[153614] in North American Network Operators' Group


Re: Dear Linkedin,

daemon@ATHENA.MIT.EDU (Alec Muffett)
Fri Jun 8 18:56:13 2012

From: Alec Muffett <alec.muffett@gmail.com>
In-Reply-To: <20120608215920.33274.qmail@joyce.lan>
Date: Fri, 8 Jun 2012 23:55:39 +0100
To: "John Levine" <johnl@iecc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 8 Jun 2012, at 22:59, John Levine wrote:

> Given that most compromised passwords these days are stolen by malware
> or phishing, I'm not understanding the threat, unless you're planning
> to change passwords more frequently than the interval between malware
> stealing your password and the bad guys using it.
>
> I agree that keeping a big file of unsalted hashes is a dumb idea, but
> there isn't much that users can do about services so inept as to do


Hi John,

I can't easily reconcile the statement that "most passwords ... are
stolen by malware/phishing" with the subsequent para referring to the
likes of LinkedIn (6.5 million apparently without usernames) or
Playstation Network (77 million with PII) or RockYou (32 million IDs) ...
but then I lack stats for the former, perhaps you can tell me how many
tens-of-millions of people got phished last year?

Credit cards scraped by malware may touch that number, but might be
themselves outpaced by wholesale CC database theft.

Sometimes password changing is done for reducing the window of
opportunity, other times it is for education, yet more times it's for
both, or to get everyone to refresh their password so the new Bcrypt or
SHA512crypt hash algorithm can be enabled and the crummy old short Unix
passwords (aaU..z/8FAYEc) can be expunged.

With the right tools your identity can be quite (shall we say?) agile
and involve a lot of hard work for bad guys to hit. That's the goal.

Turning the matter on its head: How tragic would it be for someone
still to be using the same password that they were using in the
Playstation hack, 14 months after the event?

Is 14 months an excusable length of time for someone not to have changed
their password after a break?

I would say not - but then would 6 months be any more excusable?

Or 3 months?

How long is it excusable to not get around to changing a
known-to-be-hacked password?

And what if you don't know you've been hacked?

In this game of diminishing time windows and not being sure about
whether User-A's password was taken but User-B's was not, perhaps the
best strategy is to assume that all passwords are likely broken after a
period of time and to change all of them - but that idea does not appeal
to everyone; I can see why, but perhaps my goals are different.

	-a
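
The "get everyone to refresh their password so the new hash algorithm can be enabled" idea in the mail above, as an added example that is not part of the original thread: a login path that still verifies a legacy unsalted SHA-1 entry (the LinkedIn-style format the thread criticises) but rehashes it with a salted, iterated scheme the moment a user authenticates, and lists who has not yet migrated so the old hashes can be expunged. PBKDF2-HMAC-SHA512 is used here as a stand-in for the bcrypt/SHA512crypt named in the mail, because it is in the Python standard library; the store layout, function names and sample users are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed store format (assumption): "sha1$<hex>" for legacy unsalted
# entries, "pbkdf2$<iters>$<salt_b64>$<dk_b64>" for migrated entries.
ITERATIONS = 200_000


def legacy_sha1(password: str) -> str:
    """Legacy unsalted SHA-1, kept only so old entries can still be verified."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash standing in for bcrypt/SHA512crypt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify(stored: str, password: str) -> bool:
    """Check a password against either stored format, in constant time."""
    scheme = stored.split("$", 1)[0]
    if scheme == "sha1":
        return hmac.compare_digest(stored, legacy_sha1(password))
    if scheme == "pbkdf2":
        _, iters, salt_b64, dk_b64 = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                 base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    return False  # unknown scheme: fail closed


def login(store: dict, user: str, password: str) -> bool:
    """Authenticate; on success, silently upgrade a legacy hash in place."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith("pbkdf2$"):
        store[user] = pbkdf2_hash(password)  # we hold the plaintext only now
    return True


def legacy_users(store: dict) -> list:
    """Accounts never re-hashed since the cutover: candidates for a forced reset."""
    return sorted(u for u, h in store.items() if not h.startswith("pbkdf2$"))
```

Once `legacy_users` is empty, or its remaining accounts have been forced through a reset, the SHA-1 branch of `verify` can be deleted along with the old hashes.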


