Comments for Ruminations on Architecture & Security

Comment on Single Account without OpenID or Carspace! by shiruba2009

shiruba2009 — Sun, 17 May 2009 00:39:55 +0000

Here’s an idea.. don’t be quite so forgetful. I don’t mean to sound condescending, but I really never understood what the problem with remember passwords is. You remember your phone number, it’s random. People remember their Social security numbers. The reason is just because they use them often and make an effort (at first) to remember them. Something like your gas utility.. you will use every month I guess for years. Just remember it.

Also, if you use a more complicated default user name, it won’t be taken. Since that will then be able to be the same at every site, hopefully you will remember it.

Comment on DropBox + PasswordSafe = Good ?? by shiruba2009

shiruba2009 — Sat, 16 May 2009 15:32:54 +0000

Obviously Joel’s method is not 100% foolproof… it would be better to store the file on a more private system where nobody else could access it, but let’s take a balance look here:
1. You need the file to crack it… of course.. and you don’t have it.
2. You need to hack his dropbox account. Good luck. Seriously, I am not saying that I think drop-box is super-secure, but unless you are an ISP, you probably won’t have access to the network in the right location to do DNS spoofing or poisoning in a way that would affect Joel. Unless you are the government, you won’t have access to random parts of the internet wherever it is needed/convenient for a particular random person’s data. If you worked at DropBox it would certainly help. In fact, even if Dropbox didn’t use SSL or anything of the kind and didn’t even used hashing, but simply sent the passwords in plaintext.. you would still need to be monitoring the right part of the internet at the right time to sniff it.
3. Let’s just assume you take care of part 2 somehow. Dropbox is hacked and you find a list of all username/password pairs online or something… you get the encrypted password database. Well… if we were sure nobody would get it, it wouldn’t need to be encrypted. We aren’t protecting it from ourselves after-all. We’d rather now broadcast it to the world for analysis, but the goal of good encryption is to be save *even if* someone has the encrypted file.

I don’t know about the software mentioned, but I do know about KeePassX, which uses symmetric 256 AES keys:
An average brute-force attack on a 16 byte password on a pentium 1.6ghz would take about 1872000 years (or up to twice as long if you’re not lucky). (reference: http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_password/ )
Let’s just say that instead of a 1.6ghz machine you had a 3.2ghz 16 processor machine, then it would take “only” 58500 years. If you doubled the speed of your brute force program *and* got a perfectly efficient 32 processor machine, then it would take “only” 14625 years.

Clearly, this isn’t something your average hacker is going to break, even if joel sends the file to them on a silver platter.

That said, someone with a large enough budget could build hardware to break it, using FPGA or even a custom ASIC… or something like distributed.net could be used to crack it much more quickly by using thousands of computers. but that data would have to be *really* valuable.. certainly more than someone’s personal checking account.

Just to quote from the Wikipedia article on AES: “In June 2003, the US Government announced that AES may be used to protect classified information:” Including TOP SECRET. That means they trust that other governments can’t break it reasonably in the forseeable future.

So your only real change to break the file is if Joel picked a short and easy password, or if the program he used has a flaw in the encryption function. Joel isn’t stupid, so the first option isn’t likely. After all, he only has to remember *one* complex password now. The second option isn’t too likely either, since there are well tested encryption libraries for the standard methods that programs tend to re-use.

A better way to get the passwords if you had access to someone’s dropbox account would be to place some sort of trojan in the account and wait for it to infect their machine and send you their keystrokes, etc.

Comment on Disturbances in the cloud by Cloudy forecast « Identity Blogger

Cloudy forecast « Identity Blogger — Mon, 22 Dec 2008 15:08:31 +0000

[...] 22, 2008 · No Comments Bavo De Ridder has this interesting take on Cloud [...]

Comment on Fly secure, don’t drink by henrimenheere

henrimenheere — Thu, 25 Sep 2008 13:22:56 +0000

Very bright thinking! Groot gelijk, zo heb ik er eigenlijk nog niet bij stil gestaan….

Comment on What about me !? by henrimenheere

henrimenheere — Mon, 08 Sep 2008 21:08:15 +0000

Interessante blog, ik ga blijven volgen; niet alle berichten zijn echt in mijn “werkveld” of interesses, maar je hebt ten minste iets te zeggen dat verstaanbaar is en nuttig. Petje af!

Henri Menheere

Comment on Single Account without OpenID or Carspace! by henrimenheere

henrimenheere — Mon, 08 Sep 2008 21:05:11 +0000

Hehe lol, I got to this place through your facebook account, must say I have the same experience with all the above and I actually also re-register every time, except for some; where I just look up the email they sent me once in my Gmail.

And indeed: I had to think for a moment “Do I actually have a wordpress login?” before I could comment.

My real blog is http://bruggenbouwer.blogspot.com

Cool blog, lots of interesting info.

Henri

Comment on HR, your source of identies? by Bookmarks about Workflow

Bookmarks about Workflow — Fri, 15 Aug 2008 01:15:06 +0000

[...] – bookmarked by 4 members originally found by Kloudjonas on 2008-07-22 HR, your source of identies? http://bderidder.wordpress.com/2008/07/08/hr-your-source-of-identies/ – bookmarked by 4 members [...]

Comment on HR, your source of identies? by security systems in Wyoming

security systems in Wyoming — Sun, 13 Jul 2008 20:22:09 +0000

security systems in Wyoming…

[...] systems – it’’s a very different story. A story that ends with your crystal widgets being stolen if one of those security systems fails opens. Or worse, your customers” crystal widgets. We tend not to view network and application [...]…

Comment on HR, your source of identies? by The all knowing Oracle of Identity « Identity Blogger

The all knowing Oracle of Identity « Identity Blogger — Fri, 11 Jul 2008 02:24:49 +0000

[...] 11, 2008 · No Comments Is that your company’s HR system? Not by a long shot according to Bavo De [...]

Comment on HR, your source of identies? by mattpollicove

mattpollicove — Tue, 08 Jul 2008 14:53:23 +0000

Why can’t the systeems update each other. You discuss synchronization in your article, but I don’t think you give it a fair shake. The fact is we’ll always have a number of repositories in the enterprise. When it comes to Identity information, odds are, the HR system is going to be populated first. Why not have the IDM system read and then process the feed? Also there’s nothing saying that the HR system can’t be updated later on when things change. The same goes for the other repositories in the enterprise…