OT: Passwords

Robert Bonomi wrote:

... and that would still fail certain agencies' password rules because it does not have any non-alpha characters in it.
/not kidding
--

There is never a situation where having more rounds is a disadvantage

Rob Leatham

Yawp. I *know*. In such situations, I've been known to use a password consisting of 1 upper-case letter, 1 lower-case letter, and 8 _space_ characters.
In at least one instance the in-house 'tiger team' went back and re-implemented their password cracker when they found out what I was doing.
Really _good_ password systems allow _any_ character as part of the 'password', including things like 'backspace'. This increases the 'search space' that the attacker (using a password cracker) has to probe *immensely*, has very good odds of fooling someone who is watching it typed in, and numerous other advantages.
One of the -best- systems I saw: prompted for a password, then, no matter _what_ you entered, responded "invalid", prompted again, and again, no matter _what_ you entered, responded "invalid", prompted a third time, checked that response for minimum acceptable length, but otherwise ignored it, and let you in _if_and_only_if_ the first two attempts (a) matched, and (b) were the correct password.
*Amazingly* effective against those who didn't have inside knowledge about how the system worked.
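As an added example (not code from any poster in this thread): a small Python script showing why the one-upper, one-lower, eight-spaces password above passes a "must contain a non-alpha character" rule, why it is unreachable for an exhaustive cracker whose alphabet omits the space, and how much the search space grows when any byte (backspace included) is allowed. The alphabets, the rule and the sample passwords are constructed for illustration.

```python
import math
import string

# Alphabets a brute-force cracker might be configured with. Assumption:
# these are illustrative sets, not any particular tool's defaults.
PRINTABLE_NO_SPACE = string.ascii_letters + string.digits + string.punctuation
PRINTABLE_WITH_SPACE = PRINTABLE_NO_SPACE + " "
# Every byte value, so control keys such as backspace (0x08) count too,
# as in the "really good" systems the post describes.
ANY_BYTE = "".join(chr(i) for i in range(256))


def naive_rule_ok(pw: str, min_len: int = 8) -> bool:
    """The agency-style rule from the thread: long enough and containing
    at least one non-alphabetic character. Spaces satisfy it."""
    return len(pw) >= min_len and any(not c.isalpha() for c in pw)


def reachable(pw: str, alphabet: str) -> bool:
    """True if an exhaustive cracker restricted to `alphabet` can ever
    generate `pw`. A single character outside the alphabet makes it
    unreachable, whatever the cracker's speed."""
    return all(c in alphabet for c in pw)


def search_space_bits(length: int, alphabet: str) -> float:
    """log2 of the number of candidates a cracker must try for passwords
    of `length` drawn from `alphabet` (the thread's 'search space')."""
    return length * math.log2(len(set(alphabet)))


def assess(pw: str) -> dict:
    """Summarise how a password fares under the naive rule and against
    crackers with alphabets of increasing size."""
    return {
        "rule_ok": naive_rule_ok(pw),
        "reach_no_space": reachable(pw, PRINTABLE_NO_SPACE),
        "reach_with_space": reachable(pw, PRINTABLE_WITH_SPACE),
        "bits_with_space": round(search_space_bits(len(pw), PRINTABLE_WITH_SPACE), 1),
        "bits_any_byte": round(search_space_bits(len(pw), ANY_BYTE), 1),
    }


if __name__ == "__main__":
    # Constructed samples: the post's 1 upper + 1 lower + 8 spaces trick,
    # and the cartoon-name password quoted later in the thread.
    for sample in ("Aa" + " " * 8, "MickeyMinniePlutoHueyLouieDeweyDonaldGoofy$acramento"):
        print(repr(sample), assess(sample))
```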
On Sun, 24 Jan 2010 17:05:59 -0600, snipped-for-privacy@host122.r-bonomi.com (Robert Bonomi) wrote:

MickeyMinniePlutoHueyLouieDeweyDonaldGoofy$acramento
Security through obscurity isn't security at all.

"Yahbut" applies. Obscurity _on_top_of_ good quality fundamentals *does* make life more difficult for the outside attacker.
Obscurity, _in_and_of_itself_, cannot be relied on to ensure security.
Obscurity, in the form of 'misdirection' especially, _can_ be effective in causing _most_ attackers to waste their efforts in a direction that _cannot_ succeed.
On 1/24/2010 5:34 PM, Robert Bonomi wrote:

And, like those "hidden" devices that are so out in the open that damn few would ever look into, like the dummy wall receptacle "bank" with a plug running to a lamp, that works.
--
www.e-woodshop.net
Last update: 10/22/08
On Sun, 24 Jan 2010 17:34:24 -0600, snipped-for-privacy@host122.r-bonomi.com (Robert Bonomi) wrote:

But without the underlying security, obscurity isn't of any use. If the underlying system is secure, the obscure has no function other than to piss off legitimate users, which will tend to reduce security (e.g. silly PW rules will tend to cause PWs to be written on Postit notes). OTOH, some obscurity will completely compromise any security that's there (e.g. the key under the third rock from the left).
In any case, a system should withstand a reasonable attack if all of the rules (and even the software) are openly published. Indeed, open-kimono can improve security by exposing holes more readily. In the end, obscurity is only a thin blanket for the lack of security.
HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.