Encryption back door for law enforcement

[farmkid]

Applying 100 keys in sequence is actually slower, because the setup/teardown mechanisms have to be performed 100 times now instead of just once. Such overhead can be substantial.

In practice, in terms of security there is no difference between 1 very long key and 100 short keys that add up to the same key length, except that doing 100 short keys is so much busy work when you could've just used one big one. But one big one (that is, big enough to where dividing it into 100 parts still results in usefully-large keys) is still impractical.

This brings up something I've wondered about with regard to encryption. First, let me be clear that I don't know much about encryption and only have an interest in the topic, but no actual education in it. You say here that using a multiple short keys is the same as using one long key of the same length as the sum of the short ones. Okay, I get that. But that is based on the idea that each of the short multiple keys is using the same algorithm, right? What if each of those layers used a different algorithm?

To put it in terms more easily understandable to a layman like myself, consider a code message from back in the days before digital computers when text switch ciphers or the like were common. What if instead of just a text switch cipher, a multi step approach was used--something like this: (1) a character change cipher was applied, (2) the characters were then scrambled based on some algorithm, and (3) the (now changed and scrambled) characters were hidden in a larger block of characters according to some other algorithm. To decrypt the information, the reader would first have to identify the characters that were part of the message, then unscramble them, then change each character back to the correct one (I suppose that last step could be performed anytime). It seems to me that such a scheme would be much more difficult to crack because any one step on its own only yields gibberish. Meaningful information is only revealed after correctly applying all three decryption steps.

Could something similar be done with digital communication, using multiple layers of encryption that use different algorithms? Would that still be the same as just using a key equal in length to the sum of the sorter keys?

 

[farmkid]

Its the human element that I am focusing on. Keys are generated and then stored and are easily accessible. Even if those keys are random theirself the best hacker will always be able to break the algorithm because the keys are a constant set of data that can be hacked and can even be mimicked to break into a computer. A random outside variable however is hard to track...

I think that the point was that the fingerprint/retina scan will be converted to digital information. At that point it can be faked. What's to stop someone from simply capturing the information sent when someone scans a fingerprint, then later sending that information when the computer asks again for that person's fingerprint? There's no actual fingerprint reader, no finger to read, etc., but the computer doesn't know that. The computer receives the data that would come from a fingerprint scan and as far as it knows the right person is standing there with their finger pressed against the scanner.

 

[Robert Maxwell]

This brings up something I've wondered about with regard to encryption. First, let me be clear that I don't know much about encryption and only have an interest in the topic, but no actual education in it. You say here that using a multiple short keys is the same as using one long key of the same length as the sum of the short ones. Okay, I get that. But that is based on the idea that each of the short multiple keys is using the same algorithm, right? What if each of those layers used a different algorithm?

To put it in terms more easily understandable to a layman like myself, consider a code message from back in the days before digital computers when text switch ciphers or the like were common. What if instead of just a text switch cipher, a multi step approach was used--something like this: (1) a character change cipher was applied, (2) the characters were then scrambled based on some algorithm, and (3) the (now changed and scrambled) characters were hidden in a larger block of characters according to some other algorithm. To decrypt the information, the reader would first have to identify the characters that were part of the message, then unscramble them, then change each character back to the correct one (I suppose that last step could be performed anytime). It seems to me that such a scheme would be much more difficult to crack because any one step on its own only yields gibberish. Meaningful information is only revealed after correctly applying all three decryption steps.

Could something similar be done with digital communication, using multiple layers of encryption that use different algorithms? Would that still be the same as just using a key equal in length to the sum of the sorter keys?

The problem is that you want something the computer can do quickly. This needs to work in real-time, after all.

Stepping back for a moment, remember that digital cryptography works because encrypting and decrypting something with a known key is (computationally) easy, but decrypting without the key (that is, trying to break/guess it) is very hard (computationally).

Mixing algorithms together doesn't buy you as much as you'd think, because while they add computational complexity, they don't really add much security. It's a diminishing return.

Nevertheless, what you are talking about actually is used in some instances. TrueCrypt and Rubberhose both possess the ability to use what are called hidden and nested volumes. It works like this: you create a decoy container, which just looks like a file. It's encrypted. It has some stuff in it, but it's actually stuff you don't care about. Inside it is another container, which contains the real data you care about. Because the entire file (containing both the stuff you care about and the stuff you don't) is encrypted, the contents are indistinguishable from random noise if you don't have the key, and there is no way to tell that there even is a hidden, nested volume unless you have the key for it. In this case, you may or may not mix algorithms--there's really nothing to be gained by doing so, since a good key is much, much more important.

When you get right down to it, the best encryption available uses AES with the Rijndael cipher. It is not known to have any internal weaknesses. Novel encryption algorithms are a bad idea because they may be broken (and you just don't know it yet), so you don't use those. Other algorithms are inferior or broken for one reason or another, so layering them at best gains you a tiny bit more security, but more likely opens you up to any number of attacks. "A chain is only as strong as its weakest link" applies here.

The other big concerns in encryption are hashing and key expansion algorithms. Hashing just takes an input and transforms it into a unique (but smaller) output. The idea there is that you could say "plaintext A is represented in short form by hash B," so it's great for validation, but with only hash B you can never get back plaintext A, so it is also informationally secure: the hash itself tells you nothing about the plaintext unless you happen to have the plaintext already. (Bad hashing algorithms fail this, basically, or are flawed to the point that you can reproduce a given hash with arbitrary plaintext, making it useless for validation.)

Key expansion. Odds are, what you want to encrypt is bigger than the key you're using. That means you need a way to "expand" the key to cover the entirety of the plaintext. This is a complex area but suffice it to say, the slightest weakness in your key expansion algorithm can ruin the encryption method.

All this is to say that mixing and matching encryption methods just doesn't really get you much, and has a strong chance of making you worse off.

 

[Marc]

All this is to say that mixing and matching encryption methods just doesn't really get you much, and has a strong chance of making you worse off.

Especially when the user comes into play. For example, if they have to remember multiple passwords to log into one system they'll either do something like write them down and keep them they can found easily (desk draw, stick note attached to monitor) or they'll use something simple such as their DOB or pet's name which can often be discovered using social engineering. Sure you can have rules for complexity, repeating passwords etc but that's also going to lead to them writing things down.

Security involves a balance between making the system as secure as possible but so tight that getting in becomes a chore (which pisses users off big time and they then look to ways to make it easier).

I studied and passed the Comptia Security+ 3 years ago and have forgotten most of it but use of multi-factor as opposed to multiple passwords is usually a pretty reliable way to go. Working on the principle of "something you have", "something you know" and "something else I can't remember" is a good way to go. Something you have could be a keycard which you combine with a pin code or a biometric reading combined with a pin/password or you could combine a biometric reading with a keycard.

That way there's the user only has to remember their pin code/password so hopefully they'll be less inclined to write it down (if they forgot to bring their keycard well that's user error) or if you don't want to use a remembered password then you can use a one time system. The user has a keyfob (which I've seen in use by client) or an app on their smartphone (I've used for access to some Microsoft systems) that generates a onetime key that's valid for a short period of time. Next time they go to log the fob or app will generate a new code. No point capturing it for a replay attack because it won't be valid 5mins later.

Secondly if there's a compromise of the password for example, access won't be available because the hacker won't have the keycard or biometric reading. Sure both systems could be compromised but the chances of that would be much much smaller (and could indicate you have problems elsewhere).

 

[Robert Maxwell]

Yeah, two-factor looks to be the wave of the future (or the present, I guess).

Best practices seem to be coalescing around the following approach:

• Users have a username and password (typical, this makes sense)
• The service being used has a list of recognized/authorized devices for this user, which may allow bypassing the second factor
• But if not, a second factor (like a short alphanumeric code) delivered by a different channel (text message, smartphone app, email, etc.) helps prove that the user has only the access the real user should
• Confidence words/images (or combinations of the two) presented by the service tell the user that they aren't being phished/using a compromised or fake site

Of course, this is just how you secure frontends. It means fuck all if the service provider doesn't protect their (rather, your) data. It would be nice to see some strong legal and financial consequences for firms that fail to protect confidential user/customer data. I'm not saying protecting such data is easy, but it's certainly well within the capabilities of the kinds of companies that seem to be getting compromised over and over.

 

[Dryson]

• Users have a username and password (typical, this makes sense)

Passwords are really not a safe measure of ensuring protection against hacking. Hackers have been able to gain employment at numerous ISP and can simply release a password by pulling up your internet use on a second monitor and writing down your password. They then release those passwords into their hacking and cyber-stalking cults to harass the individual with.

 

[{ Emilia }]

Passwords are really not a safe measure of ensuring protection against hacking. Hackers have been able to gain employment at numerous ISP and can simply release a password by pulling up your internet use on a second monitor and writing down your password.

You do realize passwords are mostly transmitted encrypted?
Most critical sites you enter your passwords on are https.

 

[Marc]

Its the human element that I am focusing on. Keys are generated and then stored and are easily accessible. Even if those keys are random theirself the best hacker will always be able to break the algorithm because the keys are a constant set of data that can be hacked and can even be mimicked to break into a computer. A random outside variable however is hard to track because the input variable being the retinal scan or finger print scan can be any so defined parameter such as point to point checks on a finger print across the ridge of the finger print that nearly a billion if not more such point to point encryption could place that a hacker would never be able to generate a key for fast enough to beat. For example a finger print is taken and has 10,000 points logged based on different distances between the ridges of the finger print. When the security program runs it's random finger print key access block the program would identify three different points on the finger print to make the initial match. From there the program would determine its secondary key access by randomly choosing various distances to other points from the initial scan to other points on the finger print where the computer would be the only entity that would know the key that it was going to be used to allow access.

Not this would not be used in an everyday scenario. It would be used for when someone tried to get my beer from the fridge.

Do you know anything about how various encryption keys work? Even though they are documented and standardised so they can be used in a variety of different systems cracking them by brute force can still be a very long and computationally intense task - IOW having the algorithm means jackshit.

It's only if there's a known issue or limitation with an encryption protocol that things become easier (for example WEP is no long considered secure for wifi becase there's flaw in how it generates the keys).

Yes sometimes there will be standard patterns - these are used as the basis for the dictionary attacks - so you put rules in place that prevent users from having easy to get passwords. It's call complexity. A password has to be a minimum length, use of alpha/numeric/symbols & capitalisation ('A' for example has a different ascii value than 'a'), no more than 2 repeating characters in a row and not based on the username.

Require periodic changes and don't allow the re-use of a password for a period of time.

All make it much harder to crack a password.

On top of that, most systems use one way encryption. The password is encrypted and cannot be decrypted. When you enter the password at login it's not compared with the stored password. Instead what you entered is hash according to the protocol and value is compared to the stored hash value. Use of protocols such as IPSec and LT2P (used for VPN) go one step further. They transmit the encrypted password hash through an encrypted tunnel (so encryption upon encryption).

A biometric reading such as finger print wouldn't look at the points of comparison - that's for the law enforcement and for want of a better term is an analogue approach. Instead the reading is converted to a hash value and encrypted. Each time you logon the new scan is hashed and encrypted and compared to the stored value.

Passwords are really not a safe measure of ensuring protection against hacking. Hackers have been able to gain employment at numerous ISP and can simply release a password by pulling up your internet use on a second monitor and writing down your password. They then release those passwords into their hacking and cyber-stalking cults to harass the individual with.

Passwords are really not a safe measure of ensuring protection against hacking. Hackers have been able to gain employment at numerous ISP and can simply release a password by pulling up your internet use on a second monitor and writing down your password. They then release those passwords into their hacking and cyber-stalking cults to harass the individual with.

Lets see what's wrong with this comment

a) it 's long and slow process and one that's easy to detect and will lead to summary termination. Plus ISPs can take steps to prevent similar to those used in call centres where credit card numbers and other such private data are used. No electronic devices or paper on the desks. when I worked in a call centre you weren't allow to have writing materials on your desk. If you had to make a note of a card number we had a scratchpad app on the computers. Cellphones and cameras were strictly forbidden and being caught with one on the call floor was instant dismissal (even if away from your desk, walking the break room for example).

b) not all ISPs store the passwords so if you forget the password it's going to be reset

c) ISP passwords are of limited use. Unless you're using your ISP's server for e-mail it's generally going to be used only for authenticating your internet connection and that's only if you have ADSL (Cable and Fibre work different). On top of that if the ISP detects multiple logons with your ADSL password it will be very quickly flagged (and extra connections terminated).

TLR use name and password from ISP pretty useless for cyberstalking and hacking. Much easier to go after their facebook account or something.

 

[Dryson]

You do realize passwords are mostly transmitted encrypted?
Most critical sites you enter your passwords on are https.

There is of course phone cloning where a hacker would be able to record any password your type as if you were using the cloned phone yourself but would in be in their possession.

I have had had it happened numerous times where I have changed a password and logged into a website such as Trek BBS or Facebook and within a few moments after being at work an employee who would not ever know the password that I just created would make a comment about the password in a context that was unfamiliar to to them.

This is really happened. An employee that I worked with at a company a few years ago constantly made remarks about other employees behind their back to me. This was a constant daily issue for him. Then all of a sudden one day before work I was trying my out my new Hotspot with my laptop in the parking lot of the business. I typed in a new password for Facebook I think it was and within ten minutes after starting to work the employee who had made the comments about a lot of people behind their back suddenly changed their context and was talking about the password that I had just created no less than ten minutes before.

So how is it possible that the employee knew my password? He must have either gotten if from a text message from someone at my ISP, someone who was a hacker or through someone who was texting him that worked in the company itself that gave him the password.

There is also of course key logging where a person with a cloned cell phone would have a program that decodes the password right away.

 

[Dryson]

Do you know anything about how various encryption keys work? Even though they are documented and standardised so they can be used in a variety of different systems cracking them by brute force can still be a very long and computationally intense task - IOW having the algorithm means jackshit.

It's only if there's a known issue or limitation with an encryption protocol that things become easier (for example WEP is no long considered secure for wifi becase there's flaw in how it generates the keys).

Yes sometimes there will be standard patterns - these are used as the basis for the dictionary attacks - so you put rules in place that prevent users from having easy to get passwords. It's call complexity. A password has to be a minimum length, use of alpha/numeric/symbols & capitalisation ('A' for example has a different ascii value than 'a'), no more than 2 repeating characters in a row and not based on the username.

Require periodic changes and don't allow the re-use of a password for a period of time.

All make it much harder to crack a password.

On top of that, most systems use one way encryption. The password is encrypted and cannot be decrypted. When you enter the password at login it's not compared with the stored password. Instead what you entered is hash according to the protocol and value is compared to the stored hash value. Use of protocols such as IPSec and LT2P (used for VPN) go one step further. They transmit the encrypted password hash through an encrypted tunnel (so encryption upon encryption).

A biometric reading such as finger print wouldn't look at the points of comparison - that's for the law enforcement and for want of a better term is an analogue approach. Instead the reading is converted to a hash value and encrypted. Each time you logon the new scan is hashed and encrypted and compared to the stored value.

Lets see what's wrong with this comment

a) it 's long and slow process and one that's easy to detect and will lead to summary termination. Plus ISPs can take steps to prevent similar to those used in call centres where credit card numbers and other such private data are used. No electronic devices or paper on the desks. when I worked in a call centre you weren't allow to have writing materials on your desk. If you had to make a note of a card number we had a scratchpad app on the computers. Cellphones and cameras were strictly forbidden and being caught with one on the call floor was instant dismissal (even if away from your desk, walking the break room for example).

b) not all ISPs store the passwords so if you forget the password it's going to be reset

c) ISP passwords are of limited use. Unless you're using your ISP's server for e-mail it's generally going to be used only for authenticating your internet connection and that's only if you have ADSL (Cable and Fibre work different). On top of that if the ISP detects multiple logons with your ADSL password it will be very quickly flagged (and extra connections terminated).

TLR use name and password from ISP pretty useless for cyberstalking and hacking. Much easier to go after their facebook account or something.

Yes sometimes there will be standard patterns - these are used as the basis for the dictionary attacks - so you put rules in place that prevent users from having easy to get passwords.

The goal of the hacker is to basically think of the password they steal as an access to your mind and thoughts. Take for instance the password. "It's Passive". Determining the hacker is rather easy because they will use key context phrases associated with the word that is not the actual password but similarities. Such a similarity would be someone suddenly talking about a rock along a seashore when they had never spoke about a rock before. A rock is passive as it doesn't move nor interact with anything. Another type of attack the Cyber-Minch use is a deep layer attack such as" I was looking forward into the heat of the day and saw a rock by the seashore."

In this case the hacker and Cyber-Minch would have to know the person or someone who knows the person and what the person reads about. The Deep Layer Attack above that is encrypted by the hacker attacker the person actually refers to FLIR or forward looking infra red a passive device that tracks based on heat signatures.

The hacker and Cyber-Minch will always talk in a non-nonsensical manner as they try to make it appear that they know what is going on inside of your mind based on the passwords they use. Such Cyber-Minch are the degenerates of the Matrix world as well the Lawnmower Man whey they try to make their Minch out to be God like by trying to make you believe that they have some digital mind reading power to read your thoughts.

The only problem with with Mind Reading that we all know how radio signals are broadcast so where is the antenna coming out of my head out and their antenna coming out of their head that sends and receives signals in the brain converted into radio signals located at?

 

[sojourner]

 

[Robert Maxwell]

There is of course phone cloning where a hacker would be able to record any password your type as if you were using the cloned phone yourself but would in be in their possession.

I have had had it happened numerous times where I have changed a password and logged into a website such as Trek BBS or Facebook and within a few moments after being at work an employee who would not ever know the password that I just created would make a comment about the password in a context that was unfamiliar to to them.

This is really happened. An employee that I worked with at a company a few years ago constantly made remarks about other employees behind their back to me. This was a constant daily issue for him. Then all of a sudden one day before work I was trying my out my new Hotspot with my laptop in the parking lot of the business. I typed in a new password for Facebook I think it was and within ten minutes after starting to work the employee who had made the comments about a lot of people behind their back suddenly changed their context and was talking about the password that I had just created no less than ten minutes before.

So how is it possible that the employee knew my password? He must have either gotten if from a text message from someone at my ISP, someone who was a hacker or through someone who was texting him that worked in the company itself that gave him the password.

There is also of course key logging where a person with a cloned cell phone would have a program that decodes the password right away.

That's not what "phone cloning" is. It's almost certain the person in question was using a keylogger. They aren't hard to install.

Yes sometimes there will be standard patterns - these are used as the basis for the dictionary attacks - so you put rules in place that prevent users from having easy to get passwords.

The goal of the hacker is to basically think of the password they steal as an access to your mind and thoughts. Take for instance the password. "It's Passive". Determining the hacker is rather easy because they will use key context phrases associated with the word that is not the actual password but similarities. Such a similarity would be someone suddenly talking about a rock along a seashore when they had never spoke about a rock before. A rock is passive as it doesn't move nor interact with anything. Another type of attack the Cyber-Minch use is a deep layer attack such as" I was looking forward into the heat of the day and saw a rock by the seashore."

In this case the hacker and Cyber-Minch would have to know the person or someone who knows the person and what the person reads about. The Deep Layer Attack above that is encrypted by the hacker attacker the person actually refers to FLIR or forward looking infra red a passive device that tracks based on heat signatures.

The hacker and Cyber-Minch will always talk in a non-nonsensical manner as they try to make it appear that they know what is going on inside of your mind based on the passwords they use. Such Cyber-Minch are the degenerates of the Matrix world as well the Lawnmower Man whey they try to make their Minch out to be God like by trying to make you believe that they have some digital mind reading power to read your thoughts.

The only problem with with Mind Reading that we all know how radio signals are broadcast so where is the antenna coming out of my head out and their antenna coming out of their head that sends and receives signals in the brain converted into radio signals located at?

To the extent I am able to parse this at all, it's ignorant nonsense that has nothing to do with actual information security.

 

[farmkid]

Security involves a balance between making the system as secure as possible but so tight that getting in becomes a chore (which pisses users off big time and they then look to ways to make it easier).

This is something that cyber security personnel don't seem to consider enough. I don't think they realize how easy it is to piss off users to the point that they do things that compromise the system, or don't use it at all. It wouldn't be so bad if there would be a standard set of password requirements that would be the same everywhere. I have a pattern I use for passwords that is based in part on the site name. That way I can use a different password everywhere and still remember it. It causes me real problems when I have to create a new password and the rules for that site aren't compatible with my system. In those cases I just make something up and just accept that I'll have to through the password recovery process every time I have to login to that system because I know there's no way I'll ever remember that that particular site/system uses something different, let alone what that password is. It really pisses me off, and on more than one occasion, I have given up entirely on what I was trying to do rather than create a new account with a different password.

If I understand correctly, the reason for all of the password rules is to make it harder to crack the password by brute force, right? If that's the case, why not just make a penalty for incorrect guesses? For example, after maybe five incorrect guesses, start increasing the time allowed between subsequent entries. So after five incorrect guesses, you have to wait 5 seconds, then 10 seconds, then 20 seconds, then 30 seconds, then 45 seconds, and so forth. Long before anyone reached the number of guesses necessary to guess even a simple password that's just a dictionary word, the attacker would be waiting hours between guesses. That wouldn't inconvenience someone who just forgot their password and had to try a few times to get it right and wouldn't require them to go through the process of getting their account unlocked (which is also infuriating). Likewise, it would allow passwords that can actually be remembered because it's all the stupid rules that make them hard to remember. Passwords would still be susceptible to social engineering attacks, but that wouldn't be any different for complex passwords either. I must be missing something here, because this kind of approach seems very simple and obvious, yet I've never seen it in use anywhere.

