Educause Security Discussion mailing list archives
Re: Passphrases v Password
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Tue, 9 Jul 2013 14:37:46 +0000
"How real it is depends on the format of your password hashes and how simple access is to that hash store."

For web applications, the password store is generally just a SQL injection exploit away. For internal systems, access to the store probably depends on having admin rights so it could be difficult to access. One of the reasons hashes are valuable, however, is that attackers who gain admin rights can use cracked hashes to preserve access and/or to gain access to other systems. The risk doesn't go away just because the hashes aren't useful for gaining initial access.

You often do not have much control over the password hash used. Most Unix/Linux systems support bcrypt, but you can't change the hash on Windows and it uses MD4 (which is an awful choice). Many web apps use MD5 or SHA-1 (which are not really any better than MD4 for password hashing). If you're writing a new app, it would be easy to just use bcrypt, scrypt or PBKDF2. If you've already deployed an app using MD5, it may be difficult to change.

Steven Alexander Jr.
Online Education Systems Manager
Merced College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of shanna leonard
Sent: Tuesday, July 09, 2013 12:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passphrases v Password

On 7/8/13 7:02 AM, Tim Doty wrote:
> I've been resisting, but I will point out that that xkcd significantly overstates the entropy of English which ruins his analysis. Relying on simple passphrases as protection against hash cracking doesn't work against real threats (http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/)
I'm not sure that I would call that a "real threat". How real it is depends on the format of your password hashes and how simple access is to that hash store.

In the offline cracking example given, the crackers had access to simple unsalted md5 hashes. This made their task significantly easier (in terms of compute time) than it would have been had they only had a copy of a well constructed password db, e.g. a good password db (e.g. counterpane's passwordsafe), or a set of "slower" hashes. "Slow hashes" with a reasonably well-constructed master passphrase (e.g. mostly English, 18+ characters, with a bit of perturbation, i.e. a typo and a few symbols thrown in the middle) are still slow to crack (e.g. passwordsafe discussion): http://sourceforge.net/p/passwordsafe/discussion/134800/thread/671fd0d4/#2a53

Likewise bcrypt linux passwords by default use 5000 encryption iterations and are computed much more slowly than simple md5 or NThash, rendering them more difficult to crack than the example.
http://samsclass.info/123/proj10/comparing-hashes.htm
http://arstechnica.com/security/2012/08/passwords-under-assault/4/

"If the LinkedIn passwords had been hashed using bcrypt, I never would have been able to crack 90 percent of them," he told Ars in an e-mail. "The number of attacks I had to run, combined with the sophistication of the attacks I had to run to get many of the passwords [more than] 15 characters, would have taken literally centuries to finish."

That said, the race is certainly on - the crackers are nipping at the heels of what were recently considered to be well-constructed passphrases. Writing a complex, completely random 20-character master password down on a piece of paper and putting it in your wallet is looking better and better! :)

Shanna Leonard
ssl () email arizona edu
University of Arizona
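An added example (not code from any poster in this thread) of the MD5-to-PBKDF2 migration Steven says is hard once an app is deployed: logins are verified against a legacy unsalted-MD5 record and, on success, that user's record is rewritten as salted PBKDF2-HMAC-SHA256, so the store migrates one user per login without a mass reset. The iteration count, record format and sample store are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for this example; tune to your hardware budget.
PBKDF2_ITERATIONS = 200_000
PBKDF2_PREFIX = "pbkdf2_sha256$"


def legacy_md5_hash(password: str) -> str:
    """Unsalted MD5, the weak legacy scheme the thread warns about."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record: prefix$iters$salt$dk."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Verify against either record format; returns (ok, record_to_store).
    A correct password against a legacy MD5 record yields a fresh PBKDF2
    record, so the store migrates gradually as users log in."""
    if stored.startswith(PBKDF2_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate.hex(), dk_hex), stored
    # Legacy record: constant-time compare, then upgrade on success.
    if hmac.compare_digest(legacy_md5_hash(password), stored):
        return True, pbkdf2_hash(password)
    return False, stored


def count_upgraded(records: dict) -> int:
    """Number of records already migrated to the slow, salted scheme."""
    return sum(1 for r in records.values() if r.startswith(PBKDF2_PREFIX))


if __name__ == "__main__":
    # Constructed sample store: two legacy users, one already migrated.
    store = {"alice": legacy_md5_hash("correct horse battery staple"),
             "bob": legacy_md5_hash("Tr0ub4dor&3"),
             "carol": pbkdf2_hash("a long and unguessable passphrase")}
    ok, store["alice"] = verify_and_upgrade(store["alice"], "correct horse battery staple")
    print(ok, count_upgraded(store))  # True 2
```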