funsec mailing list archives

Re: While we're all trying to fix politics, economics, etc.


From: "Blanchard, Michael (InfoSec)" <michael.blanchard () emc com>
Date: Wed, 6 Feb 2013 15:34:14 +0000

Curious that Yahoo calls it weak....

 Throw one of these in the mix and see if that changes:   !@#$%^&*  

Yahoo might be looking at those as the only "special characters" it considers "strong" LOL  

Because, well you know, those are the ONLY special characters on the keyboard.....

Michael P. Blanchard
Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Cyber Security Services
EMC² Corporation
32 Coslin Drive
Southboro, MA 01772


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Rich Kulawiec
Sent: Wednesday, February 06, 2013 9:13 AM
To: funsec () linuxbox org
Subject: Re: [funsec] While we're all trying to fix politics, economics, etc.

On Tue, Feb 05, 2013 at 12:49:44PM -0500, Rich Kulawiec wrote:
> I have a question.  Please to consider the following candidate password:
>
>       S.3-t=2ga+Zilg59CEkp4


Okay, I s'pose now I should explain why I asked that question.  (But first:
thanks for the comments!)

I actually have that password committed to memory (via a mnemonic that's
partly obscene, so I'll omit it here).  So it's not open to PostIt attack,
although admittedly keystroke logging would grab it just as easily as
any other.  So would rubber hose cryptography, so would other methods.

The usage I'd intended for this was on a Yahoo account.  I have a few
of them that I use for mail/spam/phish/etc. test purposes: little
controlled experiments involving exposing addresses in certain places
and then waiting to see what shows up months or years later.  (I've been
doing this for a very long time with lots of freemail providers as well as
with addresses associated with domains of my own.)  I recently realized
that one of those Yahoo accounts has a password that is inexcusably weak
by contemporary standards, so I decided to change it to a much better
one -- this one.

Yahoo's web interface informs me that this password is weak: in fact,
it informs me that it is as weak as it's possible to be and refuses to
allow me to use it.

It also refuses to allow me to use variations, including still-longer
ones.  It steadfastly rates them all as "weak".  I find this puzzling.

Now given that I was doing this exercise after a certain recent Sunday
evening sporting competition involving a local franchise, I thought,
well, maybe I'm just missing the obvious.  I might still be.  But I
believe I'm now confused on a higher level, so I'll call that progress.

---rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
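
Added example, not part of the original thread and not Yahoo's actual logic: a hypothetical rule-based meter that shows how the guess in the reply (only `!@#$%^&*` count as "special") would rate the password from the thread, next to a simple character-pool entropy estimate. The function names and the four-class rule are assumptions made for illustration.

```python
import math
import string

PASSWORD = "S.3-t=2ga+Zilg59CEkp4"         # candidate password quoted in the thread
NARROW_SPECIALS = set("!@#$%^&*")           # symbol set guessed at in the reply
ALL_SPECIALS = set(string.punctuation)      # all 32 printable ASCII symbols
POOL_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def char_classes(password, specials=ALL_SPECIALS):
    """Return the character classes a meter would credit the password with.
    Symbols outside `specials` are ignored, as a narrow allowlist would do."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in specials:
            classes.add("special")
    return classes


def rule_meter(password, specials=ALL_SPECIALS):
    """Hypothetical composition-rule meter: 'strong' only if the password has
    at least 8 characters and all four classes are credited."""
    credited = char_classes(password, specials)
    if len(password) >= 8 and credited == set(POOL_SIZES):
        return "strong"
    return "weak"


def charset_entropy_bits(password):
    """Upper-bound estimate: length * log2(size of the character pool used).
    Assumes each character was picked at random; a mnemonic may yield less."""
    pool = sum(POOL_SIZES[c] for c in char_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    print("narrow symbol set :", rule_meter(PASSWORD, NARROW_SPECIALS))
    print("plus one '!'      :", rule_meter(PASSWORD + "!", NARROW_SPECIALS))
    print("any ASCII symbol  :", rule_meter(PASSWORD))
    print("pool estimate     : %.1f bits" % charset_entropy_bits(PASSWORD))
```

The symbols in the thread's password are `.`, `-`, `=` and `+`, none of which are in the narrow set, so a meter built this way credits it with no special characters at all.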
