The wisdom of the ill informed

Allen netsecurity at sound-by-design.com
Mon Jun 30 14:24:06 EDT 2008



Ed Gerck wrote:
> Allen wrote:
>> Very. The (I hate to use this term for something so pathetic) password 
>> for the file is 6 (yes, six) numeric characters!
>>
>> My 6 year old K6-II can crack this in less than one minute as there 
>> are only 1.11*10^6 possible.
> 
> Not so fast. Bank PINs are usually just 4 numeric characters long and 
> yet they are considered /safe/ even for web access to the account (where 
> a physical card is not required).
> 
> Why? Because after 4 tries the access is blocked for your IP number (in 
> some cases after 3 tries).
> 
> The question is not only how many combinations you have but also how 
> much time you need to try enough combinations so that you can succeed.
> 
> I'm not defending the designers of that email system, as I do not know 
> any specifics -- I'm just pointing out that what you mention is not 
> necessarily a problem and may be even safer than secure online banking 
> today.

Indeed it might be more secure *if* the file was not downloaded as 
opposed to accessed via a web site.

That aside, I believe the ATM PINs have been compromised recently, 
not by direct entry, but rather by harvesting them off the server 
where they were stored, so I would not say that they are "safe" 
anymore. I believe the same applies to web access to your account.

My banks allow more than 4 numeric characters. They use a key space 
of 64 characters and with a 12 character password it would take 
about 1.5*10^5 years to generate the Rainbow table in 1 petabyte of 
storage at 1*10^9 hashes per second. After you have the table it 
would take about 1.9*10^5 to crack the password. (As the storage 
space goes down the time to crack goes up because of the number of 
possibilities between points but the initial time to generate the 
table is the same.)

During the transmission from an ATM machine 4 numeric characters are 
probably safe because the machines use dedicated dry pair phone 
lines for the most part, as I understand the system. This, combined 
with triple DES, makes it very difficult to compromise or do a MIM 
attack because one can not just tap into the lines remotely. One has 
to get on the line from the machine to the CO to get the data and 
then decrypt.

Best,

Allen

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list