[ale] OT - New encryption technology using a piece of paper

David Hillman hillmands at gmail.com
Mon Sep 5 22:14:56 EDT 2011


I guess I came too late to the party.  I read "Off The Grid" and wondered
how long it would be before really well-informed people poked holes in the
whole idea.  To me, it looks like it'll do a better job of creating
passwords than most of the user population (who might find it to be too
complicated).  The rest will have to be handled by the system administrator
with a defense strategy that consists of a mile-wide moat filled with
alligators, rocks and burning faeces.  Intruders tend to shy away from that
level of stinkiness.  Now that I have contributed, I can go back to reading
about Single Packet Authorization (SPA).


On Sun, Sep 4, 2011 at 8:56 PM, Michael H. Warfield <mhw at wittsend.com> wrote:

> On Sun, 2011-09-04 at 19:49 -0500, Pat Regan wrote:
> > On Sat, 03 Sep 2011 20:06:56 -0400
> > "Michael H. Warfield" <mhw at wittsend.com> wrote:
> >
> > > The forced changes provide no benefit and yet add that little tiny
> > > extra opportunity of additional threat.  And, yes, there are password
> > > sniffers that will fire on password changes so they follow your
> > > changes as you make them.  Factor it in how you will.
>
> > A company I used to work for about a decade ago had a 60 or 90 day
> > schedule on their forced password changes.  The requirements for the
> > passwords weren't very strict, either.
>
> > Most of the customer service people ended up teaching each other the
> > same password scheme of current month+year (jan99, for example).  Since
> > those passwords were good for 60 or 90 days, you could walk out on that
> > call center floor and guess almost anyone's password in 2 or 3 tries.
>
> In my talks on this, I try to dance around it a little bit without being
> as blatant as that, but you are absolutely correct.  Forced expiration
> and password changes invariably force most users into predictable
> patterns which are of no benefit and often just the opposite.
>
> The other effect, when password strength/complexity checkers are not
> enforced, is the "jumping in front of the bus effect".  Small but real,
> it's the case where a user is forced to change his password and he
> changes it to one that the attackers are using to guess...  Powned...
>
> > Pat
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>   NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>
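The "month+year" scheme Pat describes is easy to audit for. The following is an added example, not code from this thread or from any of its authors: it enumerates the month+year passwords a user on a forced 60- or 90-day rotation could currently hold (which is why a guesser needs only a handful of tries), and gives the policy check a password-change hook could use to reject that scheme. The date and the password list are constructed sample input.

```python
import re
from datetime import date, timedelta

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]

# Blocklist pattern for the scheme from the thread: a month abbreviation
# followed by a two- or four-digit year, e.g. "jan99" or "Jan2011".
MONTH_YEAR_RE = re.compile(
    r"^(?:%s)(?:\d{2}|\d{4})$" % "|".join(MONTHS), re.IGNORECASE)


def looks_like_month_year(password):
    """True if the password is a month+year string a policy should reject."""
    return MONTH_YEAR_RE.match(password) is not None


def month_year_candidates(today, rotation_days):
    """Month+year passwords a user on a forced-rotation schedule could hold.

    The password was set at most rotation_days ago, so it encodes one of the
    months between (today - rotation_days) and today, oldest first.
    """
    start = today - timedelta(days=rotation_days)
    year, month = start.year, start.month
    candidates = []
    while (year, month) <= (today.year, today.month):
        candidates.append("%s%02d" % (MONTHS[month - 1], year % 100))
        month += 1
        if month > 12:          # roll over into the next year
            month, year = 1, year + 1
    return candidates


def audit(passwords, today, rotation_days):
    """Count stored passwords that fall inside the guessable window."""
    window = set(month_year_candidates(today, rotation_days))
    return sum(1 for p in passwords if p.lower() in window)


if __name__ == "__main__":
    sample = ["aug11", "Sep11", "correct horse", "jul11"]  # constructed
    print(month_year_candidates(date(2011, 9, 4), 60))     # 3 guesses cover it
    print(audit(sample, date(2011, 9, 4), 60))
```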