Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Tom Talley <Thomas.Talley () MICROSOFT COM>
Date: Fri, 16 Apr 2010 01:53:11 +0000

The actual research paper is posted here:

http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

Highly encouraged to review. 

Thanks

Tom

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
Sent: Thursday, April 15, 2010 6:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

Heck, Alec Muffett's cracklib was on to that strategy in the mid-90s...

I used to run cracklib with a modest set of English language dictionaries linked into passwd as an admission quality 
check, would have people complain that it wouldn't accept their password candidates, and I could never have predicted 
why it'd reject their passwords, but they were being failed on input, so there's no reason it wouldn't have failed as a 
test against a hash, or a brute-force, and so... people had to pick something different.

From several conversations I've had of late, though, the state of this particular art seems to have submerged below 
the general consciousness, so it's probably worth mentioning again. 

    -jml

-----Original Message-----
From: Alex Keller
Sent: 2010-04-15 17:51:08
To: Alex Keller;SECURITY () LISTSERV EDUCAUSE EDU
Cc: 
Subject: Re: [SECURITY] Please do not change your password


re: Now apply the rules which were discussed and you come up with something like:

 Ny_G1@nts


I used to recommend this same technique until I discovered that many of the more modern hybrid dictionary/brute force 
password guessing tools can be easily configured to check for common obfuscation substitutions:
@ for a, 1 for i, 3 for e, $ for s, etc.


best,
alex

--
Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller () sfsu edu

On 4/15/2010 10:46 AM, Don Cochran wrote:

In our course we teach the learner to choose an easy to remember, but
hard to guess password and suggest that a password such as your
favorite football team would be a good choice.

We then teach them how to apply a couple easy to follow rules....after
discussing and showing them an example.

Ex: New York Giants...pretty easy to remember, huh?

Now apply the rules which were discussed and you come up with something
like:

Ny_G1@nts

At least 8 characters long, and a mix of cap and non-cap letters,
numbers and special characters.

Don Cochran
Director, Business Development
SCIPP International
1964 Gallows Road, Suite 320
Vienna, Virginia 22182
United States of America

+1 703.637.4422 (Direct)
+1 703.599.0666 (Cell)
+1 703.637.4371 (Fax)

www.SCIPPinternational.org <http://www.SCIPPinternational.org>

*/SCIPP International/*
*/"The Security Awareness Certification Company"/*

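Both John Ladwig's point (a cracklib-style admission check that rejects dictionary-derived candidates at password-set time) and Alex Keller's point (guessing tools already undo substitutions such as @ for a, 1 for i, 3 for e, $ for s) can be shown in one small check. The following is an added example for this archive page, not code from the thread, from cracklib or from any of the posters; the word list, the substitution map and the 8-character minimum are constructed assumptions, and a real deployment would load full dictionaries the way cracklib does.

```python
"""Password admission-quality check that undoes common character substitutions
before consulting a dictionary, so a leet-styled team name is rejected on input
rather than surviving to be guessed offline.  Added example, not from the thread."""
import re

# Constructed mini-dictionary (assumption); cracklib loads full word lists.
DICTIONARY = {"giants", "york", "password", "football", "secret", "welcome", "dragon"}

# Reverse map of the substitutions the thread mentions, plus a few equally
# common ones (assumption: this set mirrors what guessing tools already try).
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "1": "i", "!": "i", "3": "e",
    "$": "s", "5": "s", "0": "o", "7": "t",
})

MIN_LENGTH = 8  # assumed policy, matching the 8-character rule in the thread


def normalize(candidate: str) -> str:
    """Lower-case and undo substitutions so 'G1@nts' becomes 'giants'."""
    return candidate.lower().translate(SUBSTITUTIONS)


def dictionary_hits(candidate: str) -> list:
    """Return the dictionary words found in the normalised candidate, sorted.

    Both separator-delimited tokens and substrings are checked, so 'Ny_G1@nts'
    (token 'giants') and 'G1@nts2010' (substring 'giants') are both caught.
    Substring matching is limited to words of four or more letters to avoid
    rejecting everything that happens to contain a short word.
    """
    normalised = normalize(candidate)
    tokens = set(re.split(r"[^a-z]+", normalised)) - {""}
    hits = {w for w in DICTIONARY
            if w in tokens or (len(w) >= 4 and w in normalised)}
    return sorted(hits)


def check_password(candidate: str) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    hits = dictionary_hits(candidate)
    if hits:
        reasons.append("based on dictionary word(s): " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # The thread's own example passes the class-mix rule but is still a
    # dictionary word once the substitutions are undone.
    for pw in ("Ny_G1@nts", "G1@nts", "plum-ferry-orbit-1985"):
        verdict = check_password(pw)
        print(pw, "->", "rejected: " + "; ".join(verdict) if verdict else "accepted")
```

Run as a script it reports that `Ny_G1@nts` is rejected because it reduces to `giants`, which is the failure mode Alex describes: mixing character classes does not help when the classes were produced by substitutions a guesser enumerates anyway. A candidate built from several unrelated words that are not in the list is accepted, which is where a check like this stops and entropy-based or breached-password checks would take over.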