[Discuss] Most common (or Most important) privacy leaks
Richard Pieri
richard.pieri at gmail.com
Tue Feb 17 22:15:54 EST 2015
So. Someone replied directly to me instead of the list suggesting that
character length is an important factor in password security.
Letter count is a pointless factor in password security. "Four score and
seven years ago" is 30 characters and still trivially vulnerable to
dictionary attacks. "We hold these truths to be self-evident" is 40
characters and it is just as weak as the first example.
Password reform starts with abandoning password rules and policies.
Rules and policies are bad. Every policy that you enforce makes it
easier for attackers to analyze passwords. If you have a policy that
enforces a 15 character minimum then an attacker knows to ignore
everything that is 14 or fewer characters, and given human nature he can
ignore everything over about 20 characters for most passwords. If you
have a policy that enforces the use of at least one number then an
attacker has 9 known possible plaintexts in every password. At least one
capital letter is 26 known possible plaintexts. And so forth.
LastPass was suggested as an enterprise solution. By Ghu, where do I
start with this. Relying on a third party that has no obligation to
maintain the integrity of your keys? Relying on a third party that has
crafted its terms of service such that you have no recourse if they
screw up or an attacker compromises their system and exposes your entire
business to the world? And this is being floated as an enterprise
solution? 'Nuff said.
--
Rich P.
More information about the Discuss
mailing list