To LUGNET HomepageTo LUGNET News HomepageTo LUGNET Guide Homepage
 Help on Searching
 
Post new message to lugnet.off-topic.debateOpen lugnet.off-topic.debate in your NNTP NewsreaderTo LUGNET News Traffic PageSign In (Members)
 Off-Topic / Debate / 5514
5513  |  5515
Subject: 
Re: PW validation terms/labels
Newsgroups: 
lugnet.admin.general, lugnet.off-topic.debate
Followup-To: 
lugnet.off-topic.debate
Date: 
Fri, 5 May 2000 17:53:25 GMT
Viewed: 
28 times
  
Todd Lehman wrote:
Here is why "1 - Lax" is in fact lax and not even remotely close to serious:

1.  It passes terribly poor 4-character passwords such as "chow", "itso",
    and "frob", and in fact passes 90% of all 4-character randomly generated
    pw's using a linear distribution of the letters 'a' to 'z'.  26^4 =
    456,976 (bad).

2.  It passes 95% of all 4-character randomly generated pw's using a linear
    distribution of the letters a-z and the digits 0-9.  36^4 = 1,679,616
    (also bad).

3.  It passes 99% of all 4-character randomly generated pw's using a linear
    distribution of the 95 printable ASCII characters.  95^4 = 81,450,625
    (still rather bad).

It you believe that any of the above is not lax, then I would posit that you
have at best a weak understanding of even the most basic statistical and
mathematical issues related to pw cracking.  (Sorry.)

Perhaps part of the problem is the relative weights attached to various
elements of strength of passwords. I would generally agree that a 4
character password should not be accepted (of course I suspect most of
us have a significant amount of money protected only by our physical
possesion of a plastic card, and a 4 DIGIT password - I at least chose
an 8 digit PIN the one time I was allowed to chose a PIN, but few ATM
systems these days allow anything other than a 4 digit PIN).

I'm not sure that boiling the strength of a password down to a single
number is the best way to go about it. Why not require a few things,
like minimum length, and let the other checking try and reject trivial
extensions of a short password into the minimum length.

However, you have spoken that this is the final word on Lugnet
passwords, follow-ups to lugnet.off-topic.debate if anyone cares to
continue discussion.

--
Frank Filz

-----------------------------
Work: mailto:ffilz@us.ibm.com (business only please)
Home: mailto:ffilz@mindspring.com



Message has 1 Reply:
  Re: PW validation terms/labels
 
(...) For the average person or script kiddle to crack a 4-digit PIN via brute force, they'd have to: (1) first actually get someone's card; and then (2) manually try out up to 10,000 combinations, and IIRC, ATM's are programmed to eat cards after a (...) (25 years ago, 5-May-00, to lugnet.off-topic.debate)

Message is in Reply To:
  Re: PW validation terms/labels
 
(...) OK, fair enough. Labels gone. Just pure numbers in the drop-down list now. (...) The label covers (covered) what the setting allows in the worst-case. If you poke around enough (or, as I've done, run scripts internally that hammer on it to (...) (25 years ago, 5-May-00, to lugnet.admin.general)  

309 Messages in This Thread:
(Inline display suppressed due to large size. Click Dots below to view.)
Entire Thread on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact

This Message and its Replies on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact
    

Custom Search

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR