Security Now 596: Password Complexity


Author: Security Now


Symantec issues additional invalid certificates while on probation, Tavis Ormandy finds a very troubling problem in Cisco's Web conferencing extension for Chrome, yesterday's important update to iOS, renewed concerns about LastPass metadata leakage, the SEC looks askance at what's left of Yahoo, a troubling browser form auto-fill information leakage, Tor further hides its hidden services, China orbits a source of entangled photons? Heartbleed three years later, a new take on compelling fingerprints, approaching the biggest Pwn2Own ever, some miscellany... and some tricks for computing password digit and bit complexity equivalence. We invite you to read our show notes. Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.


Comments

  1. I have been listening since 2005.
  2. There was no need to convert to bits. Just compare the number of possible combinations
    4 words: (100,000)^4= 1.0e20
    12 letters from a 90 word alphabet: (90)^12 = 2.8e23

    5 words ups the possible combinations to 1.0e25, but can a person remember 5 words taken at random? Or even type them correctly?

    Most people's mental dictionary, excluding proper names, is 500 words or less. If you access a 100,000 word dictionary, truly randomly, you would need to use words like Ozymandias or Ptolemy. Remembering them all becomes a problem if you need to remember several passwords. 5 passwords of 5 random words will likely become soup. Then you have to remember to spell the long obscure words correctly. I can almost guarantee that people who tout and use the word system, at best, have one obscure word or one long word out of a 3-word combo. Their combinations at best are more like
    100,000*500*500 = 2.5e10
  3. A button to let me execute the form fill would be a useful compromise to consider. If the button pops up with what it's about to fill, it wouldn't just protect me, it would tell me funny business is going on here.
  4. Quantum entanglement does not allow FTL communication. They're using these satellites for quantum encryption.
  5. FYI - You do not need the extension to use WebEx - there is a run once application option that does not require the extension at all
  6. OMG, their discussion on Diceware was awful. It's telling that Steve never actually talks about what level of entropy he considers necessary for a password. I typically use seven-word random passphrases, which is >90 bits of entropy, which is more than adequate.

    The character limit is a problem with character limits, period, not with Diceware-style systems. Ironically, the place I see these sorts of ridiculous limits are generally at banks, etc.
  7. I'll stick to my Smoley's tables.
  8. 2640
  9. He gave 100,000 for the number of possible nouns, so I'll go with that. log(100000^4)/log(2)=66.4, above the 64 bits of entropy considered to be a minimum for a strong password, and log(100000^5)/log(2)=83, above the 80 bits of entropy considered to be sufficiently strong for almost any purpose.

    So, you only need 4 words for a minimally strong password and 5 for a sufficiently strong password.
  10. Leo's credit card info, although only last 4 digits, was left unblurred. And we know that can be enough to trick phone companies to "confirm" your identity.
  11. Wonderful show... thanks
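The words-versus-characters comparison that the show description promises and that comments 2 and 9 work by hand, carried out in code. This is an added example, not code from Security Now or from any commenter. The figures it is exercised with (a 100,000-word dictionary, a 90-symbol character set, 64 and 80 bits as thresholds, one obscure word plus two from a 500-word vocabulary) are the commenters' own; SAMPLE_WORDS is a constructed list used only to show a proper CSPRNG draw, and the function names are this example's. It goes a little beyond the comments in that it converts in both directions (bits to a symbol count, not just count to bits) and handles positions drawn from pools of different sizes.

```python
"""Password strength as bits of entropy: random words vs. random characters.

Added example; not code from Security Now or from any commenter. The
numbers it is exercised with (100,000-word dictionary, 90-symbol alphabet,
64 and 80 bits as thresholds) come from the comments above; SAMPLE_WORDS is
a constructed list, far smaller than a real dictionary.
"""
import math
import secrets
from typing import Sequence


def entropy_bits(pool_size: int, count: int) -> float:
    """Bits of entropy in `count` symbols, each drawn uniformly and
    independently from `pool_size` equally likely symbols.

    Equals log2(pool_size ** count) without building the huge integer.
    Only valid when every position really is chosen at random from the
    whole pool; a human-picked "favourite" word is worth far less.
    """
    if pool_size < 2 or count < 1:
        raise ValueError("need pool_size >= 2 and count >= 1")
    return count * math.log2(pool_size)


def entropy_bits_mixed(pool_sizes: Sequence[int]) -> float:
    """Entropy when each position comes from a different pool, e.g. one
    obscure word from 100,000 plus two everyday words from 500 (comment 2)."""
    return sum(entropy_bits(size, 1) for size in pool_sizes)


def combinations(pool_size: int, count: int) -> int:
    """Exact number of possible passwords (an int, so no float rounding)."""
    return pool_size ** count


def equivalent_count(target_bits: float, pool_size: int) -> int:
    """Smallest number of symbols from a pool of `pool_size` whose entropy is
    at least `target_bits`: how many random characters equal k random words,
    or how many words are needed to clear a bit threshold.

    The epsilon stops an exact multiple (4 words converted back into words
    of the same dictionary) from creeping up to 5 through float error.
    """
    if pool_size < 2:
        raise ValueError("need pool_size >= 2")
    return math.ceil(target_bits / math.log2(pool_size) - 1e-9)


# Constructed sample word list; a real Diceware list has 7,776 entries.
SAMPLE_WORDS = (
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pylon",
)


def generate_passphrase(words: Sequence[str], count: int, sep: str = " ") -> str:
    """Pick `count` words uniformly with the secrets module (a CSPRNG).
    random.choice is seeded from predictable state and must not be used here.
    The result is worth entropy_bits(len(words), count), nothing more."""
    if len(words) < 2 or count < 1:
        raise ValueError("need at least two words and count >= 1")
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    words4 = entropy_bits(100_000, 4)   # ~66.4 bits
    chars12 = entropy_bits(90, 12)      # ~77.9 bits
    print(f"4 words from 100,000: {combinations(100_000, 4):.1e} = {words4:.1f} bits")
    print(f"12 chars from 90:     {combinations(90, 12):.1e} = {chars12:.1f} bits")
    print("chars from 90 to match 4 words:", equivalent_count(words4, 90))  # 11
    print("words for 64 bits:", equivalent_count(64, 100_000))              # 4
    print("words for 80 bits:", equivalent_count(80, 100_000))              # 5
    mixed = entropy_bits_mixed([100_000, 500, 500])
    print(f"1 obscure + 2 common words: {mixed:.1f} bits")                  # ~34.5
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4),
          f"({entropy_bits(len(SAMPLE_WORDS), 4):.0f} bits only)")
```

The entropy figures are the defender's upper bound: they hold only if the generator is uniform and the attacker is assumed to know the dictionary and the scheme. A passphrase whose words were chosen by a person, or drawn from a list the user trimmed to familiar words, sits well below the number this code reports, which is the point comment 2 is making.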