Posts by 124Out 9 publicly visible posts • joined 22 Jan 2010
- Missing methodology section? Check!
- Unverified user input? Check!
- Report the average but not the median? Check!
- Sponsored by security vendor? Check!
"It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy."
http://www.theregister.co.uk/2011/06/09/cybercrime_surveys_are_tosh_says_ms/
> Your entry for Paypal, 8 chars, says you're wrong! Paypal may not think 12 chars is needed, but they obviously think that more than six is.
Not obvious. Everyone likes some margin for error. That serious sites like Facebook, hotmail, Fidelity manage with 6 chars suggests online brute-forcing can be resisted at that level.
> Anyway, many of those sites will not admit to intrusions even when they are aware of them, so your suggestion that "the people who run real sites know..." is spurious
Evidence?
> I suppose the people who run real banks know how to run, err, real banks? Experience of the past few years says they don't!
They knew how to run real banks for their own profit while shareholders got torched. Worked out rather well for them.
The Georgia Tech analysis makes sense only if the attacker has the hashed passwords. The threat to your password is keylogging, phishing, SQL injection etc. Online brute-forcing isn't very feasable against well protected sites.
Schneier's recent Cryptogram has a section about password policies at various sites:
http://www.schneier.com/blog/archives/2010/07/website_passwor_1.html
Policies at some well-known sites:
Amazon: 6 chars unrestricted
Fidelity Investments: 6 chars unrestricted
facebook: 6 chars unrestricted
Hotmail: 6 chars unrestricted
Yahoo: 6 chars unrestricted
Paypal: 8 chars unrestricted
The people who run real sites serving 100s of millions of users know that 6 chars is enough to protect against online attacks, and make sure that there's no offline attack. People who tell us that 12 chars are necessary have no idea what is actually going on.
"Trend Micro researchers cite underground sources in speculation that ZeuS programmers earn more than $800,000 per year. The potential earnings of botnet herders may be even higher than this"
They might be earning more than $800k, or only $80k, or $8k or nothing. The only good FUD is more FUD.
The message here isn't the users who choose weak passwords. The message is the (32million-N) users who wasted their time choosing and remembering strong passwords and had them compromised anyway.
Users show a better understanding of the risk than most security people:
http://www.schneier.com/blog/archives/2009/11/users_rationall.html
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
