[Cryptography] Why don't we protect passwords properly?

ianG iang at iang.org
Sun Dec 22 01:13:50 EST 2013


On 21/12/13 07:00 AM, Bill Cox wrote:
> I only dabble in crypto because it's way cool, but I keep seeing signs
> of either serious ignorance, or amazingly clever social engineering.
> Which is it?
>
> For example, last month I pointed out on the TrueCrypt list that their
> key stretching is a joke, at least if you want to protect data from any
> organization with many millions of dollars to spend on brute-force
> password guessing hardware.  TrueCrypt's strongest option of 2000 rounds
> of AES-512 key stretching is simply not enough to protect passwords real
> Facebook users can remember.  SHA-XXX (all of them) seem to have been
> designed specifically to be cheap and fast to compute in custom
> hardware, while taking forever to compute on modern CPUs.  I especially
> like the bit position swaps which don't take any computation at all in
> hardware.  I thought that was a mistake on the web page when I read it
> the first time.
>
> Scrypt, used by FreeCoin, shows how to do truly effective key
> stretching, which can protect typical Facebook passwords from even the
> most well funded government spy agencies.  Nevertheless, the most common
> tools in use don't include effective key stretching. TrueCrypt is an
> open source project hosted out of Spain, yet the devs are silent when
> asked about their ineffective key stretching choice.  GPG and ssh don't
> key stretch at all by default, AFAIK. How is it possible that the
> open-source devs who invented and wrote these amazing tools fail to
> understand basic password security?
>
> I want a straight answer, and I truly don't know what it is.  Is it
> scary tall dudes in dark suits, or seriously ignorant devs?


Some answers on a bright Sunday morning:

1.  Your attacker of choice has to have custom hardware; this knocks out 
most.

2.  The best benefit is gained when the bar is only lifted some way up, 
as most attackers are 'economic' and they will move on if there are 
difficulties experienced.  Even targeted attacks by the NSA go through 
an 'economic' analysis, and if active hard attacks are required then the 
burden of need gets higher for them, because the one sin they cannot 
commit is sunlight (ok, your attack above isn't active).

3.  The amount of stuff to learn to defeat the aggressive knowledgeable 
attacker is seriously scary.  One guy could possibly do it after 10 
years or so, but it really requires a team of diverse strengths.  E.g., 
this week there was news of acoustic analysis, which perversely seems to 
be reverse correlated with other side-channel analysis techniques.  Oh 
dear.  A month ago there was a scare story about jumping airgaps.

4.  Critics think everything should be fixed, and give the developers 
no credit.  So criticism is loud, but it more follows the crowd than is 
actually useful.

5.  K6 is the killer.  Most of the work should be in the UI. 
Cryptographers bemoan and wail about some weakness or other, but it is 
easy to show that by far the biggest weakness is that the user chooses 
not to use the tool.




iang
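The thread argues about two things at once: how much a key-stretching round costs on attacker hardware (cheap for an iterated SHA-2 construction, expensive for the memory-hard scrypt), and the 'economic' point that the goal is to raise the per-guess cost until brute force is no longer worth it. The following is an added example, not code from either poster, that makes both arguments concrete: it derives keys with PBKDF2-HMAC-SHA512 at the 2000-round figure mentioned above and with scrypt at memory-hard parameters, times a single derivation on the defender's CPU, and turns that into an estimated time for an attacker to exhaust a password space of a given entropy. The password, salt, entropy figure and the hardware speedup factors are constructed assumptions, not measurements from the thread.

```python
import hashlib
import os
import time

# Constructed sample inputs (not from the thread): a short, memorable
# password and a random 16-byte salt.
SAMPLE_PASSWORD = b"correct horse"
SAMPLE_SALT = os.urandom(16)


def stretch_pbkdf2(password: bytes, salt: bytes, rounds: int) -> bytes:
    """PBKDF2-HMAC-SHA512.  Cost grows linearly with `rounds`, and each round
    is cheap in custom hardware, which is the thread's complaint about a
    2000-iteration setting."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, rounds, dklen=64)


def stretch_scrypt(password: bytes, salt: bytes,
                   n: int = 2 ** 14, r: int = 8, p: int = 1) -> bytes:
    """scrypt, the memory-hard KDF the thread recommends.  Working memory is
    128 * r * n bytes (16 MiB at these parameters); an attacker has to pay
    for that memory per parallel guess, not just for ALU time."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=64)


def time_kdf(func, *args, repeats: int = 3) -> float:
    """Seconds per derivation on this machine (median of a few runs)."""
    samples = []
    for _ in range(repeats):
        start = time.perf_counter()
        func(*args)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


def attacker_rate(defender_seconds_per_guess: float, speedup: float) -> float:
    """Guesses per second for an attacker whose hardware is `speedup` times
    faster per guess than this CPU.  Assumption: guesses parallelise
    perfectly, so rate = speedup / time-per-guess."""
    return speedup / defender_seconds_per_guess


def seconds_to_exhaust(password_bits: float, guesses_per_second: float) -> float:
    """Time to try every password in a space of `password_bits` entropy."""
    return (2.0 ** password_bits) / guesses_per_second


if __name__ == "__main__":
    # Assumed entropy of a typical user-chosen password (constructed figure).
    PASSWORD_BITS = 28
    # Assumed per-guess speedups of specialised hardware over this CPU
    # (constructed, to show the shape of the argument, not measured values):
    # iterated SHA-2 gains a lot, memory-hard scrypt gains far less.
    for name, func, args, speedup in (
        ("PBKDF2-SHA512 x2000", stretch_pbkdf2,
         (SAMPLE_PASSWORD, SAMPLE_SALT, 2000), 1e5),
        ("scrypt n=2^14 r=8", stretch_scrypt,
         (SAMPLE_PASSWORD, SAMPLE_SALT), 1e2),
    ):
        per_guess = time_kdf(func, *args)
        rate = attacker_rate(per_guess, speedup)
        days = seconds_to_exhaust(PASSWORD_BITS, rate) / 86400
        print(f"{name:22s} {per_guess*1000:8.2f} ms/guess here, "
              f"~{rate:,.0f} guesses/s assumed for attacker, "
              f"{days:10.2f} days to exhaust {PASSWORD_BITS}-bit space")
```

The point of the cost model is the one made in answer 2 above: the defender controls the per-guess cost through the KDF parameters, and the number that matters is the attacker's cost to exhaust the space of passwords people actually choose, not the cost of a single derivation on the defender's machine. Raising the scrypt `n` parameter until a derivation takes a noticeable fraction of a second for the user is the usual tuning knob.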
