Every week seems to bring a new warning about another hacked site exposing at least a million passwords. Is security possible anymore?
Ars Technica explores the problem in “Why passwords have never been weaker—and crackers have never been stronger.” Average user: 25 accounts, but 6.5 passwords. Sites demand email addresses as usernames, so crackers of one site immediately have user credentials for many more sites.
Graphic processors create cheap cracking machines, and about 100 million passwords were published online last year. Salting passwords by appending unique characters before encrypting makes things much safer, but many hacked sites, and many more current ones, don't salt. Then there's social engineering of password hints.
Make it harder
Okay, so it can try 8.2 billion per second. All a website had to do to foil that is to deny an more tries after 10 or so, no?ewelch on arstechnica.com
What a lame story. Brute force attacks are easily thwarted with a delay after an unsuccessful login.Bill Johnson on yahoo.com
A 4-digit PIN with a 3 attempt lock-out (and no further information) is more secure than a 10 character password encrypted with MD5.casca on news.ycombinator.com
What seems to work best is to slow logins down rather than lock them out completely. Still lets users in, but slows down bulk attacks enough so that the risk is low.adrianhoward on news.ycombinator.com
Lock-outs are tricky to manage. I can flood 50 login requests and have the legitimate user quickly locked out.casca on news.ycombinator.com
There is a difference between an algorithm being cryptographically secure and being brute force resistant. They exist for different purposes (and adaptive hash algorithms build upon the foundation of a cryptographically secure hash).xoa on arstechnica.com
Use a professional grade password generator and create new ones every month, or sooner if called for.Manuel Garcia O'Kelly on yahoo.com
More and more I feel like passwords are a fundamentally broken system. We need a better system of locks and keys. What is is, I don't know. I just know that it's not "passwords".eqypturnash on news.ycombinator.com
Surely the bigger issue is Mom & Dad - are we really expecting them to use Password Managers or a different, random phrase password for every single website that they use?deadlock on arstechnica.com
I still believe hacking is 80% social engineering, 10% software and 10% brut forceC on yahoo.com
Come clean: do you or “a friend” use the same password for every site?
Now read this: