{"id":209,"date":"2012-03-04T16:48:36","date_gmt":"2012-03-04T22:48:36","guid":{"rendered":"http:\/\/fraudbump.wordpress.com\/?p=209"},"modified":"2012-03-04T16:48:36","modified_gmt":"2012-03-04T22:48:36","slug":"password-haystacks","status":"publish","type":"post","link":"https:\/\/amirbekian.com\/blog\/2012\/03\/password-haystacks\/","title":{"rendered":"Password Haystacks"},"content":{"rendered":"<p>In recent months the \u201cdead horse\u201d of password-based authentication got some new life in the form of so-called \u2018<a href=\"http:\/\/abclocal.go.com\/kabc\/story?section=news\/consumer&amp;id=8361856\">password haystacks<\/a>\u2019. An approach introduced by well-known security expert (and one of my favorite gurus) Steve Gibson relies on knowledge of the logic used by password brute-force attackers. In essence the attackers \u2013 after trying a list of well-known passwords (\u201cpassword\u201d, \u201c123456\u201d, \u201ccat\u201d etc.), their variations (\u201cpa$$w0rd\u201d) and finally a plain dictionary \u2013 switch to \u2018pure guessing\u2019, in which arbitrary combinations of alphanumeric characters and some special signs are generated and tried methodically until the password is guessed. Hence the \u201cbrute force\u201d nature of the attack. So far the best prescription for passwords has been to make them both random and very long \u2013 advice routinely ignored by the user community, as it makes such passwords extremely hard for humans to remember. What Steve came up with is that passwords with similarly high \u201cstrength\u201d (i.e. resistance to guessing) can be created by artificially increasing their length (each added character increases the time needed to crack the password exponentially) and the space of characters used in them (the greater the variety of lower-case, upper-case, numeric and special characters used, the more combinations are possible \u2013 again drastically increasing the cracking time) by, say, prepending or appending some easy-to-remember \u201cpadding\u201d to passwords. For example, \u2018000Johny000\u2019 is infinitely harder to brute force than \u2018johny\u2019 \u2013 yet the two require comparable effort for a human to remember. Makes perfect sense \u2013 you come up with your own secret \u201cpadding\u201d pattern and use it to enhance your simple, and consequently easy-to-guess, passwords. Once enhanced, such passwords are both easy to remember and hard to crack (a more detailed explanation is available from the source\u00a0<a href=\"https:\/\/www.grc.com\/haystack.htm\">here<\/a>). Sounds like a perfect solution, huh?<\/p>\n<p>Up to a point. While the \u201chaystack\u201d approach certainly adds to password-based security, it is hardly the end of the game. Like anything else in security, password attacks are a never-ending cat-and-mouse game between the \u2018locks\u2019 and the \u2018keys\u2019. Thus it is only a matter of time before fraudsters update their password-guessing algorithms and tools to check \u2018popular padding\u2019 patterns first before switching to \u2018pure brute forcing\u2019. Not to mention the possibility of \u2018leaking\u2019 your password in some other way (e.g. through a phishing site), thus revealing the \u201csecret sauce\u201d of all your strong passwords \u2013 the \u201cpadding pattern\u201d \u2013 to the attackers.<\/p>\n<p>At the end of the day, as often mentioned in the\u00a0<a title=\"Passwords are\u00a0pass\u00e9\" href=\"http:\/\/fraudbump.wordpress.com\/2007\/09\/07\/passwords-are-passe\/\">past<\/a>, passwords as a viable protection mechanism are pretty much dead (mostly). Indeed, other approaches like multi-factor authentication have no real alternative, no matter what clever way we come up with to make our passwords less guessable.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In recent months the \u201cdead horse\u201d of password-based authentication got some new life in the form of so-called \u2018password haystacks\u2019. An approach introduced by well-known security expert (and one of my favorite gurus) Steve Gibson relies on knowledge of the logic used by password brute-force attackers. In essence the attackers \u2013 after trying &hellip; <a href=\"https:\/\/amirbekian.com\/blog\/2012\/03\/password-haystacks\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Password 
Haystacks<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[20],"class_list":["post-209","post","type-post","status-publish","format-standard","hentry","category-general-observations-commentary","category-prognosis","tag-passwords"],"_links":{"self":[{"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/posts\/209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/comments?post=209"}],"version-history":[{"count":0,"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/posts\/209\/revisions"}],"wp:attachment":[{"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/media?parent=209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/categories?post=209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/tags?post=209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}