Microsoft Wants to Kill Passwords, Starting with Windows 10

Yes, let me clarify; It's MORE prevalent now than it was in the past because more bad actors are now turning their attention to taking advantage of the now known ways of subverting the s7 protocol, but not as much REPORTING on it has been done, probably because no one likes to admit to being compromised, and obviously hackers and Nation States aren't going to own up to it. (and as an aside, if you don't think Nation States haven't been doing this for a long time you're kidding yourself) - but hackers other than governments are now slowly going to be taking advantage of the SMS 2FA, why? Because it's not as secure anymore as the OTR TBOTP apps like Google's authenticator. This is why the security community has already warned against, and has deprecated the use of SMS as a robust method of 2FA over time-based apps. As you've said above, is SMS better than nothing? Yes. Is Microsoft doing a disservice by offering SMS over the token based OTP? I believe they are yes.

So you know for sure it is more prevalent although there is no reporting? Come on man. I guess I can continue to use your logic of saying something is, just because I think it is without any proof whatsoever. You know, like your math that you didn't even link that somehow shows complexity is just as important as length of passwords... :rolleyes:

Look, I don't even know what your point with all this is anymore. Passwords are outdated and have been for a long time. And the SMS scare isn't even a major factor in this because for someone to be able to intercept and act on your SMS text message to take over your account would have to be a sniper with cat-like reflexes to recognize and do something about it. So it really isn't a factor in this. Nor is the SMS redirect that big of an issue all things considered. I have been hearing about it forever and forever people have been saying how big a problem it is, and yet hardly anything is out. I haven't had a single company I work with get hit with an SMS redirect attack or be affected by one.

Also read the article again, Microsoft isn't doing SMS for their 2FA, it is only being used as a one-time thing to setup the 2FA. You can also use OTP with MS as well, they have all kinds of articles on how to do it. You can use any number of solutions or setups. What they are offering is an easy way for first time users to start using a better system than passwords. It is amazing how many people want to hate a company even when that company is trying to improve security.
 
First, what do you mean by my own guy? I don't know the guy.

But as to your other point, straight quote:

"The longer you can make your passphrase while still adding some complexity, the better." Some complexity. I didn't say length alone, I said length was the predominant factor that affects it and is the most important factor by far. For yet another article explaining reasons why, go here. If you want to, I could go on all day listing links, articles, research, etc explaining why length is the most important factor. Basically it just comes down to math. In any case, it doesn't matter as passwords are still the less secure method for accessing systems compared to 2FA.

No, you basically can't. Any "references" you would be posting would be wrong. "Your guy" is the author of that first link you referenced. Again, there's no such thing as one over the other here; length and complexity are to be paired if your goal is to have a more secure passphrase. Using one method over the other will weaken your passphrase compared to using BOTH.
 
So you know for sure it is more prevalent although there is no reporting? Come on man. I guess I can continue to use your logic of saying something is, just because I think it is without any proof whatsoever. You know, like your math that you didn't even link that somehow shows complexity is just as important as length of passwords... :rolleyes: I showed you that YOUR OWN ARTICLE AUTHOR AND QUOTED HIS SENTENCE BACK TO YOU.

BEING REPORTED IN MAINSTREAM MEDIA. (jesus)

Look, I don't even know what your point with all this is anymore. THEN YOU'RE NOT LISTENING OR READING. Passwords are outdated and have been for a long time. <--- THIS IS TRUE. And the SMS scare isn't even a major factor in this because for someone to be able to intercept and act on your SMS text message to take over your account would have to be a sniper with cat-like reflexes to recognize and do something about it. <---- WHERE'S YOUR PROOF THEN? So it really isn't a factor in this. Nor is the SMS redirect that big of an issue all things considered. I have been hearing about it forever and forever people have been saying how big a problem it is, and yet hardly anything is out. I haven't had a single company I work with get hit with an SMS redirect attack or be affected by one. THAT YOU KNOW OF.

Also read the article again, Microsoft isn't doing SMS for their 2FA, it is only being used as a one-time thing to setup the 2FA. TBH I DIDN'T FULLY READ THAT ORIGINAL ARTICLE ABOUT MS DOING THIS TO LOG INTO WINDOWS ACCOUNTS. NO MOM AND POP IS GOING TO IMPLEMENT THAT. You can also use OTP with MS as well, they have all kinds of articles on how to do it. YEAH BUT MS's APP IS SHIT. You can use any number of solutions or setups. What they are offering is an easy way for first time users to start using a better system than passwords. It is amazing how many people want to hate a company even when that company is trying to improve security. PEOPLE'S HATE ON MS IS JUSTIFIED C'MON NOW. ARE YOU NOT A WINDOWS 10 USER? LMAO
 
No, you basically can't. Any "references" you would be posting would be wrong. "Your guy" is the author of that first link you referenced. Again, there's no such thing as one over the other here; length and complexity are to be paired if your goal is to have a more secure passphrase. Using one method over the other will weaken your passphrase compared to using BOTH.

And yet I just did, with a math formula proving it. But from the article linked:

"An interesting Microsoft TechNet blog article shows how, by looking at the formula to calculate bits of entropy (the measure in bits of how difficult it is to hack a password), the role of length is emphasized. The formula is log(C) / log(2) * L where C is the size of the character set and L the length of the password; from a mathematical standpoint, it is clear how L, the length, has a predominant role in the calculation of the entropy bits. C normally includes symbols, lower and upper case characters and numbers for a total of 96 possible characters or less, if some are excluded: “When looking at passwords in this light, it really starts to become clear how much more important the password length is, as opposed to the defined complexity requirements. To further this point, if you’re using passwords with a character set of 10 (only numbers), in order to achieve the same amount of entropy as a character set of 94 (all possible ASCII characters), you only have to double the password’s length."

See, MATH. I mean all you have to do is google "password length vs complexity" and you will get innumerable articles talking about it. The other added benefit of a longer, yet maybe slightly less complex password is the ability of the user to remember it and thus not write it down somewhere where it can be easily retrieved. There is a reason why password requirements for many companies, especially in the security industry have gone from 8->12->16 characters in length.

fairlane also learn to quote properly, inserting your remarks into my quote is ridiculous. Also your statements were incorrect. You took something out of context from the article I posted, and then I again quoted from it in context. Then you couldn't accept that. Then I even followed up with MATH since you seemed to think it suggested otherwise, and the math clearly showed length is the predominant factor.
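The entropy formula quoted above, L * log2(C), is easy to put numbers to. The following script is an added example, not code from the thread or from the TechNet article it quotes; the character-set sizes other than the 10 and 94 mentioned in the quote, and the 7776-word dictionary size used for the passphrase case, are conventional figures chosen for illustration. It shows where the "double the length" claim comes from (the ratio log2(94)/log2(10) is about 1.97) and also the caveat both posters keep circling: the formula only credits characters that are chosen uniformly at random, so a passphrase assembled from dictionary words gets its entropy from the number of words and the dictionary size, not from its character count.

```python
import math

# Illustrative character-set sizes. 10 and 94 are the figures quoted from the
# TechNet article; the others are common conventions, not values from the thread.
CHARSETS = {
    "digits": 10,            # 0-9
    "lowercase": 26,         # a-z
    "alnum_mixed": 62,       # a-z, A-Z, 0-9
    "printable_ascii": 94,   # the "all possible ASCII" set in the quote
}


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for `length` characters drawn independently and
    uniformly from `charset_size` symbols: log(C)/log(2) * L == L * log2(C).
    This is the quoted formula; it assumes truly random selection."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and a length of at least 1")
    return length * math.log2(charset_size)


def length_for_equivalent_entropy(target_bits: float, charset_size: int) -> int:
    """Smallest length over `charset_size` symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(charset_size))


def length_factor(small_set: int, large_set: int) -> float:
    """How many times longer a password from `small_set` must be to match one
    from `large_set`. Independent of length, since both sides scale with L."""
    return math.log2(large_set) / math.log2(small_set)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase built from `word_count` words picked uniformly
    from a `dictionary_size`-word list. Character length is irrelevant here:
    an attacker running a word list (the hashcat point raised later in the
    thread) only has to guess which words, not which characters."""
    if word_count < 1 or dictionary_size < 2:
        raise ValueError("need at least 1 word and a dictionary of at least 2")
    return word_count * math.log2(dictionary_size)


def main() -> None:
    base = entropy_bits(CHARSETS["printable_ascii"], 8)
    print(f"8 chars from 94 symbols : {base:.1f} bits")
    for name, size in CHARSETS.items():
        need = length_for_equivalent_entropy(base, size)
        print(f"  same strength using {name:15s} (C={size:2d}): length {need}")
    print(f"length factor 10 -> 94 : {length_factor(10, 94):.2f} (the 'double' claim)")

    # Sixteen random characters, even digits only, beats eight random
    # printable-ASCII characters; that is the 'length predominates' argument.
    print(f"16 random digits       : {entropy_bits(10, 16):.1f} bits")

    # The caveat: four words from a 7776-word list is ~28 characters long but
    # is worth only the words' entropy, well below 28 random characters.
    print(f"4 words from 7776-list : {passphrase_bits(4, 7776):.1f} bits")
    print(f"28 random lowercase    : {entropy_bits(26, 28):.1f} bits")


if __name__ == "__main__":
    main()
```

The two functions to compare are entropy_bits and passphrase_bits: the first is the article's formula and rewards length linearly and character-set size only logarithmically; the second is what a word-list attacker actually faces, which is why "long but made of dictionary words" does not get the credit the formula seems to promise.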
 
Here just to help with the MATH:

Article using MATH
Article using MATH
Article using MATH
Article using MATH

Like I said, I could do this all day. Longer is definitely better, don't use dictionary words, complexity helps some.

God you are thick, aren't you. Federated Infrastructure & Integration Engineer? Yep, just as I suspected, thick. Again, you could do this all day and you'd still leave out the most relevant part; it's not only length (as I've said repeatedly), it's randomness. That means not only using the aforementioned pool of all alphabets, but padding that space. Length will obviously add exponential combinations but if you only use one or two character sets in the keyspace, it doesn't make it more secure; making it more RANDOM does, and that's the goal. Who gives a shit if length is PREDOMINANT if people are NOT going to better randomize their passphrases. No one will remember them, and not enough people are going to use password managers. And that's pretty much what all of your articles stipulate; yeah, they say length is important (because it's EASY to do), but they also stretch the importance (which you seem to constantly downplay) that if you want to make it stronger it has to be more RANDOM i.e. complexity, which ups the entropy (ability to hack). So let me fix your boiled down version of "Length is better, don't use dictionary words, complexity helps some" to: Longer is required, don't use ANY words, complexity helps A LOT. There. fixed.

As to your point of companies' policies setting a limit on passphrase length, there should be NO limit. Why give anything away (keyspace length) to the potential attacker?

Go ahead and "do this all day".

I will quote however I wish so you can kindly go fuck yourself on that point.

Best yet, use 2FA or stronger instead of just passwords.
 
fairlane address the post, not the poster first of all. You say I am thick, and yet I have provided ample evidence for my remarks, you have provided zero. You also haven't done anything but attack me for insisting that length is the most important part of the equation, which is proven over and over again by all the math. I did not say it was the only part of the equation. But yes, length, yet again as proven by the MATH is the most important component of the randomness you wish to try and hype now, even though you were talking about complexity, not randomness.
 
I'm too old to do your research for you, since EVERY link you've provided is weak at best and wrong at worst so here:


https://www.grc.com/sn/sn-594.pdf

You mean you are too old to actually do any modern research on the issue, even though this research goes back to the 1990s and has been talked about ad nauseam at security conferences for decades now... ?

Yet again, you argued complexity not entropy. But the biggest component of entropy is length. This is even discussed in one of the links I provided, that had you actually read, you would have seen. Plus this pdf you give me is a transcript of a podcast and not even the actual research. But to answer that pdf, the guy's reasoning is flawed there, because hashcat works based on dictionary words, which I have already addressed ad nauseam as well. Also hashcat had issues with passwords longer than 15 characters, so just making a password of 16 characters with dictionary words still confuses it. So yes, length is still the overall winner. But again, you shouldn't use dictionary words. Using a long password without dictionary words is king.

Come on man. You want to make a point, then provide proof with the research or just stop.

Also this is all dumb, because the entire point of my posts here is that passwords in general are not safe and should not be used. So unless you have an argument why passwords are effective enough, I don't understand what you want to gain from this? You certainly aren't going to convince me that somehow math is wrong or that modern security experts in this field are wrong.
 