Comments on Security Nirvana: Errata for Errata security

Feed updated: 2023-12-12T18:59:45.550+01:00

itinsecurity, 2012-01-06T14:02:08.129+01:00

30k accounts might be safe still, but for how long? And are they safe because they weren't bruteforced yet, or because they didn't apply the right word list, pattern or table to them?
We don't even know that these passwords fit any definition of "strong".

It's just a matter of time until they are cracked, and every day it's less and less time, as tools and computing power evolve. Even if we can move users to the "use a sentence" practice, which I strongly support myself, there is no telling how soon cracking or tables will catch up. Users might accept sentences, but not of unlimited length.

No, secure sites and proper hashing/encryption will have far, far more to say than creating very strong passwords. What we need is to get rid of the blindingly obvious passwords, and the reuse problem.

Anonymous, 2012-01-06T13:11:23.379+01:00

Hi Per

I agree with you on the points you are making, and although I am interested in security, I am not a security "geek" and don't know everything I probably should have known, the points you are making seem very valid based on my logic.

I've noticed that you, and other blogs, recommend LastPass, and based on this I have been using LastPass for a while, and so far, I like what I'm seeing. The only issue I'm a little worried about, is whether I can trust LastPass (or other similar solutions). Do you have any information that could "ease my worrying" :-)

securitynirvana, 2012-01-06T12:20:49.781+01:00

Since Stratfor actually did use password hashing, a better password could potentially save their customers from

1) embarrassment (for some maybe more important than others)

2) Lower risk of getting compromised at other sites, due to password reuse, since the password would be "unbreakable". @Purehate_ is above 96% cracked now, meaning there still are at least 30K+ account passwords that are "safe". If those passwords are reused at other sites, they are - for the time being - safe. (I would still enforce a password change though).

If I read it correctly on Twitter, Anonymous claims that they have compromised other sites based on the data from Stratfor. Unconfirmed yet, but I wouldn't be surprised if we'll see clear evidence of that soon.

Analysing the threat model is a good idea, but should never prevent you from implementing a bare minimum. Otherwise known as "good practice", it is hard to see that Stratfor did that in terms of implementation, hardening and maintenance.

As for the incident handling, information to customers etc AFTER the leak, it looks like they are handling the situation professionally.

itinsecurity, 2012-01-06T11:45:26.948+01:00

I get the impression that you and @erratabob are talking slightly past each other from your different viewpoints here.. especially since you seem to agree on Robert's main point.

Robert subscribes to the idea that "security is like dodgeball, you're fine as long as you're not a target" (I think it was Richard Bejtlich who said something like that).
As such, the argument that uniqueness trumps length/complexity is a sensible security trade-off for a lot of situations.
I mean.. how many of the Stratfor customers would really have been better off with a much stronger password? What additional protection would it give them?
Someone else recently wrote (on passwords): "You have to analyse the threat model", which is something a lot of the password analysis reports out there seem to forget. I see Robert's post as a reply to them.

As I like to put it myself: Passwords only have to be good enough.