Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.security.misc > #1285

Re: random passwords

From Ivan Shmakov <ivan@siamics.net>
Newsgroups alt.os.linux, comp.os.linux.misc, comp.security.misc
Subject Re: random passwords
Date 2018-08-23 16:40 +0000
Organization A noiseless patient Spider
Message-ID <871sapghob.fsf@miko.siamics.net> (permalink)
References (3 earlier) <plkv63$ab3$1@dont-email.me> <pllofa$fbr$1@news1.tnib.de> <plm57g$p91$2@dont-email.me> <878t4xgouh.fsf_-_@miko.siamics.net> <87r2ip16jf.fsf@LkoBDZeT.terraraq.uk>

Cross-posted to 3 groups.

Show all headers | View raw

>>>>> Richard Kettlewell <invalid@invalid.invalid> writes:
>>>>> Ivan Shmakov <ivan@siamics.net> writes:

 >> I'm actually curious on what recent research says about the amount
 >> of randomness that one should have in one's password?  (Or, to put
 >> it other way around, how simple one password has to be for it to be
 >> possible to break it in reasonable time under one threat model or
 >> another?)

 > How much is your password worth?

 > As a concrete example:

 > - suppose your password is 8 random lower-case characters

 > - suppose it uses crypt(3) with MD5 with 1003 rounds (which is/was
 > the Glibc default)

	And it makes me curious about the Heimdal defaults...

 > - your attacker gets the ciphertext of the password

 > At least one real 8-way cluster can do 3E11 md5/second[1] and a
 > p2.8xlarge instance costs $720/hour[2].  I make that
 > 3E11*3600/1003/720=1.5E9 candidate passwords per dollar, or $140
 > dollars to do an exhaustive search.

	Yes; that's a fairly specific threat model, which I'd describe
	as "the attacker gets one of your passwords and uses that to
	deduce some other."  That's a huge problem for those who use a
	single password, perhaps with slight alteration, across several
	resources.

	Now, if that's not the case; the attacker getting the ciphertext
	means that the resource was compromised.  And somehow, I cannot
	readily imagine a plausible scenario where the password's
	ciphertext can get leaked without the adversary getting control
	over other, more important parts of the system.

 > [1] https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505
 > [2] https://aws.amazon.com/ec2/pricing/on-demand/

-- 
FSF associate member #7257  http://am-1.org/~ivan/

Back to comp.security.misc | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 14:05 +0000
  Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-23 09:47 -0500
    Re: random passwords Wouter Verhelst <w@uter.be> - 2018-08-24 10:16 +0200
      Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 11:46 +0100
        Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-24 09:19 -0400
        Re: random passwords Daniel60 <daniel47@eternal-september.org> - 2018-08-25 21:57 +1000
          Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-25 13:32 +0100
  Re: random passwords Richard Kettlewell <invalid@invalid.invalid> - 2018-08-23 15:50 +0100
    Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 16:40 +0000
      Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:12 +0000
      Re: random passwords Richard Kettlewell <invalid@invalid.invalid> - 2018-08-23 18:49 +0100
        Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-09-01 13:45 +0000
          Re: random passwords Rich <rich@example.invalid> - 2018-09-01 15:02 +0000
          Re: random passwords Allodoxaphobia <knock_yourself_out@example.net> - 2018-09-01 16:54 +0000
          Re: random passwords Richard Kettlewell <invalid@invalid.invalid> - 2018-09-04 07:37 +0100
  Re: random passwords Rich <rich@example.invalid> - 2018-08-23 15:12 +0000
    Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-23 12:49 -0400
      Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:18 +0000
        Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-23 17:27 +0000
          Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:44 +0000
    Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 12:38 -0600
      Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 12:47 -0600
        Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-24 02:20 +0000
        Re: random passwords Jasen Betts <jasen@xnet.co.nz> - 2018-08-24 05:10 +0000
      Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 02:32 +0100
        Re: random passwords Rich <rich@example.invalid> - 2018-08-24 01:56 +0000
          Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 11:37 +0100
        Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 20:13 -0600
          Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 11:42 +0100
            Re: random passwords Chris Elvidge <chris@mshome.net> - 2018-08-24 11:55 +0100
              Re: random passwords Paul <nospam@needed.invalid> - 2018-08-24 08:37 -0400
                Re: random passwords Chris Elvidge <chris@mshome.net> - 2018-08-24 13:51 +0100
                Re: random passwords Paul <nospam@needed.invalid> - 2018-08-24 12:41 -0400
            Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-25 02:03 +0000
              Re: random passwords Java Jive <java@evij.com.invalid> - 2018-08-25 11:32 +0100
              Re: random passwords Paul <nospam@needed.invalid> - 2018-08-25 07:49 -0400
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-27 23:12 +0000
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-27 23:40 +0000
                Re: random passwords Paul <nospam@needed.invalid> - 2018-08-27 20:10 -0400
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-28 00:17 +0000
                Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-27 20:52 -0400
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-27 22:31 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-28 10:23 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-28 14:45 +0000
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-28 23:00 +0000
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-29 01:22 +0000
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-29 07:21 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-29 11:37 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-29 12:25 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-29 19:35 +0100
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-29 17:46 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-30 06:53 +0100
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-30 07:48 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-30 19:07 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-31 00:36 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-31 03:10 +0100
                Re: random passwords Chris Elvidge <chris@mshome.net> - 2018-08-31 12:26 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-29 23:36 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-29 11:35 +0100
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-29 23:45 +0000
      Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-24 18:07 +0000
        Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-24 20:27 +0000
    Re: random passwords Bud Frede <frede@mouse-potato.com> - 2018-09-03 07:23 -0400
  Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 16:57 +0000
    Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:07 +0000
  Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-23 17:02 +0000
    Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 17:25 +0000
      Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-23 17:32 +0000
      Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:46 +0000
        Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 18:07 +0000
        Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 12:51 -0600
    Re: random passwords Allodoxaphobia <knock_yourself_out@example.net> - 2018-08-24 02:35 +0000
  Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-25 11:13 -0500
    Re: random passwords Rich <rich@example.invalid> - 2018-08-25 17:24 +0000
      Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-25 13:17 -0500
        Re: random passwords Rich <rich@example.invalid> - 2018-08-25 20:27 +0000
          Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-25 21:28 -0500
            Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-26 01:19 -0400
              Re: random passwords Rich <rich@example.invalid> - 2018-08-26 13:43 +0000
                Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-26 14:15 +0000
                Re: random passwords Rich <rich@example.invalid> - 2018-08-26 15:18 +0000
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 09:30 -0500
              Re: random passwords Michael Black <mblack@pubnix.net> - 2018-08-26 11:44 -0400
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-26 16:40 -0500
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 21:11 -0500
                Re: random passwords Allodoxaphobia <knock_yourself_out@example.net> - 2018-08-28 13:29 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-28 14:32 +0100
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-27 07:17 +0100
                Re: random passwords Melzzzzz <Melzzzzz@zzzzz.com> - 2018-08-27 06:21 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-27 08:15 +0100
                Re: random passwords Roger Blake <rogblake@iname.invalid> - 2018-08-27 22:44 +0000
              Re: random passwords azigni <azigni@yahoo.com> - 2018-08-26 12:55 -0600
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 16:09 -0500
                Re: random passwords Rich <rich@example.invalid> - 2018-08-26 21:32 +0000
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 21:11 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-27 07:19 +0100
            Re: random passwords Doug McIntyre <merlyn@dork.geeks.org> - 2018-08-26 00:41 -0500
              Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 06:48 -0500

csiph-web