[ale] OT: password gripe
krwatson at cc.gatech.edu
Thu Dec 31 12:05:01 EST 2009
> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> Charles Shapiro
> Sent: Thursday, December 31, 2009 10:05
> To: Atlanta Linux Enthusiasts - Yes! We run Linux!
> Subject: Re: [ale] OT: password gripe
>
> Ah, so what you're telling me is I only need to beat one password out
> of you. Hmm. Useful.
>
> -- CHS
>
Charles,
True, but let us analyze your use of rubber hose password decryption.
1. There is no such thing as perfect security.
2. All passwords are susceptible to this method.
3. Once used, it works for all the passwords the target knows, so it really doesn't matter how many there are.
4. It works faster on the person who has the password if you use it on someone else the person cares about. According to TV and movies this method even works on people like Jack Bauer.
5. In order to use it you have to be in physical proximity of the target. This makes it as dangerous for the attacker as it is for the target.
6. It violates the law and all social custom, so the data must be worth the risk. My data isn't worth that much; if it were, I would put in safeguards similar to what I used in my previous line of employment, making it very high risk for the attacker.
7. Given the inherent physical risk of rubber hose password decryption, a remote attack is the most likely.
8. KeePass can use a pass phrase and/or two-factor authentication using keys. This renders it less susceptible to the post-it note (also high risk to the attacker) and remote attack.
I see your rubber hose decryption and raise you reasoned risk analysis,
keith
--
Keith R. Watson Georgia Institute of Technology
Systems Support Specialist IV College of Computing
keith.watson at cc.gatech.edu 801 Atlantic Drive NW
(404) 385-7401 Atlanta, GA 30332-0280