[ale] evernote security breach

Scott Plante splante at insightsys.com
Mon Mar 4 18:55:45 EST 2013


Mike Warfield wrote: 

> The passwords where hashed and salted but simple 
> passwords are still subject to off-line brute force and 
> rainbow table attacks. 

I thought the whole point of salting was to prevent rainbow tables. They don't go into details of their salting scheme, but assuming they used a separate random 32 character salt for each user, wouldn't that eliminate the effectiveness of rainbow tables? Of course, brute-force is still a big issue here, especially with these multi-graphics-card boxes they have now, but I thought salts were used pretty much for the sole reason of thwarting rainbow tables. 


By the way, as for thwarting the hash-cracking boxes, I found this "Security Now!" talk from 1/23/2013 on "Memory Hard Problems" interesting: http://www.grc.com/sn/sn-388.htm . 


I use the Linux pwgen command for generating long passwords I don't need to remember, i.e., situations where a long password is needed for one service to talk to another service, and the password will be stored in a conf file on the client. If I need to create a password to tell someone over the phone, I made a script that has this one line: 
echo $(shuf /var/lib/diceware.wordlist.asc |head -5|cut -d' ' -f2) 
If you Google the base filename, it'll come right up. The cut -d param is a tab. This is along the lines of the famous xkcd method linked to in this thread by Richard Bronosky. 


Regarding the sites that block passwords based on a dictionary word--I wonder if you took the set of all possible passwords of a certain length and eliminated all the ones that cracklib rejects, if you wouldn't end up with a smaller set than the ones you kept! ;-) I don't know if certain particular sites were specifically using cracklib, but they seem to reject an awful lot of complex passwords. 


Considering they should be only storing a hashed version of your password (+salt) which will come out to the same length no matter how long your password is, there's really no excuse for a website limiting the max length or content of your password. 


My other pet-peeve is how so many ridiculous websites ask you these personal questions, like your mother's maiden name, your first pet, etc. It made a certain amount of sense back when it was just your bank or credit card, but I can't stand all these newspapers, blogs, email providers, vendor websites, etc., asking these questions and usually 2, 3, or more. If you play along, it just means there's the possibility ( likelihood ?) of some massive database being created with your answers to all these questions. With very few exceptions, I answer nonsense to these questions. OMG! What if I've permanently lost my password to my free Podunk Daily Times login! Oh yeah, I'll create a new one or go without. Of course, those are the sites that require a 12 character password with 3 symbol, 2 numbers, a chinese character, and a random dance move. 


Scott 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130304/cf57c9d1/attachment-0001.html>


More information about the Ale mailing list