How safe is the password

The other day I was helping somebody create an account and they wondered why the web site didn't tell them that the password was in use, so people didn't duplicate passwords. I don't normally work on exploits, but my immediate response was that it is too much information and can be used to hack the system. It was just my opinion and I decided to follow the logic as I write a post. It seems that if I could question a web site and it indicated which passwords were in use, I could eventually generate a list of all passwords. It would then just be a matter of linking the specific password to the specific account. In the world of programming that has a number associated with it for time resolution and I would say that it is doable.

There are many anecdotal reports of passwords and their use. It seems that "123456" is the most common password on the net. There is a trade-off in security if a person doesn't want to be easily spoofed. The "War Games" exploit of knowing where the password is kept is a problem when complex and forgettable passwords are used. I would guess that having a thumb drive with complex passwords would be a solution, but people would probably drop them at bars and then have no way to access anything as they were stripped of assets, privacy and perhaps even dignity.

It seems that there are other algorithms that apply, but as I said, I am not in the exploit business and was just ruminating on what I assumed was obviously true. There are actually many different holes and it is a wonder that anything is secure at all.

Automated Intelligence