Passwords --was-- Re: [BC] Can't solve it if you don't know about it

Cowboy curt
Mon Jul 31 08:21:44 CDT 2006


On Sunday 30 July 2006 09:36 pm, Barry Mishkind wrote:
> At 05:31 PM 7/30/2006, Rockwell Smith wrote

> >All employees, full or part time, have company e-mail, but....  many 
> >cannot access it because they seem to get locked out of their 
> >accounts because they forget their passwords.
> 
>          Then you don't want to hear about the station
>          I was in last month where the login and password
>          (a lengthy line of letters and numbers) were
>          taped to the studio monitors???

 This is exactly why lengthy strings of random characters are a
 really bad idea.
 Posted passwords are, in effect, no password at all !
 This is as bad as passwords like "password" or "123go" !

 Pass-phrases are MUCH better, provided they aren't too obvious.
 Even better are apparently random strings derived from a
 pass-phrase, something like MBWbiO14 derived from
       My beloved wife's birthday is October 14.
 This has the double-advantage of reminding one to buy that
 birthday present !

 A fair "generic" password would be something like the first and
 last letter of each word in the station slogan, in order, and including
 at least one real word.
 
 These things are easy to remember, yet difficult to decipher if
 one is not familiar with station operations, or the details of an
 individual's life.

 Also good are seemingly random combinations of words.
 Things like spatula&motorcar
 Enough characters to be secure, no apparent relationship between
 the words, and a "random" character separator.
 Of course, for the personality whose password was her own surname,
 and she managed to forget it at least once a week, there is no hope !

 A forgotten password for a critical system, because it was a long string
 of unguessable random characters for "high" security can be much, much
 worse than no password at all when that system goes down !

 Remember, most crackers will try a dictionary attack first.
 Simply trying the more obvious permutations in common use, like
 password, PaSsWoRd, Passw*rd, letmein, letmein45, root, toor, etc.
 followed by a "brute force" ( if they're REALLY determined ) automated
 generation of so many random characters, usually from 1 to 14 ( because
 that was a common limit for Microsoft for MANY years ) characters,
 until they hit one that works.
 Brute force generators will filter and skip actual words, because it's
 well known that the common "random" password web sites don't
 generate real words.
 Therefore, pass-phrases and common words in uncommon combinations
 are FAR more secure than long strings of "random" characters. 
 They won't be in the dictionaries, and it'll take a brute force attack years
 to hit that "random" combination, *if* it's been reprogrammed to
 include real words !
 If you've got a cracker after you that is THAT determined, you've got worse
 problems than simple net scans, and weekend visitors !

 Obvious passwords are bad, but strings of characters so complex they 
 get written down are MUCH worse !

 In an air studio, where "talent" isn't known for good password retention,
 I'd be using something like the first and last letter of the names, both
 first and last names, of each person on the morning show.
 Use their real names, not their air names, including at least one real word,
 and it seems that's about as good as it gets.

 In a data processing center, or the IT department, if one wishes to get REALLY
 secure, AND one can assume some degree of intelligence on part of the
 authorized people, passwords that change with time of day, and date, are
 almost impossible to crack, unless it's too obvious. Even then, a cracker
 has to know that this happens in that IT center.

 Simple, yet really secure, passwords are possible, but they are not
 random character generators !

-- 
Cowboy
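
An added example, not part of the post or the thread: a Python password-acceptance check that applies the rules argued above, rejecting word-list entries and the "obvious permutations" a dictionary attack tries first (case changes, symbol substitutions, trailing digits) while accepting multi-word combinations with a separator. The word list, the `Verdict` type and the 12-character minimum are constructed assumptions, not values from the post.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a cracking word list (assumption: a real check
# would load a large list from a file; these entries are not from the post).
WORDLIST = {"password", "letmein", "root", "toor", "123go", "qwerty",
            "spatula", "motorcar", "october", "birthday", "smith"}
MIN_LENGTH = 12  # assumed policy value; the post names no number

@dataclass
class Verdict:
    ok: bool
    reason: str

def normalize(candidate: str) -> str:
    """Map the 'obvious permutations' back onto the base word as a regex:
    PaSsWoRd -> password, letmein45 -> letmein, Passw*rd -> passw.rd"""
    s = re.sub(r"\d+$", "", candidate.lower())  # drop trailing digits
    return re.sub(r"[^a-z]", ".", s)            # symbols/digits become wildcards

def matches_wordlist(token: str) -> bool:
    """True if the token, after normalisation, is a word-list entry."""
    pattern = normalize(token)
    return bool(pattern) and any(re.fullmatch(pattern, w) for w in WORDLIST)

def check_password(candidate: str) -> Verdict:
    # 1. A single list entry, or an obvious permutation of one, is what a
    #    dictionary attack tries first: reject it outright.
    if matches_wordlist(candidate):
        return Verdict(False, "dictionary word or obvious permutation")
    # 2. Split on separators: spatula&motorcar -> ["spatula", "motorcar"]
    words = [w for w in re.split(r"[^A-Za-z]+", candidate) if w]
    known = [w for w in words if matches_wordlist(w)]
    if known and len(candidate) < MIN_LENGTH:
        return Verdict(False, "built from dictionary words but too short")
    if len(words) >= 2 and len(known) == len(words):
        return Verdict(True, "unrelated words with a separator")
    if len(candidate) < 8:
        return Verdict(False, "too short")
    return Verdict(True, "not derived from a word-list entry")

if __name__ == "__main__":
    for pw in ["password", "PaSsWoRd", "Passw*rd", "letmein45",
               "spatula&motorcar", "MBWbiO14", "Smith7"]:
        print(f"{pw:18} {check_password(pw)}")
```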