The Daily Static

Topic for debate: changing passwords by nix, 2005-05-16 11:03:40
  My understanding by psychoi3oy, 2005-05-16 11:15:16
    Rest of my response by nix, 2005-05-16 12:15:31
Obviously, changing group passwords when group membership changes is a good idea. What I am arguing about is periodic changes of personal passwords.

Changing passwords on a ($bruteforcetime/2) - e timescale is only really useful if you know when the brute force attack began. For instance, if we assume an off-line attack, and assume that the attacker can download your password file at will, or at least at relatively frequent intervals, then the attacker has a 50-e% chance of having your password at the time you change it. Then, it has to start over. After two runs through half of the password file, the equivalent time to one complete run, the attacker has a (100 - (50+e)^2)% (about 75%) chance of having your password. The expected time to get the password is something like the time to process (50+e^2)% of the password space. If the attack is on-line, then the attacker has a (50-e)% chance of having your password when you change it, and a ((50+e)% chance that the new password is in the remaining space)*((50+e)% of the search space) of finding the new password, which is once again about 75%. Assuming that the attacker can trojan your system as soon as they get a valid password, there is no difference between the two attacks.

Unfortunately, if you assume that the attack is at T((50-e)%), while it is really at T(20%), then the attacker has a 20% + (80%)*(80%) = 84% chance of finding your password in one brute-force round, at an expected time of T(57.5%). If the attacker is at T(80%), then the attacker once again has an 84% chance of finding it, with an expected time of T(50%).

So, the more accurately you know when the attack started, and how fast it is progressing, the more you can improve your chances. The only safe assumptions to make about when the attack started are that it started as soon as the password was set, or not at all. However, determining the speed of the attack is another issue. If you're using a long password, stored with a strong hash, then an offline attack could take several years on a modern computer. Unfortunately, the old estimates about needing a machine costing $large_amount_of_money to speed up password cracking are no longer valid; many attackers could have access to bot-nets of thousands of modern machines, which allow relatively unsophisticated attackers to crack your long passwords in a few days. Do you really want to change your passwords every three days to keep ahead?
[ Reply ]
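The post above reasons about what periodic rotation buys you against a brute-force search that restarts whenever the password changes. The following is an added example (not from the thread or any poster) that puts one version of that model into code so the numbers can be checked: a closed-form success probability and expected time-to-compromise, plus a Monte Carlo simulation to confirm them. The assumptions (uniform random password, attacker search order independent of the password, restart on every change, normalised full-search time T = 1) are the example's own simplifications, not claims from the post.

```python
"""
Toy model of periodic password rotation against a brute-force search.

Assumptions (constructed for this example, not taken from the post):
- the password is drawn uniformly from a space the attacker can exhaust in
  time T; all times below are in units of T (T = 1.0);
- the attacker tries candidates in a fixed order independent of the password,
  so after covering fraction x of the space the chance of success is x;
- when the password changes the attacker starts over on the new one (the
  "has to start over" case), and the new password is again uniform over the
  whole space;
- rotation happens every f*T with 0 < f <= 1; f = 1 means "never rotate",
  because one full pass is guaranteed to finish.
"""
import math
import random


def prob_found_after_rounds(f: float, rounds: int) -> float:
    """P(attacker finds at least one of the passwords within `rounds` periods).

    Each period is an independent trial that succeeds with probability f.
    """
    if not 0.0 < f <= 1.0:
        raise ValueError("f must be in (0, 1]")
    return 1.0 - (1.0 - f) ** rounds


def expected_time_to_compromise(f: float) -> float:
    """Expected time (units of T) until the attacker first holds a valid password.

    A failed period costs f*T; the successful period costs f*T/2 on average
    (uniform position within the period). Number of failed periods before
    success is geometric with mean 1/f - 1.
    """
    if not 0.0 < f <= 1.0:
        raise ValueError("f must be in (0, 1]")
    failed_rounds = 1.0 / f - 1.0
    return failed_rounds * f + f / 2.0


def simulate(f: float, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of expected_time_to_compromise, same assumptions."""
    if not 0.0 < f <= 1.0:
        raise ValueError("f must be in (0, 1]")
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        elapsed = 0.0
        while True:
            # position of the current password in the attacker's search order
            pos = rng.random()
            if pos < f:            # reached before the next rotation
                total += elapsed + pos
                break
            elapsed += f           # period exhausted: password rotated, restart
    return total / trials


def full_search_seconds(entropy_bits: float, guesses_per_second: float, hosts: int) -> float:
    """Seconds for `hosts` machines at `guesses_per_second` each to exhaust 2**bits.

    Hypothetical rates only; plug in measured figures for a real estimate.
    """
    return (2.0 ** entropy_bits) / (guesses_per_second * hosts)


def rotation_interval_seconds(entropy_bits: float, guesses_per_second: float,
                              hosts: int, max_prob_per_period: float) -> float:
    """Rotation interval that keeps P(found within one period) <= max_prob_per_period."""
    return max_prob_per_period * full_search_seconds(entropy_bits, guesses_per_second, hosts)


if __name__ == "__main__":
    for f in (1.0, 0.5, 0.2):
        print(f"rotate every {f:.1f}T: P(found in 2 periods)={prob_found_after_rounds(f, 2):.3f}, "
              f"E[time]={expected_time_to_compromise(f):.3f}T, sim={simulate(f):.3f}T")
    # constructed figures: 40-bit password, 1e6 guesses/s per host, 1000 hosts
    print(f"full search: {full_search_seconds(40, 1e6, 1000):.1f} s; "
          f"interval for <=1% per period: {rotation_interval_seconds(40, 1e6, 1000, 0.01):.1f} s")
```

Under these assumptions, two periods at f = 0.5 give the roughly 75% figure the post arrives at, and restarting the search does not shrink the expected time to compromise (it rises from T/2 with no rotation toward T as f shrinks); what rotation buys is a cap on the probability per period, and the last two helpers show how short that period becomes once the attacker's aggregate guess rate goes up.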
      This is why security has to be multi-layered. by Didactylos, 2005-05-16 12:37:22
