EWyatt Posted December 6, 2012

When I input my username and password to my banking sites, and other sites, the site usually takes several seconds to analyze my input and regard it as valid or not. Let's start there.

I've read that brute-force automated techniques are used by hackers to get into people's sites; however, if it takes several seconds to analyze a username and password, and the hackers have to try millions/billions of combinations of usernames and passwords, it would take weeks! Or longer. And that's just working on one account. Am I wrong here?

My point is, if a person's computer hasn't been hacked for stolen data, or if a person's login info hasn't been found out physically (from a piece of paper, etc.), then it's VERY difficult for a brute-force system to manage a login from scratch. Just my 2 cents.... I'm missing something, right?
StringJunky Posted December 6, 2012

There will be a limit on how many times an incorrect password can be entered, so brute-forcing a bank account password won't be viable, or the chances are astronomical of doing it within the set number of allowed attempts. You might find this interesting... bear in mind this is describing a 128-bit encryption system and a lot of systems now use 256-bit encryption:

"Modern cryptographic systems are essentially unbreakable, particularly if an adversary is restricted to intercepts. We have argued for, designed, and built systems with 128 bits of security precisely because they are essentially unbreakable. It is very easy to underestimate the power of exponentials. 2^128 is a very big number. Burt Kaliski first came up with this characterization, and if he had a nickel for every time I tell it, he could buy a latte or three. Imagine a computer that is the size of a grain of sand that can test keys against some encrypted data. Also imagine that it can test a key in the amount of time it takes light to cross it. Then consider a cluster of these computers, so many that if you covered the earth with them, they would cover the whole planet to the height of 1 meter. The cluster of computers would crack a 128-bit key on average in 1,000 years."

http://www.codinghorror.com/blog/2006/07/brute-force-key-attacks-are-for-dummies.html

The whole article's interesting.
Enthalpy Posted December 7, 2012

Decent cryptographic coding wants to make brute-force attacks impossible whatever the unreasonable processing power available. On symmetric codes, 128 bits would be more than enough IF no other attack were possible, which is generally impossible to prove. Then you have asymmetric codes, or "public key codes", which demand much longer keys, often chosen as 2000 bits presently. Signature, or authentication, demands a bit more than 128 bits, like 160 or 192. Beyond key length, authentication is in serious trouble because all traditional codes (MD, SHA, maybe SHA-1...) have been broken BUT are still used.

-----

And then you have all the codes that have been voluntarily botched because governmental agencies obtained this to spy on their citizens.

Cell phones have too short a key. The code was ill-designed, had initially short 64-bit keys, every participant in the standard had realised the code was weak, but the French reduced the key length to 40 bits in addition.

The French bank card has too short a public key, something like 320 bits. Consequently, it was broken by Serge Humpich as a demo. He was condemned, his software and knowledge stolen by the spooks... and the short key remains.

All Bluetooth codes, including the more recent ones, are very weak. Crack software exists on the Web to break the older code in a few seconds on a PC: it gives the clear text AND the key.

You know Windows' Protected Storage Area? It stores your session password, your Outlook message password, among others - though now MS says it's not for new design. On French Windows NT4-2k-XP, all users have the same one "secret" key to protect the PSA. Many years after the French law had evolved and easily allowed one key per user - W2k had received since the law 4 service packs, one SR, many patches, XP had received 2 SPs... - Microsoft issued KB955417. But not as a security patch: as a functional improvement which isn't downloaded automatically...

Not bad either: in Linux secure servers (was it Apache?) which make up over 90% of all "secure" https sites, a "bug" limited the number of different keys to 65536. Perfectly visible in the open-source code, but it stayed there for several years. Every https link could be cracked by trying 2^16 keys, not 2^128. So open source doesn't mean "safe because everyone can check it" but rather "someone else should have checked it".

The Italian government at some time accused Skype of being used by the mafias, so you can suppose Skype is botched meanwhile.

Since the former French government, every Internet site is requested to deliver all your identities and passwords to the police on request. Trouble: the sites are supposed to ignore your password, which is encoded by your machine even on the first time and never passes in clear text over the line. The only possibility I see is that all sites in France use phishing versions of their pages to steal your password when requested.

You may ask if this is in the country's interest, as weak crypto is broken by foreign spooks and criminals as easily as by French ones. Or if you don't ask it, I do.
EWyatt (Author) Posted December 7, 2012

Interesting reading, StringJunky. 128-bit encryption is truly the way to go. Nevertheless, I still don't understand the paranoia about usernames and passwords, and the incredible amount of resources needed for hackers to access a simple account.

Perhaps all this crud about "having complex passwords" is a bunch of bunk, especially if the computer being used is clean and virus-free.