would they; they do constantly today.
As for the "black helicopters", Carnivore was never finished by the FBI and is
part of fokelore. Its much easier to do packet replication at a router in an
ISP and send it to disk for offline analysis. This also has another effect of
having evidence that can be used in a court of law.
Other "issues" to be addresses later.
Tom
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
