Re: Creating a Password

From: Mimic (gn0rty@gn0rties.ville)
Date: 02/07/03


From: "Mimic" <gn0rty@gn0rties.ville>
Date: Fri, 7 Feb 2003 17:02:58 -0000


"The Other Guy" <nospam@this.addy> wrote in message
news:qfk74vshen2rc3icp68363umnn4negrpoh@4ax.com...
> On Fri, 07 Feb 2003 13:11:20 GMT, while waiting for Somebody Else to
> show up and say something, The Other Guy responded to a post from "Don
> Kelloway" <dkelloway@commodon.com> who wrote in alt.computer.security:
>
> >It is my opinion that an even better reply to choosing a password less apt
> >to be cracked, would be to select two from each of the following four
> >categories and mix them any way you want.
> >
> >capital letters, numbers, lowercase letters, symbols
> >
> >Example(s): Qi8&W3n! or Vd#9iR%n
> >
> >Such passwords can only be cracked by means of brute force.
>
>
> Well put, Don. I'd add a couple of things.
>
> 1) Brute forcing these kinds of passwords can take eons to crack, thus
> not worth the effort (the cracker would just move on to other
> accounts).
>
> 2) However, they can be discovered through any form of social
> engineering (writing it down on the sticky note and leaving it for any
> one to see; giving it to someone who you think is trusted -- the old
> call from the "administrator" needing to update and test accounts,
> etc.).
>
> 3) passwords should also be a minimum of eight characters, and likely
> can't exceed 15 depending on the O/S and its restrictions. Don's
> example illustrated the min 8 characters process, but I just wanted to
> clearly state that.
>
> Furthermore, users tend to shy away from these types of passwords
> because of the difficulty of remembering them (hence it is easier to
> use your kid's name, or favourite TV character).
>
> Finally, there should be some sort of enforcement of password change
> policy, say every six months, to make it truly effective (i.e., again
> using SE, I could get the first four characters at one point, and then
> the other four later on).
>
> Cheers,
> TOG
>
> --
> ./configure --prefix=~/zyterion
> Not this guy or that guy, The Other Guy.
>

I understand DES has a "problem" with >8 char passwords, in that it makes a
14-char passwd no stronger than an 8, and to this end MD5 should be used. But
I'm not really a Nix person, so I could be wrong.

--
Mimic
"Without knowledge you have fear, with fear you create your own nightmares"
"There are only 10 types of people in the world. Those that understand
Binary, and those that don't."

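The thread makes two concrete claims that are easy to check mechanically: Don's rule (two characters from each of capitals, lowercase, digits and symbols, which with TOG's point implies at least eight characters) and Mimic's point that a hash scheme which only looks at the first eight characters makes a longer password no stronger. The script below is an added example written for this page, not code from any of the posters. It implements the policy check, estimates the brute-force keyspace from the classes actually present, and models the truncation as a simple prefix cut (the `"des"`/`"md5"` scheme names, the 8-character cut and the guess rate of one million per second are assumptions used for illustration, not measured figures).

```python
import math
import string

# Character classes from Don's rule: capital letters, numbers,
# lowercase letters, symbols (string.punctuation has 32 symbols).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def class_counts(password):
    """Count how many characters of the password fall into each class."""
    counts = {name: 0 for name in CLASSES}
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                counts[name] += 1
    return counts


def meets_policy(password, min_per_class=2, min_len=8):
    """Don's rule plus TOG's minimum length: at least two characters from
    each of the four classes and at least eight characters overall."""
    if len(password) < min_len:
        return False
    return all(n >= min_per_class for n in class_counts(password).values())


def effective_password(password, scheme):
    """The part of the password the hash actually sees.  Assumption for this
    example: the "des" scheme keeps only the first 8 characters (the
    truncation Mimic describes), the "md5" scheme hashes the whole string."""
    if scheme == "des":
        return password[:8]
    if scheme == "md5":
        return password
    raise ValueError(f"unknown scheme {scheme!r}")


def alphabet_size(password):
    """Size of the alphabet a brute-force search must cover, assuming the
    attacker knows which classes appear (a conservative estimate)."""
    counts = class_counts(password)
    return sum(len(chars) for name, chars in CLASSES.items() if counts[name])


def keyspace_bits(password, scheme="md5"):
    """log2 of the number of candidates needed to exhaust the keyspace."""
    eff = effective_password(password, scheme)
    size = alphabet_size(eff)
    return len(eff) * math.log2(size) if size else 0.0


def brute_force_years(password, scheme="md5", guesses_per_second=1e6):
    """Worst-case years to exhaust the keyspace at the given guess rate.
    The default rate is a constructed placeholder, not a measured figure."""
    seconds = 2 ** keyspace_bits(password, scheme) / guesses_per_second
    return seconds / (365.25 * 86400)


if __name__ == "__main__":
    # The two examples from Don's post, a weak baseline, and a longer variant.
    for pw in ("Qi8&W3n!", "Vd#9iR%n", "password", "Qi8&W3n!Extra"):
        print(pw, class_counts(pw), "policy ok" if meets_policy(pw) else "rejected")
        for scheme in ("des", "md5"):
            print(f"  {scheme}: {keyspace_bits(pw, scheme):.1f} bits, "
                  f"~{brute_force_years(pw, scheme):.0f} years at 1e6 guesses/s")
```

Run on the two passwords in the thread, the checker accepts `Qi8&W3n!` (two of each class, 94-character alphabet, about 52 bits) but reports that `Vd#9iR%n` contains only one digit. Under the truncating scheme, `Qi8&W3n!Extra` scores exactly the same bits as `Qi8&W3n!`, which is the effect Mimic is describing; under the full-length scheme the extra characters count.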