Read the book Security Engineering - Ross Anderson - Page 92

3.4.2 Password choice


Many accounts are compromised by guessing PINs or passwords. There are botnets constantly breaking into online accounts by guessing passwords and password-recovery questions, as I described in 2.3.1.4, in order to use email accounts to send spam and to recruit machines to botnets. And as people invent new services and put passwords on them, the password guessers find new targets. A recent example is cryptocurrency wallets: an anonymous ‘bitcoin bandit’ managed to steal $50m by trying lots of weak passwords for ethereum wallets [810]. Meanwhile, billions of dollars' worth of cryptocurrency has been lost because passwords were forgotten. So passwords matter, and there are basically three broad concerns, in ascending order of importance and difficulty:

1. Will the user enter the password correctly with a high enough probability?

2. Will the user remember the password, or will they have to either write it down or choose one that's easy for the attacker to guess?

3. Will the user break the system security by disclosing the password to a third party, whether accidentally, on purpose, or as a result of deception?
