Subject: Re: PW validation terms/labels
Newsgroups: lugnet.off-topic.debate
Date: Fri, 5 May 2000 19:25:13 GMT
  
Todd Lehman wrote:

> In lugnet.admin.general, Frank Filz writes:
> > Perhaps part of the problem is the relative weights attached to various
> > elements of strength of passwords. I would generally agree that a 4
> > character password should not be accepted (of course I suspect most of
> > us have a significant amount of money protected only by our physical
> > possession of a plastic card, and a 4 DIGIT password - I at least chose
> > an 8 digit PIN the one time I was allowed to choose a PIN, but few ATM
> > systems these days allow anything other than a 4 digit PIN).
>
> For the average person or script kiddie to crack a 4-digit PIN via brute
> force, they'd have to:
>
> (1) first actually get someone's card; and then
> (2) manually try out up to 10,000 combinations, and IIRC, ATM's are programmed
>     to eat cards after a few failed attempts, and they'll probably be on
>     videotape too.

(1) is certainly true, (2) is mostly true (there are many ATMs,
including ones in stores which can not eat cards, and probably don't
alert the cashier to take the card [possibly dangerous if the person
using the card is a real criminal]).

> Unless the cracker works in the banking industry, comparing PINs to PW's is
> apples and oranges, my friend.  :)

True. But my main point was that one shouldn't allow 4 character
passwords in general. The ATM note was just a side note.

Another interesting security flaw I just saw yesterday: I am nearing the
end of my student loan paybacks, and randomly decided to check out if I
could find my account information on the web. I had some paperwork with
the loan servicing agency with me, and noticed an e-mail, so I pulled
up www.host-name.com. Sure enough, they had a screen to get to account
information. What did you need to get there: SSN and ZIP! The screen
allows you to change your address and phone numbers, shows your last 12
payments for each loan, and other status. Not an incredible amount of
information, but somewhat scary.

--
Frank Filz

-----------------------------
Work: mailto:ffilz@us.ibm.com (business only please)
Home: mailto:ffilz@mindspring.com
