Security Basics mailing list archives

RE: Hashing passwords


From: "Mikhail A. Utin" <mutin () commonwealthcare org>
Date: Wed, 13 Jun 2012 12:09:22 -0400

I would not personally trust THIS article. Not because it comes from the company having the nick M$, but because of its 
poorly educated personnel. That possibly has roots in its former president and founder, who did not manage to finish even 
a 4-year college.
Writing such articles discussing security cost/benefits requires the understanding of exposure/losses. They are 
completely statistically based, but, unfortunately, such statistics are not known. If the author had taken a course in 
probability theory basics and done the homework, he would understand that first of all he needs to get reliable statistics 
for each specific security event, for instance the probability of a user getting "phished", and then correlated 
statistics for getting infected by one of millions of known and unknown malware. Then he needs to know the losses for each 
phishing event, which do depend on business size, IT infrastructure, installed AV software, user education, etc., 
etc. So far, I have not seen any such statistics or databases. Such a database would be a matrix of billions of security 
events by billions of exposures. We do not even have the REAL number of all phishing attempts and the number of successful 
attack cases in the US.
Writing such articles is an easy process of misleading people by speculating on an unreliable set of facts or statistics. 
We definitely can say that having AV software is right and protects one's computer. How much? For a set of known 
viruses it is basically known, because such research is done by both vendors and independent organizations (for instance, 
AV-Comparatives). However, when it comes to correlation with phishing ... 
So, the simple matter of phishing mentioned in the article in question is not really simple when we discuss it geared 
with math and common sense. Not having either or both leads to such articles.
Summary: wherever you see people talking about security risks, losses and benefits using numbers (like quantitative 
risk analysis), think about the "billion by billion" matrix.

Best regards

Mikhail Utin, CISSP, PhD


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kai Wirt
Sent: Tuesday, June 12, 2012 2:30 PM
To: security-basics () securityfocus com
Subject: Re: Hashing passwords

Just also revise enforcing password changing rules (every 30 days) on your site and strong passwords (no less 
than 8 characters, special characters, upper case, numbers and symbols); this helps when attackers try brute 
forcing, so by the time they crack the password it's no longer in use...

There's an interesting paper on this topic:

http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf

In short, most of the password rules employed today are mostly annoying to users and don't really improve security.