[Fed-Talk] Password issues
- Subject: [Fed-Talk] Password issues
- From: Todd Heberlein <email@hidden>
- Date: Tue, 21 Aug 2012 09:59:44 -0700
Great (and lengthy) Ars Technica article on the weakness of passwords.
Why passwords have never been weaker—and crackers have never been stronger
http://arstechnica.com/security/2012/08/passwords-under-assault/
A summary of why passwords have become so much weaker in the past few years includes:
(1) Technical advances such as GPUs and rainbow tables
(2) Crowd and bot-net sourcing of password cracking
(3) Password reuse (ask the guy at HBGary Federal about this one!)
(4) Entropy analysis on large corpuses of passwords.
That last one I found interesting because this is something I've wondered about for years since doing a little linguistic analysis. In short, forcing a user to choose longer passwords but letting them choose the password doesn't help so much because we humans have a limited repertoire of tricks we use.
The large corpus of passwords collected over the last few years has let crackers essentially crack the way we think. Another way of looking at it: the attackers are attacking the random number generator of our brains -- and it's a pretty sucky random number generator.
A couple of recommendations:
(A) Don't reuse passwords at multiple services.
(B) Use something like 1Password to manage large, randomly generated passwords.
(C) Have your organizational security administrators constantly download the latest hashes posted to public sites like pastebin.com looking for your organization's hashes in the list.
(I don't remember any mention of 2-factor authentication)
I'm seriously thinking about starting to use 1Password.
Todd
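Recommendation (C) above amounts to a matching job: take a dump that turned up on a public paste site and look for anything that belongs to your organization. The script below is an added example, not part of Todd's post or the Ars article; it assumes the dump holds unsalted hex digests (bare, or `account:hash`), and every sample line and hash in it is constructed with hashlib rather than taken from a real leak.

```python
import hashlib
import re

def _h(s: str) -> str:
    """SHA-256 hex digest, used only to build constructed sample data."""
    return hashlib.sha256(s.encode()).hexdigest()

# Constructed stand-in for a public dump: mixed line formats, mixed case, junk.
LEAKED_DUMP = "\n".join([
    "alice@example.org:" + _h("password").upper(),  # matches an org hash and the org domain
    "bob@other.net:" + _h("foo"),                    # unrelated account
    "carol@example.org:" + _h("Hello World"),        # org domain, unknown hash
    "# comment line that should be ignored",
    _h(""),                                          # bare hash, matches an org hash
])

# Constructed stand-in for the hashes your own directory stores (unsalted here).
ORG_HASHES = {_h("password"), _h("")}

HEX_HASH = re.compile(r"\b[0-9a-fA-F]{32,128}\b")  # MD5 through SHA-512 lengths

def parse_dump(text):
    """Yield (account, hash) pairs; account is None for bare-hash lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEX_HASH.search(line)
        if not m:
            continue  # not something we can compare; skip rather than guess
        account = line[: m.start()].rstrip(":; \t") or None
        yield account, m.group(0).lower()  # normalize case before comparing

def find_exposures(dump_text, org_hashes, org_domain):
    """Return dump entries that match an org hash or carry an org e-mail address."""
    org = {h.lower() for h in org_hashes}
    suffix = "@" + org_domain.lower()
    hits = []
    for account, digest in parse_dump(dump_text):
        by_hash = digest in org
        by_domain = account is not None and account.lower().endswith(suffix)
        if by_hash or by_domain:
            hits.append({"account": account, "hash": digest,
                         "hash_match": by_hash, "domain_match": by_domain})
    return hits

if __name__ == "__main__":
    for hit in find_exposures(LEAKED_DUMP, ORG_HASHES, "example.org"):
        print(hit)
```

A domain-only hit (carol) still matters: it tells you which users to force through a reset even when the leaked hash does not match what you store.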