Firewall Wizards mailing list archives

Re: "Proactive" Password Checking


From: "Eric Toll" <etoll () syracusesupply com>
Date: Wed, 10 Nov 1999 11:45:49 -0500

If it is known that this is your password technique, I am sure a lot of
passwords will be easily cracked in short order.  >;->  There are a

Methinks not.  The account gets locked after 5 wrong guesses.
*Please explain.


finite number of truly popular songs.  Just listen to what a target hums
Sounds pretty obscure to me "just listen to what someone is humming" ?  
or were you making a joke?  - - I can't tell.
What if said person is in another state or country?
*Please explain

I was not aware that there were lyric dictionaries on the net.  lol
*How bout posting some links?

Some systems have a fixed, short password size, and can't change it,
Thank god mine isn't one of them,  just used a 20char pass and it works fine.
and can go longer.

Password: "alittlebitofericabymyside" and for 5 points what is the song title that password comes from?

Smiles.
Joe, if you find fault with my methods, why not post something useful like your methods?

TIA
 


Joseph S D Yao <jsdy () cospo osis gov> 11/10/99 10:30AM >>>
Just read this password checking thread and a lot of you seem to say some things which seem a bit strange to me.
  
A complex password does not have to be something like "$5dsdDe%AzW3q"  this is hard to crack and hard to remember.  
(users forgetting or writing it down) 

Now consider the password "maryhadalittlelamb"  hard to crack, easy to remember, not a problem for dictionary 
crackers.   Just tell users to put a few words _together_ for security, like their favorite song lyric or something.  

I felt obligated to tell you all this, because it felt like no person in the thread was aware or voiced this.

"Kurt Buff" <kurtbuff () lightmail com> 11/05/99 07:35PM >>>

If it is known that this is your password technique, I am sure a lot of
passwords will be easily cracked in short order.  >;->  There are a
finite number of truly popular songs.  Just listen to what a target hums
or listens to, to narrow the search even further.

Some systems have a fixed, short password size, and can't change it,
since there is a lot of code that assumes that standard password setup.
It may even be embedded in IEEE and FIPS standards.  ;-)  In those
cases, it is a good idea to have pronounceable but "strange" passwords,
with embedded punctuation characters and digits, and mixed case
[assuming the system is intelligent enough to understand the difference
between cases].  One site I know of got multiple language dictionaries
and chooses words at random from all of them, inserting punctuation at
odd places.  The trick there is to find the words that aren't offensive
in any other language ... a yet unsolved problem.  ;-)

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
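
A proactive checker for the "known phrase" case argued over in this thread, as an added example that is not code from any of the posters: it indexes contiguous word runs from a phrase list with spaces and punctuation removed, so a squashed lyric is caught even though a single-word dictionary check passes it. The phrase list, word list, thresholds and function names are constructed for illustration.

```python
import re

# Constructed sample corpus (public-domain nursery rhymes); a real deployment
# would load a much larger phrase list. All names here are hypothetical.
PHRASES = [
    "Mary had a little lamb, its fleece was white as snow",
    "Twinkle, twinkle, little star, how I wonder what you are",
    "Row, row, row your boat gently down the stream",
]
WORDS = {"password", "lamb", "star", "boat", "mary"}  # constructed word list
MIN_RUN = 3  # shortest word run treated as a recognisable phrase


def normalize(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def phrase_runs(phrases, min_run=MIN_RUN):
    """Index every contiguous run of >= min_run words, squashed together."""
    runs = set()
    for phrase in phrases:
        words = [normalize(w) for w in phrase.split()]
        words = [w for w in words if w]
        for i in range(len(words)):
            for j in range(i + min_run, len(words) + 1):
                runs.add("".join(words[i:j]))
    return runs


RUNS = phrase_runs(PHRASES)


def check_password(candidate, min_len=8):
    """Return the list of reasons to reject candidate (empty list = accept)."""
    reasons = []
    core = normalize(candidate)
    stripped = core.strip("0123456789")  # ignore digits tacked on either end
    if len(candidate) < min_len:
        reasons.append("too short")
    if core in WORDS or stripped in WORDS:
        reasons.append("dictionary word")
    if core in RUNS or stripped in RUNS:
        reasons.append("known phrase")
    return reasons
```

A phrase that is not in the loaded corpus is accepted, so the check is only as good as the phrase list behind it.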



