Comments on Errata Security: Passwords: uniqueness, not complexity
Blog author: David Maynor. Comment feed last updated 2024-01-16.

Jordan (2012-01-08 23:16 -05:00):

I prefer a modified form of the unique password generated by keepass per site. I use super genpass, available as a bookmarklet that runs on every browser, from my iPhone, desktop, and even my old palm treo back in the day. I remember one password, each site gets a unique password. Best of both worlds. (It just hashes my "master password" with the domain name to generate a unique PW. Works great for things like Internet cafes since I can generate the PW on my phone and not care too much if it gets keylogged.)

Anonymous (2012-01-06 12:24 -05:00):

Maybe just me, but better to create and manage complex passwords across the board (using the right tools). "Any" info obtained by subterfuge could be used to compromise those interests at any time.

Hackers' tools like "purpose-built password breaking machines" provide hackers with advanced algorithm calculation speed abilities.

If too much for the average user, moving away from "easy" to using unique passwords, combined with "complex" for the important ones, is fine, as long as one makes note of the info included in messages (sometimes read by hackers, spammers, malware makers...).

securitynirvana (2012-01-06 05:24 -05:00):

Oh, and somebody should buy Nick Selby a beer. He's got it right.

Robert Lemos wrote about the same things here: http://www.infoworld.com/t/password-security/dont-blame-users-dumb-passwords-970

(And the summary from Cormac Herley at Microsoft on the second page of that article is pure genius.)

securitynirvana (2012-01-06 05:21 -05:00):

I've blogged a response to your blog post, available here: http://securitynirvana.blogspot.com/2012/01/errata-for-errata-security.html

While I do agree with your overall conclusion, I think you have parts of it wrong.

As for the hysteria over the #stratfor leak, the interesting question is more about whether the hackers got the passwords a long time ago, and whether the users at #stratfor used the same passwords at other and more important sites.

The blog post in 2011 from Troy Hunt on password reuse between Sony and Gawker showed a 67% reuse rate. If the stratfor leak is anywhere near that, hackers may have gained access to much more valuable data than a few million USD in credit card data and the apparent "fun" of displaying bad security practices to the world.

Anonymous (2012-01-04 17:10 -05:00):

Well said. The near hysteria over this leak is funny. Analysis of this leaked DB isn't going to help many people unless they are attacking throw-away accounts.

Now if people are also using these passwords on their gmail/twitter/blah accounts or on their personal systems...

Reminds me of the genius of xkcd: https://www.xkcd.com/792/

Unknown (2012-01-04 15:06 -05:00):

I have been using a different password for every site where I have an account. I can recommend keepass to everyone; it runs on android/win/linux and supports storing the password vault on an ftp.

Robert Graham (2012-01-04 13:43 -05:00):

BTW, this is what frustrates me with full-disk encryption. I need one level of complexity to protect "sleep mode", and a much higher level of complexity to prevent offline brute-force cracking of the encrypted password on the disk.

Unfortunately, I can't choose two passwords, and have to choose the more complex one. Therefore, every time my notebook goes to sleep, I end up having to type a long password to bring it out of sleep. It usually takes me more than one try. This is very, very annoying.