
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.privacy      Discussing privacy, laws, tinfoil hats      112,125 messages   


   Message 110,316 of 112,125   
   Alan Browne to Gordinator   
   Re: RockYou2024 leak of 10 billion passw   
   07 Jul 24 17:30:09   
   
   XPost: alt.comp.os.windows-10, comp.mobile.android, misc.phone.mobile.iphone   
   XPost: alt.os.linux, comp.sys.mac.system   
   From: bitbucket@blackhole.com   
      
   On 2024-07-07 13:27, Gordinator wrote:   
   > On 07/07/2024 12:26, Alan Browne wrote:   
   >> On 2024-07-06 19:28, Mickey D wrote:   
   >>>   
   >>> "Threat actors could exploit the RockYou2024 password compilation to   
   >>> conduct brute-force attacks and gain unauthorized access to various   
   >>> online   
   >>> accounts used by individuals who employ passwords included in the   
   >>> dataset,"   
   >>> the team explained.   
   >>   
   >> Why Passkeys should be used wherever financial transactions or   
   >> sensitive information are concerned.  Or at least TFA.   
   >>   
   >> And passwords need to be strong - computer generated is always best.   
   >>   
   >> Otherwise password access should have time outs.   
   >>   
   >> 1st time wrong: no delay   
   >> 2nd time wrong: 1 s delay   
   >> 3rd time wrong: 2 s delay   
   >> 4th time wrong: 4 s   
   >> 5               8 s   
   >>   
   >> 10              4 hour delay, then reset to 0 delay.   
   >>   
   >> Brute force login attacks would simply not work.   
   >>   
   >   
   > A better solution would be to use a hashing algorithm like Argon2 that   
   > is designed to be resistant to such attacks. That way, if you get   
   > offline access to a database somehow - which is how these passwords were   
   > derived - cracking takes a stupid amount of time.   
      
   Having such a list won't help against such.   
      
   > Such modern algorithms use things like salting by default as well, which   
   > eliminates rainbow table attacks (pre-computed lists of hashes and their   
   > passwords), meaning you need to perform the slow and expensive   
   > brute-force method.   
      
   Indeed, but the issue is the brute force from the outside.  (Which also   
   needs a target site and account name ... already getting very unlikely).   
      
   >   
   > Also, a timeout would only help with online logins. Offline ones are the   
   > real deal, because you can go ham with no consequence.   
      
   That implies they've copied an entire system and are going after info in   
   it.  Since the pw database is (as you mention salted and encrypted) such   
   an attack will go exactly nowhere with the passwords in the list - esp.   
   when the salt is derived from other customer data.   
      
   > That said, your idea of using computer-generated passwords is great. I   
   > use 64-character random passwords generated by KeePassXC. It works   
   > great, except for the websites that want shorter passwords, for some   
   > bizarre reason.   
      
   64 char is overkill.  20 char is much more than sufficient assuming it's   
   random.   
      
   --   
   "It would be a measureless disaster if Russian barbarism overlaid   
     the culture and independence of the ancient States of Europe."   
   Winston Churchill   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
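The two mechanisms argued over in the thread, an escalating per-account delay for online guessing and a salted, deliberately slow hash for the stored password, fit together in one small login service. The code below is an added example and is not from the post or any of the posters. Argon2 is not in the Python standard library, so `hashlib.scrypt` (another memory-hard KDF) stands in for it; the `LoginService` class, its `login()` return strings, the simulated clock passed as `now`, and the `time_to_try()` attacker simulation are all assumptions made for the demonstration, and the usernames and passwords are constructed.

```python
"""Exponential-backoff login throttle plus a salted, slow password hash.

Added example, not from the original post. Argon2 is not in the standard
library, so hashlib.scrypt stands in for it. The LoginService class, the
'now' clock parameter and time_to_try() are made up for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Backoff schedule from the post: no delay after the 1st failure, then
# 1 s, 2 s, 4 s, 8 s ... doubling; the 10th failure costs a 4 hour
# lockout, after which the failure counter resets to zero.
MAX_FAILURES = 10
LOCKOUT_SECONDS = 4 * 60 * 60


def delay_after_failures(n: int) -> float:
    """Seconds an account must wait after n consecutive failed logins."""
    if n <= 1:
        return 0.0
    if n >= MAX_FAILURES:
        return float(LOCKOUT_SECONDS)
    return float(2 ** (n - 2))  # 2nd -> 1 s, 3rd -> 2 s, 4th -> 4 s ...


# scrypt cost: N=2**14 with r=8 needs about 16 MiB per hash, which is what
# makes offline cracking of a leaked table expensive (the Argon2 argument).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is given."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    not_before: float = 0.0  # earliest time (epoch seconds) a new attempt is accepted


class LoginService:
    """Hypothetical server-side login handler (not a real library)."""

    def __init__(self) -> None:
        self.users: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = Account(salt, digest)

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_credentials' or 'throttled'.

        Unknown users get the same answer as a wrong password so that the
        response does not reveal which account names exist.
        """
        acct = self.users.get(username)
        if acct is None:
            hash_password(password, b"\x00" * SALT_BYTES)  # burn equal time
            return "bad_credentials"
        if now < acct.not_before:
            return "throttled"
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures = 0
            acct.not_before = 0.0
            return "ok"
        acct.failures += 1
        acct.not_before = now + delay_after_failures(acct.failures)
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0  # counter resets once the 4 hour lockout is served
        return "bad_credentials"


def time_to_try(service: LoginService, username: str,
                candidates: List[str], start: float = 0.0) -> Tuple[float, Optional[int]]:
    """Simulate an online guesser working through a wordlist against one account.

    The attacker waits out each imposed delay before the next guess. Returns
    (simulated seconds elapsed, index of the successful guess or None).
    """
    now = start
    for i, guess in enumerate(candidates):
        if service.login(username, guess, now) == "ok":
            return now - start, i
        now = max(now, service.users[username].not_before)
    return now - start, None


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")  # constructed sample
    elapsed, hit = time_to_try(svc, "alice", ["guess%d" % i for i in range(10)])
    print("10 wrong guesses cost the attacker %.0f simulated seconds" % elapsed)
```

Ten wrong guesses cost the simulated attacker 0 + 1 + 2 + 4 + 8 + 16 + 32 + 64 + 128 + 14400 seconds, so a wordlist of any size is useless against the online interface; the scrypt cost and per-account salt are what matter if the table itself leaks.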



(c) 1994,  bbs@darkrealms.ca