[dba-Tech] Check password strength

Mark Breen marklbreen at gmail.com
Tue Jul 24 03:02:17 CDT 2012


Hello Hans-Christian,

Thanks for your reply, very nicely articulated.

Unfortunately for me, you have forced me to change my mind :(  Your
examples of looking over the shoulder are valid, in fact all of what you
say is valid.

As with many times, if it is all done according to best practice, including
use of a KeePassX file, then we should be safe.

I think it is fair to say that almost every situation is slightly
different, sometimes physical security trumps the security of the password.

However, you have forced me to update my thoughts in ilovetotravel, and
d0g.....................

I am off to grit my teeth and type in another password that causes me to
strain my wrist to type it in :)


Mark


On 24 July 2012 08:20, Hans-Christian Andersen <hans.andersen at phulse.com> wrote:

> Yes and no.
>
> Certainly, from the perspective of password cracking a password that has
> been hashed following all the good rules of security (applying a good
> hashing algorithm, salting it with a secret salt and a unique salt and
> then some arbitrary number of rounds (or using an adaptive hashing
> algorithm like bcrypt)), then yes - if some hacker is able to steal a list
> of password hashes, such a password would be quite difficult to hack. But
> this is an assumption based on current circumstances and circumstances
> which you may not have any knowledge of or control over. It is hardly
> difficult to imagine that as technology progresses, hackers are able to
> improve brute force techniques combined with the additional computing power
> to comb for grammatically consistent phrases like "ilovetotravel". But, a
> good password is also only as good as the backend that stores it. Use a
> password like that on a site that doesn't hash passwords and what's the
> point? The game is up. And then even sites that apply MD5 and even SHA1
> suffer from collision vulnerabilities.
>
> Then there is the issue of "what if someone is looking over your shoulder
> security". Perhaps that password is decently complex so that John the
> Ripper and whatnot would find it impossible to hack, anyone looking over
> your shoulder would be able to quickly understand the simplicity of
> d0g................... And eventually be able to find the right number of
> dots.
>
> I also hear people ridicule rotating passwords on a regular basis. There
> is a good reason for this. Should an employee write down a password or get
> their personal computer breached or leave the company, you minimise your
> exposure to having a third party get access to that and be able to take
> advantage of it.
>
> So, my point is simply that there are many concerns and you need to judge
> what yours are. Ideally, in my opinion, there is simply no replacement to
> unique passwords that are (pseudo) randomly generated and making sure that
> you do not reuse your passwords (only use a password for one specific thing
> and create a new one for another site or place where you need to login).
> You should store your passwords in a secure place, like within an encrypted
> KeePassX file, for instance, or use something like LastPass or Yubikey. If
> you want proper security, you can't bypass it with some basic assumptions -
> you need to judge the risk you are exposing yourself to on multiple levels
> and decide what works for you (i.e. if you don't care if your X site login
> is broken into, then go ahead and reuse an easy to remember password).
>
> Truly secure passwords are hard to crack, hard to guess and hard to
> remember. That's the point of security.
>
> Best regards,
> Hans-Christian Andersen
>
>
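Two points in Hans-Christian's reply lend themselves to a concrete illustration: storing a password as a salted, many-round hash rather than plain MD5/SHA1, and generating unique (pseudo)random passwords instead of memorable phrases. The following is an added example and is not code from this thread or from any tool it mentions. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for the iterated/adaptive hashing described (bcrypt itself needs a third-party package); the iteration count, salt size, record format and 16-character alphanumeric alphabet are this example's own choices, not anything the thread specifies.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed parameters for this example (not from the thread): a per-password
# random 16-byte salt and a large fixed iteration count. The iteration count
# plays the role of the "arbitrary number of rounds" in the mail; raising it
# over time is how a deployment keeps pace with faster cracking hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$rounds$salt_hex$digest_hex.

    The salt is stored alongside the digest; it is not secret, its job is to make
    identical passwords hash differently and to defeat precomputed tables.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and rounds, compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the two digests first differ via timing.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


# Alphabet for generated passwords (example choice; extend with punctuation if
# the target system accepts it).
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character with the OS CSPRNG (secrets), never with random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    record = hash_password("ilovetotravel")
    print(record)
    print("correct:", verify_password(record, "ilovetotravel"))
    print("wrong:  ", verify_password(record, "ilovetotravel!"))

    pw = generate_password()
    print("generated:", pw, f"({entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    # For contrast: once a shoulder-surfer knows the pattern "d0g" followed by
    # some dots, the remaining uncertainty is only the number of dots, i.e.
    # log2(number of plausible lengths), a handful of bits at most.
    print("d0g + 1..64 dots:", f"{math.log2(64):.1f} bits")
```

Each stored record carries its own salt and round count, so the verifier needs no configuration beyond the algorithm name, and old records keep verifying after ITERATIONS is raised for newly set passwords.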

