[cryptography] Password non-similarity?

ianG iang at iang.org
Sat Dec 31 12:36:19 EST 2011


On 1/01/12 03:02 AM, Bernie Cosell wrote:
> So what problem _is_ being addressed by requiring passwords to be 
> changed so often [and so inconveniently]?

As far as I can tell, a lot of password threat modelling was pretty much 
settled in the days before the Internet.  In those days, the threats 
were more what we might now characterise as insider threats - attackers 
who could watch the users typing in the passwords over the shoulder.  
Part of that model was that an attacker might need multiple events to 
pick up the entire password or enough of it to contribute to a breach.

When I was a rough raw teenager doing this, I needed around 2 weeks to 
pick up 5 letters from someone typing like he was electrified.  The 
other 3 were crunched in 4 hours on a vax780.

Force-changing the password reduces the exposure to shoulder-surfing.  
In some corporate environments they also see password changes as a way 
to reduce account sharing, but then users typically fight back with the 
+1 technique.

Another artifact of those times was the password not displaying visibly 
on the screen.  Mac passwords now show the last letter ... which seems 
more useful to the attacker than the user, but it is better to encourage 
any step towards updating a dead threat model.  More sophisticated 
interfaces have a feature to turn on password display.

It is only in recent times that people have started to rethink, and 
decided the pre-Internet model is unhelpful.  Although, the attack model 
has enjoyed a resurgence with skimming attacks on payment systems, with 
attackers either being present or mounting cameras above the keypad to 
catch the finger presses.

iang, hny, fwiw, typing fast...



More information about the cryptography mailing list