Posts Tagged ‘password security’

How to guess your password…

Thursday, August 26th, 2010

Interesting post at
about how John Pozadzides would go
about hacking someone’s password.

While it’s nothing new, it does revisit good advice that everyone should
follow: avoid passwords that are based on names of people close to you,
don’t think that sticking a digit at the end of your password makes it secure,

What it does do is make the same mistake that lots of “password security”
advice does – which is to assume that an attacker can test millions
of guesses per second. That’s only true if the attacker has access to
the password hashes, which usually means that he’s already got physical
access to your computer or has compromised the security database of an
application you sign into.

That’s a big assumption and I would venture that it’s almost always false.

If an attacker has to test passwords by trying to sign into one of your
accounts using a script, he’s unlikely to get more than about 1 guess
per second and he’s quite likely to trigger a lockout after a few tries.
Moreover, many on-line login systems now use CAPTCHAs, so he can’t even
script the attack.

In short: protected and inaccessible password hash databases, slow
interactive login screens, intruder lockout mechanisms and CAPTCHAs
make brute force attacks, even optimized with good dictionaries, pretty
much useless, unless your password is *really* bad.
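To put numbers on the online-versus-offline argument above, here is an added example (not code from the post) of the kind of intruder-lockout mechanism it credits: a per-account failure tracker that locks after a few tries, plus a calculator for the guess budget such a policy leaves an attacker compared with the hash-in-hand rate. The policy values (5 failures, 60-second window, 15-minute lockout) and the million-guesses-per-second offline rate are assumptions, not figures from the post.

```python
"""Added example: minimal intruder-lockout tracker and guess-budget calculator.
All policy numbers below are constructed assumptions, not figures from the post."""
import math
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account after `max_failures` failed attempts within `window`
    seconds; the lock lasts `lockout` seconds. The current time is passed in
    explicitly so behaviour is deterministic and testable."""

    def __init__(self, max_failures=5, window=60.0, lockout=900.0):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0.0) > now

    def record_failure(self, account, now):
        """Register a failed login; returns True if the account is (now) locked."""
        if self.is_locked(account, now):     # attempts during a lock are not counted
            return True
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False


def max_guesses_per_day(max_failures=5, lockout=900.0):
    """Upper bound on guesses per account per day under this policy: each
    lockout period lets the attacker make at most `max_failures` tries."""
    return math.ceil(86400 / lockout) * max_failures


def offline_guesses_per_day(rate=1_000_000):
    """Constructed comparison: the 'millions per second' rate the post cites
    for an attacker who already holds the password hashes."""
    return rate * 86400
```

With the assumed policy the online attacker is held to a few hundred guesses per account per day, against tens of billions for an attacker with the hashes, which is the post's point in numbers.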

John also suggests that your bank account is linked to your e-mail
address, so a compromise of your e-mail could also compromise your bank
security. That’s a bit of a stretch, in my mind. I can’t comment about
all banks, but none of the financial institutions that I do business
with even know any of my e-mail addresses.

So here I’m just curious: does your bank use your e-mail address as an
out-of-band authentication factor?

12 character passwords required?

Thursday, August 19th, 2010

An interesting write-up at
and elsewhere. The original content for this appears to be here:

Sounds like the good folks at Georgia Tech have worked out how fast they can
crack passwords (i.e., validate whether a guessed password matches the hash
from a password database) using a GPU. They don’t seem to mention which
password hashing algorithm they are attacking, but they do point out,
in the way that responsible journalists never would, that an attacker would
of course have to have a copy of the password hashes first.

The first line of defense in most password systems is to prevent attackers
from getting the hashes. So long as that works, this whole class of attack
is irrelevant. Something sensationalist journalists (hey, that rhymes!)
fail to point out.

So what have we learned?

  • GPUs can be used to more quickly brute-force passwords, if you have
    managed to compromise the password database.
  • In cases where the password database remains inaccessible to attackers,
    this is irrelevant.
  • Take any sensational claims about security with a grain of salt.
  • Passwords are insecure! Passwords will be gone soon! (Yeah, right.
    We’ve heard that for 20 years, and it just doesn’t seem to come true).