Re: Password Strength

Posted by Pedro Almada on
URL: http://confocal-microscopy-list.275.s1.nabble.com/Password-Strength-tp6673797p6674107.html

*****
To join, leave or search the confocal microscopy listserv, go to:
http://lists.umn.edu/cgi-bin/wa?A0=confocalmicroscopy
*****

Guy,

The connection speed isn't an issue with a modern hacker. Most will use
"farms" of hacked computers. Those worms your antivirus likes to delete are
usually attempts at gaining use of your machine and internet connection to
be used for attacks like this. So, one machine can't do it, but several
thousand on the internet can. Also, dictionary attacks require a reduced
number of attempts, by several orders of magnitude.
You make a good point of how the server should also throttle or block
connections after x attempts, but you'd be amazed at how many small website
administrators don't actually do that. As an example, Twitter was a victim
of such a dictionary attack:
http://www.codinghorror.com/blog/2009/01/dictionary-attacks-101.html

Considering how many websites require a unique login and how many users have
the same password across several websites, you can guess that a small
website which was successfully hacked will reveal the credentials for other,
more important websites. And hackers do keep lists of successful logins
which they sell and trade between each other...

Best,
Pedro


On 10 August 2011 21:12, Guy Cox <[hidden email]> wrote:

>
> Martin,
>
>            It's probably right, but 1000 guesses per second would require a
> connection speed way beyond even what I get on campus to another on-campus
> computer.  Even 100 per second (one month) seems implausible.  At 10 guesses
> per second you're looking at 2½ years ... And any system that will allow you
> 268,435,456 attempts at logging in before it freezes you out is terminally
> insecure!  (MS exchange allows 5 tries).
>
>                The four random words thing is fine provided that (a) only
> very few do it and (b) the words truly are random.  But if it catches on
> then all a cracking algorithm has to do is try every combination of
> dictionary words that add up to the password length, a vastly simpler task.
>
>                                        Guy
>
>
> Optical Imaging Techniques in Cell Biology
> by Guy Cox    CRC Press / Taylor & Francis
>     http://www.guycox.com/optical.htm
> ______________________________________________
> Associate Professor Guy Cox, MA, DPhil(Oxon)
> Australian Centre for Microscopy & Microanalysis,
> Madsen Building F09, University of Sydney, NSW 2006
>
> Phone +61 2 9351 3176     Fax +61 2 9351 7682
>             Mobile 0413 281 861
> ______________________________________________
>      http://www.guycox.net
>
>
>
> -----Original Message-----
> From: Confocal Microscopy List [mailto:[hidden email]]
> On Behalf Of Martin Wessendorf
> Sent: Thursday, 11 August 2011 5:31 AM
> To: [hidden email]
> Subject: Password Strength
>
> Dear List--
>
> I can't say I've ever sent a link for a webcomic to the confocal list,
> but here goes.
>
> http://xkcd.com/936/
>
> (As far as I know, clicking on this link will not infect your computer
> with a virus or take you to a porn site.)
>
> Anybody able to verify or disprove this?  Intuitively, it makes sense,
> but so do a lot of things that are wrong.
>
> Martin
> --
> Martin Wessendorf, Ph.D.                   office: (612) 626-0145
> Assoc Prof, Dept Neuroscience                 lab: (612) 624-2991
> University of Minnesota             Preferred FAX: (612) 624-8118
> 6-145 Jackson Hall, 321 Church St. SE    Dept Fax: (612) 626-5009
> Minneapolis, MN  55455                    e-mail: [hidden email]
>
>
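Pedro's point that small sites often lack any throttling, and Guy's arithmetic about how many guesses a server would have to accept, both come down to the same server-side control. The following is an added example written for this thread, not code from anyone on the list: a minimal login throttle that locks an account after a fixed number of failures and separately caps failures per source address, replayed against two constructed attempt streams, plus the guess-rate arithmetic from the discussion. The 5-failure limit echoes the "MS Exchange allows 5 tries" remark; the 15-minute lockout, the 50-failure per-IP cap, the account names, the `10.0.0.x` / `192.0.2.x` addresses and the guessed passwords are all assumptions constructed for the demonstration.

```python
"""Login throttling demo: per-account lockout plus a per-source cap.

Added example for this thread, not code from anyone on the list. Every
number and name below is constructed: the 5-failure limit echoes the
"MS Exchange allows 5 tries" remark; the 15-minute lockout, the 50-failure
per-IP cap, the account names and the 10.0.0.x / 192.0.2.x addresses are
assumptions chosen for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ThrottlePolicy:
    max_failures: int = 5        # failed tries per account before lockout
    lockout_seconds: int = 900   # assumption: 15-minute lockout window
    ip_max_failures: int = 50    # assumption: failures per source IP per window


class LoginThrottle:
    """Tracks failed logins per account and per source address.

    The per-account rule is what defeats a distributed ("farm") attack:
    a botnet rotates source addresses, so an IP-only rule never trips,
    but every guess still lands on the same account.
    """

    def __init__(self, policy=None):
        self.policy = policy or ThrottlePolicy()
        self.account_failures = defaultdict(list)  # account -> failure times
        self.ip_failures = defaultdict(list)       # ip -> failure times
        self.locked_until = {}                     # account -> unlock time

    def _prune(self, times, now):
        # Keep only failures inside the current window.
        times[:] = [t for t in times if now - t < self.policy.lockout_seconds]

    def allow(self, account, ip, now):
        """Return True if an attempt may even reach password checking."""
        if self.locked_until.get(account, 0) > now:
            return False
        self._prune(self.ip_failures[ip], now)
        return len(self.ip_failures[ip]) < self.policy.ip_max_failures

    def record_failure(self, account, ip, now):
        self.ip_failures[ip].append(now)
        fails = self.account_failures[account]
        fails.append(now)
        self._prune(fails, now)
        if len(fails) >= self.policy.max_failures:
            self.locked_until[account] = now + self.policy.lockout_seconds
            fails.clear()

    def record_success(self, account, now):
        self.account_failures[account].clear()
        self.locked_until.pop(account, None)


def simulate(throttle, attempts, real_password):
    """Replay (time, account, ip, password) tuples and count outcomes."""
    out = {"admitted": 0, "throttled": 0, "success": 0}
    for now, account, ip, password in attempts:
        if not throttle.allow(account, ip, now):
            out["throttled"] += 1
            continue
        out["admitted"] += 1
        if password == real_password:
            out["success"] += 1
            throttle.record_success(account, now)
        else:
            throttle.record_failure(account, ip, now)
    return out


def botnet_dictionary_attempts():
    """Constructed stream: 20 guesses at one account, each from a new IP."""
    attempts = [(t, "guy", f"10.0.0.{t + 1}", f"word{t}") for t in range(20)]
    # The account owner tries during the lockout, then again after it expires.
    attempts.append((30, "guy", "192.0.2.10", "correcthorsebatterystaple"))
    attempts.append((1000, "guy", "192.0.2.10", "correcthorsebatterystaple"))
    return attempts


def single_ip_stuffing_attempts():
    """Constructed stream: one source tries 60 different accounts once each."""
    return [(t, f"user{t}", "10.0.0.99", f"leaked{t}") for t in range(60)]


def search_space(dictionary_size, words):
    """Candidates for a passphrase of `words` words from one dictionary."""
    return dictionary_size ** words


def days_to_exhaust(space, guesses_per_second):
    """Worst-case days to try every candidate at a sustained online rate."""
    return space / guesses_per_second / 86400


def guesses_per_day_under(policy):
    """Online guesses per account per day once the lockout is enforced."""
    return policy.max_failures * 86400 / policy.lockout_seconds


if __name__ == "__main__":
    print(simulate(LoginThrottle(), botnet_dictionary_attempts(), "correcthorsebatterystaple"))
    print(simulate(LoginThrottle(), single_ip_stuffing_attempts(), "correcthorsebatterystaple"))
    print(search_space(2048, 4) == 2 ** 44, days_to_exhaust(2 ** 28, 100))
    print(guesses_per_day_under(ThrottlePolicy()))
```

Replaying the botnet stream shows why the per-account rule matters: twenty guesses arrive from twenty addresses, only the first five reach password checking, and the rest are refused until the window expires, which caps an attacker at 480 online guesses per account per day under this policy. The same run also shows the trade-off of a hard lockout: the account owner's correct login at second 30 is refused too, so production systems usually prefer escalating delays or CAPTCHA-style friction over outright lockout to avoid handing attackers a denial-of-service lever. The `days_to_exhaust` figures reproduce the 2^28-guess space from Guy's message: about 3.1 days at 1000 guesses per second and about 31 days at 100 per second.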