[Cryptography] Why don't we protect passwords properly?
Bill Frantz
frantz at pwpconsult.com
Tue Dec 24 18:27:29 EST 2013
On 12/24/13 at 10:03 AM, pinterkr at gmail.com (Krisztián Pintér) wrote:
>one could also ask how safe it is to sprinkle the secret all over the
>RAM, increasing the risk of getting swapped to disc, or being
>recoverable by cold boot attack.
I must say, these attacks don't seem to be common. Are there any
examples of these attacks being used in the real world?

Swap encryption is the sweet spot of cryptography because all
the key management problems go away. You don't even need to
generate the key until the first swap out so you have lots of
event timings to seed your random number generator. Use it and
the swap problem goes away.

The cold boot attack goes away if you leave your device off
during the times of greatest risk, like going through airport
security or customs.

These attacks pale into insignificance compared with the known
attacks on passwords. It is better to spend effort mitigating
the common attacks than worrying about attacks that are easily avoided.

Cheers - Bill
--------------------------------------------------------------
Bill Frantz | There are now so many exceptions to the
408-356-8506 | Fourth Amendment that it operates only by
www.pwpconsult.com | accident. - William Hugh Murray