Subject: Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: lugnet.admin.general
Date: Sun, 23 Apr 2000 18:09:25 GMT
In lugnet.admin.general, Richard Franks writes:
> In lugnet.admin.general, Todd Lehman writes:
>> In lugnet.admin.general, Larry Pieniazek writes:
>>> So are you going to enforce that people HAVE to set their passwords to
>>> things that the validator feels don't suck,
>>
>> That is its purpose.
>
> But the validator doesn't find non-sucky passwords, it just finds the least
> randomised - i.e., it will pass something like:
> 4h(i,>$s&      but fail:
> 4h(i,>$s&-fun
>
> What's the point of allowing people to change from their highly randomised
> default LUGNET password (because they have a hard time remembering it), if
> the validator only allows something of greater randomisation?

It's perfectly content to "pass" most 6- to 8-character pw's constructed by
the first letter of successive words, especially if the pw includes a digit,
a capital letter, or a special character.  Those types of things tend to be
"random" from a brute-force-attack point of view but un-random to the person
generating the pw.

The point is that there are plenty of other pw's that people could come up
with which aren't dangerous, but which are sufficiently random and perfectly
memorable.


> IIRC at least one default LUGNET password failed?  [...]

That's entirely possible -- the generator for those doesn't consider
dictionary words, keyboard sequences, etc.  But it doesn't necessarily mean
that the pw which failed is risky, so long as they're still chosen from an
equally distributed set of structured input.  I can see how it could be
disconcerting, though.  :-)


> IMHO it is reasonable to impose a minimum limit of characters, impose an
> alpha-numeric mix, maybe even make sure that it isn't just one word known
> to a dictionary mixed with one number. But much more than that seems too
> restrictive.

:) you and I both know that you're an extremely intelligent adult who has
thought about these things and wouldn't pick something particularly risky --
but the server doesn't know that...(well, I guess it knows that you're an
adult, but...)  What of a 10-year-old kid (not that there's anything wrong
with being a 10yo)?  Just because someone is a 10yo, should they be
given a break and allowed to pick a risky pw like "lego4me"?


> There is also the counter-security risk - as people have to use
> really complicated and random passwords, they tend to start writing them
> down in places, password files etc.

Definitely a risk -- but a weak password like "lego4me" or "zaza88" is a
higher worst-case security risk than a strong password which has been written
down.

No matter how strong or weak a password is, if someone writes it down or tells
it to a friend, there's the possibility that someone in that person's nearby
vicinity could use their password -- that's always a risk, and the blame lies
entirely with the user if something goes awry there.

On the flipside, if someone chooses a weak password and never writes it down
and never tells it to anyone, but then someone halfway around the globe who
has never met them suddenly guesses it through trial and error or a brute-
force attack, the blame lies entirely with the system and not with the user.


> Besides which, the longer it takes before users can change their passwords,
> the greater chance that other people will stumble upon their LUGNET welcome
> pack, which contains their password handily printed out :)

True, very true.  But if someone leaves that password in a place that it can
be discovered by untrusted eyes and subsequently abused, then that's their
own darn fault.


> I'm not a security expert - just a user who would rather take the advice of
> a password system but have ultimate personal responsibility over my password.

Think of it this way:  It's not a PR disaster if someone has their written-
down password stolen and used by a friend or coworker or family member --
that's their own irresponsibility.  It -is-, OTOH, a huge PR disaster if
someone chooses a weak password and their account is hacked.  There is a
middleground where both extremes are avoided -- where people can pick their
own passwords which don't "have to" be written down and which aren't
particularly dangerous either.

Perhaps the password strength analysis tool should have two thresholds for
the "pass" state:

   - Pass if 100% or higher
   - Pass with a warning if between 50% and 100%
   - Fail if 50% or lower

This would still weed out dictionary words and awful keyboard sequences like
'zaza' and 'qwerty' and 'mnbvcxz' and '3edcvfr4' but allow more (in practice)
than it currently does.  I'm not sure if this is what Larry meant or if he
was suggesting an infinitely-low fail threshold.

I don't have a problem with two thresholds as long as the fail-in-practice
threshold isn't too much lower than the fail-in-theory threshold.

--Todd
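One way to implement the pass / warn / fail scheme Todd sketches above, together with the checks the thread mentions (minimum length, character-class mix, dictionary words, keyboard sequences like 'qwerty', 'mnbvcxz' and '3edcvfr4', and repeats like 'zaza'), as an added example. This is not LUGNET's validator, and nothing on the page describes how that one scores a password; the mini word list, the keyboard layout, the flat PATTERN_BITS cost per recognised pattern and the TARGET_BITS value that defines 100% are all assumptions chosen for illustration. The sample passwords in the main block are the ones quoted in the thread plus two constructed ones.

```python
"""Two-threshold password check (pass / warn / fail), in the spirit of the
scheme Todd sketches in the thread.  Added example, not LUGNET's validator:
the word list, keyboard layout, PATTERN_BITS and TARGET_BITS are assumptions."""
import math
import re

# Constructed mini word list; a real check loads a full dictionary plus
# leaked-password lists.  Lower-case only; matching is case-insensitive.
DICTIONARY = {"lego", "fun", "password", "brick", "secret", "admin", "welcome"}

# Keyboard rows and column walks, plus their reverses, so that 'qwerty',
# 'mnbvcxz' and '3edc'/'vfr4' are all recognised as keyboard sequences.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
KEYBOARD_SEQS = [s for seq in _ROWS + _COLS for s in (seq, seq[::-1])]

MIN_WORD = 3         # shortest dictionary hit treated as a pattern
MIN_KEY_RUN = 4      # shortest keyboard walk treated as a pattern
PATTERN_BITS = 3.0   # assumed guess cost of one recognised pattern (a few bits)
TARGET_BITS = 40.0   # assumed: 40 bits of estimated entropy == 100%
WARN_PCT = 50.0      # at or below this: fail
PASS_PCT = 100.0     # at or above this: pass; in between: pass with a warning


def _longest_pattern(low, i):
    """Longest dictionary word or keyboard run starting at low[i], else None."""
    for j in range(len(low), i, -1):            # try the longest candidate first
        frag = low[i:j]
        if len(frag) >= MIN_WORD and frag in DICTIONARY:
            return frag
        if len(frag) >= MIN_KEY_RUN and any(frag in seq for seq in KEYBOARD_SEQS):
            return frag
    return None


def tokenize(password):
    """Collapse consecutive repeats ('zaza88' -> 'za8'), then split the result
    into free characters and recognised patterns: a list of (kind, text)."""
    collapsed = re.sub(r"(.+?)\1+", r"\1", password)
    low = collapsed.lower()
    tokens, i = [], 0
    while i < len(collapsed):
        hit = _longest_pattern(low, i)
        if hit:
            tokens.append(("pattern", collapsed[i:i + len(hit)]))
            i += len(hit)
        else:
            tokens.append(("char", collapsed[i]))
            i += 1
    return tokens


def pool_size(password):
    """Alphabet size implied by the character classes actually present."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    return sum(size for pat, size in classes if re.search(pat, password))


def entropy_bits(password):
    """Estimated guess resistance: each free character costs log2(pool) bits,
    each recognised pattern costs a flat PATTERN_BITS.  Appending characters
    never lowers the estimate, so '4h(i,>$s&-fun' scores above '4h(i,>$s&'."""
    if not password:
        return 0.0
    per_char = math.log2(pool_size(password))
    return sum(PATTERN_BITS if kind == "pattern" else per_char
               for kind, _ in tokenize(password))


def score(password):
    """Strength as a percentage of TARGET_BITS."""
    return 100.0 * entropy_bits(password) / TARGET_BITS


def verdict(password):
    """Todd's two thresholds: 'pass' (>= 100%), 'warn' (50% < x < 100%),
    'fail' (<= 50%)."""
    pct = score(password)
    if pct >= PASS_PCT:
        return "pass"
    if pct > WARN_PCT:
        return "warn"
    return "fail"


if __name__ == "__main__":
    # Constructed samples, most of them the passwords quoted in the thread.
    for pw in ["4h(i,>$s&", "4h(i,>$s&-fun", "lego4me", "zaza88", "qwerty",
               "mnbvcxz", "3edcvfr4", "Tsbtmh1!", "ab3$yz"]:
        print(f"{pw:16} {score(pw):6.1f}%  {verdict(pw)}")
```

The design point worth noting is that the estimate is built from tokens, so a recognised word or keyboard run contributes a few bits instead of one "random" character per letter: "lego4me" lands in the fail band, "qwerty" and "3edcvfr4" fail outright, and a first-letters-of-a-sentence password such as "Tsbtmh1!" passes because nothing in it matches a pattern. Because a token can only add bits, appending "-fun" to an already strong password raises its score rather than failing it, which avoids the behaviour Richard complains about above.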



©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR