Why use strong passwords?
# 8  
Old 11-05-2012
Quote:
Originally Posted by Corona688
That only matters when you've swiped someone's shadow file though. If they have to brute-force your login, most systems will slow down failed logins severely.
Well, that is exactly what I said in my first post, that the issue is when someone steals the password file (what ever kind it is), my post was:

Quote:
One reason is that if someone steals the password file with all the encrypted passwords, it is easy to crack weak passwords. So, imagine a business with 20,000 customers and someone steals the password file. It would be easy for a criminal to run a brute force exploit (attack) against the encrypted passwords in the password file, and then subsequently compromise the accounts.
And in reality, this is what happens. A password file or database full of (encrypted) passwords is stolen; this can also include encrypted credit card information and other confidential data.

The same is also true for encrypted Wi-Fi keys, which can be stored as encrypted text and then, later on, a brute force attack is applied against those passwords; so the exploit is first gathering the data (encrypted text) and later running an attack against the ciphertext.
# 9  
Old 11-05-2012
Even so, you are still left with the problem of determining the seed used on the target system. The same password for the same user on the same system does not produce the same encrypted key each time the password is changed.
# 10  
Old 11-05-2012
The seed is not a problem, it is just more bits to brute force, for the most part, and it does not take a cryptographic genius to run brute force attacks against passwords with salt.

Actually, I recall from my old days in Internet security that the salt / seeds can actually be exploited and some actually weaken the crypto when many examples of the encrypted data exist.

For example, a large passwd file has many examples of the same crypt algorithm running against the same plaintext, so the salt can actually weaken the crypto, in some cases.

But it's been years since I did this deep-level security work.

The bottom line is that crypto is math, and brute force attacks against ciphertext are easy in the world of modern computing. The most important thing is to use the longest key space possible and modern algorithms designed to be strong against modern computing power.
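To make the two points above concrete (post #8: a stolen password file is attacked offline; post #10: a salt is "just more bits", it stops precomputation but does not stop a per-account dictionary or brute force run), here is an added worked example. It is not code from this thread or from any of its posters. It constructs its own tiny "shadow file" of three accounts hashed as hex(SHA-256(salt || password)), a scheme chosen only so the demo runs instantly; the account names, salts, passwords and the five-word wordlist are all made up for the illustration.

```python
"""Offline attack on a stolen, salted password file (constructed demo, not from the thread)."""
import hashlib
import itertools
import string

# --- Constructed sample data -------------------------------------------------
# Hash scheme: hex(SHA-256(salt || password)). Plain SHA-256 is used so the demo
# finishes instantly; it is deliberately a poor choice for real password storage
# (use bcrypt, scrypt or Argon2), which is the thread's point about algorithms.
SALTS = {"alice": b"x7Qp", "bob": b"R2d9", "carol": b"k0Lm"}   # constructed
SECRETS = {                                                   # never seen by the attacker
    "alice": "letmein",
    "bob": "letmein",                         # same password as alice, different salt
    "carol": "correct horse battery staple",  # an xkcd-style passphrase
}
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome"]  # constructed tiny wordlist


def hash_password(password, salt):
    """Return the hex digest of SHA-256(salt || password)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_shadow():
    """Build the 'stolen file' as user:salt:hash lines, a simplified /etc/shadow."""
    return ["%s:%s:%s" % (u, SALTS[u].decode(), hash_password(SECRETS[u], SALTS[u]))
            for u in SECRETS]


def parse_shadow(lines):
    """Map user -> (salt bytes, hex digest) from the stolen lines."""
    result = {}
    for line in lines:
        user, salt, digest = line.strip().split(":")
        result[user] = (salt.encode(), digest)
    return result


def dictionary_attack(shadow_lines, wordlist):
    """Try each wordlist entry against each account; stop per account on first hit.

    Because every account has its own salt, the attacker must recompute the hash
    of every candidate for every account instead of hashing the wordlist once and
    looking the result up.  Returns (cracked {user: password}, hashes computed).
    """
    cracked, hashes = {}, 0
    for user, (salt, digest) in parse_shadow(shadow_lines).items():
        for word in wordlist:
            hashes += 1
            if hash_password(word, salt) == digest:
                cracked[user] = word
                break
    return cracked, hashes


def brute_force(salt, digest, alphabet, max_len):
    """Exhaustive search of every string over alphabet up to max_len characters.

    Returns (password, candidates tried) on success, (None, candidates tried) otherwise.
    The salt is simply fed into each trial hash: it adds no work beyond that.
    """
    tried = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            tried += 1
            candidate = "".join(chars)
            if hash_password(candidate, salt) == digest:
                return candidate, tried
    return None, tried


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must cover in the worst case."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, hashes_per_second):
    """Worst-case wall-clock time for a full search at the given hash rate."""
    return keyspace(alphabet_size, length) / hashes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    stolen = make_shadow()
    print("\n".join(stolen))                      # alice and bob share a password, hashes differ
    print("cracked:", dictionary_attack(stolen, WORDLIST))
    target = hash_password("zz", b"s")
    print("2-char lowercase:", brute_force(b"s", target, string.ascii_lowercase, 2))
    for size, length in ((26, 8), (95, 8), (95, 16)):
        print("alphabet %d, length %d: %.3g years at 1e10 H/s"
              % (size, length, years_to_exhaust(size, length, 1e10)))
```

Running it shows alice and bob with different hashes for the same password (the salt point from post #9), both recovered by the dictionary attack while carol's passphrase survives, and a 2-character lowercase password exhausted in 702 trials. The `years_to_exhaust` figures are for an assumed 10^10 hashes per second, a round number for illustration, not a measured rate; the 95-character, 16-length case comes out to an absurd number of years, which is the practical meaning of "the longest key space possible".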
# 11  
Old 11-05-2012
Here is one quick reference about salt:

Quote:
Obviously, the use of salting does not necessarily improve the strength of the encryption. In fact, especially since the mechanism of DEA is not well understood by cryptanalysts who do not have access to classified files explaining the algorithm, it is possible that salting may have weakened the encryption process.
Frankly, many years ago, I worked on a project to help NIST in the US evaluate the AES algorithm. I even wrote a paper on the topic; but it was not published (public).

Crypto is math, and computing power... and the state of the art changes as computing power changes. What was a great crypto algorithm for the processing power of 10 years ago is just weak "history" today, and the same is true for the crypto today, when we fast forward 10 or more years.

Edit: Anyway, this is mostly "abstract" because when discussing cryptography, we should really not speak in sweeping generalizations, but focus on the exact algorithms, hash functions, length of keys, salt, method of storing both cryptographic hashes and salt, etc.
# 12  
Old 11-05-2012
Passwords are no longer stored in /etc/passwd. If you have access to /etc/shadow, then you already have root access to the target system anyway, either through the root password, or physical access.
# 13  
Old 11-05-2012
Quote:
Originally Posted by jgt
Passwords are no longer stored in /etc/passwd. If you have access to /etc/shadow, then you already have root access to the target system anyway, either through the root password, or physical access.
Yes, I am using the term "password file" in the general sense, as we have not discussed a specific system, algorithm, configuration, security policy, etc.

And, we are getting far off topic in my view; the original poster asked why there is a requirement for strong passwords versus weak ones; not for a discussion of every possible argument pro and con for security.

It's not that hard for an experienced attacker to gain root access; but that is not a topic for this thread. In fact, as we know, we can gain root access for most any computer we have physical access to.

Let's not go down that path.. thanks. The path just gets further and further off topic of the question asked by the original poster.
# 14  
Old 11-05-2012
In case anyone needs help with choosing a strong password: xkcd: Password Strength

Regards,
Alister