Which is the better password & 4 facts about passwords

wirestyle22

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

MattSpeller

@wirestyle22 said:

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

Absolutely! Once the luser finally gave up looking for it and confessed. That's anywhere from an hour to several days where I can take your device offline (disabling your remote wipe) and then it's just a count down to pwnage.

Dashrender

@BRRABill said:

@Dashrender said:

The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven Dramatically improves the security of this password.

Isn't that the same words with a letter in them?

If you are thinking they can figure out the words, why would this help?

Because it's no longer a pure dictionary attack. The letter X (I don't think) isn't in the dictionary because it's not a word).

What I'm getting at does have very limited use - this is true, because assume the system allows for all ASCSII characters, you could put spaces between works, or underlines, etc... lots of easy to remember ways to break this away from a dictionary attack. But then again we are talking about people here - where the most common password is still password.

Dashrender

@MattSpeller said:

@wirestyle22 said:

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

Absolutely! Once the luser finally gave up looking for it and confessed. That's anywhere from an hour to several days where I can take your device offline (disabling your remote wipe) and then it's just a count down to pwnage.

Obviously in the case of MDM managed devices, hopefully you have some kind of limited number of tries before the device self wipes.

dafyre

@Dashrender said:

@MattSpeller said:

@wirestyle22 said:

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

Absolutely! Once the luser finally gave up looking for it and confessed. That's anywhere from an hour to several days where I can take your device offline (disabling your remote wipe) and then it's just a count down to pwnage.

Obviously in the case of MDM managed devices, hopefully you have some kind of limited number of tries before the device self wipes.

I have this on my personal phone, lol.

BRRABill

@dafyre said:

I have this on my personal phone, lol.

I don't, just because the little ones grab my phone sometimes.

Though since I really have no data on there ... what am I waiting for???????

Dashrender

@BRRABill said:

@dafyre said:

I have this on my personal phone, lol.

I don't, just because the little ones grab my phone sometimes.

Though since I really have no data on there ... what am I waiting for???????

You have backups don't you? shouldn't be an issue.

dafyre

@Dashrender said:

@BRRABill said:

@dafyre said:

I have this on my personal phone, lol.

I don't, just because the little ones grab my phone sometimes.

Though since I really have no data on there ... what am I waiting for???????

You have backups don't you? shouldn't be an issue.

This! Any pics or videos that I take are uploaded to my ownCloud server... Contats are on Google... anything else can be replaced.

BRRABill

@Dashrender said:

You have backups don't you? shouldn't be an issue.

No need for backups. No data is stored on the phone anymore.

I've caved to the @scottalanmiller method of data storage.

Dashrender

@BRRABill said:

@Dashrender said:

You have backups don't you? shouldn't be an issue.

No need for backups. No data is stored on the phone anymore.

I've caved to the @scottalanmiller method of data storage.

This doesn't make sense to me. If you, like he, takes pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.

BRRABill

@Dashrender said:

This doesn't make sense to me. If you, like he, takes pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.

Goes right to iCloud.

Dashrender

Not to mention that you'll still want a contact list on there. So are you saying you never add a phone number/email address/etc via the phone? You only do it via another device? cause if you do it via the phone, then you do want/need backups/syncing.

travisdh1

@Dashrender said:

@BRRABill said:

@Dashrender said:

You have backups don't you? shouldn't be an issue.

No need for backups. No data is stored on the phone anymore.

I've caved to the @scottalanmiller method of data storage.

This doesn't make sense to me. If you, like he, takes pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.

Auto upload is where it's at man. I could completely destroy/loose my phone tomorrow and all my pictures/videos would be available online. Considering that's really all that I care about on the phone, well, great!

Dashrender

@BRRABill said:

@Dashrender said:

This doesn't make sense to me. If you, like he, takes pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.

Goes right to iCloud.

technically a backup.

BRRABill

@BRRABill said:

Goes right to iCloud.

I'm not sure I don't like my OCD control over my pictures.

But I have to admit it's pretty nice not having to worry about it.

BRRABill

@Dashrender said:

Not to mention that you'll still want a contact list on there. So are you saying you never add a phone number/email address/etc via the phone? You only do it via another device? cause if you do it via the phone, then you do want/need backups/syncing.

All that stuff syncs with my Exchange account. If they phone got wiped, I'd just reinstall the Exchange account and it all would be back.

Dashrender

@BRRABill said:

@Dashrender said:

Not to mention that you'll still want a contact list on there. So are you saying you never add a phone number/email address/etc via the phone? You only do it via another device? cause if you do it via the phone, then you do want/need backups/syncing.

All that stuff syncs with my Exchange account. If they phone got wiped, I'd just reinstall the Exchange account and it all would be back.

That syncing is a form of backup.. so it's not accurate to say there is no data on the phone you care about.. it's more accurate to say that anything on the phone you do care about is snyc'ed/backed up to someplace else that comes right back with my new/wiped phone.

BRRABill

@Dashrender said:

technically a backup.

I'm not arguing with you, per se.

I'm just saying there is no data JUST on the phone that I care about losing.

Not so before ML. I'd have months of pictures and stuff I never got around to copying off the phone.

My first step was just to enable iCloud backup. Then I went whole hog.

I might even one day just use OneDrive, because that is where all my other pictures are located. But I"ve just ... delayed doing that.

BRRABill

@Dashrender said:

That syncing is a form of backup.. so it's not accurate to say there is no data on the phone you care about.. it's more accurate to say that anything on the phone you do care about is snyc'ed/backed up to someplace else that comes right back with my new/wiped phone.

There is no data solely on the phone I am worried about losing because don't have it elsewhere, correct.

BRRABill

Of course, as I say this, I forgot that last week I tried accessing PHOTOS on iCloud through my browser, and could not.

Figured it was a fluke.

Tried again today? NADA. Keeps saying it is a network error.

Good job, Apple.