nanog mailing list archives

Re: Dear Linkedin,


From: Alec Muffett <alec.muffett () gmail com>
Date: Fri, 8 Jun 2012 23:55:39 +0100


On 8 Jun 2012, at 22:59, John Levine wrote:

> Given that most compromised passwords these days are stolen by malware
> or phishing, I'm not understanding the threat, unless you're planning
> to change passwords more frequently than the interval between malware
> stealing your password and the bad guys using it.
>
> I agree that keeping a big file of unsalted hashes is a dumb idea, but
> there isn't much that users can do about services so inept as to do

Hi John,

I can't easily reconcile the statement that "most passwords … are stolen by malware/phishing" with the subsequent para 
referring to the likes of LinkedIn (6.5 million apparently without usernames) or Playstation Network (77 million with 
PII) or RockYou (32 million IDs) … but then I lack stats for the former, perhaps you can tell me how many 
tens-of-millions of people got phished last year?  

Creditcards scraped by malware may touch that number, but might be themselves outpaced by wholesale CC database theft.

Sometimes password changing is done for reducing the window of opportunity, other times it is for education, yet more 
times it's for both, or to get everyone to refresh their password so the new Bcrypt or SHA512crypt hash algorithm can 
be enabled and the crummy old short Unix passwords (aaU..z/8FAYEc) can be expunged.  

With the right tools your identity can be quite (shall we say?) agile and involve a lot of hard work for bad guys to 
hit. That's the goal.

Turning the matter on its head:  How tragic would it be for someone still to be using the same password that they were 
using in the Playstation hack, 14 months after the event?

Is 14 months an excusable length of time for someone not to have changed their password after a break?

I would say not - but then would 6 months be any more excusable?  

Or 3 months?  

How long is it excusable to not get around to changing a known-to-be-hacked password?  

And what if you don't know you've been hacked?

In this game of diminishing time windows and not being sure about whether User-A's password was taken but User-B's was 
not, perhaps the best strategy is to assume that all passwords are likely broken after a period of time and to change 
all of them - but that idea does not appeal to everyone; I can see why, but perhaps my goals are different.

        -a
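The message above mentions forcing a password refresh so that a new bcrypt or sha512crypt scheme can be enabled and the old short Unix hashes expunged. The following is an added example (not code from the thread or from any of the services named in it) of the defender-side half of that migration: audit a shadow-style password store for legacy or unsalted hash formats, and transparently rehash a legacy account the next time its owner logs in successfully. Because the Python standard library has no sha512crypt or bcrypt, the "new" scheme here is PBKDF2-HMAC-SHA512 as a stand-in; `verify_legacy` is a caller-supplied hypothetical callback (for example a wrapper around the platform crypt(3)); and all sample shadow lines are constructed, apart from the 13-character hash quoted from the message itself.

```python
import base64
import hashlib
import hmac
import os
import re

# Traditional DES crypt: exactly 13 characters from the crypt(3) alphabet.
LEGACY_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Raw 32/40 hex digests are a heuristic for unsalted MD5/SHA-1 stores.
RAW_DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")
# Modular-crypt prefixes as used by glibc / OpenBSD crypt(3).
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}
# Policy assumption for this example: only these schemes need no refresh.
ACCEPTABLE = {"bcrypt", "sha512crypt", "pbkdf2-sha512"}

# Constructed sample store; the first hash value is the one quoted in the message.
SAMPLE_SHADOW = [
    "# user:hash:lastchg:min:max:warn:inactive:expire:flag",
    "alice:aaU..z/8FAYEc:15000:0:99999:7:::",
    "bob:$6$constructedsalt$constructedhashvalue:15400:0:99999:7:::",
    "carol:!:15400:0:99999:7:::",
    "dave:5f4dcc3b5aa765d61d8327deb882cf99:15400:0:99999:7:::",
]


def classify(hash_field):
    """Name the hashing scheme a shadow-style hash field appears to use."""
    if hash_field in ("", "*") or hash_field.startswith("!"):
        return "locked-or-empty"
    if LEGACY_DES_RE.match(hash_field):
        return "descrypt"
    if RAW_DIGEST_RE.match(hash_field):
        return "unsalted-raw-digest"
    if hash_field.startswith("$pbkdf2-sha512$"):
        return "pbkdf2-sha512"
    for prefix, name in PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    return "unknown"


def audit_shadow(lines):
    """Map each user to (scheme, needs_refresh) for every entry in the store."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, hash_field = line.split(":")[:2]
        algo = classify(hash_field)
        # Locked accounts have no usable hash, so there is nothing to refresh.
        needs_refresh = algo not in ACCEPTABLE and algo != "locked-or-empty"
        report[user] = (algo, needs_refresh)
    return report


def new_hash(password, salt=None, rounds=200_000):
    """Stand-in for the new scheme: salted PBKDF2-HMAC-SHA512 in a $-delimited field."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return "$pbkdf2-sha512$%d$%s$%s" % (
        rounds, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_new(password, hash_field):
    """Constant-time check of a password against a new-scheme hash field."""
    _, _, rounds, salt_b64, dk_b64 = hash_field.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def login_and_upgrade(store, user, password, verify_legacy):
    """Return (authenticated, upgraded). A correct password presented against a
    legacy hash is rehashed in place, which is how the old formats get expunged
    without ever storing the plaintext. verify_legacy(password, hash_field) is a
    hypothetical caller-supplied checker for the legacy scheme."""
    hash_field = store[user]
    algo = classify(hash_field)
    if algo == "pbkdf2-sha512":
        return verify_new(password, hash_field), False
    if algo in ("locked-or-empty", "unknown"):
        return False, False
    if verify_legacy(password, hash_field):
        store[user] = new_hash(password)
        return True, True
    return False, False


if __name__ == "__main__":
    for user, (algo, refresh) in audit_shadow(SAMPLE_SHADOW).items():
        print("%-6s %-20s %s" % (user, algo, "REFRESH" if refresh else "ok"))
```

The audit alone answers the question the message raises about not knowing which users were affected: every account still on descrypt or a raw digest is flagged regardless of whether a breach is known, and the login hook retires those hashes one successful authentication at a time; accounts that never log in again are the ones a forced reset still has to cover.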
