Comments

Password Security: Why the Horse Battery Staple Is Not Correct

mseeger Re:Wrong Wrong Wrong (549 comments)

The idea does not work: If you do this, I can lock you out from your service every 5 minutes. The prevention of password guessing is a bit harder and therefore you need a bit more.

about a month and a half ago

Password Security: Why the Horse Battery Staple Is Not Correct

mseeger Re:Negative (549 comments)

If you choose 4 English, non-trivial words, you already have about 40 bits of entropy. Searching only 1% of the namespace would take trillions of tries.

To have those tries, the provider (not the user) must have already screwed up. The user cannot efficiently defend against screwups of the provider of the password-protected service.

"Hard to guess" is aimed at direct, human guessing. If I know you love "Sarah", then "Sarah4me" makes a bad password. That would be your screwup.

My primary goal is: burden the user only with what naturally belongs in his domain. Trying to offload your security as a company to the users (e.g. to reduce costs) usually backfires.

about a month and a half ago

Password Security: Why the Horse Battery Staple Is Not Correct

mseeger Re:Negative (549 comments)

Thanks for looking it up and not blasting me ;-).

I didn't want to do self-advertisement, so I did not link to my blog.

about a month and a half ago

Password Security: Why the Horse Battery Staple Is Not Correct

mseeger Negative (549 comments)

Good, bad & ugly - Your password

PASSWORD REQUIREMENTS

A good password must have two properties:

1) It has been memorized by the user
2) It is difficult to guess for a third person (even if he/she knows the user well)

But in most cases another requirement is thrown into the mix:

3) The password shall be complex (have a high entropy)

Usually the requirements take the form of a password policy like this:

The password must be at least 8 characters long
The password must contain upper- and lower-case letters
The password must contain a number
The password must contain a non-alphanumeric character

You notice anything? Yep, this policy only focuses on the third requirement. And it does so at the expense of the first requirement and (knowing human psychology) it also has a negative impact on the second requirement.

THREATS TO PASSWORDS

Let us take a look at how the security of a password can be compromised:

- The input of the password has been observed (by eavesdropping, key-loggers or by the ordinary Mark 1 Eyeball)

- The password has been re-used by the user in a different context where the attacker has access to it

- The attacker gained access to the encrypted password storage and managed to extract the password from there

- The password has been guessed by the attacker

How does having a complex password help you against these attacks?

In the case of an attacker observing the user entering the password, no complexity will help. Rather the contrary: a password with mixed upper/lower case, numbers and special characters is entered at a significantly slower pace. This helps an attacker observing the password by good old-fashioned peeking.

If the password is known to the attacker from its use in a different context, the complexity is no help either. Knowing the psychological side, cryptic passwords rather compound the problem. Once a user has found a password that fits the typical policy, he tends to use it wherever such a password policy is in place and therefore increases the chances of an attacker using a known password of the user in a different context.

In the case of access to the encrypted password store, complexity clearly helps to hamper the attacker (if the password is encrypted properly).

One would expect that a password policy should help make a password unguessable for a third person. From my personal observation the contrary is true. Under the watchful eye of a password policy, users tend to stick to first names, upper-casing the first or last letter, replacing characters with similar-looking special characters or numbers and/or adding numbers at the end (like birthdays).

Summary: Only in one attack scenario does choosing a complex password help; in all other scenarios it has no impact or even a negative one. So let us look at this scenario in a bit more detail.

DECRYPTING PASSWORDS

To decrypt the password of a user, the attacker first has to have access to the password storage. At which point the first and most critical security failure has already occurred. And the user had nothing to do with it.

When it comes to decrypting a password, the algorithm used is more important than the complexity of the password. If the service provider has not done his homework, complex passwords offer only little protection. This is another critical point where the user has no influence whatsoever.

But in the case of the service provider having botched the safety of his password file but done everything correctly when choosing the algorithm, the complexity of the user passwords can offer extra protection against the attacker.

Does this case justify all the negative impact?

I want to point out that the safety of the encrypted password is not the responsibility of the user. So I would say: Don't make him part of the process here. Don't shift the responsibility to him where the service provider is responsible.

Remark: I did not specifically address the issue of an attacker trying out all passwords by automatically entering them one after the other. It falls into the same category, since it starts with a critical error on the service provider's side by allowing this.

WHAT SHALL WE TEACH USERS ABOUT PASSWORDS?

I think we should focus on the first two requirements I started this comment with:

Choose a password you can remember

Use a password someone else does not associate with you

and (which is more important than complexity):

Use distinct passwords, at least for the most critical uses (Work, Banking, Apple, Facebook, Google, Paypal, Amazon) and never use those somewhere else.

If the user follows only those three pieces of advice, his security would be greatly improved. It is much better to use several (cryptographically) weak passwords than one good one for everything.

WHAT ABOUT PASSWORD COMPLEXITY?

I am not opposed to complex passwords, as long as they have no negative impact on the more important issues. There is nothing bad about advising the user, as information, that his password is weak or strong.

But if you do so, please do it right. Do not just look at which kinds of characters are used. Don't care about the source of entropy as long as it is there.

"Test1234!" is not safer than "mucho danke shopping magazzini", rather the opposite. Let the user find his way to create a memorable complex password. If you force him into a scheme you think best, you will weaken passwords.

And: Except for the most critical uses, 40 bits of entropy are enough. If it is not enough, you need to rethink the way you store your passwords.

That is why I think XKCD has it right, no matter what Bruce Schneier says (I never thought I would agree on a security topic with a comic author rather than with one of my most respected security experts).

ARE THERE EXCEPTIONS?

Yes, of course. There are always exceptions. But in those cases you should rather look into using two-factor authentication than trying to get the user's brain to work in a way that evolution did not intend.

about a month and a half ago
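
The arithmetic behind the "40 bits of entropy" and "the algorithm matters more than the complexity" points in the comment above (and the four-word estimate in the Re:Negative reply), worked through as an added example. This is not code from the original comments; the word-list size, character set, rate-limit figure and offline guess rates are constructed assumptions chosen to be round, not measurements.

```python
import math

# All figures below are constructed assumptions for illustration, not data
# taken from the original comments.
WORDLIST_SIZE = 7776                 # a Diceware-style list (6**5 words)
POLICY_CHARSET = 26 + 26 + 10 + 32   # upper, lower, digits, printable punctuation
SECONDS_PER_YEAR = 365.25 * 86400

# Rough offline guess rates for an attacker who already holds the hash store.
# The point is the five-orders-of-magnitude gap, not the exact numbers.
GUESSES_PER_SECOND = {
    "fast unsalted hash (e.g. MD5/SHA-1 on a GPU rig)": 1e10,
    "slow adaptive hash (e.g. bcrypt at a high cost)": 1e4,
}


def passphrase_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of `words` words chosen uniformly at random from the list.
    Four words from a 1000-word list give ~39.9 bits, the comment's 'about 40'."""
    return words * math.log2(wordlist_size)


def policy_password_bits(length: int, charset: int = POLICY_CHARSET) -> float:
    """Upper bound for a uniformly random password of `length` characters.
    Human-chosen policy passwords ('Test1234!', 'Sarah4me') sit far below this
    bound because their structure is predictable; the bound is what a naive
    character-class checker implicitly credits them with."""
    return length * math.log2(charset)


def expected_guesses(bits: float) -> float:
    """Average guesses to hit a uniformly chosen secret: half the space."""
    return 2.0 ** bits / 2


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Offline attack: attacker has the hashes and is limited only by hash speed."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def online_years(bits: float, attempts_per_day: float = 100.0) -> float:
    """Online attack against a login endpoint that rate-limits to
    `attempts_per_day` guesses (the provider did not 'allow this')."""
    return expected_guesses(bits) / attempts_per_day / 365.25


def compare(candidates: dict) -> dict:
    """For each {label: bits}, years-to-crack under every offline guess rate."""
    return {
        label: {scenario: years_to_crack(bits, rate)
                for scenario, rate in GUESSES_PER_SECOND.items()}
        for label, bits in candidates.items()
    }


if __name__ == "__main__":
    candidates = {
        "4 random Diceware words": passphrase_bits(4),
        "8 uniformly random policy chars": policy_password_bits(8),
        "40 bits (the comment's figure)": 40.0,
    }
    for label, bits in candidates.items():
        print(f"{label}: {bits:.1f} bits, online at 100/day: "
              f"{online_years(bits):.3g} years")
    for label, row in compare(candidates).items():
        for scenario, years in row.items():
            print(f"  {label} vs {scenario}: {years:.3g} years")
```

Run as a script it shows the asymmetry the comment argues: 40 bits falls in under a minute against a fast unsalted hash but takes over a year and a half against a slow adaptive one, and is out of reach for an online guesser that is rate-limited, so the hashing choice and the lockout policy, both on the provider's side, move the result far more than the user's choice of characters.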

Slashdot Asks: What's In Your Home Datacenter?

mseeger Too much (287 comments)

Pure datacenter are: 2 firewalls, 1 Sun X2100, 1 QNAP NAS, 1 PC, 1 Raspberry, 1 VoIP-Gateway, 1 Homematic automation server, WLAN Controller
In the network: 5 mobile devices, 2 PC, 1 Notebook, BluRay-Player, 4 Audio Devices (Sonos), 2 Access Points, 2 USB-via-IP extender, Printer, Scanner, multiple IP-based sensors

about 2 months ago

Ask Slashdot: What Do You Wish You'd Known Starting Out As a Programmer?

mseeger Easy (548 comments)

I wish I had known that I knew nothing ;-). Because at that time I thought I knew everything...

about 3 months ago

Crytek USA Collapses, Sells Game IP To Other Developers

mseeger StarCitizen? (121 comments)

What does this mean for StarCitizen? AFAIK their complete work is based on the CRYTEK engine...

about 4 months ago

Applying Pavlovian Psychology to Password Management

mseeger Disagree (288 comments)

Is the duty for password complexity correctly placed on the user's shoulders? I think not...

The user has two jobs:

1. Select a password he can remember
2. Choose a password someone else does not associate with him

Raising password complexity requirements makes those two jobs harder. In my observation, with rising password complexity, users tend to re-use passwords more often (which is more detrimental to security than a less complex password).

For password complexity to matter, the service provider must have failed (lost the data) and succeeded (chosen a half-way decent algorithm) at the same time.

Therefore I consider the burden of password complexity wrongly placed at the user's end.

about 7 months ago

Google's Business Plan For Nest: Selling Your Data To Utility Companies

mseeger Better than the Nest Protect? (167 comments)

I hope the Nest Thermostat is better than the Nest Protect Smoke Detector. Those gave me a case of serious "early adopter burn".

The Nest Protect detectors have the tendency to generate false alarms in clean air (no smoke, no dust, no steam) and are very hard to disable (get a ladder, dismount, get a screwdriver, open the device, remove the battery). The idea of disabling a false alarm via WiFi has not occurred to them yet :-(.

about 7 months ago

Civilization: Beyond Earth Announced

mseeger Shut up and take my money (89 comments)

It says "Civilization" in the title, so I will buy it anyway... ;-)

about 7 months ago

Embarrassing Stories Shed Light On US Officials' Technological Ignorance

mseeger Not better here... (299 comments)

If it is any consolation, the level of competence of political decision-makers in Germany is at about the same level. The ballpoint pen is the last technological innovation they use.

about 8 months ago

German Court Forbids Resale of Valve Games

mseeger Re:Correct Headline (261 comments)

Even better ;-)

about 9 months ago

German Court Forbids Resale of Valve Games

mseeger Correct Headline (261 comments)

The correct headline would be:

German court refuses to force Valve Steam to allow resale of games

Too complicated?

about 10 months ago

Actually, It's Google That's Eating the World

mseeger Re:Too big (205 comments)

Yep, but we come back to my argument: The biggest risk for Google on the search market is regulation (see EU proceedings).

about 10 months ago

Actually, It's Google That's Eating the World

mseeger Too big (205 comments)

Actually, I think Google knows that it is getting too big: the breakneck speed of acquisitions is the result of the intent to get as big as they can before more confining regulation sets in.

about 10 months ago

Windows 8 and Windows 8.1 Pass 10% Market Share, Windows XP Falls Below 30%

mseeger Re:Windows XP still at 28.98% (470 comments)

The system will not receive any updates any more while sharing a code base with newer systems. Any patch coming for Vista/7/8 starting in April will be analyzed for a matching bug in XP, which will be turned into exploits quickly.

Any Windows XP system will be a real liability when connected to the Internet.

about a year ago

Windows 8 and Windows 8.1 Pass 10% Market Share, Windows XP Falls Below 30%

mseeger Re:Windows XP still at 28.98% (470 comments)

Windows 7 is way better than XP and even 8 (with a bit of tweaking) can be used properly.

There is no excuse for running XP, just as there is no excuse for housing people in ramshackle houses prone to collapse any minute.

about a year ago

Windows 8 and Windows 8.1 Pass 10% Market Share, Windows XP Falls Below 30%

mseeger Windows XP still at 28.98% (470 comments)

With Windows XP still at 28.98% you can only weep and cry. This means that nearly one third of all PC users are running disastrously old systems.

about a year ago

Alan Turing Pardoned

mseeger Re:Long overdue (415 comments)

Kernighan and Ritchie were well aware of Turing completeness. Dennis Ritchie started with Theoretical Computer Science before he wrote his first software (see http://www.gotw.ca/publications/c_family_interview.htm). You can be sure that designing C without Turing completeness would have been for them like designing a car without tires.

Languages without Turing completeness only make sense in special applications because they are so limited (e.g. the C preprocessor is not Turing complete unless you use it recursively).

One of the marvels of the Turing machine is that it is so simple (you can describe what a Turing machine does in 2-3 pages) but it is as powerful in expression as modern languages whose specifications run to thousands of pages.

A lot of coders have no idea about the theories behind it. That is why a lot of code sucks. It's not the lack of Turing machines but of the theories that are connected to it (e.g. automata theory, complexity theory).

What you are saying is like: I am a tiler, I never check the foundation when I am building the roof, so it can't be important ;-).

You can make a living as a coder without all that knowledge. More than half of the coders do. But if you look at the people who shape the world of software (like Dennis Ritchie, Linus Torvalds, James Gosling, etc.), you will notice they are all well versed in the area of computer science theory.

P.S. Concerning AI and the Turing Test: computer games have no AI. The producers of computer games call their software opponents AI, but they are a collection of heuristic algorithms cobbled together.

When you are playing against an opponent, you can usually tell easily whether this is a computer or not. In fact, you are conducting a Turing Test then, and the other side usually fails miserably.

about a year ago

Alan Turing Pardoned

mseeger Re:Long overdue (415 comments)

I cannot blame you for not seeing it. I studied the theories for five years and thought them dull and boring. Then, after decades of having to work on real-world problems, it hit me. Nowadays I can, e.g., look at code or database designs and easily recognise coders who have understood the theories and those who didn't.

Not understanding the theoretical background will put an upper limit on anyone's capabilities as a coder. This is like being restricted in World of Warcraft to level 20: some skills in the skill tree will remain out of reach no matter the grinding.

The best way to illustrate the genius of Turing is: he saw computers coming before the first one was ever built. He developed a trivial "assembler language" (the Turing machine) that is so powerful that no computer and no programming language built today can compute something his machine could not.

When he was finished with that, he thought not about calculations (as the opposite German genius Konrad Zuse did) but about processing symbols. He thought of computer code being processed by computer code and thereby invented compilers and interpreters without yet having a name for them.

Then he interpolated the capabilities of those (not yet existing) machines and recognised that they would appear to have some kind of artificial intelligence, and started thinking about how to tell computers and humans apart (60 years before the first SPAM was sent).

Looking back, having all the tools already at your fingertips, all this may sound trivial. But to achieve only 1% of his visionary power, I would have to grow by several orders of magnitude.

about 10 months ago

Submissions

Next in government sponsored malware: Mahdi?

mseeger writes | more than 2 years ago

mseeger writes "Several months ago, Seculert stumbled upon an interesting, yet simple, spear-phishing attack. Their Research Lab had identified a suspicious email which included a fake Word document attachment. Opening the attached file executed a malware dropper, and a "mahdi.txt" file which contained and opened a real Word document. The content of the document was an article discussing Israel vs. Iran electronic warfare. Interestingly this was used to distribute what looks a lot like the next government-sponsored malware."

Service technicians regularly spy customer PCs

mseeger writes | more than 4 years ago

mseeger (40923) writes "German magazine ComputerBILD has (undercover) asked several vendors to help them with their PC. What the service technicians didn't know: software recorded all steps taken. The shocking result (google translation): In 50% of the cases, the technicians systematically looked for images and videos on the disk. Some even copied files onto their private USB stick if they liked what they found. So if you give your PC to the service, say goodbye to your privacy. In 20% of the cases, the perfectly working disk was replaced, with the customer losing all his data. When the PCs were turned in (in perfect condition), they gave "sporadic crashes" as the problem and asked that no data be deleted."

Zone .DE plagued by problems

mseeger writes | more than 4 years ago

mseeger (40923) writes "The zone .DE has been plagued by problems today. Four of six root servers were declaring any .DE domain as non-existent. Heise has some news about it and recommends entering their IP into the hosts file for the duration of the crisis. The .de zone is the second largest in the world, beaten only by .com."

German data retention laws unconstitutional

mseeger writes | more than 4 years ago

mseeger (40923) writes "The German supreme court has ruled the current data retention law unconstitutional. All stored data has to be deleted ASAP. The court criticized the lack of data security and insufficient restrictions on access to the data. Contrary to expectations, the court completely invalidated the law. While it did not generally disallow data retention, the imposed restrictions demand a completely new law. SPIEGEL Online has the complete story, Google an English translation."

Journals

mseeger has no journal entries.
