Firewall Wizards mailing list archives
Re: "Proactive" Password Checking
From: "Eric Toll" <etoll () syracusesupply com>
Date: Wed, 10 Nov 1999 11:45:49 -0500
> If it is known that this is your password technique, I am sure a lot of passwords will be easily cracked in short order. >;-> There are a
Methinks not. The account gets locked after 5 wrong guesses. *Please explain.
> finite number of truly popular songs. Just listen to what a target hums
Sounds pretty obscure to me, "just listen to what someone is humming"? Or were you making a joke? I can't tell. What if said person is in another state or country? *Please explain.
I was not aware that there were lyric dictionaries on the net. lol *How 'bout posting some links?
> Some systems have a fixed, short password size, and can't change it,
Thank god mine isn't one of them, just used a 20char pass and it works fine, and can go longer.
Password: "alittlebitofericabymyside" and for 5 points what is the song title that password comes from? Smiles.
Joe, if you find fault with my methods, why not post something useful like your methods? TIA
Joseph S D Yao <jsdy () cospo osis gov> 11/10/99 10:30AM >>>
Just read this password checking thread and a lot of you seem to say some things which seem a bit strange to me. A complex password does not have to be something like "$5dsdDe%AzW3q"; this is hard to crack and hard to remember (users forgetting or writing it down). Now consider the password "maryhadalittlelamb": hard to crack, easy to remember, not a problem for dictionary crackers. Just tell users to put a few words _together_ for security, like their favorite song lyric or something. I felt obligated to tell you all this, because it felt like no person in the thread was aware or voiced this.
"Kurt Buff" <kurtbuff () lightmail com> 11/05/99 07:35PM >>>
If it is known that this is your password technique, I am sure a lot of passwords will be easily cracked in short order. >;-> There are a finite number of truly popular songs. Just listen to what a target hums or listens to, to narrow the search even further.
Some systems have a fixed, short password size, and can't change it, since there is a lot of code that assumes that standard password setup. It may even be embedded in IEEE and FIPS standards. ;-) In those cases, it is a good idea to have pronounceable but "strange" passwords, with embedded punctuation characters and digits, and mixed case [assuming the system is intelligent enough to understand the difference between cases]. One site I know of got multiple language dictionaries and chooses words at random from all of them, inserting punctuation at odd places. The trick there is to find the words that aren't offensive in any other language ... a yet unsolved problem. ;-)
--
Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
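
The thread's subject is proactive checking, and the disagreement above is whether a run-together lyric such as "maryhadalittlelamb" survives a dictionary. As an added example (not part of any message in the thread), here is a check a password-change routine could apply: it rejects candidates that are mostly a run of consecutive words from a list of well-known phrases. The phrase list, the 3-word minimum and the 80% coverage threshold are constructed assumptions.

```python
import re

# Constructed sample corpus; a real deployment would load a large list
# of well-known lyrics, rhymes and quotations.
KNOWN_PHRASES = [
    "Mary had a little lamb, its fleece was white as snow",
    "Twinkle, twinkle, little star, how I wonder what you are",
]
MIN_WORDS = 3    # shortest run of consecutive words treated as a quotation
COVERAGE = 0.8   # fraction of the candidate a run must cover to reject it

def words(text):
    """Lower-case a phrase and split it into alphabetic words."""
    return re.findall(r"[a-z]+", text.lower())

def build_index(phrases, min_words=MIN_WORDS):
    """Map each run of >= min_words consecutive words, joined with no
    spaces, to the phrase it came from."""
    index = {}
    for phrase in phrases:
        w = words(phrase)
        for i in range(len(w)):
            for j in range(i + min_words, len(w) + 1):
                index.setdefault("".join(w[i:j]), phrase)
    return index

def normalize(candidate):
    """Drop case, digits, spaces and punctuation, so that
    'Mary-Had-A-Little-Lamb!99' reduces to the same key."""
    return re.sub(r"[^a-z]", "", candidate.lower())

def check_password(candidate, index, coverage=COVERAGE):
    """Return (accepted, reason) for a proposed password."""
    key = normalize(candidate)
    for run, phrase in index.items():
        # Reject when a known run makes up most of the candidate,
        # even if a few extra letters were added around it.
        if run in key and len(run) >= coverage * len(key):
            return False, "quotes a known phrase: " + phrase
    return True, "not found in phrase list"

INDEX = build_index(KNOWN_PHRASES)
```

A candidate passes only because it is absent from the loaded list, so the check is as good as the phrase corpus behind it.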