Scared of brute force password attacks? Just 'GIVE UP' says Microsoft

Sysadmins trying to harden user passwords against brute force attacks, or everyday folk trying to make sure their passwords don't lead to nude selfie leaks may not need to bother, according to the latest research from Microsoft mavericks. Redmond password provocateurs Dinei Florencio and Cormac Herley say password hardening …


  1. jake Silver badge

    So basically, MS says ...

    ... clueless idiots running MS products are clueless? I can live with that. I won't work on it, mind, but I can live without it.

    1. Sir Runcible Spoon

      Re: So basically, MS says ...

      Or M$ are admitting they are clueless.

      "For reversibly-encrypted codes that use strong algorithms, crackers would need the relevant decryption key. Without it, they would have no effective means of offline attack even if the users' password was 123456," the duo wrote.

      Ok, so technically accurate, but misleading. Even if I couldn't crack the password offline, there's no reason I couldn't just 'have a go' at entering 123456 as a password, which would obviously work.

      Having a gnarly password doesn't just make it harder to crack, it makes it hard to guess, and if you re-use passwords from other sites, it only takes one of them to leak the password in a weak manner and all of your accounts are screwed.

      Have M$ got a product launch relating to passwords coming up soon or something?

      1. dogged

        Re: So basically, MS says ...

        Having a gnarly password makes it harder to remember and relying on a gnarly password is nearly as dumb as... well... jake.

        1. Dave 126 Silver badge

          Re: So basically, MS says ...

          >if you re-use passwords from other sites, it only takes one of them to leak the password in a weak manner and all of your accounts are screwed.

          In the article in which they discuss that, their advice is to reuse passwords across low-value sites - such as forums - and to reserve dedicated passwords for important sites, such as your email, shopping and banking services.

          In addition, attackers have to know which email address you have used as your username for each site in order to use a compromised password - if you use you+ebay7antelope@gmail.com and you+amazon4mountain@gmail.com for eBay and Amazon respectively, a compromise of one site's system won't reveal your username for another.

          1. This post has been deleted by its author

            1. Anonymous Coward

              Re: So basically, MS says ...

              > My online reputations have great value (built up over years)

              Erm... Judging by the voting tally of your post...

          2. JeffyPoooh
            Pint

            Re: So basically, MS says ...

            Dave proposed: "you+ebay7antelope@gmail.com"

            Hmmm. What if the hackers have heard about the gmail "+" trick? If they had, then they'd be able to write a script to defeat your countermeasure.

            1. Dave 126 Silver badge

              Re: So basically, MS says ...

              >What if the hackers have heard about the gmail "+" trick? If they had, then they'd be able to write a script to defeat your countermeasure.

              How?

              They would have to brute force your username at the same time as trying to brute force your password. And as we know: lots x lots = shitloads.

              1. JeffyPoooh
                Pint

                Re: So basically, MS says ...

                I see. The users' email addresses have been hashed too; not just the passwords.

                Right you are then. Here, have a beer. Thanks.

      2. James Delaney

        Re: So basically, MS says ...

        They're saying complexity isn't the answer. A memorable password might be the answer as long as it's only memorable to you i.e. not common.

      3. Anonymous Coward

        Re: So basically, MS says ...

        Why are they even suggesting two-way encrypted passwords??

        We've been trying hard to convince people it's a bad thing, and Microsoft go and praise it.

    2. Adam 1

      Re: So basically, MS says ...

      >... clueless idiots running MS products are clueless?

      That statement may be true *cough* TIFKAM *cough*, sorry had to clear my throat.

      What was I saying? That's right, I think you missed the point. If say A! Company! Whose! Name! I! Will! Redact! So! As! Not! To! Embarrass! Them! stores your super duper unbreakable "wrong unicorn paperclip capacitor" password in clear text then it is compromised.

      BTW, congratulations reg; nice click bait :)

  2. AbortRetryFail

    Interesting

    So I guess what they're saying is that, if the thieves have your safe in a secluded lockup and have a range of power tools, plasma cutters, explosives, etc, it doesn't matter how good the locks are on the safe. Whereas if you have armed guards standing over your safe 24/7 then it's less important how good the lock is.

    Hmmmm.

    1. Anonymous Coward

      Re: Interesting

      I read it more as "there is no point investing in really expensive locks (long passwords) if everyone makes the safe out of paper (i.e. the other security is implemented wrong)".

      That said, their approach is a race to the bottom - let's make everything as weak as the weakest part - rather than trying to improve industry best practice to reduce the number of "implemented wrong" instances in the wild.

      1. Tom 13

        Re: their approach is a race to the bottom

        I don't read it as a race to the bottom. I read it as trust your users to know how important the information they are putting on your website is and fix the things you've frelled up instead.

    2. Tom Wood

      Re: Interesting

      You're right. If they can steal the safe then it doesn't matter whether it's made from cardboard or plywood or hardened steel, they will find a way to attack it.

      The problem consumers have is that they are trusting their passwords to a safe of unknown quality surrounded by an unknown number of guards who may or may not be unfit and unable to run very fast and prone to fall asleep on the job.

      Security is only as strong as its weakest link, so given that we don't know how careful websites are with their password security (recent incidents would suggest: not very) we should still follow all the usual rules (long complex passwords, don't reuse them, etc).

      1. dogged

        Re: Interesting

        As an interesting aside, Apple are saying the iCloud attacks aren't their fault because the attacks were online.

        And apparently they don't lock you out after three (or even three hundred) failed login attempts.

        The users are apparently securing it wrong. Not Apple. Apple are infallible.

        1. Steve Todd

          Re: Interesting

          No, they are saying that their host systems weren't compromised, only individual user accounts due to weak passwords and security questions (there does seem to have been an issue where there was no rate limiting on guesses). If the host systems had been compromised then ALL users would have been at risk.

          1. dogged

            Re: Interesting

            That's exactly what I said, except for your pro-Apple spin.

            Failure to enforce lockout after multiple failed login attempts is pathetic and there's no excuse for it.

            Frankly, I hope Jennifer Lawrence sues.

            1. Steve Todd

              Re: Interesting @dogged

              No, they didn't say that it wasn't their fault, they have placed rate limiting code on the affected systems now. IMHO the best way to do this is to get exponentially slower returning a response after each failed logon. Humans will just go through the "forgot my password" procedure, machines will get only a couple of chances at guessing before things become too slow to use.

              What Apple did say is that it's not an issue for the vast majority of their users as the attacks were only on specific accounts and wouldn't have succeeded against harder passwords.

              The Apple hating community (of which I'm assuming you're a member) seem to overlook flaws in their own chosen platform and leap on the slightest error by Apple. Yes, it was a flaw. No, Apple don't create flawless code, nor have they ever made this claim.

              1. Fehu
                Paris Hilton

                Re: Interesting @dogged

                And to extend the safe analogy, guessing the combination of the safe if it is someone's birthday is low tech; actually drilling through a wall and cutting the safe away from the bolts that hold it to the floor takes a much higher level of criminal sophistication and commitment of resources. Lots of people can take wild guesses or less wild guesses if they know you have a habit of using your own birthday as your passcode; very few people have the expertise to actually steal the entire safe. But, to make it easy for every Tom, Dick and whoever to guess your easy password because someone might actually steal the safe? That's a very large logic fail. Make the easy stuff hard and the hard stuff close to impossible, then you can sleep at night.

                Paris, 'cause like M$ she has lots of money, but not much idea of how she got it or what to do with it.

            2. chr0m4t1c

              Re: Interesting

              >That's exactly what I said, except for your pro-Apple spin.

              My reading of your post was that it implied that Apple were lying. The iCloud servers were not breached, but individual accounts were hacked; pointing out the facts is not pro-Apple spin.

              >Failure to enforce lockout after multiple failed login attempts is pathetic and there's no excuse for it.

              Apple lock out accounts for eight hours after 12 failed attempts.

              Apple's reset process involves providing email address, date of birth and the answer to any one of a number of security questions (e.g. the name of your first pet). Unfortunately for people in the public eye most of that information is likely to be easily available from a number of sources and, like most people, they wouldn't think of just making up an answer, so a quick trip to Google will almost certainly allow you to gain illicit access to the account of pretty well anyone famous.

              Is this Apple's /fault/? Debatable. There are more things they could do, but then there are already additional security features available for Apple accounts that do not appear to have been turned on in this case (e.g. if you have 2FA turned on, then the password reset process will also require you to go through that).

              So we're back to square one, is it the fault of any company if users who do not use the security features provided then have their accounts breached?

              No. It's the fault of the people who gained access, in the same way that if you forgot to lock your front door it's not your fault if someone steals your TV. What you did might have inadvertently made it easy for them, but make no mistake that the person at fault is the thief.

              1. Tom 13

                Re: it implied that Apple were lying.

                They are. They said they have NO responsibility for the breach. Then go on to admit they didn't have rate limits on an obvious brute force attack path.

                They may not be SOLELY responsible for the breach, but they share in the blame. Yes, it is good that plebs weren't hacked because they weren't targeted. But that didn't mean the plebs were any safer than the celebs from the standpoint of a technical analysis.

            3. Anonymous Coward

              Re: Interesting

              @ Dogged.

              Whom?????

          2. This post has been deleted by its author

        2. mark 63 Silver badge

          Re: Interesting

          "And apparently they don't lock you out after three (or even three hundred) failed login attempts."

          That right there has got to be the simplest and most obvious of 'online' security features. Rate limiting, lockouts, and email alerts of failed attempts.
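          The two mechanisms discussed above (Steve Todd's "get exponentially slower after each failed logon" and the rate limiting / lockout that mark 63 calls for) as a worked example. This is added illustration code, not Apple's implementation and not code from any commenter; the in-memory state, the one-second base delay, the one-hour cap and the plaintext demo credential store are all assumptions made for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed credential store for this demo only. Real code stores salted,
# slow hashes rather than plaintext; the throttle does not care which.
CREDENTIALS = {"alice": "correct horse battery staple"}

def password_matches(user: str, guess: str) -> bool:
    stored = CREDENTIALS.get(user, "")
    # compare_digest keeps timing independent of where the strings differ
    return user in CREDENTIALS and hmac.compare_digest(stored.encode(), guess.encode())

@dataclass
class LoginThrottle:
    """Per-account exponential back-off. In-memory state is an assumption;
    a real service persists it so a restart does not reset the counter, and
    would key it on source address as well as account."""
    base_delay: float = 1.0      # seconds imposed after the first failure
    max_delay: float = 3600.0    # cap so one account cannot be locked forever
    state: dict = field(default_factory=dict)   # user -> (failures, not_before)

    def delay_after(self, failures: int) -> float:
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, user: str, guess: str, now: float) -> tuple:
        """Return (accepted, seconds the caller must wait before retrying).
        Inside a penalty window the credential is not evaluated at all, so
        hammering teaches the attacker nothing and only extends the window."""
        failures, not_before = self.state.get(user, (0, 0.0))
        if now < not_before:
            failures += 1
            not_before = now + self.delay_after(failures)
            self.state[user] = (failures, not_before)
            return False, not_before - now
        if password_matches(user, guess):
            self.state.pop(user, None)      # success clears the counter
            return True, 0.0
        failures += 1
        delay = self.delay_after(failures)
        self.state[user] = (failures, now + delay)
        return False, delay

def evaluated_when_hammering(n_guesses: int, interval: float) -> int:
    """Attacker sends n wrong guesses `interval` seconds apart and ignores
    the back-off. Returns how many guesses were actually checked."""
    t = LoginThrottle()
    checked = 0
    for i in range(n_guesses):
        now = i * interval
        if now >= t.state.get("alice", (0, 0.0))[1]:
            checked += 1
        t.attempt("alice", "guess%d" % i, now)
    return checked

def seconds_for_patient_guesses(n_guesses: int) -> float:
    """Attacker who waits out every window: wall-clock seconds needed before
    the n-th wrong guess is evaluated."""
    t = LoginThrottle()
    now = 0.0
    for i in range(n_guesses - 1):
        _, delay = t.attempt("alice", "guess%d" % i, now)
        now += delay
    return now
```

          Twenty guesses fired a tenth of a second apart get exactly one of them evaluated; an attacker who politely waits out each window needs 511 seconds to land ten guesses and is into the hourly cap after a dozen. A legitimate user who mistypes once waits a second, and a correct login resets the counter, which is the behaviour Steve Todd describes.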

          1. mark 63 Silver badge

            Re: Interesting

            saying "only as secure as the weakest link" - I disagree. If someone talks the guards into handing over the safe (loving these analogies btw), and the safe is made of unbreakableium, then the contents are still secure.

            The phrase "two-factor authentication", which seems to be heralded as the latest, greatest and safest, would be redundant if "only as secure as the weakest link" were true.

      2. James Micallef Silver badge

        Re: Interesting

        Problem is, how do I as a user know what security a site is using? Some of them actually do front up and say "we use salted hashed tables" (usually after a breach has occurred), most sites are mum on the issue (citing security concerns, but most likely these are the ones with rubbish security, and attempting security through obscurity)

        What I do is pretty close to MS recommendation - use 1 common password for all unimportant sites / forums etc, and different passwords for important sites. I *hope* that email, bank, e-commerce sites DO have the requisite security to prevent user info being stolen in the first place, and I also *hope* that in that eventuality the passwords at least are secure.

        The 1 site that I know (rather than hope) I can trust is my bank's e-banking site, because in the T&C's they explicitly say that THEY are responsible for security breaches of "their side" of the site.

    3. Anonymous Coward

      Re: Interesting

      > Whereas if you have armed guards standing over your safe 24/7 then it's less important how good the lock is.

      Depends on whether your guards are armed with AK47s or harsh words.

  3. hammarbtyp

    One password to rule them all

    There was a parody some time ago, where IT policy produced so many rules on acceptable passwords that in the end there was only one combination of characters that would meet the requirement, which of course all users then were required to use.

    Sometimes it feels like that when you register for a new website, forcing you to be even more imaginative on your password. Unfortunately you are then forced to write it down somewhere just so you can remember it next time you log on.

    Of course by adding weak/strong password dialogs, the website owners look like they are being secure. Not a lot of use however if they store them in some text file on a server.

    1. AndrueC Silver badge
      Facepalm

      Re: One password to rule them all

      Of course by adding weak/strong password dialogs, the website owners look like they are being secure. Not a lot of use however if they store them in some text file on a server.

      I find it ironic that after being chastised for sending passwords in the clear and/or not encrypting them my Tesco groceries password is now one of the strongest I've got. At least I can rest assured that no-one is going to be ordering groceries for me I suppose :-/

      1. ByeLaw101

        Re: One password to rule them all

        I think you under-estimate the risk here AndrueC. Tesco has to be secure, what happens if someone orders you Marmite!

        You didn't think of THAT did you !?

        ;)

        1. adam 40 Silver badge

          Re: One password to rule them all

          I see your point - Tesco would probably substitute Vegemite, which is totally disgusting...

          1. Anonymous Coward

            Re: One password to rule them all

            Tesco's own brand marmite was subject to a recall a year or two ago as it contained something which "caused skin sensitisation" in "susceptible" people.

            What the fuck they added to salt and yeast shit to cause urticaria I dread to think.

            Ensured I only ever bought Marmite after that...

      2. Lyndon Hills 1

        Re: One password to rule them all - tesco

        Have you read this?

        Tesco and SSL

        1. AndrueC Silver badge
          Meh

          Re: One password to rule them all - tesco

          Have you read this?

          I hadn't but that pre-dates their change to more-strict passwords (they invalidated existing accounts so you had to create a new password) and it pre-dates their recent facelift (I still prefer the old look). On a practical level I've had an account with them almost since they started home deliveries and they are one of the few etailers that has never sent spam nor leaked my (Tesco specific) email address.

          I'm not saying that security doesn't matter nor that they are doing it right but my experience is that Tesco is more secure than most of the etailers I've dealt with over the years. So strictly from my personal POV they are very secure.

    2. Joe 48

      Re: One password to rule them all

      A trick I used a while back was to never know my passwords. Every time I needed access I simply did a reset forgotten password. Added to 2FA on my google mail account and it suited my needs. I've since changed this as I figured my passwords bouncing around the net in plain text wasn't the best either. But for low risk websites I used at the time it did the trick.

      1. Mike Flugennock

        Re: One password to rule them all

        "A trick I used a while back was to never know my passwords. Every time I needed access I simply did a reset forgotten password..."

        Damn. I've had to do a few forgotten password resets, but I'd never thought of that.

        Fiendishly clever.

  4. John Tserkezis

    "Strength meters - the small bars that tell you if your password is weak or strong - are useless, the pair argue"

    I can attest to that. I had an application that had a three-stage password strength meter, and you could only get to that elusive third band if you used non-alphanumeric characters.

    Great I thought - till I found out I can't use ()*&% and some others. They were even quite helpful in letting me know what characters I can't use, to save time on brute forcing. Must have been some division of Microsoft...

  5. jason 7

    I just use...

    approx. 30-digit passwords made from 5 or 6 random words.

    If it limits me to 8 or 16 then I move on.
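    The random-word scheme jason 7 describes, as an added example (not code from any commenter or from the article). Assumptions: the tiny wordlist below is constructed for the demo and a real one, such as the 7776-word Diceware list, is what you would actually draw from; only the list size matters for the strength arithmetic, which is why the entropy helpers take it as a parameter.

```python
import math
import secrets

# Constructed stand-in wordlist. Only its size feeds the entropy maths;
# a real list is thousands of words long.
WORDS = ["antelope", "capacitor", "mountain", "paperclip", "unicorn", "pint",
         "marmite", "safe", "plywood", "guard", "lockup", "badge"]

def passphrase(n_words: int, wordlist=WORDS, sep: str = " ") -> str:
    """n words drawn with replacement using the OS CSPRNG (secrets, not random).
    Drawing with replacement keeps each word an independent 1-in-len(wordlist)
    choice, so the entropy formula below is exact."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

def entropy_bits(n_words: int, list_size: int) -> float:
    """Bits of entropy for n independent picks from a list of the given size.
    This is the strength even if the attacker has the list and knows the scheme."""
    return n_words * math.log2(list_size)

def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count reaching target_bits from a list of the given size."""
    return math.ceil(target_bits / math.log2(list_size))

def fits_length_limit(phrase: str, max_len: int) -> bool:
    """The check behind 'if it limits me to 8 or 16 then I move on'."""
    return len(phrase) <= max_len
```

    Five words from a 7776-word list is about 64.6 bits and six about 77.5, regardless of how "complex" the characters look; the security comes from the size of the list and the number of independent picks, not from the punctuation a strength meter rewards.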

    1. frank ly

      Re: I just use...

      "whatthef**kismypassword"

      1. Tom 13

        Re: I just use...

        I knew an email admin who used "Iamamoron!" whenever a user forgot his password and needed a reset. When somebody complained about it he changed it to "Iamamaroon!"

        1. Darryl

          Re: I just use...

          I used to always give forgetful users "Blondemoment!"

    2. Anonymous Coward 101

      Re: I just use...

      I found that TSB and Legal & General do not limit the length of the password one may choose, but limit the length of the password one may type in to access the website. Note that this is highly stupid, particularly as these websites need to be highly secure.

      1. depicus

        Re: I just use...

        Not as bad as 3DSecure passwords which have to be alphanumeric and (if I remember correctly) no longer than 12 characters long.

        1. Anonymous Coward
          Unhappy

          Re: I just use...

          re: 3DSecure

          That's because you're entering a 12-character password absolves them of responsibility for the transaction.

        2. Anonymous Coward

          Re: I just use...

          "Verified By Visa" - another Pandora's box.

          It doesn't differentiate between upper and lower case.

          So if you use Tz123456Q, it will ask for 3 characters, and it doesn't matter if you input tZq for the requested digits, it will still work. It's a sack of shit designed so the banks can pass on blame to you for "fraudulent" use.

          "But you enrolled on VBV, you MUST have given them access to your account. No compensation for you, me laddo"....

    3. Anonymous Coward

      Re: I just use...

      I wish it were that simple. My company has moved to office365...and my email password is now 50+ characters less than it was on the system(s) we had before.

      On the other hand, I'd bet real money that this report was commissioned and published to bolster Microsoft's position regarding the use of 8-16 character passwords in Outlook Online.

  6. DrXym

    Some truth to some of what they say

    I've had occasions where I click on the "I've forgotten my password" link and it's sent me back my PLAINTEXT password. In other words they never hashed it in the first place. This is indicative of a site which doesn't know what it is doing and is therefore likely to be hacked.

    Using a strong password on such a site is an utter waste of time and exposes other sites which take more care to salt and hash their passwords.

    These days I tend to rate sites in tiers - throwaway forums, one shot things, semi-frequent forums, online shopping / gaming stores, payment systems, banks & utilities. As I go up the tiers I become more stringent about security - the bottom tier may all share the same throwaway password. A tier up I might use a stronger password, with some uniqueness. Above that the passwords are all unique. By the time I get to banks / utilities it's usually augmented by whatever hard tokens, pins etc. that they issue. I also use different email addresses for most forum activity than I do for real life activity - I even use the likes of mailinator on the bottom tier. Everything is stuffed into Password Safe.

    Nothing can stop a site being hacked, but hopefully it minimizes the damage. If a site is compromised I review which sites share the same email/password and change them.

    1. Rich 11

      Re: Some truth to some of what they say

      In other words they never hashed it in the first place.

      Or it was reversibly encrypted.
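      The storage distinction running through this thread (Sir Runcible Spoon's point that a hashed "123456" falls to an offline guess in no time while online guessing works regardless of storage; DrXym's observation that a site which emails your password back never hashed it; Rich 11's "or it was reversibly encrypted") as a worked example. This is added code, not from the article, the Microsoft paper or any commenter. Assumptions: PBKDF2-HMAC-SHA256 with a deliberately low iteration count so the demo runs instantly, and a five-entry wordlist standing in for the top of a leaked-password list.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Iteration count kept low so the demo runs in a blink; an assumption for the
# example, not a recommendation. Production uses a far higher count or a
# memory-hard function such as scrypt or Argon2.
ITERATIONS = 1000

def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a per-user random salt plus PBKDF2-HMAC-SHA256 of the password.
    Nothing in the record can be turned back into the password, which is why a
    site that emails you your old password cannot be doing this."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}

def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])   # constant-time compare

def recover_plaintext(record: dict) -> Optional[str]:
    """What a hashing site can hand back on 'forgot my password': nothing.
    It can only let you set a new one. Plaintext or reversible (keyed) storage
    is the only way the old password comes back in an email."""
    return None

def offline_attack(record: dict, wordlist: List[str]) -> Optional[str]:
    """Attacker holding a stolen record tries a wordlist against it. The salt
    sits in the record, so it defeats precomputed tables but does nothing
    against a per-record run: only the password's guessability and the cost
    per guess stand between the attacker and a weak password."""
    for guess in wordlist:
        if verify_password(record, guess):
            return guess
    return None

# Constructed stand-in for the top of a leaked-password list.
COMMON = ["password", "123456", "qwerty", "letmein", "iloveyou"]

def demo() -> tuple:
    """(result of the offline run against '123456', same against a passphrase)."""
    weak = hash_password("123456")
    strong = hash_password("wrong unicorn paperclip capacitor")
    return offline_attack(weak, COMMON), offline_attack(strong, COMMON)
```

      Run it and the salted, iterated hash of "123456" gives the password up on the second guess while the passphrase record returns nothing; the salt and the slow hash raise the cost per guess, they do not make a guessable password unguessable. Reversible encryption with a well-kept key would indeed deny the offline run entirely, as the quoted paper says, but it leaves every password one "forgot my password" email or one leaked key away from plaintext, and it does nothing at all against online guessing, which is the case the throttle above has to handle.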
