Yawp. I *know*. In such situations, I've been known to use a password
consisting of 1 upper-case letter, 1 lower-case letter, and 8 _space_ characters.
In at least one instance the in-house 'tiger team' went back and re-implemented
their password cracker when they found out what I was doing.
Really _good_ password systems allow _any_ character as part of the 'password',
including things like 'backspace'. This increases the 'search space' that the
attacker (using a password cracker) has to probe *immensely*, has very good
odds of fooling someone who is watching it typed in, and numerous other
One of the -best- systems I saw:
  - prompted for a password,
  - then, no matter _what_ you entered, responded "invalid",
  - and again, no matter _what_ you entered, responded "invalid",
  - prompted a third time,
  - checked that response for minimum acceptable length, but otherwise ignored it,
  - and let you in _if_and_only_ the first two attempts (a) matched, and (b)
    were the correct password.
*Amazingly* effective against those who didn't have inside knowledge about how
the system worked.
"Yahbut" applies. Obscurity _on_top_of_ good quality fundamentals *does*
make life more difficult for the outside attacker.
Obscurity, _in_and_of_itself_, cannot be relied on to ensure security.
Obscurity, in the form of 'misdirection' especially, _can_ be effective in
causing _most_ attackers to waste their efforts in a direction that _cannot_
On Sun, 24 Jan 2010 17:34:24 -0600, firstname.lastname@example.org
(Robert Bonomi) wrote:
But without the underlying security, obscurity isn't of any use. If
the underlying system is secure, the obscure has no function other
than to piss off legitimate users, which will tend to reduce security
(e.g. silly PW rules will tend to cause PWs to be written on Post-it
notes). OTOH, some obscurity will completely compromise any security
that's there (e.g. the key under the third rock from the left).
In any case, a system should withstand a reasonable attack if all of
the rules (and even software) are openly published. Indeed,
open-kimono can improve security by exposing holes more readily. In
the end, obscurity is only a thin blanket for the lack of security.
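
The three-prompt login described earlier in this thread, as an added Python sketch that is not from either poster or from the system described. The minimum third-entry length, the salted PBKDF2 storage and every name here are assumptions, and the sample password is constructed.

```python
import hashlib
import hmac
import os

MIN_THIRD_LEN = 4  # assumption: the post only says "minimum acceptable length"

def derive(password: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2 storage; the post does not say how it was stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password: str):
    salt = os.urandom(16)
    return salt, derive(password, salt)

class ThreePromptLogin:
    """Two prompts that always answer 'invalid', then a third that decides."""

    def __init__(self, salt: bytes, stored: bytes):
        self.salt, self.stored = salt, stored
        self.entries = []

    def submit(self, entry: str) -> str:
        self.entries.append(entry)
        if len(self.entries) < 3:
            return "invalid"  # same reply whatever was typed
        first, second, third = self.entries
        self.entries = []  # the next entry starts a fresh session
        # Evaluate every condition before combining, so no check is skipped.
        matched = hmac.compare_digest(first.encode(), second.encode())
        correct = hmac.compare_digest(derive(first, self.salt), self.stored)
        long_enough = len(third) >= MIN_THIRD_LEN
        return "welcome" if (matched and correct and long_enough) else "invalid"

def attempt(login: ThreePromptLogin, entries):
    """Feed entries in order and return the reply to each."""
    return [login.submit(e) for e in entries]

if __name__ == "__main__":
    password = "Qz" + " " * 8  # constructed sample in the style the post describes
    login = ThreePromptLogin(*enroll(password))
    print(attempt(login, [password, password, "anything"]))   # legitimate user
    print(attempt(login, [password, "next guess", "another"]))  # right guess, tried once
```

The second call shows the misdirection at work: the correct password entered once draws the same "invalid" as any wrong one, while the stored hash and the comparison underneath are still doing the real work.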