Alex Frakt wrote:
geekpryde wrote:...So, assuming someone gets ahold of say 10,000 VG accounts...
This is a pure strawman argument. You chose this particular scenario out of all possible security breaches because it is the only one in which password length matters. There is nothing to indicate that this scenario is more likely at Vanguard than other financial institutions. FWIW, I would guess that it's actually less likely, since Vanguard is certainly aware of this potential weakness and has probably taken more than the usual steps to guard against it.
Again, while password length is vital in a single-layer security system, it's a trivial component of an end-to-end security system. In a truly secured system, you should never be dependent on people not being able to brute force or decrypt a password, because the day will always come where faster hardware or new techniques renders such a dependency fatal.
I do not agree that my reasoning for advocating longer max passwords is false. There are several ways to get ahold of a database of 10,000 VG accounts, all very different. Brute forcing a bunch of accounts is the end result of ANY NUMBER of possible security breaches. Here are a few:
(1) VG employee leaves sensitive laptop in Starbucks, and maybe VG doesn't use whole drive encryption. (Think this doesn't happen, go ask Boeing\TSA\ any number of companies).
(2) VG *thinks* it has safely disposed of old computers containing old hard drives with sensitive info. But the recycling company ends up re-selling them on eBay for a quick buck. (Again, this has happened).
(3) VG has a security issue on the site, and some smart 19 year old in the Philippines exploits it and sells a database of 10,000 VG accounts to the Russian black marker. (This happens to companies all the time)
(4) Rouge VG employee steals and sells 10,000 accounts to the highest bidder on hacker black market. (Inside security threats are probably more damaging than outside threats)
(5) Sally, a secretary in accounting at VG accidentally infected her work PC with a Trojan while playing a free online game. Now the person running the botnet is renting her infected machine on the hacker underground by the hour. (http://krebsonsecurity.com/2012/10/serv ... 500-firms/
(6) A guy in Kenya just convinced Tony, a mid-level manager at VG that he is from VG tech support, and needs start a join.me session on his computer. Oops, Tony has rights to the database that stores customer account profiles. Someone in China is now brute forcing the database.
(7) There are so many more possibilities....
I am fully aware that password length is only 1 part of a multi-faceted means that VG uses to keep us safe. I am sure VG has very robust layers, including physical security of servers, regular penetration testing, patching procedures, hashing and salting of password databases, etc.
But, we are talking about an aspect of the layered security that VG outsiders (you, me, the hacker in the Philippines) KNOWS FOR A FACT is a lot weaker than is acceptable. It is KNOW FACT to be weaker than almost anyone else in the same industry.
So, if you are looking for a large bank or brokerage firm to hack, do you spent time on hacking/buying a database of accounts at VG or say Discover card. Discover allows 32 character long passwords, mixed case, and special characters. VG allows a pathetic 10 characters, and no case sensitivity. HMM, let me think.
I did NOT say that a breach at VG if more likely than at other institutions,
I said that IF a breach happens, than password length can be the only thing between a hacked account and a useless hash.
Let me respectfully ask you this Alex, if VG took a poll
of customers about increasing max password length, would you really vote option “D” over “A”,"B","C"?
“A” – Vanguard should spend money to increase password length, even though I (the customer) think it probably will have a negligible impact on overall holistic security.
“B” - Vanguard should definitely spend money increase password length, I (the customer) strongly believe password length is an important aspect of overall holistic security.
“C” – Vanguard should NOT spend money to increase password length, I (the customer) thinks the benefit does not justify the cost.
“D” – Vanguard should definitely NOT spend money to increase password length, it is a meaningless false security blanket, and I (the customer) love having the weakest password policy in the industry.
I understand all of the options above, including “C”. If you are a “D” kind of guy, than I just don’t understand you.
If this is still a false argument, then I guess I am not smart enough to understand how it is false.