[colug-432] password survey

Bill Baker bill_chris at earthlink.net
Sat May 24 12:38:42 EDT 2014


OK, so let's say we all start immediately using public key
authentication (in reality, I would bet that we will still be using
password authentication 20, 30 or even 50 years into the future).  How
long until the next tool comes along that renders even that useless? 
It's only been around 20 years since computers have moved from the
gamer/hobbyist/scientist realm to general, wide-spread business use. 
Who's to say that in another 20 years, computer hardware combined with
cracking software will become sufficiently advanced to render public key
authentication useless?

I guess my point here is that the user in the joke is probably an office
drone who is not keeping any sensitive information on her computer.  A
cracker would most likely not invest much time trying to crack her
password, and move on to her more vulnerable co-workers.

On 05/24/2014 11:25 AM, Rob Funk wrote:
> On Friday, May 23, 2014 07:57:51 PM Bill Baker wrote:
>> Thanks for the articles.  I glanced through the second link, the one you
>> said references XKCD, and the password examples they gave that their
>> crackers were able to decipher were terrible.  If they weren't too
>> short, the words they used were related to each other, not random
>> dictionary words.
> ...
>>  I still
>> maintain that the password in the joke (if it was not already a
>> well-known joke) would be practically Fort Knox secure.
> You're right for the old tools. But you're missing the general point about 
> the modern tools, which (combined with modern hardware) make it easy 
> and fast to guess by using combinations of random words (along with 
> mutations of them).
>
> Historically we've been able to rely on counting characters for security, 
> while making things more memorable by using a few longer semantic clumps. 
> But now the software understands those semantic clumps, reducing the 
> entropy in a long memorable password. So the same features that make a long 
> password memorable make it easier for the wordlist-equipped software to 
> guess.
>
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
> "The other variable was the account holders' decision to use memorable 
> words. The characteristics that made "momof3g8kids" and "Oscar+emmy2" easy 
> to remember are precisely the things that allowed them to be cracked. Their 
> basic components—"mom," "kids," "oscar," "emmy," and numbers—are a core 
> part of even basic password-cracking lists. The increasing power of 
> hardware and specialized software makes it trivial for crackers to combine 
> these ingredients in literally billions of slightly different permutations"
>
> The use of wordlists means that what we used to think of as an 11-character 
> password turns into a 4-5 element password, and a 52-character password 
> (which is within the limits of the software described) turns into a 
> 9-element password. Still a much-better-than-average password (and not 
> deserving of ridicule), but also still crackable with today's tools.
>
>
>> So what do we do?
> Depends on who "we" are. For users, password managers seem to be the 
> current best practice, generating and saving meaningless random long 
> passwords.
> http://arstechnica.com/security/2013/07/how-elite-security-ninjas-choose-and-safeguard-their-passwords/
> And certainly sysadmins and software developers need to make sure passwords 
> are salted and hashed using modern slow algorithms.
>
> But ultimately we need to get away from relying solely on passwords.
>
> For designing new authentication protocols, public key authentication is 
> secure but has problems with getting non-techies up to speed. And it still 
> doesn't help much with existing protocols that weren't designed with 
> public-key authentication in mind. Of course, neither end-users nor 
> sysadmins have the ability to change the standard protocols or other 
> people's services to get away from passwords.
>
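
Added example, not code from this thread or from either of its authors: a small Python script that makes the quoted "elements vs. characters" argument concrete, and shows the salted slow hash that the reply says sysadmins and developers should be storing. The toy wordlist, the treatment of separators as list entries, the 1000-entry list size used for comparison and the scrypt parameters are all assumptions chosen for illustration; a real cracking list is far larger. The passwords fed through it are the two from the Ars Technica quote, the well-known XKCD "correct horse battery staple" passphrase, and a constructed random string.

```python
"""Added example: a memorable password is worth fewer "elements" than
characters to a wordlist-equipped cracker; store a salted slow hash.
Not code from the colug-432 thread."""
import hashlib
import hmac
import math
import os

# Constructed toy wordlist (assumption). Real cracking lists run to
# millions of entries, but combinator attacks draw from the commonest few
# thousand, because the keyspace grows as list_size ** elements.
WORDLIST = ["mom", "dad", "kids", "oscar", "emmy", "love", "cat", "dog", "of",
            "g", "correct", "horse", "battery", "staple"]
DIGITS = [str(d) for d in range(10)]
SEPARATORS = ["+", "_", "-", " "]   # treated as list entries here (assumption)
PRINTABLE_ASCII = 95                # alphabet size assumed for brute force


def build_atoms():
    """Everything the combinator may place in one slot: case-mutated words,
    single digits and separators."""
    atoms = set(DIGITS) | set(SEPARATORS)
    for word in WORDLIST:
        atoms |= {word, word.capitalize(), word.upper()}
    return atoms


def segment(password, atoms):
    """Shortest decomposition of password into atoms (dynamic programming),
    or None if some part of it is not in the list at all."""
    n = len(password)
    best = [None] * (n + 1)   # best[i] = fewest atoms covering password[:i]
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            piece = password[start:end]
            if best[start] is None or piece not in atoms:
                continue
            candidate = best[start] + [piece]
            if best[end] is None or len(candidate) < len(best[end]):
                best[end] = candidate
    return best[n]


def char_bits(password):
    """Keyspace in bits if the attacker must brute-force every character."""
    return len(password) * math.log2(PRINTABLE_ASCII)


def element_bits(n_elements, list_size):
    """Keyspace in bits for an attacker who only has to fill n_elements
    slots, each drawn from a list of list_size entries."""
    return n_elements * math.log2(list_size)


def hash_password(password, salt=None):
    """Salted, memory-hard hash (scrypt from the stdlib; parameters are an
    assumption). Store salt and digest together; bcrypt or argon2 would
    serve the same purpose."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt; constant-time compare so a wrong
    guess leaks no timing signal."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    atoms = build_atoms()
    for pw in ["momof3g8kids", "Oscar+emmy2", "correct horse battery staple",
               "xK9#qLm2pW"]:
        parts = segment(pw, atoms)
        if parts is None:
            print(f"{pw!r}: {len(pw)} chars, {char_bits(pw):.1f} bits; "
                  "not coverable by this wordlist, brute force only")
        else:
            print(f"{pw!r}: {len(pw)} chars ({char_bits(pw):.1f} bits) -> "
                  f"{len(parts)} elements {parts}, "
                  f"{element_bits(len(parts), 1000):.1f} bits against a "
                  "1000-entry list")
    salt, digest = hash_password("Oscar+emmy2")
    print("verify correct:", verify_password("Oscar+emmy2", salt, digest))
    print("verify wrong:  ", verify_password("oscar+emmy2", salt, digest))
```

segment() is the cracker's view of a password: "momof3g8kids" is 12 characters to a brute-forcer but only 6 list entries to a combinator, and "Oscar+emmy2" is 4. A password that segment() cannot cover at all (the random string) forces the attacker back to per-character guessing, which is the case for password-manager output. On the server side, the salt makes a precomputed table useless across accounts and the scrypt cost makes each of those "billions of permutations" expensive to test.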


