gmail security is a joke
rsk at gsp.org
Wed May 27 20:20:33 UTC 2015
On Wed, May 27, 2015 at 01:51:35PM -0400, Barry Shein wrote:
> Getting a copy of the database of hashes and login names is basically
> useless to an attacker.
Not any more, if the hash algorithm isn't sufficiently strong:
25-GPU cluster cracks every standard Windows password in <6 hours
"Gosney used the machine to crack 90 percent of the 6.5 million
password hashes belonging to users of LinkedIn."
Consider as well that not all attackers are interested in all accounts:
imagine what this system (or a newer one; this one is 2.5 years old) could
do if focused on only one account.
And of course epidemic password reuse means that cracked passwords
are reasonably likely to work at multiple sites.
And even if passwords aren't reused, there have now been so many
breaches at so many places resulting in so many disclosed passwords
that a discerning attacker could likely glean useful intelligence
by studying multiple password choices made by a target. (We're all
creatures of habit.)
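An added example, not code from the post or from the article it cites, of the two points Rich makes: a stolen login/hash table is far from useless when the hash is fast and unsalted, and one cracked password can be tried straight against the same login at another site. It assumes unsalted SHA-1 as the "not sufficiently strong" scheme and salted PBKDF2-HMAC-SHA256 as the strong one; every login, password, dump and wordlist in it is constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example (not from the post). Assumptions: unsalted SHA-1 stands in for
a weak fast hash, salted PBKDF2-HMAC-SHA256 for a strong one. All logins,
passwords, dumps and the wordlist are constructed for illustration."""
import hashlib
import os

# Constructed wordlist. Real attacks use hundreds of millions of entries from
# earlier breaches plus far richer mangling rules.
WORDLIST = ["password", "letmein", "summer2015", "qwerty123", "dragon"]


def mangle(word):
    """Tiny stand-in for cracker mangling rules: common variants of one word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word.capitalize() + "!"


def candidates(wordlist):
    """All mangled candidates, de-duplicated, in a deterministic order."""
    seen = set()
    for word in wordlist:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def fast_hash(password):
    """Unsalted SHA-1: one hash per candidate covers every account in a dump."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password, salt, iterations=50_000):
    """Per-user salt plus an iterated KDF: each account must be attacked alone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed "leaked" dumps, login -> stored hash. carol's password is random
# and never in the wordlist; alice reuses hers at both sites.
SITE_A = {"alice": fast_hash("Summer2015!"), "bob": fast_hash("letmein"),
          "carol": fast_hash("x7#Qv9!pL2wR")}
SITE_B = {"alice": fast_hash("Summer2015!"), "bob": fast_hash("Dragon1")}

# The same site-A passwords stored the strong way: login -> (salt, hash).
_PLAIN_A = {"alice": "Summer2015!", "bob": "letmein", "carol": "x7#Qv9!pL2wR"}
SITE_A_SALTED = {}
for _user, _pw in _PLAIN_A.items():
    _salt = os.urandom(16)
    SITE_A_SALTED[_user] = (_salt, slow_hash(_pw, _salt))


def crack_unsalted(dump, wordlist):
    """Return (login -> password, hashes computed). The count depends only on
    the candidate list, not on how many accounts the dump holds: 6.5 million
    unsalted hashes cost the same per candidate as three."""
    table, count = {}, 0
    for cand in candidates(wordlist):
        table[fast_hash(cand)] = cand
        count += 1
    return {user: table[h] for user, h in dump.items() if h in table}, count


def crack_salted(dump, wordlist):
    """Same attack on salted, iterated hashes: cost is candidates x accounts,
    and every hash is tens of thousands of times slower. Stops when found."""
    found, count = {}, 0
    for user, (salt, stored) in dump.items():
        for cand in candidates(wordlist):
            count += 1
            if slow_hash(cand, salt) == stored:
                found[user] = cand
                break
    return found, count


def stuff_from_a_to_b(cracked_a, dump_b):
    """Offline credential stuffing: try each password cracked at site A against
    the same login's hash at site B; return the logins where it matches."""
    return sorted(user for user, pw in cracked_a.items()
                  if user in dump_b and fast_hash(pw) == dump_b[user])


if __name__ == "__main__":
    cracked, n = crack_unsalted(SITE_A, WORDLIST)
    print(f"unsalted: cracked {cracked} with {n} hash computations")
    print(f"reused at site B: {stuff_from_a_to_b(cracked, SITE_B)}")
    cracked_s, n_s = crack_salted(SITE_A_SALTED, WORDLIST)
    print(f"salted+iterated: cracked {cracked_s} with {n_s} slow computations")
```

The unsalted run recovers alice and bob with 25 hash computations however many accounts are in the dump, and alice's cracked password then opens her site-B account directly; the salted run recovers the same two but needs one slow KDF per candidate per account, which is what turns a six-hour job into an impractical one at scale. Against a single targeted account, as the post notes, that per-account cost is exactly what an attacker is willing to pay.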