In article <0001HW.BF8557B200095884F0305550@news.easynews.com>, Caprice
<Caprice@badluck.com> wrote:
> On Wed, 26 Oct 2005 12:44:57 -0700, go||um: wrote
> (in article <4fmvl1dtl0n7kihl0vq40m8f6ia8eoh7up@4ax.com>):
>
> > On Wed, 26 Oct 2005 18:48:02 GMT, Caprice <Caprice@badluck.com> wrote:
> >
> >> On Tue, 25 Oct 2005 10:34:05 -0700, Flowerchild wrote
> >> (in article <0001HW.BF83BAC8000541B5F058A550@news.easynews.com>):
> >>
> >>> On Oct 20, 2005, Caprice wrote:
> >>>
> >>>> Password security is a balance (like most things in life). The balance
> >>>> is
> >>>> between having a strong password that is hard to break and having a
> >>>> password
> >>>> that can remembered without writing it down.
> >>>>
> >>>> It is astounding how many people write their passwords down and have
> >>>> them
> >>>> easily accessible when they have serious things to hide. This is fairly
> >>>> easily avoided.
> >>>>
> >>>> For most applications (like email with friends) a simple password that
> >>>> no
> >>>> one
> >>>
> >>>> knows will do. But this assumes that no one is really interested in
> >>>> what
> >>>> you
> >>>
> >>>> are trying to protect and what you are protecting will, if exposed, have
> >>>> a
> >>>> small impact. After all, if "email is like a postcard" guideline, who
> >>>> really cares if you are having fun at the beach.
> >>>>
> >>>> All that changes, however, when there is compromising information either
> >>>> in
> >>>> storage or in messages, posts, cache files, etc. Then the risk of
> >>>> exposure
> >>>> is high and often the effort to expose will be done by people trained in
> >>>> detecting passwords either physically or virtually. In other words,
> >>>> they
> >>>> know where and how to look to gain access to your files.
> >>>>
> >>>> In that case I think it is good to have a method of generating strong
> >>>> passwords that you don't have written down anywhere and that only you
> >>>> know
> >>>> about. Moreover the passwords have to be strong. Strong here is
> >>>> defined
> >>>> to
> >>>> mean difficult and time-consuming to detect.
> >>>>
> >>>> A brute force attack will eventually reveal any password. The
> >>>> statistical
> >>>> reality is that the detection could take a long time or a short time.
> >>>> There
> >>>> is no way to know since it's based on luck. I lot of times people are
> >>>> fooled
> >>>
> >>>> by claims that it takes hours and hours to break the password. That's
> >>>> not
> >>>> really true. It takes hours and hours to exhaust possibilities. In
> >>>> reality
> >>>> your password could be revealed on the 10th try just by luck alone.
> >>>>
> >>>> I did some research and came up with the following which makes sense to
> >>>> me.
> >>>>
> >>>> Of course comments are welcome and if there are oversights and other
> >>>> considerations so that this knowledge can be upgraded that would be
> >>>> particularly useful.
> >>>>
> >>>> The following is from www.securitystats.com they also have a meter
> >>>> that
> >>>> 'tests' password strength. DO NOT put any password you actually use
> >>>> into
> >>>> that meter. I have no idea who these people are and whether or not they
> >>>> are
> >>>> legit. I thought their advice was sound although have edited some it.
> >>>>
> >>>> Some passwords do and don'ts:
> >>>>
> >>>> Many intruders enter systems simply by guessing passwords and even the
> >>>> best
> >>>> passwords can eventually be defeated mathematically, given enough time.
> >>>> The
> >>>> use of strong passwords acts as a firm deterrent against password
> >>>> guessing
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> or
> >>>> doubled as a password).
> >>>>
> >>>>
> >>>> form.
> >>>>
> >>>> the
> >>>> first letter, but add uppercase letters throughout the password.
> >>>> spelling
> >>>>
> >>>>
> >>>> includes
> >>>> pet
> >>>> names, license plate numbers, telephone numbers, identification numbers,
> >>>> the
> >>>> brand of your automobile, the name of the street you live on, and so on.
> >>>> Such
> >>>
> >>>> passwords are very easily guessed by someone who knows the user.
> >>>>
> >>>> alphabet
> >>>>
> >>>> at
> >>>> the
> >>>
> >>>> keyboard. This makes it harder for someone to steal your password by
> >>>> looking
> >>>> at your keyboard (also known as "shoulder surfing").
> >>>> thereof.
> >>>>
> >>>> network
> >>>> integrity (such as root on a Unix host or Administrator on Windows NT),
> >>>> the
> >>>> more frequently the password should be changed. This change stops
> >>>> someone
> >>>> who
> >>>
> >>>> has already compromised an account from continued access.
> >>>>
> >>>>
> >>>> gotten
> >>>> from
> >>>>
> >>>> or
> >>>>
> >>>> or
> >>>>
> >>>> extremely
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>> Thanks for all your hard work with your Security posts.
> >>> Just because no one make a (like this) statement doesn't mean they
> >>> are not read.
> >>>
> >>
> >> You are most welcome.
> >
> > Yeah I'd like to say the same. Thanks. When I'm not busy bashing you,
> > I'm reading your contributions.
> >
> > I really am thankful, but your password post has been bugging me for a
> > week now, so I feel I should say something. Problem is, I'm very
> > uncomfortable having open discussions about password security. By
> > talking about it, in effect we are giving away clues as to how we may
> > have designed our passwords. So, I'm not going to say much, except
> > this:
> >
> > 1. Your post has tips in it that are contradictory.
> >
> > 2. Your post has tips in it that contradict the security faq that I
> > will attach to this post. Ironically, and although I had read previous
> > versions of this before, I got this version from Duey. Remember him?
> >
> > Like I said, I appreciate and am thankful for your efforts.
> >
> >
> > -g
>
> Thanks for your interest.
>
> A couple of points:
>
> 1. You are right that there is a balance between discussing security
> practices and giving up tips as to how one handles his own security. That is
> why I post general advice that may lead to specific practices rather than to
> discuss the practices themselves.
>
> For example, I may say to mix numbers, special characters and letters in
> passwords, but do not say if I do that or if so, how I do that. Each person
> has to devise his own method. What I have posted is a group of things to
> consider while doing so.
>
> 2. It may be that there are contradictions within or between the posts. I
> note in the Dr. Who FAQ it says to create and encrypt a text file of
> passwords and in the other post it says not to write passwords down. Note,
> please that the Dr. Who advice is specifically in regard to PGP.
>
> Again, each person has to create his own method of developing passwords. The
> best methods (as I said) are those that create passwords that don't need to
> be written down and are already memorized by the person. One might pick a
> particular event of importance in his life, abbreviate the name of the event,
> intersperse numbers and letters with the numbers being the date of the event
> and also mix in some special characters.
>
> For example: - !2WoR0lD0fa6ir# - (The event being the 2006 World
> Fair)....this password is considered 'very strong' by the password tester
> mentioned in the post, and it is fairly easily memorized. Moreover that
> method can give rise to numerous passwords that are all strong.
>
> Finally, just to say that there are contradictions in the tips is not that
> helpful., unless if you could take a little more time and show specifically
> what those contradictions are. As my post stated this kind of discussion is
> good and can be productive if it leads to better methods.
>
> Thanks for your help.
>
>
Good post.
Ah, it looks like I could have written it. :-)
That can be construed as a complement, an insult, or both, or it could
be accepted as a warning to try to write a little differently, to
better maintain our differences. We don't want to revive the hosiery
marionettes situation.
Do you remember the tips I gave you in email, and if so, do you think
they should be shared publicly? I've developed some more tips of a
similar nature. Of course, we don't want to share them with LEA, but we
shouldn't assume they can't think up anything we can think of. They can
afford to hire the best brains in the business (but the worst bodies)
to outthink us. Even if we look better. :-)
But then, The Purloined Letter is a classic that still works, if done
well.
Y Not
"Those who know, know who knows."
|
|