Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 14 Apr 2010 11:54:32 -0400

On 4/14/2010 9:42 AM, SCHALIP, MICHAEL wrote:
> So - this does beg the question - even though longer passwords are theoretically harder to "crack", who cares....the bad guys are just going to go around them anyway....?

For obtaining arbitrary usernames/passwords "in bulk", phishing is
disturbingly effective.  I am reminded of this on an increasing basis as
each phishing run we see slip by our spam appliances is followed shortly
thereafter by spamming runs from the bad guys using credentials they
managed to collect from the same run.  Questioning the "victims"
afterward (accounts are disabled, user calls helpdesk) confirms the
cause-and-effect that they indeed responded (generally speaking; there
are some cases of 'plausible deniability'...).

Combine this with the user trend of often using the same
usernames/passwords for multiple sites, and/or the increasing "strategic
objective" of localized single signons, and the situation takes on an
entirely different viewpoint.  You need only "phish" one targeted use of
credentials and you gain the keys to the kingdom.

Complex passwords may help in a *targeted* attack on an *educated* user
with *valued* assets, but that is the opposite end of the spectrum from
these bulk credential thefts [e.g., nuclear launch codes vs spamming
credentials for webmail].  Hopefully the former category will employ 2FA
or other mechanisms "out-of-band" from the second category, and less
susceptible to MITM / keylogger / replay transit capture.

In other words, incredibly complicated passwords are of no added value
when the user simply gives them away (voluntarily via phish or covertly
via keylogger).

Jeff
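The cause-and-effect Jeff describes (a phishing run slips past the gateway, and shortly afterwards the phished accounts start sending bulk mail) is something a mail administrator can look for in the gateway logs. The script below is an added example, not code from this thread or from Educause; the log format, the `campaign=` tag that marks messages belonging to a known phishing run, the 24-hour window and the recipient threshold are all constructed assumptions. It correlates each account that received the phish with that account's outbound recipient volume in the window after receipt, so that only phished accounts that then start spamming are flagged for the helpdesk to disable.

```python
"""Correlate phishing-run recipients with a later outbound mail burst.

Added example (not from the original post). The log format below is
constructed: one line per message, giving timestamp, direction, local
account, and either the campaign tag the gateway attached to an inbound
message or the recipient count of an outbound message.
"""
from datetime import datetime, timedelta

# Constructed sample gateway log for one day of mail.
SAMPLE_LOG = [
    "2010-04-13T08:00:00 OUT alice@example.edu rcpts=2",      # normal, before the phish
    "2010-04-14T09:05:12 IN  alice@example.edu campaign=phish-0414",
    "2010-04-14T09:05:13 IN  bob@example.edu campaign=phish-0414",
    "2010-04-14T09:06:00 IN  carol@example.edu campaign=newsletter",
    "2010-04-14T10:30:00 OUT alice@example.edu rcpts=250",    # burst after phish
    "2010-04-14T10:31:00 OUT alice@example.edu rcpts=300",
    "2010-04-14T10:40:00 OUT bob@example.edu rcpts=3",        # phished but not (yet) abused
    "2010-04-14T11:00:00 OUT carol@example.edu rcpts=400",    # burst, but never received the phish
]


def parse_line(line):
    """Split one log line into a dict with ts, dir, account and one key=value field."""
    ts, direction, account, kv = line.split(maxsplit=3)
    key, value = kv.split("=", 1)
    return {"ts": datetime.fromisoformat(ts), "dir": direction, "account": account, key: value}


def phish_receipts(records, campaign):
    """Earliest time each account received a message tagged with the given campaign."""
    first_seen = {}
    for r in records:
        if r["dir"] == "IN" and r.get("campaign") == campaign:
            acct = r["account"]
            first_seen[acct] = min(first_seen.get(acct, r["ts"]), r["ts"])
    return first_seen


def outbound_volume(records, account, start, window):
    """Total outbound recipients for an account between start and start+window."""
    total = 0
    for r in records:
        if r["dir"] == "OUT" and r["account"] == account and start <= r["ts"] <= start + window:
            total += int(r["rcpts"])
    return total


def compromised_candidates(lines, campaign, window=timedelta(hours=24), threshold=100):
    """Accounts that received the phish and then sent >= threshold recipients within the window.

    Returns {account: outbound_recipient_count}. Accounts that burst without
    having received the phish are deliberately left out: they need a
    different explanation and a different response.
    """
    records = [parse_line(line) for line in lines]
    flagged = {}
    for account, received_at in phish_receipts(records, campaign).items():
        volume = outbound_volume(records, account, received_at, window)
        if volume >= threshold:
            flagged[account] = volume
    return flagged


if __name__ == "__main__":
    for account, volume in compromised_candidates(SAMPLE_LOG, "phish-0414").items():
        print(f"disable and call: {account} sent to {volume} recipients after the phish")
```

On the sample log only `alice@example.edu` is reported: she received the phish and then sent to 550 recipients. `bob@example.edu` received it but sent only 3, and `carol@example.edu` bursts without having received the campaign at all, so neither is attributed to this run. The threshold and window would be tuned to the institution's normal per-user sending pattern.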
