

DisNamConInaLang
03.11.2013, 03:49 AM | #474
Quote: Originally Posted by Hengeste
I read the first couple of pages of this link and I was honestly amazed mostly because it actually makes sense, unfortunately. I will not profess to know exactly the headaches that BW has nor at this point in my life will I ever fully be able to. However, given that I am logging in with a physical key generator every time and might be changing to an android app instead, I feel relatively safe logging in because the code changes with every press of the button.

I would suggest that BW perhaps consider an exercise in greater explanation with this move, if it has not already been, that is.
Lots of sensationalist points made in that article, but every logical attack he makes begins with the assumption that something is already vulnerable or has been compromised -- the database containing the passwords (which should be protected at a minimum by web service layers, and the passwords should be hashed with a unique salt), the computer the user accesses, the length and strength of the password itself, or the carelessness of the housekeeper in trusting someone over the phone whose identity isn't properly verified. That doesn't prove anything about passwords being outdated. That's like saying keys are outdated because the burglar has stolen the key or broken a window. And yet keys remain the staple of physical security. And passwords the staple of web security. Utter fallacy.

Algorithms exist to stretch the length of time it takes to calculate password hashes, thus making brute force much more unlikely to succeed. Brute force only works in the first place against unsalted hashes of exposed passwords or systems that accept infinite logon attempts. It still remains that a large enough password (20 characters or more, maybe a little less) cannot be brute-force cracked or guessed. Humans can remember strings that long if properly constructed: twentYplUschar@cterS! is one trivial example. If they're lazy then that is a different story, but once again that doesn't prove anything about passwords being inherently weak or outdated.

I will stipulate that as systems grow complex the vulnerabilities appear in various ways. All of these need to be protected in order for the password to be useful. That, I take it, is the author's point, but again that does not prove the password to be useless.

The fact remains that humans put a much higher premium on convenience than security. The former is easy to understand and directly impacts productivity, unlike the latter. People need to be educated and pressure needs to be placed on large companies in order for any real change to occur.
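As an added illustration of the two defences the post above relies on, a unique per-user salt and a deliberately slow ("stretched") hash, the following Python is example code written for this page, not code from the original post or the forum. It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count, the 16-byte salt length and the sample passwords are assumed illustrative values, not a recommendation for any particular deployment.

```python
import hashlib
import hmac
import os
import time

# Illustrative work factor; real deployments tune this to their hardware budget.
ITERATIONS = 200_000
DIGEST = "sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return "iterations$salt_hex$hash_hex" using a fresh random 16-byte salt.

    Storing the salt and iteration count beside the hash lets verification
    recompute exactly the same derivation later.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iter_s, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        DIGEST, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iter_s)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def same_password_distinct_hashes(password: str) -> bool:
    """Two accounts with the same password get different stored values, so one
    precomputed table of hashes cannot be reused across accounts."""
    return hash_password(password) != hash_password(password)


def hashes_per_second(iterations: int, sample: int = 5) -> float:
    """Rough cost of checking one candidate against a hash at this work factor;
    a higher iteration count lowers how many candidates can be tested per second."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(sample):
        hashlib.pbkdf2_hmac(DIGEST, f"candidate{i}".encode(), salt, iterations)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    stored = hash_password("twentYplUschar@cterS!")  # sample password from the post
    print("stored record:", stored)
    print("correct password accepted:", verify_password("twentYplUschar@cterS!", stored))
    print("wrong password rejected:", not verify_password("twentYplUschar@cterS", stored))
    print("same password, distinct hashes:", same_password_distinct_hashes("hunter2"))
    print(f"hashes/s at 1 iteration: {hashes_per_second(1):,.0f}")
    print(f"hashes/s at {ITERATIONS} iterations: {hashes_per_second(ITERATIONS):,.0f}")
```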