
Security quotes of the week

Posted Mar 19, 2012 21:46 UTC (Mon) by neilbrown (subscriber, #359)
In reply to: Security quotes of the week by jimparis
Parent article: Security quotes of the week

Brilliant:

schmeared
repercussing
craved
ethnocides
hierogrammatist

and so easy to remember too.

My first thought was that this would be a great way to extend your vocabulary. But then I realised you would be afraid to ever *use* these words in case someone guessed.

The hierogrammatist craved the repercussing effects of schmeared ethnocides.

Unfortunately most of my banks limit passwords to 6 or 8 chars, otherwise I would so be using that.


Security quotes of the week

Posted Mar 19, 2012 22:04 UTC (Mon) by jimparis (guest, #38647) [Link]

You could limit it to short words and still get quite a bit of entropy:
$ egrep '^[a-z]{3,6}$' /usr/share/dict/words | sort -R | wc -l
14706
$ egrep '^[a-z]{3,6}$' /usr/share/dict/words | sort -R | head -5
sinker
bogey
grim
rhythm
choked
log(14706) / log(2) * 5 = 69 bits. But still too long for a bank or many other password forms, as you mentioned.

Security quotes of the week

Posted Mar 19, 2012 22:21 UTC (Mon) by anselm (subscriber, #2796) [Link]

That's why my script is 10 lines. You don't want to take just any word from the dictionary :^)

Security quotes of the week

Posted Mar 20, 2012 2:12 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

>septums
>bumping
>Hasidim
>thermoplastics
>stonework

I like it! That's going to be my password for GMail account. Oh wait...

Security quotes of the week

Posted Mar 26, 2012 7:40 UTC (Mon) by robbe (guest, #16131) [Link] (4 responses)

> Unfortunately most of my banks limit passwords to 6 or 8 chars, otherwise I
> would so be using that.
Rather than cynicism, it would be nice to know how many bits you need. For banking, let's just hope offline attacks are not possible. Otherwise, you are dead in the water, unless you use 8 characters *including* some very hard to input ones (i.e. outside 0x20-0x7F).

Even 64 would not be that great for an offline attack, but that is highly dependent on the crypto used. If we assume 64 bit as sufficient, then 6 words from http://ogden.basic-english.org/word2000.html will be enough. Should be doable.

Alternatively, take fewer words from a bigger dictionary. You didn't mention the size of yours, I'll assume 300000 words, as that's more or less what I have (wbritish-huge from Debian). Three words fall short (55 bits), and four are way better (72 bits). I guess the Ogden option is preferable.

Online attacks are, in theory, easy to detect and control. Four words from Basic English are more than enough to deflect these. Hell, even a single dictionary word probably is, if you take care to exclude the top 100 passwords.
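The two entropy calculations above (5 words from a 14706-word list, and 3 or 4 words from a ~300000-word list or 6 from Basic English) both come down to word_count * log2(dictionary_size). The following is an added example, not code posted by anyone in this thread: it applies the same `^[a-z]{3,6}$` filter to a small constructed word list standing in for /usr/share/dict/words, computes the bits for any dictionary size and word count, works out how many words a given dictionary needs to reach a target, and draws the words with `secrets.choice` rather than `sort -R` (whose shuffle is not meant to be a cryptographic source of randomness). The 2000-word size assumed for the Ogden list is taken from the URL name, not stated in the thread.

```python
import math
import re
import secrets

# Constructed sample word list standing in for /usr/share/dict/words.
# Assumption: a real run would read the system dictionary file instead.
SAMPLE_WORDS = """
sinker bogey grim rhythm choked schmeared repercussing craved ethnocides
hierogrammatist septums bumping stonework thermoplastics apple banana cherry
delta eagle fjord grape hotel igloo jolly koala lemon mango night ocean
piano quail river sugar tiger ultra vivid whale xenon yacht zebra Hasidim
""".split()

# Same filter as the egrep in the thread: lowercase words of 3 to 6 letters.
WORD_RE = re.compile(r"^[a-z]{3,6}$")


def filter_words(words, pattern=WORD_RE):
    """Return the sorted, de-duplicated subset of `words` matching `pattern`."""
    return sorted({w for w in words if pattern.match(w)})


def passphrase_bits(dictionary_size, word_count):
    """Entropy in bits of `word_count` words drawn uniformly, with replacement,
    from a dictionary of `dictionary_size` entries: word_count * log2(size)."""
    if dictionary_size < 2 or word_count < 1:
        raise ValueError("need at least two candidate words and one draw")
    return word_count * math.log2(dictionary_size)


def words_needed(dictionary_size, target_bits):
    """Smallest number of words from a `dictionary_size` list that reaches
    `target_bits` of entropy."""
    if dictionary_size < 2:
        raise ValueError("need at least two candidate words")
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(words, word_count, rng=secrets):
    """Pick `word_count` words using a CSPRNG (secrets.choice by default).
    Words are drawn with replacement, matching the entropy formula above."""
    if len(words) < 2:
        raise ValueError("dictionary too small")
    return " ".join(rng.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    pool = filter_words(SAMPLE_WORDS)
    print(f"{len(pool)} candidate words; 5 of them give "
          f"{passphrase_bits(len(pool), 5):.1f} bits")
    print("example passphrase:", generate_passphrase(pool, 5))
    # Dictionary sizes discussed in the thread (Ogden size assumed from its URL).
    for size, label in ((14706, "short-word list from the thread"),
                        (2000, "Ogden Basic English (assumed size)"),
                        (300000, "wbritish-huge (approx.)")):
        print(f"{label}: {words_needed(size, 64)} words for 64 bits")
```

Running it with the real dictionary only requires replacing `SAMPLE_WORDS` with the file's lines; the entropy figures depend on the size of the filtered pool, not on which words happen to be drawn.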

Security quotes of the week

Posted Mar 26, 2012 11:46 UTC (Mon) by ekj (guest, #1524) [Link] (3 responses)

Banking should be two-factor anyway, which greatly reduces the needed keyspace. You can, after all, withdraw money from an ATM with a 4-digit PIN, which means there's only ~10 bits of protection in that one factor.

But that's still adequate because you need physical possession additionally, and because the ATM will eat the card after 3 failed attempts at guessing the PIN. Stealing a card isn't very much worth it if that gives you 3/10000 chance of getting at the money.

My online bank uses a password, and a 6-char TAN that's sent as an SMS to my mobile phone. Neither of these is secure by itself, but the *combination* helps a lot. You'd need to steal my phone (or somehow snoop on my SMS) -and- learn or guess my password. Doing both is a lot harder than doing one.

Security quotes of the week

Posted Mar 27, 2012 11:11 UTC (Tue) by etienne (guest, #25256) [Link] (2 responses)

> My online bank uses a password, and a 6-char tan that's sent as an SMS to my mobile phone. Neither of these are secure by itself, but the *combination* helps a lot.

That does not protect you against MITM, and it seems massive-scale MITM attacks are happening right now.
Unless you get a text for each transaction while you are connected to your bank, it is not very safe.

Security quotes of the week

Posted Mar 27, 2012 11:51 UTC (Tue) by ekj (guest, #1524) [Link]

It does actually, because the SMS includes payment info:

"Use the TAN 45FEA0 to authorise payment of $225.50 to [recipient]".

Thus if someone had a MITM-attack going on my computer, they'd still need to be able to MITM the SMS-channel too, which *does* significantly raise the bar.

Security quotes of the week

Posted Mar 27, 2012 11:56 UTC (Tue) by ekj (guest, #1524) [Link]

And "TAN" stands for "transaction authorisation number", so obviously there's one for every transaction. Though for convenience there's a setting to disable it for payments that are a) to a recipient that's received payments from me already in the last year and b) under a specific sum.

Thus I can say "don't require a TAN if sending money to someone I've sent money to before, and the amount is less than $1000".

But if I'm paranoid, I don't need to set that, in which case a TAN is used for every transaction.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds