[colug-432] password survey

Scott McCarty scott.mccarty at gmail.com
Fri May 23 09:00:49 EDT 2014


Yeah, agreed, AES-256 can still be broken if the password isn't complicated enough. Admittedly, it would take some analysis to see about that particular password, as it is fairly long, even if not complicated. It's plausible that it was cracked.

Personally, I do not consider hashing of any kind secure, because it is plausible to crack some of the passwords. Worse, it's a moving target, with ASICs and video cards cracking faster and faster. I am not trying to preach, but I prefer keys and session encryption for anything production. By their very nature, keys are two-factor and revocable.

Best Regards
Scott M

----- Original Message -----
> From: "Angelo McComis" <angelo at mccomis.com>
> To: "Central OH Linux User Group - 432xx" <colug-432 at colug.net>
> Cc: "Central OH Linux User Group - 432xx" <colug-432 at colug.net>
> Sent: Friday, May 23, 2014 2:04:53 AM
> Subject: Re: [colug-432] password survey
> 
> I'm not saying you're wrong here, but it's entirely possible that
> they did have one way hash and strong encryption but used a simple
> brute force tool (aka John the Ripper) across the password file and
> it was able to solve that because it has (depending on how you look
> at it) a simple pattern of letters only (upper and lower, but no
> symbols or numeric), and was only based on dictionary words.
> 
> Aside from that, yes - it's a valid point you bring up here.
> 
> > On May 22, 2014, at 9:37 PM, Richard Hornsby
> > <richardjhornsby at gmail.com> wrote:
> > 
> > 
> >> On May 22, 2014, at 17:26 , Judd Montgomery <judd at jpilot.org>
> >> wrote:
> >> 
> >> A friend just sent me something a little silly on this topic that
> >> I figured I'd share.
> >> 
> >> During a recent password audit by a company, it was found that an
> >> employee was using the following password:
> >> "MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"  When asked
> >> why she had such a long password, she rolled her eyes and said:
> >> "Hello!  It has to be at least 8 characters and include at least
> >> one capital."
> > 
> > I realize that this is a little tongue-in-cheek and that my
> > response is not ...
> > 
> > A valid retort might be: "Instead of asking me why my password is
> > so long, let me ask you what encryption method are you using that
> > you're able to read out everyone's password like that?"  Pushing
> > further, "Do you understand the risk to our company (and likely
> > our customers) if a bad guy gets into our stuff, because you have
> > passwords stored in a reversible, or worse, plaintext format?"
> > And poking them just a little more for good measure, "Do you, Mr.
> > security person giving me grief about my insanely long password,
> > not understand what a one-way hash is?"
> > 
> > Sorry, I get annoyed by foolish waste of energy in this space that
> > seems entirely directed at the wrong problem.
> > 
> > 
> > 
> > _______________________________________________
> > colug-432 mailing list
> > colug-432 at colug.net
> > http://lists.colug.net/mailman/listinfo/colug-432
> 
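As an added illustration (not code from anyone in this thread), here is the one-way, salted storage Richard is describing, with the tunable work factor that answers Scott's point about cracking hardware getting faster. The record layout, the iteration count and the sample password are constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for this example;
# a deployment tunes it to its own hardware and raises it over time as
# GPUs and ASICs get faster at guessing.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """One-way, salted hash stored as algorithm$iterations$salt$digest (hex).

    Nothing in the record lets an auditor read the password back out; it can
    only be checked by re-deriving the digest with the stored salt.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the record's salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def guess_cost_ratio(iterations: int = ITERATIONS, samples: int = 2000) -> float:
    """How many times more work one guess costs against PBKDF2 than bare SHA-256.

    This ratio is what the work factor buys the defender: a dictionary run
    that is cheap against an unsalted fast hash is slowed by this much here.
    """
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(b"MickeyMinniePluto" + salt).digest()
    bare = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"MickeyMinniePluto", salt, iterations)
    return (time.perf_counter() - start) / bare


if __name__ == "__main__":
    rec = hash_password("MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento")
    print(rec, verify_password("MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento", rec))
    print(f"per-guess slowdown vs bare SHA-256: {guess_cost_ratio():.0f}x")
```

A long password made of dictionary words still benefits from this: the work factor multiplies the cost of every guess, but it does not replace a password that is hard to guess in the first place.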
