Message 5634 in lugnet.admin.general

Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Tue, 28 Mar 2000 02:21:26 GMT

In lugnet.admin.general, Larry Pieniazek writes:
In lugnet.admin.general, Mike Stanley writes:
In lugnet.admin.general, Todd Lehman writes:
How about minimum of 8 characters with at least 2 numbers or other special
characters?   6 and 1 is fairly common.

The argument here is that if you get too restrictive (requiring one non
alphanumeric, for example) you cut the set of passwords down far enough that
you make brute force attack easier!

I hope you'll forgive me if I'm skeptical of that statement.  I haven't
studied human factors of cryptography in depth but my BS was in mathematics.
I know what you're saying, and why it might be true given a certain set of
assumptions, but how is it known that those assumptions are true?

If you pick a typical random person off the street and ask them to pick a
password, they're probably going to (at best) concatenate a short word or
two or reverse a 5 or 6 digit word, or do something with their initials or
their birthdate.  Is it not highly probable that the domain of input symbols
a typical person would pick is a through z and maybe the digits 0 through 9?

If the answer to that is yes, then requiring at least one other special
character increases the size of the password domain, making brute force
attacks harder.

If the answer to that is no (geeks, for example, or anyone who understands
anything about cryptography or simple permutations), then requiring at least
one other special character probably doesn't increase the password domain at
all, and since geeks already know enough to use special symbols, it arguably
doesn't reduce the size of the password domain from what they would have used
anyway.

In other words, although "sriypc" (all letters) is a much better password
than "69vette" (letters and numbers) or "s@h-4-me" (letters and numbers and
so-called 'special' characters), isn't it still _more likely_ that requiring
something other than non-pure-letters results in better passwords overall?

Even better yet IMHO is to do these two things:

1.  First, educate people on how to pick a good password (like what you
    suggested earlier).
2.  Check the password's strength (by trying to crack it) right when the user
    tries to set a new one, and reject weak passwords.

The challenge lies in #2 (and surely this must still even today be a very hot
area of research) because it should allow "sriypc" but not "69vette", and
"vt9te6e" but not "crispy".


I tend to favor trying a few quick checks on the pw to see if it's easily
guessable and if it is, telling the user that it's not the greatest choice,

Any pointers to papers on this sort of thing would be highly appreciated!


but not actually preventing its use.

Disagree on that one.  :)

"Uh, you really shouldn't use 'abc' as your password.  What, you want to
anyway?  You idiot, that's a really dumb password.  Are you *really* sure?
sigh...OK, well, there it is then...but don't say I didn't warn you."
[2 weeks later]  "Hey, some luser just broke into your account using the
braindead password that I warned you about.  Oh well, I guess it's OK because
I warned you three times.  Too bad.  Have a nice day."


X.com doesn't require anything special about PWs... when you use X you have
more at risk than at Lugnet (well, your honor and reputation are more at
risk here if someone starts posting in your name). Doesn't make their lax
security "right" but there is an appropriate level of effort to put into
this, not sure what it is yet.

X.com is still in the membership-acquisition-is-priority-zero phase of their
growth.  Any barriers that protect users but not X are useless baggage to X
at this point.  After their "viral growth" slows, it'll be safe for them to
raise the barriers a little higher and protect users better.  Nothing matters
more to X.com and PayPal right now than acquiring new members into their
network and capturing market segment as fast as possible.

(Disclaimer:  I don't work for X.com or PayPal so obviously you'll want to
take this with a grain of salt.  But this is nothing more than modern network
economics.)

--Todd
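The two quantitative points in this exchange (how much a composition rule changes the brute-force search space, and what a "try to crack it before accepting it" check in item #2 would have to do to admit "sriypc" and "vt9te6e" while rejecting "69vette" and "crispy") can be made concrete. The following is an added example written for this page, not code from Todd's post or from LUGNET. The word list, the leet substitution table and the minimum length of 6 are constructed assumptions; a real deployment would load a full cracking dictionary.

```python
import math
import re

# Constructed stand-in for a real cracking dictionary (assumption: a deployment
# would load a large word list; these few entries are only for illustration).
WORDLIST = {"crispy", "vette", "password", "lego", "brick", "letmein", "abc"}

# Common symbol/digit substitutions a cracker undoes before a dictionary lookup
# (assumed table, not exhaustive).
LEET = str.maketrans("@$!1034", "asiloea")


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a password drawn uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def required_class_keyspace_bits(alphabet_size: int, class_size: int, length: int) -> float:
    """Bits of search space when the policy demands at least one symbol from a class
    of class_size characters (e.g. 33 punctuation marks out of 95 printable ASCII).
    Strings containing none of them are excluded, so N**L - (N - S)**L remain.
    This is the reduction Larry's argument refers to; it is measurably small."""
    remaining = alphabet_size ** length - (alphabet_size - class_size) ** length
    return math.log2(remaining)


def _normalize(pw: str) -> str:
    return pw.lower().translate(LEET)


def _letter_core(word: str) -> str:
    """Drop leading/trailing non-letters: '69vette' -> 'vette', 'lego!!' -> 'lego'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word)


def dictionary_based(pw: str) -> bool:
    """True if the password is a dictionary word, possibly reversed, decorated with
    leading/trailing digits or punctuation, or written with simple substitutions."""
    core = _letter_core(_normalize(pw))
    if not core:
        return False
    return core in WORDLIST or core[::-1] in WORDLIST


def check_password(pw: str, min_len: int = 6) -> tuple:
    """Return (accepted, reason). min_len=6 is an assumption chosen so that the
    six-letter example 'sriypc' from the post is admissible."""
    if len(pw) < min_len:
        return False, "shorter than %d characters" % min_len
    if len(set(pw)) <= 2:
        return False, "too few distinct characters"
    if dictionary_based(pw):
        return False, "dictionary word with trivial decoration"
    return True, "no quick-crack pattern found"


if __name__ == "__main__":
    for candidate in ["sriypc", "69vette", "vt9te6e", "crispy", "abc", "s@h-4-me"]:
        print("%-10s %s" % (candidate, check_password(candidate)))
    print("26 letters x 8 chars:            %.1f bits" % keyspace_bits(26, 8))
    print("36 alphanumerics x 8 chars:      %.1f bits" % keyspace_bits(36, 8))
    print("95 printable ASCII x 8 chars:    %.2f bits" % keyspace_bits(95, 8))
    print("same, >=1 of 33 specials forced: %.2f bits"
          % required_class_keyspace_bits(95, 33, 8))
```

Two things the numbers show: moving a typical user from 26 letters to 36 alphanumerics at length 8 adds roughly four bits of search space, whereas forcing at least one special character on someone who already draws from all 95 printable characters removes well under a tenth of a bit. Both sides of the thread are therefore right about their own population, which is why the dictionary-style check does more than any composition rule: it rejects "crispy" and "69vette" regardless of which characters they contain, and leaves "sriypc" alone.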



Message has 1 Reply:
  Re: New feature: Article rating
  Personally, I'd love some tips on how to pick good passwords that are easy to remember. I'll admit to using poor passwords, and re-using them. These days, one seems to need so many passwords that I can't see how you can really work well if you (...) (24 years ago, 28-Mar-00, to lugnet.admin.general)

Message is in Reply To:
  Re: New feature: Article rating
  (...) The argument here is that if you get too restrictive (requiring one non alphanumeric, for example) you cut the set of passwords down far enough that you make brute force attack easier! I tend to favor trying a few quick checks on the pw to see (...) (24 years ago, 27-Mar-00, to lugnet.admin.general)

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR