Re: Passwords (Cobol archive, March 2005)
Lueko Willms 2005-03-23, 3:55 am
.. On 18.03.05
wrote howard@brazee.net (Howard Brazee)
on /COMP/LANG/COBOL
in d1evfn$ofh$1@peabody.colorado.edu
about Passwords
HB> The problem with passwords is a serious problem. We can't use
HB> passwords that are easy to remember, and we can't write them down and
HB> post them next to our computer.
A couple of years ago I had made a count, and found that I had to
memorize 20 passwords (including PINs for bank and phone cards). With
all the web sites and web forums, this number has multiplied.
HB> What happens is often people go to
HB> a site that wants a password, and they try a dozen variations of
HB> their user-id until they get one that hasn't been used at that site
HB> before, log on, get a password, forget it, and repeat next time they
HB> need to go there. Or if they can, they use the same password
HB> everywhere.
The latter makes sense, actually not the same password everywhere,
but a set of, say 5 userid/password pairs depending on the necessary
security level.
HB> (I wonder how many sites have been created that are
HB> designed to harvest such passwords).
Well ... I don't know either.
At least, nobody has yet cracked the passwords I use for my bank
accounts...
Yours,
Lüko Willms http://www.willms-edv.de
/--------- L.WILLMS@jpberlin.de -- All rights reserved --
Instruction is found more often in the world than consolation. -G.C.Lichtenberg
Michael Wojcik 2005-03-23, 3:55 am
In article <9T7QryK9flB@jpberlin-l.willms.jpberlin.de>, l.willms@jpberlin.de (Lueko Willms) writes:
> . On 18.03.05
> wrote howard@brazee.net (Howard Brazee)
>
> HB> The problem with passwords is a serious problem. We can't use
> HB> passwords that are easy to remember, and we can't write them down and
> HB> post them next to our computer.
Of course there's a ton of research on passwords and other forms of
shared-secret (and secret-and-verifier) authentication in computer
security. And the conclusion everyone comes to - unless they just
adopt it as an axiom to begin with - is that passwords, particularly
short passwords, simply do not work. They're a terrible mechanism.
(PINs are even worse. They're much too short, and they make other
attacks, like account scanning, possible. (In account scanning you
pick a PIN and try it across the whole range of account numbers.
Since there's only one login failure per account, the bank doesn't
lock access to any of the accounts. With a small PIN number space
and a lot of accounts, chances of finding a match are very good.)
And ATM cards contain the PIN in the clear anyway, so if you have
a card all you need is a mag-stripe reader. Pathetic.)
Pass *phrases* are a small improvement. A passphrase that's not too
difficult to remember can have as much entropy as a "good" password
without any trouble, even if the passphrase system doesn't require a
verbatim match (for example, it may fold case) in order to accommodate
minor differences. It's not hard for most people to remember a
quotation of a couple of sentences, for example.
It also helps to have a sensible threat model. It may be acceptable
to keep a file of passwords on a computer, for example, if it's
properly protected; if that machine is sufficiently compromised to
allow an attacker to get the contents of the file, they can get the
secret information in other ways (eg a keystroke logger). Absolute
security rules in the absence of a threat model are security theater,
and generally the sign that security policy is being set by someone
who knows nothing about the subject.
> HB> Or if they can, they use the same password everywhere.
>
> The latter makes sense, actually not the same password everywhere,
> but a set of, say 5 userid/password pairs depending on the necessary
> security level.
Or a single (or better handful of) passwords that are mangled
slightly, in a manner the user can reconstruct, for each login domain
- for example, the user appends a character he associates with the
site to the "base" password. That adds a little security against
manual attacks (it's negligible for automated ones that are at all
sophisticated).
> At least, nobody has yet cracked the passwords I use for my bank
> accounts...
You mean, none of the people who have cracked them have yet used
them in ways you have noticed.
--
Michael Wojcik michael.wojcik@microfocus.com
Proverbs for Paranoids, 1: You may never get to touch the Master,
but you can tickle his creatures. -- Thomas Pynchon
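Michael's description of account scanning above (one PIN tried once against each of many accounts, so no single account's failure counter ever reaches the lockout threshold) also says what a bank's authentication logs should be watched for. The following is an added detection example, not code from the thread; it assumes a constructed log format of timestamp, src, acct and result, and flags a source whose failures within a time window are spread over many accounts with at most one failure each.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (invented for this example, not from any real system).
# Source A: one failed PIN per account across many accounts (the scanning shape).
# Source B: one account failing repeatedly, which per-account lockout already covers.
SAMPLE_LOG = """\
2005-03-18T10:00:01 src=A acct=1001 result=FAIL
2005-03-18T10:00:02 src=A acct=1002 result=FAIL
2005-03-18T10:00:03 src=A acct=1003 result=FAIL
2005-03-18T10:00:04 src=B acct=2001 result=FAIL
2005-03-18T10:00:05 src=A acct=1004 result=FAIL
2005-03-18T10:00:06 src=B acct=2001 result=FAIL
2005-03-18T10:00:07 src=A acct=1005 result=FAIL
2005-03-18T10:00:08 src=B acct=2001 result=FAIL
2005-03-18T10:00:09 src=A acct=1006 result=FAIL
2005-03-18T10:00:10 src=A acct=1007 result=OK
"""

def parse_line(line):
    """Split one log line into (timestamp, source, account, result)."""
    ts, src, acct, result = line.split()
    return (datetime.fromisoformat(ts), src.partition("=")[2],
            acct.partition("=")[2], result.partition("=")[2])

def detect_account_scanning(log_text, window=timedelta(minutes=5),
                            min_accounts=5, max_per_account=1):
    """Return (source, distinct_accounts, first_ts, last_ts) for each source whose
    failures within `window` hit >= min_accounts accounts, none more than
    max_per_account times: a shape that never trips per-account lockout."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, acct, result = parse_line(line)
            if result == "FAIL":
                fails[src].append((ts, acct))
    alerts = []
    for src, events in fails.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window start
                start += 1
            per_acct = Counter(acct for _, acct in events[start:end + 1])
            if (len(per_acct) >= min_accounts
                    and max(per_acct.values()) <= max_per_account
                    and (best is None or len(per_acct) > best[1])):
                best = (src, len(per_acct), events[start][0], events[end][0])
        if best:
            alerts.append(best)  # one alert per source: its widest qualifying window
    return alerts
```

Source B's repeated failures against one account are deliberately not flagged here, since that is the case a per-account lockout counter already handles.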
Lueko Willms 2005-03-23, 3:55 am
.. On 18.03.05
wrote mwojcik@newsguy.com (Michael Wojcik)
on /COMP/LANG/COBOL
in d1fe3v0ge0@news2.newsguy.com
about Re: Passwords
MW> You mean, none of the people who have cracked them have yet used
MW> them in ways you have noticed.
Maybe.
Yours,
Lüko Willms http://www.willms-edv.de
/--------- L.WILLMS@jpberlin.de -- All rights reserved --
A book is a mirror: if an ape looks in, no apostle can look out. -G.C.Lichtenberg
James J. Gavan 2005-03-23, 3:55 am
Donald Tees wrote:
> Lueko Willms wrote:
> Under Linux, I can put them all in an encoded wallet, and have it
> remember them for me. If you get one of those half gig memory devices on
> a keychain, they plug into your USB slot, then place the wallet on the
> keychain device, you have a nice key to everything yours that will fit
> in your pocket. Under $100.
>
What's the official name for the 'half gig memory devices on a key
chain' ? Somebody in Future Shop demoed one to me while he was
discussing a new XP Machine, putting it into a USB slot to look at his
Word documents.
I've not yet seen one of those 'wire less' Mouse/Mice you once referred
to. Not that I spend my time sauntering around computer stores.
Jimmy