Re: Password encription
Aki,
(Not speaking for Aki)
Yes, your understanding is basically correct. However, history gives lots of examples of broken systems that explicitly or implicitly relied on one critical system not failing -- they lacked defense in depth or resilience.
Examples are "this system has no bugs", "my system does not leak hashes", "this algorithm is unbreakable", "we'll never see a CAT5 hurricane", etc. If these critical assumption ever becomes untrue, the foundation of your defense crumbles.
If you narrow your attack definition to only include in-protocol remote brute forcing, then any decent password will take far too long to break that way (esp. with throttling controls that are built-in). Your log files will overflow recording the attempts long before you can expect a password to be cracked. However, you're still susceptable to the qwerty passwords. If this is your *only* line of defense, it is brittle.
A robustly secure system will overlap protection: strong hashes, password compliance systems, brute force countermeasures, file permissions/OS hardening, network origins vetting, anti-DoS measures, etc.
Keep this picture in mind that I found on CLCERT
https://www.clcert.cl/humor/img/weakest-link-road.jpg
Joseph Tam <jtam.home@gmail.com>
participants (1)
-
Joseph Tam