Comments on: Simple Passphrase Conundrum http://www.red-sweater.com/blog/2713/simple-passphrase-conundrum Mac & Technology Writings by Daniel Jalkut Sun, 16 Mar 2014 19:39:31 +0000 hourly 1 http://wordpress.org/?v=3.8.1 By: ChadF http://www.red-sweater.com/blog/2713/simple-passphrase-conundrum/comment-page-1#comment-273205 Tue, 07 Aug 2012 05:53:19 +0000 http://www.red-sweater.com/blog/?p=2713#comment-273205 With so many more sites using SSL by default now for content security, it makes you wonder why client side PKI based authentication hasn’t become more common. Then a place like google (or FB, etc) could still issue certs for users that other sites could “trust”, but aside from the CA cert being cracked/stolen or a user’s private cert key (and passphrase) being directly acquired, it would seem to be a far more secure option. And nothing would stop them (google, etc..) from providing both to each user, a secure cert for all using SSL and a username/password for legacy sites.

While somewhat annoying for normal logins, when resting a password a security question should be needed to prevent blind resets if their email account is hijacked. And if none has been set (or maybe even it it has) then add something else is to make it “less anonymous” for the one doing the resting – maybe a text message to a phone number with an unlock code in addition to the email. Since that has a better chance of being traced (for legal actions) it might at least weed out some of the amateurs out of fear of getting caught.

]]>
By: William http://www.red-sweater.com/blog/2713/simple-passphrase-conundrum/comment-page-1#comment-273162 Mon, 06 Aug 2012 09:59:30 +0000 http://www.red-sweater.com/blog/?p=2713#comment-273162 Sounds like it wasn’t his password that was hacked after all – read the updates.

I “solved” the problem with iOS App Store security by setting up a separate iTunes account that I only use for App Store purchases. So I have a shorter password on that, and a complex one on my actual iCloud account. Hopefully that foils the hacker… or at least slows him down…

]]>
By: Aaron Burghardt http://www.red-sweater.com/blog/2713/simple-passphrase-conundrum/comment-page-1#comment-273161 Mon, 06 Aug 2012 09:53:10 +0000 http://www.red-sweater.com/blog/?p=2713#comment-273161 @ Erik: It’s not quite that bad: All of the data is encrypted, so pulling the flash dumping the flash would result in unreadable dump. Decrypting the dump requires a unique device ID that is built into the hardware, so it can’t be practically brute-forced. Second, by-passing the lock screen requires a boot-rom level exploit, and no known exploits exist for the 4S, iPad 2, or iPad 3. Third, on the devices that have boot-rom exploits (iPhone 4, 3GS, iPad 1), brute-forcing the password is slow, so an 8-character alpha-numeric or 10-digit PIN will take years to by-pass.

@ Daniel: You can make the unlock a little more convenient: you already turned off “Simple Password”, so instead of the 4-digit PIN, you get prompted with a text field and a keyboard. If you set your password to a long numeric one instead of an alpha-numeric, when you unlock the device you will have PIN-style keypad instead of the keyboard, which is much more convenient. You don’t need a complex password, just a long one—see Steve Gibson’s article and podcast on the haystack. A 10-digit password would take roughly 15 years to brute-force.

]]>
By: Erik http://www.red-sweater.com/blog/2713/simple-passphrase-conundrum/comment-page-1#comment-273106 Sun, 05 Aug 2012 15:02:56 +0000 http://www.red-sweater.com/blog/?p=2713#comment-273106 I use the 4-digit PIN to keep casual snoops or pranksters out of my phone. But after reading “Hacking and Securing iOS Applications”, I’ve come to realize there is no good way to truly secure the device; an identity thief can pretty easily bypass the lock screen with standard jailbreak software. Much of the data is actually unencrypted. The crazy thing is how quickly this can be done without leaving obvious traces; if someone confiscates your phone for five minutes at a border crossing you should assume you’ve just been hacked.

]]>
By: Edward Marczak http://www.red-sweater.com/blog/2713/simple-passphrase-conundrum/comment-page-1#comment-273068 Sun, 05 Aug 2012 05:13:27 +0000 http://www.red-sweater.com/blog/?p=2713#comment-273068 You mention two-factor authentication, and Google has offered that very means as a way of protecting your account. In this specific instance, it would have made the attack on Mat’s Gmail account not possible, even with the known password gathered from some other source (presumably, in this case, iCloud).

If you have a Google account, you can read about enabling two-factor authentication for it here:

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

]]>
By: Matthew http://www.red-sweater.com/blog/2713/simple-passphrase-conundrum/comment-page-1#comment-273061 Sun, 05 Aug 2012 03:55:09 +0000 http://www.red-sweater.com/blog/?p=2713#comment-273061 Some banks will require you to answer a random “security question” if you login from a different computer than usual. That wouldn’t be a bad idea for iCloud, but with it being a mobile system, it could be annoying and make it hard to use.

]]>
By: Tom http://www.red-sweater.com/blog/2713/simple-passphrase-conundrum/comment-page-1#comment-273043 Sat, 04 Aug 2012 22:33:28 +0000 http://www.red-sweater.com/blog/?p=2713#comment-273043 Read your post, and this afternoon got an email from my bank that there was a failed password attempt on my online banking. Might just be a sign to spend time this evening changing passwords all around.

]]>
By: Nathan Ferguson http://www.red-sweater.com/blog/2713/simple-passphrase-conundrum/comment-page-1#comment-273021 Sat, 04 Aug 2012 17:57:21 +0000 http://www.red-sweater.com/blog/?p=2713#comment-273021 The regular prompts to enter my Apple ID password when buying and updating apps are what keep me from improving my already tedious-to-enter password. All other services I use have far more secure passwords, saved with 1Password.

I wish iOS worked like desktop iTunes (never thought I’d say that), where my password is only requested when attempting to view/edit my account info. For parents, there could be a preference setting to require a pin code for purchases.

This way, the only thing a hacker could do (in the short term, at least) would be to purchase apps and media — purchases that Apple could refund me and that I could cut off quickly by canceling the credit card attached to my account.

I guess this still wouldn’t solve the “passphrase conundrum”, though.

]]>