Subject: Re: PW validation terms/labels
Newsgroups: lugnet.admin.general
Date: Fri, 5 May 2000 02:23:45 GMT
In lugnet.admin.general, Larry Pieniazek writes:
> I find the labels a bit pejorative, as they impose your thinking on what
> level of security is appropriate on what should just be strength metrics.
OK, fair enough. Labels gone. Just pure numbers in the drop-down list now.
> For example at setting 1 "lax" it fails passwords that I consider perfectly
> adequate for the risk level here at Lugnet and which I would use if I could.
The label covers (covered) what the setting allows in the worst-case. If you
poke around enough (or, as I've done, run scripts internally that hammer on it
to generate meaningful statistics), you'll find that the "Lax" setting (1)
does indeed pass some very, very bad pw's. It may also fail a few good ones
here and there, but as I'm sure you must realize, false positives are
infinitely more harmless than the reverse.
> The next setting up is "casual" but it is far from casual, it's already
> shading up towards quite restrictive.
It's appropriate to call it casual because it is only a minimal level of pw
security -- it offers approximately 25 bits of protection in the worst case.
(It passes approximately 40% of all 5-character pw's chosen from the alphabet
{a-z,0-9}.) 2^25 is scarcely 30 million combinations to try. That IS casual,
trust me.
> Suggest you dump the labels and just go with numeric indicators. My lax is
> probably -23 on your scale and I would call your lax "serious" and your
> casual "moderately insane".
Here is why "1 - Lax" is in fact lax and not even remotely close to serious:
1. It passes terribly poor 4-character passwords such as "chow", "itso",
and "frob", and in fact passes 90% of all 4-character randomly generated
pw's using a linear distribution of the letters 'a' to 'z'. 26^4 =
456,976 (bad).
2. It passes 95% of all 4-character randomly generated pw's using a linear
distribution of the letters a-z and the digits 0-9. 36^4 = 1,679,616
(also bad).
3. It passes 99% of all 4-character randomly generated pw's using a linear
distribution of the 95 printable ASCII characters. 95^4 = 81,450,625
(still rather bad).
If you believe that any of the above is not lax, then I would posit that you
have at best a weak understanding of even the most basic statistical and
mathematical issues related to pw cracking. (Sorry.)
> So clearly these labels are going to be divisive if you keep them. Just say
> you require security level 2 and leave it at that with no label attached to
> it.
Okie dokie.
> PS, my opinion remains unchanged, even 2 is way too strong for what is
> needed here but that's a different issue.
You go right ahead and believe that. In actuality, it would be totally
irresponsible to lower the bar any further. I've already made it far less
restrictive than it was going to be originally. I really would appreciate
it if you would please stop bugging me about this.
--Todd
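The keyspace arithmetic in the post (26^4, 36^4, 95^4, 2^25, "passes 40% of 5-character a-z0-9 pw's means about 25 bits") and the method of hammering a validator with randomly generated passwords to measure what fraction it accepts can be reproduced with a short script. The following is an added example, not code from this thread or from LUGNET; `toy_checker` is a hypothetical strength rule standing in for the real validator, and its blocklist is constructed for the example.

```python
import math
import random
import string

# Alphabets discussed in the thread: 26 letters, 36 alphanumerics, 95 printable ASCII.
ALPHABETS = {
    "a-z": string.ascii_lowercase,
    "a-z0-9": string.ascii_lowercase + string.digits,
    "printable": "".join(chr(c) for c in range(32, 127)),
}

# Constructed blocklist for the hypothetical checker below (not a real wordlist).
BLOCKLIST = {"pass", "word", "lego", "1234", "qwer"}


def keyspace_size(alphabet_size, length):
    """Number of strings of the given length over the alphabet (26^4 = 456,976 etc.)."""
    return alphabet_size ** length


def effective_bits(alphabet_size, length, pass_fraction):
    """Worst-case protection in bits: an attacker who knows the rule only has to
    enumerate the strings the checker accepts, i.e. pass_fraction * keyspace."""
    return math.log2(pass_fraction * keyspace_size(alphabet_size, length))


def toy_checker(pw):
    """Hypothetical strength rule (NOT LUGNET's): at least 4 characters, not on the
    blocklist, and no character repeated three or more times in a row."""
    if len(pw) < 4:
        return False
    if pw.lower() in BLOCKLIST:
        return False
    for i in range(len(pw) - 2):
        if pw[i] == pw[i + 1] == pw[i + 2]:
            return False
    return True


def pass_rate(checker, alphabet, length, trials=20000, seed=1):
    """Estimate the fraction of uniformly random passwords of this length over
    the alphabet that the checker accepts (the 'hammer it with scripts' method)."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    passed = sum(
        checker("".join(rng.choices(alphabet, k=length))) for _ in range(trials)
    )
    return passed / trials


def report(checker, length=4):
    """Return {alphabet name: (pass fraction, effective bits)} for the checker."""
    out = {}
    for name, alphabet in ALPHABETS.items():
        frac = pass_rate(checker, alphabet, length)
        out[name] = (frac, effective_bits(len(alphabet), length, frac))
    return out


if __name__ == "__main__":
    # The figures quoted in the post: 2^25 is about 33.5 million guesses, and
    # passing 40% of 5-char a-z0-9 strings leaves roughly 24.5 bits.
    print(f"2^25 = {2 ** 25:,}")
    print(f"40% of 36^5 -> {effective_bits(36, 5, 0.40):.1f} bits")
    for name, (frac, bits) in report(toy_checker).items():
        print(f"{name:>10}: passes {frac:.1%} of random 4-char pw's -> {bits:.1f} bits")
```

The point the numbers make: a rule that only looks at length, repeats and a blocklist accepts almost every random 4-character string, so its worst-case protection is essentially the raw keyspace (under 19 bits for a-z), and tightening a policy only raises the bar by the fraction of the keyspace it actually rejects.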