Slashdot Mirror


New HTTPS Bicycle Attack Reveals Details About Passwords From Encrypted Traffic (softpedia.com)

campuscodi writes: Dutch security researcher Guido Vranken has published a paper [PDF] in which he details a new attack on TLS/SSL-encrypted traffic, one that can potentially allow attackers to extract some information from HTTPS data streams. Attackers could extract the length of a password from TLS packets, and then use this information to simplify brute-force attacks. The new HTTPS Bicycle Attack can also be used retroactively on HTTPS traffic logged several years ago. Hello NSA!

2 of 78 comments

  1. How useful really is password length? by Sowelu · Score: 4, Insightful

    Seems to me that if you wanted to brute force something, you'd start with the minimum size allowed and go up from there. If there are 50 different characters allowed for any letter of a password, then testing all possible 7-length passwords takes 1/50th the time as testing all possible 8-length passwords, and so on. Negligible.

    I guess it could be useful to know whether or not a given password IS brute-forceable, though, and give you a rough ETA. An attacker could say "huh, this guy only has a 6-letter password, we can grab that in a minute", or "this guy has a length 20 password, we have no chance".
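To put numbers on the comment's "negligible" claim, here is an added example (not from the article, the paper or the commenter) that computes how much brute-force work a leaked password length actually saves, and the worst-case time to exhaust one length at an assumed guess rate. Charset size, length range and guess rate are all assumed inputs.

```python
# Added example: quantifies the saving from knowing a password's exact length.
# Inputs (charset size, length range, guess rate) are assumptions, not page data.

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def cumulative_keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Candidates tried when walking every length from min_len up to max_len,
    which is what an attacker without the length leak has to do."""
    return sum(keyspace(charset_size, n) for n in range(min_len, max_len + 1))


def speedup_from_known_length(charset_size: int, min_len: int, true_len: int) -> float:
    """Work without the leak (lengths min_len..true_len) divided by work with it
    (only true_len). Because the per-length keyspace is a geometric series, the
    ratio is always below charset_size / (charset_size - 1): about 1.02 for a
    50-character alphabet, so the leak saves roughly 2% of the work at most."""
    return cumulative_keyspace(charset_size, min_len, true_len) / keyspace(charset_size, true_len)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of one length at a constant guess rate,
    i.e. the 'rough ETA' a leaked length gives an attacker."""
    return keyspace(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    # Constructed scenario: 50-character alphabet, minimum length 1, true length 8.
    print(f"speedup from known length: {speedup_from_known_length(50, 1, 8):.4f}x")
    print(f"upper bound: {50 / 49:.4f}x")
    # Constructed guess rate of 1e9/s; compare a 6-character and a 20-character password.
    print(f"6 chars:  {seconds_to_exhaust(50, 6, 1e9):.1f} s")
    print(f"20 chars: {seconds_to_exhaust(50, 20, 1e9):.3e} s")
```

The 6-versus-20 comparison is where the leak matters: it tells the attacker which accounts are worth attacking at all, not how to attack them faster.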

  2. https bicycle attack by PopeRatzo · Score: 4, Funny

    I think this is taking the Internet of Things too far.

    --
    You are welcome on my lawn.