On Fri 25 Aug 2017 at 12:14:18 -0500, Mario Castelán Castro wrote:
> On 25/08/17 12:11, Brian wrote:
>
> >> Unless you have a good reason to think otherwise (e.g. *you* manage the
> >> web site and you know you are doing a good job), you should assume that
> >> the data-base with hashed passwords will leak without the system
> >> administrators noticing, and then an attack can be carried out offline.
> >
> > The problem with assumptions is that they often do not reflect the truth
> > of a situation and predispose us to making recommendations which are not
> > in the best interests of other people.
>
> This *sounds* very reasonable, but the truth is that you are simply
> dodging that your recommendation leads to weak passwords.
It not only *sounds* very reasonable, it *is* very reasonable. All of us, at one time or another, make assumptions which, in the light of experience or on closer examination, do not stand up. I really am not trying to dodge anything, but would like to know if distinguishing between offline and online is reasonable. Passwords which are possibly not immune to *offline* cracking is how I would categorise my idea. But that is not the responsibility of the user to mitigate. (Does one take a parachute on to a plane "just in case..."?)

> In security, one should not take things for granted. One should plan for
> the worst plausible case. Leaking hashed passwords has happened many
> times, so it is very plausible.

My bank has never (to my knowledge) had a breach. I trust it. I assume the people it employs are conscientious and competent. I assume they know more about their systems than I do. (BTW, one does this all the time, from surgeons to train drivers). I could use a random password to log in, but where is the deficiency in "Gimmethed0sh. It's*my*money!" for an online login?

To "take things for granted" is just another way of talking about assumptions. Maybe I am taking my bank's security for granted. But what other option is there, other than to form an opinion and then weigh up the risk? I have no control over their policies regarding data access. The worst possible case for my argument would be that the online and offline cases are indistinguishable.

-- 
Brian.
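The online-versus-offline distinction the two posters argue over can be made concrete as a guess budget: how many attempts an attacker gets in each scenario, and therefore how much entropy a password needs to outlast a given horizon. The following script is an added illustration, not code from either poster or from the list; the rate-limit figure, the hash-rate figures and the one-year horizon are assumptions chosen for illustration.

```python
import math

# Constructed threat-model parameters; these are assumptions for illustration,
# not figures from the thread. All rates are guesses per second.
ONLINE_RATE = 10 / 60               # assumed: a login endpoint allowing ~10 attempts per minute
OFFLINE_RATES = {                   # assumed order-of-magnitude rates against a leaked hash database
    "unsalted-sha256": 1e10,        # fast hash, single GPU
    "bcrypt-cost-12": 1e4,          # deliberately slow password KDF
}
ONE_YEAR = 365 * 24 * 3600          # attacker time horizon, in seconds


def random_password_bits(length, charset_size):
    """Entropy of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time to hit a uniformly chosen password: half the space on average."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def bits_needed(guesses_per_second, horizon_seconds):
    """Smallest whole number of entropy bits for which the expected search
    exceeds the horizon, i.e. 2^bits / 2 / rate >= horizon."""
    return math.ceil(math.log2(2 * guesses_per_second * horizon_seconds))


def threat_model_report(entropy_bits, horizon_seconds=ONE_YEAR):
    """For each scenario, report the bits it demands, whether a password of the
    given entropy is expected to survive the horizon, and the expected crack time."""
    scenarios = {"online-rate-limited": ONLINE_RATE}
    scenarios.update({f"offline-{name}": rate for name, rate in OFFLINE_RATES.items()})
    report = {}
    for name, rate in scenarios.items():
        needed = bits_needed(rate, horizon_seconds)
        report[name] = {
            "bits_needed": needed,
            "survives": entropy_bits >= needed,
            "expected_crack_years": expected_crack_seconds(entropy_bits, rate) / ONE_YEAR,
        }
    return report


if __name__ == "__main__":
    # A random 8-character [A-Za-z0-9] password carries about 47.6 bits.
    bits = random_password_bits(8, 62)
    for name, row in threat_model_report(bits).items():
        verdict = "survives" if row["survives"] else "falls"
        print(f"{name:28s} needs {row['bits_needed']:2d} bits; {verdict} "
              f"(expected crack time {row['expected_crack_years']:.3g} years)")
```

Under these assumed figures the same password sits comfortably above the online budget (about 24 bits for a year of rate-limited guessing) and above the offline budget against a slow KDF (about 40 bits), but well below what a leaked fast, unsalted hash demands (about 60 bits). That gap is exactly the "offline versus online" question raised in the thread, and it shows why the site's hashing choice, which the user cannot see, decides whether the distinction holds.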