On Wed, 26 Oct 2005 12:44:57 -0700, go||um: wrote
(in article <4fmvl1dtl0n7kihl0vq40m8f6ia8eoh7up@4ax.com>):
> On Wed, 26 Oct 2005 18:48:02 GMT, Caprice <Caprice@badluck.com> wrote:
>
>> On Tue, 25 Oct 2005 10:34:05 -0700, Flowerchild wrote
>> (in article <0001HW.BF83BAC8000541B5F058A550@news.easynews.com>):
>>
>>> On Oct 20, 2005, Caprice wrote:
>>>
>>>> Password security is a balance (like most things in life). The balance
>>>> is
>>>> between having a strong password that is hard to break and having a
>>>> password
>>>> that can remembered without writing it down.
>>>>
>>>> It is astounding how many people write their passwords down and have them
>>>> easily accessible when they have serious things to hide. This is fairly
>>>> easily avoided.
>>>>
>>>> For most applications (like email with friends) a simple password that no
>>>> one
>>>
>>>> knows will do. But this assumes that no one is really interested in what
>>>> you
>>>
>>>> are trying to protect and what you are protecting will, if exposed, have
>>>> a
>>>> small impact. After all, if "email is like a postcard" guideline, who
>>>> really cares if you are having fun at the beach.
>>>>
>>>> All that changes, however, when there is compromising information either
>>>> in
>>>> storage or in messages, posts, cache files, etc. Then the risk of
>>>> exposure
>>>> is high and often the effort to expose will be done by people trained in
>>>> detecting passwords either physically or virtually. In other words, they
>>>> know where and how to look to gain access to your files.
>>>>
>>>> In that case I think it is good to have a method of generating strong
>>>> passwords that you don't have written down anywhere and that only you
>>>> know
>>>> about. Moreover the passwords have to be strong. Strong here is defined
>>>> to
>>>> mean difficult and time-consuming to detect.
>>>>
>>>> A brute force attack will eventually reveal any password. The
>>>> statistical
>>>> reality is that the detection could take a long time or a short time.
>>>> There
>>>> is no way to know since it's based on luck. I lot of times people are
>>>> fooled
>>>
>>>> by claims that it takes hours and hours to break the password. That's
>>>> not
>>>> really true. It takes hours and hours to exhaust possibilities. In
>>>> reality
>>>> your password could be revealed on the 10th try just by luck alone.
>>>>
>>>> I did some research and came up with the following which makes sense to
>>>> me.
>>>>
>>>> Of course comments are welcome and if there are oversights and other
>>>> considerations so that this knowledge can be upgraded that would be
>>>> particularly useful.
>>>>
>>>> The following is from www.securitystats.com they also have a meter that
>>>> 'tests' password strength. DO NOT put any password you actually use into
>>>> that meter. I have no idea who these people are and whether or not they
>>>> are
>>>> legit. I thought their advice was sound although have edited some it.
>>>>
>>>> Some passwords do and don'ts:
>>>>
>>>> Many intruders enter systems simply by guessing passwords and even the
>>>> best
>>>> passwords can eventually be defeated mathematically, given enough time.
>>>> The
>>>> use of strong passwords acts as a firm deterrent against password
>>>> guessing
>>>>
>>>>
>>>>
>>>>
>>>> doubled as a password).
>>>>
>>>>
>>>> form.
>>>>
>>>> first letter, but add uppercase letters throughout the password.
>>>> spelling
>>>>
>>>>
>>>> pet
>>>> names, license plate numbers, telephone numbers, identification numbers,
>>>> the
>>>> brand of your automobile, the name of the street you live on, and so on.
>>>> Such
>>>
>>>> passwords are very easily guessed by someone who knows the user.
>>>>
>>>> alphabet
>>>>
>>>> the
>>>
>>>> keyboard. This makes it harder for someone to steal your password by
>>>> looking
>>>> at your keyboard (also known as "shoulder surfing").
>>>>
>>>> integrity (such as root on a Unix host or Administrator on Windows NT),
>>>> the
>>>> more frequently the password should be changed. This change stops someone
>>>> who
>>>
>>>> has already compromised an account from continued access.
>>>>
>>>>
>>>> from
>>>>
>>>>
>>>>
>>>> extremely
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>> Thanks for all your hard work with your Security posts.
>>> Just because no one make a (like this) statement doesn't mean they
>>> are not read.
>>>
>>
>> You are most welcome.
>
> Yeah I'd like to say the same. Thanks. When I'm not busy bashing you,
> I'm reading your contributions.
>
> I really am thankful, but your password post has been bugging me for a
> week now, so I feel I should say something. Problem is, I'm very
> uncomfortable having open discussions about password security. By
> talking about it, in effect we are giving away clues as to how we may
> have designed our passwords. So, I'm not going to say much, except
> this:
>
> 1. Your post has tips in it that are contradictory.
>
> 2. Your post has tips in it that contradict the security faq that I
> will attach to this post. Ironically, and although I had read previous
> versions of this before, I got this version from Duey. Remember him?
>
> Like I said, I appreciate and am thankful for your efforts.
>
>
> -g
Thanks for your interest.
A couple of points:
1. You are right that there is a balance between discussing security
practices and giving up tips as to how one handles his own security. That is
why I post general advice that may lead to specific practices rather than to
discuss the practices themselves.
For example, I may say to mix numbers, special characters and letters in
passwords, but do not say if I do that or if so, how I do that. Each person
has to devise his own method. What I have posted is a group of things to
consider while doing so.
2. It may be that there are contradictions within or between the posts. I
note in the Dr. Who FAQ it says to create and encrypt a text file of
passwords and in the other post it says not to write passwords down. Note,
please that the Dr. Who advice is specifically in regard to PGP.
Again, each person has to create his own method of developing passwords. The
best methods (as I said) are those that create passwords that don't need to
be written down and are already memorized by the person. One might pick a
particular event of importance in his life, abbreviate the name of the event,
intersperse numbers and letters with the numbers being the date of the event
and also mix in some special characters.
For example: - !2WoR0lD0fa6ir# - (The event being the 2006 World
Fair)....this password is considered 'very strong' by the password tester
mentioned in the post, and it is fairly easily memorized. Moreover that
method can give rise to numerous passwords that are all strong.
Finally, just to say that there are contradictions in the tips is not that
helpful., unless if you could take a little more time and show specifically
what those contradictions are. As my post stated this kind of discussion is
good and can be productive if it leads to better methods.
Thanks for your help.
|
|