Firewall Wizards mailing list archives
Passwords (was: Stanford break in)
From: "Ben Nagy" <ben () iagu net>
Date: Fri, 23 Apr 2004 14:39:39 +0200
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Carric Dooley

> [...]
> Yes. There are password generators that create 'pseudo-english' words, but I think the best system is using something the user knows/likes, providing it's not obvious like birthday+daughter's_name... "I like fuzzy bunnie's.." is a good example.

This is a common scheme, which is good. My personal favourite is to use the "shocking nonsense" technique (google it) - when combined with the symbol/number thing it provides passwords that are "strong", very memorable, and which have the added advantage of being embarrassing (which makes users less likely to disclose them).

> Also, are salts a good idea to change the hash in the shadow file?

Absolutely.

> Salt would typically be some random factor that affects the outcome of the hash. [...]

Yup.

> I am not a cryptologist, so I'm sure I sound like an idiot to that crowd

No, you got it pretty much right. I would put it like this - a salt is a _non-secret_ value. If you don't use a salt then an attacker can precompute a big file containing the hashes of common passwords. Then, when they get hold of a particular password hash they can just do a file lookup which is really really fast (this is probably the simplest example of the "time space tradeoff" in crypto). Using a salt means that they need to do the same hash computation, but including the salt - which means they can't precompute, so it takes longer to crack.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards