Urban Terror Forums: [4.2] Update 4.2.012 - Urban Terror Forums


[4.2] Update 4.2.012

#111 JRandomNoob

  • Community Moderator

Posted 29 April 2013 - 04:02 AM

Yeah, I guess we can skip the part where various people post their solutions for “how long would it take to find one valid key if the haxx0r could harness every single connected device in the world” and just conclude that even the most resourceful and determined attempt would amount to nothing more than a needlessly elaborate DoS attack.

#112 x3r

  • Account: x3r
  • Main tag: 24/7.
  • Joined: 04-December 12
  • Posts: 122

Posted 29 April 2013 - 04:23 AM

JRandomNoob, on 29 April 2013 - 04:02 AM, said:

Yeah, I guess we can skip the part where various people post their solutions for “how long would it take to find one valid key if the haxx0r could harness every single connected device in the world” and just conclude that even the most resourceful and determined attempt would amount to nothing more than a needlessly elaborate DoS attack.


Exactly, but that takes the fun out of it all haha

#113 H0i

  • Former FS member
  • Modeler
  • Account: h0i
  • Joined: 30-January 10
  • Posts: 941

Posted 29 April 2013 - 02:42 PM

If we assume there are 7 billion accounts (one for everyone), then every attempt would have a (7*10^9 / 3.403*10^38) * 100% = 2.057x10^-27 % chance of succeeding.

In other words, ignoring the luck factor, and assuming we have 7 billion accounts (we don't) it would take 200 octillion (= billion billion billion) attempts to get one key.

#114 Divinity

  • Account: divinity
  • Main tag: /eVo/
  • Joined: 01-March 10
  • Posts: 252

Posted 29 April 2013 - 04:58 PM

The key isn't the weak spot in the auth scheme. It's the passwords to their website account via any number of attacks.

#115 beautifulNihilist

  • Verified user

Posted 30 April 2013 - 01:37 AM

Divinity, on 29 April 2013 - 04:58 PM, said:

The key isn't the weak spot in the auth scheme. It's the passwords to their website account via any number of attacks.


Bull's-eye.

#116 garcassgrinder

Posted 01 May 2013 - 03:36 AM

Well, I guess we have to use the same quality of pwd for the website account as the reg key. Maybe use the reg key also as pwd to access here ;-)

#117 Divinity

  • Account: divinity
  • Main tag: /eVo/
  • Joined: 01-March 10
  • Posts: 252

Posted 01 May 2013 - 01:18 PM

It's long been known that the weak spot in any security scheme is ALWAYS the end user assuming no fundamental design flaws and/or security bugs. People are the weak link for a variety of reasons -- they write down their passwords because they have a hard time remembering them, they choose passwords based on family names, etc. You cannot introduce password length or complexity requirements stringent enough to offset this. In fact, it will likely only make some of the factors worse.

As an interesting side note -- current token password schemes (including two-factor auth) are invariably broken long term as the computing power available to the average person continues to increase. Inevitably, biometrics will be the last stop on the authentication tour with a combination of biometrics and tokens being the final two-factor solution or a two-factor biometrics (i.e. fingerprint and voice or fingerprint and retina). The encryption scheme built on top of biometrics will be some impossibly long bit algorithm.

I know this is a bit of a digression, but I dig this stuff :)

#118 phd

  • Account: phd
  • Joined: 02-April 11
  • Posts: 131

Posted 01 May 2013 - 01:20 PM

Basic password rules can be enforced (alpha-numeric-CAPS-|!"/$%?&*()), but that has limits.

One trick is to propose a series of images to the "registering" user.
The user selects 3 of them and assigns a password for each (with the password rules).
Each time the user connects to the website, you ask for the username first (and the user has to hit the submit button).
Then you show one image and the user has to enter the corresponding password.

When the user comes from an IP different from the last time, you show him 2 images in a row and he has to provide the right password for both.

This is not that complicated, yet it raises the security significantly.

Furthermore, I just thought about that and I don't think it has ever been implemented anywhere.

Feel free to steal my idea !!!
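A minimal sketch of the image-challenge login described in the post above, added here as an example and not code from the forum or from Urban Terror's auth system. The class name, method names, image ids and in-memory storage are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

def _kdf(password, salt):
    # Salted, slow hash so a database leak does not expose the image passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ImageChallengeAuth:  # hypothetical name, in-memory storage for the demo
    def __init__(self):
        self.users = {}    # username -> {"images": {id: (salt, hash)}, "last_ip": ip}
        self.pending = {}  # username -> image ids currently being asked

    def register(self, username, image_passwords, ip):
        if len(image_passwords) != 3:
            raise ValueError("user must pick exactly 3 images")
        images = {}
        for image_id, password in image_passwords.items():
            salt = os.urandom(16)
            images[image_id] = (salt, _kdf(password, salt))
        self.users[username] = {"images": images, "last_ip": ip}

    def _needed(self, username, ip):
        # One image from the last-seen IP, two images from any other IP.
        return 1 if ip == self.users[username]["last_ip"] else 2

    def challenge(self, username, ip):
        needed = self._needed(username, ip)
        asked = self.pending.get(username, [])
        if len(asked) < needed:
            # Draw once and keep it until answered: re-drawing on every request
            # would let someone who knows one password reload for "their" image.
            asked = secrets.SystemRandom().sample(sorted(self.users[username]["images"]), needed)
            self.pending[username] = asked
        return list(asked)

    def verify(self, username, ip, answers):
        asked = self.pending.get(username, [])
        if len(asked) < self._needed(username, ip):
            return False  # no challenge issued, or too few images for this IP
        ok = True
        for image_id in asked:
            salt, stored = self.users[username]["images"][image_id]
            ok &= hmac.compare_digest(_kdf(answers.get(image_id, ""), salt), stored)
        if ok:
            del self.pending[username]
            self.users[username]["last_ip"] = ip
        return ok
```

The challenge is stored server-side and checked against the IP at verification time, so a one-image challenge obtained from the known address cannot be answered from a new one.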

#119 Divinity

  • Account: divinity
  • Main tag: /eVo/
  • Joined: 01-March 10
  • Posts: 252

Posted 01 May 2013 - 03:24 PM

For a subset of people and situations, that would be fine, but in the larger grand scheme of things not so much. For example that doesn't scale to visually impaired people very well. It also raises the likelihood of someone writing down their passwords since now they have three to remember instead of just one.

#120 hellraiser

  • Account: hellraiser
  • Joined: 08-March 11
  • Posts: 481

Posted 01 May 2013 - 06:53 PM

Oooopsss... demo visualization bug :wacko:


