Subject: Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: lugnet.admin.general
Date: Thu, 30 Mar 2000 16:30:51 GMT

In lugnet.admin.general, Todd Lehman writes:
> First important question:
>
> Are there any bad passwords which this fails to reject? (If it rejects
> a seemingly good password, that's not necessarily a problem. Failing to
> reject a bad password is a far more serious problem.)

It allows: a1b2c3, but fails 1a2b3c, I thought it would (and probably does)
check for numeric sequences?

> Second important question:
>
> Are there words that you can think of which this fails to detect as
> potential weaknesses? (Try to stump it!)

It fails: LL-918 as worthless, but gives LL-928 an excellent :) Maybe you
should add lots of LEGO set names and abbreviations? E.g. RBR, SES, etc.?

Also, my LUGNET password got a bravissimo, and all the passwords I normally use
were worthless :)

squiff9 worked, probably because squiff isn't a word. But people do make up
words... so if there was a way to check if the words conform to spelling rules?
Did you enter 'fibblesnork' to the DB? I couldn't get that to work even with
slight mutilation :)

As an aside, would you actually allow someone to brute-force hack into a LUGNET
account? Or disable the account for X hours automatically after Y fails? If Y
was 5 or something else low, then the possibility of brute-force hacks is
significantly reduced?

Richard
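
The a1b2c3 / 1a2b3c inconsistency reported above is what a sequence check looks like when it depends on character order. As an added example (not part of the original post and not LUGNET's actual checker), here is one order-independent way to catch both; the function names and the minimum run length of 3 are assumptions.

```python
def _is_run(chars: str, min_len: int = 3) -> bool:
    """True if chars is a consecutive run: every step is +1, or every step is -1."""
    if len(chars) < min_len:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(chars, chars[1:])}
    return steps == {1} or steps == {-1}


def built_from_sequences(password: str) -> bool:
    """Flag passwords made only of alphabetic and/or numeric runs.

    The password is split by character class before checking, so the
    position of letters relative to digits does not matter:
    'a1b2c3', '1a2b3c' and 'abc123' all reduce to 'abc' + '123'.
    """
    pw = password.lower()
    letters = "".join(c for c in pw if c.isascii() and c.isalpha())
    digits = "".join(c for c in pw if c.isascii() and c.isdigit())

    # Any character outside the two classes means this check does not apply;
    # other checks (dictionary, set names, ...) would handle those passwords.
    if len(letters) + len(digits) != len(pw):
        return False

    classes = [c for c in (letters, digits) if c]
    return bool(classes) and all(_is_run(c) for c in classes)


if __name__ == "__main__":
    # Constructed sample inputs, taken from the passwords named in the post.
    for candidate in ("a1b2c3", "1a2b3c", "squiff9", "LL-918"):
        verdict = "reject" if built_from_sequences(candidate) else "pass to other checks"
        print(f"{candidate}: {verdict}")
```
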