Re: Paper & pencil password algorithm



Guy Macon <http://www.GuyMacon.com/> wrote:
> David Eather wrote:
>> Just Quoting you - you said
>>
>> "One must assume that an attacker has some or
>> all of the passwords you use on other websites -- perhaps he owns
>> a few of them, and certainly you can't assume that the rest have
>> good security. A brute force attack starting with guesses similar
>> to the known one would break a system that only changes a few
>> characters or a few bits."
>
> I see that I was unclear. Yes, the above is a problem against a
> capable attacker. I don't think that it is a problem against the
> attacker described in the threat model, which is someone who has
> gathered large numbers of passwords through spyware. I don't
> think it likely that such an attacker will try the brute force
> attack described above on his entire password collection.

Agreed. I think the phishers try to magnify the accounts they've stolen
simply by trying the same passwords with a list of other popular sites
to catch the most common case of people using the same password
everywhere. The phishers automate this of course but, even so, speed is
important when you have 10,000 accounts to scan unless you have a botnet
working for you and, even then, there is a diminishing return for trying
too many variations on the password.

> In addition, low-entropy passwords for websites are resistant
> to brute force attacks for the same reason that bank ATM card
> Pin #s are -- without the ability to do the brute force attack
> offline, a simple lockout after N failed attempts makes even a
> 4-digit numerical Pin # hard to crack.

Yes, I see that point, but is it actually true in the case of most
websites? There have been some cases (Twitter comes to mind) where there
wasn't even a rate limit on the number of login attempts you could make
let alone a lockout after too many tries. It is probably true (I haven't
checked) that many sites do have a rate limit, however I've not heard of
any that have a lockout after 3 tries in the manner that an ATM PIN
does.

I can imagine a situation in which a phisher has had a poor run and only
collected a few hundred credentials. He might then leave a script trying
rather more password variations than normal because, after all, he has
nothing to lose by leaving it running for a week or two at a rate slow
enough not to trigger any alarm. Common variations on the basic password
might then be tried, perhaps following some of the ideas here:

<http://www.schneier.com/blog/archives/2007/01/choosing_secure.html>

> I have been thinking about this, and it seems to me that you
> can have an easy-to-use and easy-to-remember algorithm with
> no external storage or you can have diffusion, but you cannot
> have both.

I agree that there is a trade-off between ease of use and security, but
I disagree with your conclusion that there is no middle ground. I
believe it should be possible to find a reasonably easy method with
reasonably good security. As a minimum, I think we should be looking for
a way of trivially ensuring that similar names do not result in similar
passwords. I think David Eather's suggestion of a straddling
chequerboard with added checksum has some promise. What do you think?

> The good news is that I don't think you need
> diffusion to beat the threat model specified.

The problem is that, even if a phisher doesn't notice the correlation
between passwords, he eventually monetizes his stolen credentials by
selling them in bulk to scammers in Nigeria, Brazil, or wherever cheap
labour can be found to sit there manually going through the stolen
accounts dreaming up ways to scam money out of them. At this point, I
would be very surprised if all the accounts of a particular victim are
not listed side-by-side for the scammer to see clearly the opportunity
to exploit weak passwords.

Therefore, I hold out hope of finding some simple way to checksum or
hash site names so that the passwords are not similar where the names
are similar.

--
James Taylor
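
Added example, not part of the original post or of any scheme proposed in the thread: it measures the diffusion property discussed above by comparing a "change a few characters" scheme with a keyed hash of the site name. HMAC-SHA256 stands in for the hash and is not a paper-and-pencil method; the function names, the secret and the site names are constructed for illustration.

```python
import base64
import hashlib
import hmac


def tweak_password(secret: str, site: str) -> str:
    """Constructed weak scheme: one base password plus the first three letters of the site."""
    return secret + site[:3]


def derived_password(secret: str, site: str, length: int = 12) -> str:
    """Keyed hash of the site name (HMAC-SHA256 as a stand-in), base32 encoded and truncated."""
    digest = hmac.new(secret.encode(), site.lower().encode(), hashlib.sha256).digest()
    return base64.b32encode(digest).decode().lower()[:length]


def similarity(a: str, b: str) -> float:
    """Fraction of character positions at which two passwords agree."""
    same = sum(x == y for x, y in zip(a, b))
    return same / max(len(a), len(b))


def compare(secret: str, site_a: str, site_b: str) -> dict:
    """Similarity of the two sites' passwords under each scheme."""
    return {
        "tweak": similarity(tweak_password(secret, site_a),
                            tweak_password(secret, site_b)),
        "derived": similarity(derived_password(secret, site_a),
                              derived_password(secret, site_b)),
    }


if __name__ == "__main__":
    SECRET = "correcthorse"  # constructed sample secret
    # Constructed pairs of similar site names.
    for a, b in [("ebay.com", "etsy.com"), ("ebay.com", "ebay.co.uk")]:
        print(a, b, compare(SECRET, a, b))
```

Under the tweak scheme, one leaked password exposes nearly every character of the others; under the keyed hash, the passwords for similar names agree only by chance.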