To LUGNET HomepageTo LUGNET News HomepageTo LUGNET Guide Homepage
 Help on Searching
 
Post new message to lugnet.admin.generalOpen lugnet.admin.general in your NNTP NewsreaderTo LUGNET News Traffic PageSign In (Members)
 Administrative / General / 7762
7761  |  7763
Subject: 
Re: LUGNET Memberships
Newsgroups: 
lugnet.people, lugnet.admin.general
Date: 
Mon, 25 Sep 2000 06:16:58 GMT
Highlighted: 
(details)
Viewed: 
64 times
  
In lugnet.people, Kevin Loch writes:
Actually, all they need to know is my customer number and a PIN to view my
account records.

ouch.  How easy is it for a thief to get your customer number?  How many
digits is your PIN?


I would consider my bank account records much more valuable
than my LUGNET profile, no offense :)

natch.  :)


If the concern is script kiddies cracking accounts, wouldn't it make more
sense to disable accounts (or better  IP's) that are attempting cracking

Disable accounts on repeated fails and you make it trivial to DoS someone.
Disable IP addresses and you lock out the innocent on shared proxy servers.


than force users to choose uncomfortable passwords?

Here are some tips on choosing hard-to-guess passwords that are easy to
remember:

   http://www.lugnet.com/people/members/password-suggestions

There were some threads on this on Slashdot a while back, and several people
noted that one of the best ways to remember a password is to use it often
in the beginning so that your fingers actually begin to remember it (through
so-called "muscle memory").  Like riding a bike, you tend not to forget it
after a certain point.  Some people suggested keeping it written down on a
paper that you keep with your person until you're comfortable that you
absolutely know it and won't forget it, then you eat that piece of paper.  :)

LUGNET's pw changer

   http://www.lugnet.com/people/members/pw/

lets you add a new password (keeping the old one just in case) before
retiring the old one.  Kinda like having a spare set of keys.


You might want to consider letting your users, many of whom understand
the issues and risks as well as you do, decide for themselves what
strength password to use.

Ahh, that is *sooo* tempting -- and I appreciate the practical advice -- but
how many people wouldn't just be lazy and click that checkbox (or whatever it
was)?

   "Yah sure, I understand...urrp.  OK, bob123cat it is!...Whee!...urrp."
        [...two weeks later...]
   "Hey, I didn't write that on my page!  Hey, that's not my butt!  Hey, I'm
   not selling that!  Hey, I didn't bid on that!  What the fsck is going on?!"

Second, how many people with enough cognitive reasing power and/or training
to grok the combinatorics up, down, and sideways don't have the cognitive
ability to invent an easy-to-remember but hard-to-guess password?


Also, I don't think Larry and I have a problem with the fact that you
reject trivial passwords, but that your standards are a bit too high
for practical use.

I'll agree with that.  I think they may still be a bit too high.  I still
seriously consider Larry's original suggestion of having two thresholds --
one for "this is really highly suggsted" and a slightly lower one for "this
is the lowest safely allowed."  The thresholds can be tuned very finely.


Remember, any security measure should be designed
to delay subversion, not prevent it outright, which is theoretically
impossible.  Have you determined what ammound of difficulty is required
before you could detect the intrusion attempt?

A corrupted cookie file could look like an intrusion attempt, although a
corrupted cookie file isn't so likely to result in rapid variations and
permutations without something like stack frame variable corruption.


Or did you set an artificially
high standard (like months or years) without consideration of the impact
it would have on legitemate use?  The president would be alot safer if
he never went out in public, but that would interfere unacceptably with
his normal activities.

I'm not sure if I'm remembering the figures exactly, but IIRC it currently
passes 6-character pw's containing an average of approximately 24-26 bits of
unique information.  To make pw's more "practical" would mean dropping that
even further (26 is already somewhat risky) down to something like probably
18.  Even 2^20 is only one million, and 2^18 is only 1/4 million.  If someone
ran one innocuous HTTP request per second, it would take less than a week to
make 2^18 attempts in that more relaxed pw validation scenario.

2^18 is open net hockey for crackers.

--Todd



Message has 4 Replies:
  Re: LUGNET Memberships
 
Hi there! Excuse me if i am totally lost here... Is it not so that a 6 letter password containing letters from A to Z and 0 to 9, can have 36^6 different combinations and contains 48 bits in a unique order? A binary value containing 0 or 1 in 8 (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
  Re: LUGNET Memberships
 
(...) Not if you only disable loggin in as that user from that ip. (...) I think a minimum of 6 characters is a good limit. It's the character diversity that is causeing problems. Also, you could make failed attempts take a few extra seconds to (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
  Re: LUGNET Memberships
 
(...) My old bank (US Trust) used my social security number + PIN for phone access to my account. Eep. (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
  Re: LUGNET Memberships
 
(...) I'm amazed on how complex and sophisticated the Lugnet password system is. There are the password suggestions, Password strength analyzer which even includes an internal dictionary and gives you the CPU time that it took to analyze the (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)

Message is in Reply To:
  Re: LUGNET Memberships
 
(...) Actually, all they need to know is my customer number and a PIN to view my account records. I would consider my bank account records much more valuable than my LUGNET profile, no offense :) If the concern is script kiddies cracking accounts, (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)

113 Messages in This Thread:
(Inline display suppressed due to large size. Click Dots below to view.)
Entire Thread on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact

This Message and its Replies on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact
    

Custom Search

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR