Security Basics mailing list archives
Re: Password variation scheme a plus in security?
From: Alexander Klimov <alserkli () inbox ru>
Date: Tue, 1 Jul 2008 11:07:40 +0300 (IDT)
On Mon, 30 Jun 2008, Stefan Schmidt wrote:
> My idea is that the hackers have like 100.000 passwords and from these maybe 90.000 give them immediate login success at other sites, so they might just ignore the 10.000 that don't immediately work. Or is it rather standard procedure in hacking attacks to try variations of the acquired passwords?
Let us put it differently: is it a standard practice to grab a list of user/password pairs from one site and try to apply them to some different site?

To answer the question you should think about the motives of the attacker: what can they gain from a few hundred logins on, say, /. or any other popular site? Probably link spam, but the result is small and short-lived, and thus it is reasonable to guess that it is not "a standard practice".

On the other hand, the effect can be much more profound if an attacker can access your Internet mail and all your messages, including messages from your bank. Since your email address is usually stored on the cracked site together with your login credentials, it is reasonable to guess that an attacker will apply some small guessing to access your email.

The practical summary: use different hard-to-guess passwords to access resources that may have value for an attacker and "password1" in all other cases (actually "qwer1234" is even faster to type :-).

-- 
Regards,
ASK
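The reply above argues about whether leaked user/password pairs get replayed against other sites. From the defender's side, that replay has a recognisable shape in an authentication log: one source trying many different usernames, each once, with a high failure rate and a handful of successes. The script below is an added example, not part of the mailing-list thread; the log format, the sample lines, the IP addresses and the thresholds are all constructed for illustration. It separates that pattern from an ordinary user retrying their own password, and lists the accounts that succeeded from a flagged source so they can be followed up (forced password reset, session review).

```python
"""Spot credential-replay (credential-stuffing) patterns in an auth log.

Added example for the thread above; everything here is constructed.
Log line format assumed: "<timestamp> <src_ip> <username> <OK|FAIL>".
"""

# Constructed sample: 203.0.113.7 walks through many different accounts
# once each (leaked-list replay); 198.51.100.5 is one user retrying their
# own password; 192.0.2.9 is a normal single login.
SAMPLE_LOG = """\
2008-07-01T11:00:01 203.0.113.7 alice FAIL
2008-07-01T11:00:02 203.0.113.7 bob FAIL
2008-07-01T11:00:02 203.0.113.7 carol OK
2008-07-01T11:00:03 203.0.113.7 dave FAIL
2008-07-01T11:00:03 203.0.113.7 erin FAIL
2008-07-01T11:00:04 203.0.113.7 frank FAIL
2008-07-01T11:00:05 203.0.113.7 grace FAIL
2008-07-01T11:00:06 203.0.113.7 heidi OK
2008-07-01T11:00:07 203.0.113.7 ivan FAIL
2008-07-01T11:00:08 203.0.113.7 judy FAIL
2008-07-01T11:02:10 198.51.100.5 alice FAIL
2008-07-01T11:02:15 198.51.100.5 alice FAIL
2008-07-01T11:02:30 198.51.100.5 alice OK
2008-07-01T11:03:00 192.0.2.9 bob OK
"""


def parse_log(text):
    """Yield (src_ip, username, success) from the constructed line format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"


def summarize(events):
    """Aggregate per source IP: attempts, failures, distinct users, successes."""
    stats = {}
    for ip, user, ok in events:
        s = stats.setdefault(
            ip, {"attempts": 0, "failures": 0, "users": set(), "ok_users": []}
        )
        s["attempts"] += 1
        if ok:
            s["ok_users"].append(user)
        else:
            s["failures"] += 1
        s["users"].add(user)
    return stats


def flag_stuffing(stats, min_attempts=5, min_users=5, min_fail_ratio=0.6):
    """Return sources whose pattern looks like a replayed credential list.

    Many distinct usernames from one source with mostly failures is the
    replay signature; a single user failing repeatedly is not (that is a
    forgotten password or a single-account guess, handled by lockout).
    Thresholds are illustrative assumptions, tune them to your traffic.
    """
    flagged = {}
    for ip, s in stats.items():
        fail_ratio = s["failures"] / s["attempts"]
        if (
            s["attempts"] >= min_attempts
            and len(s["users"]) >= min_users
            and fail_ratio >= min_fail_ratio
        ):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                # accounts that accepted a replayed password: reset these
                "compromised_accounts": list(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    report = flag_stuffing(summarize(parse_log(SAMPLE_LOG)))
    for ip, info in report.items():
        print(ip, info)
```

The successes from a flagged source are the interesting output: they are exactly the users who reused a password from the cracked site, which is the case the reply singles out as worth protecting against with distinct passwords on accounts that matter.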