On 8 Jun 2012, at 22:59, John Levine wrote:
> Given that most compromised passwords these days are stolen by malware
> or phishing, I'm not understanding the threat, unless you're planning
> to change passwords more frequently than the interval between malware
> stealing your password and the bad guys using it.
>
> I agree that keeping a big file of unsalted hashes is a dumb idea, but
> there isn't much that users can do about services so inept as to do
Hi John,
I can't easily reconcile the statement that "most passwords … are stolen by
malware/phishing" with the subsequent para referring to the likes of LinkedIn
(6.5 million apparently without usernames) or Playstation Network (77 million
with PII) or RockYou (32 million IDs) … but then I lack stats for the former,
perhaps you can tell me how many tens-of-millions of people got phished last
year?
Credit cards scraped by malware may touch that number, but might be themselves
outpaced by wholesale CC database theft.
Sometimes password changing is done for reducing the window of opportunity,
other times it is for education, yet more times it's for both, or to get
everyone to refresh their password so the new Bcrypt or SHA512crypt hash
algorithm can be enabled and the crummy old short Unix passwords
(aaU..z/8FAYEc) can be expunged.
With the right tools your identity can be quite (shall we say?) agile and
involve a lot of hard work for bad guys to hit. That's the goal.
Turning the matter on its head: How tragic would it be for someone still to be
using the same password that they were using in the Playstation hack, 14 months
after the event?
Is 14 months an excusable length of time for someone not to have changed their
password after a break?
I would say not - but then would 6 months be any more excusable?
Or 3 months?
How long is it excusable to not get around to changing a known-to-be-hacked
password?
And what if you don't know you've been hacked?
In this game of diminishing time windows and not being sure about whether
User-A's password was taken but User-B's was not, perhaps the best strategy is
to assume that all passwords are likely broken after a period of time and to
change all of them - but that idea does not appeal to everyone; I can see why,
but perhaps my goals are different.
-a