 

[Marc]

This is something that cyber security personnel don't seem to consider enough. I don't think they realize how easy it is to piss off users to the point that they do things that compromise the system, or don't use it at all. It wouldn't be so bad if there would be a standard set of password requirements that would be the same everywhere. I have a pattern I use for passwords that is based in part on the site name. That way I can use a different password everywhere and still remember it. It causes me real problems when I have to create a new password and the rules for that site aren't compatible with my system. In those cases I just make something up and just accept that I'll have to through the password recovery process every time I have to login to that system because I know there's no way I'll ever remember that that particular site/system uses something different, let alone what that password is. It really pisses me off, and on more than one occasion, I have given up entirely on what I was trying to do rather than create a new account with a different password.

There are ways that passwords can be centralised - it's known a single sign-on (SSO) but it relies on interoperability between systems. Sure you can do nicely in a Windows environemnt (authenticate when you logon, ties in with Active Directory and then you can access Exchange Server for your e-mail, SQL server and Sharepoint for groupware. But what happens if you use an Oracle Server? Can get messier but people just have to live with it.

Of course the danger with SSO is that if I get the password, your entire IT world is my oyster.

If I understand correctly, the reason for all of the password rules is to make it harder to crack the password by brute force, right? If that's the case, why not just make a penalty for incorrect guesses? For example, after maybe five incorrect guesses, start increasing the time allowed between subsequent entries. So after five incorrect guesses, you have to wait 5 seconds, then 10 seconds, then 20 seconds, then 30 seconds, then 45 seconds, and so forth. Long before anyone reached the number of guesses necessary to guess even a simple password that's just a dictionary word, the attacker would be waiting hours between guesses. That wouldn't inconvenience someone who just forgot their password and had to try a few times to get it right and wouldn't require them to go through the process of getting their account unlocked (which is also infuriating). Likewise, it would allow passwords that can actually be remembered because it's all the stupid rules that make them hard to remember. Passwords would still be susceptible to social engineering attacks, but that wouldn't be any different for complex passwords either. I must be missing something here, because this kind of approach seems very simple and obvious, yet I've never seen it in use anywhere.

yes that can be done and is done but the drawback is that you wind up with lots more pissed off people - the users who can't get on with their work, their managers who have to deal with the loss of productivity and the admins who are continually having to reset passwords.

Though I'm not sure you can increase the timeout interval - it tends to be set to a particular value but you can set retry and permanent lock out levels (say 3 tries to get in, 4th failure and you need a reset and account unlock.

 

[Robert Maxwell]

This is something that cyber security personnel don't seem to consider enough. I don't think they realize how easy it is to piss off users to the point that they do things that compromise the system, or don't use it at all. It wouldn't be so bad if there would be a standard set of password requirements that would be the same everywhere. I have a pattern I use for passwords that is based in part on the site name. That way I can use a different password everywhere and still remember it. It causes me real problems when I have to create a new password and the rules for that site aren't compatible with my system. In those cases I just make something up and just accept that I'll have to through the password recovery process every time I have to login to that system because I know there's no way I'll ever remember that that particular site/system uses something different, let alone what that password is. It really pisses me off, and on more than one occasion, I have given up entirely on what I was trying to do rather than create a new account with a different password.

There are applications like KeePass and 1Password which allow you to have unique, non-dictionary passwords on every site. They're very handy. Something like that should just be standard for everyone. But passwords themselves are a kludge because, of course, they can be guessed/compromised. They're always a proxy for the question, "Are you the person you claim to be?"

If I understand correctly, the reason for all of the password rules is to make it harder to crack the password by brute force, right? If that's the case, why not just make a penalty for incorrect guesses? For example, after maybe five incorrect guesses, start increasing the time allowed between subsequent entries. So after five incorrect guesses, you have to wait 5 seconds, then 10 seconds, then 20 seconds, then 30 seconds, then 45 seconds, and so forth. Long before anyone reached the number of guesses necessary to guess even a simple password that's just a dictionary word, the attacker would be waiting hours between guesses. That wouldn't inconvenience someone who just forgot their password and had to try a few times to get it right and wouldn't require them to go through the process of getting their account unlocked (which is also infuriating). Likewise, it would allow passwords that can actually be remembered because it's all the stupid rules that make them hard to remember. Passwords would still be susceptible to social engineering attacks, but that wouldn't be any different for complex passwords either. I must be missing something here, because this kind of approach seems very simple and obvious, yet I've never seen it in use anywhere.

