[cryptography] Password non-similarity?

ianG iang at iang.org
Sun Jan 1 22:01:37 EST 2012

On 1/01/12 18:09 PM, coderman wrote:
> On Sat, Dec 31, 2011 at 9:36 AM, ianG<iang at iang.org>  wrote:
>> ...
>> When I was a rough raw teenager doing this, I needed around 2 weeks to pick
>> up 5 letters from someone typing like he was electrified.  The other 3 were
>> crunched in 4 hours on a vax780.
> how many samples? (distinct shoulder surf events)

About 1 a day, say 10, without making it obvious.

> 2 weeks sounds really generous.
He was really fast... he'd been caught before, it was all fair game to 
the obnoxious unwashed ones.  Trick was, it was the spanking new system 
5 vax 780 code from bell labs, not the locally hardened level 7 version 
(locally called kevunix), and it had the old unfixed ... 8 character 
password limit ;-)  So the other 20 or so were thrown away.

>> Force-changing the password reduces the exposure to shoulder-surfing.  In
>> some corporate environments they also see password changes as a way to
>> reduce account sharing, but then users typically fight back with the +1
>> technique.
> yup. this whole threat is a good example of why single sign on with
> multi-factor auth is great. let the password be weak - it is only a
> liveness / confirmation check. the real auth is in protected, tamper
> evident (maybe resistant) hardware storage.
> still sad the 1-wire tech never took off. crypto stick looks good; but
> haven't played with one yet... [0]
> and RSA SecurID is not, of course. ;)

An awful lot depends on what you are trying to do.  Compliance?  Legal 
contract?  Liability limitation? Hack prevention?  End-user security?  

Security is not a goal unto itself.  The first step in any analysis is to 
understand the business model.  There's actually little wrong with an 
office sharing a bunch of accounts based on role not person, and they'll 
do it regardless of what you design or intend.  So the smart money used 
to be on locking down external/physical access completely, and letting 
the locals run amok.  Of course, that's getting more and more difficult.

>> It is only in recent times that people have started to rethink, and decided
>> the pre-Internet model is unhelpful.
> changing context; it's harsh on threat models!

Yep.  Or not, as the case may be.  If there is no disconfirming 
information, the system can be stable.  If there is no threat, the 
security model works perfectly; it defeats all threats, as designed.  
Unravelling that trap can be hard, because the original threat model has 
been replaced with a belief model.

> 0. Crypto Stick
>    http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
