Saturday, September 04, 2010

Password lengths as told by the media

At the end of August researchers at Georgia Tech Research Institute (GTRI) released a case study that received a lot of attention in international media. Their own header was perhaps a little tough:

It's a cool case study. It's a good thing that the insecurity of short/bad passwords gets attention in the press. Still, I can't see anything here that hasn't already been said, presented and written by others. Not that it matters in this case.

What I think is really sad about this case is that a LARGE number of media outlets seem to have misinterpreted or even misquoted you. That does happen a lot in the media, and once the damage is done it is rather impossible to fix. The story has been reported, read, and mostly forgotten already.

See; you didn't say anything about online versus offline attacks against passwords. You only focused on brute-forcing a complete keyspace in the fastest time possible using GPUs. No logic to the attack whatsoever is mentioned by you, as far as I can see. So you end up with a recommendation for passwords of length 12, still without any words on online/offline attacks, encryption/hashing algorithms, detection and slowdown mechanisms for online attacks, etc. I tried to find a paper or something on what you've done, but no link is easily available from the above article at the GTRI website. Was it just a simple calculation of GPU speed vs keyspace?

Google tells me there are... lots of articles based on your case study. I had a look at the online story from CNN. No segregation between online and offline attacks against passwords, and it happily refers to an old blog post from Microsoft as "a Microsoft website devoted to password security". That's just wrong, and while we're on that blog post, read what I've written earlier on password meters...

I'm sorry if I sound a little hard on you guys at GTRI, but this case study, at least in the media, becomes FUD, not much more.

Ending notes:
1. Take a look at the leaked RockYou password list - you'll find evidence of websites allowing much more than 32 characters in user passwords.

2. Once upon a time I found a person using OverbuljongpakkmesterassistentXX (XX being 2 digits) as his password on a Windows system. Only the NTLM hash was available. The keyspace is way beyond anything comprehensible to crack within the next couple of years. But when you decide on using a common hybrid form (Upperlowerlowerlower.....2-digits-at-the-end) along with a "word" found in a wordlist (thank you Sébastien Raveau!), an offline attack executed in a single thread on a standard home computer CPU will get you easily.
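To make the two points above concrete (the GPU-versus-keyspace calculation, the online/offline distinction, and how a hybrid "Capitalised word + 2 digits" pattern collapses the keyspace), here is a small added example in Python. It is not from the post or from GTRI. The wordlist, its assumed size, and both guess rates are constructed assumptions chosen for illustration; swap in your own numbers.

```python
"""Keyspace arithmetic: a full brute force of the printable keyspace versus a
hybrid (dictionary word + digits) pattern, and the same keyspace at an online
(rate-limited) versus an offline (GPU) guess rate.  All rates and list sizes
below are assumptions for illustration, not figures from the post."""
import re

PRINTABLE_ASCII = 95             # letters, digits, punctuation and space
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed mini wordlist; a real dictionary is far larger, so the size used
# for the maths is an assumed value passed in separately.
WORDLIST = {"overbuljongpakkmesterassistent", "sommer", "dragon", "password"}
ASSUMED_WORDLIST_SIZE = 1_000_000

# Assumed guess rates: a throttled online login form, and an offline attack
# against a fast unsalted hash such as NTLM.  Neither number is from the post.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 1_000_000_000

# The hybrid shape from the post: Upper + lower... + exactly two digits.
HYBRID = re.compile(r"^([A-Z][a-z]+)(\d{2})$")


def brute_force_keyspace(length, alphabet=PRINTABLE_ASCII):
    """Candidates to try when nothing about the password is assumed."""
    return alphabet ** length


def hybrid_keyspace(wordlist_size, digit_suffix_len=2):
    """Candidates for 'capitalised dictionary word + N digits'.  The fixed
    capitalisation rule adds no multiplier; only the word and digits vary."""
    return wordlist_size * 10 ** digit_suffix_len


def classify(password, wordlist=WORDLIST, wordlist_size=ASSUMED_WORDLIST_SIZE):
    """Return (pattern_name, effective_keyspace): the hybrid pattern if the
    word part is in the dictionary, otherwise the full printable keyspace."""
    m = HYBRID.match(password)
    if m and m.group(1).lower() in wordlist:
        return "hybrid", hybrid_keyspace(wordlist_size, len(m.group(2)))
    return "brute", brute_force_keyspace(len(password))


def seconds_to_exhaust(keyspace, guesses_per_sec):
    """Worst-case time to try every candidate at a given rate."""
    return keyspace / guesses_per_sec


def years_to_exhaust(keyspace, guesses_per_sec):
    return seconds_to_exhaust(keyspace, guesses_per_sec) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample passwords: the hybrid one from the post and a random
    # 12-character string that matches no pattern.
    for pw in ("Overbuljongpakkmesterassistent42", "Xq7!pL2#vR9z"):
        pattern, space = classify(pw)
        print(f"{pw}: {pattern} pattern, keyspace {space:.3e}")
        for name, rate in (("online", ONLINE_GUESSES_PER_SEC),
                           ("offline", OFFLINE_GUESSES_PER_SEC)):
            print(f"  {name:8s} {years_to_exhaust(space, rate):.3e} years")
```

The lesson the numbers teach is the one the post makes: a 31-character password that follows a predictable hybrid shape has an effective keyspace of wordlist size times 100, which a single CPU thread exhausts offline in minutes, while the same guess budget against a throttled online service takes months. Length alone says nothing without the attack model and the hashing behind it.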

Well... Sorry again, but I had to comment on this one. Consider me a Troll if you get mad at me.
