<html><head></head><body><div class="ydpc334f3f7yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
<div dir="ltr" data-setdir="false">So the banks that now ask us to remember passwords with punctuation and be able to enter them on a smartphone would be better off looking at other vulnerabilities in their system?</div><div dir="ltr" data-setdir="false"><br></div><div><br></div>
</div><div id="ydp908295b8yahoo_quoted_7975706794" class="ydp908295b8yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Saturday, April 25, 2020, 4:39:16 AM PDT, Michael Paoli &lt;michael.paoli@cal.berkeley.edu&gt; wrote:
</div>
<div><br></div>
<div><br></div>
<div>> From: "<a shape="rect" href="mailto:paulz@ieee.org" rel="nofollow" target="_blank">paulz@ieee.org</a>" <<a shape="rect" href="mailto:paulz@ieee.org" rel="nofollow" target="_blank">paulz@ieee.org</a>><br clear="none">> Subject: Re: [conspire] Password permutations<br clear="none">> Date: Thu, 16 Apr 2020 05:13:48 +0000 (UTC)<br clear="none"><br clear="none">> Now a different question. <br clear="none">><br clear="none">> Who can actually try a large number of logins? In my experience <br clear="none">> just trying to get into my own account, it takes a second to get a <br clear="none">> response that I messed up. That limits my attempts to not very many <br clear="none">> in an hour. Also, if I mess up more than 4 or 6 times in a row, I <br clear="none">> get locked out and have to phone the bank for assistance.<br clear="none">> Methinks there is a different sort of security hole that would <br clear="none">> allow an unlimited number of tries in a short time.<br clear="none"><br clear="none">As I, and many others, oft say, at least approximately:<br clear="none">If the security is too hard/egregious, folks will go around it.<br clear="none"><br clear="none">"Of course" this applies to the "bad guys" too.<br clear="none">E.g., infeasible to brute force password on the "front door" (general<br clear="none">login screen or the like), then use other methods. E.g. get/find/steal<br clear="none">the password hashes, now brute force 'em with impunity, any cracked,<br clear="none">so long as they've not (yet) been changed - one now has valid password.<br clear="none"><br clear="none">Or put in a hidden camera to get PINs, and a skimmer for mag stripe data.<br clear="none"><br clear="none">Super secure hardened firewall? Okay. How many authorized users have<br clear="none">access? Oh, only something over 150,000 folks? Yeah, not all that secure.<br clear="none"><br clear="none">Etc., etc.<br clear="none"><br clear="none">Uber secure cyber security? 
Computationally "impossible" (infeasible)<br clear="none">to break/thwart? Roll up the damn armored tank. How's the physical<br clear="none">security lookin'? Or apply undue influence to person(s) with access, etc.<br clear="none">Launch the thermonuclear warhead? There's a reason it takes two separate<br clear="none">keys in two locations far apart enough it's infeasible for one person<br clear="none">to operate them ... not to mention all the (armed, etc.) hardened defenses<br clear="none">one needs to get to before making it to those physical keys.<br clear="none"><br clear="none">So, too, yes, there's always questions about how much security applied<br clear="none">where to protect what of what value/risk. And don't forget, what are<br clear="none">the easiest/weakest ways to get there - taking into account *all*<br clear="none">possible ways not just the simple straight-forward conventional head-on<br clear="none">approaches ... though, too, sometimes those work if enough force is<br clear="none">applied (law enforcement can take down most front doors without too<br clear="none">much difficulty ... bad guys could do it too but they'd look more<br clear="none">suspicious running around with a battering ram ... and also not very<br clear="none">stealth).<div class="ydp908295b8yqt2933461231" id="ydp908295b8yqtfd30639"><br clear="none"><br clear="none"><br clear="none">_______________________________________________<br clear="none">conspire mailing list<br clear="none"><a shape="rect" href="mailto:conspire@linuxmafia.com" rel="nofollow" target="_blank">conspire@linuxmafia.com</a><br clear="none"><a shape="rect" href="http://linuxmafia.com/mailman/listinfo/conspire" rel="nofollow" target="_blank">http://linuxmafia.com/mailman/listinfo/conspire</a><br clear="none"></div></div>
</div>
</div></body></html>