Hector Martin
Thread about numeric passcode strength on iPhones. And *this* is why I consider my rooted Android phone to be more secure than iPhones under a whole category of attack scenarios. Because I can use a separate 25-character full ASCII *startup* password and an 8-digit *unlock* code.
Hector Martin 17 Jan
Replying to @marcan42
Sure, you can try to attack my phone from a powered-but-locked state, but if you screw up and it reboots, or if you attempt any boot chain attacks, or if the battery runs out, you are *not* getting in. Period.
Hector Martin 17 Jan
Replying to @marcan42
I don't know why nobody offers this option of split FDE/unlock codes by default (neither iPhones nor stock Android). It's such a massive no-brainer to increase security to basically "unbreakable" under an entire class of practical attack scenarios.
Hector Martin 17 Jan
Replying to @marcan42
(And we can already do this exact thing for FDE on desktops/laptops, so it's not like it's novel)
rcombs 17 Jan
Replying to @marcan42
i mean… my unlock passcode is 20 chars
Hector Martin 17 Jan
Replying to @11rcombs
My patience isn't that high :-)
Dean Herbert 17 Jan
Replying to @marcan42
hmm i suddenly feel pretty safe with my 14 digit password
Mempler 17 Jan
Replying to @ppy @marcan42
I only have 32 digit passwords lol (doesn't work on every website though, as it's "too long")
Piero Ulloa 17 Jan
Replying to @marcan42
But doesn't having a custom recovery kind of defeat the purpose?
Hector Martin 17 Jan
Replying to @piero512
No, why would it? The FDE passphrase is cryptographically bound to the userdata partition, it doesn't matter if you can compromise all software. At most, if you break the TrustZone bit (which is separate from custom rec), you can speed up the cracking attempt, but not enough.
Bit Rot Farmer 17 Jan
Replying to @marcan42
out of curiosity - does rooted equal unlocked bootloader? How do you prevent somebody from backdooring the password dialog?
Hector Martin 17 Jan
Replying to @bitrotfarmer
You don't; I'm talking about people taking your phone, not evil maid attacks. I don't consider the latter in scope, because I don't really leave my phone unattended, basically ever.