Slashdot Mirror


Passwords: Too Much and Not Enough

An anonymous reader writes: Sophos has a blog post up saying, "attempts to get users to choose passwords that will resist offline guessing, e.g., by composition policies, advice and strength meters, must largely be judged failures." They say a password must withstand 1,000,000 guesses to survive an online attack but 100,000,000,000,000 to have any hope against an offline one. "Not only is the difference between those two numbers mind-bogglingly large, there is no middle ground." "Passwords falling between the two thresholds offer no improvement in real-world security, they're just harder to remember." System administrators "should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen."

2 of 223 comments

  1. Re:Why so high? by tqk · Score: 2, Interesting

    If you flag an account after 10 wrong guesses, start requiring a CAPTCHA after the first one ...

    Didn't we see a story a while ago purporting CAPTCHA had been cracked? I didn't bother with it myself (don't much care). It's only useful for web based logins, yes? I'm not suggesting those don't matter; just they don't matter much to me.

    ... and ban IP addresses when you detect massive multiple account attempts ...

    A few years ago, someone reported that this has changed the attackers from "batter on the door until it breaks" into a slow trickle instead; lots and lots of attacking hosts on separate IPs, each one making only one or two attempts, then moving on to the next on the list.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
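    The "slow trickle" pattern tqk describes is exactly what a per-IP ban misses. The following is an added illustration (not part of the comment above, and not Slashdot's or Sophos's code) that runs two detection rules over constructed sample log lines: a per-IP failure threshold, which never fires, and a per-account threshold that counts failures regardless of source and also reports how many distinct IPs contributed. The log format and thresholds are assumptions for the example.

```python
"""Added example: catching a distributed 'slow trickle' guessing campaign.
A per-IP ban counts failures per source address, so an attacker who spreads
guesses over many hosts (one or two per IP) never trips it. Counting failures
per *account*, whatever the source, still does. Log lines are constructed."""
from collections import Counter, defaultdict
import re

# Constructed sample auth log, one event per line: "<ts> <ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
1000 203.0.113.5 alice FAIL
1001 203.0.113.9 alice FAIL
1002 198.51.100.2 alice FAIL
1003 198.51.100.7 alice FAIL
1004 192.0.2.44 alice FAIL
1005 192.0.2.45 alice FAIL
1006 203.0.113.77 alice FAIL
1007 203.0.113.78 alice FAIL
1008 198.51.100.20 alice FAIL
1009 198.51.100.21 alice FAIL
1010 198.51.100.22 alice FAIL
1011 192.0.2.10 bob FAIL
1012 192.0.2.10 bob OK
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL)$")

def parse(log):
    """Yield (ts, ip, user, ok) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m[1]), m[2], m[3], m[4] == "OK"

def per_ip_bans(log, threshold=3):
    """IP rule: ban a source after `threshold` failures. Misses the trickle."""
    fails = Counter(ip for _, ip, _, ok in parse(log) if not ok)
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def flagged_accounts(log, threshold=10):
    """Account rule: flag a user after `threshold` failures from any source.
    Returns {user: (failures, distinct_source_ips)}; many distinct IPs for one
    account is itself the signature of a distributed guessing campaign."""
    count, sources = Counter(), defaultdict(set)
    for _, ip, user, ok in parse(log):
        if not ok:
            count[user] += 1
            sources[user].add(ip)
    return {u: (n, len(sources[u])) for u, n in count.items() if n >= threshold}
```

On the sample log the per-IP rule bans nobody, while the account rule flags alice with 11 failures from 11 distinct IPs.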
  2. Re: Passwords should not exist by sexconker · Score: 4, Interesting

    When you send things down a wire, everything is "something you know".
    A smart card or an RSA clock or a code sent via SMS is effectively just another password. And while it may be a strong password that's hard for an attacker to know, changes with time, etc., it's still vulnerable to MITM attacks because you're sending your shit over a single, unsecured channel. It's also a password the user has little to no control over, can lose and not have a backup of, etc., so entire management and recovery schemes are introduced to make them usable. They provide very little in terms of security over a strong password. They only fix 2 problems - weak passwords and keyloggers. But keyloggers are just a subset of compromised boxes, and if you're using a compromised box then you're susceptible to an active attacker MITMing you using your valid smart card / token / codes / etc.

    For two-factor security to actually be "two-factor", you have to validate the 2 things separately and via different means. A bank can do this in person by verifying your account information/name/etc. and your photo ID by actually fucking looking at the ID and you. When you automate everything and shove it down a single pipe (the internet), it's all effectively just a password.