Cloud Paranoia

Discussion in 'General Computer Chat' started by storp, Mar 27, 2015.

  1. ScottALot

    ScottALot Active Member

    Messages:
    4,963
    Schneier's blog makes the claim that my random sentence passwords are easily crackable because words like that can be farmed from information they have on someone... except there's an issue with that sentence.
    If I used ihadatastybrunch as my password and someone used a rainbow table and password cracking methods that involved harnessing words from social media, forums, etc... (not counting this one), there is NO WAY my password would be cracked!
    I've never said the word brunch anywhere online, it's just a random word that popped into my head and I made a sentence about it.

    "Oh but it's a sentence, so the algorithm can get rid of any grammatically incorrect passwords"
    Have a good time with that... your program is going to be horribly slow.

    And he suggests these horribly inconvenient methods of creating long passwords of complex characters completely randomly and storing them encrypted on your computer with some master password (single point of failure)... 'cept if you're not doing regular backups and/or you've made a password change and you have a hard disk failure, then you can say bye-bye to your passwords. Or if you decide to use some sort of password management that's internet-enabled and stores in the cloud, you've just hugely compromised your password.

    The end goal of making a password is balancing usability with entropy. If your password is so obscure and unmemorable that you forget it and have to reset it, it is a poorly usable password. Every time you do a password reset, you're opening your account to theft. Luckily, you can open a Merriam Webster dictionary, flip to a random page, point at a word, repeat 3-5 times, and you've got a secure and memorable password. Hell, you can use a random number generator to choose your words... and the only way someone can crack your password is if they have a few ____illion years to spare and/or they just happen to know that Scott used plaintext words in his password, which is an assumption that's completely broken by throwing just one @ or 1 in the mix, but isn't even worth that effort.

    I honestly can't fathom why he'd say "correcthorsebatterystaple" is crackable by harnessing information... maybe that's why Blowfish and Twofish are hardly used outside of crypto classes.
     
  2. Agent Smith

    Agent Smith Well-Known Member

    Messages:
    3,324
    You better read up on bcrypt. Truecrypt offers Twofish and it isn't popular because it's slower than AES. AES so happened to win the competition. That doesn't mean Blowfish is any more less secure. Not even Twofish. A cascade of Twofish and AES would be a lot better using Truecrypt.

    Face palm on the rest... :rolleyes:
     
    Last edited: Apr 12, 2015
  3. ScottALot

    ScottALot Active Member

    Messages:
    4,963
    You haven't proven anything. You've just recited some barely relevant facts that don't construct anything remotely close to an argument or point.

    While you've refused to acknowledge the math, I've shown that you can do the calculations and prove that low complexity and high length is better than high complexity and low length (all relative).

    Hint: If you're going to write "facepalm" to someone, you've got to actually be in the right.

    It's like securing a car. Your argument is like saying the car should have a wireless key, fingerprint scan, voice recognition, retinal scans, ... while I secure my car with a metal key and unhooking the battery after I get out. Sure mine takes a bit longer, but if your key runs out of battery, you scrape your thumb, get a cold, or the lighting isn't just right (i.e. you forget, something in your chain of "security" breaks), you're not getting to work on time.
    #ArtisticMetaphors
     
  4. Agent Smith

    Agent Smith Well-Known Member

    Messages:
    3,324
    No, if you're not going the heed the advice of Bruce Schneier then that is most certainly face palm worthy.
     
  5. ScottALot

    ScottALot Active Member

    Messages:
    4,963
    [​IMG]
     
  6. Thanatos

    Thanatos Active Member

    Messages:
    2,033
    I have the Cloud to Butt extension on Chrome, so it's been interesting seeing "Butt Paranoia" every time I log on.
     
  7. Peakkk

    Peakkk New Member

    Messages:
    23
    I go with both.

    I go with both. With the local being disconnected afterwards. Online backups should have versioning turned on.
    Usually, pictures and photos on cloud, and some other important files to be backup in an external hard drive.
    For cloud I'm using dropbox.
    For onsite backup I'm using free todo backup.
     
    Last edited: Apr 29, 2015

Share This Page