12 Aug 17 – Password guru regrets past advice


#5903

Nick Francesco
Keymaster

    Now it’s all about length of the password. Complexity is nice, but length is much better, because of how fast computers are these days.
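To put numbers on the length-versus-complexity point above, here is an added example (not code from the thread or from anyone posting in it). It computes the search space a password policy gives an attacker, bits = length × log2(alphabet size), and the expected time to exhaust it at an assumed guess rate. The rate of 10^10 guesses per second and the four policies compared are constructed assumptions for illustration.

```python
import math

# Added example (not from the thread): how much search space a password
# policy gives an attacker, and roughly how long exhausting it takes.
# The guess rate below is a constructed assumption for illustration only.

ALPHABET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,   # [A-Za-z0-9]
    "printable": 95,      # printable ASCII: letters, digits and symbols
}

GUESSES_PER_SECOND = 1e10          # assumed offline rate against a fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a uniformly random password of this shape.

    Each extra character adds log2(alphabet) bits, so doubling the length
    doubles the bits, while widening the alphabet only adds log2 of the
    ratio per character (26 -> 95 is about 1.9 bits per character).
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet must have >= 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float,
                           guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit a uniformly random password: half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_policies(policies: dict,
                     guesses_per_second: float = GUESSES_PER_SECOND) -> dict:
    """policies: {label: (alphabet name, length)} -> {label: (bits, years)}."""
    result = {}
    for label, (alphabet, length) in policies.items():
        bits = keyspace_bits(ALPHABET_SIZES[alphabet], length)
        years = expected_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR
        result[label] = (bits, years)
    return result


# Constructed policies to compare: a 12-character alphanumeric maximum, the
# classic 8-character "complex" rule, and plain lowercase passphrases.
POLICIES = {
    "max 12 alphanumeric": ("alphanumeric", 12),
    "8 printable, complexity required": ("printable", 8),
    "20 lowercase letters": ("lowercase", 20),
    "30 lowercase letters": ("lowercase", 30),
}

if __name__ == "__main__":
    for label, (bits, years) in compare_policies(POLICIES).items():
        print(f"{label:36s} {bits:6.1f} bits  ~{years:.3g} years "
              f"at {GUESSES_PER_SECOND:.0e} guesses/s")
```

These figures assume uniformly random passwords; human-chosen passwords fall far short of them, which is exactly why dictionary and rule-based attacks work, and why a site that caps passwords at 12 characters also caps the entropy a careful user can put in.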

    #5904

    HotDawg
    Participant

    I think the responsibility for safe password usage really lies with the people designing systems where a password will be needed. Just this past week I ran into a site (for a nationally known company) that requires a password to be between 6 and 12 characters, consisting only of letters and numbers. And this same company would not recognize any email address as being valid if it contained any capitalized letters. Everything (username and domain name) had to be lower case.

    Simply locking someone out for a few minutes after 3 wrong guesses of a password would end the dictionary attack method. How many ways can you spell “password”?

    #5915

    RChandra
    Participant

    Just this past week I ran into a site (for a nationally known company)

    Hmmm…(just sayin’) this isn’t OTA where the radio station would be worried about the sales department, y’know, giving free advertising (mention) to someone…or in the case of WGMC (public broadcasting), an outright ad. C’mon, you can name them 🙂

    that requires a password to be between 6 and 12 characters, consisting only of letters and numbers.

    That is unfortunately fairly typical. The credit union at which I’m a member subcontracts out itsme247.com for their “online banking” service. I don’t know what their min is, but their max is 12. There is the twist of a very limited challenge/response, in that (ahead of time) you fill out the responses to three questions, and the login page chooses one of these three. But since this messes with KeePass, I simply made the answer the same for all three challenges (and surprisingly, they do not check for this).

    And this same company would not recognize any email address as being valid if it contained any capitalized letters. Everything (username and domain name) had to be lower case.

    That is in direct violation of the email RFCs, including the most recent one I know of, RFC 5321 (section 2.3.11 where it says “Consequently, and due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address.” (emphasis mine)). It drives me nuts that many companies can’t seem to read these. The aforementioned Western Division also did not seem to understand when I explained to them that their email server must identify itself (HELO or EHLO) as a resolvable name (ibid. sect. 2.3.5)

    Simply locking someone out for a few minutes after 3 wrong guesses of a password would end the dictionary attack method.

    That’s the primary concern, but then the other concern is if the host where it is stored is compromised, and the password database (even if hashed, see this Computerphile video on YouTube about trying millions of hashes per second with 4 high end GPU cards) is exfiltrated. So there is more than the threat posed by someone just trying to brute force their way in, or with a dictionary attack.
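To show the offline threat RChandra raises, here is an added example (not code from the thread or from any site mentioned in it) that builds two versions of a stolen password table, one with an unsalted single SHA-256 and one with salted PBKDF2-HMAC-SHA256, and runs the same small dictionary against each. The users, passwords and wordlist are constructed; the PBKDF2 iteration count is deliberately low so the demo runs in a fraction of a second and is not a production recommendation.

```python
import hashlib
import hmac
import os

# Added example (not from the thread): why an exfiltrated password table
# needs a salted, deliberately slow hash. Users, passwords and the wordlist
# are constructed; ITERATIONS is kept low only so the demo runs quickly
# (use a far higher count in production, or Argon2/scrypt).

WORDLIST = ["123456", "password", "letmein", "qwerty", "Password1"]
USERS = {                                  # constructed plaintexts, never stored
    "alice": "password",
    "bob": "letmein",
    "carol": "correct horse battery staple",
    "dave": "password",                    # same password as alice
}
ITERATIONS = 50_000


def fast_hash(password: str) -> str:
    """Unsalted single SHA-256: cheap for the site, cheaper still for a GPU."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_fast_table(users: dict) -> dict:
    return {u: fast_hash(p) for u, p in users.items()}


def build_slow_table(users: dict, iterations: int = ITERATIONS) -> dict:
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)              # per-user salt stored beside the digest
        table[u] = (salt, slow_hash(p, salt, iterations))
    return table


def crack_fast(stolen: dict, wordlist: list) -> tuple:
    """Hash each candidate once, then look up every user at no extra cost.

    Returns (found, hash_computations). Work is len(wordlist) regardless of
    how many users are in the table, and identical passwords fall together.
    """
    lookup = {fast_hash(w): w for w in wordlist}
    found = {u: lookup[h] for u, h in stolen.items() if h in lookup}
    return found, len(wordlist)


def crack_slow(stolen: dict, wordlist: list, iterations: int = ITERATIONS) -> tuple:
    """Salt forces a fresh PBKDF2 per (user, candidate); work scales with both.

    Returns (found, hash_computations) counting the HMAC rounds performed.
    """
    found, work = {}, 0
    for u, (salt, digest) in stolen.items():
        for w in wordlist:
            work += iterations
            if hmac.compare_digest(slow_hash(w, salt, iterations), digest):
                found[u] = w
                break
    return found, work


def demo() -> dict:
    fast_found, fast_work = crack_fast(build_fast_table(USERS), WORDLIST)
    slow_found, slow_work = crack_slow(build_slow_table(USERS), WORDLIST)
    return {"fast": (fast_found, fast_work), "slow": (slow_found, slow_work)}


if __name__ == "__main__":
    for kind, (found, work) in demo().items():
        print(f"{kind}: cracked {sorted(found)} with {work:,} hash computations")
```

Both tables give up the dictionary words; the difference is the price. The unsalted table costs five hashes for every user in the breach at once, and shows alice and dave sharing a digest, while the salted slow table costs one full PBKDF2 run per user per candidate, which is what turns "millions of hashes per second" into a much smaller number of guesses per second per account.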
