[ale] passwords

Michael H. Warfield mhw at WittsEnd.com
Sat Feb 12 11:47:21 EST 2011


On Sat, 2011-02-12 at 11:04 -0500, Drifter wrote: 
> The recent chatter about network security has, mostly, skirted around the 
> password problem. Too many web sites that need strong security restrict 
> passwords by length, or character set, or both. So also do many corporate 
> web sites.  Software exists that can generate random alphanumeric 
> passwords, but they routinely suffer the same fault: being difficult to 
> remember, users end up with notes taped to monitors, voiding the security.
> 
> For the past decade or so I have been recommending that computer users 
> pick out several favorite poems/songs and use them to generate passwords.
> 
> For example, fans of mathematics might reach for Lewis Carroll:
> 
> The time has come, the Walrus said, to talk of many things,
> 
> which would generate the short password  <tthctwsttomt>, which munged just 
> a little bit becomes <TthctW5ttomT>.
> 
> or perhaps, 
> 
> ’Twas brillig, and the slithy toves
> Did gyre and gimble in the wabe
> 
> which would generate <tbatstDgagitw>
> 
> English majors might prefer something from "The Love Song of J. Alfred 
> Prufrock":
> 
> In the room the women come and go,
> Talking of Michelangelo.
> 
> Or the opening of "A Tale of Two Cities":
> 
> It was the best of times, it was the worst of times;
> 
> I do not, for obvious reasons, ever suggest the song
> "All I want for Christmas is a hippopotamus."  :)
> 
> The people I advise do not understand the need for encryption, so the 
> topic of pass phrases does not usually come up. Memorable quotations from 
> obscure works are ideal, but all too often are not considered.

> I wish that financial institutions would lift restrictions on password 
> length and complexity, but that would, almost certainly, entail reworking 
> a poorly crafted database.

What this doesn't solve is the sheer mind-numbing number of passwords we
have to remember.  A recent security report indicated that after one
break-in and compromise of a huge password database, numerous other sites
were broken into via the cracked passwords and accounts.  They had
reused their passwords on sites everywhere from silly games to social
networking to banking.  I have several hundred unique passwords to
different sites, all different and all random.  Some sites I haven't
visited in over a year (Bugzillas and listservs mostly). They're stored
in the password manager Revelation (which, I know, even though the
database is AES-256 encrypted, they didn't do the most optimal job of
seeding and implementing the encryption on the safe) with the database
stored on an encrypted file system.  It takes a very long, very strong
passphrase to decrypt it.  Once it's open, it's a quick cut-n-paste into
a site and FF seems to clear the cnp buffer once a password has been
used so there's little risk from cnp reuse.  Also inhibits shoulder
surfing and keystroke timing attacks (for those services that might be
subject to keystroke timing sniffing).

Even federated ID systems, such as SecurID, have come under attack as
well as some 2-factor authentication such as SecurID, cell phone text
system, and even smart cards.  A one time password system such as S/KEY
or OPIE would be nice, but I don't see any becoming popular anytime
soon.  Short of that, a well-protected password safe that's convenient to
use with a good password generator is about the best you can hope for. 



> Sean

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
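
The two approaches discussed in this thread, side by side, as an added example that is not part of the original messages: the first-letter mnemonic from the quoted post, and a random generator that works within a site's length cap and character-set restriction. The function names and the sample site policy are assumptions made for illustration.

```python
import math
import re
import secrets
import string

def initials(line):
    """First letter of each word, lowercased (the mnemonic scheme in the quoted post)."""
    words = re.findall(r"[A-Za-z][A-Za-z'’]*", line)
    return "".join(w[0].lower() for w in words)

def uniform_bits(length, alphabet_size):
    """Upper bound on entropy: only reached if every character is chosen uniformly."""
    return length * math.log2(alphabet_size)

def generate(max_len, classes):
    """Random password for a site that caps length and restricts characters.

    classes is a list of allowed character sets; at least one character from
    each set is guaranteed. Rejection sampling keeps the result uniform over
    all passwords that satisfy the policy.
    """
    if max_len < len(classes):
        raise ValueError("length cap is too short to include every class")
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(max_len))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

if __name__ == "__main__":
    line = "The time has come, the Walrus said, to talk of many things,"
    mnemonic = initials(line)
    # Assumed site policy (constructed): at most 12 characters, letters and digits only.
    policy = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    random_pw = generate(12, policy)
    print(mnemonic, "<= %.1f bits" % uniform_bits(len(mnemonic), 26))
    print(random_pw, "~ %.1f bits" % uniform_bits(12, 62))
    # The mnemonic figure is only a ceiling: initial letters of English words
    # are not uniformly distributed, and a well-known line can be guessed whole.
```

The random password is meant to live in the password safe rather than in memory, one per site, so a compromise of one site's database does not expose the others.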