[ale] passwords

Tim Watts tim at cliftonfarm.org
Sat Feb 12 12:25:07 EST 2011

I've often wondered why those anti-spam word jumble graphics haven't
been deployed on logins as a measure against automated login attacks.
Certainly not foolproof -- and may pose accessibility issues for some --
but if there's one place where I'd like to maximize the probability that
an actual human is providing the input it's during authentication.

On Sat, 2011-02-12 at 11:47 -0500, Michael H. Warfield wrote:
> On Sat, 2011-02-12 at 11:04 -0500, Drifter wrote: 
> > The recent chatter about network security has, mostly, skirted around the 
> > password problem. Too many web sites that need strong security restrict 
> > passwords by length, or character set, or both. So also do many corporate 
> > web sites.  Software exists that can generate random alphanumeric 
> > passwords, but they routinely suffer the same fault: being difficult to 
> > remember, users end up with notes taped to monitors, voiding the security.
> > 
> > For the past decade or so I have been recommending that computer users 
> > pick out several favorite poems/songs and use them to generate passwords.
> > 
> > For example, fans of mathematics might reach for Lewis Carroll:
> > 
> > The time has come, the Walrus said, to talk of many things,
> > 
> > which would generate the short password  <tthctwsttomt>, which munged just 
> > a little bit becomes <TthctW5ttomT>.
> > 
> > Or perhaps, 
> > 
> > ’Twas brillig, and the slithy toves
> > Did gyre and gimble in the wabe
> > 
> > which would generate <tbatstDgagitw>.
> > 
> > English majors might prefer something from "The Love Song of J. Alfred 
> > Prufrock":
> > 
> > In the room the women come and go,
> > Talking of Michelangelo.
> > 
> > Or the opening of "A Tale of Two Cities":
> > 
> > It was the best of times, it was the worst of times;
> > 
> > I do not, for obvious reasons, ever suggest the song
> > "All I want for Christmas is a hippopotamus."  :)
> > 
> > The people I advise do not understand the need for encryption, so the 
> > topic of pass phrases does not usually come up. Memorable quotations from 
> > obscure works are ideal, but all too often are not considered.
> > I wish that financial institutions would lift restrictions on password 
> > length and complexity, but that would, almost certainly, entail reworking 
> > a poorly crafted database.
> What this doesn't solve is the sheer mind-numbing number of passwords we
> have to remember.  A recent security report indicated that after one
> break-in and compromise of a huge password database, numerous other sites
> were broken into via the cracked passwords and accounts.  They had
> reused their passwords on sites everywhere from silly games to social
> networking to banking.  I have several hundred unique passwords to
> different sites, all different and all random.  Some sites I haven't
> visited in over a year (bugzilla's and listservs mostly). They're stored
> in the password manager Revelation (which, I know, even though the
> database is AES-256 encrypted, they didn't do the most optimal job of
> seeding and implementing the encryption on the safe) with the database
> stored on an encrypted file system.  It takes a very long, very strong
> passphrase to decrypt it.  Once it's open, it's a quick cut-n-paste into
> a site and FF seems to clear the cnp buffer once a password has been
> used so there's little risk from cnp reuse.  Also inhibits shoulder
> surfing and keystroke timing attacks (for those services that might be
> subject to keystroke timing sniffing).
> Even federated ID systems, such as SecureID have come under attack as
> well as some 2-factor authentication such as SecureID, cell phone text
> system, and even smart cards.  A one time password system such as S/KEY
> or OPIE would be nice, but I don't see any becoming popular anytime
> soon.  Short of that, a well protected password safe that is convenient to
> use with a good password generator is about the best you can hope for. 
> > Sean
> Regards,
> Mike

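Drifter's first-letter derivation with its light "munging", alongside the random generator Mike wants in a password safe, as an added Python example that is not code from this thread. The munge table is an assumption chosen to reproduce the post's TthctW5ttomT, and because the function applies one case rule consistently the Jabberwocky line comes out as TbatstDgagitw where the post hand-derived tbatstDgagitw.

```python
import math
import re
import secrets
import string

# Constructed inputs: the two verse fragments quoted in the thread.
WALRUS = "The time has come, the Walrus said, to talk of many things,"
JABBERWOCKY = "’Twas brillig, and the slithy toves\nDid gyre and gimble in the wabe"
# Light "munging" table; the post states no rule, this one is an assumption
# chosen so that munge() reproduces the post's example.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "s": "5"})
# Alphabet for the random per-site passwords a password safe would hold.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def initials(text: str, preserve_case: bool = True) -> str:
    """First letter of every word, skipping leading punctuation (’Twas -> T).
    preserve_case keeps each letter as typed ("Walrus" gives "W"); otherwise
    the result is lowercased."""
    letters = []
    for word in text.split():
        match = re.search(r"[A-Za-z0-9]", word)
        if match:
            letters.append(match.group(0))
    password = "".join(letters)
    return password if preserve_case else password.lower()

def munge(password: str) -> str:
    """Apply LEET to all but the last letter, then capitalise the last one."""
    if not password:
        return password
    return password[:-1].translate(LEET) + password[-1].upper()

def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG, for a password safe."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly random password. No such figure exists
    for a verse-derived one: its strength is bounded by how guessable the
    source line is, not by its length."""
    return length * math.log2(len(alphabet))

if __name__ == "__main__":
    print(initials(WALRUS, preserve_case=False))  # tthctwsttomt
    print(munge(initials(WALRUS)))                # TthctW5ttomT
    print(initials(JABBERWOCKY))                  # TbatstDgagitw
    print(random_password(), round(entropy_bits(20), 1))
```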