On 30/10/11 11:28, William Allen Simpson wrote:
> I'm going to pick on Neil a little, because I know he can take it,
Yes, I can ;-)
> but it applies to just about everybody else in this thread.
> For shame.
My main point here is that (given some simple assumptions about how the site is administered) this is largely a theoretical problem, not a practical one, and there are far bigger problems that need fixing more urgently.
This is not to say that a few more characters in the password, or a long term move to a more secure mechanism using much longer tokens, wouldn't be a good idea, but I don't think it's nearly as big a deal as you currently think, and we have more serious problems than this (see below) which need fixing first.
[snip]
> I really wish folks would at least read a Wikipedia article before making such calculations. :-(
> No, you've listed the number of combinations, not the entropy.
> No, 40-bits of strength means 2**20 attempts on average. Same order of magnitude as WEP. You remember WEP, the security designed to be easily crackable?
> https://secure.wikimedia.org/wikipedia/en/wiki/Wired_Equivalent_Privacy
No, you're thinking of a birthday attack, which does indeed take ~ sqrt(n) guesses on average. A simple brute-force guessing attack, which this would be, takes n/2 guesses on average. In this case, 62^7 ~= 2^41, so you're looking at roughly 2^40 guesses to hit a collision, not 2^20.
A bit of rate-limiting on the password recovery mechanism should be enough to limit this to a reasonable level of security: even with the current 7-character temporary passwords, if the mechanism has a site-wide limit to (say) one forced password reset attempt per second, one account will end up being successfully brute-forced roughly every 30,000 years.
Of course, this would mean that the mechanism could easily be DDoS'd, but that's really no big deal either -- the password reset mechanism is hardly core infrastructure, and could trivially be tweaked to be more secure -- and yes, adding a few more characters to the password wouldn't hurt.
However, this is way, way, way lower risk than the current risk of brute-forcing low-hanging-fruit user passwords: for every user with a password generated by base64-encoding the output of /dev/random, there will be _thousands_ with passwords like "secret99" and "trustno1".
-- Neil
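The arithmetic Neil walks through above (keyspace of a 7-character token over 62 symbols, n/2 expected guesses for brute force versus ~sqrt(n) for a birthday attack, and the effect of a site-wide one-attempt-per-second limit on the reset endpoint) is worked out below as an added example. This code is not from the thread or from the site being discussed; the sliding-window limiter and the `verify_reset_token` helper are constructed for illustration, and the 62-symbol alphabet, the 7-character length and the one-guess-per-second budget are taken as assumptions matching the post.

```python
import hmac
import math
from collections import deque

# Assumptions matching the thread: [A-Za-z0-9] alphabet, 7-character temporary password.
ALPHABET_SIZE = 62
TOKEN_LENGTH = 7
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size=ALPHABET_SIZE, length=TOKEN_LENGTH):
    """Number of distinct tokens (combinations, not entropy)."""
    return alphabet_size ** length


def entropy_bits(n):
    """Entropy of a uniformly random token drawn from a keyspace of size n."""
    return math.log2(n)


def expected_bruteforce_guesses(n):
    """Average guesses to hit ONE specific token by exhaustive search: n/2."""
    return n / 2


def birthday_guesses(n):
    """Guesses for ~50% chance that two random tokens collide: ~sqrt(n).
    This is the figure that applies to collision search, not to guessing a given account's token."""
    return math.sqrt(n)


def expected_years_to_break(n, guesses_per_second):
    """Average time to brute-force one token if the endpoint accepts guesses_per_second attempts."""
    return expected_bruteforce_guesses(n) / guesses_per_second / SECONDS_PER_YEAR


class FakeClock:
    """Constructed deterministic clock so the limiter can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SiteWideRateLimiter:
    """Constructed sliding-window limiter: at most max_attempts reset attempts per
    window_seconds across the WHOLE site (one shared bucket, as the post suggests)."""

    def __init__(self, max_attempts, window_seconds, clock):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self.attempts = deque()  # timestamps of attempts inside the current window

    def allow(self):
        now = self.clock()
        # Drop attempts that have fallen out of the window.
        while self.attempts and now - self.attempts[0] >= self.window:
            self.attempts.popleft()
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)
        return True


def verify_reset_token(limiter, stored_token, presented_token):
    """Check a presented temporary password behind the site-wide limiter.
    Returns 'rate_limited', 'ok' or 'denied'. The comparison is constant-time so the
    limiter is the only thing that bounds an attacker's information per attempt."""
    if not limiter.allow():
        return "rate_limited"
    if hmac.compare_digest(stored_token.encode(), presented_token.encode()):
        return "ok"
    return "denied"


def summary(guesses_per_second=1.0):
    """Collect the figures from the post's reasoning into one dict."""
    n = keyspace()
    return {
        "keyspace": n,
        "entropy_bits": entropy_bits(n),
        "bruteforce_guesses": expected_bruteforce_guesses(n),
        "birthday_guesses": birthday_guesses(n),
        "years_at_rate_limit": expected_years_to_break(n, guesses_per_second),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:>20}: {v:,.2f}")
    clock = FakeClock()
    limiter = SiteWideRateLimiter(max_attempts=1, window_seconds=1.0, clock=clock)
    print(verify_reset_token(limiter, "aB3dE9z", "0000000"))  # denied
    print(verify_reset_token(limiter, "aB3dE9z", "aB3dE9z"))  # rate_limited
    clock.advance(1.0)
    print(verify_reset_token(limiter, "aB3dE9z", "aB3dE9z"))  # ok
```

Running it shows the distinction the reply draws: the keyspace is about 2^41.7, so the birthday figure sits just under 2^21 guesses while a brute-force search against one account expects about 2^40.7 guesses; at one accepted attempt per second site-wide that is on the order of tens of thousands of years, and the limiter turns every extra guess into a `rate_limited` response rather than a tighter bound on the token.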