this post was submitted on 04 Dec 2023
111 points (100.0% liked)

the_dunk_tank

15910 readers
2 users here now

It's the dunk tank.

This is where you come to post big-brained hot takes by chuds, libs, or even fellow leftists, and tear them to itty-bitty pieces with precision dunkstrikes.

Rule 1: All posts must include links to the subject matter, and no identifying information should be redacted.

Rule 2: If your source is a reactionary website, please use archive.is instead of linking directly.

Rule 3: No sectarianism.

Rule 4: TERF/SWERFs Not Welcome

Rule 5: No ableism of any kind (that includes stuff like libt*rd)

Rule 6: Do not post fellow hexbears.

Rule 7: Do not individually target other instances' admins or moderators.

Rule 8: The subject of a post cannot be low hanging fruit, that is comments/posts made by a private person that have low amount of upvotes/likes/views. Comments/Posts made on other instances that are accessible from hexbear are an exception to this. Posts that do not meet this requirement can be posted to [email protected]

Rule 9: if you post ironic rage bait im going to make a personal visit to your house to make sure you never make this mistake again

founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 11 months ago* (last edited 11 months ago) (1 children)

Well, I used 1 trillion guesses a second here. 10 years ago I'd have used 10 billion. So length does matter. And 300 years drops to 1 year if a dedicated attacker is willing to spend a good bit more on hardware (which, in the era of cryptocurrency, could actually be worth it, even just for a criminal).

And yes, sites should use good hashing algorithms, but we users can't count on them doing so. Plus, even a technically-but-not-practically broken hashing algorithm isn't so broken as to be equivalent to plaintext storage (unless it's unsalted), so it's less about specific algorithm choices and more about overall design security.

Not saying passphrases are useless, but password managers are the better technological path, in my opinion, because they obviate the need to remember more than just one password, and allow to you skip typing in passwords too (in fact, a pw manager is better for passphrase users, because they they can still use memorable phrases but don't have to type them in all the time).

And as it happens, my master password for my pw manager was originally a 6-word passphrase, but has since been changed to a 20-character randomly-generated password, because it's a ton easier to type, particularly on mobile.

[–] [email protected] 5 points 11 months ago (1 children)

Absolutely agree on the usage of a password manager. And yes, as hardware increases in power we run into the issue of timelines being shorter. I disagree on MD5 being not totally broken, considering a collision can be found in seconds on even low end hardware these days. Even salted, a collision would still be viable.

Again, the real problem overall is adoption. Getting people to use better passwords/phrases that are less likely to be brute forced. Everyone should be using non-SMS 2FA, ideally with an authenticator app or physical key. As well, password length should only be limited by a minimum value rather than being in a small range. Services should be using algorithms that are recent, well audited, and have the ability to artificially inflate the time taken to get the result for future-proofing. SSO is also an option, since services without IT departments or people with the ability to handle passwords should offload it to a service that can. SSO as a service provider is very appealing, as you no longer have the responsibility of storing sensitive hashes and account information.

[–] [email protected] 6 points 11 months ago (1 children)

Was not aware of the latest efforts on MD5, in all honesty; I take back what I said before.

I agree with everything you said there 100% except the bit about SSO. SSO is great for people working in managed environments (I wish my workplace would make broader use of it, honestly), but expanding it to everyone as a whole creates some serious issues (putting everyone's eggs in the same basket is a security risk, and worse, having a centralized third party notified of every login request totally undermines user privacy).

[–] [email protected] 4 points 11 months ago

I don't mean to imply that it should be everywhere, rather it is appealing as an option when the only other option is to roll your own setup.

It's useful for connected services, orgs, etc. Especially when it comes to easily setting up access controls. But you're right, it's not a solution that should be used everywhere due to the fact that a single point of failure is bad.

Btw this has been a great discussion and I hope that others reading this might help further the goal of creating a safer internet