Security Basics mailing list archives

RE: Bank Of Montreal Online Security

From: "Hough, Kenneth P" <kenneth.phough () WPI EDU>
Date: Thu, 01 Nov 2012 12:24:05 -0400

Also substituting letters with symbols will help, for example:

And then william sayed:"I really hate cake!"

Change the 'a' to @ and 's' to $

And then willi@m $ayed:"I really hate cake!"

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alexander Meesters
Sent: Thursday, November 01, 2012 9:53 AM
To: Alexander A. Kelner
Cc: security-basics () securityfocus com; security-basics-return-58248-a kelner=noc brsi ru
Subject: Re: Bank Of Montreal Online Security

Well, i believe that if you use proper punctuation it would be near to impossible, cause a automated dictionary attack 
does not know proper grammar, for example:

And then william sayed:"I really hate cake!"

plus a dictionary attack also has a lot of problems with dialects and slang, so in order for a dictionary attack to be 
successful they must use a tool that uses some kind of AI.
At least that is what i believe, please correct me if i'm wrong, my experience with dictionary attacks are not that 
great.

Alex 


----- Oorspronkelijk bericht ----- 

Van: "Alexander A. Kelner" <a.kelner () noc brsi ru>
Cc: security-basics () securityfocus com, "security-basics-return-58248-a kelner=noc brsi ru" 
<security-basics-return-58248-a.kelner=noc.brsi.ru () securityfocus com>
Verzonden: Woensdag 31 oktober 2012 21:49:23
Onderwerp: RE: Bank Of Montreal Online Security 

On Wed, 31 Oct 2012, Dave Kleiman wrote:

Date: Wed, 31 Oct 2012 09:26:30 -0500
From: Dave Kleiman <dave () davekleiman com>
To: "security-basics () securityfocus com" 
<security-basics () securityfocus com>
Subject: RE: Bank Of Montreal Online Security
Resent-Date: Wed, 31 Oct 2012 09:07:10 -0700 (PDT)
Resent-From: 
security-basics-return-58248-a.kelner=noc.brsi.ru () securityfocus com

Alexander,

Which password length is more secure - that is a question.<<<


If you used the above statement, just as you typed it, as your 
password (passphrase), would it not both much stronger than 6 
characters and very easy to remember?


Hi Dave! 

Yes, it's very easy to remember, but I think this method for password 
setting is not as strong as it may appears :-) 

The phrase "Which password length is more secure - that is a question" 
contains not 58 "random chars", but 11 only, because each word must be 
considered as a single symbol in the vocabulary, say for brute force attack. 

There is a strong corelation between the chars inside of the words if these 
words are taken from our lexicon. So, these characters should not be 
considered independent. Yes, this password is long but it is not too random, 
and so it is not too secure. 

Moreover there may be found efficient heuristics when you try to attack 
passwords like human speech sentences due to existing correlation between 
words inside of such sentences and due to quite deterministic structure of 
sentences. 

If you bring some order (the way for easy memorizing) into your password 
you decrease it's strength. 

Well, and now try to type above phrase in invisible mode and don't make 
mistake :-) 

Though, IMHO six chars passwords are too short. I like at least 8 :-)


Respectfully, 

Dave Kleiman - http://www.ComputerForensicsLLC.com - http://www.computerforensicsexpertwitnesses.com 

4371 Northlake Blvd #314 
Palm Beach Gardens, FL 33410 
561.310.8801 


-----Original Message----- 
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alexander A. Kelner 
Sent: Monday, October 29, 2012 16:20 
To: security-basics () securityfocus com 
Subject: RE: Bank Of Montreal Online Security

From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of mrtolton () gmail com 
Sent: Friday, October 26, 2012 2:08 PM 
To: security-basics () securityfocus com 
Subject: Bank Of Montreal Online Security 

It's come to my attention that the Bank Of Montreal online security is 
shockingly lax. First of all regardless of your password length, it 
only cares about the first six characters. Even more insane is it 
doesn't matter what case of the letters are, it will allow you access all the same. 

On top of this, theres a bug in the iPhone app which will not allow 
you to unsave your card number. 

Its a good thing they guarantee 100% of your money against fraudulent 
transfers, because its only a matter of time.


Hello. 

IMHO "shockingly laxity" is not as obvious as it may appear at first approach. 

Six chars give us about (26+10)^6=2 billions of possible passwords. 
If their server is smart enough to allow as low as 1 authentication attempt per second for the same account then you 
will spend some hundreds years trying to brute force it. 

BUT! The short password can be easy memorized, when the long password must be recorded somewhere (sometimes in very 
inappropriate place), and then may be stolen. Which password length is more secure - that is a question.



--- 
Alexander A. Kelner 
Senior engineer 
CT Network Operation Center 
RosTelecom - Bryansk 

------------------------------------------------------------------------ 
Securing Apache Web Server with thawte Digital Certificate 
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. 

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 
------------------------------------------------------------------------ 

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

RE: Bank Of Montreal Online Security Globalart4u Enquiries (Nov 01)
- <Possible follow-ups>
- Re: Bank Of Montreal Online Security Alexander Meesters (Nov 01)
  - Re: Bank Of Montreal Online Security Davin Enigl (Nov 01)
  - RE: Bank Of Montreal Online Security Hough, Kenneth P (Nov 01)
    - RE: Bank Of Montreal Online Security Alexander A. Kelner (Nov 01)
    - Re: Bank Of Montreal Online Security Michael Peppard (Nov 01)
    - Re: Bank Of Montreal Online Security Davin Enigl (Nov 02)
    - RE: Bank Of Montreal Online Security Mike Vella (Nov 02)
- Re: Bank Of Montreal Online Security Juan F. Campos - Computalleres.com (Nov 01)
  - Re: Bank Of Montreal Online Security Alexander A. Kelner (Nov 01)
- RE: Re: Bank Of Montreal Online Security Mikhail A. Utin (Nov 02)
  - Re: Bank Of Montreal Online Security Davin Enigl (Nov 02)
  - Re: Bank Of Montreal Online Security Davin Enigl (Nov 02)
  - Re: Bank Of Montreal Online Security Davin Enigl (Nov 04)

(Thread continues...)