To LUGNET HomepageTo LUGNET News HomepageTo LUGNET Guide Homepage
 Help on Searching
 
Post new message to lugnet.admin.generalOpen lugnet.admin.general in your NNTP NewsreaderTo LUGNET News Traffic PageSign In (Members)
 Administrative / General / 7817
7816  |  7818
Subject: 
 Re: Password Tips
Newsgroups: 
 lugnet.admin.general
Date: 
 Wed, 27 Sep 2000 21:30:28 GMT
Viewed: 
 302 times
  
In lugnet.people, Todd Lehman writes:
In lugnet.people, Kevin Loch writes:
[...]
Basically, avoid regular letters and numbers at all cost.

Gee, that was so funny I almost forgot to laugh.  There are plenty of
6-character pw's that you can use that have 5 letters and one number or
special character, and plenty of 7-character pw's that you can use that are
all lowercase letters.  I don't see why some people are having trouble coming
up with something.

Here's a good one:

Long,Term/P1an!

Passed with +178%

I think I've got the hang of it now.

But be that as it may, I would much rather discuss practical ways to limit
brute-force cracking throughput so that the strictness of the validator can
be lowered to something more human-factors-friendly.


Delaying positive and negative results and temporarally blocking ip's for
logins that have too many tries is probably the best way to discourage
cracking.

Another thing would be to switch to a passphrase system.  People could
use passphrases of up to 256 characters, with a minimum of 2 space characters
and 10 other characters would do fine.  That way you could use less stringent
requirements (say at least one non [a-z] character and or at least one numer).
That would open up the keyspace significantly.  The idea is people use
combinations of less secure "words" to make a much stronger easier
and much easier to remember phrase.  Be careful not to make the diversity
rules too strict, if you have to have a bunch of Caps or special symbols
it is difficult to remember where you put them  in your phrase.

Another good system is to ask people a series of questions that only
they know the answer to and have several challenge/response questions
chosen at random for each login.  This has some resistance to sniffing.
The security against brute force is very similar to passphrases in that
it has a very large keyspace and the attacker has no idea how many characters
long the pw is (as opposed to traditional pw's that are 5-8 chars in length
even if longer is permitted, especialy if they have to be hard to remember).



1 Message in This Thread:

Entire Thread on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact
    
Custom Search

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR