

   alt.os.linux      Getting to be as bloated as Windows!      107,822 messages   


   Message 106,301 of 107,822   
   Gordinator to Alan Browne   
   Re: RockYou2024 leak of 10 billion passw   
   07 Jul 24 18:27:18   
   
   XPost: alt.comp.os.windows-10, comp.mobile.android, misc.phone.mobile.iphone   
   XPost: comp.sys.mac.system, alt.privacy   
   From: gordinator@gordinator.org   
      
   On 07/07/2024 12:26, Alan Browne wrote:   
   > On 2024-07-06 19:28, Mickey D wrote:   
   >>   
   >> "Threat actors could exploit the RockYou2024 password compilation to   
   >> conduct brute-force attacks and gain unauthorized access to various   
   >> online accounts used by individuals who employ passwords included in the   
   >> dataset," the team explained.   
   >   
   > Why Passkeys should be used wherever financial transactions or sensitive   
   > information are concerned.  Or at least TFA.   
   >   
   > And passwords need to be strong - computer generated is always best.   
   >   
   > Otherwise password access should have time outs.   
   >   
   > 1st time wrong: no delay   
   > 2nd time wrong: 1 s delay   
   > 3rd time wrong: 2 s delay   
   > 4th time wrong: 4 s delay   
   > 5th time wrong: 8 s delay   
   >   
   > 10th time wrong: 4 hour delay, then reset to 0 delay.   
   >   
   > Brute force login attacks would simply not work.   
   >   
      
   A better solution would be to use a hashing algorithm like Argon2 that   
   is designed to be resistant to such attacks. That way, if you get   
   offline access to a database somehow - which is how these passwords were   
   derived - cracking takes a stupid amount of time.   
      
   Such modern algorithms use things like salting by default as well, which   
   eliminates rainbow table attacks (pre-computed lists of hashes and their   
   passwords), meaning you need to perform the slow and expensive   
   brute-force method.   
      
   Also, a timeout would only help with online logins. Offline ones are the   
   real deal, because you can go ham with no consequence.   
      
   That said, your idea of using computer-generated passwords is great. I   
   use 64-character random passwords generated by KeePassXC. It works   
   great, except for the websites that want shorter passwords, for some   
   bizarre reason.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   



(c) 1994,  bbs@darkrealms.ca