Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.security.misc > #1374

Re: random passwords

From Ivan Shmakov <ivan@siamics.net>
Newsgroups comp.security.misc, comp.os.linux.misc, alt.os.linux
Subject Re: random passwords
Date 2018-09-01 13:45 +0000
Organization A noiseless patient Spider
Message-ID <87va7pcovw.fsf@miko.siamics.net> (permalink)
References (5 earlier) <plm57g$p91$2@dont-email.me> <878t4xgouh.fsf_-_@miko.siamics.net> <87r2ip16jf.fsf@LkoBDZeT.terraraq.uk> <871sapghob.fsf@miko.siamics.net> <87ftz50y87.fsf@LkoBDZeT.terraraq.uk>

Cross-posted to 3 groups.

Show all headers | View raw

>>>>> Richard Kettlewell <invalid@invalid.invalid> writes:
>>>>> Ivan Shmakov <ivan@siamics.net> writes:

 >>> As a concrete example: suppose your password is 8 random lower-case
 >>> characters; suppose it uses crypt(3) with MD5 with 1003 rounds
 >>> (which is/was the Glibc default);

	I haven't yet checked the source, but the manual [1] doesn't
	seem to mention the hash function being applied repeatedly.

[1] http://gnu.org/s/libc/manual/html_node/

 >>> your attacker gets the ciphertext of the password

[...]

 >>> I make that 3E11*3600/1003/720=1.5E9 candidate passwords per
 >>> dollar, or $140 dollars to do an exhaustive search.

	And I gather that adding a single digit to that will increase
	the effort by the factor of 90, while each additional lowercase
	letter will (obviously) multiply that by 26.

	I suppose I can consider a 12-character password secure enough
	for my needs, even if it's composed of lowercase characters only.

 >> Yes; that's a fairly specific threat model, which I'd describe as
 >> "the attacker gets one of your passwords and uses that to deduce
 >> some other."  That's a huge problem for those who use a single
 >> password, perhaps with slight alteration, across several resources.

 > i. e. most people.

	If that's indeed the case, shouldn't we move the emphasis to
	using unique passwords, from the current "be sure to include at
	least one punctuation, digit, a capital letter, a kanji and an
	emoji; make your password at least 99 characters long; and never
	use a dictionary word, of any language, in all of it, ever"?

 >> Now, if that's not the case; the attacker getting the ciphertext
 >> means that the resource was compromised.  And somehow, I cannot
 >> readily imagine a plausible scenario where the password's ciphertext
 >> can get leaked without the adversary getting control over other,
 >> more important parts of the system.

 > Argument from incredulity notwithstanding, it happens all the time.

	So, the point is that instead of spending their time causing
	inconvenience to their targets, the attackers instead get the
	hashes, and can have thousands of accounts compromised at their
	leisure?  That actually makes sense; not to mention that it
	makes possible to sell the data to third parties.

	Still, one another thing to recommend is to change one's
	password as soon as the leak is known.

 > Yahoo, LinkedIn and Adobe are some high-profile examples from the
 > last few years.

	Thankfully, I couldn't care less about these specific companies'
	leaks.

-- 
FSF associate member #7257  http://softwarefreedomday.org/  15 September 2018

Back to comp.security.misc | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 14:05 +0000
  Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-23 09:47 -0500
    Re: random passwords Wouter Verhelst <w@uter.be> - 2018-08-24 10:16 +0200
      Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 11:46 +0100
        Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-24 09:19 -0400
        Re: random passwords Daniel60 <daniel47@eternal-september.org> - 2018-08-25 21:57 +1000
          Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-25 13:32 +0100
  Re: random passwords Richard Kettlewell <invalid@invalid.invalid> - 2018-08-23 15:50 +0100
    Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 16:40 +0000
      Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:12 +0000
      Re: random passwords Richard Kettlewell <invalid@invalid.invalid> - 2018-08-23 18:49 +0100
        Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-09-01 13:45 +0000
          Re: random passwords Rich <rich@example.invalid> - 2018-09-01 15:02 +0000
          Re: random passwords Allodoxaphobia <knock_yourself_out@example.net> - 2018-09-01 16:54 +0000
          Re: random passwords Richard Kettlewell <invalid@invalid.invalid> - 2018-09-04 07:37 +0100
  Re: random passwords Rich <rich@example.invalid> - 2018-08-23 15:12 +0000
    Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-23 12:49 -0400
      Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:18 +0000
        Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-23 17:27 +0000
          Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:44 +0000
    Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 12:38 -0600
      Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 12:47 -0600
        Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-24 02:20 +0000
        Re: random passwords Jasen Betts <jasen@xnet.co.nz> - 2018-08-24 05:10 +0000
      Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 02:32 +0100
        Re: random passwords Rich <rich@example.invalid> - 2018-08-24 01:56 +0000
          Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 11:37 +0100
        Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 20:13 -0600
          Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 11:42 +0100
            Re: random passwords Chris Elvidge <chris@mshome.net> - 2018-08-24 11:55 +0100
              Re: random passwords Paul <nospam@needed.invalid> - 2018-08-24 08:37 -0400
                Re: random passwords Chris Elvidge <chris@mshome.net> - 2018-08-24 13:51 +0100
                Re: random passwords Paul <nospam@needed.invalid> - 2018-08-24 12:41 -0400
            Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-25 02:03 +0000
              Re: random passwords Java Jive <java@evij.com.invalid> - 2018-08-25 11:32 +0100
              Re: random passwords Paul <nospam@needed.invalid> - 2018-08-25 07:49 -0400
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-27 23:12 +0000
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-27 23:40 +0000
                Re: random passwords Paul <nospam@needed.invalid> - 2018-08-27 20:10 -0400
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-28 00:17 +0000
                Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-27 20:52 -0400
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-27 22:31 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-28 10:23 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-28 14:45 +0000
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-28 23:00 +0000
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-29 01:22 +0000
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-29 07:21 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-29 11:37 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-29 12:25 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-29 19:35 +0100
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-29 17:46 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-30 06:53 +0100
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-30 07:48 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-30 19:07 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-31 00:36 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-31 03:10 +0100
                Re: random passwords Chris Elvidge <chris@mshome.net> - 2018-08-31 12:26 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-29 23:36 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-29 11:35 +0100
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-29 23:45 +0000
      Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-24 18:07 +0000
        Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-24 20:27 +0000
    Re: random passwords Bud Frede <frede@mouse-potato.com> - 2018-09-03 07:23 -0400
  Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 16:57 +0000
    Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:07 +0000
  Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-23 17:02 +0000
    Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 17:25 +0000
      Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-23 17:32 +0000
      Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:46 +0000
        Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 18:07 +0000
        Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 12:51 -0600
    Re: random passwords Allodoxaphobia <knock_yourself_out@example.net> - 2018-08-24 02:35 +0000
  Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-25 11:13 -0500
    Re: random passwords Rich <rich@example.invalid> - 2018-08-25 17:24 +0000
      Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-25 13:17 -0500
        Re: random passwords Rich <rich@example.invalid> - 2018-08-25 20:27 +0000
          Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-25 21:28 -0500
            Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-26 01:19 -0400
              Re: random passwords Rich <rich@example.invalid> - 2018-08-26 13:43 +0000
                Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-26 14:15 +0000
                Re: random passwords Rich <rich@example.invalid> - 2018-08-26 15:18 +0000
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 09:30 -0500
              Re: random passwords Michael Black <mblack@pubnix.net> - 2018-08-26 11:44 -0400
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-26 16:40 -0500
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 21:11 -0500
                Re: random passwords Allodoxaphobia <knock_yourself_out@example.net> - 2018-08-28 13:29 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-28 14:32 +0100
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-27 07:17 +0100
                Re: random passwords Melzzzzz <Melzzzzz@zzzzz.com> - 2018-08-27 06:21 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-27 08:15 +0100
                Re: random passwords Roger Blake <rogblake@iname.invalid> - 2018-08-27 22:44 +0000
              Re: random passwords azigni <azigni@yahoo.com> - 2018-08-26 12:55 -0600
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 16:09 -0500
                Re: random passwords Rich <rich@example.invalid> - 2018-08-26 21:32 +0000
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 21:11 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-27 07:19 +0100
            Re: random passwords Doug McIntyre <merlyn@dork.geeks.org> - 2018-08-26 00:41 -0500
              Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 06:48 -0500

csiph-web