Comments


DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

Your initial post in this thread exposed the fact that you don't know what the fuck a hash is, and thus don't know what the fuck you're talking about.

That's weird. Neither my initial post nor the post I responded to said anything about hashes. My initial post was responding to someone talking about using a dictionary attack to get someone's password. I presume you falsely think my "initial post" was the one in response to AC-x, which it wasn't. I also very much do know what a hash is. You and he seem to have a reading comprehension problem since you failed to understand my post. The point of my post was to say that, yes, having a password hash which you can use to try to recreate the original password does defeat what I stated, but that is tautological. If you can do an end run around the authentication protections it is no different than, as I said in an analogy, having someone's PIN to their phone. I never once stated that having a hash was the same as having a plaintext password, nor was there any such implication. Him stating that I believed the two were the same is basically a false presumption on his part by failing to understand my analogy.

You should have simply stopped posting, but here you are, digging deeper and deeper, committing more and more errors. You couldn't even quote a post properly.

I only messed up a quote once out of more than a dozen posts. Yeah, I totally don't know how to quote properly. Oh wait, I do.

Do you have an actual argument or just stupid ad homs like AC-x?

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

I would mod you up if I had points. I'm glad some people actually bothered to read and comprehend the context of my posts. Thank you!

At this point I will simply give up because I can't win when being bombarded by all these people twisting my words and taking me out of context.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

Maybe you should read the book I mentioned.

And that changes the fact that you redefined dictionary attack how?

You keep trying to defend a point beyond exhaustion.

Yes, because I was not wrong. Dictionary attacks are still dictionary attacks even if the attacker does not have password hashes. A dictionary attack simply means that the attacker has a list of dictionary words that can be used to try to guess the user's password. Nothing more.

Lay off on the aspergers.

Don't have it. Nice ad hom, though.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

Did you read his whole post?

This of course assumes the administrators are paying close enough attention to notice in short order when the database has been compromised

I also said this as well. Of course if you have no clue that you were attacked you can't employ such a measure. Isn't that quite an obvious implication? Secondly, there is no way any single website can prevent password reuse, so both he and I acknowledged that was another weakness. As he also said:

It also ignores the issue that most users use the same username and password across multiple sites, such that a pair compromised on one site and invalidated as described would still be valid on another site.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

Should be "Notice how neither that quote or even the rest of the article makes any mention".

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

And here is an article on Dictionary Attacks by Jeff Atwood. Notice how nowhere in the article does he mention anything about already having password hashes? And here is the original article from Wired about the very dictionary attack used against Twitter which is the context of Jeff's article. Here is a nice relevant quote:

The intrusion began unfolding Sunday night, when GMZ randomly targeted the Twitter account belonging to a woman identified as "Crystal." He found Crystal only because her name had popped up repeatedly as a follower on a number of Twitter feeds. "I thought she was just a really popular member," he said.

Using a tool he authored himself, he launched a dictionary attack against the account, automatically trying English words. He let the program run overnight, and when he checked the results Monday morning at around 11:00 a.m. Eastern Time, he found he was in Crystal’s account.

Notice how that quote or even the rest of the article makes any mention of the attacker already having hashes yet it was still called a dictionary attack.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

IP banning is less effective against a DDoS using a botnet of thousands of compromised home PCs.

Already mentioned in another post. At that point, you just lock the account entirely and ignore any and all further login attempts until you can get in contact with the account holder and work out things from there. It's an inconvenience for them, but much better than a breach.

Someone who wants to keep a legit user from being able to use the service could just log in a few times with an incorrect password and then repeat a few minutes later. Each IP would DDoS a separate user.

Better they be kept out of the service for some period of time versus their account being breached. You can also get around this by some sort of whitelisting mechanism paired with a two-factor authentication.

It's amusing how everyone is telling me that my ideas are bad yet they are basic security measures that almost every decent website and service uses. I can even name drop Jeff Atwood to back me up as well:

Limiting the number of login attempts per user is security 101. If you don't do this, you're practically setting out a welcome mat for anyone to launch a dictionary attack on your site, an attack that gets statistically more effective every day the more users you attract. In some systems, your account can get locked out if you try and fail to log in a certain number of times in a row. This can lead to denial of service attacks, however, and is generally discouraged. It's more typical for each failed login attempt to take longer and longer, like so:

http://blog.codinghorror.com/d...

And even Bruce Schneier agrees and quotes the very same article:

Bad Password Security at Twitter
Twitter fell to a dictionary attack because the site allowed unlimited failed login attempts:

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

Coding Horror has more, but -- come on, people -- this is basic stuff.

http://www.schneier.com/blog/a...

So are you guys going to tell me how Jeff Atwood and Bruce Schneier are idiots and don't know anything despite the fact that what I said is basically parroting their own suggestions?

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

I am going to have to side with AC-x, here, you don't have a fundamental understanding of what he is putting forth in this discussion. You seem to be defending your points without fully understanding them.

I fully understood what he put forth and repeatedly stated that it had no relation to the context of my original statement.

Dictionary attacks are not used on things that are rate limited - they are used on grabbed hashes.

Not true. A dictionary attack has no such prerequisite. Dictionary attacks are used all the time even when you have no grabbed hash. You're simply redefining the term.

Wikipedia:

In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.

Technique
A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values).[1] In contrast with a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words, for example a dictionary (hence the phrase dictionary attack). Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), such as single words found in dictionaries or simple, easily predicted variations on words, such as appending a digit. However these are easy to defeat. Adding a single random character in the middle can make dictionary attacks untenable. Unlike brute-force attacks, dictionary attacks are not guaranteed to succeed.

Funny, not a single mention of a grabbed hash and I can find many such more definitions and explanations that also contain no such prerequisite.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

Sure, that is a problem but it's not as if any single site can prevent that. As I've said over and over again, nothing of what I have stated is perfect since there is no such perfect security measure. As stated numerous times, my comments about certain things are always within a certain context.

To offer up an analogy to the way AC-x has been attacking me: My original post would be like me talking to someone who says that it's pretty easy to pick a lock that has an external keyhole (which is certainly true in many situations), and then I come back by saying that in such a case you should have a deadbolt that has no way to be unlocked externally. AC-x then comes into the conversation to tell me about how if the person has a sledgehammer they can just brute force their way around the deadbolt problem. I then come back and say, sure, they could also simply break a window to bypass the deadbolt as well. And then he comes back telling me about how I'm stupid and don't know anything of how deadbolts and sledgehammers work.

Now, his statement is surely true that a sledgehammer breaking through a door will certainly be able to bypass a deadbolt. He is also correct that having previously infiltrated a system you can try to offline brute force a password so that you can get in without hitting any of the mitigations I brought up. But that was not the context of the response that I made to the person, which was simply that of someone trying to dictionary attack a site without having any prior knowledge about the user's password (or in the hypothetical situation the person simply has a lockpick set, not a sledgehammer).

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

To add, I want to again stress that what I stated is not a catch-all for any and all potential attack vectors. It was simply made in the context of a person attempting to dictionary attack a user's password without them already having a password hash list or any other information from having previously breached your system. Anything beyond that scenario obviously requires further mitigations and procedures being in place.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

If they do, there are botnets that help you try lots in a short period of time.

After the first 5 failed logins you don't allow ANY logins for the cooldown period, so having a botnet doesn't really help you. Also, it would be trivial to detect that someone is hopping from IP to IP to try to login to the same account as this would not be something a normal user would ever do. At that point you simply lock the account entirely, ban any of the IPs that continue to try to login to the account and then work from there.

Most attacks involve dumping the password hash database.

Which is a different scenario than what I was referring to. In that case you better hope you detected the attack or else you are basically fucked.

And even brute forcing is getting easier. If you need a SPECIFIC password, it's not any easier, but if you have a bunch of hashes and you want a good chunk of accounts (without caring if you have every account), it's actually easy. In fact, Ars Technica covers a domain-specific brute forcer [arstechnica.com] that relies on terminology from the sites cracked to get a list of potential passwords EXTREMELY quickly. Follow this with trivial modifications to get more. If you have a list of a million passwords, you could easily derive half of them this way, and then move on to the next list.

Brute forcing is getting easier. That is why you simply make your site an unattractive one to attack by making it so they can only do a very small amount of attempts before hitting a cooldown and then an eventual total account lock. Sure, this can be an annoyance to a user, but it's much better than their account being breached. But again, if the attacker already has a password hash list from already cracking your system, they have a much easier go at you especially if they can find out you didn't salt the hashes (or you used a weak PRNG for the salting, etc.) or do any other proper procedures.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

This of course assumes the administrators are paying close enough attention to notice in short order when the database has been compromised, and that all users define a secondary means of contact through which to send a reset password. It also ignores the issue that most users use the same username and password across multiple sites, such that a pair compromised on one site and invalidated as described would still be valid on another site.

A very valid concern and as I address in another post it is not a perfect solution. There is no way to prevent users from reusing passwords across sites nor will there ever be a foolproof way to spot every intrusion. But then again, no security procedure is perfect and anyone stating otherwise is selling you snake oil.

And as I've had to state over and over again (and this isn't meant against you wagnerrp), my statement about rate limiting, etc. was in the context of a post that did not mention an attacker already having compromised the system and having a DB dump with all the password hashes. That is a completely distinct scenario than the one I referred to and obviously would require other mitigations.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

Thank you! Someone that actually took the time to figure out the context of my statements.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

By your previous posts it seemed you needed things put in simple terms, especially since you claimed that 1) knowing the hash is the same as knowing the password (it's not) and 2) rate limiting could defeat offline password cracking (it can't). Do you stand by those claims?

Nope, because I never claimed that. You misunderstood my point and started falsely assuming things.

That's no solution: 1) Relies on the attack being detected in the first place.

Of course it is predicated on knowing you've been attacked. I was pretty sure that would be quite obvious. Of course, if you've been attacked and have no knowledge of it, then these security measures won't prevent an attacker from being able to attack you again after offline brute forcing a password.

It's also completely irrelevant to the question of being able to dictionary attack a password.

And I never said it had anything to do with that scenario. You've basically been twisting my words into something I never stated or implied and then have applied them to scenarios outside of what I originally responded to. At this point I'm simply just going to ignore you.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

Yes, they aren't. But all these scenarios are orthogonal to what I was responding to originally, which is someone talking about using a dictionary attack to brute force a password.

As I originally responded to AC-x, if the attacker already has the hash and can then brute force it, of course what I mentioned doesn't stop them, but that scenario is no different than knowing their phone's PIN and being able to side step any of the very same protections I mentioned that phone OSes use which is to use a lock-out after a certain number of failed attempts.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

And before the grammar nazis come out, yes I accidentally typed you're instead of your. Let me go commit seppuku now.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

Hey Desler I really don't get you, you (appear to) know what a salt is yet you don't understand that an attacker would be performing the attack on the hash offline, with their own hardware. Rate limiting their own hardware would be, as you put it, the height of idiocy.

Except what you are talking about was not what I was originally responding to. You basically injected yourself into the conversation and completely changed the context and then started calling me an idiot. I suggest you re-read what I originally responded to:

They can be, but it would be incredibly stupid to use something like that. A dictionary attack would crack that password in seconds.

What I do is have a single, strong password that I have stored only in my brain and all other passwords are hashed on-the-fly from that and the domain or name of whatever I need the password for. I get unique, strong password for everything, but only have to remember a single one.

Do you notice that nowhere in that quoted statement is there anything about the attacker already having the password hash?

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

You probably shouldn't try to write about things you don't know about or understand.

My irony meter exploded.

1. The industry accepted way to store passwords securely in a database is with a one-way, salted cryptographic hash (using as CPU intensive algorithm as possible).

Duh. Being Captain Obvious again?

2. Many organisations have had database intrusions where these password hashes have been stolen (eg. eBay [threatpost.com], Linkedin [sophos.com], LivingSocial [arstechnica.com] etc.)

Yes, they have.

3. When this happens (i.e. "they have a copy of the password hash") passwords can be cracked offline. Strong passwords are safe (too hard to brute force), but weak passwords can be found using a dictionary attack.

Of course, this is why you lock the accounts until the user resets the password. Poof, that attack vector is now gone.

4. Once the password is found offline a hacker can log straight in to the victim's online account with a single password attempt.

Only if you're system admins are dumb enough to not do what I state above.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

Only if the passwords haven't been salted properly. Even then, a rainbow tables attack can also be thwarted by the same techniques I mentioned above. Allowing any attacker the ability to do 10s of millions if not a couple of billion (with powerful enough hardware) tries a second to brute force a password is just the height of idiocy. Using constant time password checking, rate limiting, cooldown periods and as a last resort IP bans makes you such an unattractive target that they usually just move on to some other insecure site.

about 3 months ago

DARPA Wants To Kill the Password

Desler Re: There we go again (383 comments)

Forgot to close my quote tag so fixing it.

However if a chosen password appears in a password dictionary then you can cut down your brute force search space by so much it goes from taking years (even centuries) to crack a password to taking a few hours (sometimes minutes).

Yes, that's why you stop such attacks by rate limiting and cooldowns and then eventually just ban their IP if they are just obviously an attacker. If they can only have 5 tries every 15-20 minutes the attacker is going to give up unless the user's password just happens to be near the very beginning of the dictionary.

about 3 months ago
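The policy argued for across these posts (5 failed attempts, then a cooldown during which no attempt on the account is checked at all; an outright lock when one account is hit from many addresses; constant-time password checking; and, from the Atwood quote, an escalating delay per failure) as one worked example. This is added illustration code, not anything from the thread or from the sites it cites; the `LoginThrottle` class, its thresholds and the sample users are all constructed here.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed thresholds, following the "5 tries every 15-20 minutes" figure in the thread.
MAX_FAILED = 5              # failures before the account enters a cooldown
COOLDOWN_SECONDS = 15 * 60  # cooldown length; failures older than this no longer count
MAX_DISTINCT_IPS = 3        # more distinct failing IPs than this on one account => hard lock


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, deliberately slow one-way hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginThrottle:
    """Hypothetical per-account failed-login accounting: cooldown, hard lock, IP-hop detection."""

    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users                  # username -> (salt, digest)
        self.clock = clock                  # injectable so tests can advance time
        self.failures = defaultdict(list)   # username -> [(timestamp, source_ip), ...]
        self.cooldown_until = {}            # username -> monotonic timestamp
        self.locked = set()                 # accounts frozen until the holder is contacted

    def _recent_failures(self, user: str) -> list:
        """Failures still inside the cooldown window; older ones are forgotten."""
        cutoff = self.clock() - COOLDOWN_SECONDS
        self.failures[user] = [f for f in self.failures[user] if f[0] >= cutoff]
        return self.failures[user]

    def delay_seconds(self, user: str) -> float:
        """Escalating response delay (0, 1, 2, 4, ... s) as an alternative to hard lockout."""
        n = len(self._recent_failures(user))
        return 0.0 if n == 0 else float(2 ** (n - 1))

    def attempt(self, user: str, password: str, ip: str) -> str:
        """Returns 'ok', 'bad_password', 'cooldown' or 'locked'."""
        now = self.clock()
        if user in self.locked:
            return "locked"
        if self.cooldown_until.get(user, 0) > now:
            # Nothing is checked during cooldown, not even a correct password, so
            # spreading guesses across a botnet's addresses buys the attacker nothing.
            return "cooldown"
        record = self.users.get(user)
        # Always run the hash and a constant-time compare, using a dummy record for
        # unknown users, so response timing does not reveal which usernames exist.
        salt, digest = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if record is not None and hmac.compare_digest(candidate, digest):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user].append((now, ip))
        recent = self._recent_failures(user)
        if len({src for _, src in recent}) > MAX_DISTINCT_IPS:
            # One account failing from many addresses is not normal user behaviour:
            # freeze it outright rather than keep playing whack-a-mole with IP bans.
            self.locked.add(user)
            return "locked"
        if len(recent) >= MAX_FAILED:
            self.cooldown_until[user] = now + COOLDOWN_SECONDS
        return "bad_password"
```

Because the failure window equals the cooldown, an account gets at most five checked guesses per cooldown period, which is the budget the posts above describe.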

Submissions


Apple App Store claimed to be infested with 'zombie software'

Desler writes | more than 2 years ago

Desler (1608317) writes "In what will possibly take some wind out of the sails of Apple's trumpeted iOS app count, mobile analytics firm Adeven has published a study saying that 2/3rds of all software on the App Store are 'zombies:

Zombies may provide a perennial source of material for mobile games, but no developer actually wants their app to be the walking dead. Nonetheless, according to new mobile analytics and ad verification firm Adeven, that’s what almost two-thirds of the iOS App Store constitutes.
The Berlin company’s Apptrace tool launches on Tuesday and as a result it’s showing off several stats as a way of strutting its stuff. The most interesting one is the revelation that around 400,000 App Store apps get no downloads, are invisible to users and have no ranking.

"


Nokia shareholder revolt on Windows Phone 7 was a

Desler writes | more than 3 years ago

Desler (1608317) writes "The recently publicized revolt of "nine Nokia shareholders" has been revealed to be a hoax. From the Seattle pi:


Hoax of the week: A group of nine Nokia shareholders have, after one day, abandoned their effort to oust new CEO Stephen Elop and minimize a new partnership with Microsoft to make Windows Phone 7 the main platform for Nokia smart phones.
Turns out, there never were any renegade shareholders. In a tweet today, the person behind the “Nokia Plan B” that grabbed headlines in The Wall Street Journal, Bloomberg News and ZDNet, wrote that “there are no ‘nine young investors,’ just one very bored engineer who really likes his iPhone.

"


Rogue Nokia Investors Call it quits

Desler writes | more than 3 years ago

Desler (1608317) writes "It seems that after only 36 hours of publicity the "rogue" investors have called it quits:

After reviewing the feedback we’ve received from investors on our Plan B, we have decided not to carry on with it. In the last 36 hours we were contacted by hundreds of individual shareholders (owning anywhere from 10 to 400,000 Nokia shares) pledging to support us by proxy voting or by personally attending the AGM. Nevertheless, the responses that we received from institutional investors were not encouraging. These institutions have a fiduciary responsibility to their customers and are legally barred from supporting radical initiatives like seating a bunch of kids on the board of directors. If they do not agree with Nokia’s plans, they are better off simply divesting and putting their money in other companies that better fit their investing strategy (which is exactly what they have been doing).

"


Journals

Desler has no journal entries.
