[ale] evernote security breach
Jay Lozier
jslozier at gmail.com
Tue Mar 5 10:17:44 EST 2013
On 03/05/2013 08:10 AM, JD wrote:
> On 03/05/2013 07:37 AM, Watson, Keith wrote:
>> Ron,
>>
>> Use a pass phrase. They are easy to type and when they reach 15 characters or
>> more, very difficult to crack.
>>
>> Example pass phrase:
>>
>> OK so you think you can brute force this pass phrase. Good luck.
>>
>> Like I said, easy to type and remember, very difficult to crack. It would be
>> easier to use rubber hose cryptography to get the pass phrase.
> It is all about the size. Remember, the people trying to crack our passwords
> * do not know how long the password/passphrase is
> * do not know which alphabet we are using
> * Assume certain patterns will be used. (because most passwds follow these)
Mostly dictionary with simple substitution (password = pa55w0rd) or
always adding punctuation at the end of the password (password = password?).
> http://blog.jdpfu.com/2011/08/30/easy-technique-for-secure-easy-to-type-passwords-size-matters
> has some thoughts on this. I summarize how passwords are cracked so we can avoid
> creating passwords that fit those patterns.
> * everything else being the same, size matters most.
>
> Do not reuse your "good passphrase" between KeePassX and any login - especially
> a Windows login.
>
> 5 yrs ago, people used multiple supercomputers to crack passwords that (4) $500
> GPUs handle today. What happens when a $500 GPU does 20x-100x more in 5 more
> years? Length is the only way to combat these sorts of improvements. Clearly,
> if there are other flaws in the encryption, those will be used first, but most
> of us do not control that aspect. Size is all we can control.
Always assume that a password can be cracked if someone wants to spend
the time and effort. The key is to make it very difficult so yours gets
punted instead of cracked. The other reason for length is to buy time to
change your password. If yours can reasonably be expected to take a few years
to crack with current technology and the site is hacked you have some
time to change the password. Many passwords take only a few seconds to
minutes to crack at most. Thus the easy ones are cracked within a few
hours depending on how many there are while the harder ones will be punted.
If you are someone very important by virtue of your position and the
hackers need to crack your specific password then hackers might spend
the time to try to crack your password. More likely they would try a
spearphishing attack to get the password. Otherwise hackers are more
likely looking for passwords to bank/credit card accounts or others that
might give them access to someone's money but not specifically your
money. The latter concept is often hard for people to grasp; hackers
usually are not targeting you but anyone who is careless about passwords
to gain access to money. I had a PHB who never grasped this concept and
was so bad that everyone's password in the office was the same derived
from the company's name and was not even 8 letters long (no numbers or
punctuation).
I think of passwords as a defensive measure that is primarily used to do
two things:
1. stop the casual snoopers who get physical access to the computer. For
this depending on physical access a very simple password might be
suitable (home desktop that only family members use).
2. buy time for one to react to the threat and take appropriate measures
(very hard password on bank account login for example). If I learn my
bank has been hacked I would like to have some time to change my
password before it is cracked. Assume the hack is not immediately
discovered, so the hackers have at least a few days' head start on cracking
passwords.
Since passwords are defensive (a concept most people do not grasp), they
can (and will) be defeated eventually because all purely defensive
measures can be defeated if one is willing to spend the time and effort
necessary to defeat them. If you are in a besieged castle the length of
time you can hold out is determined by the amount of food you have. If
the besiegers can not or will not stay beyond a certain time (say late
fall/early winter) and you have only a few days of food you will
surrender or starve. But if you have 3 years of food you win.
--
Jay Lozier
jslozier at gmail.com
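The thread's argument (length buys time, and attacker speed keeps rising) put into numbers, as an added example that is not part of the original mail. The guess rate, alphabet sizes and dictionary size are assumed round figures, not measurements of any particular hardware or hash.

```python
"""Added example: how much password length is worth against faster attackers.
All rates and sizes below are assumed illustrative values, not measurements."""
import math

# Assumed alphabet sizes for uniformly random passwords.
LOWER, LOWER_DIGITS, PRINTABLE = 26, 36, 95
# Assumed attacker rate: a fast unsalted hash on a few GPUs (illustrative).
GUESSES_PER_SEC = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(length, alphabet):
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def expected_crack_years(length, alphabet, rate=GUESSES_PER_SEC):
    """Average exhaustive-search time: half the keyspace at `rate` guesses/s."""
    return alphabet ** length / 2 / rate / SECONDS_PER_YEAR


def chars_to_offset(speedup, alphabet):
    """Extra characters that cancel an attacker speedup of `speedup`x.
    Each added symbol multiplies the search by `alphabet`, so this is
    log base `alphabet` of the speedup: roughly 1-2 characters for 100x."""
    return math.log(speedup, alphabet)


def phrase_bits(words, dictionary_size):
    """Entropy of a phrase when the attacker guesses whole words rather than
    characters: words * log2(dictionary_size). For a phrase built from common
    words this, not the character count, is the honest estimate."""
    return words * math.log2(dictionary_size)


def buys_enough_time(length, alphabet, days_to_react, rate=GUESSES_PER_SEC):
    """True if the expected crack time exceeds the window needed to notice a
    breach and rotate the password (the 'buy time' argument in the thread)."""
    return expected_crack_years(length, alphabet, rate) * 365.25 > days_to_react


if __name__ == "__main__":
    for length, alphabet in [(8, LOWER), (8, PRINTABLE), (15, LOWER), (20, LOWER)]:
        print(f"{length:2d} chars, alphabet {alphabet:2d}: "
              f"{keyspace_bits(length, alphabet):5.1f} bits, "
              f"{expected_crack_years(length, alphabet):.3g} years")
    print(f"100x faster attacker is offset by {chars_to_offset(100, LOWER):.2f} "
          f"extra lowercase characters")
    print(f"10 common words from a 7000-word list: {phrase_bits(10, 7000):.1f} bits")
```

The 100x hardware gain JD anticipates costs under two extra characters to neutralise, which is the whole point of "size matters"; the word-based estimate is the caveat for natural-language phrases like Keith's.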