Comments on PortSwigger.net - web application security: Can you hit a moving target?
Comment feed by PortSwigger, last updated 2008-05-04T18:08:43Z (8 comments, newest first; several comment bodies are truncated in the feed).

PortSwigger, 2008-05-04T18:08:00Z:
@Allan Sure, changing passwords can be (and perhaps typically are) combined with other controls like static passwords. But what interested me was the intuition that a password which changes is much harder to guess than one which does not. That intuition is traded on by salesmen, and people evidently find it compelling. The problem is that it is mistaken.

Allan, 2008-05-04T16:53:00Z:
I've been on a number of sites with the 60-second keyfob solution from RSA. I believe that in all cases, the six-digit number was not intended for use as a password. The freshest instance in my memory was a site where first you used the number appended to your phone extension to access the corporate VPN, after which you provided your password to get to your Citrix desktop. In a couple of other

PortSwigger, 2008-05-04T16:46:00Z:
@The Mighty Gnit You are still asking the wrong question. To repeat, I am not claiming that someone can guess "every 26 spins", but rather that this is the point at which the probability of your not having guessed falls below 0.5. To prove this point in code (rather than your different one), use the following (in C#). It shows that half the time we can guess a 1-in-37 random number correctly after

The Mighty Gnit!, 2008-05-04T16:09:00Z:
@portswigger The whole point of a 37-to-1 shot is that you probably will guess/predict correctly on average once every 37 spins. This is immutable. Each prediction is independent of the previous one. There is no way around this. The odds don't stack. You will not guess the correct combination or number on average once every 26 spins. If you were guaranteed that that particular number would not come up

PortSwigger, 2008-05-03T08:56:00Z:
@The Mighty Gnit You are confusing two different things. I am not saying that you can expect to win at roulette "every 26 spins", nor am I aware of a way to beat the house. To repeat, if there are 37 possibilities and the outcome is fixed, then I will probably have guessed it after 19 attempts. This is the point at which the probability of my not having guessed it falls below 0.5. Half the time, I

The Mighty Gnit!, 2008-05-03T04:23:00Z:
@PortSwigger I suspect an error in your math or reasoning. To continue the roulette analogy: if you were successfully predicting a single number on a roulette wheel with greater than 1 in 37 chance (on average), then I would say with certainty that either: a: you are cheating, or b: the rng/wheel has a bias. The whole point of a 1/37 chance of success on any particular prediction means exactly that:

PortSwigger, 2008-05-02T18:34:00Z:
@The Mighty Gnit I didn't deny that the odds of guessing a changing password are the same on each attempt - in fact, I asserted it. The point is that the fact of the password's changing doesn't make it very much harder to guess, compared with a static password. To pursue your analogy, if a roulette wheel has 37 possible outcomes, and I only get one guess per outcome, then on average I will get a hit

The Mighty Gnit!, 2008-05-02T18:03:00Z:
Being in the casino industry, I have to say that I think you are incorrect in this statement. Roulette wheels are the equivalent of the constantly-changing password. Each spin, they have a 1/37 (depending upon the wheel, double-zero etc.) of hitting any number. Blackjack (shoe game without a continuous shuffling machine) is a much easier beast. Because you know which cards have been discarded (i.e.
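The numbers argued over in the thread (19, 26 and 37 attempts) can be checked directly. The following is an added Python example, not the C# program PortSwigger refers to (which is not on the page); a 37-pocket single-zero wheel stands in for 37 candidate passwords, and the simulation parameters (seed, trial count) are constructed here.

```python
from fractions import Fraction
import random

N = 37  # pockets on a single-zero wheel, standing in for N possible passwords


def p_unguessed_static(n, N=N):
    """Fixed secret, each guess a new candidate: P(still unguessed after n guesses)."""
    return Fraction(max(N - n, 0), N)


def p_unguessed_changing(n, N=N):
    """Secret re-drawn before every guess (a roulette spin): P(still unguessed after n)."""
    return Fraction(N - 1, N) ** n


def attempts_to_even_odds(p_unguessed, N=N):
    """Smallest n at which P(unguessed) drops below 1/2: PortSwigger's 19 and 26."""
    n = 0
    while p_unguessed(n, N) >= Fraction(1, 2):
        n += 1
    return n


def mean_attempts_static(N=N):
    return Fraction(N + 1, 2)  # hit on guess k with probability 1/N, k = 1..N


def mean_attempts_changing(N=N):
    return Fraction(N)  # geometric with p = 1/N: The Mighty Gnit's "once every 37 spins"


def simulate_hit_rate(guesses, trials, changing, seed=1, N=N):
    """Fraction of constructed trials in which the secret is hit within `guesses` tries."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        secret = rng.randrange(N)
        order = list(range(N))
        rng.shuffle(order)  # static case: never repeat a guess
        for g in range(guesses):
            if changing:
                secret = rng.randrange(N)  # the wheel is spun again before each guess
                guess = rng.randrange(N)
            else:
                guess = order[g]
            if guess == secret:
                hits += 1
                break
    return hits / trials
```

Both participants are right about different statistics: the changing secret takes 37 guesses on average (the mean), but the attempt count at which a hit becomes more likely than not (the median) is 26, against 19 for a fixed secret.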