[conspire] brute force & ... Re: Password permutations

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sat Apr 25 04:37:14 PDT 2020


> From: "paulz at ieee.org" <paulz at ieee.org>
> Subject: Re: [conspire] Password permutations
> Date: Thu, 16 Apr 2020 05:13:48 +0000 (UTC)

> Now a different question. 
>
> Who can actually try a large number of logins?    In my experience  
> just trying to get into my own account, it takes a second to get a  
> response that I messed up.  That limits my attempts to not very many  
> in an hour.  Also, if I mess up more than 4 or 6 times in a row, I  
> get locked out and have to phone the bank for assistance.
> Methinks there is a different sort of security hole that would  
> allow an unlimited number of tries in a short time.

As I, and many others, oft say, at least approximately:
If the security is too hard/egregious, folks will go around it.

"Of course" this applies to the "bad guys" too.
E.g., infeasible to brute force password on the "front door" (general
login screen or the like), then use other methods.  E.g. get/find/steal
the password hashes, now brute force 'em with impunity, any cracked,
so long as they've not (yet) been changed - one now has valid password.

Or put in a hidden camera to get PINs, and a skimmer for mag stripe data.

Super secure hardened firewall?  Okay.  How many authorized users have
access?  Oh, only something over 150,000 folks?  Yeah, not all that secure.

Etc., etc.

Uber secure cyber security?  Computationally "impossible" (infeasible)
to break/thwart?  Roll up the damn armored tank.  How's the physical
security lookin'?  Or apply undue influence to person(s) with access, etc.
Launch the thermonuclear warhead?  There's a reason it takes two separate
keys in two locations far apart enough it's infeasible for one person
to operate them ... not to mention all the (armed, etc.) hardened defenses
one needs to get to before making it to those physical keys.

So, too, yes, there's always questions about how much security applied
where to protect what of what value/risk.  And don't forget, what are
the easiest/weakest ways to get there - taking into account *all*
possible ways not just the simple straight-forward conventional head-on
approaches ... though, too, sometimes those work if enough force is
applied (law enforcement can take down most front doors without too
much difficulty ... bad guys could do it too but they'd look more
suspicious running around with a battering ram ... and also not very
stealth).



