Cheap GPUs render strong passwords useless

  • #31
    That's how they keep TPM secure. But keeping a sensor from getting screwed with is not so easy.

    Also, the whole liquid nitrogen thing is quite a hassle to go through for someone's data--unless you are Super Important, TPM is almost certainly going to be enough.

    Since the sensor has to have a tolerance, ripping out a retina scanner and replacing it with wires could crack things very quickly, since you don't have to guess every number.
    If there is no sound in space, how come you can hear the lasers?
    ){ :|:& };:

  • #32
    Originally posted by Koyaanisqatsi:
    I truly hate this practice. It's like the password recovery options on most sites that only give you a handful of generic questions that could be easily guessed based on publicly known data. I stopped using a bank not long ago because they did this and the hardest question they could come up with was "what was your high school mascot?".
    The questions are not there to protect against people who personally know you from getting into your account. It's to prevent hackers who buy your password from some hacked site from gaining access to your account. It's very effective for that.
    "The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
    Ben Kenobi: "That means I'm doing something right. "

  • #33
    Originally posted by Hauldren Collider:
    Not if it's a laptop. Remove the battery and coin cell. You can't make a fail safe for that.
    For a laptop I suppose the answer would be an SRAM chip with crypto keys, just like in a cryptoprocessor; the auxiliary battery that's in charge of protecting the sensor by detecting a circuit break would then be able to wipe the SRAM, making it impossible to decrypt the hard drive. In other words, you'd split the key in two - one half is in the SRAM, the other half is derived from the sensor; hash them together and you've got the hard drive decryption key. The problem of course is that if the battery fails then your computer is bricked.
    <p style="font-size:1024px">HTML is disabled in signatures </p>

  • #34
    It's a lot harder to prevent a determined attacker from getting into one specific person's account than to prevent someone from trying to break into whichever weakly protected account he can find.
    If there is no sound in space, how come you can hear the lasers?
    ){ :|:& };:

  • #35
    Originally posted by loinburger:
    For a laptop I suppose the answer would be an SRAM chip with crypto keys, just like in a cryptoprocessor; the auxiliary battery that's in charge of protecting the sensor by detecting a circuit break would then be able to wipe the SRAM, making it impossible to decrypt the hard drive. In other words, you'd split the key in two - one half is in the SRAM, the other half is derived from the sensor; hash them together and you've got the HD decryption key.
    What if the battery fails? Then your computer is a brick.
    If there is no sound in space, how come you can hear the lasers?
    ){ :|:& };:

  • #36
    Also, if it's not a laptop then you have very little excuse for compromised physical access.
    If there is no sound in space, how come you can hear the lasers?
    ){ :|:& };:

  • #37
    Originally posted by Hauldren Collider:
    Not if it's a laptop. Remove the battery and coin cell. You can't make a fail safe for that.
    The good laptops store encryption keys in on-chip flash.
    "The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
    Ben Kenobi: "That means I'm doing something right. "

  • #38
    There'd need to be a way to replace the SRAM after a power failure, either from the battery going bad or from somebody trying to break into your computer. The question is whether the computer manufacturer has the keys, or whether the user does - the former presents another point of failure, but the latter raises the question of where the user is supposed to store the backup SRAM key if not on their laptop (which is inaccessible if they're trying to reprogram the SRAM). The easiest solution would be for the SRAM to contain a user-defined key, which can be generated by SHAing a passphrase; that way if the SRAM loses power the user can re-generate the key. The interface to the SRAM doesn't even need a great deal of protection - if an attacker wipes the SRAM and then attempts to enter a new key then they'll still have a bricked hard drive unless they've entered the correct key.
    <p style="font-size:1024px">HTML is disabled in signatures </p>
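The split-key scheme sketched in #33 and #38 (SRAM half plus sensor-derived half, hashed together; SRAM wiped on tamper and re-derived from a passphrase), modelled as an added Python example that is not code from the thread. It swaps the bare SHA of #38 for PBKDF2 and uses constructed stand-in values for the salt and the sensor reading.

```python
import hashlib
import hmac

# Constructed stand-ins (not from the thread): a fixed KDF salt and a fake
# sensor enrolment template that plays the role of the biometric reading.
SALT = b"constructed-salt-0001"
ENROLLED_TEMPLATE = b"constructed-retina-template"

def sram_half_from_passphrase(passphrase: str) -> bytes:
    """Post #38: the SRAM half is re-derivable from a user passphrase.
    Assumption: PBKDF2-HMAC-SHA256 instead of the bare SHA the post mentions,
    so an attacker who wipes the SRAM cannot cheaply guess the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 200_000, dklen=32)

def sensor_half_from_reading(reading: bytes) -> bytes:
    """Post #33: the other half is derived from the sensor (here a hash of the
    reading; a real system needs a fuzzy extractor to tolerate sensor noise)."""
    return hashlib.sha256(b"sensor-half|" + reading).digest()

def disk_key(sram_half: bytes, sensor_half: bytes) -> bytes:
    """'Hash them together': HMAC keyed with the SRAM half over the sensor half,
    so the disk key cannot be recovered from either half on its own."""
    return hmac.new(sram_half, sensor_half, hashlib.sha256).digest()

class KeySram:
    """Battery-backed key store that is wiped on a detected circuit break."""
    def __init__(self, half: bytes) -> None:
        self.half = half
    def circuit_break(self) -> None:
        self.half = None  # tamper detected or battery died: the half is gone
    def reprogram(self, half: bytes) -> None:
        self.half = half  # post #38: user re-enters the passphrase-derived half

def scenario() -> dict:
    """Walk through the thread's cases; True means the original key comes back."""
    good = sram_half_from_passphrase("correct horse battery")
    sensor = sensor_half_from_reading(ENROLLED_TEMPLATE)
    original = disk_key(good, sensor)
    sram = KeySram(good)
    sram.circuit_break()
    wiped = sram.half is None
    sram.reprogram(sram_half_from_passphrase("correct horse battery"))
    recovered = disk_key(sram.half, sensor) == original
    sram.reprogram(sram_half_from_passphrase("wrong guess"))
    wrong_pass = disk_key(sram.half, sensor) == original
    mismatched = disk_key(good, sensor_half_from_reading(b"other-reading")) == original
    return {"wiped_on_tamper": wiped, "correct_passphrase_recovers": recovered,
            "wrong_passphrase_recovers": wrong_pass, "mismatched_sensor_recovers": mismatched}
```

The scenario shows the trade-off the posts argue about: a wipe (tamper or dead battery) is recoverable only by whoever holds the passphrase, and neither a wrong passphrase nor a sensor reading that does not match enrolment yields the disk key.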

  • #39
    I think the best way to do it is just to keep sensitive data off of laptops whenever possible. Use VPN, Citrix, etc.
    If there is no sound in space, how come you can hear the lasers?
    ){ :|:& };:

  • #40
    Originally posted by Asher:
    The questions are not there to protect against people who personally know you from getting into your account. It's to prevent hackers who buy your password from some hacked site from gaining access to your account. It's very effective for that.
    I know that's the theory, I just think that it's going to be/already is foolish when you can combine the email address that came with that password with a database scraped from Facebook and answer most of the trivial questions they ask.
    "In the beginning was the Word. Then came the ******* word processor." -Dan Simmons, Hyperion

  • #41
    If the laptop uses a properly encrypted hard drive (with a passphrase, no biometric tomfoolery) then it's relatively safe. The key stays in memory the entire time, so nobody can find it from the still-unencrypted portions of your hard drive. At that point your only real danger is a keylogger, and depending on how you encrypt the hard drive you might be entering the key before the keylogger is even loaded. For example, TrueCrypt full system encryption has you enter the key before Windows is even loaded. (I don't use full system encryption because it's overkill - my HIPS firewall prevents keyloggers from doing any damage.)
    Last edited by loinburger; June 6, 2011, 14:19.
    <p style="font-size:1024px">HTML is disabled in signatures </p>

  • #42
    Originally posted by Koyaanisqatsi:
    I know that's the theory, I just think that it's going to be/already is foolish when you can combine the email address that came with that password with a database scraped from Facebook and answer most of the trivial questions they ask.
    My sites allow you to create your own questions, which seems to solve that criticism, no?

    Plus, things like my first job and my grandmother's maiden name aren't easily discovered via google.
    "The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
    Ben Kenobi: "That means I'm doing something right. "

  • #43
    If that's the way that particular site is set up, then yes, obviously it is fine. The problem is there are a lot of people who aren't doing it right, including institutions that really should be. For instance, the bank I was talking about had a drop-down box of about 15 questions you could choose from and you had to select five to store answers for. There weren't even five non-trivial questions on the list. I've seen far more sites get it wrong than right, so I wish the practice would just go away until people realize how to implement it properly.
    "In the beginning was the Word. Then came the ******* word processor." -Dan Simmons, Hyperion

  • #44
    Originally posted by loinburger:
    I give fake answers to those questions - ones that I'll be able to remember but that other people aren't likely to guess. "What street were you born on?" "Zim-Zam O'Pootertoot"
    Click here if you're having trouble sleeping.
    "We confess our little faults to persuade people that we have no large ones." - François de La Rochefoucauld

  • #45
    "computer processing speed grows exponentially; news at 11"

    If something takes a desktop PC days to crack now, it will take a desktop PC minutes before the decade's out anyway.
