The real story, IMHO, is not so much that the art of cracking has advanced, but that there is still no good solution to the problem of user authentication. Some companies are going for biometrics of some sort, but those systems have problems too. The concept of three-factor authentication — something you know, something you have, something you are — has been around for a while, but I haven’t heard of any systems using it. Lots of systems use two-factor. But there are problems with these things too.
The other real story is that despite significant publicity about cracking, lots of systems have crap for authentication mechanisms. For example, one financial system I use was allowing the entry of fairly robust passphrases, but internally truncating them to 10 characters. I discovered this when I suddenly couldn’t log in. They had “fixed” the system by matching the input fields to what they were actually using. Truncating my passphrase to the 1st 10 characters worked fine.
The human side of this sucks as well. My employer just switched to a web-based sign-up for benefits. It was a mess, though a small one. I had to call to get it straightened out, and the person I spoke with made no effort to ensure that it was really me on the phone. For the vast majority of people, this whole world of electronic security is a new and vast unknown. In fact, as Kevin Mitnick demonstrated in his book, the notion of real security is, in most cases, not understood at all. So, to refer to cybersecurity as an arms race is rather optimistic, since most people and computer systems aren’t employing any arms at all, for practical purposes.
Joel October 12, 2013 7:11 am
That’s distressing…
Jim B. October 12, 2013 11:47 am
They’ll have problems with the bio part of any security. Body parts are easily cut off to be used by those who are not. All the others are hackable.
S.
Cryptocurrency wins
http://www.zerohedge.com/news/2013-10-08/bitcoin-1-0-fbi
Suggest LASTPASS with as long a random string as the site will allow.
Unless I’m mistaken, this attack does not work on random passphrases like those generated through “diceware”.
http://world.std.com/~reinhold/diceware.html
These kinds of (offline) attacks also depend on having available the passphrase hash, a non-trivial problem.
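As an added illustration (not code from this thread or from any of the systems the commenters mention), the following Python puts two of the points above side by side: a verifier that silently truncates passphrases to 10 characters, as the earlier financial-system comment describes, beside a corrected one and a self-check that tells them apart; and a Diceware-style generator with an estimate of how much of a random passphrase's entropy such truncation discards. The eight-word list, salt and PBKDF2 round count are constructed placeholders, not the real Diceware list or any real system's parameters.

```python
import hashlib
import hmac
import math
import secrets

WORDLIST_SIZE = 7776      # size of the real Diceware list (one word per five d6 rolls)
# Constructed eight-word stand-in for the Diceware list (assumption, not the real list).
SAMPLE_WORDS = ["able", "acid", "aged", "also", "area", "army", "away", "baby"]
TRUNCATE_AT = 10          # the silent limit described in the comment above
PBKDF2_ROUNDS = 10_000    # placeholder work factor for this demo only


def diceware_passphrase(n_words, words=SAMPLE_WORDS):
    """Pick n_words uniformly at random from the list with a CSPRNG, as dice would."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of a uniformly random passphrase: log2(list size) bits per word."""
    return n_words * math.log2(wordlist_size)


def surviving_bits(passphrase, limit=TRUNCATE_AT, wordlist_size=WORDLIST_SIZE):
    """Conservative estimate of the entropy left when a backend only ever compares
    the first `limit` characters: count the whole words inside that prefix.
    (A cut-off word fragment still contributes a few bits; ignored here.)"""
    prefix = passphrase[:limit]
    if len(passphrase) > limit and passphrase[limit] != " ":
        # the cut landed inside a word: drop that partial word
        prefix = prefix.rsplit(" ", 1)[0] if " " in prefix else ""
    return entropy_bits(len(prefix.split()), wordlist_size)


def legacy_hash(passphrase, salt):
    """The defect from the comment above: only the first 10 characters reach the KDF."""
    return hashlib.pbkdf2_hmac("sha256", passphrase[:TRUNCATE_AT].encode(), salt, PBKDF2_ROUNDS)


def fixed_hash(passphrase, salt):
    """Corrected verifier: the whole passphrase is hashed."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def silently_truncates(hash_fn, salt=b"constructed-salt"):
    """Self-check for a verifier: two passphrases that agree only in their first
    10 characters must hash differently. True means the truncation defect is present."""
    a = "correct horse battery staple"
    b = "correct hoax"
    return hmac.compare_digest(hash_fn(a, salt), hash_fn(b, salt))
```

Run `silently_truncates` against your own password-verification path: a five-word Diceware passphrase worth about 64.6 bits keeps roughly one whole word, about 12.9 bits, once only its first 10 characters are compared.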