The wisdom of the ill informed
Allen
netsecurity at sound-by-design.com
Mon Jun 30 14:24:06 EDT 2008
Ed Gerck wrote:
> Allen wrote:
>> Very. The (I hate to use this term for something so pathetic) password
>> for the file is 6 (yes, six) numeric characters!
>>
>> My 6 year old K6-II can crack this in less than one minute as there
>> are only 1.11*10^6 possible.
>
> Not so fast. Bank PINs are usually just 4 numeric characters long and
> yet they are considered /safe/ even for web access to the account (where
> a physical card is not required).
>
> Why? Because after 4 tries the access is blocked for your IP number (in
> some cases after 3 tries).
>
> The question is not only how many combinations you have but also how
> much time you need to try enough combinations so that you can succeed.
>
> I'm not defending the designers of that email system, as I do not know
> any specifics -- I'm just pointing out that what you mention is not
> necessarily a problem and may be even safer than secure online banking
> today.
Indeed it might be more secure *if* the file was not downloaded as
opposed to accessed via a web site.
That aside, I believe the ATM PINs have been compromised recently,
not by direct entry, but rather by harvesting them off the server
where they were stored, so I would not say that they are "safe"
anymore. I believe the same applies to web access to your account.
My banks allow more than 4 numeric characters. They use a key space
of 64 characters and with a 12 character password it would take
about 1.5*10^5 years to generate the Rainbow table in 1 petabyte of
storage at 1*10^9 hashes per second. After you have the table it
would take about 1.9*10^5 to crack the password. (As the storage
space goes down the time to crack goes up because of the number of
possibilities between points but the initial time to generate the
table is the same.)
During the transmission from an ATM machine 4 numeric characters are
probably safe because the machines use dedicated dry pair phone
lines for the most part, as I understand the system. This, combined
with triple DES, makes it very difficult to compromise or do a MIM
attack because one can not just tap into the lines remotely. One has
to get on the line from the machine to the CO to get the data and
then decrypt.
Best,
Allen
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list