Passwords (was: Stanford break in)

["Ben Nagy" <ben () iagu net>]

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of Carric Dooley
[...]
> Yes. There are password generators that create 
> 'pseudo-english' words, but I think the best system is using 
> something the user knows/likes, providing it's not obvious 
> like birhday+daughter's_name... "I like fuzzy bunnie's.." 
> is a good example. 

This is a common scheme, which is good. My personal favourite is to use the
"shocking nonsense" technique (google it) - when combined with the
symbol/number thing it provides passwords that are "strong", very memorable,
and which have the added advantage of being embarassing (which makes users
less likely to disclose them).

> > Also, are salts a good idea to change the hash in the shadow file? 

Absolutely.

> Salt would typically be some random factor that affects the 
> outcome of the hash. [...]

Yup.

> I am not a cryptologist, so I'm sure 
> I sound like an idiot to that crowd

No, you got it pretty much right. I would put it like this - a salt is a
_non-secret_ value. If you don't use a salt then an attacker can precompute
a big file containing the hashes of common passwords. Then, when they get
hold of a particular password hash they can just do a file lookup which is
really really fast (this is probably the simplest example of the "time space
tradeoff" in crypto). Using a salt means that they need to do the same hash
computation, but including the salt - which means they can't precompute, so
it takes longer to crack.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards