[BBLISA] Reusing Passwords on Different Sites Should be OK

Edward Ned Harvey (bblisa4) bblisa4 at nedharvey.com
Thu Sep 17 17:03:37 EDT 2015


> From: Matt Simmons [mailto:bandman at gmail.com]
> Sent: Thursday, September 17, 2015 4:16 PM
> 
> But then, if I manage to brute force a password somewhere, doesn't that
> give me the correct credentials to authenticate everywhere else that shares
> the same set of credentials?

That's the whole point: brute force should be required, and presently is not. (Present industry standard: servers have direct access to passwords, no guessing necessary.) Brute force is difficult and very ineffective as long as a rate-limiting function has been used. The only passwords you'll be able to brute-force are "password" and "123456" and a few others. Anybody who is using these ridiculously moronic passwords across sites doesn't expect it to be secure, and rightly so. It's impossible to protect those accounts.

To quantify this, you remember, when they thought the Ashley Madison passwords were protected by bcrypt, they were only able to harvest around 4,000 of the users' passwords, which is 0.003%, and then gave up and declared defeat, because it would take too long and be too expensive to continue trying. The ROI would be negative. But the moment they discovered a simple md5-based hash, that figure instantly jumped up to 11 million, which is 8% of the Ash Mad users. If we continue with the industry the way we are now, that number is 100%. If the hackers who were apparently in the Ash Mad systems for an extended undetected period had bothered to grab the passwords out of memory, they would have gotten 100%. In the case of Ash Mad, the brute force efforts (md5 or bcrypt) were only relevant because it was an offline aftermath analysis.
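The offline-cracking economics the post describes (a fast hash lets an attacker test every wordlist entry against every leaked record in microseconds; a slow hash multiplies the cost of each guess) can be seen directly in a small simulation. The code below is an added example for this page, not code from the original post or from any of the parties discussed. It assumes a constructed five-user "leak" and a ten-entry wordlist (a real attack uses millions of entries), and it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so that it runs with no third-party packages; the iteration count is an arbitrary choice for illustration.

```python
"""Offline dictionary attack against a leaked hash list: fast hash vs. slow hash.

Added example (not from the original post). Uses PBKDF2 as a stand-in for
bcrypt; the sample users and wordlist below are constructed for the demo.
"""
import hashlib
import os
import time

# Constructed sample "leak": plaintexts are shown only so the example can build
# its own hash list offline. "dave" and "erin" are not in the wordlist and
# should survive both attacks regardless of the hash used.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "123456",
    "carol": "letmein",
    "dave": "Tr0ub4dor&3",
    "erin": "correcthorsebatterystaple",
}

# Constructed tiny wordlist, ordered roughly by popularity.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "admin", "welcome", "monkey", "dragon", "football"]

# Arbitrary work factor for the slow hash (assumption, chosen so the demo
# finishes in well under a second while still dwarfing md5's cost).
PBKDF2_ITERATIONS = 20_000


def md5_hash(password: str, salt: bytes) -> str:
    """Salted md5: one hash call per guess, microseconds each."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256: PBKDF2_ITERATIONS hash calls per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS).hex()


def build_leak(users: dict, hash_fn) -> dict:
    """Simulate the stored credential table: user -> (salt, digest)."""
    leak = {}
    for user, pw in users.items():
        salt = os.urandom(8)
        leak[user] = (salt, hash_fn(pw, salt))
    return leak


def crack(leak: dict, wordlist: list, hash_fn):
    """Try every wordlist entry against every record (per-salt, so no
    precomputation). Returns (recovered passwords, number of guesses made)."""
    recovered = {}
    guesses = 0
    for user, (salt, digest) in leak.items():
        for candidate in wordlist:
            guesses += 1
            if hash_fn(candidate, salt) == digest:
                recovered[user] = candidate
                break
    return recovered, guesses


def projected_seconds(per_guess_seconds: float, n_accounts: int,
                      n_candidates: int) -> float:
    """Worst-case cost of a full wordlist sweep over a leak of n_accounts."""
    return per_guess_seconds * n_accounts * n_candidates


def compare(users=SAMPLE_USERS, wordlist=WORDLIST) -> dict:
    """Run the same attack against an md5 leak and a PBKDF2 leak and report
    what was recovered plus the measured per-guess cost of each."""
    results = {}
    for name, fn in (("md5", md5_hash), ("pbkdf2", slow_hash)):
        leak = build_leak(users, fn)
        t0 = time.perf_counter()
        recovered, guesses = crack(leak, wordlist, fn)
        elapsed = time.perf_counter() - t0
        per_guess = elapsed / guesses
        results[name] = {
            "recovered": recovered,
            "guesses": guesses,
            "seconds": elapsed,
            "per_guess_seconds": per_guess,
            # Projection for a realistic leak: 36 million accounts,
            # a 10-million-entry wordlist (numbers are illustrative).
            "projected_days_36M_x_10M": projected_seconds(
                per_guess, 36_000_000, 10_000_000) / 86_400,
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:7s} recovered={sorted(r['recovered'])} "
              f"guesses={r['guesses']} per_guess={r['per_guess_seconds']*1e6:.1f}us "
              f"projected_days={r['projected_days_36M_x_10M']:.2e}")
```

Both attacks recover exactly the same three accounts (the ones whose passwords are in the wordlist), which is the post's point that weak passwords are unprotectable either way; what changes is the per-guess cost, and therefore the projected time for a full sweep, which is what makes the slow-hash attack uneconomic to continue.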