There are already systems that do this, but as @Marc noted, they can irritate legitimate users very easily. On top of that, if you do it based on IPs, it's no hassle at all for those running botnets--they can just use a different bot. And if you just plain lock the user's account, the end user is going to be pretty upset that they are locked out for no reason they are aware of. It's a tough balance to strike, and I think in the end we will settle on something more secure than brief strings of text and numbers (since, realistically, that's all a human can be expected to remember).

 

[Gingerbread Demon]

Currently in Australia the govt. is looking at everyone's metadata. That has proven to be a most confusing topic to explain to the general public, and even I don't quite fully get what metadata actually is all about.

The excuse given for this intrusion is "national security" blah blah. Yet no one seems to protest these changes.

 

[Robert Maxwell]

Currently in Australia the govt. is looking at everyone's metadata. That has proven to be a most confusing topic to explain to the general public, and even I don't quite fully get what metadata actually is all about.

The excuse given for this intrusion is "national security" blah blah. Yet no one seems to protest these changes.

Government security branches prey on the public's ignorance. These topics are rather sophisticated but they can certainly be boiled down for the lay person. There is just little incentive for the government to do so, when it makes people better able to judge whether something is a good or bad idea.

Put simply metadata is data about your activities, without providing the details of the activities themselves. For instance, with regard to phone calls, it's a list of numbers you've called (and who have called you), call durations, things like that--but not actual recordings of the calls themselves. One might think this data is relatively harmless, but in fact a great deal can be gleaned about you from such information.

Personally, I don't believe governments should have any right to such information without a warrant and appropriate due process. It's not something they should be able to gather just because they feel like it.

 

[Gingerbread Demon]

Government security branches prey on the public's ignorance. These topics are rather sophisticated but they can certainly be boiled down for the lay person. There is just little incentive for the government to do so, when it makes people better able to judge whether something is a good or bad idea.

Put simply metadata is data about your activities, without providing the details of the activities themselves. For instance, with regard to phone calls, it's a list of numbers you've called (and who have called you), call durations, things like that--but not actual recordings of the calls themselves. One might think this data is relatively harmless, but in fact a great deal can be gleaned about you from such information.

Personally, I don't believe governments should have any right to such information without a warrant and appropriate due process. It's not something they should be able to gather just because they feel like it.

But yet here we are. I find it ironic that today Western nations are doing this to their citizens, yet back in the 70s 80s we kept saying only the "commies" would do stuff like this..

Yet here we are the freedom loving West doing the very same thing.

 

[Marc]

Government security branches prey on the public's ignorance. These topics are rather sophisticated but they can certainly be boiled down for the lay person. There is just little incentive for the government to do so, when it makes people better able to judge whether something is a good or bad idea.

Put simply metadata is data about your activities, without providing the details of the activities themselves. For instance, with regard to phone calls, it's a list of numbers you've called (and who have called you), call durations, things like that--but not actual recordings of the calls themselves. One might think this data is relatively harmless, but in fact a great deal can be gleaned about you from such information.

Personally, I don't believe governments should have any right to such information without a warrant and appropriate due process. It's not something they should be able to gather just because they feel like it.

Can you please e-mail the Australian government - unlike you, they are incapable of giving an accurate description of what they mean by meta-data.

As to the issue of password, security and encryption, the following comes under 2 possible headings a) what happens when you don't have policies in place to control passwords and b) if people are going to have such weak passwords why bother.

http://www.abc.net.au/news/2016-01-...login-abc123-solo-among-top-passwords/7100870

 

[Robert Maxwell]

Can you please e-mail the Australian government - unlike you, they are incapable of giving an accurate description of what they mean by meta-data.

As to the issue of password, security and encryption, the following comes under 2 possible headings a) what happens when you don't have policies in place to control passwords and b) if people are going to have such weak passwords why bother.

http://www.abc.net.au/news/2016-01-...login-abc123-solo-among-top-passwords/7100870

I'm sure they won't provide a definition because they want it to mean whatever they need it to from one moment to the next, eh?