[colug-432] password survey

Bill Baker bill_chris at earthlink.net
Sat May 24 13:08:47 EDT 2014


On 05/24/2014 01:00 PM, Rob Funk wrote:
> On Saturday, May 24, 2014 12:38:42 PM Bill Baker wrote:
>> OK, so let's say we all start immediately using public key
>> authentication (in reality, I would bet that we will still be using
>> password authentication 20, 30 or even 50 years into the future).  How
>> long until the next tool comes along that renders even that useless?
> There's always a progressive arms race. Both sides continually improve 
> their methods. Recognition of that doesn't mean the answer is unilateral 
> surrender.

I'm not saying that either, just that it seems that the crackers are
always going to be one step ahead because adopting new
methods/technology moves at a snail's pace.  Just look how long it took
for people to solve the Y2K problem.

>> I guess my point here is that the user in the joke is probably an office
>> drone who is not keeping any sensitive information on her computer.
> I vaguely recall Kevin Mitnick addressing that in his book about social 
> engineering. People don't realize the value, to the right person, of the 
> information that they have access to.

Yes, that's true, but the sort of information that can be obtained from
one office drone can typically be obtained from another, easier target. 
Not always, but most of the time.

>> A cracker would most likely not invest much time trying to crack her
>> password, and move on to her more vulnerable co-workers.
> Yes, a lot of personal security choices boil down to being a harder target 
> than your neighbor.
>
My point exactly.
