Subject: Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: lugnet.admin.general
Date: Thu, 30 Mar 2000 23:46:41 GMT

In lugnet.admin.general, Todd Lehman writes:
> In lugnet.admin.general, Richard Franks writes:
> > It really likes: fnark-5- (345%)
> > but hates: fnark-5-lego (-104%)
> >
> > Surely that's squiffy? Or is it based on the theory that being able to guess
> > the 'lego' part will make the 'fnark-5-' more obvious?
>
> It's a side-effect of downrating fluffy portions even though they don't hurt.
> That is, if you have a wicked strong 8-character pw (call it "X" for short),
> then even though "Xlego" is no worse than "X", it takes points off for the
> fluffy part ("lego"). Taking points off for that is a good thing to do when
> the fluff serves only to artificially grow the size of the pw, but it's not
> particularly helpful on pw's that are already long enough.
>
> The simple answer is that this pw evaluator is trying to do more of an overall
> randomness check than a pw strength check. Surely "fnark-5-lego" is no weaker
> than "fnark-5", but it is significantly less random.
I am starting to think that this password checker, in its current form (which
I'd like to see left accessible as it IS useful) shouldn't actually block a
password. It should tell me that "maybe this isn't a good choice" but it
doesn't know enough about MY context to comment on passwords that might be
unsafe in my context.
If we assume for the sake of the next bit that nn/nn/nn isn't a bad password in
and of itself (actually it is, too small a pattern set) ...
Then my birthday is a not very good password FOR ME because it's guessable from
context, my birthday is easily obtainable. But it's not a bad password at ALL
for Ed Jones, who has no explicit connection to me that anyone knows of,
because it's just a random string of dates and slashes. It has no meaning that
an attacker can guess and so is as strong as any other random string of numbers
and slashes of the form nn/nn/nn. Similarly, my SSN is a bad password for me,
but some random 9 digit string with dashes in the SSN places isn't all that bad
FOR ME even though it's most likely somebody's SSN.
Right now it might be that it's way too picky. It's flagging passwords that are
reasonable (elegant work, mind you, from a coding standpoint). If you eliminate
too many passwords from the universe, you reduce the total set that a brute-force
attack has to use (that is, if you ENFORCE that people can't have unsafe
passwords you increase their safety a lot, but decrease everyone's safety
marginally overall.)
Food for thought.
++Lar