In lugnet.people, Kevin Loch writes:
> Actually, all they need to know is my customer number and a PIN to view my
> account records.
ouch. How easy is it for a thief to get your customer number? How many
digits is your PIN?
> I would consider my bank account records much more valuable
> than my LUGNET profile, no offense :)
natch. :)
> If the concern is script kiddies cracking accounts, wouldn't it make more
> sense to disable accounts (or better IP's) that are attempting cracking
Disable accounts on repeated fails and you make it trivial to DoS someone.
Disable IP addresses and you lock out the innocent on shared proxy servers.
> than force users to choose uncomfortable passwords?
Here are some tips on choosing hard-to-guess passwords that are easy to
remember:
http://www.lugnet.com/people/members/password-suggestions
There were some threads on this on Slashdot a while back, and several people
noted that one of the best ways to remember a password is to use it often
in the beginning so that your fingers actually begin to remember it (through
so-called "muscle memory"). Like riding a bike, you tend not to forget it
after a certain point. Some people suggested keeping it written down on a
paper that you keep with your person until you're comfortable that you
absolutely know it and won't forget it, then you eat that piece of paper. :)
LUGNET's pw changer
http://www.lugnet.com/people/members/pw/
lets you add a new password (keeping the old one just in case) before
retiring the old one. Kinda like having a spare set of keys.
> You might want to consider letting your users, many of whom understand
> the issues and risks as well as you do, decide for themselves what
> strength password to use.
Ahh, that is *sooo* tempting -- and I appreciate the practical advice -- but
how many people wouldn't just be lazy and click that checkbox (or whatever it
was)?
"Yah sure, I understand...urrp. OK, bob123cat it is!...Whee!...urrp."
[...two weeks later...]
"Hey, I didn't write that on my page! Hey, that's not my butt! Hey, I'm
not selling that! Hey, I didn't bid on that! What the fsck is going on?!"
Second, how many people with enough cognitive reasoning power and/or training
to grok the combinatorics up, down, and sideways don't have the cognitive
ability to invent an easy-to-remember but hard-to-guess password?
> Also, I don't think Larry and I have a problem with the fact that you
> reject trivial passwords, but that your standards are a bit too high
> for practical use.
I'll agree with that. I think they may still be a bit too high. I still
seriously consider Larry's original suggestion of having two thresholds --
one for "this is really highly suggested" and a slightly lower one for "this
is the lowest safely allowed." The thresholds can be tuned very finely.
> Remember, any security measure should be designed
> to delay subversion, not prevent it outright, which is theoretically
> impossible. Have you determined what amount of difficulty is required
> before you could detect the intrusion attempt?
A corrupted cookie file could look like an intrusion attempt, although a
corrupted cookie file isn't so likely to result in rapid variations and
permutations without something like stack frame variable corruption.
> Or did you set an artificially
> high standard (like months or years) without consideration of the impact
> it would have on legitimate use? The president would be a lot safer if
> he never went out in public, but that would interfere unacceptably with
> his normal activities.
I'm not sure if I'm remembering the figures exactly, but IIRC it currently
passes 6-character pw's containing an average of approximately 24-26 bits of
unique information. To make pw's more "practical" would mean dropping that
even further (26 is already somewhat risky) down to something like probably
18. Even 2^20 is only one million, and 2^18 is only 1/4 million. If someone
ran one innocuous HTTP request per second, it would take less than a week to
make 2^18 attempts in that more relaxed pw validation scenario.
2^18 is open net hockey for crackers.
--Todd
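As an added illustration of the arithmetic in the post above (not code from LUGNET or its password analyzer), here is a small Python script that estimates password entropy from the character classes used, converts a bit count into worst-case brute-force time at a given request rate, and applies the two-threshold policy Larry suggested. The 18- and 26-bit thresholds and the one-request-per-second rate come from the post; the charset-based estimate is my own crude assumption and deliberately ignores dictionary words, which is exactly why "bob123cat" scores better here than it deserves.

```python
import math
import string

# Constructed character classes used to size the alphabet a password draws from.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

SECONDS_PER_DAY = 86400


def estimate_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(size of the alphabet actually used).

    Only the character classes present are counted; dictionary words and
    keyboard patterns are not detected, so this is an upper bound (assumption:
    a real analyzer such as LUGNET's would score lower)."""
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES
                   if any(c in cls for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def days_to_exhaust(bits: float, attempts_per_second: float = 1.0) -> float:
    """Days needed to try every password in a 2**bits space at the given rate."""
    return (2.0 ** bits) / attempts_per_second / SECONDS_PER_DAY


def classify(bits: float, minimum: float = 18.0, recommended: float = 26.0) -> str:
    """Two-threshold policy: below the floor is rejected, between the floor and
    the recommended level is accepted with a warning, above it is accepted."""
    if bits < minimum:
        return "reject"
    if bits < recommended:
        return "warn"
    return "accept"


if __name__ == "__main__":
    for bits in (18, 20, 26):
        print(f"2^{bits} guesses at 1 req/s: {days_to_exhaust(bits):.1f} days")
    for pw in ("abcdef", "abc123", "bob123cat"):
        b = estimate_bits(pw)
        print(f"{pw!r}: ~{b:.1f} bits -> {classify(b)}")
```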